How to limit the rights of the user (or the process he runs)?

V

vista1x2015-12-02 22:53:32

PowerShell

vista1x, 2015-12-02 22:53:32

Hello.
Let me explain the situation:
There is a computer with Windows Server 2008 on board. There are two users on the computer: an administrator and a user with normal rights.
The computer has a service installed that runs on behalf of the user.
What does the service do? Listens on a specific port. When a certain message is received, it launches a powershell script, which in turn launches several other processes and adds/updates data to the database connected via ODBC.
The task is as follows: you need to make sure that the processes launched from the powershell script have limited rights: they must have access only to their directory (there must be the right to create files, but not delete them). In other words, you need to run a process that cannot harm the system.
How it is possible to configure the rights so flexibly? What would be more logical to do - restrict the rights of the user directly or somehow restrict the rights of the executable application?
I would be grateful for useful links and advice.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Saboteur, 2015-12-03
@vista1x

The app is already limited to being run as a user.
Windows does not have built-in tools for chroot (that is, lock the user in one directory), because any process needs to handle libraries, but you can google third-party solutions, for example www.airesoft.co.uk/chroot
rights to this folder using NTFS.
Restricting all folders for this user in general will be problematic, on the other hand, a regular user will not be able to do any harm anyway. He will not be able to make changes to the system. If everything is so critical for you, maybe it makes sense to run a virtual system on the server for the user?