Installation and Permission Recommendations

In the event of IT policy requiring details about permissions and privileges, it can be helpful to have a detailed explanation of what Checkbox does, with what permissions, and why.  This document can be shared to meet that requirement.

 

It is strongly recommended that Checkbox be installed as an administrator, because it must have file server access to IIS.  However, the actual app itself will run on a new app pool created with default IIS app pool permissions.  This is done because using the default app pool is bad practice, and the needed permissions to access the Checkbox directories will be automatically set up correctly when the new app pool is created.

It is not necessary or recommended to install Checkbox on a non-admin account, because IIS will handle well-formed restrictive permissions for the new app pool by default.  Attempting to manually set up or circumvent this just creates more work for yourself with no appreciable improvement in security.

 

By default, the IIS app pool should have the needed access to write data to its own log directory.  If you are not seeing app logs even after turning them on, you should verify that this is true.

 

Moving on from the app/api, with respect to the Checkbox Service, if Windows Authentication is used to access the SQL server (this is configured during install), then the account used during installation *will* be used by the Checkbox Service.  However, Checkbox recommends using SQL Authentication since this requires no special permissions.  After installation, the Checkbox Service can be run on a simple service account, only requiring permission to write data to its own log directory and to create and store temp files in memory.

Have more questions? Submit a request

0 Comments

Article is closed for comments.