bad security setting for win32 tor service
Carsten Krüger
C.Krueger at gmx.org
Fri Aug 19 19:17:39 UTC 2005
Hi,
BM> encrypted using xp EFS
that's pretty useless for a service-account, the password is somewere
on the harddisk
BM> Is running it as LocalService better?
I'm not sure.
You should delete the membership of the Tor-account in the group
"Users". Then the Toraccount has the same rights as the User Guest.
run: lusrmgr.msc
or
net LOCALGROUP Users <Tor_Service_User> /DELETE
BM> I also had concern with the
BM> service running under the System account, and want to give the
BM> account running the tor service as little permission as possible,
BM> even sandbox it to just the tor directory if possible.
me, too.
MS wrote:
The Local Service account is a special, built-in account that is similar
to an authenticated user account. The Local Service account has the same
level of access to resources and objects as members of the Users group.
This limited access helps safeguard your system if individual services
or processes are compromised. Services that run as the Local Service
account access network resources as a null session with no credentials.
greetings
Carsten
PS: It would be nice if this change goes to the next version of
stable. Running the service with SYSTEM-privileges is a high security
risk.
More information about the tor-talk
mailing list