Hello Heiko,

> The idea to have the service do the privileged operations instead of just
> starting openvpn as "Local System" (or whatever) came from the fear of
> privilege escalation in the scripts that are run by openvpn.

Scripting is a point, but as long as the administrator installs openvpn + config + script to a folder that is non-writable for users there should be no problem. From a hacker's point of view (send malicious packets to openvpn client to exploit a bug) least privileges is a very good idea.

> So, at least I care that it's not running in privilege mode. Your point is
> invalid. =P

I created a new user "openvpn", only group membership "network configuration operator", and gave him the right to log on as a service. Now openvpnserver.exe runs as user openvpn and it works. According to MS, members of this group can't do too much harm: http://support.microsoft.com/kb/297938

greetings
Carsten
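The two conditions discussed in this message (service not running as Local System, and an install folder that users cannot write to) can be checked with a read-only audit like the one below. It is an added example, not part of the original message or of the OpenVPN project. The service name and folder are placeholders because the thread does not give them, and the list of trusted writers is an assumption to adjust locally.

```powershell
# Added example: read-only audit, changes nothing. Both defaults are placeholders.
param(
    [string]$ServiceName = '<openvpn-service-name>',
    [string]$InstallDir  = '<openvpn-install-folder>'
)
$findings = @()

# 1. The service should run as a dedicated user, not as Local System.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$user = ($svc.StartName -split '\\')[-1]
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    $findings += "Service runs as $($svc.StartName)"
} else {
    # 2. Group membership of the service user. Well-known SIDs are used because
    #    the group names are localised: S-1-5-32-544 = Administrators,
    #    S-1-5-32-556 = Network Configuration Operators.
    $inGroup = { param($sid) [bool](Get-LocalGroupMember -SID $sid |
        Where-Object { ($_.Name -split '\\')[-1] -eq $user }) }
    if (& $inGroup 'S-1-5-32-544') { $findings += "$user is a member of Administrators" }
    if (-not (& $inGroup 'S-1-5-32-556')) {
        $findings += "$user is not in Network Configuration Operators"
    }
}

# 3. Binaries, config and scripts must be writable only by trusted principals.
#    Assumed trusted: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$r = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($r::Write -bor $r::Delete -bor $r::DeleteSubdirectoriesAndFiles -bor
    $r::ChangePermissions -bor $r::TakeOwnership) -bor 0x50000000  # + GENERIC_WRITE, GENERIC_ALL
$sidType = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
foreach ($item in $items) {
    $aces = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Allow' -and
            -not $ace.PropagationFlags.HasFlag($inheritOnly) -and  # applies to this object
            ([int]$ace.FileSystemRights -band $writeMask) -and
            $ace.IdentityReference.Value -notin $trusted) {
            $findings += "$($item.FullName): $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}
$findings   # empty output means none of the checks failed
```

The "log on as a service" right is not covered here, since Windows PowerShell has no built-in cmdlet to read user rights assignments.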