Running OpenEdge in limited user account

fverstegen

Dear all,

Just let me present myself. I'm into system administration and take care of several Linux/Solaris/W2k/... boxes running database servers and applications.

As you might guess I now have to install a Progress/OpenEdge server on a wintel 2003 server and have the following issue:
Progress/OpenEdge has to be installed as local administrator, this is fine for me, but I'd like to run the Progress/OpenEdge server in a restricted user account. This is what I generally do with Oracle/DB2/MicrosoftSQL...

Can this be done? Does anyone have any pointers on how to implement this? (Thinking about tweaking the NTFS ACLs.)

Thank you in advance for your guidance.
Regards,
Frans
 
Yes it can be done.

Details? Not really. I'm more of a UNIX guy... I know I've managed to do it under Windows but it was a while ago. (And if *I* could do it then it really can't be all that hard...) As I recall I did a bit of fiddling around with automating the backup -- I think I needed to have a local user in the proper group on the server to do that.

It might help other people who might comment if you could mention which specific version of Progress you're installing.
 
Dear all,

I now have an answer from support:

After further investigations, tests and discussions with my colleagues and Development I can now confirm that it is definitely *not* possible to run the AdminServer with a non-Admin user.
The user *has* to be part of the local Administrator group and in addition to that has to have the following privileges:

- Log on as a service.
- Log on as batch job.
- Act as part of the operating system.
- Adjust memory quotas for a process.
- Create a token object.
- Replace a process level token.

Frans
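
An added example, not part of the thread and not Progress's own tooling: an auditor can confirm which of the rights listed in the support reply an account actually holds by parsing a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump. The account name `svc_openedge` and the sample export are constructed for illustration.

```python
# Rights named in the support reply, keyed by the constant secedit writes.
THREAD_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as batch job",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Rights that allow creating or substituting access tokens.
TOKEN_RIGHTS = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Principals are comma-separated; SIDs carry a leading '*'.
        rights[name.strip()] = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
    return rights

def audit_account(inf_text, principal):
    """List (constant, display name, is_token_right) granted to principal."""
    # Direct grants only: rights inherited through group membership are not resolved.
    rights = parse_privilege_rights(inf_text)
    who = principal.lstrip("*").lower()
    return [(c, label, c in TOKEN_RIGHTS)
            for c, label in THREAD_RIGHTS.items() if who in rights.get(c, set())]

# Constructed sample export; 'svc_openedge' is a hypothetical service account.
SAMPLE = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,svc_openedge
SeBatchLogonRight = *S-1-5-32-544,svc_openedge
SeTcbPrivilege = svc_openedge
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeCreateTokenPrivilege = svc_openedge
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
"""

if __name__ == "__main__":
    for const, label, token in audit_account(SAMPLE, "svc_openedge"):
        print(f"{const:30} {label}{'  [token right]' if token else ''}")
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_account`.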
 
Dear Tom,

I'm new to Progress, sorry for the confusion.

You are right, the admin server is *not* the database, I use the admin server to autostart the database.

- Does that mean that I do not have to run the admin server?

- If not using the admin server to autostart the database on boot, how can I auto start the database on an x86 platform?

- If I won't be running admin server, can I remove the account I use for the Progress database and admin server from the "Local Administrators" group? This will "read-only" the Progress and database directory structure. Will granting Change permissions to the database directory be sufficient?

Thank you again,
Frans
 
Whether or not you need the admin server depends on what else is going on. If all you have running is a database then no, you don't need it. If you've got app servers and other stuff then you probably do need it.

To start the db without the admin server you can just use proserve.

Permissions and privileges depend on whether or not anyone else needs to connect to the db, who they are and where they're connecting from. But assuming that it is not a stand-alone db you probably do need something beyond just changing file perms.

Personally, I'd install the Linux patch and stop worrying about all this Windows "security" drivel ;)
 
Tom,

Thank you for your explanation.

I'm a Solaris/Linux guy too, but for this project the business people followed the ISV recommendation for x86 platform.

Following your explanation, I guess I'm stuck with running these services and database with much too high privileges, and on the first internal audit eyebrows will probably be raised.
Running applications with these local administrator privileges today is considered bad, not recommended and probably not necessary either.

Thank you again for your excellent help.
Frans
 