Solved

Any reason not to grant a domain computer account shared folder permission on another server?

Posted on 2011-09-08
Last Modified: 2012-06-22
We have a few web servers in a DMZ that need to access files on a single file server share in the inside network. Currently we use a domain account (call it webshare), which is what the web services use when they need to access a file on the inside share. One of the developers asked if we could add the web server's domain computer account to the share, as it would be easier for the application developers not to have to impersonate a user account when they need to access those files. Note that the webshare account has local admin rights on the web server, but no domain rights other than that one share on one file server.

This is a single Windows domain and 2008 servers we're talking about, FYI.

Any reason why using the computer account instead of a domain account would be better/safer or less secure than the current method? Or basically the same?

Thanks
Question by: mchad65

4 Comments
Accepted Solution by: Kyle Abrahams (LVL 41, earned 2000 total points)
ID: 36503559
If the server was ever compromised (e.g. hacked), the computer could then write files to your file share, bypassing security. It would then just take someone to execute that file, and now you have someone on your internal network.

In general you never want any traffic going across your DMZ to your internal network.  If you need to get files into the network, you should actually write them to your DMZ (behind another firewall) and let the internal users pull them the same way the external users do.


Author Comment by: mchad65
ID: 36503606
Understand your point re: network security, and we have taken appropriate steps.  Certainly one wouldn't put a SQL server in a DMZ, and web servers often need to talk to SQL.  Clearly I am not revealing the full details of our internal network security architecture in a public forum.

Network security aside, back to the original question, is there any more or less inherent risk in using a computer account for share permissions vs. a domain user account?

Thanks
Expert Comment by: Kyle Abrahams (LVL 41)
ID: 36503658
Anyone who gets onto the computer could use the file share, vs. only that one account.

So you're opening up the gate a bit.  

Also, from an administration side, say you scale out the website to multiple computers. Using one Windows account, they could all write to the share. Otherwise you would need to add each computer where the application was running to the share.

Which breeds another question:  Do you have other applications running on any of the servers that shouldn't have access to the share?

IMO I would tell the developer to suck it up and impersonate with the user account.

0
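The two points raised above (the accepted answer's concern that a compromised web server could drop a file on the inside share, and this comment's point that a machine-account grant is usable by anything on that host rather than by one account) can be checked and enforced with the script below. It is an added example, not code from the thread or from either participant. The names are assumptions: a share named WebPdfs at D:\Shares\WebPdfs on the inside file server, a domain CORP, the dedicated service user CORP\webshare, and a DMZ web server WEB01 whose machine account is CORP\WEB01$. The SmbShare cmdlets need Windows Server 2012 / PowerShell 3 or later; on the 2008 servers in the question, net share and icacls do the same share-level and NTFS-level work.

```powershell
# Added example, not code from the thread. Names are assumptions: share
# WebPdfs at D:\Shares\WebPdfs on the inside file server, domain CORP,
# dedicated service user CORP\webshare, DMZ web server WEB01 (machine
# account CORP\WEB01$). Steps 1 and 2 run on the file server as an admin
# and need the SmbShare module (Server 2012 / PowerShell 3+); step 3 runs
# on a web server.

$ShareName = 'WebPdfs'
$SharePath = 'D:\Shares\WebPdfs'
$SvcUser   = 'CORP\webshare'

# 1. Report who can reach the share at the share layer and the NTFS layer
#    (effective access is the more restrictive of the two). A SAM name ending
#    in '$' is a machine account; flag those.
function Get-ShareAccessReport {
    param([string]$Name, [string]$Path)
    $rows = @(foreach ($a in Get-SmbShareAccess -Name $Name) {
        [pscustomobject]@{
            Layer             = 'Share'
            Identity          = $a.AccountName
            Rights            = [string]$a.AccessRight
            Type              = [string]$a.AccessControlType
            IsComputerAccount = ($a.AccountName -match '\$$')
        }
    })
    $rows += @(foreach ($a in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Layer             = 'NTFS'
            Identity          = $a.IdentityReference.Value
            Rights            = [string]$a.FileSystemRights
            Type              = [string]$a.AccessControlType
            IsComputerAccount = ($a.IdentityReference.Value -match '\$$')
        }
    })
    $rows
}

$report = Get-ShareAccessReport -Name $ShareName -Path $SharePath
$report | Format-Table -AutoSize
$report | Where-Object IsComputerAccount | ForEach-Object {
    $msg = '{0}-level grant to machine account {1} ({2}): every process on that host ' +
           'running as SYSTEM, NetworkService or a default IIS app pool identity gets it.'
    Write-Warning ($msg -f $_.Layer, $_.Identity, $_.Rights)
}

# 2. Keep the single dedicated user and grant it Read only at both layers.
#    Read is enough because the share only holds PDFs the sites serve for
#    download (assumption: nothing in the web tier writes there). A
#    compromised web server can then still fetch PDFs but cannot drop a file
#    on the inside share for someone to run.
function Grant-ShareReadOnly {
    param([string]$Name, [string]$Path, [string]$Account)
    Grant-SmbShareAccess -Name $Name -AccountName $Account -AccessRight Read -Force | Out-Null
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this account
    Set-Acl -Path $Path -AclObject $acl
}
Grant-ShareReadOnly -Name $ShareName -Path $SharePath -Account $SvcUser

# 3. On a DMZ web server: everything that would ride on its machine account if
#    CORP\WEB01$ were granted the share. LocalService is left out because it
#    goes out on the network as anonymous, not as the computer.
function Get-MachineIdentityWorkloads {
    $svc = Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -match '^(LocalSystem|NT AUTHORITY\\Network\s?Service)$' } |
        Select-Object @{n='Kind'; e={'Service'}}, Name, @{n='RunsAs'; e={$_.StartName}}
    $pools = @()
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $pools = Get-ChildItem IIS:\AppPools | Where-Object {
            $_.processModel.identityType -match '^(ApplicationPoolIdentity|NetworkService|LocalSystem)$'
        } | Select-Object @{n='Kind'; e={'AppPool'}}, Name, @{n='RunsAs'; e={$_.processModel.identityType}}
    }
    @($svc) + @($pools)
}
Get-MachineIdentityWorkloads | Format-Table -AutoSize
```

The flag on identities ending in '$' matters because of how Windows authenticates to remote shares: processes running as LocalSystem or NetworkService, and IIS application pools left on ApplicationPoolIdentity, all present the computer account on the network. Granting CORP\WEB01$ therefore lets every default-identity app pool, SYSTEM service and scheduled task on WEB01 open the share, while with a dedicated user only code that explicitly impersonates CORP\webshare can. Read-only at both layers addresses the accepted answer's scenario: a fully compromised web server can still fetch PDFs but cannot write an executable to the inside share.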
Author Comment by: mchad65
ID: 36503817
I am leaning towards keeping it as is; I just wanted another opinion. The share exists solely for storing PDFs the users of the sites need to download. Pretty much each site has a need to access it. There may be the odd app that doesn't need access, but the majority do.

I think I agree with your last.  Thanks.