SM-9.6x (and future): allow sm.exe to be run as user not being member of Administrators

Idea ID 2707315

SM-9.6x (and future): allow sm.exe to be run as user not being member of Administrators

When running Service Manager as a Service on Windows Server,
currently sm.exe needs to be run as user which is member of the "Administrators" group.

This is a potential high risk because the user (often called service account) has full admin rights on this windows server. Therefore this user has MUCH MORE rights than it actually requires to run sm.exe.

Being member of the "Administrators" group is actually not needed for the service account.
It would be sufficient to have the rights "SeCreateGlobalPrivilege" to create shared memory objects.

Request:
Adjust the required condition for a user to run sm.exe. Remove the requirement to be member of "Administrators" group and add requirement to have "SeCreateGlobalPrivilege" right.

Pros of this solution:
- sm.exe can be run as a service account which is NOT member of Administrators group
- the "high risk" of the service account being member of Administrator group is mitigated

Cons of this solution:
- none

Tags (1)
5 Comments
Respected Contributor.
Respected Contributor.

good idea!

Micro Focus Contributor
Micro Focus Contributor

Create shared memory objects is one of many tasks during start SM and there are also other activities require other privileges when call other process during SM Running. So only provide "SeCreateGlobalPrivilege" is not enough. And as my test result, there are many other privileges that only Administrators group can be granted. This idea is not suitable for Service Manager. 

Micro Focus Frequent Contributor
Micro Focus Frequent Contributor
Status changed to: Declined
 
Valued Contributor.. Valued Contributor..
Valued Contributor..

According to our Windows Administrator, there exists NO privilege that can only be granted to Administrators groups.
Please provide a full list of needed requirements. Only mention that "more" are needed or "SeCreateGlobalPrivilege" is not enough does not help.
For sure an alternative method exists to avoid that the service account running sm.exe requires to be member of Administrators group.
We are still convinced that the idea to run sm.exe as user not being member of Administrator is possible if this user (service account) is granted to proper privileges (and this can be achieved on other ways than being member of Administrators group.

Actually, with the current implementation, the service account user under which SM run does have WAY TO MUCH rights. This causes security risks/concerns.

Please reconsider this idea

Micro Focus Expert
Micro Focus Expert

I think that Micro Focus should document the minimum required privileges for running Service Manager on Windows and Linux. Minimizing the privileges granted to run an application is a standard IT security policy.

The requirement of local administrator rights is set of privileges. Hence this is not minimized.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.