Solved

Any reason not to grant a domain computer account shared folder permission on another server?

Posted on 2011-09-08
Last Modified: 2012-06-22
We have a few web servers in a DMZ that need to access files on a single file server share in the inside network.  Currently we use a domain account (call it webshare) which is what the web services use when they need to access a file on the inside share.  One of the developers asked if we could add the web server's domain computer account to the share, as it would be easier for the application developers not to have to impersonate a user account when they need to access those files.  Note that the webshare account has local admin rights on the web server, but no domain rights other than that one share on one file server.

This is a single Windows domain and 2008 servers we're talking about, FYI.

Any reason why using the computer account instead of a domain account would be better/safer or less secure than the current method?  Or basically the same?

Thanks
Question by:mchad65
4 Comments
 
LVL 40

Accepted Solution

by:
Kyle Abrahams earned 500 total points
ID: 36503559
If the server was ever compromised (e.g. hacked), the computer could then write files to your file share, bypassing security.  It would then just take someone to execute that file and now you have someone on your internal network.

In general you never want any traffic going across your DMZ to your internal network.  If you need to get files into the network, you should actually write them to your DMZ (behind another firewall) and let the internal users pull them the same way the external users do.


 

Author Comment

by:mchad65
ID: 36503606
Understand your point re: network security, and we have taken appropriate steps.  Certainly one wouldn't put a SQL server in a DMZ, and web servers often need to talk to SQL.  Clearly I am not revealing the full details of our internal network security architecture in a public forum.

Network security aside, back to the original question, is there any more or less inherent risk in using a computer account for share permissions vs. a domain user account?

Thanks
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 36503658
Anyone who gets onto the computer could use the fileshare vs only that one account.  

So you're opening up the gate a bit.  

Also, from an administration side, say you scale out the website to multiple computers.  Using 1 Windows account they could all write to the share.  Otherwise you would need to add each computer where the application was running to the share.  

Which breeds another question:  Do you have other applications running on any of the servers that shouldn't have access to the share?

IMO I would tell the developer to suck it up and impersonate with the user account.

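For anyone reviewing an existing file server with this trade-off in mind, the following is an added example (not posted by anyone in this thread) that lists share-level ACEs granted to computer accounts. It assumes it is run with administrative rights against the file server, uses WMI so that it works on Server 2008, and treats any trustee whose name ends in `$` as a computer account.

```powershell
# Added example: report share ACEs whose trustee is a computer account.
# Assumption: -ComputerName '.' means the script runs on the file server itself.
param([string]$ComputerName = '.')

Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName |
ForEach-Object {
    $share  = $_.Name
    $result = $_.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Cannot read share ACL for '$share' (code $($result.ReturnValue))"
        return   # inside ForEach-Object this skips to the next share
    }

    foreach ($ace in $result.Descriptor.DACL) {
        $name = $ace.Trustee.Name
        # Computer account sAMAccountNames end in '$' (e.g. WEB01$)
        if (-not $name -or -not $name.EndsWith('$')) { continue }

        # Translate the well-known share access masks; show anything else in hex
        $rights = switch ($ace.AccessMask) {
            2032127 { 'Full Control' }
            1245631 { 'Change' }
            1179817 { 'Read' }
            default { '0x{0:X}' -f $_ }
        }

        New-Object PSObject -Property @{
            Share   = $share
            Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $name
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights  = $rights
        } | Select-Object Share, Trustee, Type, Rights
    }
}
```

Share permissions are only one layer: the NTFS ACL on the shared folder applies as well, so check it for the same trustees.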
 

Author Comment

by:mchad65
ID: 36503817
I am leaning towards keeping it as is, I just wanted another opinion.  The share exists solely for storing PDFs the users of the sites need to download.  Pretty much each site has a need to access. There may be the odd app that doesn't need access, but the majority do.  

I think I agree with your last.  Thanks.

Question has a verified solution.