Service Account Rights

norkmeister
New user
Posts: 5
Joined: 2012-09-10 07:16

Service Account Rights

Post by norkmeister » 2012-09-10 07:23

Hi,

I've just started using this product and wanted to know what the minimum permissions are and where they are required to run the service account with least privilege. I note that it installs as LOCAL SYSTEM and so have been adding the service account as a member of the local Administrators group, but I'd prefer to have an account with less privilege if it is supported. Is this documented anywhere?

Regards,
Jeremy.

mattg
Moderator
Posts: 20293
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Service Account Rights

Post by mattg » 2012-09-10 08:10

What exactly are you hoping to achieve?
Why are you adding this user to the administrator group?
What is wrong with the default 'system' user (unless you have remote storage and/or remote database)?

In answer...
The user that the service runs under will need:-
read / write access to the database (whichever database you choose)
read / write access to the data directory
Read only access to the rest of the hMailServer branch of the file system

You should also allow only ports through the firewall, not the program.

There may be other things required if you use a webmail.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
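
Added example, not part of mattg's post or the hMailServer documentation: one way to apply the file-system part of the list above to a dedicated service account and then read the result back. The account name, install path and data directory location are assumptions; substitute the values from your own installation.

```powershell
# Added example. Assumptions (not from the thread): the account name,
# the install path and the location of the data directory.
$Account    = 'MAILHOST\svc-hmail'                   # hypothetical service account
$InstallDir = 'C:\Program Files (x86)\hMailServer'   # assumed install path
$DataDir    = Join-Path $InstallDir 'Data'           # assumed data directory

function Grant-FolderRight {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Add an inheritable Allow rule; existing entries on the folder are kept.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# "Read only" for the program branch. ReadAndExecute is used here rather than
# plain Read because the service binary is started from this tree.
Grant-FolderRight -Path $InstallDir -Identity $Account -Rights 'ReadAndExecute'

# Read / write for the data directory only.
Grant-FolderRight -Path $DataDir -Identity $Account -Rights 'Modify'

# Read the ACLs back and list every entry that names the account, so an
# unexpected FullControl or a missing entry is visible immediately.
foreach ($p in $InstallDir, $DataDir) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $p } },
                      FileSystemRights, AccessControlType, IsInherited
}

# The account should not be in the local Administrators group once the
# rights above are in place; list the members to confirm.
net.exe localgroup Administrators
```

The database read / write permission is granted on the database server itself and is not covered by this script.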

norkmeister
New user
Posts: 5
Joined: 2012-09-10 07:16

Re: Service Account Rights

Post by norkmeister » 2012-09-10 08:46

mattg wrote: What exactly are you hoping to achieve?
Why are you adding this user to the administrator group?
What is wrong with the default 'system' user (unless you have remote storage and/or remote database)?

In answer...
The user that the service runs under will need:-
read / write access to the database (whichever database you choose)
read / write access to the data directory
Read only access to the rest of the hMailServer branch of the file system

You should also allow only ports through the firewall, not the program.

There may be other things required if you use a webmail.

Correct. I want to use a remote SQL server with Windows authentication and not use the Computer Account to provide access. Thanks for the info.
