Deployment Solution

 View Only
Back to Library

Deployment Server 6.9 - A Quick-Start Course, Part 5: Securing the Service Account 

Jul 06, 2010 03:39 PM

Before we proceed any further, it's time to secure the service account used by Deployment Server. This entails,

  1. Granting the Altiris Service account admin rights over Deployment Server's folders in the file system and registry
  2. Granting the Altiris Service account dbOwner rights over the express database in SQL Server
  3. Removing the Altiris Service account from the Administrators NT group

So, what we are doing is severely reducing the scope in both our Windows OS and SQL Server where the Altiris Service account has elevated rights. Below I illustrate how in a typical DS Installation, the Altiris service account would have full sysadmin rights over SQL Server (Figure 7). This is not good policy, especially if the SQL server is being used for other databases. By moving to the best-practice model underneath, the scope of Altiris service account is restricted, and only has full control only over the eXpress database.

Figure 7: SQL Server security overview illustrating how moving to a best-practice implementation reduces the scope in SQL Server where the Altiris service account has control.

Configuring permissions for the service account

As mentioned above, the first task we need to complete is to explicitly grant the altservice account full rights over Deployment Server's folder structures in the file system and registry. This is so that when we remove it from the administrators group, the service account still retains sufficient rights in its functional areas.

Configuring Altiris Service account permissions on express share

Now we're going to give the Altiris service full NTFS permissions over the express share.

  1. In windows explorer, navigate to C:\Program Files\Altiris
  2. Right-click the express folder, and select properties
  3. In the security tab, grant the altservice account full rights

  4. Click Apply, the OK.

Configuring Altiris Service account permissions in registry

Now we're going to give the Altiris service full rights over Deployment Server's folder structure in the registry hive HKEY_LOCAL_MACHINE.

  1. Open up the Windows Registry editor by typing regedit in the run box located on the Windows Start Menu
  2. Navigate to the Altiris registry key under HKLM\Software
  3. Right-Click the Altiris folder, and select permissions. Add the altservice account with Full Control,

    Click 'Apply'

Scoping the Service Account in SQL Server

Now, let's give the service account full rights only over the eXpress database in SQL Server. With SQL 2005 express this was easy -you could just fire up the SQL Express Surface Area Configuration MMC snap-in. However, this is not available in SQL 2008 Express, so we have to login to SQL Server Management Studio,

  1. Open the SQL Server Management Studio console, 
    		'Start Menu'
	> 'Programs'
		> 'Microsoft SQL Server 2008'
			> 'SQL Server Management Studio'
  2. Authenticate to the instance with the login dialog
  3. Select 'New Login' under Security -> Logins,

  4. In the General page, enter the login name '<SERVERNAME>\altservice', substituting your server name.
  5. In the General page, set the default database to eXpress.
  6. In the User Mappings page, set the altservice account to mapped to the express database, and grant it the dbowner role
  7. Click 'OK' and exit SQL Server Management Studio

Demoting the service account

Now we've finished explicitly granting the service account the rights it requires to function, we can proceed to removing the account from the administrators group (and while we're at it, the users group as this account will not login interactively).

  1. Remove the altservice account from the administrators and users groups. This can be done from a command prompt (as shown below), or using the Local Users and Groups MMC,

  2. Reboot the server

The Deployment Server Services

If you take a look at the services now installed on your server (services.msc) , you'll notice several Altiris services. Below is snippet from the services MMC, which I've embellished with the application targets for each service.

That's a lot of services*. The important one to note for now though is the Altiris Deployment Server DB Management Service. This is because this is the service which the Deployment Console contacts in order to extract console data from the underlying eXpress database.

When the express.exe process starts up, it must do the following before it can load up the Console interface.

  1. Connect to the SQL instance directly using the logged-on users (your) NT credentials
  2. Connect to the SQL database through the Altiris DB Management Service. This service runs as the process dbManager.exe, and should now be using the altservice credential

Bearing the above in mind, if you do have any problems opening the DS Console it's likely related to SQL access. If you have problems opening the console, check that,

  1. MS SQL Server and the Altiris Deployment DB Management Service are up and running
  2. Confirm that you are logging into your server as a local administrator (if you recall we granted full access earlier to the local administrators group).
  3. Finally, if your problem occurs just after a server reboot, be patient. SQL Server takes a few moments to get rolling. The Console cannot be opened until it is ready to accept connections.

* For those Deployment Server veterans out there who are wondering what happened to the mysterious mm.exe, in DS6.9SP1 this finally renamed to dbManager.exe. The name change didn't go much further, so you'll still see references to the MM service in the databases, logfiles and settings.

Return to Index

Read Part 6: Deployment Server 6.9 - A Quick-Start Course, Part 6: SQL Server Recovery Models

Statistics
0 Favorited
0 Views
7 Files
0 Shares
0 Downloads
Attachment(s)
Download All
jpg file
ds6-5-1.jpg   37 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-2.jpg   21 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-3.jpg   35 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-4.jpg   17 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-5.jpg   20 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-6.jpg   31 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
ds6-5-7.jpg   23 KB   1 version
Uploaded - Feb 25, 2020
 
Download

Tags and Keywords

Comments

Migration User
Jul 30, 2010 03:53 PM

OK. Resolved here. Thank you and I loved this course and I am waiting on the other parties. Thanks for the help.

ianatkin
Jul 30, 2010 02:49 AM

Hi,

I might be misunderstanding you, but if you've been following  this course you should have a database called eXpress. When you install Deployment Server with the simple install this is created automatically.

Can you provide some screenshots to explain your problem further?

Migration User
Jul 29, 2010 07:31 AM

A doubt on the part of logins where to create a new login.
Asks you to select the default database equal "EXPRESS," but does not have this option the Database, and never spoke in his creation?
I did so the same procedures for database 'MASTER'. Is it correct?

I am waiting the response and thanks.

ianatkin
Jul 16, 2010 07:28 PM

Jeeze... serves me right for making the picture up in word... ;-)

Will sort that out... 

[Edit: Now sorted!]

Licenses LCFIB
Jul 16, 2010 06:59 PM

Use 'localgroup' instead of 'user': 
C:\Documents and Settings\Administrator>net localgroup users altservice /delete
The command completed successfully.

C:\Documents and Settings\Administrator>net localgroup administrators altservice /delete
The command completed successfully.
;-)
 

Related Entries and Links

No Related Resource entered.