How to run Apache ModSecurity firewall without system privileges on Windows OC-server

Document ID : KB000010439
Last Modified Date : 14/02/2018
Show Technical Document Details

How to run CA Spectrum webservice without system privileges - which is a common securing requirement. Here in case to run with enabled CA Spectrum Apache ModSecurity Firewall to harden network access to the CA Spectrum OneClick-Tomcat-service.

Target is now to reconfigure the  CA Spectrum Apache webservice (hosting the ModSecurity firewall) as part of the CA Spectrum install to run without system privileges then.



By default CA Spectrum install procedure the CA Spectrum Apache ModSecurity firewall implementation hosted via Apache Webservice is installed and configured as a Windows Service to run by default with system privileges. 

CA Spectrum Oneclick-Web-Server R10.1(++) for all platforms / OS.Major difference is the "service registration" which is different for Windows (with assigned service account) - versa Linux hosts for which i.e. runlevel scripts are used.

Once the CA Spectrum OneClíck-server install (standalone OC-server - or in bundle with CA Spetrum SpectroSERVER install) is done, this will install and appyl the CA Spectrum Apache ModSecurity files and services too. 

The installation - once completed - is owned by CA Spectrum install owner account at local host OS-level.  When install is completed, enable the CA Spectrum Apache ModSecurity setup (see here:

Now - make use of the Windows service panel - find and select the CA Spectrum installed Apache service and change the assigned service account to a "limited"  (local / non_local) account. When doing this the Windows service verification will grant automatically the required "service rights" to enable this account to be able to host the service-context. 

In addition - and this is important - you have to grant the now assigned "service account" to the $SPECROOT/apache/logs and the $SPECROOT/apache/tmp for read/write permission.