
Running the Apache Service as a Domain Account

After confirming that the web server is accessible when launched by the default Local System account, Apache must be configured to run as a service account with limited privileges on the web server, for the following reasons:

  • Apache must run as a domain account to access the network resources it needs.

  • To prevent unauthorized access to the entire system if Apache is compromised.

Workflow and additional information

To secure the Apache Service account by setting it to run as a Domain account, you must do the following:

  • Modify the Local Security policy.
    For more information about, see "Running Apache as a Service" at
  • Grant permissions to the Apache Service account.
  • Modify the Apache Service account.

To modify the Local Security Policy

  1. Log in to machine winpb01 using the account BI4PATTERN\BIPattern01.

  2. Click Start > Administrative Tools > Local Security Policy.
    The "Local Security Policy" dialog box opens.

  3. Expand Local Policies > User Rights Assignment.

  4. Double-click Act as Part of the Operating System.
    The "Act as part of the operating system Properties" dialog box opens.

  5. Click Add Users or Group.
    The "Select Users, Computers, Service Accounts, or Groups" dialog box opens.
  6. In the Enter the object names to select box, type BI4PATTERN\SVC_WEBTIER, and click OK.

  7. In the "Local Security Policy" dialog box, double-click Log on as a service, add the BI4PATTERN\SVC_WEBTIER account, and then click OK.

  8. Close the "Local Security Policy" dialog box.

To grant permissions to the Apache service account

You need to grant the SVC_WEBTIER account the necessary privileges to run Apache. To add the SVC_WEBTIER account to the local Users group:

  1. Go to Start > Administrative Tools > Active Directory Users and Computers > BI4PATTERN.COM > Builtin >
  2. Double-click Users > Members >
  4. Click OK all the way out to complete the process.

Users Group Privileges

Members of the Users group inherit Read access to resources on the local machine. Apache requires Read access to most resources within its directory structure, but permissions must be added manually (as shown in the next task) to ensure only the minimum required rights are applied.

To modify the Apache Service account

  1. To open the Apache installation directory, click Start > Run, and in the Open box type C:\Apache24.
  2. Right-click the logs directory, and select Properties.
    The "logs Properties" dialog box opens.
  3. On the Security tab, click Edit.
    The "Permissions for logs" dialog box opens.
  4. Click Add.
    The "Select Users, Computers, Service Accounts, or Groups" dialog box opens.
  5. In the Enter the object names to select box, type BI4PATTERN\SVC_WEBTIER, and click OK.
  6. In the "Permissions for logs" dialog box, grant to the SVC_WEBTIER account the Modify, Read & execute, Read, and Write permissions to the logs directory, and then click OK.
  7. Stop the Apache Service:
    a) Click Start > Run, and in the Open box type services.msc.
         The "Services" dialog box opens.
    b) Select Apache 2.4, and click Stop.
  8. Return to the C:\Apache24 directory, and double-click logs.
  9. To clear the directory for the new service account, delete all files in the logs directory.
  10. Return to the "Services" dialog box, and double-click the Apache 2.4 service.
  11. On the Log On tab, click This account.
  12. For the account, type BI4PATTERN\SVC_WEBTIER.
  13. For the password, type WebTier*123, and then click OK.
  14. Restart the Apache 2.4 service.
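
To confirm the result of the three tasks above, the following PowerShell audit is an added example and not part of the original page. It assumes the service name or display name matches `Apache%2.4` and that the logs directory is C:\Apache24\logs, and it must be run from an elevated prompt on the web server; it checks only rights assigned directly to the account, not rights inherited through a group.

```powershell
# Added example: audit the service account configuration described on this page.
# Assumptions (adjust as needed): service name pattern, logs path, account name.
param(
    [string]$Account     = 'BI4PATTERN\SVC_WEBTIER',
    [string]$ServiceLike = 'Apache%2.4',          # WQL LIKE pattern (assumed)
    [string]$LogsPath    = 'C:\Apache24\logs'
)

# 1. The service must log on as the domain account, not LocalSystem.
$svc = Get-CimInstance Win32_Service `
         -Filter "Name LIKE '$ServiceLike' OR DisplayName LIKE '$ServiceLike'" |
       Select-Object -First 1
$svcOk = [bool]($svc -and ($svc.StartName -ieq $Account))

# 2. User rights: export the local policy and look for the account's SID.
#    secedit lists accounts as "*<SID>" in a comma-separated value.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-Right([string]$Name) {
    $line = $rights | Where-Object { $_ -match "^$Name\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }
    $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    return ($members -contains "*$sid")
}

# 3. The logs directory must grant the account Modify (which includes Read and Write).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$logsOk = [bool]((Get-Acl $LogsPath).Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modify) -eq $modify)
})

[pscustomobject]@{
    Service           = $svc.Name
    RunsAs            = $svc.StartName
    RunsAsExpected    = $svcOk
    LogOnAsService    = Test-Right 'SeServiceLogonRight'  # "Log on as a service"
    ActAsPartOfOS     = Test-Right 'SeTcbPrivilege'       # "Act as part of the operating system"
    LogsModifyGranted = $logsOk
}
```

A `RunsAs` value of `LocalSystem` means the Log On tab change in steps 11 to 13 did not take effect.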

    If the service fails to start, to troubleshoot the problem, follow the steps shown here:
