| Overview | Architecture | Download | Register | FAQ | Support |
Connections to the Directory Sizer Scanner service (i.e. from Directory Sizer Central) are required to be able to write to a value in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSZscan\Parameters
By default the protection on this key is limited to the Administrators of the machine, and SYSTEM. Directory Sizer Central must run under an account which has been granted permission to write to this key on each machine.
Many sites have an account which has administrator access to all machines. To simplify configuration of Directory Sizer, you can run Directory Sizer Central under such an account, e.g. Administrator. More security conscious sites may want to use regedt32 to set the permissions on this key to include the account in the domain that is used to run the Directory Sizer Central service.
To bypass all security checks, you can change the ClientCheck value to 0. See Registry settings for more information.
Directory Sizer Scanner uses NT's back up files and directories right to bypass any file permission that would otherwise prevent discovering the size of a file, but only the name and size of directories is recorded. The Directory Sizer Scanner service is usually run under the SYSTEM account which has this right, but if you change the service to use another account, you should grant it the back up files and directories right.
The Directory Sizer Database stores some arguably sensitive information - the name of a directory may in some circumstances be a security risk, e.g. "Staff redundancies for October". By default the Directory Sizer Database is only accessible to adminstrators of the SQL Server machine. There are several roles defined within the Directory Sizer Database and you can add users to these roles to meet specific needs.
You should also follow SQL Server good practice, e.g. key up with service packs and patches, deny access to or remove stored procedures not required, and setting the SA password. www.sqlsecurity.com is a good source of information on this topic.
Directory Sizer Setup creates two SQL logins - dszWebAdmin and dszWebUser - and adds them to their corresponding roles. The passwords are stored in the web - see below. This is typical of IIS based applications accessing SQL Server databases on other machines.
This arrangement can be avoided if SQL Server and IIS are running on the same machine by using NT authentication of end users - using a trusted connection.
This service needs to run under an account that is an administrator of the local machine, has access to the database in the dszCentralSA-role and has access to the registry key for Directory Sizer Scanner for all your remote machines.
In an NT 4 single domain model, the simplest account is clearly an Administrator account, but for other models, you will be best placed to consider this issue - you have two choices, a good choice of account, or changing permissions on registry keys on the remote machines (see the Directory Sizer Scanner section above).
The web must interact with the Directory Sizer Database and should restrict access from normal users. To this end, the directory in which you install the web needs to have permissions set such that only those users who you wish to have access can read these files.
Directory Sizer Setup sets the web folder to use challenge/response (NT Integrated in Windows 2000) so that these file permissions are honoured. An alternative is to use digital certificates with mapped accounts.
If the web can pass authentication information to the SQL machine, e.g. if IIS and SQL are installed on the same machine, you can change the connection string for the database to use trusted_connection=yes. Edit dszConnection.asp in the include folder and dszConnectionA.asp in the admin folder, comment out the existing line, and uncomment the other example line.