Can the Performance Sentry Collection Service impersonate a User Account to gain access to secure network resources?

Yes.
By design, the Performance Sentry Collection Service (dmperfss.exe) is installed to run under the built-in LocalSystem (SYSTEM) account. This built-in account, which most services use, has the authority to perform almost any internal function on the local machine. However, the LocalSystem account has no built-in facilities to access secure network resources, such as shared network folders.

The Performance Sentry Collection Service performs two sets of functions where security considerations may apply:

  1. Control the Performance Sentry data and log files in the data Folder. You can normally tell that the NTSMF data Folder is protected from uncontrolled access by the LocalSystem account if the service terminates prematurely at start-up and no <computername>.ntsmf.log file is generated in the NTSMF data Folder.
  2. Execute the Cycle End command or command script. The Cycle End command or command script runs in a separate process that inherits its Authority from the Performance Sentry service process that creates it. If the Cycle End command or command script fails to complete successfully, but works fine when you execute it under your Logon Account, your Logon Account probably has Folder Permissions that are not granted to the LocalSystem account.

There are two ways to authorize the collection service to perform these secure functions:

  1. If you have implemented Active Directory, it is possible to grant the LocalSystem (or SYSTEM) Account the Folder Permissions required to access secured network resources. The LocalSystem Account corresponds to the named Computer in Active Directory. However, some installations prefer not to grant the LocalSystem (or SYSTEM) Account any Folder Permissions.
  2. You may assign a User Account with access to the appropriate network resources that the collection service will impersonate whenever it performs one of the two secured functions discussed above.

Impersonation allows the collection service to temporarily adopt a different security identifier (SID) than the one specified when the service is started. You assign the User Account and Password that the collection service will impersonate when you install the collection service. The User Account you assign will be used whenever the collection service performs any function that might need to be done under a security context other than LocalSystem (or SYSTEM). If you assign a User Account and Password during installation of the collection service, the collection service will impersonate that User Account when it launches the Cycle End command. This allows the Cycle End command or script to execute under a User Account that is authorized to perform network file operations on a secure shared folder. In addition, if the NTSMF data Folder is protected from uncontrolled access by the LocalSystem account, you may need to assign Performance Sentry a User Account to impersonate when it performs any function that accesses the data Folder.

You assign the User Account to be impersonated during the Performance Sentry Collection Service installation using the -account and -password options, as illustrated below:
dmperfss -install -f MyDCS.dcs -account DomainName\myAccount -password xxxxxxx

You may also assign the User Account by using the automation interface command dmcmd.exe found in the root NTSMF folder:
dmcmd.exe -account DomainName\myAccount -password xxxxxxx
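
To confirm which security context the Cycle End command actually receives, a small diagnostic script can be run as (or called from) the Cycle End command. The following is an added example, not code from Demand Technology or the User's Manual; the share path and log location are hypothetical placeholders, and how the script is registered as the Cycle End command is assumed to follow your existing configuration.

```powershell
# Added diagnostic example (not vendor code). Run it as, or call it from, the
# Cycle End command to record which security context the command receives
# and whether that context can write to the secured folder.
param(
    [string]$TargetFolder = '\\fileserver\perfdata',       # hypothetical secured share
    [string]$LogFile = "$env:TEMP\cycle-end-context.log"   # hypothetical local log
)

# Identity of the process token (or impersonation token) this script runs under.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value
$isSystem = $sid -eq 'S-1-5-18'   # well-known SID of the LocalSystem account

# Probe write access by creating and removing a uniquely named file.
$probe = Join-Path $TargetFolder ('probe-{0}.tmp' -f [guid]::NewGuid())
try {
    [System.IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe -ErrorAction Stop
    $result = 'write OK'
}
catch {
    $result = 'write FAILED: ' + $_.Exception.Message
}

# One line per cycle: timestamp, account, SID, LocalSystem flag, target, outcome.
$line = '{0:s} account={1} sid={2} localsystem={3} target={4} {5}' -f `
    (Get-Date), $identity.Name, $sid, $isSystem, $TargetFolder, $result
Add-Content -LiteralPath $LogFile -Value $line

# Non-zero exit code makes an access failure visible to the caller.
if ($result -ne 'write OK') { exit 1 }
```

A log line showing `localsystem=True` together with a write failure corresponds to the case described above, where the command works under your Logon Account but not under LocalSystem.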

For more details, see Chapter 2 of the User’s Manual.
