Securing your GpsGate Server with a dedicated Windows user

For security reasons, it is recommended to run the GpsGate Server service with a dedicated Windows user instead of running it as an Administrator.


This recommendation is especially important in systems where 3rd party plugins are installed on GpsGate Server.

Creating a new Windows user

First, create a new Windows user that will be used to run the service behind GpsGate Server. The steps might differ slightly between versions of Windows, but under Windows Server 2012 R2 they are as follows:

  • Navigate to Windows Control Panel
  • Click on User Accounts
  • Click on Manage another account
  • Click on Add a user account
  • Fill in all the required information in order to create a new user. For this guide, the username will be GpsGateService

Giving the new user write access to the installation folder

Once you have created the user, you need to give it full rights to the GpsGate Server installation folder.

  • Navigate to the location where you have installed GpsGate Server. By default, this would be C:\GpsGateServer
  • Right click within the folder (but not on a file) and select Properties
  • Navigate to the Security Tab, click on Edit and then on Add
  • Enter the username of the newly created user (in our case GpsGateService) in the object name field. Make sure the username is correct by clicking on Check Names
  • At this point click OK, check Full Control in the privileges window, click on Apply, and then OK
  • Click OK in the folder properties window

Now the newly created user has full access to only your GpsGate Server installation folder and cannot modify files that are present outside of that folder.

Running the GpsGate Service as the new user

Once the user has been properly created and given write privileges to the GpsGate Server installation folder, we can set up the GpsGate Service to run as the new user.

  • Navigate to Windows Administrative Tools and click on Services
  • Find Franson NMEA Service in the list of services, right click on it, and select Properties
  • Navigate to the Log On tab and select This account
  • Click on Browse, enter the newly created username (GpsGateService in our example), click on Check Names, ensure the name is correct, and then click on OK
  • Fill in the user password and click on OK

Granting access to NMEA Service listeners

You also need to grant the user access to the HTTP-based NMEA services by using the netsh command. In each command below, GpsGateService needs to be the username you have chosen to run the NMEA service above.

For real-time data service:
netsh http add urlacl http://+:80/comGpsGate/ user=GpsGateService
netsh http add urlacl https://+:443/comGpsGate/ user=GpsGateService

For Http Listener, you need to add the following netsh rule:
netsh http add urlacl http://*:8008/ user=GpsGateService

For Web Service Script, you need to add the following netsh rule:
netsh http add urlacl http://+:80/webservicescript user=GpsGateService

Adding the user to the Network Configuration Operators Group

  • Click Start and Open Control Panel.
  • Open Administrative Tools.
  • Open Computer Management.
  • Expand Local Users and Groups.
  • Click on Groups folder.
  • Right click on Network Configuration Operators and click Add To Group.
  • Enter the username (GpsGateService) and click Check Names. Click OK.
  • Click OK and close Properties dialog box.

Conclusion

The service will run as this user the next time it starts, so you can restart it now by right-clicking on Franson NMEA Service in the list of services and selecting Restart.


And you’re done, congratulations on making your GpsGate Server more secure!
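
To confirm the result after the restart, the following read-only PowerShell check audits each step of this guide. It is an added example, not part of the original GpsGate instructions, and it assumes the username GpsGateService, the default folder C:\GpsGateServer, the service display name Franson NMEA Service, and English group names.

```powershell
# Added example: read-only audit of the setup described in this guide.
# Assumed values; change them to match your installation.
$User    = 'GpsGateService'
$Folder  = 'C:\GpsGateServer'
$Service = 'Franson NMEA Service'        # display name shown in Services
$Urls    = 'http://+:80/comGpsGate/', 'https://+:443/comGpsGate/',
           'http://*:8008/', 'http://+:80/webservicescript'

$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}
function Test-Member($Group) {           # is $User listed by "net localgroup"?
    $lines = & net localgroup $Group 2>$null | ForEach-Object { "$_".Trim() }
    return ($lines -contains $User)
}

# 1. The service must log on as the dedicated user, not LocalSystem or an admin.
$svc   = Get-CimInstance Win32_Service -Filter "DisplayName='$Service'"
$logon = if ($svc) { $svc.StartName } else { 'service not found' }
Add-Check 'Service logon account' (($logon -split '\\')[-1] -eq $User) $logon

# 2. The user needs an Allow/FullControl entry on the installation folder.
$acl  = Get-Acl -Path $Folder -ErrorAction SilentlyContinue
$rule = $acl.Access | Where-Object {
    ($_.IdentityReference.Value -split '\\')[-1] -eq $User -and
    $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl' }
Add-Check "Full control on $Folder" ($null -ne $rule) ''

# 3. Every URL reservation from the netsh section must name the user.
foreach ($u in $Urls) {
    $out = (& netsh http show urlacl "url=$u") -join "`n"
    Add-Check "URL ACL $u" ($out -match [regex]::Escape("\$User")) ''
}

# 4. Group membership: in Network Configuration Operators, not in Administrators.
Add-Check 'Member of Network Configuration Operators' (Test-Member 'Network Configuration Operators') ''
Add-Check 'Not a member of Administrators' (-not (Test-Member 'Administrators')) ''

$results | Format-Table -AutoSize
```

Any row with Pass set to False points to the section of this guide that needs to be repeated; the folder check only looks at entries granted directly to the user, not rights obtained through group membership.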