Notification Server: A Refresher on File and Folder Permissions


Access to certain files and shares is required for NS Clients to communicate with Notification Server. When Notification Server is installed, default security settings are applied; depending on your needs, you may need to tighten them. This article describes the minimum file and share permissions Notification Server needs in order to work, and the system and network access its resources require, so that you can decide how best to secure the server while still allowing Notification Server to operate.

Minimum File and Share Permissions

Minimum file permissions that are needed for running Notification Server:

  • For the install path\Altiris\eXpress\Notification Server path, set the security for Administrators to 'Full Control' and Everyone to 'Read'.
  • For the install path\Altiris\eXpress\Notification Server\NSCap path, grant 'Full Control' to the local System account, the local Administrators group, and the Altiris application identity account (AeXNS) if it is not a member of the local Administrators group. Optionally, 'Full Control' can also be given to the Domain Admins group.
  • The IUSR_%computername% account (the IIS anonymous user) needs 'Full Control' of the following file queues:
    • install path\Altiris\eXpress\Notification Server\NSCap\EvtInbox
    • install path\Altiris\eXpress\Notification Server\NSCap\EvtQFast
    • install path\Altiris\eXpress\Notification Server\NSCap\EvtQueue

Minimum share permissions that are needed for running Notification Server:

  • For the install path\Altiris\eXpress\Notification Server\NSCap share, set the security for Everyone to 'Read'.
  • For the install path\Altiris\eXpress\Notification Server\NSCap\EvtInbox directory, set the security for Everyone to 'Write' (clients need to write to this directory when doing standalone inventory).
  • For the install path\Altiris\eXpress\Notification Server\NSCap\EvtQFast directory, set the security for Everyone to 'No Access'.
  • For the install path\Altiris\eXpress\Notification Server\NSCap\EvtQueue directory, set the security for Everyone to 'No Access'.
  • For the install path\Altiris\eXpress\Notification Server\NSCap\install directory, set the security for Everyone to 'No Access'.

  Note that effective access over a share is the more restrictive of the share permission and the NTFS permission on the folder, and that share permissions apply to the whole share rather than to individual subfolders. The per-directory entries above therefore have to be enforced with NTFS permissions on those subfolders. Avoid an explicit Deny entry for Everyone: the Everyone group also contains the System account, the administrators and the IIS anonymous account, all of which must still be able to reach EvtQFast and EvtQueue.
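The following PowerShell script is an added example (it is not part of the Altiris article or of the product) that applies the two lists above with Get-Acl/Set-Acl and net share. The install path, the domain name CORP and the application identity account name are assumptions; the IIS anonymous account name follows the IIS 5/6 IUSR_<computername> convention. Because share permissions cannot be set per subfolder, the per-directory share entries are expressed as NTFS entries, "no access" is implemented by removing Everyone's entries rather than adding a Deny, and the share itself is granted Change so that the EvtInbox write can take effect over the network.

```powershell
# Added example; not part of the Altiris article. Applies the minimum NTFS and share
# permissions listed above. Values marked "assumed" are placeholders.
$NsRoot = "C:\Program Files\Altiris\eXpress\Notification Server"  # assumed install path
$Domain = "CORP"                                                  # assumed domain
$AppId  = "$Domain\AeXNS"                                         # assumed application identity account
$Iusr   = "IUSR_$env:COMPUTERNAME"                                # IIS 5/6 anonymous account naming
$NsCap  = Join-Path $NsRoot "NSCap"

$Full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$Read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # "Read" in the UI sense
$Write = [System.Security.AccessControl.FileSystemRights]::Write
$SubfoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"

function Set-FolderAce {
    # Add (or replace) an Allow entry for $Identity on $Path, inherited by subfolders and files.
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $SubfoldersAndFiles,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)          # replaces any earlier Allow entry for the same identity
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-FolderAccess {
    # "No access" for $Identity without an explicit Deny: break inheritance (keeping the
    # inherited entries as explicit copies), then drop every entry for that identity.
    # A Deny on Everyone would also block SYSTEM, the administrators and the IIS account,
    # because they are all members of Everyone.
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl   = Get-Acl -Path $Path
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
    foreach ($r in $rules) { [void]$acl.RemoveAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# --- NTFS: the "minimum file permissions" list ---
Set-FolderAce $NsRoot "BUILTIN\Administrators" $Full
Set-FolderAce $NsRoot "Everyone"               $Read
foreach ($id in "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", $AppId, "$Domain\Domain Admins") {
    Set-FolderAce $NsCap $id $Full
}
foreach ($q in "EvtInbox", "EvtQFast", "EvtQueue") {
    Set-FolderAce (Join-Path $NsCap $q) $Iusr $Full
}

# --- Per-directory entries from the "minimum share permissions" list, expressed as NTFS ---
# Share permissions cover the whole share, so per-folder rules must live in NTFS; the
# effective access over the share is the more restrictive of the two layers.
Set-FolderAce (Join-Path $NsCap "EvtInbox") "Everyone" $Write    # standalone inventory drop box
foreach ($f in "EvtQFast", "EvtQueue", "install") {
    Remove-FolderAccess (Join-Path $NsCap $f) "Everyone"
}

# --- Share: Everyone needs Change at share level or the NTFS Write on EvtInbox can never
# take effect over the network; the NTFS entries above keep the rest of the tree read-only.
# Only created when the share does not already exist (the installer normally creates it).
if (-not (net share | Select-String -Quiet '^NSCap\s')) {
    net share "NSCap=$NsCap" /GRANT:Everyone,CHANGE /REMARK:"Altiris Notification Server" | Out-Null
}

function Show-FolderAccess {
    # Audit helper: list the ACL entries now in force on a folder.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }},
                      FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
foreach ($f in "EvtInbox", "EvtQFast", "EvtQueue", "install") { Show-FolderAccess (Join-Path $NsCap $f) }
```

Run the script from an elevated PowerShell session on the Notification Server. The final loop prints the resulting entries for each queue folder; Everyone should appear only on EvtInbox (Write) and never with Full Control, while the IUSR account should appear on EvtInbox, EvtQFast and EvtQueue.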

System and Network Access

Access to Notification Server resources can be divided into system access and network access. The system requires access to the file system area under the \Program Files\Altiris\eXpress\Notification Server folder and all subfolders. System access is also required for DCOM, the AeXNS COM+ package, the registry, the IIS metabase, and the AeXNS SQL database. Network access is needed to the file system area under the \NSCap subfolder of the Notification Server root folder; network clients reach this folder via the \NSCap UNC share. Network access is also required for the IIS service running on the Notification Server.

System Access

  • NTFS file permissions for 'system' access should be applied to the \Notification Server folder and all subfolders. As a minimum, 'Full Control' should be granted to the Altiris application identity account, the local and domain Administrators groups, and the local System account. Optional: the Backup Operators and Server Operators groups. Not recommended (in the interest of security): any Users group or the Everyone group.
  • In addition, the IUSR_%computername% account (the IIS anonymous user) must always have Read and Execute permissions on the Postevent.asp, GetClientPolicies.asp, and CreateResource.asp files.
  • Domain and local administrators have access to the local registry, DCOM, and the IIS metabase by default. If the Altiris application identity is not a member of these groups, access must be granted to it explicitly in the configuration of each.
  • Access to the AeXNS COM+ package is configured during setup. If the configuration of this package is edited manually, access for the Altiris application identity account (AeXNS) must be preserved.
  • The credentials AeXNS uses to access the SQL database can be configured at setup and through the Web Administration Console. If no account is supplied, the Altiris application identity is used. In a high-security configuration, a separate account rather than the application identity should be used for database access. The SQL administrator account 'sa' is not recommended for this purpose.

Network Access

  • There are three reasons you need access to the NSCap share via its network UNC path: to install the NS Client via a login script or e-mail link, to send the results of standalone inventory to the server, and to download and install solutions from the Solutions Center.

    For standalone inventory, the Everyone group needs write access to the \EvtInbox folder under the NSCap share. Everyone should have read access to the \Bin and \Help subfolders.

  • On the \NSCap folder and all subfolders, 'Full Control' should be granted to the local System account, the local and domain Administrators groups, and the AeXNS application identity.
  • The IIS anonymous account also needs write access to the \EvtQFast and \EvtQueue folders so that Postevent.asp can write event NSEs to the queues when clients post NSE data through IIS. The IIS anonymous account also requires write access to the \logs folder.
  • IP address and domain name restrictions can be applied to the IIS interface on the AeXNS server under the web site properties (Directory Security). Restricting access to only those subnets on which NS Clients and remote management hosts reside is an effective way of limiting external access to the AeXNS system. Restriction by host domain name is also possible, but it can cause a performance problem because every connection then requires a reverse DNS lookup.
  • Further protection can be provided by ACLs on routers and firewalls that restrict TCP/IP traffic to only the desired hosts.
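The following PowerShell script is an added example (not from the Altiris article or the product) of the IP restriction and firewall rules described in the last two points. It assumes IIS 6 with its WMI provider (namespace root\MicrosoftIISv2), that the Notification Server web site is the default web site (metabase path W3SVC/1/ROOT), that the server runs Windows Firewall with Advanced Security (Server 2008 or later) for the netsh part, and the two client subnets shown; all of these are assumptions to adjust for your environment.

```powershell
# Added example; not part of the Altiris article. Restricts the Notification Server web
# site to the subnets where NS Clients and management hosts reside, by IP address only
# (domain-name rules are left empty: each one costs a reverse DNS lookup per connection).
$ClientSubnets = @("10.10.0.0, 255.255.0.0", "10.20.0.0, 255.255.0.0")   # assumed; "address, mask" form

$ipsec = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsIPSecuritySetting `
                       -Filter "Name='W3SVC/1/ROOT'"                     # assumed site ID 1
if (-not $ipsec) { throw "No IP security setting found for W3SVC/1/ROOT; check the site ID." }

$ipsec.GrantByDefault = $false           # "Denied access" by default ...
$ipsec.IPGrant        = $ClientSubnets   # ... except for the granted ranges
$ipsec.IPDeny         = @()
$ipsec.DomainGrant    = @()              # no domain-name restrictions (reverse DNS cost)
$ipsec.DomainDeny     = @()
[void]$ipsec.Put()

function Get-NsIpRestriction {
    # Read back what IIS now enforces for the site root.
    $s = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsIPSecuritySetting `
                       -Filter "Name='W3SVC/1/ROOT'"
    New-Object PSObject -Property @{
        DefaultIsDeny = (-not $s.GrantByDefault)
        Granted       = $s.IPGrant
        Denied        = $s.IPDeny
    }
}
Get-NsIpRestriction

# Defence in depth on the host firewall (assumes Windows Firewall with Advanced Security):
# the same subnets for HTTP/HTTPS and for SMB, which carries the NSCap share. With the
# default inbound action of Block, only traffic matching these rules reaches the server.
$RemoteIp = "10.10.0.0/16,10.20.0.0/16"   # assumed; same ranges as $ClientSubnets in CIDR form
netsh advfirewall firewall add rule name="Altiris NS web (client subnets)" dir=in action=allow protocol=TCP localport="80,443" remoteip=$RemoteIp
netsh advfirewall firewall add rule name="Altiris NS NSCap share (client subnets)" dir=in action=allow protocol=TCP localport=445 remoteip=$RemoteIp
```

Test the result from a host outside the granted ranges before relying on it: an HTTP request to the NS site should return 403 from IIS, and once the firewall rules are in place the connection to ports 80, 443 and 445 should not complete at all. Keep the remote management hosts inside the granted ranges, or the Web Administration Console becomes unreachable.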