Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Nov 8, 2021 1:02:46 AM
May 21, 2015 1:14:13 AM
After installation, all the services are running under a service account, but only Qlik Sense Repository Database is running under Local System account:
Qlik Sense Enterprise on Windows
This is mandatory. The Qlik Sense Repository Database service needs to run on a local account and not the specific service account.
From the PostgreSQL Wiki page:
When a hacker gains entry to a computer using a software bug in a package, she gains the permissions of the user account under which the service is run. Whilst we do not know of any such bugs in PostgreSQL, we enforce the use of a non-administrative service account to minimise the possible damage that a hacker could do should they find and utilise a bug in PostgreSQL to hack the system.
This has long been common practice in the Unix world, and is starting to become standard practice in the Windows world as well as Microsoft and other vendors work to improve the security of their systems.
The PostgreSQL service account needs read permissions on all directories leading up to the service directory. It needs write permissions only on the data directory. Specifically, it should not be granted anything other than read permissions on the directories containing binary files. (All directories below the installation directory are set by the installer, so unless you change something, there should be no problem with this).
PostgreSQL also needs read permissions on system DLL files like kernel32.dll and user32.dll (among others), which is normally granted by default, and on the CMD.EXE binary, which may in some scenarios be locked down and need opening.
If you are running PostgreSQL on a multi-user system, you should remove the permissions from all non-administrative users from the PostgreSQL directories.
Qlik Sense Service Account requirements and how to change the account