Database Reference
In-Depth Information
priate icon in the eXist group on the Start menu, or following the instructions in
“Windows Linux and Other Unix” on page 407
.
By default the eXist service will run under the user account that you used to install
eXist. Once you have set up your unprivileged account and the necessary permis‐
sions, you can reconfigure the service to run under your unprivileged account by
opening the Services Manager, locating
eXist-db
in the Windows Services list, and
editing its properties (double-click on the service). Go to the Log-On tab, change the
setting from Local System Account to This Account, and specify the details of the
unprivileged account that you created.
Reducing the Attack Surface
eXist comes as a very full-featured product with many things enabled by default, and
several of these features are delivered as network services. In its default configuration
eXist presents a rather large surface that an outside intruder could attempt to exploit.
Fortunately, eXist is very configurable, and we can reduce the chance of an attack
vector being found by disabling various features and services that eXist provides.
Disabling extension modules
eXist ships with extension modules, and many of these are enabled by default. These
modules provide additional functionality to eXist in one of three areas:
• XQuery functions
• Security realms
• Indexing
Whatever the functionality, these extension modules have to be enabled in a two-step
process. First, they have to be compiled into the eXist release, and second, they have
to be enabled in eXist's configuration file (
$EXIST_HOME/conf.xml
) or in the Secu‐
rity Manager configuration (
/db/system/security/config.xml
).
While these extension modules provide a wealth of features, they are useful for differ‐
ent reasons and for different projects. It is unlikely that you will need to make use of
many of these extension modules, and thus it is recommended that you only enable
the extension modules that you absolutely require for your project. If you do not
know if you are using an extension module, then most likely you are not.
To disable an extension module that was previously enabled, you can optionally
remove its compiled code from your eXist installation (if you opted to install the
source code); then you must disable it in eXist's configuration file.
Search WWH ::
Custom Search