
DMZ Secure Proxy Server for IBM WAS start up user permissions

The overall security level of the DMZ Secure Proxy Server for IBM WebSphere Application Server can be hardened by switching the server process to an unprivileged user after startup. Although the DMZ Secure Proxy Server for IBM WAS must be started as a privileged user, changing the server process to run as an unprivileged user provides additional protection for local operating system resources.

Like the proxy server, the DMZ Secure Proxy Server for IBM WAS must start under a privileged user because it requires authorization to initialize privileged ports. Ports lower than 1024 are considered privileged ports. After these ports are initialized and access to the protected ports is no longer required, it is possible to change the user association of the DMZ Secure Proxy Server for IBM WAS process. Running the server process with the privileges of a user or a group that does not have authority to access the local operating system resources adds a layer of protection to those resources. The firewall helps protect local operating system resources for the proxy server, but because the DMZ Secure Proxy Server for IBM WAS is installed in the DMZ, this type of protection becomes a higher priority. Changing the user association of the server process for the DMZ Secure Proxy Server for IBM WAS is not required, but a server that continues to run as a privileged user forgoes the extra layer of protection for local operating system resources that is provided when the server process is changed to run as an unprivileged user.

Start up option            |  Definition
Run as unprivileged user   |  This is considered a high and medium security level setting.
Run as privileged user     |  This is considered a low security level setting.
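
To confirm that a started server process has given up its privileged identity, the following added example (not IBM code, and not part of the original page) inspects the Uid, Gid and Groups lines of a process status file. It assumes the server runs on Linux, where /proc/<pid>/status exists; the function name check_privs and the sample status text are constructed for illustration.

```shell
# Constructed /proc/<pid>/status excerpts (assumed Linux layout, not real server output).
# Uid:/Gid: columns are: real, effective, saved, filesystem.
STATUS_DROPPED='Name: java
Uid: 1001 1001 1001 1001
Gid: 1001 1001 1001 1001
Groups: 1001'

# Effective UID changed, but the saved UID is still 0: root can be regained.
STATUS_SAVED_ROOT='Name: java
Uid: 1001 1001 0 1001
Gid: 1001 1001 1001 1001
Groups: 1001'

STATUS_ROOT='Name: java
Uid: 0 0 0 0
Gid: 0 0 0 0
Groups: 0'

# check_privs (hypothetical helper): reads status text on stdin.
# Prints UNPRIVILEGED (exit 0), PRIVILEGED: <findings> (exit 1),
# or UNKNOWN (exit 2) when the Uid:/Gid: lines are missing or malformed.
check_privs() {
  awk '
    BEGIN { split("- real effective saved filesystem", kind, " ") }
    ($1 == "Uid:" || $1 == "Gid:") && NF == 5 {
      seen++
      for (i = 2; i <= 5; i++)
        if ($i + 0 == 0) bad = bad " " kind[i] "-" substr($1, 1, 3)
    }
    $1 == "Groups:" {
      for (i = 2; i <= NF; i++)
        if ($i + 0 == 0) bad = bad " supplementary-group-0"
    }
    END {
      if (seen < 2) { print "UNKNOWN"; exit 2 }
      if (bad != "") { print "PRIVILEGED:" bad; exit 1 }
      print "UNPRIVILEGED"
    }'
}

# Demonstration over the constructed samples.
for s in "$STATUS_DROPPED" "$STATUS_SAVED_ROOT" "$STATUS_ROOT"; do
  printf '%s\n' "$s" | check_privs || true
done
```

Against a live process the same function is run as `check_privs < /proc/<pid>/status`, with the process ID of the server supplied by the operator.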


Related:

  • WebSphere DMZ Secure Proxy Server for IBM WAS
  • DMZ Secure Proxy Server for IBM WAS routing considerations
  • DMZ Secure Proxy Server for IBM WAS administration options
  • Error handling security considerations for the DMZ Secure Proxy Server for IBM WAS
  • Tune the security properties for the DMZ Secure Proxy Server for IBM WAS
  • ProxyManagement