Background

We have a Windows service running under the LocalSystem account on a server. We have a separate server holding attachments for our application that may contain PHI. Today this attachments folder is not accessible to our Windows service. We cannot control the server or what applications are installed on this server.

What we want to do

We want to have access to this attachments folder from our Windows service.

Our proposed solution

We are considering recommending our clients grant the LocalSystem account access to this attachments folder. It is my understanding that this will allow all services access to this folder along with anything on that server impersonating the LocalSystem account.

My concerns

Since we are not in control of this server, other applications will be running on this server, possibly under the LocalSystem account. Other applications may have public-facing IIS websites configured using the LocalSystem account (hopefully not). The point being, I am worried about recommending something that could cause these PHI documents to be accessed in an unintended way. I would much rather prefer a dedicated network account being built, but I am trying to understand if my concern is warranted about granting the LocalSystem account access.

My question

Would this be considered bad practice? Does this open us up to more security risks?

user4484399
  • I don't think granting access to system will provide the desired end result. You would need to grant access to the computer account that runs the service, assuming they are on the same forest or a trusted domain. – Greg Askew Nov 03 '16 at 20:01
  • @GregAskew It looks like it was accomplished by granting the "Computer" access to the network folder. I don't have a way to verify if it is working though. – user4484399 Nov 03 '16 at 20:32

1 Answer

You have two options here. You can create a service account just to access the attachment folder (remember to set the service to run with this service account), or you can use the server (where the service is running under the LocalSystem account) to access the attachment folder. Remember, you will need to grant access to the machine account (the server where you're running LocalSystem) to the attachment folder. Make sure to allow permissions to the shared file if you are using DFS management.

Suggestions: If you want to increase the security between attachment folder and LocalService server you can:

  1. Set a rule on your firewall (to manage the traffic between the server and the attachment folder).

  2. Turn on the Auditing Logs on the attachment folder.

  3. Also, if you have nice antivirus software, you can set rules to allow or deny permissions on the attachment folder.

HEMAN85
  • I added an edit to explicitly state my concerns. Since my concern is about other applications using that same LocalSystem account, I am guessing those additional suggestions would not help in the event another app/service on that server does something malicious? – user4484399 Nov 03 '16 at 20:23
  • Well, if you grant access to the server account to the attachment folder, definitely someone can run malicious software from the server to the attachment folder. I hope you use a good antivirus to avoid that. I think your best option is to use a service account to allow access to the attachment folder (don't share the service account password). – HEMAN85 Nov 03 '16 at 20:34
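
One way to apply the answer's two options and its auditing suggestion on the file server, as an added example that is not part of the original thread. The domain, account, server, path and share names are placeholders chosen for illustration.

```powershell
# Added example; run in an elevated session on the server that hosts the folder.
# Every name below is a placeholder (assumption), not a value from the thread.
$Folder  = 'D:\Attachments'              # local path of the attachments folder
$Share   = 'Attachments'                 # SMB share that exposes it
$SvcAcct = 'CONTOSO\svc-attach-reader'   # dedicated account the Windows service runs as
$Machine = 'CONTOSO\APPSRV01$'           # computer account of the application server

# Option A: grant only the dedicated service account.
# Option B: set $Principal = $Machine. LocalSystem authenticates over the network
# as the computer account, so every LocalSystem or NetworkService process on
# APPSRV01 would then reach the PHI folder, not just the one service.
$Principal = $SvcAcct

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# NTFS permission: read-only, inherited by subfolders and files.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, $rights, $inherit, $prop,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Audit rule (SACL): log successful and failed reads by any principal, so access
# by something other than the intended service shows up in the Security log.
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', [System.Security.AccessControl.FileSystemRights]::ReadData,
    $inherit, $prop, $auditFlags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit also loads the existing SACL
$acl.AddAccessRule($allow)
$acl.AddAuditRule($audit)
Set-Acl -Path $Folder -AclObject $acl

# The SACL only produces events when file system auditing is enabled in policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Share permission: the effective access is the intersection of share and NTFS rights.
Grant-SmbShareAccess -Name $Share -AccountName $Principal -AccessRight Read -Force

# Review who can reach the folder after the change.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
Get-SmbShareAccess -Name $Share
```

With auditing enabled, reads of the folder are recorded as event ID 4663 in the Security log, including the account name that performed the access.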