Running ColdFusion as a specific user - coldfusion

On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?

If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" buttton.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)

You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment ( an assumption ) so if production for example writes to a UNC path the coldfusion user must have acces. You could
Mimic this locally.

You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).

Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here.
change ownership from trustedInstaller

Related

AWS Access issue after downgrade the instance type

We are facing an issue to Remote Desktop login to an AWS windows instance. When we tried to login to the RDP using our user account (which is created by Admin) it is showing the error “The User Profile Service failed the login - User profile cannot be loaded”.
We also tried to regenerate the admin password from AWS admin console using “.pem” file . But when we tried to click the “Get Password” from instance listing page ,it is showing an error saying “Password not available yet:-Please wait at least 4 minutes after launching an instance before trying to retrieve the auto-generated password.” How can we solve the issue and regain the access to instance?
If you have any idea related to this issue, it would be grateful.
The password would not have changed from the random password that was assigned when the instance was first launched. So, if you remember it, just use the same password.
Of course, you can update the password through standard Windows techniques (Change Password, or joining a Domain). In this case, the original Administrator password is no longer valid.
By the way, it is recommended that after you start a new Windows instance via 'Get Password', you should change the password or attach it to a Domain as per your standard security practices. You should not use 'Get Password' as a standard security practice. It's just a way of providing you with initial access to a Windows EC2 instance.

C++ read any windows user HKEY using username/SID or Alternate

I have created an application, which works for all the windows users (Local, AD, Azure etc). For every user, I'm storing some data inside HKEY_CurrentUer\TESTApp\ registry. Now in the custom credential provider (LOGINUI) once the user enters the credential Wants to read that user HKEY_{...}\TESTApp\ details to know more about the user.
I can successfully store user details in HKEY_CurrentUer\TESTApp\ registry and read details from HKEY_USERS\SID\TESTApp\ if he already login's in.
Now I have the following question,
Is it possible to do the same for not logged in or log out users using either username/SID?
Is there any other HKEY place where I can store the user details and can easily read using username/SID without admin permission? For now, I want to maintain the user details in the machine itself (no cloud).
At last, if the above two is not possible, can I create and read a file with key-pair values in my app workspace without any permission issue?
Since I'm new to windows app development, correct me if I'm doing wrong. THANKS in advance.
HKEY_USERS\SID will be created only after successfully logon on this machine and continue to reside after logout.
If you are talking about logon scenario for credential provider CPUS_LOGON means that your credential provider is working with highest privileges for application - as a SYSTEM user, and you can read and write practically everywhere.

IIS AppPool user permissions not working

I'm moving a PHP app from IIS7 to IIS8.5 on Win2012 R2. The app runs in its own application pool (MyPortal) and needs write permission on a sub-folder to create PDFs. So I assign Modify or Full Control permissions to IIS AppPool\MyPortal on the local machine, however the app is still unable to write to the folder. The only way I have found to allow it to do so is by giving Modify access to the local USERS group, which I'd rather not do (although I have no choice ATM).
The php-cgi.exe process is running under the MyPortal identity, but somehow isn't picking up the permissions I have assigned to the MyPortal user on the folder. The PHP process is doing a simple fopen command $file = fopen($tmp_filename,"w");.
I saw this similar post https://serverfault.com/questions/570033/iis-iusrs-and-defaultapppool-permissions-do-not-work which suggested it may be a permissions caching issue, solved by a reboot, but that's not worked in this instance.
Any suggestions as to what's wrong?
You've got it #Jan Reinlink. Anonymous Authentication needed setting to 'Application identity pool'. I had assumed that because the PHP process was running as MyPortal it was using the same permissions.

Add user to Sharepoint database

I created a web part for Sharepoint 2013 which reads the email address from the user that is currently logged in. I'm deploying locally and the only user I have is the administrator which has also no email address yet.
Where can I add an email address for the administrator?
Where can I create a new user account?
Sorry for these basic questions but I'm pretty new to SP and I couldn't find any solution on the web yet.
Thanks for your help!
This depends on your SharePoint instance (if it is on o365 or on-prem).
In case of o365 it is being managed by Azure AD (you can use the o365 admin center to change the email property) and if this is on-prem instance you have to change user property inside your Windows Server Active Directory.
After you do that make sure you run the full sync on the user profile job.
Needs to be done in the Active Directory. Search for "Active Directory Users and Computers" on your machine.

Creating Firewall rule for a process running in a Non-admin user account

I have a basic requirement - to run my application smoothly on Windows by creating firewall rules when prompted, that has windows firewall turned-ON.
When I log in to my system as an user with Admin privileges when I run my application the first time, the firewall comes up with a prompt, I inform it to allow my app and create a rule, nice.
However when I turn-on my PC, log in as a non-Admin user, and I run my application, the firewall shows up with a prompt as expected; however when I click on the same options as I did from the Admin user, the firewall prompt keeps popping up continuously even though I clicked on Allow /ok every time the prompt appears. The prompt only goes away when I click on "Cancel / Block" the application from running, which is obviously not what I want to do.
So here comes the million $ question, What and How should I change my application code to run smoothly by creating the firewall rule successfully the first time I click on the firewall prompt to allow my application; exactly the same way it is working when I run my application as an user with Admin privileges.
I have done my bit of searching online and have come to understand that Non-admin users cannot modify firewall rules (cannot even create them???). BTW I have tested this scenario on Windows XP, Vista 7 both x86 and x64 with same results.
If someone has encountered and / or solved similar issues please share your knowledge. If I am missing something, please make me understand what I am missing.
Thanks
I don't think what you are trying is possible in a non-admin account. What you may try is to gain admin privilege by using the windows runas feature by creating a new process, so that the user is prompted for the username and password of the Admin Account, which would give your program the required access to create firewall rules for your program.
You may also take a look into CreateProcessAsUser or LogOnUSer . Basically in order to succeed in what you are trying to do, you need a token that represents the Administrator account or an account which has admin privileges.