RestrictedService


Just for peace of mind, a few extra layers of security can be added when running any program on a modern operating system, the FAH client included. The most significant is probably running the program under its own restricted user account, which works best when the program runs as a service. The idea is to limit the program's access to only what it needs.

Windows example:

  • This example is written for running the "text-only console client" as a service under any NT-based Windows, e.g. 2000 / XP Professional / 2003. If using XP, make sure "Use simple file sharing" is disabled. This is also possible under XP Home, but only with some additional steps to work around some of Home's missing features.
  1. Create a FoldingAtHome user account with a password. On a non-domain machine, remove it from all groups to further restrict access. A domain account requires a primary group, which defaults to "Domain Users". I work with this by creating a group called "RestrictedService", and using that as the primary group, since it won't have any special privileges linked to it.
  2. Modify the permissions on the client folder (e.g. C:\Folding@Home) so that the user account (FoldingAtHome) has the necessary permissions (basically, everything but Full Control). Right-click on the folder and choose Properties, then Security. Click Add, type in the user name, and hit OK. Then check "Modify" in the "Allow" column, and hit OK.
  3. Open the Windows Services console. Find the "FAH@..." entry, right-click it, and choose Properties. Click the "Log On" tab, choose "This Account", enter the selected username and password, and hit OK. For a new user account, Windows should notify you that the account has been granted the "Log On As Service" right. Restart the service. If it starts without a warning from Windows and your CPU activity resumes, the operation is a success!
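
To confirm that the three steps took effect, here is a read-only PowerShell audit, added as an example and not part of the original page. It assumes PowerShell 5.1 or later and a local (non-domain) account; `$ServiceName` is a placeholder for the real "FAH@..." service name, which the page does not give in full.

```powershell
# Added example: read-only audit of steps 1-3. Assumes PowerShell 5.1+ and a
# local (non-domain) account. $ServiceName is a placeholder to replace.
param(
    [string]$Account     = 'FoldingAtHome',
    [string]$ClientDir   = 'C:\Folding@Home',
    [string]$ServiceName = '<FAH-service-name>'
)
$findings = @()
$fsr = [System.Security.AccessControl.FileSystemRights]

# Step 1: the account exists and is a member of no local group.
$user = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
if (-not $user) {
    $findings += "Account '$Account' not found"
} else {
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $user.SID.Value) {
            $findings += "Account is a member of local group '$($group.Name)'"
        }
    }
}

# Step 2: Allow rules for the account on the folder: Modify yes, Full Control no.
$rules = @()
if (Test-Path -LiteralPath $ClientDir) {
    $rules = @((Get-Acl -LiteralPath $ClientDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value.Split('\')[-1] -eq $Account
    })
} else { $findings += "Folder '$ClientDir' not found" }
if (-not ($rules | Where-Object { $_.FileSystemRights.HasFlag($fsr::Modify) })) {
    $findings += "No Allow rule grants Modify to '$Account' on '$ClientDir'"
}
if ($rules | Where-Object { $_.FileSystemRights.HasFlag($fsr::FullControl) }) {
    $findings += "'$Account' has Full Control on '$ClientDir'"
}

# Step 3: the service logs on as the restricted account and is running.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings += "Service '$ServiceName' not found"
} elseif ("$($svc.StartName)".Split('\')[-1] -ne $Account) {
    $findings += "Service logs on as '$($svc.StartName)', not '$Account'"
} elseif ($svc.State -ne 'Running') {
    $findings += "Service state is '$($svc.State)'"
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'OK: all three steps verified' }
```

The group check covers explicit local group membership only; implicit identities such as Everyone or Authenticated Users still apply to the account and do not show up here.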

--
Mark A. Ziesemer
