Idea ID: 2707315

SM-9.6x (and future): allow sm.exe to be run as a user who is not a member of Administrators

Status : Declined
over 1 year ago

When running Service Manager as a service on Windows Server,
sm.exe currently needs to be run as a user who is a member of the "Administrators" group.

This is a potential high risk because the user (often called a service account) has full admin rights on this Windows server. Therefore this user has MUCH MORE rights than it actually requires to run sm.exe.

Being a member of the "Administrators" group is actually not needed for the service account.
It would be sufficient to have the right "SeCreateGlobalPrivilege" to create shared memory objects.

Request:
Adjust the required condition for a user to run sm.exe. Remove the requirement to be a member of the "Administrators" group and add the requirement to have the "SeCreateGlobalPrivilege" right.

Pros of this solution:
- sm.exe can be run as a service account which is NOT a member of the Administrators group
- the "high risk" of the service account being a member of the Administrators group is mitigated

Cons of this solution:
- none


  • I think that Micro Focus should document the minimum required privileges for running Service Manager on Windows and Linux. Minimizing the privileges granted to run an application is a standard IT security policy.

    The requirement of local administrator rights is a set of privileges. Hence this is not minimized.

  • According to our Windows Administrator, there exists NO privilege that can only be granted to the Administrators group.
    Please provide a full list of the needed requirements. Only mentioning that "more" are needed or that "SeCreateGlobalPrivilege" is not enough does not help.
    For sure, an alternative method exists to avoid requiring the service account running sm.exe to be a member of the Administrators group.
    We are still convinced that the idea to run sm.exe as a user who is not a member of Administrators is possible if this user (service account) is granted the proper privileges (and this can be achieved in other ways than being a member of the Administrators group).

    Actually, with the current implementation, the service account user under which SM runs does have WAY TOO MUCH rights. This causes security risks/concerns.

    Please reconsider this idea.

  • Creating shared memory objects is one of many tasks during SM startup, and there are also other activities that require other privileges when calling other processes while SM is running. So only providing "SeCreateGlobalPrivilege" is not enough. And per my test results, there are many other privileges that only the Administrators group can be granted. This idea is not suitable for Service Manager.
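The state this thread argues about can be measured on a given server: which account the service logs on as, whether that account sits in the local Administrators group, and which user rights (including "SeCreateGlobalPrivilege") are assigned to it. The PowerShell below is an added example, not part of the original posts and not vendor code; the service name `ServiceManagerSvc` is a placeholder, and the script reports only direct group membership and directly assigned rights.

```powershell
# Added example: least-privilege audit of a Windows service's logon account.
# 'ServiceManagerSvc' is a placeholder; pass the name your sm.exe service is registered under.
# Run elevated: secedit needs administrative rights to export the local security policy.
param([string]$ServiceName = 'ServiceManagerSvc')

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# StartName is '.\name' for local accounts and 'LocalSystem' for the SYSTEM account.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# S-1-5-32-544 is BUILTIN\Administrators. Only direct members are listed;
# membership through a nested domain group is not expanded here.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

# Export the user rights assignment and collect every right that names the account.
# Holders appear as '*<SID>' or as an account name; rights held via a group are not resolved.
$cfg = Join-Path $env:TEMP "user_rights_$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        if ($holders -contains $sid -or $holders -contains $account) { $right }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]@{
    Service                      = $ServiceName
    Account                      = $account
    DirectMemberOfAdministrators = $isAdmin
    HasSeCreateGlobalPrivilege   = $rights -contains 'SeCreateGlobalPrivilege'
    DirectlyAssignedRights       = $rights -join ', '
}
```

On default installations "SeCreateGlobalPrivilege" is granted to the Administrators and SERVICE groups rather than to individual accounts, so a `False` here means only that the right is not assigned to the account by name.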