Re: File System Permissions for Windows Service Account - DNS


  1. Re: File System Permissions for Windows Service Account

    On Sunday, September 24, 2006 9:02 PM [GMT+1=CET],
    Will wrote:

    > In BIND 9.3 under Windows, what NTFS file system permissions does the
    > service account need to run correctly?


    I just found out that the default permissions
    from installation didn't make too much sense.

    It turned out that the following will work well:
    (presumed having
    options {
    directory "C:/WinNT/system32/dns"; ...
    };
    in named.conf)

    for the base dir above (no inheritance,
    remove User/Power user group etc.):
    - group Administrators: full access
    - user named: full access
    - SYSTEM: Read/Execute, List folders, Read
    - CREATOR-OWNER: special: full rights for sub-folders and files only

    You'll probably notice that temp files are written here.
    (I've been running into trouble especially with this).

    {basedir}\bin:
    inherit the above (have no TSIG key files residing
    there!)

    {basedir}\etc:
    - Administrators: full access
    - named: full access
    - CREATOR-OWNER: special: full access for sub-folders and files only

    (all naming is back-translated from my German Win2k)

    Someone will probably contradict or, even better, point
    to a more subtle rights allocation.

    Olaf Lautenschlaeger
    ANOVA Multimedia Studios GmbH, Rostock



  2. Re: File System Permissions for Windows Service Account

    I'm liking most of this, but what is the reasoning for this permission:

    - CREATOR-OWNER: special: full rights for sub-folders and files only

    named has full access in your scheme. What other creator owner is there
    going to be?

    --
    Will


    "Olaf Lautenschlaeger" wrote in message
    news:ef94m9$opn$1@sf1.isc.org...
    > On Sunday, September 24, 2006 9:02 PM [GMT+1=CET],
    > Will wrote:
    > > In BIND 9.3 under Windows, what NTFS file system permissions does the
    > > service account need to run correctly?

    >
    > I just found out that the default permissions
    > from installation didn't make too much sense.
    >
    > It turned out that the following will work well:
    > (presumed having
    > options {
    > directory "C:/WinNT/system32/dns"; ...
    > };
    > in named.conf)
    >
    > for the base dir above (no inheritance,
    > remove User/Power user group etc.):
    > - group Administrators: full access
    > - user named: full access
    > - SYSTEM: Read/Execute, List folders, Read
    > - CREATOR-OWNER: special: full rights for sub-folders and files only
    >
    > You'll probably notice that temp files are written here.
    > (I've been running into trouble especially with this).
    >
    > {basedir}\bin:
    > inherit the above (have no TSIG key files residing
    > there!)
    >
    > {basedir}\etc:
    > - Administrators: full access
    > - named: full access
    > - CREATOR-OWNER: special: full access for sub-folders and files only
    >
    > (all naming is back-translated from my german win2k)
    >
    > Someone will probably contradict or, even better, point
    > to a more subtle rights allocation.
    >
    > Olaf Lautenschlaeger
    > ANOVA Multimedia Studios GmbH, Rostock





  3. Re: File System Permissions for Windows Service Account

    On Monday, September 25, 2006 8:41 PM [GMT+1=CET],
    Will wrote:

    > I'm liking most of this, but what is the reasoning for this
    > permission:
    >
    > - CREATOR-OWNER: special: full rights for sub-folders and files


    Merely a residue from Windows defaults.
    Maybe the name (it's one of those hard-coded groups) has to go
    vice-versa in English Windows versions. In German, it's ERSTELLER-
    BESITZER ;-)

    It shall inhibit bad boys' code from fiddling with the base folder itself.
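
An added example, not code from the thread's participants or from the BIND project: a PowerShell script that applies the NTFS layout from Olaf's first post (base directory, etc, bin) together with the inherit-only CREATOR OWNER entry explained in this reply, then prints the resulting ACL so it can be compared with the list in the post. The base directory path is the one from the quoted named.conf; the local service account name "named", an elevated prompt, and the TSIG check at the end (a heuristic grep for BIND's `secret "..."` key-statement syntax) are assumptions. The built-in principals are addressed by SID, so the script does not depend on the English or German display names.

```powershell
# Added example (not code from the original thread or from BIND): apply the NTFS
# layout from Olaf's first post, including the inherit-only CREATOR OWNER entry
# explained in this reply, with PowerShell. Assumptions: the base directory from
# the post's named.conf, a local service account called "named", and an elevated
# prompt. Adjust $BaseDir and $ServiceAccount before running.
$BaseDir        = 'C:\WinNT\system32\dns'   # options { directory "C:/WinNT/system32/dns"; }
$ServiceAccount = 'named'

# Address the built-in principals by SID rather than by name, so the script works
# on a German install where CREATOR OWNER shows up as ERSTELLER-BESITZER.
function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Type, $null
}
$Admins       = Get-WellKnownSid BuiltinAdministratorsSid   # S-1-5-32-544
$LocalSystem  = Get-WellKnownSid LocalSystemSid             # S-1-5-18
$CreatorOwner = Get-WellKnownSid CreatorOwnerSid            # S-1-3-0
$Named        = New-Object System.Security.Principal.NTAccount -ArgumentList $ServiceAccount

function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None'
    )
    # ContainerInherit + ObjectInherit means "this folder, subfolders and files";
    # with PropagationFlags InheritOnly the ACE is not applied to the folder
    # itself, which is the "subfolders and files only" entry from the post.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        $Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

function Set-ProtectedAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance and discard the inherited ACEs; the default Users /
    # Power Users entries from the installation come in that way.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit leftovers, then grant exactly the listed entries.
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    foreach ($rule in $Rules)       { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Base directory: exactly the four entries from the post.
Set-ProtectedAcl -Path $BaseDir -Rules @(
    (New-AllowRule $Admins       FullControl),
    (New-AllowRule $Named        FullControl),
    (New-AllowRule $LocalSystem  ReadAndExecute),          # Read & execute, List folder contents, Read
    (New-AllowRule $CreatorOwner FullControl InheritOnly)  # subfolders and files only
)

# {basedir}\etc: same set without the SYSTEM entry.
Set-ProtectedAcl -Path (Join-Path $BaseDir 'etc') -Rules @(
    (New-AllowRule $Admins       FullControl),
    (New-AllowRule $Named        FullControl),
    (New-AllowRule $CreatorOwner FullControl InheritOnly)
)

# {basedir}\bin just inherits the base directory's ACL; make sure it really does.
$BinDir = Join-Path $BaseDir 'bin'
$binAcl = Get-Acl -LiteralPath $BinDir
$binAcl.SetAccessRuleProtection($false, $true)
Set-Acl -LiteralPath $BinDir -AclObject $binAcl

# Heuristic check for the "no TSIG key files in bin" point (assumption: keys are
# in BIND's key-statement syntax, i.e. contain a line like  secret "...";).
Get-ChildItem -LiteralPath $BinDir -File -Recurse |
    Select-String -Pattern 'secret\s+"' -List |
    ForEach-Object { Write-Warning "possible TSIG secret in $($_.Path)" }

# Print the result for comparison with the list in the post; the PropagationFlags
# column shows the CREATOR OWNER entry as InheritOnly.
Get-Acl -LiteralPath $BaseDir | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Run it from an elevated PowerShell on the DNS host after stopping the BIND service; the Set-Acl calls only rewrite the DACL, ownership of the directories is left untouched, so the CREATOR OWNER entry keeps resolving to whoever creates files there (normally the service account, as Will points out).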


