Running the Blackmoon FTP Service under a non-administrator user account
Installation and Configuration



THIS TUTORIAL DOES NOT WORK IN THE TRIAL VERSION OF BLACKMOON FTP SERVER. YOU CAN ONLY USE IT IN THE REGISTERED VERSIONS.


Depending on your security policy, you may need to run the FTP service under a non-administrator or another user account. This tutorial skips the sections on how to create users on different operating systems. The non-administrator account I will be using in this tutorial is called blackmoon_test.

The first thing to do is to change the service account from the default (LOCALSYSTEM) to the blackmoon_test account. We do this by opening the service control manager (Control Panel->Computer Administration->Services) and double-clicking on the Blackmoon FTP service entry to bring up the service properties. We then click on the Log On tab. The service account name change is illustrated in the two screenshots below.

   


After confirming the service account name change, the system will automatically give the blackmoon_test account rights to log on as a service. It will notify you of this change.


Setting Folder Permissions
The blackmoon_test account I am using is not an Administrator account, so it has only read and list folder permissions, which is the default for non-administrator accounts. To add custom permissions to a folder for a user account, right click on the folder and select the Security tab. Click on the Add button and enter the account you want to add custom permissions for, in my case blackmoon_test. As in the screenshots below, change the permissions by clicking on the Full Control checkbox to give the user full control over the folder. Do this for the blackmoon folder, the temporary folder and any other folders the FTP server will be serving files from.

Certain FTP server operations may fail without the appropriate folder permissions for your user account.

   



SSL and non-administrator accounts
Blackmoon uses OS-managed certificate stores to hold certificates. These certificate stores are controlled by ACLs (Access Control Lists) that make it difficult for non-administrator accounts to access their contents. To use SSL with non-administrator service accounts, click on the Start button and select Run to bring up the Run dialog box. Enter regedt32.exe (this is not the same as regedit!!). Regedt32 can change permissions on registry keys, just like we did above with the folders.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates and right click on the registry key to bring up its properties. You will notice there is only one tab, which is Security. Add your user account, in my case blackmoon_test, and give it full permissions to the registry key as in the screenshots below.

   



We still have the permissions on the private key of the SSL certificate to deal with. Without access to the private key, the selected FTP server SSL certificate will not work for SSL connections. To make sure your account has access to the private key, download and install a tool called WINHTTPCERTCFG from the Microsoft website. The installation folder is \program files\Windows Resource Kits\Tools.

My SSL certificate is called "blackmoon_cert". To display user accounts with permissions to the private key of my SSL certificate, I open a command prompt to the WINHTTPCERTCFG folder and type

winhttpcertcfg -l -c LOCAL_MACHINE\My -s blackmoon_cert






To grant the blackmoon_test account access to the private key of the "blackmoon_cert" SSL certificate, I would type

winhttpcertcfg -g -c LOCAL_MACHINE\My -s blackmoon_cert -a blackmoon_test






To double-check that our blackmoon_test account has been granted access to the private key, we check again.





The winhttpcertcfg tool includes a help file that shows the syntax and sample commands for using it.
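
To review the result of the steps above, the following PowerShell script (an added example, not part of the original tutorial or of Blackmoon) reports which account the service logs on as and which permission entries name blackmoon_test on the folders and on the SystemCertificates registry key. The service name and folder paths are placeholders to replace; the script only reads settings and changes nothing.

```powershell
# Added example: read-only audit of the access granted in this tutorial.
$Account     = 'blackmoon_test'            # account name used on this page
$ServiceName = 'REPLACE_WITH_SERVICE_NAME' # placeholder: name shown in the Services console
$Folders     = @('C:\REPLACE\blackmoon', 'C:\REPLACE\temp')   # placeholder folder paths
$CertKey     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'  # key named on this page

function Get-AccountAce {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)
    # Matches 'blackmoon_test' and 'HOST\blackmoon_test'. Access the account
    # receives through group membership is not listed here.
    $pattern = '(^|\\)' + [regex]::Escape($Account) + '$'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -notmatch $pattern) { continue }
        # Folder entries carry FileSystemRights, registry entries carry RegistryRights
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        [pscustomobject]@{
            Path      = $Path
            Type      = $ace.AccessControlType
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

# 1. Which account does the service log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' logs on as: $($svc.StartName)" }
else      { Write-Warning "Service '$ServiceName' not found" }

# 2. Permission entries naming the account on each folder and on the registry key
$targets = $Folders + $CertKey
$report = foreach ($p in $targets) {
    if (Test-Path -LiteralPath $p) { Get-AccountAce -Path $p -Account $Account }
    else { Write-Warning "Path not found: $p" }
}
$report | Format-Table -AutoSize

# 3. Targets with no entry for the account: the permission step was missed there
$targets | Where-Object { $_ -notin @($report.Path) } |
    ForEach-Object { Write-Warning "No entry for $Account on $_" }
```

Run it from an administrator PowerShell prompt so the ACLs can be read, and keep the output as a record of exactly what the service account was given.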