Securing your GpsGate platform with a dedicated Windows user
For security reasons, it is recommended to run the GpsGate service with a dedicated Windows user instead of running it as an Administrator.
This recommendation is especially important in systems where third-party plugins are installed on GpsGate.
Creating a new Windows user
First, create a new Windows user that will be used to run the service behind GpsGate. The steps might differ slightly between versions of Windows; under Windows Server 2012 R2, they are as follows:
- Navigate to Windows Control Panel
- Click on User Accounts
- Click on Manage another account
- Click on Add a user account
- Fill in all the required information in order to create a new user. For this guide, the username will be GpsGateService
Giving the new user write access to the installation folder
Once you have created the user, you need to give it full rights to the GpsGate installation folder.
- Navigate to the location where you have installed GpsGate. By default, this would be C:\GpsGateServer
- Right-click within the folder (but not on a file) and select Properties
- Navigate to the Security Tab, click on Edit, and then on Add
- Enter the username of the newly created user (in our case GpsGateService) in the object name field. Make sure the username is correct by clicking on Check Names
- Click OK, check Full Control in the privileges window, click on Apply, and then OK
- Click on OK to close the folder properties window
Now the newly created user has full access to only your GpsGate installation folder and cannot modify files that are present outside of that folder.
Running the GpsGate Service as the new user
Once the user has been properly created and given write privileges to the GpsGate installation folder, we can set up the GpsGate Service to run as the new user.
- Navigate to Windows Administrative Tools and click on Services
- Find Franson NMEA Service in the list of services, right-click on it, and select Properties
- Navigate to the Log On tab and select This account
- Click on Browse, enter the newly created username (GpsGateService in our example), click on Check Names, ensure the name is correct, and then click on OK
- Fill in the user password and click on OK
Granting access to NMEA Service listeners
You also need to grant access to the HTTP-based NMEA services by using the netsh command. In each command below, GpsGateService needs to be the username you have chosen to run the NMEA service above.
For real-time data service:
    netsh http add urlacl http://+:80/comGpsGate/ user=GpsGateService
    netsh http add urlacl https://+:443/comGpsGate/ user=GpsGateService
For Http Listener, you need to add the following netsh rule:
    netsh http add urlacl http://+:8008/ user=GpsGateService
Note: Port 8008 has been deprecated. It hasn't been removed yet, but we recommend switching to port 80.
For Web Service Script, you need to add the following netsh rule:
    netsh http add urlacl http://+:80/webservicescript user=GpsGateService
Adding the user to the Network Configuration Operators Group
- Click Start and Open Control Panel.
- Open Administrative Tools.
- Open Computer Management.
- Expand Local Users and Groups.
- Click on the Groups folder.
- Right-click on Network Configuration Operators and click Add To Group.
- Enter the username (GpsGateService) and click Check Names. Click OK.
- Click OK and close the Properties dialog box.
Conclusion
The service will run as this user from the next service start. To apply the change now, restart the service by right-clicking on Franson NMEA Service in the Services list and selecting Restart.
And you’re done. Congratulations on making your GpsGate account more secure!
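A read-only check of the finished configuration, as an added example that is not part of the original GpsGate guide: it confirms the service logon account, that the account is not a local Administrator, the folder permission, the group membership and the URL reservations. It assumes an elevated PowerShell 5.1 or later prompt, an English-language Windows installation (for the group names) and the example names used in this guide; the variable and function names are illustrative.

```powershell
# Added example: read-only audit of the setup described in this guide.
# Assumptions: elevated PowerShell 5.1+, English group names, the guide's example names.
$User        = 'GpsGateService'         # dedicated account from this guide
$InstallDir  = 'C:\GpsGateServer'       # default installation folder
$DisplayName = 'Franson NMEA Service'   # service display name
# Reservations from this guide; add http://+:8008/ only if you still use that port.
$Urls = 'http://+:80/comGpsGate/', 'https://+:443/comGpsGate/', 'http://+:80/webservicescript'

function Test-GroupMember([string]$Group) {
    # True when $User is a direct member of the given local group
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$User" })
}

$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$svc    = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
# Matches "GpsGateService", ".\GpsGateService" or "HOST\GpsGateService"
$userRx = "(^|\\)$([regex]::Escape($User))$"

$checks = [ordered]@{
    'Service found'                           = [bool]$svc
    'Service logs on as dedicated user'       = [bool]($svc -and $svc.StartName -match $userRx)
    'User is NOT a local Administrator'       = (-not (Test-GroupMember 'Administrators'))
    'User in Network Configuration Operators' = (Test-GroupMember 'Network Configuration Operators')
    'Full Control on installation folder'     = [bool]((Get-Acl $InstallDir).Access | Where-Object {
        $_.IdentityReference.Value -match $userRx -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full })
}

foreach ($u in $Urls) {
    # netsh lists the account on the reservation only when the URL is reserved for it
    $out = netsh http show urlacl url=$u | Out-String
    $checks["urlacl $u"] = $out -match "\\$([regex]::Escape($User))\b"
}

# One row per check; any False row points at the step of the guide to revisit
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```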