Thanks for the hints. The task seems not to be fully automatable, so I created a guide for the IfU.
As it may be of use to someone reading this post, I am posting it here:
To improve system security and minimize potential vulnerabilities, it is strongly recommended that the Firebird database service does not run under the Local System account or any user account with elevated privileges.
Instead, use the provided Firebird tool instsvc.exe to install the service under a dedicated low-privilege user account:
1. Create a Dedicated Local User Account
   - Press Win + R, type compmgmt.msc, and press Enter to open Computer Management.
   - Navigate to System Tools → Local Users and Groups → Users.
   - Right-click on Users and select New User….
   - Create a new account (e.g., firebird_svc) with the following settings:
     - Set a strong password (in this example "YourSecurePassword").
     - Disable "User has to change password ...".
     - Enable "User cannot change password" and "Password never expires".
     - Do not add the user to the Administrators group.
   - Click Create, then Close.
2. Open secpol.msc
   - Go to Local Policies → User Rights Assignment.
   - Find "Deny log on locally".
   - Add the firebird_svc user.
3. Open a Command Prompt with Administrator rights.
   - Navigate to the Firebird installation directory (e.g., C:\Program Files\Firebird\Firebird_4_0).
   - Run the following commands to install the service under the dedicated user:
       instsvc stop
       instsvc remove
       instsvc install -l firebird_svc YourSecurePassword
       instsvc start
4. Right-click the Firebird installation directory (e.g., C:\Program Files\Firebird\Firebird_4_0), select Properties, then navigate to the Security tab. Ensure that the firebird_svc account is listed and has Full Control permissions assigned. If the account is not listed, add it and assign the appropriate rights.
The Firebird server now runs under a dedicated user account with limited system permissions, significantly enhancing the overall security of the system by reducing the risk of privilege escalation.
Additionally, access to the database file (YourApplicationsDatabaseFile.fdb) can be restricted to the Firebird service account and system administrators only. This prevents unauthorized users from reading or modifying the file and supports secure system operation.
1. Open Command Prompt as Administrator
2. Navigate to PathWhereYourDbFileIsLocated
cd \ProgramData\MyDbProgram
3. Remove Inherited Permissions
icacls "YourApplicationsDatabaseFile.fdb" /inheritance:r
4. Grant Access to Firebird Service User
icacls "YourApplicationsDatabaseFile.fdb" /grant firebird_svc:(M)
5. Grant Full Control to Administrators
icacls "YourApplicationsDatabaseFile.fdb" /grant *S-1-5-32-544:(OI)(CI)(F)
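A verification script for the result of the steps above, added here as an example and not part of the original post or of Firebird's own tooling. It assumes the Firebird 4 default service name "FirebirdServerDefaultInstance", the account name firebird_svc and the placeholder database path from the post; run it from an elevated PowerShell.

```powershell
# Added example: checks the three outcomes of the guide (service account,
# group membership, database file ACL). Assumed values are marked below.
$ServiceName = 'FirebirdServerDefaultInstance'   # assumption: Firebird 4 default instance
$Account     = 'firebird_svc'                    # account created in step 1
$DbFile      = 'C:\ProgramData\MyDbProgram\YourApplicationsDatabaseFile.fdb'  # placeholder path

$findings = @()

# 1. The service must not run as LocalSystem; it should run as the dedicated account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings += "Service '$ServiceName' not found (check the instance name)."
} elseif ($svc.StartName -eq 'LocalSystem' -or $svc.StartName -notlike "*\$Account") {
    $findings += "Service runs as '$($svc.StartName)', expected '.\$Account'."
}

# 2. The service account must not be a member of the local Administrators group.
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.Split('\')[-1] }
if ($adminMembers -contains $Account) {
    $findings += "'$Account' is a member of Administrators."
}

# 3. Database file ACL: inheritance removed, only the service account and
#    BUILTIN\Administrators (S-1-5-32-544) may appear in the access list.
if (Test-Path -LiteralPath $DbFile) {
    $acl = Get-Acl -LiteralPath $DbFile
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "Inherited permissions still apply to ${DbFile} (icacls /inheritance:r not applied)."
    }
    $allowed = @("$env:COMPUTERNAME\$Account", 'BUILTIN\Administrators')
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            $findings += "Unexpected ACE on ${DbFile}: $($ace.IdentityReference.Value) -> $($ace.FileSystemRights)"
        }
    }
} else {
    $findings += "Database file ${DbFile} not found."
}

if ($findings.Count -eq 0) {
    'OK: service account, group membership and database ACL match the guide.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Any "FINDING" line points at the step of the guide that still needs to be applied; the ACL check deliberately flags every identity other than the two the icacls commands grant.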