From the Principle of Least Privilege, I understand that I should install a network service as its own user.
Where should the software be installed to?
For example, say I create a user Tomcat (for running Apache Tomcat as a service). Should I install this to Program Files/Tomcat and give Tomcat its permissions? Or install Tomcat to /users/tomcat/...
Program Files is incredibly inconvenient, for example to edit a config file I need to run Notepad as an Admin, find the right folder, FileType=all, find the file and open it, instead of just double clicking.
If I should install it in /users/tomcat/... , which folder is common to do so in?
Why when I create a new user in Control Panel does it have no folders in /users/ until I log on as them?
This kind of access should be configured using groups. See: Wikipedia RBAC
You will need a group for each role:
CATALINA_HOME can be Program Files\Tomcat and CATALINA_BASE can be Program Files\tomcat_application1
You don't want to install it in c:\users\tomcat because that convenience of editing config files as the tomcat user means any exploit coming in over the web has permissions to edit the Tomcat configuration, too. If you don't want to be doing the awkward config edit, better to give your separate administrative account full access to the Program Files\Tomcat folder, than to give Tomcat write access to itself.
Program Files is better in the sense that it's where Windows people expect software to be installed, too.
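The ACL layout described in the answers above, as an added example that is not part of either answer: the service account gets read/execute on the install folder and write access only to Tomcat's runtime directories, while a separate administrative group gets full control. The account name `tomcat`, the group `TomcatAdmins` and the `C:\Program Files\Tomcat` path are assumptions, and `logs`, `temp` and `work` are taken to be the only directories Tomcat writes to.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Account, group and path names are assumptions; adjust to your install.
$TomcatHome  = 'C:\Program Files\Tomcat'           # CATALINA_HOME
$ServiceUser = "$env:COMPUTERNAME\tomcat"          # hypothetical service account
$AdminGroup  = "$env:COMPUTERNAME\TomcatAdmins"    # hypothetical admin-role group

# Grant explicit ACEs first, then drop the ACEs inherited from Program Files,
# so the folder is never left without an administrative entry.
icacls $TomcatHome /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
icacls $TomcatHome /grant:r "${AdminGroup}:(OI)(CI)F"      # edit configs without "Run as admin" on Notepad
icacls $TomcatHome /grant:r "${ServiceUser}:(OI)(CI)RX"    # Tomcat can read and run itself, nothing more
icacls $TomcatHome /inheritance:r

# Tomcat needs Modify only where it writes at runtime.
foreach ($dir in 'logs', 'temp', 'work') {
    icacls (Join-Path $TomcatHome $dir) /grant:r "${ServiceUser}:(OI)(CI)M"
}

# Check: the service account must hold no write-type right on conf.
# This inspects ACEs naming the account directly, not rights gained via groups.
$writeBits = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$confAcl = Get-Acl (Join-Path $TomcatHome 'conf')
$bad = $confAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceUser -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeBits)
}
if ($bad) {
    Write-Warning "$ServiceUser can modify the Tomcat configuration:"
    $bad | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "OK: $ServiceUser has no write access to conf"
}
```

Members of the administrative group can then open the config files directly, while a compromise of the Tomcat process is limited to the three runtime directories.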