Solved: Re: QLIK-NPrinting requires Local Admin Account to... - Qlik Community

GARCIA · ‎2022-08-22

Hi,

Base on QLIk documentation, QLIK-NPrinting requires Local Admin Account to run the Service.

Will this security problem be address in future releases?

Best regards.

Frank_S · ‎2022-08-22

Qlik NPrinting requires a domain account that is member of the local administrators group.

https://help.qlik.com/en-US/nprinting/May2022/Content/NPrinting/DeployingQVNprinting/User-accounts.h...

Requirements

The Windows service administrator must:

Be a member of the local Windows Administrators group.

Be a domain user.

Have Log on as a service rights.

If you have a security concern, please create a submit a support request outlining the details of your concern and we will forward that internally to our SSO (Software Security Office) for review. Please include the ID of your related CVE (security vulnerability ID) with your support case.

Kind regards...

Please remember hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!

View solution in original post

Frank_S · ‎2022-08-22

Qlik NPrinting requires a domain account that is member of the local administrators group.

https://help.qlik.com/en-US/nprinting/May2022/Content/NPrinting/DeployingQVNprinting/User-accounts.h...

Requirements

The Windows service administrator must:

Be a member of the local Windows Administrators group.

Be a domain user.

Have Log on as a service rights.

If you have a security concern, please create a submit a support request outlining the details of your concern and we will forward that internally to our SSO (Software Security Office) for review. Please include the ID of your related CVE (security vulnerability ID) with your support case.

Kind regards...

Please remember hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!

David_Friend · ‎2022-08-23

@GARCIA as Frank already stated this is a requirement, any specific reason this is viewed as a security vulnerability/problem?

eric99 · ‎2022-09-02

This is not unusual policy; Putting a service account in the local admin's group should not be required. The account should follow the principals least privilege. This requirement of having the NPrinting account be an administrator does not make sense.

GARCIA · ‎2022-09-05

@eric99 , thanks! That's exactly what I meant. Furthermore, in our environment we are running Qlik-Sense and Qlik-Nprinting and for Qlik-Sense admin priviledges are not required for running the services. I hope in the near future this gets solved.

ISOgv · ‎2022-09-05

Hi everyone! We have the same problem in our company, this is consider as a Security risk, the reason for that, as said by @eric99 is the principle or minimum privilege, because a misuse of the account can leads to distruption on the data/service availablity. WEB application is running under admin rights. Any vulnerabilities on the server will allow the attacker to take control on the server and the environment using the admin privileges. Hope this comment to solve this issue in near future.

David_Friend · ‎2022-09-07

@ISOgv @GARCIA please use Qlik Ideation to submit product ideas:

https://community.qlik.com/t5/Suggest-an-Idea/idb-p/qlik-ideas

I've tried searching to see if this has been submitted by someone else already, but did not see any close matches, so perhaps a new one is needed.

QLIK-NPrinting requires Local Admin Account to run the Service.

Qlik NPrinting May 2022

Qlik Sense

Requirements

Requirements