Articles - Running OpenVPN process in unprivileged account on Windows
It is considered a security risk to run software that accepts connections from untrusted networks (such as the Internet) under privileged user accounts (such as LocalSystem). Unlike most IPsec-based VPN implementations, OpenVPN can run under an unprivileged user account. To function properly it only needs access to the device objects of its own TAP driver and of the Windows TCP/IP driver (and, of course, to the files it uses). There are two simple ways to achieve this.

Less restrictive, easier
This works only with OpenVPN 2.0.9 (and probably later) on Windows XP and later. The TAP driver included in this version of OpenVPN by default allows Everyone to access its device objects (although these objects are accessible only while OpenVPN isn't using them). So the only remaining problem is access to the Windows TCP/IP driver, which can be granted by adding the unprivileged account to the Network Configuration Operators group. This method is very easy, but has several drawbacks:
  • Not possible on Windows 2000.
  • Requires OpenVPN 2.0.9 (or probably later).
  • TAP driver device objects remain accessible by Everyone while OpenVPN is not using them.
  • The user account running OpenVPN has full access to the networking configuration.

More restrictive, less easy
Access permissions for device objects can be customized with the command line utility WDevSec. To make OpenVPN work in a limited user account, this script may be used together with WDevSec. It takes one or two command line parameters: the user/group name that will run OpenVPN and, optionally, any string as the second parameter to start the OpenVPN service after the permissions have been set. The script makes the TAP driver device objects accessible only to the specified user/group (and additionally to the Administrators group). It also grants this account access to the Windows TCP/IP driver device objects, so it will be able to make volatile changes to the Windows TCP/IP configuration (flush the ARP cache, add non-persistent routes etc.). It is also recommended to set the Non-Admin Access setting (in the advanced properties of the TAP network "adapter") to Not Allowed; this setting protects the TAP driver device objects even before the script has been executed. When using this method OpenVPN must be started after the script has run (if OpenVPN runs as a service, the Startup type of this service should be set to Manual and the script should be used to start it). It is recommended to run this script on every system startup, either by adding a Scheduled Task scheduled to run At System Startup or by adding it to the startup scripts in Group Policy. Also, whenever the TAP driver is restarted (for example when its virtual Ethernet adapter is disabled and then re-enabled, or when new virtual Ethernet adapters are added), the script must be executed again to restore the proper permissions on the TAP driver.
This method is more restrictive because the TAP driver is secured (only the specified user/group can access it) and because this user/group has access only to the volatile part of the Windows TCP/IP configuration (it won't be able to add persistent routes, change IP addresses persistently etc.). It is more complex, but it solves all the drawbacks of the previous method. It also doesn't work with the ip-win32 netsh OpenVPN option, because netsh makes persistent changes to the Windows TCP/IP configuration.

Regardless of the method used to make the TAP and TCP/IP drivers accessible, permissions on OpenVPN files and folders must also be set. OpenVPN requires Read, Write & Execute access to its log files; note that when it creates new log files they are fully accessible by Everyone, so they need to be secured. It is also recommended to make configuration (especially key) files, or the whole OpenVPN folder, inaccessible to other unprivileged users. The recommended file/folder permissions are:
  • On the whole OpenVPN folder: Full Control to SYSTEM, Full Control to Administrators, Read & Execute to the user running the OpenVPN process.
  • On the log folder additionally: Write to the user running the OpenVPN process, with Reset permissions on all child objects and... enabled (this should be reapplied every time a new log file is created).
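The following PowerShell script is an added example (not part of the original article or of OpenVPN) that applies the file and folder permissions listed above and resets the ACLs of existing log files, so that it can be re-run after every new log file is created. It assumes OpenVPN is installed in C:\Program Files\OpenVPN, keeps its logs in the log subfolder, and runs under a local account named openvpn-svc; adjust the parameters to match your installation. It does not touch the TAP or TCP/IP device objects, which is what WDevSec is for.

```powershell
# Added example: apply the recommended NTFS permissions to an OpenVPN installation.
# Assumptions (change as needed): install path, log subfolder, and account name below.
param(
    [string]$OpenVpnRoot    = 'C:\Program Files\OpenVPN',   # assumed install folder
    [string]$ServiceAccount = 'openvpn-svc'                 # assumed unprivileged account
)

$logDir     = Join-Path $OpenVpnRoot 'log'
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp     = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

# Build an inheritable Allow ACE for a folder.
function New-FolderRule([string]$Identity, [string]$Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inheritAll, $noProp, $allow
}

# 1. Whole OpenVPN folder: stop inheriting from Program Files, drop every
#    existing ACE, then grant exactly the three entries the article recommends.
$acl = Get-Acl -Path $OpenVpnRoot
$acl.SetAccessRuleProtection($true, $false)          # protected, inherited ACEs discarded
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
$acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FolderRule $ServiceAccount          'ReadAndExecute'))
Set-Acl -Path $OpenVpnRoot -AclObject $acl

# 2. Log folder: the service account additionally needs Write. The folder
#    itself inherits the entries set above, so only the extra ACE is added.
$logAcl = Get-Acl -Path $logDir
$logAcl.AddAccessRule((New-FolderRule $ServiceAccount 'Write'))
Set-Acl -Path $logDir -AclObject $logAcl

# 3. Reset permissions on all child objects: OpenVPN creates new log files
#    with an ACL that grants Everyone full access, so re-enable inheritance on
#    every child and remove its explicit (non-inherited) ACEs. Re-run this
#    step whenever a new log file appears.
Get-ChildItem -Path $logDir -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -Path $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)   # inherit from the log folder again
    $explicit = @($childAcl.Access | Where-Object { -not $_.IsInherited })
    foreach ($rule in $explicit) { $null = $childAcl.RemoveAccessRule($rule) }
    Set-Acl -Path $_.FullName -AclObject $childAcl
}

# Show the resulting ACLs so the result can be verified by eye.
Get-Acl -Path $OpenVpnRoot, $logDir | Format-List Path, AccessToString
```

Run it from an elevated PowerShell prompt; the Administrators entry it sets keeps the administrator who runs it in control of the folder.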

Implementing the methods described above improves the security of the computer running OpenVPN, because it becomes much harder to compromise the system if a remote code execution attack is targeted at OpenVPN.

Posted on 2006.10.21., last modified on 2006.11.03.

© 2006-2012