Security – Allowing LocalSystem access to network folder


Background

We have a Windows service running under the LocalSystem account running on a server. We have a separate server holding attachments for our application that may contain PHI. Today this attachments folder is not accessible to our Windows service. We cannot control the server or what applications are installed on this server.

What we want to do

We want to have access to this attachments folder from our Windows service.

Our proposed solution

We are considering recommending our clients grant the LocalSystem account access to this attachments folder. It is my understanding that this will allow all services access to this folder along with anything on that server impersonating the LocalSystem account.

My concerns

Since we are not in control of this server, other applications will be running on this server, possibly under the LocalSystem account. Other applications may have public-facing IIS websites configured using the LocalSystem account (hopefully not). The point being, I am worried about recommending something that could cause these PHI documents to be accessed in an unintended way. I would much prefer a dedicated network account being built, but I am trying to understand if my concern is warranted about granting the LocalSystem account access.

My question

Would this be considered bad practice? Does this open us up to more security risks?

Best Answer

You have two options here: you can create a service account just to access the attachment folder (remember to set the service to run with this service account), or you can use the server (where the service is running under the LocalSystem account) to access the attachment folder. Remember, you will need to grant access to the machine account (the server where you're running LocalSystem) to the attachment folder. Make sure to allow permissions to the shared file if you are using DFS management.

Suggestions: If you want to increase the security between the attachment folder and the LocalService server, you can:

  1. Set a rule on your firewall (to manage the traffic between the server and the attachment folder).

  2. Turn on the Auditing Logs on the attachment folder.

  3. Also, if you have nice antivirus software, you can set rules to allow or deny permissions on the attachment folder.
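
The machine-account option with auditing turned on, as an added PowerShell example that is not part of the answer above, meant to be run in an elevated session on the file server. The domain, server name, share name, folder path and the read-only access level are all assumptions (placeholders), not values from the post.

```powershell
# Added example. Every name below is a placeholder, not a value from the post.
$Folder    = 'D:\Attachments'      # assumed local path of the attachments folder
$ShareName = 'Attachments'         # assumed SMB share name
$Machine   = 'CONTOSO\APPSRV01$'   # assumed computer account of the server running the service

# LocalSystem authenticates to remote resources as the computer account
# (DOMAIN\HOSTNAME$), so this grant applies to every LocalSystem process
# on APPSRV01, not only the one service. Keep the rights as narrow as possible.

# 1. Share-level permission: read-only (assumption: the service only reads).
Grant-SmbShareAccess -Name $ShareName -AccountName $Machine -AccessRight Read -Force

# 2. NTFS permission: read-only, inherited by subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$allow   = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $Machine, $rights, $inherit, $prop,
               [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($allow)
Set-Acl -Path $Folder -AclObject $acl

# 3. Auditing: add a SACL entry so reads, writes and deletes by the
#    computer account are logged (successes and failures).
$auditRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
             $Machine, $auditRights, $inherit, $prop, $auditFlags)
$sacl = Get-Acl -Path $Folder -Audit
$sacl.AddAuditRule($audit)
Set-Acl -Path $Folder -AclObject $sacl

# The SACL only produces events once the "File System" audit subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Review what the computer account can now do and what is audited.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -eq $Machine } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
```

With this in place, access to the folder by the computer account appears in the file server's Security log as event ID 4663, where the process name field helps tell the intended service apart from other LocalSystem processes.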