I’ve done some searching, but haven’t found out if this is possible. If so, would we lose functionality? We’re investigating connecting to shares, but for security reasons we don’t want to use null session shares.
I think this won’t work well. We make lots of assumptions that the BigFix Agent runs as the SYSTEM account and I am not sure what might break (and in what ways) if you break that assumption. We certainly don’t test with this environment.
Also:
- password management would be a big pain
- I don’t know if the agent would revert to SYSTEM after you upgrade it.
I think there would be a security implication to this change… I believe that if you use the same domain user/pw for each computer, then theoretically someone could extract the pw from their services cache and then be able to login to any computer (I am not completely sure how the Windows pw cache works so you can double-check on this).
Has anyone tried adding an ACL that gives “Domain Computers” group permission to access the network share? I thought this would work if the computer is joined to a domain and the service is running as SYSTEM. Maybe it’s worth a try?
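What that suggestion looks like on the file server, as an added example that is not part of the original thread: a service running as SYSTEM on a domain-joined machine authenticates to the share as the machine account (DOMAIN\COMPUTERNAME$), and machine accounts are members of Domain Computers, so granting that group read access on both the share and the NTFS folder lets the agent read the files without a null session or a shared user password. The share name, path and domain below are assumptions.

```powershell
# Added example (not from the original thread). Grants the domain's computer accounts
# read-only access to a distribution share. Run on the file server as an administrator.
# Assumed names: share 'Application' backed by D:\Application, domain 'CORP'.

$ShareName = 'Application'
$SharePath = 'D:\Application'
$Principal = 'CORP\Domain Computers'

# 1. Share-level permission (SmbShare module, Windows Server 2012 and later).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Principal | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal -AccessRight Read -Force | Out-Null
}
# Drop the default 'Everyone' entry if one exists, so only explicit principals remain.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# 2. NTFS permission: Read & Execute, inherited by subfolders and files.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Check from a domain-joined client while running as SYSTEM (for example via
#    psexec -s, or from a BigFix action):
#      whoami                              -> nt authority\system
#      dir \\SERVER1\Application\NewFiles  -> listing, no credential prompt
```

Two caveats: Domain Computers contains member workstations and servers but not domain controllers (those sit in Domain Controllers), and every domain-joined machine, not only BigFix-managed ones, can then read the share. Keep write access limited to the people who own the application, since whatever lands in NewFiles will later run as SYSTEM on every target.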
We are investigating creating a task for something like code migration for custom apps. For example we may need to update a new version every month. The task itself would be the same and would never change, just the files it uses.
For example, the script copies everything from \\SERVER1\Application\NewFiles to c:\temp\newfiles, then kicks off c:\temp\newfiles\update.bat.
I know we could package things up and use the software distribution wizard, however we wanted to give the server/application owners rights to run this task. Set it up for them, then they can handle it all moving forward, instead of us creating a new task every month.
I know we can do null session shares, but we were looking for something a bit more secure.
I see, thanks. We’ve just finished a new software distribution tool that would efficiently handle the file updates, but you’d still need to modify fixlets and restart actions. That’s a design goal intended to prevent ‘spooky action at a distance’, because someone with BigFix credentials must be involved in modifying the files that will be distributed.
Boyd’s suggestion is probably your best bet for bypassing those protections. Be careful to validate the files in your update.bat though, because any failure in upload or download will mean you’ve just automatically disabled your custom app…
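One way to do the validation the last reply asks for, as an added example that is not code from the thread or from BigFix: the application owner publishes a SHA-256 manifest next to the files, and the task stages the drop into a fresh local directory, checks every file against the manifest (no missing, extra or altered files), and only then runs update.bat. A partial copy, an interrupted upload or a stray file aborts before anything is changed. The paths, the manifest name and the manifest format are assumptions.

```powershell
# Added example (not from the original thread). Stages the monthly drop, verifies it
# against a SHA-256 manifest, and runs update.bat only when everything checks out.
# Assumed: files under \\SERVER1\Application\NewFiles, manifest 'manifest.sha256'
# with one '<sha256>  <relative path>' line per file, written by New-HashManifest.
param(
    [string]$Source       = '\\SERVER1\Application\NewFiles',
    [string]$Staging      = 'C:\temp\newfiles',
    [string]$ManifestName = 'manifest.sha256'
)
$ErrorActionPreference = 'Stop'

function Get-RelativePath([string]$Root, [string]$FullName) {
    return $FullName.Substring($Root.TrimEnd('\').Length + 1)
}

function New-HashManifest {
    # Run by the application owner on the share after uploading a new drop.
    param([string]$Root, [string]$ManifestName = 'manifest.sha256')
    $lines = foreach ($f in Get-ChildItem -Path $Root -Recurse -File) {
        if ($f.Name -eq $ManifestName) { continue }
        '{0}  {1}' -f (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash,
                      (Get-RelativePath $Root $f.FullName)
    }
    Set-Content -Path (Join-Path $Root $ManifestName) -Value $lines -Encoding ASCII
}

function Test-HashManifest {
    # $true only if every manifest entry exists with the listed hash and the
    # directory holds nothing that is not in the manifest.
    param([string]$Root, [string]$ManifestName = 'manifest.sha256')
    $manifestPath = Join-Path $Root $ManifestName
    if (-not (Test-Path $manifestPath)) { Write-Warning 'manifest missing'; return $false }
    $expected = @{}
    foreach ($line in Get-Content $manifestPath) {
        if ($line -match '^([0-9A-Fa-f]{64})\s{2}(.+)$') { $expected[$Matches[2]] = $Matches[1].ToUpper() }
    }
    if ($expected.Count -eq 0) { Write-Warning 'manifest empty'; return $false }
    $ok = $true
    $seen = @{}
    foreach ($f in Get-ChildItem -Path $Root -Recurse -File) {
        if ($f.Name -eq $ManifestName) { continue }
        $rel = Get-RelativePath $Root $f.FullName
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) { Write-Warning "unexpected file: $rel"; $ok = $false; continue }
        $actual = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) { Write-Warning "hash mismatch: $rel"; $ok = $false }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { Write-Warning "missing file: $rel"; $ok = $false }
    }
    return $ok
}

# Fresh staging directory, so a half-finished earlier run cannot pass as a good one.
if (Test-Path $Staging) { Remove-Item -Path $Staging -Recurse -Force }
New-Item -ItemType Directory -Path $Staging | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Staging -Recurse -Force

if (-not (Test-HashManifest -Root $Staging -ManifestName $ManifestName)) {
    Write-Error 'Staged files failed validation; update.bat was not run.'
    exit 1
}
$bat = Join-Path $Staging 'update.bat'
if (-not (Test-Path $bat)) {
    Write-Error 'update.bat is not part of the drop; nothing was run.'
    exit 1
}
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', ('"{0}"' -f $bat) `
        -WorkingDirectory $Staging -Wait -PassThru -NoNewWindow
exit $proc.ExitCode
```

The manifest catches truncated or partial copies and accidental edits, which is the failure the reply warns about; it does not protect against someone who can write to NewFiles, because they can rewrite the manifest too. Since update.bat ultimately runs as SYSTEM on every targeted machine, write access to the share is the control that matters, and the exit code above lets the BigFix action report the abort rather than silently succeeding.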