Start BESClient service with Domain Account

(imported topic written by Bill.Ehardt)

I’ve done some searching, but haven’t found out if this is possible. If so, would we lose functionality? We’re investigating connecting to shares, but for security reasons we don’t want to use null session shares.

(imported comment written by BenKus)

I think this won’t work well. We make lots of assumptions that the BigFix Agent runs as the SYSTEM account and I am not sure what might break (and in what ways) if you break that assumption. We certainly don’t test with this environment.

Also:

  • password management would be a big pain
  • I don’t know if the agent would revert to SYSTEM after you upgrade it.
  • I think there would be a security implication to this change… I believe that if you use the same domain user/pw for each computer, then theoretically someone could extract the pw from their services cache and then be able to login to any computer (I am not completely sure how the Windows pw cache works so you can double-check on this).

Ben

(imported comment written by MattBoyd)

Has anyone tried adding an ACL that gives “Domain Computers” group permission to access the network share? I thought this would work if the computer is joined to a domain and the service is running as SYSTEM. Maybe it’s worth a try?

(imported comment written by Bill.Ehardt)

Ben, that all makes sense… I realized the whole pw thing as soon as I posted it.

Boyd, I tried it a few ways, no luck on this end. Let me know if you figure something out though!

(imported comment written by JackCoates91)

Hi,

Can you tell me more about why you want to use network shares from the client?

thanks,

Jack

(imported comment written by Bill.Ehardt)

We are investigating creating a task for something like code migration for custom apps. For example we may need to update a new version every month. The task itself would be the same and would never change, just the files it uses.

For example, the script copies everything from \SERVER1\Application\NewFiles to c:\temp\newfiles, then kicks off c:\temp\newfiles\update.bat.

I know we could package things up and use the software distribution wizard, however we wanted to give the server/application owners rights to run this task. Set it up for them, then they can handle it all moving forward, instead of us creating a new task every month.

I know we can do null session shares, but we were looking for something a bit more secure.

(imported comment written by JackCoates91)

I see, thanks. We’ve just finished a new software distribution tool that would efficiently handle the file updates, but you’d still need to modify fixlets and restart actions. That’s a design goal intended to prevent ‘spooky action at a distance’, because someone with BigFix credentials must be involved in modifying the files that will be distributed.

Boyd’s suggestion is probably your best bet for bypassing those protections. Be careful to validate the files in your update.bat though, because any failure in upload or download will mean you’ve just automatically disabled your custom app…
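As an added example (not code from this thread or from BigFix), here is a PowerShell wrapper for the task Bill describes: it copies the share contents to a staging directory and, following Jack's advice, validates every file against a manifest before it will run update.bat. The share path, the manifest name and its line format (`<sha256 hex>  <relative path>`) are assumptions.

```powershell
# Added example: copy from the share, verify against a manifest, only then run update.bat.
# Assumption: the app owner stages a manifest.sha256 next to the files, one "<sha256>  <relative path>" per line.
param(
    [string]$Source      = '\\SERVER1\Application\NewFiles',
    [string]$Destination = 'C:\temp\newfiles',
    [string]$Manifest    = 'manifest.sha256'
)
$ErrorActionPreference = 'Stop'

# Copy into a fresh staging directory so a partial download never mixes with an older, working copy.
$staging = Join-Path $env:TEMP ("newfiles-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $staging | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $staging -Recurse

# Parse the manifest; refuse to continue if it is absent.
$manifestPath = Join-Path $staging $Manifest
if (-not (Test-Path $manifestPath)) { throw "Manifest '$Manifest' missing; refusing to run update." }
$expected = @{}
foreach ($line in Get-Content $manifestPath) {
    if ($line -match '^\s*([0-9a-fA-F]{64})\s+(.+?)\s*$') { $expected[$Matches[2]] = $Matches[1].ToLower() }
}
if (-not $expected.ContainsKey('update.bat')) { throw "update.bat not listed in manifest; refusing to run update." }

# Every listed file must exist and hash to the expected value (catches truncated or corrupt transfers).
foreach ($rel in $expected.Keys) {
    $file = Join-Path $staging $rel
    if (-not (Test-Path $file)) { throw "Listed file '$rel' not found; refusing to run update." }
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash.ToLower()
    if ($actual -ne $expected[$rel]) { throw "Hash mismatch for '$rel'; refusing to run update." }
}

# Any file on the share that the manifest does not list is also a reason to stop.
Get-ChildItem -Path $staging -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($staging.Length + 1)
    if ($rel -ne $Manifest -and -not $expected.ContainsKey($rel)) { throw "Unlisted file '$rel'; refusing to run update." }
}

# Only now replace the previous copy and run the update, passing its exit code back to the action.
if (Test-Path $Destination) { Remove-Item -Path $Destination -Recurse -Force }
Move-Item -Path $staging -Destination $Destination
$proc = Start-Process -FilePath (Join-Path $Destination 'update.bat') -WorkingDirectory $Destination -Wait -PassThru
exit $proc.ExitCode
```

Because the manifest sits on the same share as the files, this guards against the failed or partial transfer Jack warns about, not against someone with write access to the share changing both; keeping the manifest (or a signature over it) somewhere the share's writers cannot alter closes that gap.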