[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re[2]: bad security setting for win32 tor service



Hi,

BM> encrypted using xp EFS

that's pretty useless for a service-account, the password is somewere
on the harddisk

BM> Is running it as LocalService better?

I'm not sure.

You should delete the membership of the Tor-account in the group
"Users". Then the Toraccount has the same rights as the User Guest.
run: lusrmgr.msc
or
net LOCALGROUP Users <Tor_Service_User> /DELETE

BM> I also had concern with the
BM> service running under the System account, and want to give the
BM> account running the tor service as little permission as possible,
BM> even sandbox it to just the tor directory if possible.

me, too.

MS wrote:
The Local Service account is a special, built-in account that is similar
to an authenticated user account. The Local Service account has the same
level of access to resources and objects as members of the Users group.
This limited access helps safeguard your system if individual services
or processes are compromised. Services that run as the Local Service
account access network resources as a null session with no credentials.

greetings
Carsten

PS: It would be nice if this change goes to the next version of
stable. Running the service with SYSTEM-privileges is a high security
risk.