Most restrictive shared permissions on Package Server

pmakaveev's picture

Hello,

What would be the most restrictive shared permissions on the "Package Delivery" share on a Package Server? By default, "Everyone" has "Full Control" share permissions.

I am not able to find many documents on Package Server security best practices.

I have seen a document "Hardening NS Configuration". I would be glad to see a "Hardening PS Configuration" document as well.

Thank you very much!
Peter

jharings's picture

Clients need to be able to read the packages to download. So I think the most restrictive would need to be authenticated users with 'read' and 'list' access. That way you would need to be in an authenticated (domain) session to read the packages. If you have IIS, typically the anonymous user would be enabled, but if you have authenticated users combined with Windows Authentication in IIS, that should be good enough.

Jim Harings
Technical Solutions Consultant
Xcend Group
http://xcendgroup.com

DSnelleman's picture

Depends on usage

Peter,

This is quite simple.

Case 1: you are downloading packages to the client and then executing them

Step 1 - Open NS 6.5 Console
         Go to Configure -> Agents -> Global Settings
         Open the Authentication tab
         Select "Use These Credentials"
         Enter a username and password that you want to use (The account does not have to exist)

Step 2 - Go to Configure -> Package Servers -> Package Servers Setup
         Open the Settings tab
         Deselect "Allow anonymous access to package codebases"
         Select "Create the Agent Connectivity Credential on Package Servers"

Case 2: you are executing packages from the package server

Step 1 - Create your Package to run under a domain account with admin rights
         Programs tab
         Run with right:Specified user
         Enter the Domain username and password of the domain account you want to use.

Step 2 - On your package server open the registry editor
         Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Package Server
         Create a new DWORD named "EnableDACLManagement" with a value of "0"
         Restart the Package Server

Step 3 - Reset all security on your "Package Delivery" share and set up your security the way you like.
         Don't forget to allow the account entered in step 1 read access
         Don't forget to allow the Altiris Service Account Full Control access (Modify should work but I have not tried it)

Regards,
Dennis
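
Steps 2 and 3 of Case 2 above, written as a script; this is an added example, not part of any post in the thread and not Altiris tooling. It assumes a Windows version with the SmbShare cmdlets (Server 2012 or later), uses the share name as written in the thread, and the two account names are hypothetical placeholders. Without `-Apply` it only reports what differs from the target state.

```powershell
# Added example. Defaults below are placeholders, not values from the thread.
param(
    [string]$ShareName      = 'Package Delivery',     # share name as written in the thread
    [string]$ReadAccount    = 'EXAMPLE\pkg-run',       # hypothetical: account from Case 2, step 1
    [string]$ServiceAccount = 'EXAMPLE\svc-altiris',   # hypothetical: Altiris service account
    [switch]$Apply                                     # report only unless this is given
)

# Step 2: EnableDACLManagement (DWORD) = 0 under the Package Server key.
$key   = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Package Server'
$value = (Get-ItemProperty -Path $key -Name EnableDACLManagement -ErrorAction SilentlyContinue).EnableDACLManagement
if ($value -ne 0) {
    Write-Output "EnableDACLManagement is '$value', expected 0"
    if ($Apply) {
        New-ItemProperty -Path $key -Name EnableDACLManagement -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output 'Value set; restart the Package Server as described in step 2.'
    }
}

# Step 3: share permissions. Target state: read for the run-as account,
# Full Control for the service account, nothing else (no Everyone entry).
$desired = @{ $ReadAccount = 'Read'; $ServiceAccount = 'Full' }
$entries = @(Get-SmbShareAccess -Name $ShareName)

foreach ($ace in $entries) {
    $isAllow = "$($ace.AccessControlType)" -eq 'Allow'
    if ($isAllow -and "$($ace.AccessRight)" -eq $desired[$ace.AccountName]) { continue }
    Write-Output "Unexpected share entry: $($ace.AccountName) $($ace.AccessControlType) $($ace.AccessRight)"
    if ($Apply -and $isAllow) {
        # Revoke removes Allow entries only; Deny entries are reported and left for manual review.
        Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
    }
}

foreach ($account in $desired.Keys) {
    $ok = $entries | Where-Object {
        $_.AccountName -eq $account -and "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.AccessRight)" -eq $desired[$account]
    }
    if (-not $ok) {
        Write-Output "Missing share entry: $account $($desired[$account])"
        if ($Apply) {
            Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight $desired[$account] -Force | Out-Null
        }
    }
}
```

The script touches share permissions only; NTFS permissions on the folder behind the share are a separate ACL and are not changed here.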