Securing the Service Account
AlphaTrust® e-Sign operations occur in the following user contexts by default:
The service account, which is configured as the running account for the AlphaTrust® e-Sign IIS application pools and the “AlphaTrust® e-Sign Service”, a Windows service.
In order to restrict the service account as much as possible, take the following steps:
1. Define the service account as either a localMachine account or a domain account, as your needs require. This account must have rights to access the SQL Server Pronto database if you are using Windows authentication to SQL Server, so you will need to grant this account permissions on the SQL Server Pronto database (discussed later).
2. Make this account a member of the localMachine Administrators group during the installation, configuration, and testing process.
3. Remove this account from the localMachine Administrators group and leave it as a member of the localMachine Users group or the domain Users group (if the machine is joined to a domain).
The service account must have these rights on the localMachine:
- Interactive user rights.
- Log on locally rights.
- Log on as a service rights (see below).

File permissions:
- Normal permissions for localMachine files used by an interactive user.
- Read and execute permissions on all files in the \AlphaTrust\ directory and its subdirectories.
- Additionally, create, write, and delete permissions on all files in the \AlphaTrust\Pronto\DB\, \AlphaTrust\Pronto\Images\, \AlphaTrust\Pronto\Programs\AcctData\, and \AlphaTrust\Pronto\Programs\Logs\ directories and their subdirectories. If you configure AlphaTrust® e-Sign to use UNC network shares for the DB and Images directories, those shares must grant the ProntoServer account equivalent permissions.

NOTE: AlphaTrust® e-Sign IIS Application Pools, which do the bulk of the work, are configured to run in the context of the service account. These components read and write to the file system and to the Pronto SQL database. The "AlphaTrust® e-Sign Service", a Windows Server system service, must be configured to run in the context of the service account. You must grant the service account the "Log on as a Service" user right for this to work.
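The post-installation steps above (remove the account from Administrators, scope the NTFS grants to read/execute on the tree and modify on the four writable directories, grant "Log on as a service", then verify what the service and app pools run as) collected into one PowerShell script. This is an added illustration, not AlphaTrust's own tooling: the account name CONTOSO\svc-esign, the install root C:\AlphaTrust, the service display-name filter, and the choice of icacls and secedit to apply the settings are all assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not AlphaTrust tooling). Assumed values: account name and install root.
$ServiceAccount = 'CONTOSO\svc-esign'   # assumption: replace with the real service account
$InstallRoot    = 'C:\AlphaTrust'       # assumption: replace with the real install root

# 1. Remove the account from the local Administrators group; keep it in Users.
if (Get-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $ServiceAccount -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $ServiceAccount
}

# 2. Read and execute (RX) on the whole \AlphaTrust\ tree.
#    (OI)(CI) = inherit to files and subfolders; /T applies to existing children.
icacls $InstallRoot /grant "$($ServiceAccount):(OI)(CI)RX" /T /Q

# 3. Modify (M = read, write, create, delete) only on the four writable directories.
$Writable = 'Pronto\DB', 'Pronto\Images', 'Pronto\Programs\AcctData', 'Pronto\Programs\Logs'
foreach ($rel in $Writable) {
    icacls (Join-Path $InstallRoot $rel) /grant "$($ServiceAccount):(OI)(CI)M" /T /Q
}

# 4. Grant the "Log on as a service" right (SeServiceLogonRight) with secedit.
#    secedit stores principals as *SID, so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$lines = @(Get-Content $cfg)
$found = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like 'SeServiceLogonRight*') {
        $found = $true
        if ($lines[$i] -notlike "*$sid*") { $lines[$i] += ",*$sid" }   # append to existing list
    }
}
if (-not $found) {
    # No existing entry: add one directly under the [Privilege Rights] section header.
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -eq '[Privilege Rights]') { "SeServiceLogonRight = *$sid" }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 5. Verify: no Administrators membership, and the service and app pools run as the account.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $ServiceAccount }        # expected: no output
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%e-Sign Service%'" |   # assumed filter
    Select-Object Name, DisplayName, StartName
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.userName } }
```

Run the script only after installation, configuration and testing are complete, since step 1 removes the administrator membership the page says to keep during that phase. The verification block at the end is the check to repeat after any reconfiguration: the Administrators query should return nothing, and both the service's StartName and each application pool's Identity should show the service account.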