Cerberus FTP Server version 12.3.0 includes some significant changes to the installer. These changes have to do with setting the Cerberus FTP Server service credentials.
What are Service Credentials?
Every process has a Windows identity which determines what files, folders, AD users and groups it can access. Normal programs inherit the logged-in user’s identity, whereas Services have their own configured identity.
This information is available in the Services control panel under the “Log On” tab for every service configured on the server:
The Cerberus FTP Server 12.3.0 installer brings service credentials to the forefront of the install process. The key benefits are:
- Set Service Credentials During Install
The Cerberus FTP Server installer can now customize service credentials while Cerberus is being installed or upgraded.
- Easier Upgrades
The installer will not change the service configuration unless directed to do so. This makes upgrading much simpler, especially in Windows Domain environments where custom service accounts are more common.
- Improved Security
New installations create an unprivileged local computer user named ‘Cerberus’ and the service runs with these credentials. This replaces the old behavior of running as ‘LocalSystem’.
Set Service Credentials During Install
This dialog now appears at the beginning of installation. First-time install and upgrade present different options.
The installer offers three options during first-time installation:
- Standard Cerberus Account
This option creates a new, unprivileged local computer account named ‘Cerberus’ and configures the Cerberus FTP Server service to run as this user. You’ll be prompted to create a password for this account.
- Existing Local Account
For security purposes, some administrators choose to run services as specific local accounts. This option allows you to configure the service to run with these local computer accounts.
- Existing Domain Account
Likewise, Windows Domain environments may require that specific accounts be used. This account may, for instance, be granted access to the domain directory.
When username, password, or domain are required, the installer requests this information:
The ‘Validate’ button checks the username and password and alerts you if the user can’t be found or if the password is incorrect. Both Local Computer and Domain credentials can be validated, however validating domain credentials requires that the installer be run by a domain user:
When upgrading using the manual update method, the installer offers the same three options as first-time installation as well as a new one (Note: the Auto-updater method presents no options and runs in “Use Current” mode automatically):
- Use Current
Continue using the current service credentials during the upgrade.
The 12.3.0 installer gives you the option of leaving the current Cerberus FTP Server service configuration unchanged when upgrading from version 12.2.0 or later. The Welcome dialog tells you when this is possible:
When upgrading from version 12.1.0 or older, the installer will only retain the username (and domain name) and must collect the password from you:
New deployments of Cerberus FTP Server will use a new, unprivileged local account named ‘Cerberus’.
The previous default, ‘LocalSystem’, is still available for backward compatibility during upgrade:
As we continue to improve Cerberus FTP Server’s security, we try to follow the “principle of least privilege”. Cerberus FTP Server does not need the low-level access granted to the ‘LocalSystem’ account, so it should stop using it.
Use Caution when Changing Service Credentials
Moving away from ‘LocalSystem’ is the right choice in the long run. However, a change to service credentials should be tested thoroughly before being applied to production environments.
You must ensure the new service account has privileges on all virtual directory paths used by Cerberus FTP Server. Files referenced in configuration, like certificate and private key files must also be accessible. When moving to a domain service account, you must also ensure the account has read-access to all users and groups integrated with Cerberus FTP Server.
We are pleased to get these improvements into version 12.3.0. We hope they make the job of managing Cerberus FTP Server easier. As always, we would love to hear your feedback.