Apache Server on Windows XP Pro. - Tilted Forum Project Discussion Community

Realizm · 06-07-2003, 05:47 PM

I'm trying to set up Apache server, and I continuously am reading about how it's normally run on an account with Very Very few permissions.

How do I set that up? My apache server starts as a service when the computer turns on...

What kind of permissions would I want toset.. and where.. and how?

Thanks..

chodarama · 06-08-2003, 11:03 PM

which version of apache for windows?

an excerpt from the apache 2.1 documentation at http://httpd.apache.org/docs-2.1/platform/windows.html

By default, all Apache services are registered to run as the system user (the LocalSystem account). The LocalSystem account has no privileges to your network via any Windows-secured mechanism, including the file system, named pipes, DCOM, or secure RPC. It has, however, wide privileges locally.
Never grant any network privileges to the LocalSystem account! If you need Apache to be able to access network resources, create a separate account for Apache as noted below.

You may want to create a separate account for running Apache service(s). Especially, if you have to access network resources via Apache, this is strongly recommended.

1. Create a normal domain user account, and be sure to memorize its password.
2. Grant the newly-created user a privilege of Log on as a service and Act as part of the operating system. On Windows NT 4.0 these privileges are granted via User Manager for Domains, but on Windows 2000 and XP you probably want to use Group Policy for propagating these settings. You can also manually set these via the Local Security Policy MMC snap-in.
3. Confirm that the created account is a member of the Users group.
4. Grant the account read and execute (RX) rights to all document and script folders (htdocs and cgi-bin for example).
5. Grant the account change (RWXD) rights to the Apache logs directory.
6. Grant the account read and execute (RX) rights to the Apache.exe binary executable.

It is usually a good practice to grant the user the Apache service runs as read and execute (RX) access to the whole Apache2 directory, except the logs subdirectory, where the user has to have at least change (RWXD) rights.

If you allow the account to log in as a user and as a service, then you can log on with that account and test that the account has the privileges to execute the scripts, read the web pages, and that you can start Apache in a console window. If this works, and you have followed the steps above, Apache should execute as a service with no problems.
Error code 2186 is a good indication that you need to review the "Log On As" configuration for the service, since Apache cannot access a required network resource. Also, pay close attention to the privileges of the user Apache is configured to run as.

06-07-2003, 05:47 PM	#1 (permalink)
Realizm Insane Location: A fuzzy cloud.	Apache Server on Windows XP Pro. I'm trying to set up Apache server, and I continuously am reading about how it's normally run on an account with Very Very few permissions. How do I set that up? My apache server starts as a service when the computer turns on... What kind of permissions would I want toset.. and where.. and how? Thanks..

06-08-2003, 11:03 PM	#2 (permalink)
chodarama Insane Location: a van, down by the river	which version of apache for windows? an excerpt from the apache 2.1 documentation at http://httpd.apache.org/docs-2.1/platform/windows.html By default, all Apache services are registered to run as the system user (the LocalSystem account). The LocalSystem account has no privileges to your network via any Windows-secured mechanism, including the file system, named pipes, DCOM, or secure RPC. It has, however, wide privileges locally. Never grant any network privileges to the LocalSystem account! If you need Apache to be able to access network resources, create a separate account for Apache as noted below. You may want to create a separate account for running Apache service(s). Especially, if you have to access network resources via Apache, this is strongly recommended. 1. Create a normal domain user account, and be sure to memorize its password. 2. Grant the newly-created user a privilege of Log on as a service and Act as part of the operating system. On Windows NT 4.0 these privileges are granted via User Manager for Domains, but on Windows 2000 and XP you probably want to use Group Policy for propagating these settings. You can also manually set these via the Local Security Policy MMC snap-in. 3. Confirm that the created account is a member of the Users group. 4. Grant the account read and execute (RX) rights to all document and script folders (htdocs and cgi-bin for example). 5. Grant the account change (RWXD) rights to the Apache logs directory. 6. Grant the account read and execute (RX) rights to the Apache.exe binary executable. It is usually a good practice to grant the user the Apache service runs as read and execute (RX) access to the whole Apache2 directory, except the logs subdirectory, where the user has to have at least change (RWXD) rights. If you allow the account to log in as a user and as a service, then you can log on with that account and test that the account has the privileges to execute the scripts, read the web pages, and that you can start Apache in a console window. If this works, and you have followed the steps above, Apache should execute as a service with no problems. Error code 2186 is a good indication that you need to review the "Log On As" configuration for the service, since Apache cannot access a required network resource. Also, pay close attention to the privileges of the user Apache is configured to run as.