Hello All,

This is what we try to achieve:

1- In this Splunk document --> https://docs.splunk.com/Documentation/Splunk/7.3.3/Installation/ChoosetheuserSplunkshouldrunas, it is written that you need these Windows privileges to execute Splunk (in our case a Heavy Forwarder - HFs) on Windows platform in a general manner:
a. Permission to log on as a service.
b. Permission to log on as a batch job.
c. Permission to replace a process-level token.
d. Permission to act as part of the operating system.
e. Permission to bypass traverse checking

2- We want to check if we can avoid granting some of these 5 privileges to the Windows user that will execute the Splunk Windows Heavy forwarder. Especially the most “critical ones” like “Permission to replace a process-level token”, “Permission to act as part of the operating system”, “Permission to bypass traverse checking”

3- The reason being that we want to reduce the “attack surface” of this Windows user that will execute Splunk (less “high” privileges this user have, less attack surface will exists).

4- Our particular use case in which we want to reduce these privileges is the following:
a. Splunk Windows HFs will be installed and running on Windows servers configured as “Windows Event Collector” (WEC) servers (see https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector)
b. These WEC servers will collect Windows events from different Windows source machines (Windows 10 desktop/laptop endpoints, Windows servers like Exchange or SQL Server or …, Windows Domain Controllers, Windows DHCP or DNS servers, …)
c. The Splunk HFs will only have to access and collect events forwarded by these different types of source machines to our WEC servers (with Splunk HFs running locally on these WEC servers)

5- Provided this very specific and pretty limited use case, we would like to know what are the minimum privileges the Windows user executing the Splunk HF process needs to access the WEC servers events “database” …

Thanks in advance