I found out that actually, the LocalService account doesn’t restrict the service to the extent that I would like. In particular, the service can still read and write at will. I noticed the events.log was still being maintained, and I could still install bindings from PaperUI. For now, I left it at LocalService, since I don’t see any reason why it should run as LocalSystem.
Restricting access further would require making a custom user group and user for OH, and then troubleshooting in case it (or Java) wouldn’t run. That was more hassle than I was willing to go through. So I decided on a different approach.
I decided to have the firewall block inbound connections to OpenHab from the network, and use Internet Information Services to set up a reverse proxy with authentication. I think this is only available on Windows Professional or better. So from “Programs and Features”, “Turn Windows features on or off”, I activated Internet Information Services. By default, not all components are installed, so I had to drill down into “Security” and additionally activate “Windows Authentication”. From the web, I additionally installed URL Rewrite and Application Request Routing.
In the configuration for the default server, I clicked the Application Request Routing icon, and under “Server Proxy Settings” in the right pane, I clicked “Enable proxy”. Below, I activated “reverse proxy” with the address of my server and port 80 (e.g. 168.192.0.100:80). Then, in the default site configuration, I clicked the Authentication icon, deactivated Anonymous Authentication and activated Windows Authentication. Under “Server Farms” I created a new server farm and set the server with the advanced configuration to 127.0.0.1 port 8080 (where openHAB presents its web interface).
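For reference, this is roughly what the GUI steps above write into IIS’s applicationHost.config. It is a hand-written fragment added here, not taken from the post or from the openHAB project, and it assumes the site is called “Default Web Site” and the server farm is named “openhab”.

```xml
<!-- Fragment of %windir%\System32\inetsrv\config\applicationHost.config.
     Hand-written example; assumes site "Default Web Site" and farm "openhab". -->
<configuration>

  <!-- ARR: switch on the proxy engine (the "Enable proxy" step in the GUI). -->
  <system.webServer>
    <proxy enabled="true" />

    <!-- URL Rewrite global rule: every request goes to the farm named "openhab". -->
    <rewrite>
      <globalRules>
        <rule name="openhab-reverse-proxy" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <action type="Rewrite" url="http://openhab/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>

  <!-- ARR server farm: the only backend is openHAB on loopback port 8080,
       so the proxy never talks to it over a network interface. -->
  <webFarms>
    <webFarm name="openhab" enabled="true">
      <server address="127.0.0.1" enabled="true">
        <applicationRequestRouting httpPort="8080" />
      </server>
    </webFarm>
  </webFarms>

  <!-- Site-level authentication. IIS defaults are the weak combination
       anonymousAuthentication enabled="true" / windowsAuthentication enabled="false";
       this flips both. Both sections are locked to applicationHost.config by
       default (overrideModeDefault="Deny"), so they cannot live in a web.config. -->
  <location path="Default Web Site">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

A quick check after applying it: a browser on another machine on the LAN should get an authentication prompt on port 80 and a connection failure on port 8080, since the firewall rule only needs to block non-loopback traffic to 8080 and IIS’s own loopback connection to the farm is unaffected.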
So now I am presented with a login screen whenever I want to go to the openHAB web interface (on the standard HTTP port 80 now). Credentials are the same as my Windows server user account. BTW, I never had Karaf available to the network, I only use it via remote desktop and a local terminal application. So now, openHAB and its web server are no longer openly exposed to the network; they are now proxied through IIS, which presents a login screen. So any security flaws are not exploitable unless one passes the proxy, and I don’t have to prohibit configuration from the web interface since it is now password protected.
Optionally, one could also activate SSL encryption to further secure the session. I am leaving that out for now.
If you still want to use Visual Studio Code remotely, this is possible. For that, Basic Authentication also has to be installed and activated in IIS. In Visual Studio Code, you have to change the user settings to use the REST API for code completion and store the username and password. Note that (when not using SSL) credentials are then transmitted in cleartext over the network, so this is less secure.