
Security must: run service as "automatically"


dimitrifrom31


I install hotlaps the same way, as a secondary application; I think that is a good way. Do you install it with rFactor directly?

 

The customers usually ask more for a web view with IIS, and I am deciding now whether to put it in or not.

 

I don't like that these plugins usually are services or require installations; it looks like the programmers don't think that we are here.

 

Yes, I'm installing it directly with rFactor using an install script, creating a service dependency on the rFactor server, so if the game server gets stopped, so does hotlaps. This way, if they reinstall their server, hotlaps gets stopped and the files can be deleted (otherwise the reinstall would fail, with the files being in use).

Related to R4Z0R49's comment:

 

the "Relative Working Directory" must be empty in each of your game config using that feature.

 

Is this still an issue?

For instance, for CSS I have /orangebox as my relative directory.

Do I need to edit some things to use your script with CSS?


Is this still an issue?

For instance, for CSS I have /orangebox as my relative directory.

Do I need to edit some things to use your script with CSS?

 

Leave the relative directory empty (works just fine with CSS afaik) or add this at the beginning of the "run as" install script:

cd..


It seems read permissions are still available to users, where they could potentially read logs on the hard drive and >> that information into a txt file in their game server directory.

For instance, they could read Monitor.config.

Is there a way to disable read permissions?


Right-click the files/folders you want to deny permissions on, then select the "Users" group as the user to edit and deny it the read permission.

 

Be careful with this, as Users includes admins and deny permissions have priority over permit. This means you will not be able to read those files/folders yourself unless you edit the permissions again.

Link to comment
Share on other sites

You can use cacls in a command prompt to deny read access to tcagroup. Just make sure not to deny access on system folders the game server needs read access to.

 

Something like:

 

cacls C:\restricted_folder /T /E /D tcagroup

 

Type

cacls /?

in a command prompt for advanced options, or just do it manually with a right-click on the folder/file whose access you want to edit.


Hello, I have tried this but am having some errors.

I am trying to use it on Win. Server 2008 R2 (German version).

 

@echo off&setlocal enableextensions
REM serviceid = name of the current folder (the TCXXXX service folder);
REM %%* is the batch-file form, at an interactive prompt a single % is used instead
for %%* in (.) do set serviceid=%%~n*
if not defined serviceid set serviceid=%CD:\=%
REM create the per-server account (name = server IP + port) and move it from the
REM default users group ("Benutzer" on a German system) into tcagroup
net user %serverip%%serverport% <valid pw> /add /passwordchg:no
net localgroup tcagroup %serverip%%serverport% /add
net localgroup Benutzer %serverip%%serverport% /delete
net accounts /maxpwage:unlimited
REM cacls "C:\_SH\TcAdmin\Monitor\Services\%serviceid%" /t /e /g %serverip%%serverport%:f
REM cacls %gameserverroot%.. /t /e /g %serverip%%serverport%:f
REM make the service log on as that account; fails if %serviceid% is not an installed service
sc config %serviceid% obj= .\%serverip%%serverport% password= <valid pw>
echo %serverip% and %serverport% [serviceID: %serviceid%]
pause

 

(I just remmed them out to see if everything else is working correctly.)

This is the output:

 

(screenshot of the script output: runasservicejtxn.png)

 

where

Der angegebene Dienst ist kein installierter Dienst.

means

The specified service does not exist as an installed service.

 

Can someone help please?


I learned the hard way that denying read access to the TCAdmin program folder for tcagroup pretty much breaks all services. I tried to make an exception for the folder and files needed, but it seemed the deny took priority over allow (which I think is common Windows behavior).

 

I'm mostly worried about the log and monitor.config files being read; any solution to this?

I was able to make a JavaScript plugin for Altitude that let me copy the contents of any file that would open with a text editor into a local log file in my test game account. Very scary :)

I'm mostly worried about all the passwords in monitor.config, but I assume there could be some other text readable files as well that I would need to deny?

 

Headaches :(


You need to leave full control to tcagroup over the services folder. Otherwise, if you reinstall a game server, it won't start.

 

If you never reinstall game servers you can give full rights "only" on the TCXXX folder, but I really don't recommend that, and anyway there's no big risk in giving full control over the whole services folder. Each TCXXXX folder can be reset simply by going to each game server's "service settings" and clicking on save.

If you are worried about the services folder you can make a simple batch to back it up daily, or use syncbackup to do the job.

 

Being paranoid is a good thing to prevent hacking, but this shouldn't go too far ;)
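A PowerShell equivalent of the cacls approach above, added here as an example that is not from the thread: it puts a Deny-Read ACE for a group on one folder, refuses to touch the TCAdmin program folder and the services folder that the replies say must stay accessible to tcagroup, and lists the resulting Deny entries so the change can be verified. The two protected paths are the ones quoted in this thread's posts and the group name tcagroup is assumed; adjust both to your install.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session,
# a local group named tcagroup, and the paths below (taken from the posts above;
# adjust to your own TCAdmin install). C:\restricted_folder is a placeholder.
$ProtectedRoots = @(
    'C:\Program Files (x86)\TCAdmin Control Panel',  # program folder: a deny here breaks all services
    'C:\_SH\TcAdmin\Monitor\Services'                 # services folder: tcagroup needs full control
)

function Deny-GroupRead {
    param([string]$Path, [string]$Group = 'tcagroup')
    $full = (Resolve-Path $Path).Path
    foreach ($root in $ProtectedRoots) {
        if ($full -like "$root*") { throw "refusing: $full is under protected root $root" }
    }
    $acl = Get-Acl -Path $full
    # NTFS evaluates Deny before Allow, so this entry wins even if the group (or an
    # admin who is a member of it) also holds Allow entries on the same folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $full -AclObject $acl
}

function Show-DenyEntries {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
}

Deny-GroupRead -Path 'C:\restricted_folder'   # placeholder: the folder holding the game server logs
Show-DenyEntries -Path 'C:\restricted_folder'
```

Run Show-DenyEntries again after a game-server reinstall, since the thread notes that saving "service settings" resets the TCXXXX folder permissions.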


I denied tcagroup all permissions to Monitor.config and it gave me this error when trying to start a service:

 

Service cannot be started. System.UnauthorizedAccessException: Access to the path 'c:\program files (x86)\tcadmin control panel\Monitor.config' is denied.

at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

 

Removing this deny fixed the problem of course.

There is a way to read any file on the computer through this one program we run, which is a nice feature, but that's the only file I wouldn't want access to.

Not sure what to do.


I denied tcagroup all permissions to Monitor.config and it gave me this error when trying to start a service:

 

Service cannot be started. System.UnauthorizedAccessException: Access to the path 'c:\program files (x86)\tcadmin control panel\Monitor.config' is denied.

at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

 

Removing this deny fixed the problem of course.

There is a way to read any file on the computer through this one program we run, which is a nice feature, but that's the only file I wouldn't want access to.

Not sure what to do.

 

I wonder how exactly you could get hacked via this file, tbh, but a simple solution would be to move your TCA install to another path like c:\hackmeifyoucan\monitor.config

 

That makes it much harder to copy the file.

leave the relative directory empty (works just fine with CSS afaik) or add this at the beginning of the "run as" install script :

cd..

 

So in the Install/Uninstall scripts, at the very top on its own line, put cd.. ?

I put it on the 2nd line and seems to work great, thanks!


Hi guys,

 

So I have a question about the logon way and the RunAs.Config way.

 

Is there any difference between the two ways anyone can think of?

Which way would be most secure, editing Logon or using RunAs.config?

 

Both can be done using install scripts without hassle.

 

Cheers


Having a bit of an odd issue with this script.

 

It was working flawlessly, but recently it seems to have stopped working. The user account is created and added to the group and the appropriate permissions are being set on the game's folder and the relevant service directory.

 

However, the service fails to start due to "Error 1069: The service did not start due to a logon failure.". I see no reason why this should happen, the account for the service is part of the TCServers group, the TCServers group has been granted the Log on as a Service right in Local Security Policy and the password for the account is correct.

 

The really odd thing is that if I change the service to log on as the local account, click apply, and then set it to use the proper account again it will say it has granted the account the log on as a service right, indeed if I check the accounts that are listed there the server account now appears. However, if I remove the account from the list and try and start it... it works, starting as the correct account.

 

Why I have to set it to the local service account and then back to the proper account in order for it to work doesn't make any sense to me. If anyone has any idea why this is happening, I'd love to know. Right now I have to do this to every server by hand, which takes a while...


Hi Dimitri,

 

I added those lines before the last sc config line, but unfortunately it didn't help.

 

One thing I did find though is that if I run the final sc config command manually after the installation and then try to start the server it works. The sc config line is exactly the same oddly enough, which makes me think TCA isn't running it properly for some reason.

 

However, a bit more tinkering and I found the cause - special characters in the password. After changing the password that creates the account to only use alphanumeric characters (and changing the sc config command too) the service is started fine first time.

 

Thanks for your help anyway Dimitri, and thanks for a much needed script!

 

The other thing I noticed while stepping through the commands manually was that "for %%* in (.) do set serviceid=%%~n*" returned the error "%%* was unexpected at this time.". Is this to be expected?
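The two checks a practitioner would want for the error 1069 chase in the last posts, as an added PowerShell example that is not from the thread: a test of whether the service account (or the TCServers group it belongs to) actually holds the "Log on as a service" right, and a way to set the service credential where the password is passed as a single argument, so the special characters that broke the batch version are never parsed by cmd.exe. The service id, account name and password are placeholders.

```powershell
# Added example, not from the thread. Assumes an elevated session; the service
# id, account name and password below are placeholders for your own values.
function Test-ServiceLogonRight {
    # Reports whether the account (or a group such as TCServers) is listed under
    # SeServiceLogonRight, the "Log on as a service" policy the thread mentions.
    param([string]$Account)                    # 'COMPUTER\name' or a local group name
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # secedit writes principals either as names or as *SID, so resolve the SID as well
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    return [bool]($entries | Where-Object { $_ -eq "*$sid" -or $_ -eq $Account })
}

function Set-ServiceAccount {
    param([string]$ServiceName, [string]$Account, [string]$Password)
    # PowerShell hands each value to sc.exe as one argument, so characters such as
    # & | < > ^ in the password are never interpreted by cmd.exe. In a batch file
    # the same value would have to be quoted (password= "...") or escaped.
    & sc.exe config $ServiceName obj= $Account password= $Password | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for $ServiceName (exit $LASTEXITCODE)" }
}

$svc  = 'TC0000'                          # placeholder service id
$user = "$env:COMPUTERNAME\svcuser"       # placeholder account created by the install script
if (-not (Test-ServiceLogonRight $user) -and -not (Test-ServiceLogonRight 'TCServers')) {
    Write-Warning "$user has no 'Log on as a service' right; expect error 1069 on start"
}
Set-ServiceAccount -ServiceName $svc -Account $user -Password 'placeholder-password'
```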
