Forums  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Member List  Search  FAQ  Ticket List  Log Out

 

Required Rights

  		Logged in as: Guest
Users viewing this topic: none
  Printable Version
All Forums >> [Networking & Security] >> GFI EventsManager >> Required Rights Page: [1]
Login
Message << Older Topic   Newer Topic >>
Required Rights - 24.Apr.2008 1:38:16 PM   
gmitch64

 

Posts: 1
Score: 0
Joined: 24.Apr.2008
Status: offline 		What rights does the account running the events manager actually NEED? The docs and the FAQ recommend making the account a Domain Administrator, which seems way to many rights for an application.

We're going to try making the account a local machine administrator and see if it still works, but even that seems to be too many rights. So which rights, and where, does it actually NEED?

We're in the process of moving to Windows 2008, so we're trying to lock things down as tightly as we can as we progress.


Graham
Post #: 1
RE: Required Rights - 25.Apr.2008 3:15:45 AM   
Sven Berger

 

Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline 		Hi gmitch64,

Unfortunately we do not have any information on the exact rights that are required by Eventsmanager that can be made public. But from the way Eventsmanager works, we can deduce the following:

if you want to run Eventsmanger under User Credentials, that account would require additional rights such as:

- Log on as a batch job (for scheduled tasks)
- Log on as service

It becomes more complicated when you start looking at the privileges required by Eventsmanager. Privileges like "modify morning firmware values" and "create global objects" do require a good understanding of the actual code in Eventsmanager and this information is not made public by the developers. 

There are about 20 to 25 privileges that are automatically asigned to Administrators, and I guess that a good number of there are required by Eventsmanager ( but probably not all).

Personally, I would advise you against attempting to create a User account and add required priviledges as required. You would have to test every single function in Eventsmanager with such an account to be sure that Eventsmanager is working correctly.

There is one other thing to consider: We do not suport such a configuration. We would first advise you to switch back to the Local Administrator Account before we would undertake any troubleshooting.

_____________________________

Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to gmitch64)
Post #: 2
RE: Required Rights - 28.Apr.2008 2:13:25 PM   
mfhjek0

 

Posts: 24
Score: 0
Joined: 14.Jun.2006
Status: offline 		Security in Windows Active Directory has finally begun to breakdown individual permissions in a much more granular manner as a response to a long time weakness that required many products ( and people ) to run as Domain Admins, or Administrator, even that was way to much authority. 

With the new delegation capability Security Administrators now have the capability to only grant the permissions the application needs.  We are asking our vendors to do their homework and know exactly what permissions their software needs, and provide that level of installation information so we can fully utilize the security capablilities that today's business requires.

Can you please submit this as a feature request.

thank you




(in reply to Sven Berger)
Post #: 3
RE: Required Rights - 29.Apr.2008 3:13:47 PM   
Terry Erickson

 

Posts: 11
Score: 0
Joined: 28.Apr.2008
Status: offline
quote:

mfhjek0
Security in Windows Active Directory has finally begun to breakdown individual permissions in a much more granular manner as a response to a long time weakness that required many products ( and people ) to run as Domain Admins, or Administrator, even that was way to much authority.

With the new delegation capability Security Administrators now have the capability to only grant the permissions the application needs. We are asking our vendors to do their homework and know exactly what permissions their software needs, and provide that level of installation information so we can fully utilize the security capablilities that today's business requires.

Can you please submit this as a feature request.

thank you

I have just sent this to Product management for consideration.  Thank you for taking the time to clearly outline your needs.

(in reply to mfhjek0)
Post #: 4
RE: Required Rights - 14.Jul.2009 12:34:01 PM   
Keeper

 

Posts: 1
Score: 0
Joined: 14.Jul.2009
Status: offline 		Have we made any progress on identifying what access the application actually needs?  It has been over a year since this request, and it is pretty critical for us to be able to use the product.

(in reply to Terry Erickson)
Post #: 5
RE: Required Rights - 15.Jul.2009 10:07:40 AM   
DrewE

 

Posts: 1058
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline 		EventsManager performs a series of operations in order to read Windows event logs from the remote machines:
 
-          Connect to the remote computer
-          Connect to the remote registry in order to retrieve the necessary path information and source information
-          Connect to the event log files via corresponding Microsoft API in order to read the actual log entries
-          Get more information about application and system events by connecting to certain resource .DLL files.
 
For operations 1, 2 and 4, one would NOT necessary need administrative user /privileges to achieve. However in order to access the security event log, one needs administrative privileges. This is the way in which Microsoft implemented the security log, in order to protect it. There is no workaround this aspect.
 
If you are not scanning security events, you do not need to use an administrative account.
 
However if you want to scan security event log, you can only use an administrative account to accomplish that.
 
Quote from http://support.microsoft.com/kb/308427 regarding Windows XP:
“You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.”
 
Quote from http://technet.microsoft.com/en-us/library/cc722139(WS.10).aspx regarding Windows Vista and 2008 Server
“Only administrators can gain access to security logs.”
 
 
More information:
 
In order to scan W3C files, one only needs access to those files via NTFS /Share permissions, so again an administrative account is not required.
In order to receive Syslog messages or SNMP traps, you do not require any account.
In order to perform SQL Server audits you need an account which is server administrator on the SQL machine (SQL permissions).

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to Keeper)
Post #: 6
RE: Required Rights - 17.Jul.2009 8:17:08 AM   
mfhjek0

 

Posts: 24
Score: 0
Joined: 14.Jun.2006
Status: offline 		You may want to change your installation instructions which read:

" 7. GFI EventsManager must run under an account which has domain administrative privileges. Enter the user name and password of domain administrator account and click Next to continue. "

I have been able to run with my service account in the Administrators group with no problem.  Domain Admin is not necessary in my case.


(in reply to DrewE)
Post #: 7
Page:   [1]
All Forums >> [Networking & Security] >> GFI EventsManager >> Required Rights Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts