A Windows Scheduled Task runs as [email protected] on a 2008R2 server. The server's local disk has some files that Joe Blow should not see. Joe Blow knows the serviceAccount password. As far as I know, serviceAccount has no server privileges beyond Log on as a batch job, and local Users group membership via Domain Users. Could Joe read those files?
If so, I should probably create another service account to run the task. But I'd prefer to avoid that clutter, if 'Log on as a batch job' does not expose the files.
The question title may be misleading; I'm asking if I've done due diligence restricting unauthorized access in this particular case. I'm not asking for help reading files... although I am asking if and how files might be read.
I was relieved to get Access Denied attempting to use Enter-PSsession as serviceAccount to create a remote session. But I haven't tested much further.
The server is a VMware virtual machine, but I'm asking here about guest-level as opposed to hypervisor-level security.
Edit: I tried scheduling a Task on a second server, where serviceAccount is in the local Administrators group. (That membership was not my decision, and I'm aware it's bad practice.) The Task runs test.cmd with contents:
dir \\firstServer\c$\ > C:\temp\out.txt 2>&1
Ran the task as serviceAccount and "Task Scheduler successfully finished" with out.txt contents 'Access is denied.' - good. As a kind of control test, ran the task as otherAdmin with rights to both servers, and out.txt contained the directory listing from firstServer.
So maybe I should have asked: should I create a new service account for which Joe Blow does not have the password? Or is that unnecessary?
More about this convoluted scenario here.
Joe can read those files if he creates a batch job, sets it to log in as that user, and has that batch job read that data and somehow get it out to him. Or, if he manipulates the existing batch job to somehow read that data.
I assume that Joe Blow is not an administrator and thus cannot create Scheduled Tasks. If this is the case, set the NTFS permissions on the file to only allow "Administrators" and the "BATCH" built-in group to read the file. "BATCH" includes users who are currently logged in via batch mode. Batch mode is only for scheduled tasks. You can't login via batch mode just by creating a .BAT file, so this should work for your purposes. The file will only be readable by admins and accounts logged in via scheduled task.
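One way to apply the NTFS ACL this answer describes, as an added PowerShell example that is not from the answer's author; the file path is an assumption, and the SIDs are the well-known ones for BUILTIN\Administrators and NT AUTHORITY\BATCH:

```powershell
# Added example: restrict a file to Administrators plus accounts logged on as a batch job.
# Assumed path; replace with the real file that should stay hidden from interactive users.
$path = 'C:\secret\data.txt'

# Well-known SIDs (constant on every Windows install):
#   S-1-5-32-544 = BUILTIN\Administrators
#   S-1-5-3      = NT AUTHORITY\BATCH (members: any token created by a batch logon, e.g. a scheduled task)
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$batch  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-3'

$acl = Get-Acl -Path $path

# Break inheritance without copying the parent's ACEs, so the Read entry that
# BUILTIN\Users normally inherits (and Domain Users gets through it) disappears.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs already on the file so only the two rules below remain.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $batch, 'Read', 'Allow')))

Set-Acl -Path $path -AclObject $acl

# Verify: the listing should show only Administrators and NT AUTHORITY\BATCH.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

To confirm the effect, read the file once from an interactive logon as serviceAccount (expected: Access is denied) and once from a scheduled task running as serviceAccount (expected: contents returned), since the same account is in BATCH only in the second case.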