Modifying PkgSvrSpeedTest$ share access
search cancel

Modifying PkgSvrSpeedTest$ share access

book

Article ID: 256625

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer asked about PkgSvrSpeedTest$ share. Their security team has found that the PkgSvrSpeedTest$ share on all their package servers grants "Everyone" group with Full Control. The share's path is ...\Program Files\Altiris\Altiris Agent\Package Server Agent\PkgSvrSpeedTest.

Questions:

  1. Can the "Everyone" group be restricted to only Read access without breaking any of the Altiris processes that involve this share?
  2. Do you know if we can change the permissions for Everyone on package shares?
     

Environment

ITMS 8.5, 8.6

Resolution

This "PkgSvrSpeedTest$" share has the same permissions as other shares on the Package Server. If the customer wants to strike the permissions, then it is required to uncheck the "Allow anonymous access..." check-box in Package Server Settings (Settings>Notification Server>Site Server Settings>Site Server Settings>Package Service>Package Service Settings).

Then all shares, including "Package Delivery" will be allowed to access only by ACC credentials instead of Everyone. ACC credentials could be set up in Global Settings on SMP Server.

Note:
Per KB 150861 "FAQ on Package Servers":
2.7 - Package Access
Package Service Setting - 'Allow anonymous access to package codebases'
Anonymous access effectively means all authenticated users are allowed when downloading via UNC.  Even if a Package Server in a non-trusted domain has anonymous access enabled on its files, if the ACC account that the Altiris Agent uses to connect anonymously to the UNC source cannot be authenticated, then access with be denied and no download will occur.
When attempting to download via HTTP from a Package Server in a non-trusted domain using anonymous access, the download should occur with no access issues.

 

Package Service is fixing the permissions on shares based on that "Allow anonymous..." checkbox. If a customer changes the "Everyone" group to another one manually, the Package Server will change it back eventually upon the next self fix loop. Proper way is to use the "Allow anonymous access..." check-box. The ACC account is the account intended to use especially for Accessibility on package shares. Using of some other account is not designed. There is a designed choice, whether to use ACC or Everyone/Anonymous for file downloading.

If DACL management is switched OFF (when using "EnableDACLManagement" regkey), then Package Server will not be able to fix and manage any ACL permissions on folders/shares and this will become the customer responsibility. For all the Package Server folders. Use this manual fine tuning with extreme caution.

PkgSvrSpeedTest$ share was used for the same concept as connectionTest.html. PkgSvrSpeedTest$ share was used for speedtest on UNC paths. We will be removing the use of it in ITMS 8.7 release since it is an obsolete legacy speed test. Not used since 8.5 RTM. We will remove the PkgSvrSpeedTest$ folder after upgrade PS to 8.7 version.