Apache on Windows - Folder Permissions

By ohm.paul
I am trying to tighten the security with Apache running on my web server (also called Jailing apache). Going on the recommendations of many, I have created a separate user for the httpd service of Apache. I have prohibited local and network login via group policy for this user (named "apache", a member of the "users" group). Most people say that I should completely deny access to all local drives, and then specifically allow read/execute access to the apache software folder.

I have apache, mysql, and php installed in a folder on my E partition. I have my doc root in a folder on my \ partition.

So far, I have denied Full Control (using Properties -> Security -> Advanced, with "Replace permission entries on child objects" checked) on my C, D, and E partitions. I then went into my E: drive to the Apache folder and unchecked "Allow inheritable permissions from the parent..." so that I can set specific permissions. I then allow the following permissions under Properties -> Security -> Advanced: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
The rest is specifically denied. I checked "Replace permission entries on child objects".

I then repeat this process for the "logs" folder except I also allow the writing attributes.

However, when I go to start the service, it doesn't let me and tells me to refer to the Event viewer, where there is no entry. I know this is a permissions issue, because if I grant the apache user full control to everything on the drive, it starts fine.

I have tried messing with the permissions, but I can't seem to get the service to start while denying the user the ability to see what is on the drive (read and execute). I know it is possible, because it is recommended to do this by so many, but I must be messing up somewhere.

Can anyone help me with this?


While I can't tell you exactly what permissions to assign

by jimmy-jam In reply to Apache on Windows - Folde ...

If you do an explicit deny, it overrides an allow. Rather than explicitly denying permission, just don't grant permission to the user(s) or group(s) that you do not want to have access. Then give read/write/execute to the user you want to start the service.
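As an added example (not part of the thread, and not the poster's own steps), here is the allow-only approach jimmy-jam describes, scripted in PowerShell so it can be re-applied after a reinstall instead of clicked through the Security tab. It also covers the original question's folder layout: read/execute on the Apache install folder (the GUI's Traverse Folder/Execute File, List Folder/Read Data and the three Read* entries together are the `ReadAndExecute` right), read/execute plus write on logs, and read/execute on the document root. The account name, the paths `E:\Apache2.2`, `E:\Apache2.2\logs` and `C:\www`, and the service name `Apache2.2` are assumptions to adjust.

```powershell
# Added example, not from the thread. Assumptions: a local service account named
# "apache", Apache installed under E:\Apache2.2, document root C:\www, and a
# Windows service named "Apache2.2". No explicit Deny ACEs are written; the
# account simply receives no grant outside these folders.

$Account   = "$env:COMPUTERNAME\apache"
$ApacheDir = 'E:\Apache2.2'
$LogsDir   = 'E:\Apache2.2\logs'
$DocRoot   = 'C:\www'
$Service   = 'Apache2.2'

function Grant-FolderAccess {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -Path $Path

    # Drop any explicit Deny ACE for the account left over from earlier
    # experiments; a Deny is evaluated before an Allow and would win.
    foreach ($ace in @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Account -and
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    # ContainerInherit + ObjectInherit applies the ACE to subfolders and files,
    # the scripted equivalent of "Replace permission entries on child objects".
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Binaries, modules and conf: read and execute only.
Grant-FolderAccess -Path $ApacheDir -Rights 'ReadAndExecute'
# Logs: the service must create and append to files here.
Grant-FolderAccess -Path $LogsDir   -Rights 'ReadAndExecute, Write'
# Document root: read only, so a compromised worker cannot drop files into it.
Grant-FolderAccess -Path $DocRoot   -Rights 'ReadAndExecute'

# Verify: show every ACE on each folder that names the service account.
foreach ($p in $ApacheDir, $LogsDir, $DocRoot) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights,
                      AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# Start the service; on failure, pull the Service Control Manager entries and
# the tail of Apache's own error log, which is usually the more useful of the two.
Start-Service -Name $Service -ErrorAction SilentlyContinue
if ((Get-Service -Name $Service).Status -ne 'Running') {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 10 |
        Select-Object TimeCreated, Id, Message
    Get-Content -Path (Join-Path $LogsDir 'error.log') -Tail 20 -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell prompt. Because nothing here removes the default grants to Users or Authenticated Users on the system drive, the service account keeps whatever read/execute access those groups already have to Windows system files; that is what lets httpd.exe load its system DLLs without per-file grants under system32 and WinSxS.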

don't deny

by ohm.paul In reply to While I can't tell you ex ...

I know that a deny overrides an allow, but that is why I unselect "Allow parent objects to propagate permissions"; this removes the deny-all permission that was assigned to the parent folder. I am guessing that just the fact that the parent folder is denied means that the user cannot get to the child folder regardless of the permissions on the child. Although if this is the case, I do not understand why so many people recommend specifically denying access to the entire drive and then just allowing the folders needed...

why does apache need these?

by ohm.paul In reply to While I can't tell you ex ...

After a few hours of narrowing down which files/folders needed read/execute access in order for apache to start, I came up with this.

Under the system32 directory:

under the \windows\winSxS directory:

Why oh why are these files needed by Apache? How am I the only one that has run into this problem? It seems like everyone else doesn't need to give the apache user any access at all to C:, but if I do not give access to these specific files, the service will not start. I used the binary of Apache to install it; could that be the problem? Does it install files all over the place when you use the binary? This has been such a pain... any help is greatly appreciated.

Also, here are the modules that I currently have enabled. We are running MySQL/PHP also, if that makes any difference, but if you notice some modules that you don't think we will need, please let me know.

LoadModule alias_module modules/
LoadModule auth_basic_module modules/
LoadModule authn_default_module modules/
LoadModule authn_file_module modules/
LoadModule authz_default_module modules/
LoadModule authz_groupfile_module modules/
LoadModule authz_host_module modules/
LoadModule authz_user_module modules/
LoadModule dir_module modules/
LoadModule headers_module modules/
LoadModule isapi_module modules/
LoadModule log_config_module modules/
LoadModule mime_module modules/
LoadModule negotiation_module modules/
LoadModule rewrite_module modules/
#LoadModule setenvif_module modules/
LoadModule ssl_module modules/
LoadModule unique_id_module modules/


There is a Win32 installation of Apache...

by ThumbsUp2 In reply to why does apache need thes ...

The binary is used on Unix/Linux systems. It doesn't register itself as a service which is needed by Windows. Try using the Win32 installation of Apache and I'll bet your permission issues go away.


I used the Win32 MSI

by ohm.paul In reply to There is a Win32 installa ...

The one I used is apache_2.2.9-win32-x86-openssl-0.9.8h-r2.msi

I'm pretty sure that's the only Win32 binary there is; the only difference between it and the other is that it comes with OpenSSL lite...

You said that you play with a similar situation and it works fine, but do you have the Apache service set to run via a separate "apache" user like I do? If so, have you also removed "Everyone" or "Authenticated Users" from the permissions of C: and its subdirectories? Because otherwise, your "apache" user would have access to read/execute files on C:.

Use the MSI

by jimmy-jam In reply to why does apache need thes ...

If you are installing on Windows, your best bet is to use the msi file to install it. I have not used Apache in production but we have a test server here that we "play" with and we installed Apache and PHP using the msi files and have not had any difficulty.


You play too?

by ThumbsUp2 In reply to Use the MSI

I've got the same set up. I'm glad to hear that other people have toys to play with too! After all, we have to keep ourselves up to date on this stuff, just in case it's thrown at us without notice.


I play alot

by jimmy-jam In reply to You play too? ;)

Because, like you said, you have to be as up to date as you can on as many technologies as possible, just in case... if nothing else, it allows you to speak intelligently when the subject is brought up, or at least make it seem like you're intelligent.