X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=4.5 required=5.0	tests=AWL,BAYES_50,BOTNET,RCVD_IN_DNSWL_NONE
X-Spam-Check-By: sourceware.org
Message-id: <4BF1B2F6.6060608@cygwin.com>
Date: Mon, 17 May 2010 17:19:50 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-to: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090320 Remi/2.0.0.21-1.fc8.remi Lightning/0.9 Thunderbird/2.0.0.21 Mnenhy/0.7.5.0
MIME-version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: 1.7 sshd - Alternative for cyg_server account?
References: <AANLkTimNEa0kj73JlAlWxvMvwrybXRK8W7CFZSX1A4lN AT mail DOT gmail DOT com>
In-reply-to: <AANLkTimNEa0kj73JlAlWxvMvwrybXRK8W7CFZSX1A4lN@mail.gmail.com>
Content-type: text/plain; charset=UTF-8; format=flowed
Content-transfer-encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 5/17/2010 12:21 PM, Greg Fury wrote:
> Excuse me for my lack of Windows security knowledge.
>
> I'm getting some pushback from our Windows admins while trying to
> implement sshd (1.7) on Windows server 2003.
>
> They are concerned about the cyg_server account being a local
> administrator.  Saying it's another account that could be compromised,
> and they would like to avoid it.
>
> Is this a valid concern?
> Are there alternatives to creating this account?
> Could we run directly under Administrator?

The "Administrator" account is not sufficient.  'sshd' requires the
ability to switch users, which the "Administrator" account, by default,
doesn't allow.  One could supplement "Administrator" to have the
required permissions and then use it, though I don't personally see
that as being more secure.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple