
I've got one server in a DMZ which has limited access via SMB to another one in the internal network. A web server on that external machine needs access to a whole partition on that internal server.

I'm still using a quick and dirty solution. The web server still runs as the SYSTEM user. I managed to mount the share for that user.

The main problem: this setup is not reboot-safe. After a reboot the connection has to be re-established, because there's no way to save the credentials for that share.

P.S. The DMZ server is not in the Windows domain.

Sn0opy

1 Answer

To clarify: the Web Server is a Windows machine in your DMZ, with IIS running under the SYSTEM account? Not ideal (as the SYSTEM account is not supposed to have access to network resources) but possibly doable, in a lab environment.

In any case, it sounds like you need to issue a NET USE to the target server, under the context of the SYSTEM user.

Scheduled Tasks can be run under the SYSTEM account.

Putting these together, how about creating a Scheduled Task with the following settings:

  • Action: "%WINDIR%\system32\net.exe" USE \\TheSmbServer\TheNetworkShare /USER:TheDomain\TheUser Th3_P@55w0rd
  • Logon User: NT AUTHORITY\SYSTEM (use blank password -- Windows will manage)
  • Trigger/Schedule: At system startup
  • Options: Run whether user is logged in or not; Run with highest privileges

That should bind the necessary authentication credentials at (or close to) startup.

If it needs to be able to access all shares, try using \\TheSmbServer\IPC$ as the share.

jimbobmcgee
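The scheduled-task setup from the answer above, as one PowerShell script to run on the DMZ web server. This is an added example, not code from the answer's author; the server, share and account names are the placeholders used in the answer, and the task name, log output and five-second wait are assumptions made for this example. It registers the startup task under SYSTEM, fires it once so you do not have to reboot to test, and then shows the one check a practitioner should make after using this approach: who can read the task definition, because the password ends up in clear text inside it.

```powershell
# Run on the DMZ web server, from an elevated PowerShell (ScheduledTasks module, Windows 8 / Server 2012 or later).
# Placeholders from the answer: TheSmbServer, TheNetworkShare, TheDomain\TheUser.
# Assumed for this example: the task name and the short wait before checking the result.
$server   = 'TheSmbServer'
$share    = 'TheNetworkShare'
$user     = 'TheDomain\TheUser'
$password = Read-Host -Prompt "Password for $user"     # prompted so it does not land in shell history
$taskName = 'Map-ShareForSystem'

# The action is the NET USE from the answer. /PERSISTENT:NO because the startup trigger,
# not a user profile, is what re-creates the connection; SYSTEM has no interactive profile to persist into.
$action = New-ScheduledTaskAction -Execute "$env:WINDIR\System32\net.exe" `
    -Argument "USE \\$server\$share /USER:$user $password /PERSISTENT:NO"

# Trigger at system startup, run as NT AUTHORITY\SYSTEM (no password needed, Windows manages that logon),
# highest privileges, and retry if the network is not yet up when the trigger fires.
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it now instead of waiting for a reboot, then read the result code (0 means net.exe exited 0).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
$info = Get-ScheduledTaskInfo -TaskName $taskName
'LastRunTime={0}  LastTaskResult={1}' -f $info.LastRunTime, $info.LastTaskResult

# Caveat check: the task XML under System32\Tasks carries the password in clear text in its <Arguments>.
# List who can read that file before you leave this in place.
Get-Acl "$env:WINDIR\System32\Tasks\$taskName" | Format-List Owner, AccessToString
```

Why a task running as SYSTEM helps IIS at all: SMB connections are tracked per logon session, and every process running as LocalSystem shares the same logon session, so a connection made by the task is visible to an IIS worker that also runs as SYSTEM. That is also why the trick stops working the moment the application pool is moved to its own identity, which is the change the original poster says they want to make; at that point the credential has to be established in that identity's session instead. From a client that is not domain-joined, the `/USER:TheDomain\TheUser` form authenticates with NTLM, which the domain-joined file server passes through to a domain controller; Kerberos is not available to the DMZ box.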
  • Good idea, but as you already said, it's not the best idea running those services as SYSTEM, which I want to change of course. In this case it's a single partition z$ which will be accessed. I assume this should be possible with the correct domain user / rights. I'll test it later today – Sn0opy Jan 15 '13 at 08:29
  • `Z$` as in, the default admin share `\\TheSmbServer\Z$`? You will probably need to grant local Administrator rights to TheServer. If you have to give access to a logical drive (i.e. `Z:`) for non-administrative users, I would create a new explicit share and set permission appropriately on the share object itself (e.g. Change/Read), rather than using the default admin shares. – jimbobmcgee Jan 15 '13 at 11:08
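The explicit share that the last comment recommends instead of the `Z$` admin share, as an added PowerShell example to run on the internal server (not code from the commenter). The share name `WebData` and the choice of `Change` share permission with `Modify` NTFS rights are assumptions for this example; `TheDomain\TheUser` is the placeholder account from the thread. It sets both layers, because a share grant alone does nothing if the NTFS ACL on the folder still denies the account, and it does not require making the account a local Administrator.

```powershell
# Run on the internal file server (TheSmbServer), elevated, SmbShare module (Server 2012 or later).
# Assumed for this example: share name WebData, Change at the share layer, Modify at the NTFS layer.
$sharePath = 'Z:\'
$shareName = 'WebData'
$account   = 'TheDomain\TheUser'

# Share-level permission: Change (read/write/delete) for the service account only, nothing for Everyone.
New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess $account `
    -Description 'Data for the DMZ web server' | Out-Null

# NTFS-level permission: the effective right is the intersection of share and NTFS ACLs,
# so the account also needs Modify on the folder tree itself.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify both layers: who holds what on the share, and that the account shows up on the folder ACL.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $sharePath).Access | Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

With this in place the DMZ side connects to `\\TheSmbServer\WebData` rather than `\\TheSmbServer\Z$`, and the account never needs the local Administrator membership that the hidden admin shares require.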