1. Home
2. Questions
3. Unanswered
4. AI Assist
5. Tags
7. Chat
8. Users
10. Companies
Stack Internal

Stack Overflow for Teams is now called Stack Internal. Bring the best of human thought and AI automation together at your work.
Try for free Learn more
Stack Internal
Bring the best of human thought and AI automation together at your work. Learn more

Windows Task Scheduler Run User

Ask Question

Asked 1 year, 6 months ago

Modified 1 year, 6 months ago

Viewed 419 times

0

We have created a scheduled task in Windows 2019 to cleanup IIS log files per the following link: https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage.

In order to avoid the use of SYSTEM we have created a local, limited privilege account that has modify permissions on the IIS log directory.

We have then configured the task to execute the script as this user. The task is configured with the below settings:

Run whether user is logged on or not
Do not store password. The task will only have access to local computer resources.

The task appears to work as expected, but there are a few items we don't fully understand.

Questions:

Will the task cease execution when the local user's password expires, or will S4U continue to work?
Is this a smart way to execute the task? Most examples use the SYSTEM account which does not seem to be a secure way to accomplish this.

Thank you.

asked Jul 18, 2024 at 12:04

Kimmel

101

Most examples use the SYSTEM account which does not seem to be a secure way why is using system to purge log files insecure?

Greg Askew
– Greg Askew

2024-07-18 13:00:01 +00:00
Commented Jul 18, 2024 at 13:00
If somehow the script was compromised purposefully or accidentally it would run with all of the privileges of SYSTEM.

Kimmel
– Kimmel

2024-07-18 13:06:27 +00:00
Commented Jul 18, 2024 at 13:06
I don't think that's very compelling. The upshot here is you are trading that for a local account that will need to be managed. That includes the password, which will need to be rotated. I don't think you will experience the password expiration scenario outside the usual tests to validate (because you are rotating the password) , expiring it manually and/or testing it on an account allowed it to expire normally.

Greg Askew
– Greg Askew

2024-07-19 11:31:39 +00:00
Commented Jul 19, 2024 at 11:31
Probably worth noting it should be possible to purge logs without incurring the maintenance and liability of "yet another local account who thought it would be a good idea to create these?"

Greg Askew
– Greg Askew

2024-07-19 11:33:35 +00:00
Commented Jul 19, 2024 at 11:33
Lookup using and granting permissions to "NT Authority\LocalService" if you need a slightly less shiny object to use instead.

Greg Askew
– Greg Askew

2024-07-19 11:35:05 +00:00
Commented Jul 19, 2024 at 11:35

Add a comment |

0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.