Appx Client/Server security considerations
Security administrators may want to examine the following four areas where Appx interacts with site security in an Appx Windows Server installation using the APPX (Java) Client:

- The owner of the WinAppxD process has to be a member of the Administrators group.

- The owner of the WinAppxD has a local policy of "Act as part of OS".

- APPX users have to have an account on the server.

- SRVANY.EXE is used to run WinAppxD as a service.

_______________________________________________________________________
==>
WinAppxD acts as a login program. When a client process establishes a connection to WinAppxD, we authenticate the user id and create a process that runs with the security credentials of that user.

We don't perform the authentication ourselves; we let Windows do that for us (the client must provide a user id and password, and we give those to Windows for authentication). If the user proves his identity to Windows, we use the security token returned to create the child Appx process.

I don't think that the WinAppxD must be owned by a member of the Administrators group, but that is usually most convenient. We need the SeTcbPrivilege ("Act as part of the OS") in order to ask Windows to authenticate the user.

When we start the Appx server process, it inherits the security context of the user logging in. (That's why each user needs an OS account.)

That's all pretty secure. We require a password and user id that is authenticated by Windows. We don't give the Appx server process any privileges other than those held by the user. If we did anything else, we'd be bypassing the Windows security mechanisms. For example, if we supported HTPASSWD authentication, we would have to bypass the normal authentication performed by Windows.
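An added example, not part of the original FAQ and not APPX code: because the account that runs WinAppxD needs "Act as part of the OS" (SeTcbPrivilege), an administrator can review who holds that right by parsing a user-rights export produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The export text, the account name `appxsvc` and the SID below are constructed sample values, and the function names are this example's own.

```python
"""Audit holders of SeTcbPrivilege in a secedit USER_RIGHTS export."""

# Constructed sample of a secedit export; "appxsvc" and the SID are
# made-up placeholders, not values from the FAQ.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = appxsvc,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = appxsvc
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Principals are comma-separated; SIDs carry a leading '*'.
        rights[name.strip()] = [p.strip().lstrip("*")
                                for p in value.split(",") if p.strip()]
    return rights

def audit_tcb(text, expected_holders):
    """Compare SeTcbPrivilege holders with the accounts expected to hold it."""
    rights = parse_privilege_rights(text)
    expected = {e.lower() for e in expected_holders}
    # The SeTcbPrivilege line is absent when no account holds the right.
    holders = rights.get("SeTcbPrivilege", [])
    return {
        "holders": holders,
        "unexpected": [h for h in holders if h.lower() not in expected],
        "missing": sorted(expected - {h.lower() for h in holders}),
    }

if __name__ == "__main__":
    print(audit_tcb(SAMPLE_EXPORT, ["appxsvc"]))
```

An entry under `unexpected` is an account other than the daemon's that can act as part of the OS; an entry under `missing` means the daemon account lacks the right the FAQ says it needs.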

 ---
The WinAppxD service installation procedure that uses SRVANY has been replaced in 4.2 with a much easier-to-use "AppxDSvc.exe". While we've not added this to our 4.1.a distribution, this utility works very well with Appx 4.1.a.
 ---
APPX HTPASSWD is built into appxd and winappxd.exe in 4.1.a. A Windows htpasswd.exe binary from an Apache 2.0 install is at ftp://customerftp.appx.com/pub/misc/htpasswd/ . Also included are instructions on running htpasswd.exe. These can be tested on a Windows 2000 APPX Internet server.

The Windows OS user account must exist, but can be disabled (i.e. no password, not just a secret password). One might best be served by reworking his application to use a combination of htpasswd and Appx-based users, where you could have user tables inside of Appx.

 ---
ecr #6908
2003-Nov-11 6:47pm
This document is: http://board.appx.com/cgi-bin/fom.cgi?file=122
Copyright 2003 by APPX Software, Inc. All rights reserved.