NTFS Permissions for a secured Notification Server environment

Article ID: 180471

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

Note: This was validated against NS 6.0 SP3.

Question
What are the most common NTFS permissions (rights) for the Notification Server?

Answer
Local Security Policies

Security Policies are set by going to Administrative Tools > Local Security Policy. Browse down into the Local Security, and select User Rights Assignment. The account being used for the Application Identity and the ASP.NET account need the following rights:

  • Access this computer from the network
  • Act as Part of the OS
  • Impersonate a client after authentication
  • Logon as a batch job
  • Logon locally

NTFS Permissions

Verify the security of the Documents and Settings folder as follows:

  • The Network Service user with Full Control permissions.

Verify the security of the Program Files\Common Files folder as follows:

  • The Network Service user with List, Read, and Execute permissions.
  • The IUSR_% user with List, Read, and Execute permissions.
  • The IIS_WPG group with List, Read, and Execute permissions.

Verify the security of the Inetpub folder as follows:

  • The Network Service user with List, Read, and Execute permissions

Verify the security of the Inetpub\wwwroot folder as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %windir%\Microsoft.NET\Framework\v1.1.4322 folder as follows:

  • The Network Service user with Full Control permissions

Verify the security of the %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll file as follows:

  • The IUSR_% user with Read and Execute permissions
  • The IIS_WPG group with Read and Execute permissions

Verify the security of the %windir%\Help, %windir%\Assembly, and %windir%\Fonts folders as follows (use the Ctrl key to select all three folders at once, then click Properties on Help or Fonts, not Assembly):

  • The Network Service user with List, Read, and Execute permissions

Verify the security of the %windir%\WinSxS folder as follows:

  • The Network Service and/or the ASP.NET user with List, Read, and Execute permissions

Verify the security of the %windir%\Temp, %systemroot%\temp, %systemroot%\tmp, %windir%\Registration, and %windir%\Debug folders (use the Ctrl key to select all folders at once) as follows:

  • The Network Service user with Full Control permissions

Verify the security of the %windir%\IIS Temporary Compressed Files folder as follows:

  • The Network Service user with Full Control permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %windir%\System32 folder as follows:

  • The Network Service user with List, Read, and Execute permissions
  • The Local Service group with List, Read, and Execute permissions

    Note: Local Service is a hidden group.

Verify the security of the %windir%\System32\MsDtc folder as follows:

  • The Local Service group with Modify, List, Read, Execute, and Write.
  • The Network Service group with Modify, List, Read, Execute, and Write.

Verify the security of the %windir%\System32\Inetsrv folder as follows:

  • The Network Service user with Full Control permissions
  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %windir%\Help\iisHelp\common folder as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %NSinstallpath%\Altiris folder as follows:

  • The Network Service user with List, Read, and Execute permissions

Verify the %NSinstallpath%\Altiris\Altiris Web folder security as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %NSinstallpath%\Notification Server\Logs folder as follows:

  • The Network Service user with Full Control permissions
  • The IUSR_% user with Full Control permissions
  • The IIS_WPG group with Full Control permissions

Verify the security of the %NSinstallpath%\Notification Server\NScap\Bin and Notification Server\NScap\Help folders as follows (use the Ctrl key to select both folders at once):

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %NSinstallpath%\Notification Server\NScap\EvtInbox folder as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

    Note: The IUSR_% user and local Users group will require Full Control of this folder if stand-alone inventory is to be posted to the Notification Server.

Verify the security of the %NSinstallpath%\Notification Server\NScap\EvtQFast, Notification Server\NScap\EvtQLarge, Notification Server\NScap\EvtQSlow, Notification Server\NScap\EvtQueue, and Notification Server\NScap\Temp folders (use the Ctrl key to select all of the folders at once) as follows:

  • The Network Service user with Full Control permissions
  • The IUSR_% user with Write and Modify permissions
  • The IIS_WPG group with Write and Modify permissions

Verify the security of the %NSinstallpath%\Notification Server\Agent folder as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

Verify the security of the %NSinstallpath%\Notification Server\Bin\Aexloglib.dll and Notification Server\Bin\AeXNSEventRouter.dll files as follows:

  • The IUSR_% user with Read and Execute permissions
  • The IIS_WPG group with Read and Execute permissions

Verify the security of the %NSinstallpath%\Notification Server\Bin\Isapi folder as follows:

  • The IUSR_% user with List, Read, and Execute permissions
  • The IIS_WPG group with List, Read, and Execute permissions

  1. At the command prompt, run "C:\Windows\Microsoft.Net\Framework\v1.1.4322\aspnet_regiis.exe -i".
  2. At the command prompt, run the "iisreset" command.

Note: Items 1 and 2 should be run after any NTFS permissions change.

 

Note: Permissions on the %NSInstallPath%\Altiris folders and files will be reset back to their defaults if a Notification Server repair is run.
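
The folder checks above can be audited without opening each Properties dialog. The following is an added example, not part of the original article or the product: a read-only PowerShell script that compares a few of the listed folders against their listed rights and reports where the ACL grants less or more than listed. $NSInstallPath is a placeholder, the identity patterns assume an English-language system, and only ACEs that name the identity directly are counted (rights gained through group membership are not).

```powershell
# Added example: read-only audit of a few ACLs listed above. It changes nothing.
# $NSInstallPath is a placeholder (assumption); set it to the real install path.
$NSInstallPath = 'D:\NSInstallPath-placeholder'
$fsr = [System.Security.AccessControl.FileSystemRights]
$ns  = "$NSInstallPath\Notification Server"
$checks = @(
    @{ Path = "$env:windir\System32\Inetsrv"; Who = '*\NETWORK SERVICE'; Rights = 'FullControl' },
    @{ Path = "$env:windir\System32\Inetsrv"; Who = '*\IUSR_*';          Rights = 'ReadAndExecute' },
    @{ Path = "$env:windir\System32\Inetsrv"; Who = '*\IIS_WPG';         Rights = 'ReadAndExecute' },
    @{ Path = "$ns\Logs";                     Who = '*\IUSR_*';          Rights = 'FullControl' },
    @{ Path = "$ns\NScap\EvtInbox";           Who = '*\IUSR_*';          Rights = 'ReadAndExecute' },
    @{ Path = "$ns\NScap\EvtQueue";           Who = '*\IIS_WPG';         Rights = 'Modify' }
)

function Get-AllowMask($Path, $Who) {
    # OR together the Allow ACEs that apply to the object itself (not inherit-only).
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $inheritOnly = [int]$ace.PropagationFlags -band 2   # PropagationFlags.InheritOnly
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $ace.IdentityReference.Value -like $Who) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}

# Synchronize is added automatically by Windows and is ignored when judging "broader".
$sync = [int]$fsr::Synchronize
$checks | ForEach-Object {
    $need = [int]($_.Rights -as $fsr)
    $have = 0
    if (-not (Test-Path -Path $_.Path)) {
        $status = 'PATH NOT FOUND'
    } else {
        $have = Get-AllowMask $_.Path $_.Who
        if (($have -band $need) -ne $need) {
            $status = 'MISSING RIGHTS'
        } elseif ($have -band (-bnot ($need -bor $sync))) {
            $status = 'BROADER THAN LISTED'
        } else {
            $status = 'OK'
        }
    }
    New-Object PSObject -Property @{
        Status = $status; Identity = $_.Who; Listed = $_.Rights
        Granted = [Enum]::ToObject($fsr, $have); Path = $_.Path
    }
} | Select-Object Status, Identity, Listed, Granted, Path | Format-Table -AutoSize
```

Running it before and after a Notification Server repair shows which of the listed permissions the repair reset.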