RE: [ACFUG Discuss] CF Service Account

2007-08-02 Thread Charlie Arehart
servers. /charlie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason Sent: Wednesday, August 01, 2007 4:58 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account The issue, as I remember, is how JRun implements JAAS. Lib

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Dean H. Saxe
CF should never be run as a high privileged account. Create a low privilege account and run CF under that account. Only allow CF permissions on the filesystem where they are absolutely required. Ensure CF does not have any administrative privileges if they are not used (like using

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Charlie Arehart
, August 01, 2007 12:25 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account CF should never be run as a high privileged account. Create a low privilege account and run CF under that account. Only allow CF permissions on the filesystem where they are absolutely required

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread John Mason
Dean said it and I completely agree. Be very careful not to use the default local system account for this or on an AD account. A web app really doesn't need high level permissions. If you can share why you would need to access shared drives, etc. Maybe we can advise a better way. On the question

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Rob Saxon
Sent: Wednesday, August 01, 2007 1:50 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account Dean said it and I completely agree. Be very careful not to use the default local system account for this or on an AD account. A web app really doesn't need high level permissions

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread John Mason
, 2007 2:05 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account Thank you John and Dean for your feedback. The CF script needs to write the contents of a web form to a folder on another server so that an application on that server can read in the form results

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Charlie Arehart
No value in the resource/sandbox security? :-) /charlie _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Saxon Sent: Wednesday, August 01, 2007 2:05 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account Thank you John and Dean for your

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Dean H. Saxe
, August 01, 2007 3:17 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account Sandbox security is fine when it is backed up by OS-level security. What hack do you refer to? That's a new one on me. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [U]nconstitutional behavior

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Dean H. Saxe
Sent: Wednesday, August 01, 2007 2:59 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account No value in the resource/sandbox security? :-) /charlie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Saxon Sent: Wednesday, August 01, 2007 2:05 PM

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread John Mason
: Wednesday, August 01, 2007 3:17 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account Sandbox security is fine when it is backed up by OS-level security. What hack do you refer to? That's a new one on me. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [U

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Kevin
, August 01, 2007 3:17 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account Sandbox security is fine when it is backed up by OS-level security. What hack do you refer to? That's a new one on me. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [U]nconstitutional

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Dean H. Saxe
Of Dean H. Saxe Sent: Wednesday, August 01, 2007 3:32 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account Well the point is really you can't secure what you don't know about. CF can be a very secure platform if you know how to secure it and write secure code on top

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread John Mason
and server John [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Wednesday, August 01, 2007 4:36 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] CF Service Account If you are using sandbox security, which under

Re: [ACFUG Discuss] CF Service Account

2007-08-01 Thread Dean H. Saxe
? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Mason Sent: Wednesday, August 01, 2007 4:58 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account The issue, as I remember, is how JRun implements JAAS. Lib is actually open

RE: [ACFUG Discuss] CF Service Account

2007-08-01 Thread John Mason
01, 2007 5:01 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] CF Service Account Is there a document or web site with CF security best practices? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Mason Sent: Wednesday, August 01, 2007 4:58 PM