...
Warning: Under Construction
As installed, the SHIBD_IDP system service runs as the “Local System Account”. For obvious reasons, it is preferable to run the service with as few permissions and privileges as possible. In particular, it is important to deny the service the ability to write to the IdP’s own configuration, since that is a point of attack.
This is done after (every) installation and is quite easy to achieve. There are three steps:
...
The created account should have as few privileges and permissions as possible. In particular:
Note: Needs review by someone with proper AD / Windows System Admin expertise.
The account should be a member of “Users”, but not “Administrators” (of any flavor).
The account should have the following rights:
Log on as a service
Deny log on as a batch job
Deny log on locally
Deny log on through Remote Desktop Services
...
Open Regedit. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp
Right click, Permissions, Add..., enter SHIBD_USER, then click “Check Names”, click OK. Allow READ, but NOT full control.
Open Explorer, right click on
C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d
Permissions tab, Advanced, Continue (as elevated).
Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK. Make sure “Type” is “Allow” and “Applies to” is “This folder, subfolders and files”.
Make sure that “Read & Execute”, “List Folder Contents” and “Read” are checked and nothing else.
OK, OK.
Dismiss the window.
Repeat the above for
C:\Program Files (x86)\Shibboleth\IdP\conf
Repeat the above for
C:\Program Files (x86)\Shibboleth\IdP\credentials
Open Explorer, right click on
C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs
Permissions tab, Edit...
Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK. Select “Full control” and then OK.
Dismiss the window.
Repeat for
C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp
Repeat for
C:\Program Files (x86)\Shibboleth\IdP\logs
You may get a warning about “permissions being misordered”. Click on “Edit”, then “Reorder” before continuing as above.
Repeat for
C:\Program Files (x86)\Shibboleth\ProcRun\log
...
Open the services control panel (Control Panel\All Control Panel Items\Administrative Tools\services).
Find the Shibboleth IdP Daemon and double click it. Select the “Log On” tab.
Click on “This account” and fill in the user details.
Stop and restart the service.
Testing and Debugging
...
The service should restart without problems. You should check (with Task Manager) that it is running under the correct account.
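The following PowerShell script is an added example, not part of the Shibboleth project or this page, that checks the outcome of the steps above: the service no longer runs as Local System, the account is not a local administrator, it has no write-class rights on the configuration, credentials, start.d directory or the Procrun registry key, and it does have write access to the log and tmp directories. It assumes the service name is shibd_idp, the account is the local user SHIBD_USER, and Windows PowerShell 5.1 or later.

```powershell
# Added check script (not from the Shibboleth project). Assumed names: service
# shibd_idp, local account SHIBD_USER; set $Account to 'DOMAIN\user' for a domain account.
$Account  = "$env:COMPUTERNAME\SHIBD_USER"
$Base     = 'C:\Program Files (x86)\Shibboleth'
$Problems = @()

# 1. The service must not still run as Local System.
$svc = Get-CimInstance Win32_Service -Filter "Name='shibd_idp'"
if (-not $svc) { $Problems += 'service shibd_idp not found' }
elseif ($svc.StartName -ieq 'LocalSystem') { $Problems += 'service still runs as LocalSystem' }
else { "Service runs as $($svc.StartName), state $($svc.State)" }

# 2. The account must not be a member of the local Administrators group.
if (Get-LocalGroupMember -Group Administrators -Member $Account -ErrorAction SilentlyContinue) {
    $Problems += "$Account is a member of Administrators"
}

# 3. Write-class rights that must be absent on config/credentials and present on logs.
#    GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as raw bits in some inherited ACEs.
$FsWrite  = ([int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete') -bor 0x10000000 -bor 0x40000000
$RegWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, Delete, FullControl'

function Get-AllowBits($Path, $Identity) {
    # OR together the Allow ACEs granted to the identity by name. Rights reaching the
    # account through group membership (e.g. Users) are not expanded; review those separately.
    $bits = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $Identity) {
            $right = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { $ace.FileSystemRights } else { $ace.RegistryRights }
            $bits = $bits -bor [int]$right
        }
    }
    return $bits
}

$ReadOnly = @("$Base\IdP\conf", "$Base\IdP\credentials", "$Base\IdP\jetty-base\start.d")
foreach ($p in $ReadOnly) {
    if ((Get-AllowBits $p $Account) -band $FsWrite) { $Problems += "write access granted on $p" }
}
$ProcrunKey = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp'
if ((Get-AllowBits $ProcrunKey $Account) -band $RegWrite) { $Problems += "write access granted on $ProcrunKey" }

$MustWrite = @("$Base\IdP\logs", "$Base\IdP\jetty-base\logs", "$Base\IdP\jetty-base\tmp", "$Base\ProcRun\log")
foreach ($p in $MustWrite) {
    if (-not ((Get-AllowBits $p $Account) -band $FsWrite)) { $Problems += "no write access on $p (logs will not be written)" }
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

Run it from an elevated PowerShell prompt after restarting the service; any warning points at the step above that needs to be revisited.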
...
If idp-process.log is being written to, then the conversion change has been successful. Otherwise, if the Jetty logs (IdP\jetty-base\logs) are being written, then the issue is with Jetty and those logs will help. Otherwise, if the Procrun logs (Procrun\log) are being written, then they will help. Otherwise, consult the Windows Event log.
If you are using any new or non-standard locations (for instance to cache metadata), then you may need to add ACEs to allow Jetty and the IdP access to them.
...