Before we proceed any further, it's time to secure the service account used by Deployment Server. This entails:
- Granting the Altiris service account full rights over Deployment Server's folders in the file system and registry
- Granting the Altiris service account the db_owner role on the eXpress database in SQL Server
- Removing the Altiris service account from the local Administrators group
So, what we are doing is sharply reducing the scope, in both the Windows OS and SQL Server, within which the Altiris service account holds elevated rights. Below I illustrate how, in a typical DS installation, the Altiris service account holds full sysadmin rights over the whole SQL Server instance (Figure 7). This is poor policy, especially if the SQL Server is hosting other databases. Moving to the best-practice model underneath restricts the account's scope so that it has full control only over the eXpress database.
Figure 7: SQL Server security overview illustrating how moving to a best-practice implementation reduces the scope in SQL Server where the Altiris service account has control.
Configuring permissions for the service account
As mentioned above, the first task is to explicitly grant the altservice account full rights over Deployment Server's folder structures in the file system and registry, so that when we remove it from the Administrators group the service account still retains sufficient rights in its functional areas.
Configuring Altiris service account permissions on the eXpress share
Now we're going to give the Altiris service account full NTFS permissions over the eXpress share:
- In Windows Explorer, navigate to C:\Program Files\Altiris
- Right-click the eXpress folder and select Properties
- In the Security tab, grant the altservice account Full Control
- Click Apply, then OK
Configuring Altiris service account permissions in the registry
Now we're going to give the Altiris service account full rights over Deployment Server's key structure in the HKEY_LOCAL_MACHINE registry hive:
- Open the Windows Registry Editor by typing regedit in the Run box on the Windows Start Menu
- Navigate to the Altiris registry key under HKLM\Software
- Right-click the Altiris key and select Permissions. Add the altservice account with Full Control
- Click Apply
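The two click-through procedures above (NTFS rights on the eXpress folder, then registry rights on the Altiris key) scripted as one step, with a check that the ACE actually landed. This is an added example, not code from the original article or from Altiris; it assumes the account is <computer>\altservice, the default install path C:\Program Files\Altiris\eXpress and the key HKLM\SOFTWARE\Altiris, so adjust those three variables if your install differs. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): grant the Altiris service account
# Full Control over the eXpress folder tree and the HKLM\SOFTWARE\Altiris key, then
# verify that the ACE is present. Assumed values below; adjust to your install.
$Account    = "$env:COMPUTERNAME\altservice"          # assumption: local altservice account
$ExpressDir = 'C:\Program Files\Altiris\eXpress'       # assumption: default install path
$RegKey     = 'HKLM:\SOFTWARE\Altiris'                 # assumption: default DS key

function Grant-FullControl {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path
    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        # Registry ACE: Full Control on this key, inherited by every subkey
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    } else {
        # NTFS ACE: Full Control on this folder, inherited by subfolders and files
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FullControl {
    param([string]$Path, [string]$Identity)
    # True if an Allow ACE for $Identity grants FullControl (explicit or inherited)
    $hit = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ("$($_.FileSystemRights)$($_.RegistryRights)" -match 'FullControl')
    }
    return [bool]$hit
}

foreach ($path in $ExpressDir, $RegKey) {
    Grant-FullControl -Path $path -Identity $Account
    if (-not (Test-FullControl -Path $path -Identity $Account)) {
        throw "Full Control for $Account was not applied to $path"
    }
    Write-Host "Full Control granted to $Account on $path"
}
```

The verification step matters more than it looks: Set-Acl fails silently in some edge cases (for example when the caller lacks the right to change the owner), and a service account that is about to lose its Administrators membership will stop working if the grant did not take.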
Scoping the Service Account in SQL Server
Now let's give the service account full rights over the eXpress database only. With SQL 2005 Express this was easy: you could just fire up the SQL Server Surface Area Configuration tool. That tool is not available in SQL 2008 Express, so we have to log in to SQL Server Management Studio:
- Open the SQL Server Management Studio console: Start Menu > Programs > Microsoft SQL Server 2008 > SQL Server Management Studio
- Authenticate to the instance in the login dialog
- Under Security -> Logins, right-click and select New Login
- In the General page, enter the login name <SERVERNAME>\altservice, substituting your server name
- In the General page, set the default database to eXpress
- In the User Mapping page, map the login to the eXpress database and tick the db_owner role
- Click OK and exit SQL Server Management Studio
If the installer had already created this login and made it a sysadmin (the situation in Figure 7), also open the Server Roles page and untick sysadmin; leaving it ticked means the database-level scoping achieves nothing.
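The same scoping done with T-SQL rather than the Management Studio dialogs, which is handy when you manage several Deployment Servers. This is an added example, not code from the original article or from Altiris; it assumes the DS database lives on the local instance .\EXPRESS and that the account is <computer>\altservice, so change $Instance and $Account to match. It goes slightly beyond the click-through above in that it also removes any sysadmin membership the default install left behind, and it finishes by listing what the login actually holds. sp_addrolemember and sp_dropsrvrolemember are used because ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later.

```powershell
# Added example (not from the original article): create the Windows login for the
# Altiris service account, restrict it to db_owner on eXpress, drop sysadmin if the
# installer granted it, and report the resulting role membership. Assumed values below.
$Instance = '.\EXPRESS'                          # assumption: instance hosting eXpress
$Account  = "$env:COMPUTERNAME\altservice"      # assumption: local altservice account

$tsql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS WITH DEFAULT_DATABASE = [eXpress];

-- A default DS install leaves the service account as sysadmin; take that away
IF IS_SRVROLEMEMBER('sysadmin', N'$Account') = 1
    EXEC sp_dropsrvrolemember N'$Account', 'sysadmin';

USE [eXpress];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];

-- db_owner on eXpress only (sp_addrolemember works on SQL 2008; ALTER ROLE is 2012+)
EXEC sp_addrolemember N'db_owner', N'$Account';

-- What the login now holds: server roles (expect no rows) and eXpress roles (expect db_owner)
SELECT 'server_role' AS scope, r.name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$Account'
UNION ALL
SELECT 'eXpress_role', r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$Account';
"@

# sqlcmd.exe ships with SQL Server 2008; -E uses your Windows logon, -b makes
# any T-SQL error fail the run so a half-applied change is not mistaken for success
$file = Join-Path $env:TEMP 'scope-altservice.sql'
Set-Content -Path $file -Value $tsql -Encoding ASCII
& sqlcmd.exe -S $Instance -E -b -i $file
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $file
```

Run it as a Windows account that is itself a SQL sysadmin (the installing administrator usually is). The final SELECT is the check worth keeping: a single row reading eXpress_role / db_owner and no server_role rows is the state Figure 7 calls best practice.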
Demoting the service account
Now that we've finished explicitly granting the service account the rights it requires to function, we can proceed to removing the account from the Administrators group (and, while we're at it, the Users group, as this account will never log on interactively):
- Remove the altservice account from the Administrators and Users groups. This can be done from a command prompt (net localgroup) or using the Local Users and Groups MMC
- Reboot the server
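The demotion step from the command line, with a membership check before you reboot. This is an added example, not code from the original article or from Altiris; it assumes the local account name altservice. It shells out to net.exe rather than Get-LocalGroupMember because the latter needs PowerShell 5.1, which the Windows Server releases DS 6.9 runs on do not ship with. The account keeps its "Log on as a service" right, which is assigned to the account itself when it is set on a service's Log On tab, so removing it from Users does not stop the Altiris services from starting.

```powershell
# Added example (not from the original article): remove altservice from the local
# Administrators and Users groups and verify it is gone. Assumes the account name below.
$Account = 'altservice'   # assumption: local service account name

function Get-LocalGroupMembers {
    param([string]$Group)
    # 'net localgroup <group>' prints a header, a dashed separator, the members,
    # then a completion line; return only the member names
    $lines  = & net.exe localgroup $Group 2>$null
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}')                       { $inList = $true; continue }
        if ($line -match 'command completed successfully') { break }
        if ($inList -and $line.Trim())                   { $line.Trim() }
    }
}

function Remove-FromLocalGroup {
    param([string]$Group, [string]$Member)
    if (Get-LocalGroupMembers $Group | Where-Object { $_ -ieq $Member }) {
        & net.exe localgroup $Group $Member /delete | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to remove $Member from $Group" }
    }
}

foreach ($group in 'Administrators', 'Users') {
    Remove-FromLocalGroup -Group $group -Member $Account
    # Re-read the group rather than trusting the exit code
    if (Get-LocalGroupMembers $group | Where-Object { $_ -ieq $Account }) {
        throw "$Account is still a member of $group"
    }
    Write-Host "$Account is not a member of $group"
}

# Reboot when you are satisfied with the output above:
# Restart-Computer
```

If your service account is a domain account rather than a local one, net.exe lists it as DOMAIN\name, so pass that form in $Account.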
The Deployment Server Services
If you take a look at the services now installed on your server (services.msc), you'll notice several Altiris services. Below is a snippet from the services MMC, which I've annotated with the application targets for each service.
That's a lot of services*. The important one to note for now is the Altiris Deployment Server DB Management Service, because this is the service the Deployment Console contacts in order to extract console data from the underlying eXpress database.
When the express.exe process starts up, it must do the following before it can load the Console interface:
- Connect to the SQL instance directly using the logged-on user's (your) Windows credentials
- Connect to the SQL database through the Altiris DB Management Service. This service runs as the process dbManager.exe and should now be using the altservice credential
Bearing the above in mind, if you have any problems opening the DS Console it's most likely related to SQL access. If you have problems opening the console, check that:
- MS SQL Server and the Altiris Deployment Server DB Management Service are up and running
- You are logged on to your server as a local administrator (recall that we granted full access earlier to the local Administrators group)
- Finally, if your problem occurs just after a server reboot, be patient. SQL Server takes a few moments to get rolling, and the Console cannot be opened until it is ready to accept connections
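The three checks above as a script you can run before launching the Console, including a retry loop for the post-reboot case. This is an added example, not code from the original article or from Altiris; it assumes the SQL instance is .\EXPRESS (display name "SQL Server (EXPRESS)") and the database is eXpress, and it matches the DB Management Service by the display name the article quotes. Run it from an elevated prompt: under UAC a non-elevated token reports no Administrators membership even when the account has it.

```powershell
# Added example (not from the original article): pre-flight checks for the DS Console.
# Assumed values below; adjust to your instance name and database.
$Instance = '.\EXPRESS'   # assumption: instance hosting eXpress
$Database = 'eXpress'

function Test-DsServices {
    # Both the SQL engine and the Altiris DB Management Service must be Running
    $required = @(
        'SQL Server (EXPRESS)',                            # assumption: default instance display name
        'Altiris Deployment Server DB Management Service'  # display name quoted in the article
    )
    $ok = $true
    foreach ($name in $required) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$name' not found"; $ok = $false; continue }
        if ($svc.Status -ne 'Running') {
            Write-Warning "Service '$name' is $($svc.Status) (runs as $((Get-WmiObject Win32_Service -Filter "DisplayName='$name'").StartName))"
            $ok = $false
        }
    }
    return $ok
}

function Test-LocalAdmin {
    # Is the current (elevated) token a member of the local Administrators group?
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SqlReady {
    param([string]$Instance, [string]$Database, [int]$RetrySeconds = 60)
    # express.exe connects with your Windows credentials, so do the same here and
    # keep retrying for a while: SQL Server is not ready the instant the service starts
    $cs = "Server=$Instance;Database=$Database;Integrated Security=SSPI;Connect Timeout=5"
    $deadline = (Get-Date).AddSeconds($RetrySeconds)
    do {
        $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'
            $r = $cmd.ExecuteReader()
            if ($r.Read()) { Write-Host ("Connected to {1} as {0}" -f $r[0], $r[1]) }
            return $true
        } catch {
            Write-Host "SQL not ready yet: $($_.Exception.Message)"
            Start-Sleep -Seconds 5
        } finally {
            $conn.Dispose()
        }
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Test-DsServices)) { Write-Warning 'Start the missing services before opening the Console' }
if (-not (Test-LocalAdmin))  { Write-Warning 'Log on (and elevate) as a local administrator' }
if (-not (Test-SqlReady -Instance $Instance -Database $Database)) {
    Write-Warning "SQL Server did not accept connections within the retry window"
}
```

A connection that opens but fails on USE eXpress, or a SUSER_SNAME() that is not the account you expect, points at the login mapping from the previous section rather than at the services.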
* For those Deployment Server veterans who are wondering what happened to the mysterious mm.exe: in DS 6.9 SP1 it was finally renamed to dbManager.exe. The name change didn't go much further, so you'll still see references to the MM service in the databases, log files and settings.
Read Part 6: Deployment Server 6.9 - A Quick-Start Course, Part 6: SQL Server Recovery Models