All Apps and Add-ons

Lowest possible right to run heavy forwarder on Windows

Path Finder

Hello All,

This is what we try to achieve:

1- In this Splunk document -->, it is written that you need these Windows privileges to execute Splunk (in our case a Heavy Forwarder - HFs) on Windows platform in a general manner:
a. Permission to log on as a service.
b. Permission to log on as a batch job.
c. Permission to replace a process-level token.
d. Permission to act as part of the operating system.
e. Permission to bypass traverse checking

2- We want to check if we can avoid granting some of these 5 privileges to the Windows user that will execute the Splunk Windows Heavy forwarder. Especially the most “critical ones” like “Permission to replace a process-level token”, “Permission to act as part of the operating system”, “Permission to bypass traverse checking”

3- The reason being that we want to reduce the “attack surface” of this Windows user that will execute Splunk (less “high” privileges this user have, less attack surface will exists).

4- Our particular use case in which we want to reduce these privileges is the following:
a. Splunk Windows HFs will be installed and running on Windows servers configured as “Windows Event Collector” (WEC) servers (see
b. These WEC servers will collect Windows events from different Windows source machines (Windows 10 desktop/laptop endpoints, Windows servers like Exchange or SQL Server or …, Windows Domain Controllers, Windows DHCP or DNS servers, …)
c. The Splunk HFs will only have to access and collect events forwarded by these different types of source machines to our WEC servers (with Splunk HFs running locally on these WEC servers)

5- Provided this very specific and pretty limited use case, we would like to know what are the minimum privileges the Windows user executing the Splunk HF process needs to access the WEC servers events “database” …

Thanks in advance

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...