On Wednesday 26 June 2002 04:46, George Woltman wrote:
> I've spent a few days fighting with Windows and MFC to make Prime95 run as
> a true Windows NT Service.  That is, when you check the "Start at Bootup"
> menu choice, prime95 is installed as a service.  At next bootup it starts
> before anyone logs in.  At first login, the familiar red icon appears in
> the system tray, and prime95 keeps running even when you log off.
>
> This question is for the serious NT sysadmins out there:  Given that
> Microsoft strongly discourages NT services having a GUI interface, are
> there any problems or security issues I need to worry about?  A GUI service
> must run under the Local System account.  You can still use Hide Icon to
> make the service virtually invisible to all users.

I can't be accused of being a "serious" NT sysadmin. But, with considerable 
experience in general system & network security, I think running _anything_ 
under the local system account is Best Avoided (tm). Unless (a) you trust 
your local users and (b) the process(es) never make or respond to network 
connections. The reason for (b) is pretty obvious; my concerns about (a) are 
based on the fact that some weakness in the application or the libraries it 
calls usually makes it possible for a local user to leverage privileges.

A great deal of development work in the *n*x environment is being put into 
making as little as possible run as root, e.g. in OpenSSH v3.3 (released this 
week) the daemon runs all the network code in user space (as the logged-on 
user, or an unprivileged "dummy" user until login is complete) rather than as 
root. That way, even if anyone does penetrate the armour, they don't have 
root privilege, so the damage they can do to the system is limited.
>
> Even if there are problems, I think this will work well for naive home
> users running WinXP with multiple user accounts.

Yes, in a home situation the risk should be acceptable - provided network 
access is strictly controlled through a properly configured personal 
firewall. (This is of course an absolute necessity in any case if you have a 
permanent network connection e.g. cable modem or xDSL connection.)

But, in an office situation (where Prime95/NTPrime is soaking up waste cycles 
on an office server) I'd be somewhat dubious. 

> My hope is to eliminate the NTsetup and
> NTPrime programs with this feature.

Umm - what is the problem with keeping these? I thought the code was pretty 
well integrated & the extra compilation time cannot be crippling?

Really dumb question - why does a service need a GUI interface at all? mprime 
manages without one! The only real problem with "mprime -m" is that, if you 
change something in the .ini files, you have to stop & restart the service to 
persuade mprime to re-read the .ini files.

Regards
Brian Beesley
_________________________________________________________________________
Unsubscribe & list info -- http://www.ndatech.com/mersenne/signup.htm
Mersenne Prime FAQ      -- http://www.tasam.com/~lrwiman/FAQ-mers
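
An added example, not part of the original messages: a PowerShell audit that lists services running under the Local System account and marks those that are interactive (the GUI case in the question) or whose process holds a listening TCP socket (condition (b) in the reply). It assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and an elevated prompt so process ownership is visible; the `Review` column name is an illustrative choice.

```powershell
# Added example: audit LocalSystem services for interactive (GUI) use and
# for listening TCP sockets. Only TCP is covered, not UDP.

# Map owning process ID -> listening TCP endpoints.
$listeners = @{}
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $procId = [int]$_.OwningProcess
    if (-not $listeners.ContainsKey($procId)) { $listeners[$procId] = @() }
    $listeners[$procId] += ('{0}:{1}' -f $_.LocalAddress, $_.LocalPort)
}

# Services sharing one host process (e.g. svchost.exe) share its listeners,
# so a listener is attributed to the process, not to a single service.
$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $ports = @()
        $svcPid = [int]$_.ProcessId          # 0 when the service is stopped
        if ($svcPid -gt 0 -and $listeners.ContainsKey($svcPid)) {
            $ports = $listeners[$svcPid]
        }
        $interactive = [bool]$_.DesktopInteract
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            Interactive = $interactive
            Listening   = ($ports -join ', ')
            Review      = ($interactive -or $ports.Count -gt 0)
        }
    }

# Services that are interactive or network-facing sort to the top.
$report |
    Sort-Object -Property @{ Expression = 'Review'; Descending = $true }, Name |
    Format-Table -AutoSize
```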
