3

How can I grant an application access to listen on one particular port, without running it as Administrator or disabling UAC?

Per policy, had to transition from an old server (Windows Server 2003) to Windows Server 2012.

The primary purpose of this server is to run a third-party app that listens on a particular (nonstandard) port and responds to requests. (It has to be run manually, it's not a Windows service.)

On the old server, it worked fine running as any old user, as long as the firewall was set to allow that port to open. On 2012, even with the firewall configured to allow it, it has to be run as administrator in order to be allowed to open the port.

I understand the necessity of this for security purposes (arbitrary users shouldn't be able to open arbitrary ports on the server, even if they have login access) but what about when I really do need to allow that access?

Note: I do NOT want the application to run as administrator. I do not want to disable UAC. I want all security measures to remain in place, just allow this one application (it can have its own user account) to be able to open a port and listen on it.

I searched on some promising search terms but only got information about which ports Windows Server 2012 requires for its own services.

EDIT: More information about the application. It just uses plain Winsock with bind() and listen() and accept(). It doesn't use any Windows service like HTTPListener. So how can I track down what's causing the socket to not get opened when run as a normal user?

Andrew Schulman
Snowbody

1 Answer

6

Edited because OP provided more information:

Listening to TCP ports does not require administrator rights. However, some helpers like HTTPListener would require admin rights. In those cases, try configuring a reservation, so that a user can listen on that port.

netsh http add urlacl url=http://+:80/MyUri user=DOMAIN\user

https://msdn.microsoft.com/en-us/library/ms733768.aspx?f=255&MSPPError=-2147217396

In your case, using Winsock, the binding to a port is not triggering UAC or requiring administrator rights. It's something else. A tool I absolutely love when it comes to permission problems is Sysinternals' Process Monitor!

Add a Filter (CTRL+L) "Result is ACCESS DENIED". That will show you all processes that try to access a path, where the process lacks permissions. You can play around with the filters to narrow down the problem.

Daniel
  • 1
    useful information, unfortunately this app just uses plain Winsock and not HTTPListener. I updated my question; what other information would be helpful? – Snowbody Mar 12 '15 at 20:05
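
Added example (not part of the original answer, and not the third-party app's code): a small Python probe that makes the same bind() and listen() calls the question describes. Run under the application's non-admin account, it shows whether the socket layer itself is refusing the port. The function name `probe_bind` and the default port 5000 are placeholders chosen for illustration.

```python
import errno
import socket
import sys

# Winsock error codes, as reported in OSError.winerror on Windows.
WSAEACCES = 10013      # socket access forbidden by its access permissions
WSAEADDRINUSE = 10048  # address/port already in use


def probe_bind(port, host="0.0.0.0"):
    """Try bind() + listen() on host:port like a plain TCP server would.

    Returns "ok", "access_denied", "in_use" or "other:<code>".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return "ok"
    except OSError as e:
        # Prefer the native Winsock code when present, else the C errno.
        code = getattr(e, "winerror", None) or e.errno
        if isinstance(e, PermissionError) or code in (errno.EACCES, WSAEACCES):
            return "access_denied"
        if code in (errno.EADDRINUSE, WSAEADDRINUSE):
            return "in_use"
        return "other:%s" % code
    finally:
        s.close()


if __name__ == "__main__":
    # Placeholder default port; pass the application's real port as argv[1].
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5000
    print(port, probe_bind(port))
```

If this reports `ok` under the application's account, the socket calls are not what is being denied, and the Process Monitor ACCESS DENIED filter from the answer is the next place to look.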