4.9 Configuring Tomcat to Run as a Non-Administrator User

On the Windows Access Gateway Service, Tomcat runs with administrator privileges. An attacker who compromises Tomcat could therefore gain access to the server. You must configure Tomcat to run as a non-administrator user.

Perform the following steps:

  1. Create a novlwww user.

    1. Open services.msc.

    2. Stop the Tomcat service.

    3. Before performing the next step, ensure that the novlwww user does not already exist.

    4. Run the following command:

      C:\Windows\System32\sc.exe config tomcat8 obj= ".\novlwww" password= "novellIman@Sec1"

      NOTE: This is the password used to create the user. It is available in the UserUtil.vbs file.

    5. Change the tomcat folder permissions by running the following command:

      C:\Windows\System32\icacls.exe "C:\Program Files\Novell\Tomcat" /Q /C /T /grant:r novlwww:(OI)(CI)F

    6. Start the Tomcat service.

  2. Assign permission to the novlwww user to start and stop Tomcat as an administrator.

    1. In the command prompt, type sc sdshow tomcat8.

      This produces output similar to the following:

      D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

      NOTE: The output is the service's security descriptor in SDDL form; it lists the permissions held by each user and group on the tomcat8 service.

    2. Get the SID of the novlwww user to grant novlwww the required permissions to start and stop Windows Services.

      Go to Start > regedit > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\. Select the key pertaining to novlwww and copy its name (the SID, of the form S-1-5-21-...).

    3. Substitute the SID for <KEY_NAME> in (A;;RPWPCR;;;<KEY_NAME>) and insert the resulting entry into the output obtained in step 2a, immediately before the S: portion. The result looks similar to the following:

      D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2738286421-3044359772-2946809952-1001)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    4. To grant the required permission to novlwww on the Apache service, copy the output from step 2c and run the following command:

      sc sdset Apache2.2 "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2738286421-3044359772-2946809952-1001)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

    5. Go to C:\Program Files and grant the Write and Modify permissions to the Users group on the Novell directory (including all subfolders and files) by right-clicking Novell > Properties > Security > Edit, selecting the Write and Modify permissions, and clicking Apply.
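The following PowerShell script is an added example, not part of the NetIQ documentation: it performs step 2 (resolving the novlwww SID with .NET instead of browsing ProfileList, inserting the (A;;RPWPCR;;;<SID>) entry ahead of the S: portion of the service SDDL) and then checks that the Tomcat service no longer runs as LocalSystem and that novlwww holds only the start/stop rights. It assumes the service names tomcat8 and Apache2.2 from this page and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the NetIQ documentation). Assumes the service names
# tomcat8 / Apache2.2 used on this page and an elevated PowerShell session.

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe sdshow prints the SDDL string surrounded by blank lines; keep only the text.
    $out = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '\S' }
    return ($out -join '').Trim()
}

function Add-StartStopAce {
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Sid)
    # RP = start, WP = stop, CR = user-defined control: the minimum the page grants.
    $ace = "(A;;RPWPCR;;;$Sid)"
    if ($Sddl.Contains($ace)) { return $Sddl }          # idempotent: already granted
    $idx = $Sddl.IndexOf('S:')                          # SACL marker; the DACL ends here
    if ($idx -lt 0) { return $Sddl + $ace }             # no SACL present: append to the DACL
    return $Sddl.Substring(0, $idx) + $ace + $Sddl.Substring($idx)
}

function Test-ServiceHardening {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$Sid)
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    $sddl = Get-ServiceSddl $ServiceName
    # Every access-allowed ACE for this SID; anything other than RPWPCR is over-privileged.
    $rights = @([regex]::Matches($sddl, "\(A;;([A-Z]+);;;$Sid\)") |
                ForEach-Object { $_.Groups[1].Value })
    [pscustomobject]@{
        Service       = $ServiceName
        LogonAccount  = $svc.StartName
        RunsAsSystem  = ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM')
        GrantedRights = ($rights -join ',')
        OnlyStartStop = ($rights.Count -gt 0 -and
                         @($rights | Where-Object { $_ -ne 'RPWPCR' }).Count -eq 0)
    }
}

# Resolve the SID of the local novlwww account (replaces the ProfileList lookup).
$account = [System.Security.Principal.NTAccount]"$env:COMPUTERNAME\novlwww"
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$newSddl = Add-StartStopAce -Sddl (Get-ServiceSddl 'Apache2.2') -Sid $sid
& sc.exe sdset Apache2.2 $newSddl

# Verification: tomcat8 should report RunsAsSystem = False, and the novlwww ACE should
# grant nothing beyond RPWPCR on either service.
Test-ServiceHardening -ServiceName 'tomcat8'   -Sid $sid
Test-ServiceHardening -ServiceName 'Apache2.2' -Sid $sid
```

If RunsAsSystem is still True for tomcat8, the sc.exe config command from step 1 did not take effect and the service is still running with SYSTEM privileges.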