...

Warning: Under Construction


As installed, the SHIBD_IDP system service runs as the “Local System” account. For obvious reasons, it is preferable to run the service with as few permissions and privileges as possible. In particular, it is important to deny the service the ability to write to the IdP’s own configuration, since a service that can rewrite its own configuration is a point of attack.

This must be done after every installation and is quite easy to achieve. There are three steps:

...

The created account should have as few privileges and permissions as possible. In particular:

Note: Needs review by someone with proper AD / Windows System Admin expertise

  • The account should be a member of “Users”, but not of “Administrators” (of any flavor)

  • The account should have the following user rights

    • Log on as a service

    • Deny log on as a batch job

    • Deny log on locally

    • Deny log on through Remote Desktop Services
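The account creation and user-rights assignment above can be scripted instead of done by hand. The following PowerShell is an added example, not code from the Shibboleth wiki or project; it assumes a local account named SHIBD_USER, is run from an elevated shell, and uses secedit to assign the four rights listed above (secedit works on SIDs and replaces each right's whole assignment, so the existing assignment is exported first and the new SID appended to it).

```powershell
# Added example (not from the Shibboleth wiki): create a least-privilege local
# service account and assign the user rights named on this page.
# Assumed name: SHIBD_USER. Run from an elevated PowerShell session.
$AccountName = 'SHIBD_USER'
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Create the account if missing; it should only ever be a member of Users.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Shibboleth IdP service account' | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $AccountName
}
# Fail loudly if the account has ended up in any Administrators group.
if (Get-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue) {
    throw "$AccountName must not be a member of Administrators"
}

# 2. Assign user rights. secedit identifies accounts by SID.
$sid  = (Get-LocalUser -Name $AccountName).SID.Value
$work = Join-Path $env:TEMP 'shibd-rights'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Export the current assignments so nothing already granted is lost.
$exported = Join-Path $work 'current.inf'
secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
$exportedLines = Get-Content $exported

# The four rights from the list above, by their policy constant names.
$rights = @(
    'SeServiceLogonRight',               # Log on as a service
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

# Build "Right = existing,*SID" lines, appending our SID only if absent.
$privLines = foreach ($right in $rights) {
    $existing = $exportedLines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $values   = if ($existing) { ($existing -split '=', 2)[1].Trim() } else { '' }
    if ($values -notmatch [regex]::Escape("*$sid")) {
        $values = if ($values) { "$values,*$sid" } else { "*$sid" }
    }
    "$right = $values"
}

# Minimal security template containing only the privilege-rights area.
$template = Join-Path $work 'shibd-rights.inf'
@(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
) + $privLines | Set-Content -Path $template -Encoding Unicode

secedit /configure /db (Join-Path $work 'shibd-rights.sdb') /cfg $template /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
```

The deny rights are what stop the account from being useful for anything other than running the service: even if its password leaks, it cannot log on interactively, over RDP, or as a batch job. On a domain-joined machine, Group Policy may overwrite local rights assignments at the next refresh, so check the effective policy after a `gpupdate` as well.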

...

  1. Open Regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp

    • Right click, Permissions, Add..., enter SHIBD_USER, then click “Check Names”, click OK

    • Allow Read, but NOT Full Control

  2. Open Explorer, right click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d

    • Permissions tab, Advanced, Continue (as elevated)

    • Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK

    • Make sure “Type” is “Allow” and “Applies to” is “This folder, subfolders and files”

    • Make sure that “Read & execute”, “List folder contents”, and “Read” are checked and nothing else

    • OK, OK

    • Dismiss window

  3. Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\conf

  4. Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\credentials

  5. Open Explorer, right click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs

    • Permissions tab, Edit…

    • Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK

    • Select “Full control” and then OK

    • Dismiss window

  6. Repeat for C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp

  7. Repeat for C:\Program Files (x86)\Shibboleth\IdP\logs

    • You may get a warning about “permissions being misordered”. Click on “Edit”, then “Reorder” before continuing as above

  8. Repeat for C:\Program Files (x86)\Shibboleth\ProcRun\log
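Steps 1 to 8 can also be applied with PowerShell, which makes the result repeatable after each reinstall and easy to audit. This is an added example, not code from the Shibboleth wiki or project; it assumes the default install root under C:\Program Files (x86)\Shibboleth, a local account named SHIBD_USER, and an elevated shell. Read-only access (Read & execute, which includes List folder contents and Read) goes on configuration, credentials and start.d; Full control goes only on the directories the service must write.

```powershell
# Added example (not from the Shibboleth wiki): apply the ACEs from steps 1-8.
# Assumptions: default install root, local account SHIBD_USER, elevated session.
$Account = "$env:COMPUTERNAME\SHIBD_USER"
$Root    = 'C:\Program Files (x86)\Shibboleth'

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; return }
    $acl = Get-Acl -LiteralPath $Path
    # "This folder, subfolders and files" is ContainerInherit + ObjectInherit.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    # SetAccessRule replaces any existing explicit Allow ACE for this account,
    # so re-running the script never stacks up duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Steps 2-4: read-only on what the service must never be able to modify.
foreach ($dir in 'IdP\jetty-base\start.d', 'IdP\conf', 'IdP\credentials') {
    Grant-FolderAccess -Path (Join-Path $Root $dir) -Rights 'ReadAndExecute'
}

# Steps 5-8: write access only where the service legitimately writes.
foreach ($dir in 'IdP\jetty-base\logs', 'IdP\jetty-base\tmp', 'IdP\logs', 'ProcRun\log') {
    Grant-FolderAccess -Path (Join-Path $Root $dir) -Rights 'FullControl'
}

# Step 1: the Procrun service definition may be read but not changed, otherwise
# the account could alter what the service launches at the next start.
$key  = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp'
$acl  = Get-Acl -LiteralPath $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -LiteralPath $key -AclObject $acl

# Audit: list every explicit ACE for the account so the result can be eyeballed.
foreach ($p in @($key) + (Get-ChildItem -LiteralPath (Join-Path $Root 'IdP') -Directory -Recurse | ForEach-Object FullName)) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*SHIBD_USER' } |
        ForEach-Object { '{0,-70} {1}' -f $p, $_.FileSystemRights }
}
```

The audit loop at the end is the check worth keeping around: any directory under conf or credentials that shows Modify or FullControl for SHIBD_USER means the service can rewrite its own configuration again.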

...

Arrange for the service to run as SHIBD_USER

  • Open the Services control panel (Control Panel\All Control Panel Items\Administrative Tools\Services)

  • Find the Shibboleth IdP Daemon and double click

  • Select the “Log On” tab.

  • Click on “This account” and fill in the user details

  • Stop and restart the service

Testing and Debugging

...

The service should restart without problems. You should check (with Task Manager) that it is running under the correct account.

...

  1. If idp-process.log is being written to, then the change has been successful

  2. Otherwise, if the Jetty logs (IdP\jetty-base\logs) are being written, then the issue is with Jetty and those logs will help

  3. Otherwise, if the Procrun logs (ProcRun\log) are being written, then they will help

  4. Otherwise, consult the Windows Event log.
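The service change above and the four-step log check can be done together from PowerShell. This is an added example, not code from the Shibboleth wiki or project; it assumes the service is registered as shibd_idp, the account is a local SHIBD_USER, idp-process.log lives in IdP\logs under the default install root, and the shell is elevated. It reconfigures the logon account with sc.exe, confirms the running process owner (the same thing Task Manager shows), then walks down the log chain in the order given above and falls back to the Windows Event log if nothing was written.

```powershell
# Added example (not from the Shibboleth wiki): switch the service account and
# run the checks from "Testing and Debugging".
# Assumptions: service name shibd_idp, local account SHIBD_USER, default root.
$ServiceName = 'shibd_idp'
$Account     = '.\SHIBD_USER'
$Root        = 'C:\Program Files (x86)\Shibboleth'

$cred  = Get-Credential -UserName $Account -Message "Password for $Account"
$plain = $cred.GetNetworkCredential().Password

Stop-Service -Name $ServiceName -Force
# sc.exe requires the space after "obj=" and "password=".
sc.exe config $ServiceName obj= $Account password= $plain | Out-Null
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
$since = Get-Date
try   { Start-Service -Name $ServiceName }
catch { Write-Warning "Start-Service failed: $($_.Exception.Message)" }

# Check that the service process really runs as the intended account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
'{0}: state={1} configured account={2} pid={3}' -f $svc.Name, $svc.State, $svc.StartName, $svc.ProcessId
if ($svc.ProcessId) {
    $owner = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)" |
             Invoke-CimMethod -MethodName GetOwner
    'process owner: {0}\{1}' -f $owner.Domain, $owner.User
    if ($owner.User -ne 'SHIBD_USER') { Write-Warning 'Service is NOT running as SHIBD_USER' }
}

# Walk the log chain: the first location written since the restart shows how
# far start-up got (IdP > Jetty > Procrun), and is where to read first.
$logs = [ordered]@{
    'IdP process log (idp-process.log)' = Join-Path $Root 'IdP\logs\idp-process.log'
    'Jetty logs (IdP\jetty-base\logs)'  = Join-Path $Root 'IdP\jetty-base\logs'
    'Procrun logs (ProcRun\log)'        = Join-Path $Root 'ProcRun\log'
}
$found = $false
foreach ($entry in $logs.GetEnumerator()) {
    $recent = Get-ChildItem -LiteralPath $entry.Value -File -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -gt $since }
    if ($recent) {
        "$($entry.Key) written since restart; start there."
        $found = $true
        break
    }
}
if (-not $found) {
    # Nothing written at all: the failure happened before Procrun could log,
    # so the Windows Event log is the only remaining record.
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ServiceName -or $_.ProviderName -match 'Procrun|shibd' } |
        Select-Object TimeCreated, ProviderName, Id, Message | Format-List
}
```

A service that starts but whose process owner is still SYSTEM means the account change was not saved (or a later tool reset it); a service that fails to start with nothing in any log is almost always a logon-right or directory-permission problem, which the Event log entries from the Service Control Manager will name.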

If you are using any new or non-standard locations (for instance to cache metadata), then you may need to add ACEs to those locations to allow Jetty and the IdP access.

...