Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Deployment Server cannot restart deployment clients after new changes have been downloaded

calvinmcelroy
Path Finder
‎05-06-2024 11:47 AM

We use a Deployment server to manage config of our UF fleet. Recent changes to privileges on clients are preventing the UF from restarting it's service after new config or systemclass has been downloaded. The company doesn't want to provide Splunk with a DA-level account or something similar. 

What is the best "Least Privilege" way for the Splunk UF to be able to restart it's own service and collect needed logs within a windows domain?

Labels (1)
Labels
0 Karma
Reply

rafamss
Contributor
‎05-06-2024 12:19 PM

Hi @calvinmcelroy,

This doc contains a few instructions related to scenarios as you mentioned: Install a Windows universal forwarder - Splunk Documentation

About the least-privileged user

For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least- privileged" user called splunkfwd, which provides only the capabilities necessary to run the universal forwarder.

Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues, when you're installing with the installer, the default account is the local system on the domain controller.

If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice:

  • If you choose Local System, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account with Windows administrator privilege, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account without Windows administrator privilege, you select the privilege.

Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows.

Also, take a look at this point: 

PermissionFunction
SeBackupPrivilegeCheck to grant the least privileged user READ(not WRITE) permissions for files.
SeSecurityPrivilegeCheck to allow the user to collect Windows security event logs.
SeImpersonatePrivilegeCheck to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources.

 

Happy Splunking,
Rafael Santos

Please,  don't forget to accept this solution if it fits your needs

Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...