How to run Apache ModSecurity firewall without system privileges on Windows OC-server

Document ID : KB000010439
Last Modified Date : 14/02/2018
Introduction:

How to run the CA Spectrum Apache web service without system privileges, which is a common hardening requirement. This applies in particular when the CA Spectrum Apache ModSecurity firewall is enabled to restrict network access to the CA Spectrum OneClick Tomcat service.

The goal is to reconfigure the CA Spectrum Apache web service (which hosts the ModSecurity firewall and is installed as part of CA Spectrum) so that it runs without system privileges.

 

Background:

By the default CA Spectrum install procedure, the ModSecurity firewall hosted by the Apache web service is registered as a Windows service that runs as the built-in SYSTEM account (LocalSystem), i.e. with full system privileges.

Environment:
CA Spectrum OneClick web server R10.1 and later, on all platforms / operating systems. The major difference between platforms is the service registration: on Windows the service runs under an assigned service account, whereas on Linux hosts runlevel (init) scripts are used.
Instructions:

Once the CA Spectrum OneClick server install (standalone OC server, or bundled with a CA Spectrum SpectroSERVER install) is complete, the CA Spectrum Apache ModSecurity files and services are installed and applied as well.

When complete, the installation is owned at the local OS level by the CA Spectrum install owner account. Once the install has finished, enable the CA Spectrum Apache ModSecurity setup (see here: https://docops.ca.com/ca-spectrum/10-2-2/en/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall).

Now open the Windows Services panel (services.msc), find and select the Apache service installed by CA Spectrum, and on the Log On tab change the assigned service account to a "limited" (local or domain) account, i.e. one that is not a member of the local Administrators group. When you do this through the Services panel, Windows automatically grants the account the required "Log on as a service" right so that it can host the service context.

In addition, and this is important, you must grant the newly assigned service account read/write permission (Modify) on $SPECROOT/apache/logs and $SPECROOT/apache/tmp, because Apache writes its log and temporary files there; without write access to the logs directory Apache cannot open its error log and the service fails to start. Do not grant write access on the rest of $SPECROOT/apache (conf, modules, bin), which only needs to stay readable. After changing the account and the permissions, restart the service and confirm in the Services panel that it is running under the new account.
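The procedure above, scripted in PowerShell as an added example (this is not code from the KB article or from CA Spectrum). The service name, the service account and the install root are assumptions marked in the script and must be adjusted to the host; the limited local account must be created beforehand. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the KB article or of CA Spectrum itself.
# ASSUMPTIONS (placeholders, adjust to your host):
#   $ServiceName    - the Windows service name of the CA Spectrum Apache service
#                     (read the real "Service name" from services.msc)
#   $ServiceAccount - a pre-created local, non-administrator account
#   $SpecRoot       - the CA Spectrum install root ($SPECROOT)
param(
    [string]$ServiceName    = 'SpectrumApache',
    [string]$ServiceAccount = "$env:COMPUTERNAME\svc_spectrum_apache",
    [string]$SpecRoot       = 'C:\win32app\Spectrum'
)
$ErrorActionPreference = 'Stop'

# 1. Sanity check: the account must exist and must not be a local administrator.
$userName = $ServiceAccount.Split('\')[-1]
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    throw "Local account '$userName' does not exist; create it first"
}
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -contains $ServiceAccount) {
    throw "'$ServiceAccount' is a member of Administrators; use a limited account"
}

# 2. Grant Modify (read/write/delete, inherited to files and subfolders) on the
#    two directories Apache writes to. Everything else under apache\ stays
#    readable through the existing ACLs; nothing is granted on conf\ or modules\.
foreach ($sub in 'apache\logs', 'apache\tmp') {
    $path = Join-Path $SpecRoot $sub
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing directory: $path" }
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# 3. Change the service logon account. The password is prompted for, never
#    stored in the script. Win32_Service.Change returns 0 on success.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Host "Before: $ServiceName runs as $($svc.StartName)"
$cred = Get-Credential -UserName $ServiceAccount -Message "Password for $ServiceAccount"
$r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed, code $($r.ReturnValue)" }

# 4. Restart and verify the service no longer runs as LocalSystem. Unlike
#    services.msc, this programmatic route is not guaranteed to add the
#    "Log on as a service" right; a start failure with Win32 error 1069
#    (logon failure) means that right still has to be granted to the account.
Restart-Service -Name $ServiceName
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -eq 'LocalSystem' -or $svc.State -ne 'Running') {
    throw "Verification failed: account=$($svc.StartName) state=$($svc.State)"
}
Write-Host "After: $ServiceName runs as $($svc.StartName), state $($svc.State)"
```

The ACL step deliberately grants only Modify on logs and tmp, not Full Control, and nothing on the directories holding the Apache binaries and the ModSecurity configuration; a service account that can rewrite httpd.conf or the ModSecurity rule files could disable the firewall it is supposed to host. The final check is the same one to do by hand in the Services panel: the Log On As column must show the limited account, not Local System, and the service must be in the Running state.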