Why is "Act As Part of the Operating System" needed for Apache on Windows?

Hi Everyone,

This is my first time here, so if I'm doing this wrong please correct me so that I learn. (Be gentle.)

I have a question about running Apache httpd 2.4.x on Windows Server 2008 R2. I searched everywhere online for an answer and read the manuals, but the most info I got was that someone posed this question here 11 years ago and there was no reply. (Copied below.)


The Apache 2.4 documentation recommends creating a new user for httpd that has "Log on as a service" AND "Act as part of the operating system" rights. 

My question is, why is "act as part of the operating system" needed? It is a very high risk permission. 

I ran Apache without this right and it seems to work fine. What feature needs it? I don't want the server to suddenly fail on me, but I also don't understand why it is "required." Help?



----  MORE DETAIL, IF YOU WANT --------

The "Act as part of the operating system" permission is a high risk permission. Programs with this access can impersonate any user on the entire computer, thereby getting full access to any file. It is basically the Windows equivalent of root. 

My concern here is that setting read/write/execute permissions for the Apache user is effectively meaningless because of that capability. And more importantly, should the server get compromised for any reason (e.g., a client somehow convincing the httpd service to execute harmful code due to a configuration mistake), the attacker would be able to do literally anything if they impersonate an Administrator.

On Linux, Apache runs a service to bind to port 80 (or whichever) as root, but the web-serving sub-processes run as limited users, so this isn't an issue there. On IIS, the sites run as site-specific users ("application pool" users), so even if the server/site is compromised, the attacker has no permissions to do anything beyond affecting the specific site files.

On Apache for Windows, it seems that the whole thing is run under the equivalent of root. I'm nervous to do that. In fact, Microsoft specifically recommends AGAINST providing "Act as part of the operating system" to any users.

Apache recommending a new user with the permission: https://httpd.apache.org/docs/2.4/platform/windows.html




------- EMAIL I FOUND IN THE ARCHIVES THAT WAS NEVER ANSWERED ----

(Can be seen online here: http://httpd.markmail.org/search/?q=%22act+as+part+of+the+operating+system%22+why#query:%22act%20as%20part%20of%20the%20operating%20system%22%20why+page:1+mid:v3nkvtddxoumjaoo+state:results )

Jan 12, 2004


Hey everyone,

Have a question about the "User rights assignment" in Windows. In the
Apache docs they recommend (when running Apache as a service) to create a
new user account for the Apache service and to grant this new user "Log on
as a service and Act as part of the operating system" privileges. Our
Apache test server seems to run fine without "Act as part of the operating
system". Why is this right needed? It seems to be more than necessary.
Maybe we have the module that needs this right disabled. Can anyone see any
reason to enable this right?

Here is the apache doc that talks about this
http://httpd.apache.org/docs-2.0/platform/windows.html#winsvc

Here is the Microsoft description of *Act as part of the operating system*
http://www.microsoft.com/technet/treeview/default.asp?url="">

Thanks, Ryan
*Ryan Johnson Security Architect ESP Group  *
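The practical check behind both questions is: which accounts on the box actually hold "Act as part of the operating system" (the privilege named SeTcbPrivilege in Windows policy), and is the account the Apache service runs as one of them? The script below is an added example, not code from either poster or from the Apache project. It exports the local user-rights policy with secedit, resolves the SIDs listed under SeTcbPrivilege, and compares them with the service's logon account. It assumes the service is registered under the name "Apache2.4" (the installer's default; pass -ServiceName if yours differs) and uses Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0 that ships with Server 2008 R2. Run it from an elevated prompt.

```powershell
# Added example: audit holders of SeTcbPrivilege ("Act as part of the
# operating system") and check whether the Apache service account is one.
# Assumption: the httpd service is named "Apache2.4" (installer default).
param(
    [string]$ServiceName = 'Apache2.4'
)

# secedit exports the local security policy as an INI file; the USER_RIGHTS
# area holds a [Privilege Rights] section mapping each privilege to its holders.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Line looks like:  SeTcbPrivilege = *S-1-5-21-...-1001,*S-1-5-21-...-1002
$line = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $rhs = ($line -split '=', 2)[1].Trim()
    foreach ($entry in ($rhs -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # A leading '*' marks a SID; translate it to DOMAIN\name when possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try {
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $holders += $entry.Substring(1)   # orphaned SID, keep it raw
            }
        } else {
            $holders += $entry                    # already an account name
        }
    }
}

Write-Host 'Accounts holding SeTcbPrivilege (Act as part of the operating system):'
if ($holders.Count -eq 0) {
    Write-Host '  (none listed in local policy)'
} else {
    $holders | ForEach-Object { Write-Host "  $_" }
}

# Which account does the Apache service log on as?
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Host "Service '$ServiceName' not found; list services with Get-Service."
    return
}
Write-Host "Service '$ServiceName' runs as: $($svc.StartName)"

if ($svc.StartName -eq 'LocalSystem') {
    # SYSTEM's token carries SeTcbPrivilege inherently; it never appears in the
    # policy list, so it must be handled as a special case.
    Write-Host 'WARNING: service runs as LocalSystem, which holds SeTcbPrivilege implicitly.'
    return
}

# Local accounts are stored as ".\user"; normalise to "COMPUTER\user" to compare
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
if ($holders -contains $account) {
    Write-Host "WARNING: '$account' holds SeTcbPrivilege; consider removing it and re-testing httpd."
} else {
    Write-Host "OK: '$account' does not hold SeTcbPrivilege."
}
```

Running this before and after removing the right from the service account gives a concrete record of what the box looked like, which is more useful than the "seems to run fine" observation in both mails: if httpd keeps working without the right, the policy export shows exactly which accounts still hold it and why. Note that granting the right to a service account does not by itself make the httpd worker impersonate anyone; the risk the original poster describes is what a compromised process could do with that token, so the defensive position is simply not to grant it unless a specific module is shown to need it.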
