[Building Sakai] Resources-within-Filesystem on Windows -- SOLVED

Adams, David da1 at vt.edu
Thu May 21 06:09:41 PDT 2009


Dave Ross wrote:
> just a heads up that we've seen instability with this config unless:
>
> 1) Your sakai app server is in a windows domain (along with the share
> you are using)
> 
> 2) Your tomcat is running as a service
> 
> 3) Your tomcat service is running as a user with rights to the share.

Using Active Directory is the best way to deal with a server app running
on a Windows network, if you have the infrastructure. Any service you
install should be running as a minimally privileged user. If your
servers aren't part of a Windows domain, then the sharing should work if
the username and password of the service user matches that of the user
with access to the share on the fileserver, but that becomes troublesome
to keep in sync.

One more note about setting up share authorizations. There are two
layers of authorization used by Windows shares: the filesystem ACLs
themselves and the share permissions. Windows will use the less
permissive of the two to determine what access a particular user has to
files in that share.

The best practice for setting permissions for shared folders is to
remove all existing and inherited permissions from the folder itself,
and add back only what is required to run the application. Typically
that would be granting the Administrators group full control and a group
containing the application user read-write access. The share permissions
should be set to allow only the application group read-write access to
the share.

I'm not familiar with Server 2008, but I seem to recall Windows 2000 or
NT defaulting to "Everyone" with "Full Control" to newly shared
directories, which was a terrible default. The point is that you should
never trust the default settings, although they have improved greatly
over the past 10 years.

Windows permissions feel like a big mess, but they can also be *very*
secure if you understand them. The big thing I miss from when I was a
Windows Server admin is being able to rely on a service account's Active
Directory authentication to run a web app, access network fileshares,
and use databases on SQL Server, all securely, with nary a password in
the code.

-dave
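
The two-layer setup described in the message above, as an added example that is not part of the original post: it strips the folder ACL down to Administrators and one application group, shares the folder to that group only, then lists both layers for review. The path, share name and group are hypothetical placeholders, "read-write" is mapped here to Modify (NTFS) and Change (share) as an assumption, and the SmbShare cmdlets assume an elevated session on Windows Server 2012 or later.

```powershell
# Added example. Placeholder values (not from the thread): adjust before use.
$Path      = 'D:\sakai-content'        # hypothetical folder backing the share
$ShareName = 'SakaiContent'            # hypothetical share name
$AppGroup  = 'EXAMPLE\SakaiAppUsers'   # hypothetical group holding the Tomcat service user

# --- Layer 1: filesystem ACL on the folder itself ---
$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and do not keep copies of the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit ACEs that were already set on the folder.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
# Add back only what the application needs; both ACEs apply to subfolders and files.
$type    = 'System.Security.AccessControl.FileSystemAccessRule'
$inherit = 'ContainerInherit, ObjectInherit'
$admins  = New-Object $type -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'
$app     = New-Object $type -ArgumentList $AppGroup, 'Modify', $inherit, 'None', 'Allow'
$acl.AddAccessRule($admins)
$acl.AddAccessRule($app)
Set-Acl -Path $Path -AclObject $acl

# --- Layer 2: share permissions ---
# Grant Change to the application group only, instead of relying on the default grant.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $AppGroup | Out-Null

# --- Review both layers; effective access is the less permissive of the two ---
$open = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq 'Everyone' }
if ($open) {
    Write-Warning "Share '$ShareName' still grants access to Everyone"
}
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```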


