Important security considerations
If you plan to run Publi PDF in a corporate environment with unattended queues, it is very important to fully understand how Publi PDF is dependent on system security. Almost ANY problem you might face will be related to absence of one or more access rights granted to the account the Publi PDF Service (PubliPDF.exe) is run under.
By default the Publi PDF Service will be installed under the »Local System« account. In most cases that works fine as long as any Publi PDF queue writes its output to a local disk. However, if you want the output from a Publi PDF queue directed to a file share on another server/remote machine it's most likely NOT possible within the scope of the »Local System« account.
Good reasons apply. Granting such rights to the »Local System« account is dangerous because this particular account can be programmatically impersonated and used without any password. Hence, granting special rights to the »Local System« account will make your system vulnerable to malicious attacks.
A good thing to do instead could be to create a special account that is NOT member of any groups, and then grant all needed access rights directly to this special account.
When the account is created you can login with it and use PubliClient.exe to simulate how Publi PDF will respond as a Windows NT Service under that account, except for potential Windows NT Service specific security policies that does not exist for normal login accounts. Hence, even though you thought you have granted all the rights required to run the Publi PDF NT Service component with access to remote file shares, this component may still not respond as you expect even though PubliClient.exe may run the same queues perfectly well. To avoid or work around such Windows NT Service problems, see Optimizing performance.
Generally, the account under which Publi PDF is run must be able to:
- Start and stop Windows NT services.
- Run applications as a Windows NT Service.
- Look up users both locally and on a domain, including the ability to look up group memberships for each user.
- Start other applications (in the same folder as PubliPDF.exe).
- Fully administer local printers, including the ability to create, modify, execute and delete files in the folder specified as DefaultSpoolDirectory, see Optimizing performance.
- Fully access the Windows Registry. When run as a NT Service Publi PDF usually doesn't write to the registry at run-time, but it reads from several registry keys both upon startup and at run-time.
- Fully access any destination path for output, including the right to create, rename and delete folders and files in any subdirectory hereunder.
- Fully access the installation folder, including the right to create, rename and delete folders and files in any subdirectory hereunder.
When you have the new account properly prepared you can use the Windows NT Service Control Manager to change the account under which the Publi PDF Service is run. In some cases PubliPDFService.exe may not be able to do that for you.
Note: These considerations does NOT apply when Publi PDF is running attended queues (i.e. NOT as a NT Service). In that case Publi PDF (run via PubliClient.exe) usually doesn't require any special access rights, except from rights to to create, modify, execute and delete files in the folder specified as DefaultSpoolDirectory, see Optimizing performance.
Last revised: 28-11-2008.