Run Apis on user with limited rights
This procedure is for information only and is neither supported nor recommended.
Running Foundation services as a user without local administrative rights should only be done in extraordinary circumstances.
Run Apis on user with limited rights
Install Apis from a user with administrator rights.
When finished, complete the following tasks:
- Change the service Log On As account
- Change Identity in DCOM
- Give the user appropriate DCOM rights
- Give the user appropriate registry rights
- Give the user appropriate file system rights
Change the service Log On As account
Start the Services console. On the Log On tab of the ApisHive service, select This account and type in the user (in this case user) and the password for the user.
Change Identity in DCOM
Start DCOM configuration. On the Identity tab of the Apis Hive properties window, select This user and type in the user (in this case user) and the password for the user.
Click Apply.
Give the user appropriate DCOM rights
Still in Component Services for ApisHive, on the Security tab, edit the Launch and Activation permissions.
Add the user and give it Local Launch and Activation permission.
Repeat for Access and Configuration permissions.
Give the user appropriate registry rights
Open the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Prediktor, right-click and select Permissions.
Add the user and give it Full Control rights.
Give the user appropriate file system rights
In Windows Explorer, navigate to the installation directory of ApisHive.
For instance C:\Program Files\APIS
Add the user and give it Full Control.
Run Apis on domain user with limited rights
Install Apis from a user with administrator rights and do this procedure from a user with administrator rights and access to AD.
Complete the following tasks:
- Change the service Log On As account
- Change Identity in DCOM
- Give the user appropriate DCOM rights
- Give the user appropriate registry rights
- Give the user appropriate file system rights
- Check domain group policy for user and computer running Apis
- Restart Honeystore and ApisHive Services
The examples below show how to set up ApisHive to run as a standard domain user Apis1 in the domain prediktor.
Change the service Log On As account
Start the Services console. On the Log On tab of the ApisHive service, select This account and type in the user (in this case prediktor\Apis1) and the password for the user.
Change Identity in DCOM
Start DCOM configuration. On the Identity tab of the Apis Hive properties window, select This user and type in the user (in this case prediktor\Apis1) and the password for the user.
Click Apply.
Give the user appropriate DCOM rights
Still in Component Services for ApisHive, on the Security tab, edit the Launch and Activation permissions.
Add the prediktor\Apis1 user and give it Local Launch and Activation permission.
Repeat for Access and Configuration permissions.
Still in Component Services, now select ApisHoneystore Properties / Security / Access Permissions.
Add the prediktor\Apis1 user and give it Local Access permissions.
Still in Component Services, now select My Computer / COM Security / Launch and Activation Permissions / Edit Default.
Add the prediktor\Apis1 user and give it Local Launch and Activation permission.
Give the user appropriate rights to the config part of the registry
Open the registry editor and navigate to:
- HKEY_LOCAL_MACHINE\SOFTWARE\Prediktor
Right-click and select Permissions.
Add the prediktor\Apis1 user and give it Full Control rights.
Repeat for
- HKEY_LOCAL_MACHINE\SOFTWARE\Prediktor
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Setting registry permissions for the COM part of the registry:
Hive needs read/query access to the COM part of the registry, where information about COM classes is stored.
Add special permissions for HKCR\CLSID
Press add, and specify the service user (in this case, “User”)
Select the added user, and press the Advanced button
In the next dialog, select the service user again, and click the Edit button
Make sure at least the permissions shown above are granted, and do NOT check the “Apply these permissions to objects and/or containers within this container only” option.
Press OK on the 3 open dialogs. Now the Hive will be able to run as a regular user.
Give the user appropriate file system rights
In Windows Explorer, navigate to the installation directory of ApisHive.
For instance
- C:\Program Files\APIS
Add the prediktor\Apis1 user and give it Full Control.
Check domain group policy for user and computer running Apis
In the domain group policy, check registry access for the service user in the policy group to which the computer belongs.
The following is not fully verified:
On the x64 version of Apis, it seems that the user must have full access to CLASSES_ROOT\CLSID.
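The registry, file system and service account settings from the domain user procedure can be checked afterwards from PowerShell. The read-only script below is an added example, not part of the original procedure or of Prediktor's tooling. It assumes the service is registered under the name ApisHive, uses the page's example account and install path as defaults, and treats ReadKey as the equivalent of the "read/query access" asked for on HKCR\CLSID. DCOM permissions are not checked.

```powershell
# Added example (not Prediktor's code): read-only audit of the grants made above.
# Assumptions: the service is registered as 'ApisHive'; the account and install
# path defaults are the page's example values. Adjust them to your installation.
param(
    [string]$Account     = 'prediktor\Apis1',
    [string]$ServiceName = 'ApisHive',
    [string]$InstallDir  = 'C:\Program Files\APIS'
)

# Each path the procedure touches, with the right the page asks for.
# ReadKey on HKCR\CLSID is an assumed stand-in for "read/query access".
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Prediktor';                                     Want = 'FullControl' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application'; Want = 'FullControl' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\CLSID';                            Want = 'ReadKey' }
    @{ Path = $InstallDir;                                                    Want = 'FullControl' }
)

function Get-GrantStatus {
    param([string]$Path, [string]$Account, [string]$Want)
    if (-not (Test-Path -LiteralPath $Path)) { return 'path not found' }
    $acl  = Get-Acl -LiteralPath $Path
    $prop = if ($acl -is [System.Security.AccessControl.RegistrySecurity]) { 'RegistryRights' } else { 'FileSystemRights' }
    # Only Allow ACEs naming the account itself are counted; rights that arrive
    # through group membership are not resolved here.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow' })
    if ($aces.Count -eq 0) { return 'no explicit ACE for account' }
    $have = 0
    foreach ($ace in $aces) { $have = $have -bor [int]$ace.$prop }
    $need = [int][enum]::Parse($aces[0].$prop.GetType(), $Want)
    if (($have -band $need) -eq $need) { return 'ok' }
    return "missing rights (has: $(($aces | ForEach-Object { $_.$prop }) -join ', '))"
}

# 1. Service "Log On As" account
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found" }
else {
    [pscustomobject]@{ Check = "Service $ServiceName runs as"; Expected = $Account; Actual = $svc.StartName
                       Status = if ($svc.StartName -ieq $Account) { 'ok' } else { 'mismatch' } }
}

# 2. Registry and file system grants
foreach ($t in $targets) {
    [pscustomobject]@{ Check = $t.Path; Expected = $t.Want; Actual = ''
                       Status = Get-GrantStatus -Path $t.Path -Account $Account -Want $t.Want }
}
```

Running it again after a group policy refresh shows whether domain policy has reset any of the registry permissions.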