Using NT AUTHORITY\SYSTEM Account on Windows Workers

#1

Hi Everyone;

I’m on 5.1.0 and have found that with windows workers, it’s using the SYSTEM account to run everything. This is probably okay for setup/installation, but when it comes to running applications that are not designed to be run under that account, it results in problems.

Is there a way to specify which user to use? Privileged is not enabled, and I’ve tried specifying an admin user in the run configuration. I expected they were only for Linux, but tried those settings anyway.

I’m running scripts in powershell, and am able to start a new powershell process with the correct credentials, but the whole thing aborts when the “child” powershell process finishes. It works without issue when running my script manually on the same machine (obviously I’m logged in with an actual account here). I’ve even tried just running commands directly with the new powershell process but this also doesn’t work when initiated from Concourse.

The best solution here is to be able to specify which windows account to use. Sometimes it does make sense to use the system account, but when it comes to running applications, or normal usage, it’s better to optionally specify a user account.

One more side effect of always running under system is that now the script has, for all practical purposes, unrestricted access to the system.

Edit: one way to change this is also to change the user that starts the related services, but I’m not sure what other side effects this might have.

Thanks.

#2

Hello,
we had the same concerns. We run on AWS, we bake the Windows VMs with Packer and use Salt (but if you have nothing, please use Ansible instead) at Packer time to add a concourse user, with less privileges. We then use https://nssm.cc/ (although we are not completely satisfied by it) to supervise the concourse worker.

So yes, it is possible to run with an unprivileged user.

#3

Thanks for letting me know what you did and that it’s working for you too. In case anyone else has this question, what I ultimately ended up doing was making a powershell script run by Concourse that creates/updates a new user with a random password, then provides the role to start services, then changes the Log On user for the service and then uses Invoke-WmiMethod with nssm.

I didn’t have the option of saving a VM to use as a base.
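The procedure described in #2 and #3 (a dedicated low-privilege local account for the worker, "Log on as a service" granted to it, and the nssm-managed service re-pointed at that account) as an added, self-contained PowerShell example. This is not the poster's script and not Concourse's or nssm's own tooling; the service name `concourse-worker` and account name `concourse` are assumptions to adjust, the right is granted with `secedit` because there is no built-in cmdlet for it, and the service Log On change uses `Invoke-CimMethod` with named arguments instead of `Invoke-WmiMethod` so the `Win32_Service.Change()` parameters cannot be passed in the wrong positional order. Run it from an elevated PowerShell on the worker.

```powershell
# Added example (not from the thread): provision a low-privilege local account
# for a Concourse Windows worker, grant it "Log on as a service", and re-point
# the nssm-managed worker service at it. Requires an elevated session.
# ASSUMPTIONS: service registered as 'concourse-worker', account 'concourse'.
param(
    [string]$ServiceName = 'concourse-worker',   # assumed nssm service name
    [string]$UserName    = 'concourse'           # assumed local account name
)
$ErrorActionPreference = 'Stop'

# 1. Random password from the OS CSPRNG (32 bytes -> 44-character base64).
#    Keep $PlainPassword out of logs; it is needed once for the service change.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# 2. Create the account, or rotate its password if it already exists.
#    No group membership is added: a plain local user, not an Administrator.
$existing = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-LocalUser -Name $UserName -Password $SecurePassword `
        -PasswordNeverExpires -AccountNeverExpires `
        -Description 'Concourse worker service account' | Out-Null
} else {
    Set-LocalUser -Name $UserName -Password $SecurePassword
}
$Sid = (Get-LocalUser -Name $UserName).SID.Value

# 3. Grant SeServiceLogonRight ("Log on as a service") with secedit: export only
#    the USER_RIGHTS area, append the SID to that right, import the same area so
#    no other local policy settings are touched.
$tmp = Join-Path $env:TEMP "svc-logon-$PID"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$cfg = Join-Path $tmp 'policy.inf'
$db  = Join-Path $tmp 'policy.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$content = Get-Content $cfg
$line = $content | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($null -eq $line) {
    # Right not assigned to anyone yet: add it under [Privilege Rights].
    $content = $content -replace '^\[Privilege Rights\]$',
        "[Privilege Rights]`r`nSeServiceLogonRight = *$Sid"
} elseif ($line -notmatch [regex]::Escape("*$Sid")) {
    $content = $content -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$Sid"
}
Set-Content -Path $cfg -Value $content -Encoding Unicode   # secedit wants UTF-16LE
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $tmp -Recurse -Force

# 4. Change the service's Log On account. Named arguments avoid the
#    Invoke-WmiMethod -ArgumentList ordering pitfall for Win32_Service.Change().
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { throw "Service '$ServiceName' not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = ".\$UserName"
    StartPassword = $PlainPassword
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with code $($result.ReturnValue)"
}

# 5. Restart so the worker picks up the new identity, then verify.
Restart-Service -Name $ServiceName
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service '{0}' now runs as '{1}' (state: {2})" -f $svc.Name, $svc.StartName, $svc.State
```

After this the worker's processes run as `.\concourse` rather than `NT AUTHORITY\SYSTEM`, so anything a task script does is bounded by that account's rights. The account still needs read/write access to the worker's work directory and any tool paths the tasks use; granting those ACLs is left to the operator because the paths depend on the install.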