Solved

Any reason not to grant a domain computer account shared folder permission on another server?

Posted on 2011-09-08
Last Modified: 2012-06-22
We have a few web servers in a DMZ that need to access files on a single file server share in the inside network.  Currently we use a domain account (call it webshare) which is what the web services use when they need to access a file on the inside share.  One of the developers asked if we could add the web server's domain computer account to the share, as it would be easier for the application developers not to have to impersonate a user account when they need to access those files.  Note that the webshare account has local admin rights on the web server, but no domain rights other than that one share on one file server.

This is a single Windows domain and 2008 servers we're talking about, FYI.

Any reason why using the computer account instead of a domain account would be better/safer or less secure than the current method?  Or basically the same?

Thanks
Question by: mchad65
4 Comments
LVL 40
Accepted Solution by: Kyle Abrahams (earned 2000 total points)
ID: 36503559
If the server was ever compromised (e.g. hacked), the computer could then write files to your file share, bypassing security.  It would then just take someone to execute that file and now you have someone on your internal network.

In general you never want any traffic going across your DMZ to your internal network.  If you need to get files into the network, you should actually write them to your DMZ (behind another firewall) and let the internal users pull them the same way the external users do.


Author Comment by: mchad65
ID: 36503606
Understand your point re: network security, and we have taken appropriate steps.  Certainly one wouldn't put a SQL server in a DMZ, and web servers often need to talk to SQL.  Clearly I am not revealing the full details of our internal network security architecture in a public forum.

Network security aside, back to the original question, is there any more or less inherent risk in using a computer account for share permissions vs. a domain user account?

Thanks
LVL 40
Expert Comment by: Kyle Abrahams
ID: 36503658
Anyone who gets onto the computer could use the fileshare vs. only that one account.

So you're opening up the gate a bit.

Also from an administration side, say you scale out the website to multiple computers.  Using 1 Windows account they could all write to the share.  Otherwise you would need to add each computer where the application was running to the share.

Which breeds another question:  Do you have other applications running on any of the servers that shouldn't have access to the share?

IMO I would tell the developer to suck it up and impersonate with the user account.

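As an added example, not part of the thread: a PowerShell audit that lists share-level and NTFS permission entries which widen access beyond a single service account, flagging computer accounts (SAM names ending in "$") and broad built-in groups as the comments above describe. The share name 'WebPdfs', domain 'CONTOSO' and account 'webshare' are assumptions; the share-level part needs the SmbShare module (Windows Server 2012 and later), while the NTFS check also works on 2008.

```powershell
# Added example (not from the thread): report identities on a share that widen
# access beyond one service account: computer accounts (SAM names end in "$"),
# broad built-in groups, and anything not on an explicit allow-list.
param(
    [string]   $ShareName         = 'WebPdfs',             # assumed share name
    [string[]] $AllowedIdentities = @('CONTOSO\webshare')  # assumed service account
)

# Groups that grant access to far more principals than one account.
$BroadGroups = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Test-ShareIdentity {
    param([string]$Identity, [string]$Rights, [string]$Source)
    # Return a finding string when the identity widens access, otherwise $null.
    if ($Identity -match '\$$') {
        return "$Source : computer account '$Identity' has $Rights (every process on that host inherits it)"
    }
    if ($BroadGroups -contains $Identity -or $Identity -match '\\Domain (Computers|Users)$') {
        return "$Source : broad group '$Identity' has $Rights"
    }
    if ($AllowedIdentities -notcontains $Identity) {
        return "$Source : '$Identity' has $Rights but is not in the allow-list"
    }
    return $null
}

$findings = @()

# Share-level ACL (SmbShare module, Windows Server 2012 and later).
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $findings += Test-ShareIdentity -Identity $ace.AccountName `
                                    -Rights $ace.AccessRight -Source 'Share ACL'
}

# NTFS ACL on the folder behind the share; both layers must allow access.
foreach ($ace in (Get-Acl -Path $share.Path).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $findings += Test-ShareIdentity -Identity $ace.IdentityReference.Value `
                                    -Rights $ace.FileSystemRights -Source 'NTFS ACL'
}

$findings | Where-Object { $_ } | ForEach-Object { Write-Output $_ }
if (-not ($findings | Where-Object { $_ })) { Write-Output "No widening entries found on \\$env:COMPUTERNAME\$ShareName" }
```

Run it on the file server; any line naming a computer account shows a host whose every local process, not just one service identity, can reach the share.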

Author Comment by: mchad65
ID: 36503817
I am leaning towards keeping it as is, I just wanted another opinion.  The share exists solely for storing PDFs the users of the sites need to download.  Pretty much each site has a need to access it. There may be the odd app that doesn't need access, but the majority do.

I think I agree with your last.  Thanks.