File System Permissions for Windows Service Account

Olaf Lautenschlaeger ol at anova.de
Mon Sep 25 07:54:11 UTC 2006


On Sunday, September 24, 2006 9:02 PM [GMT+1=CET],
Will <DELETE_westes at earthbroadcast.com> wrote:

> In BIND 9.3 under Windows, what NTFS file system permissions does the
> service account need to run correctly?

I just found out that the default permissions
from installation didn't make too much sense.

It turned out that the following will work well:
(presuming you have
 options {
   directory "C:/WinNT/system32/dns"; ...
 };
in named.conf)

for the base dir above (no inheritance,
remove User/Power user group etc.):
- group Administrators: full access
- user named: full access
- SYSTEM: Read/Execute, List folders, Read
- CREATOR-OWNER: special: full rights for sub-folders and files only

You'll probably notice that temp files are written here.
(I've been running into trouble especially with this).

{basedir}\bin:
inherit the above (have no TSIG key files residing
there!)

{basedir}\etc:
- Administrators: full access
- named: full access
- CREATOR-OWNER: special: full access for sub-folders and files only

(all naming is back-translated from my German win2k)

Someone will probably contradict or, even better, point
to a more subtle rights allocation.

Olaf Lautenschlaeger
ANOVA Multimedia Studios GmbH, Rostock
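
The layout described in the message above, written as a PowerShell script. This is an added example, not part of the original post or of the BIND distribution. It assumes the base directory from the quoted named.conf, a local service account called "named", and that {basedir}\etc does not inherit from the base directory (the message lists no SYSTEM entry for it). Well-known SIDs stand in for the group names, since the author notes his names are back-translated from a German system.

```powershell
# Added example, not from the original message. Run from an elevated prompt.
# Assumed: base directory from the quoted named.conf, local account "named".
param(
    [string]$BaseDir        = 'C:\WinNT\system32\dns',
    [string]$ServiceAccount = 'named'
)

# Well-known SIDs are the same on every language version of Windows.
$admins  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544') # Administrators
$system  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')     # SYSTEM
$creator = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-0')      # CREATOR OWNER
$named   = [System.Security.Principal.NTAccount]::new($ServiceAccount)

function New-AllowRule($Identity, $Rights, $Propagation = 'None') {
    # Covers the folder, sub-folders and files; with 'InheritOnly' the folder
    # itself is skipped ("sub-folders and files only").
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', $Propagation, 'Allow')
}

function Set-ExplicitAcl($Path, $Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # no inheritance, drop inherited entries
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }  # removes Users etc.
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Base directory: Administrators and named full, SYSTEM read/execute,
# CREATOR OWNER full for sub-folders and files only.
Set-ExplicitAcl $BaseDir @(
    (New-AllowRule $admins  'FullControl'),
    (New-AllowRule $named   'FullControl'),
    (New-AllowRule $system  'ReadAndExecute'),
    (New-AllowRule $creator 'FullControl' 'InheritOnly'))

# {basedir}\etc: same entries without SYSTEM.
Set-ExplicitAcl (Join-Path $BaseDir 'etc') @(
    (New-AllowRule $admins  'FullControl'),
    (New-AllowRule $named   'FullControl'),
    (New-AllowRule $creator 'FullControl' 'InheritOnly'))

# {basedir}\bin: inherit from the base directory again.
$binPath = Join-Path $BaseDir 'bin'
$binAcl  = Get-Acl -Path $binPath
$binAcl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $binPath -AclObject $binAcl

# Print the resulting entries for review.
foreach ($dir in $BaseDir, $binPath, (Join-Path $BaseDir 'etc')) {
    (Get-Acl -Path $dir).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited, PropagationFlags
}
```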



More information about the bind-users mailing list