Windows – Apache running as local system account, how to access other network resources

apache-2.2windows

  • Apache 2.2, Windows Server 2003 R2
  • Apache autmatically started as service, log on as local system account
  • different vhosts configured

What (apache module?) do I have to configure so that e.g. a script can
output a file to a application-server in a specific path? The path is
accessible with read and write permissions for a user or group managed by
active directory.
Web server and application server are different machines, both managed by
active directory.

The different vhosts communicate with different hosts on a per file-level
mostly XML or text files.

Switching to a active directory user running the apache process is not a solution!

Best Answer

LocalSystem is, of course, only recognized by the local system's SAM. So it clearly cannot be authenticated by any other server.

You've actually ruled out the typical solution to problems like this: change the account that the Apache service runs as. Create a specific service account in your domain for it (say, "ApacheServiceOnServer1"), make sure it is in no groups whatsoever (not even 'users'), and then add an ACL for ApacheServiceOnServer1 to the specific directories it needs to read/write to. Make sure said ACL has only the exact permissions it needs - for instance, if it doesn't need the ability to delete files in that directory, then do not grant that priv. Pay attention to inheritance, too. In this way, you limit the Apache service's access to only those exact things it needs to do.

If the above is not suitable to you, then you are left with two choices:

1: Your script (which writes to some network share) must include an authentication step, so that it provides creds recognized by the other server.

2: Loosen the security on the share your script is writing to, by allowing the 'Everyone' user to write to it. This will require you to enable the 'Guest' account on the other server.