To improve security, Windows MID Servers enforce Windows file permission restrictions. The enforcement limits access to the MID Server files to a restricted whitelist of users and groups.

File permission enforcement for Windows MID Servers goes into effect on the MID Server on start up in Orlando. By default the agent folder is locked to four user accounts and groups: the local admin group, the system account, creator owner, and the user account the Windows MID Server is using. The list of permitted user accounts is managed by a whitelist, which is controlled by the MID Server parameter mid.windows_host.file_permissions.allow_list. This parameter takes a string of comma separated group names, user names, and security identifiers (SID). Group and user names must follow SAM account naming requirements. Domain accounts must be specified by using the SID.

Roll back file permission changes

Changes to the file permissions are recorded, and the last used settings are saved in the /etc folder as a backup. The file is fileperm.aclsave. Open a command prompt and run the command icacls <agent_folder> /restore <agent_folder>/etc/fileperm.aclsave where <agent_folder> is name of your agent folder.

Run a MID Server as a non-admin

To run a MID Server as a non-admin user, it must first be installed using an admin account. Then add the non-admin user to whitelist and restart the MID Server. Once the new enforcement rules run, the MID Server can be switched to the non-admin service account. See Run a Windows MID Server as a non-admin after manual installation for more information on setting up non-admin Windows MID Servers, or Run Linux MID Servers as non-root users for Linux MID Servers.