Cerberus FTP Server version 12.3.0 includes some significant changes to the installer. These changes affect how the Cerberus FTP Server service credentials are set.

What are Service Credentials?

Every process has a Windows identity that determines which files, folders, AD users and groups it can access. Normal programs inherit the logged-in user’s identity, whereas services have their own configured identity.

This information is available in the Services control panel under the “Log On” tab for every service configured on the server:

Service credentials as seen in Services -> “Log On”

What’s New?

The Cerberus FTP Server 12.3.0 installer brings service credentials to the forefront of the install process. The key benefits are:

  • Set Service Credentials During Install
    The Cerberus FTP Server installer can now customize service credentials while Cerberus is being installed or upgraded.
  • Easier Upgrades
    The installer will not change the service configuration unless directed to do so. This makes upgrading much simpler, especially in Windows Domain environments where custom service accounts are more common.
  • Improved Security
    New installations create an unprivileged local computer user named ‘Cerberus’ and the service runs with these credentials. This replaces the old behavior of running as ‘LocalSystem’.

Set Service Credentials During Install

This dialog now appears at the beginning of installation. First-time install and upgrade present different options.

First-Time Installation

Service configuration dialog displayed for first-time install

The installer offers three options during first-time installation:

  • Standard Cerberus Account
    This option creates a new, unprivileged local computer account named ‘Cerberus’ and configures the Cerberus FTP Server service to run as this user. You’ll be prompted to create a password for this account.
  • Existing Local Account
    For security purposes, some administrators choose to run services as specific local accounts. This option allows you to configure the service to run with these local computer accounts.
  • Existing Domain Account
    Likewise, Windows Domain environments may require that specific accounts be used. This account may, for instance, be granted access to the domain directory.

When username, password, or domain are required, the installer requests this information:

Installer requesting local computer username and password

The ‘Validate’ button checks the username and password and alerts you if the user can’t be found or if the password is incorrect. Both Local Computer and Domain credentials can be validated; however, validating domain credentials requires that the installer be run by a domain user:

Warning shown when adding domain credentials while installing as local user

Easier Upgrades

When upgrading using the manual update method, the installer offers the same three options as first-time installation, plus one new option. (Note: the Auto-updater method presents no options and runs in “Use Current” mode automatically.) The new option is:

  • Use Current
    Continue using the current service credentials during the upgrade.

The 12.3.0 installer gives you the option of leaving the current Cerberus FTP Server service configuration unchanged when upgrading from version 12.2.0 or later. The Welcome dialog tells you when this is possible:

Welcome dialog indicating “service unchanged” upgrade is possible
No need to provide credentials when upgrading from 12.2.0 or higher

When upgrading from version 12.1.0 or older, the installer will only retain the username (and domain name) and must collect the password from you:

When upgrading from 12.1.0 or earlier, you must provide the password.

Improved Security

New deployments of Cerberus FTP Server will use a new, unprivileged local account named ‘Cerberus’. 

‘Cerberus’ local computer account

The previous default, ‘LocalSystem’, is still available for backward compatibility during upgrade:

Continuing with ‘LocalSystem’ is supported, but not recommended

As we continue to improve Cerberus FTP Server’s security, we try to follow the “principle of least privilege”. Cerberus FTP Server does not need the low-level access granted to the ‘LocalSystem’ account, so it should stop using it.

Use Caution when Changing Service Credentials

Moving away from ‘LocalSystem’ is the right choice in the long run. However, a change to service credentials should be tested thoroughly before being applied to production environments. 

You must ensure the new service account has privileges on all virtual directory paths used by Cerberus FTP Server. Files referenced in configuration, like certificate and private key files, must also be accessible. When moving to a domain service account, you must also ensure the account has read access to all users and groups integrated with Cerberus FTP Server.
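
One way to check these prerequisites before switching accounts, as an added PowerShell example (not from Cerberus or the original post): it reports the service's logon identity and looks for ACL entries on each required path. The service display-name filter, the paths and the group list are placeholder assumptions to replace with your own values.

```powershell
# Added example: audit the service logon identity and its ACL entries on required paths.
# ASSUMPTIONS (not from the original page): the display-name filter and every
# path below are placeholders; replace them with values from your deployment.
$ServiceFilter = "DisplayName LIKE '%Cerberus%'"
$RequiredPaths = @(
    'D:\ftproot',              # placeholder virtual directory root
    'C:\certs\server.crt',     # placeholder certificate file
    'C:\certs\server.key'      # placeholder private key file
)
# Groups whose ACEs may also apply to the account; adjust to its real memberships.
$AlsoCheck = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-ServiceLogon {
    param([string]$Filter)
    # StartName is the account shown on the service's "Log On" tab.
    Get-CimInstance -ClassName Win32_Service -Filter $Filter |
        Select-Object Name, DisplayName, StartName, State
}

function Test-PathAccess {
    param([string]$Path, [string[]]$Identities)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Rights = $null }
    }
    # Keep only ACEs that name the service account or one of the listed groups.
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $Identities -contains $_.IdentityReference.Value }
    $deny  = $rules | Where-Object AccessControlType -eq 'Deny'
    $allow = $rules | Where-Object AccessControlType -eq 'Allow'
    $status = if ($deny) { 'DENY ACE PRESENT' } elseif ($allow) { 'ALLOWED' } else { 'NO MATCHING ACE' }
    [pscustomobject]@{
        Path   = $Path
        Status = $status
        Rights = ($allow.FileSystemRights -join '; ')
    }
}

foreach ($svc in Get-ServiceLogon -Filter $ServiceFilter) {
    $account = $svc.StartName
    if ($account -eq 'LocalSystem') {
        Write-Warning "$($svc.Name) runs as LocalSystem; plan a move to an unprivileged account."
        continue
    }
    # Win32_Service reports local accounts as '.\name'; ACLs use 'COMPUTER\name'.
    $aclName = $account -replace '^\.\\', "${env:COMPUTERNAME}\"
    "Service $($svc.Name) runs as $account"
    $RequiredPaths |
        ForEach-Object { Test-PathAccess -Path $_ -Identities (@($aclName) + $AlsoCheck) } |
        Format-Table -AutoSize
}
```

A matching Allow entry is a starting point rather than proof of effective access, since group membership and inherited Deny entries also apply; confirm with a real transfer under the new account in a test environment.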

Conclusion

We are pleased to get these improvements into version 12.3.0. We hope they make the job of managing Cerberus FTP Server easier. As always, we would love to hear your feedback.