We use a Deployment server to manage config of our UF fleet. Recent changes to privileges on clients are preventing the UF from restarting its service after new config or systemclass has been downloaded. The company doesn't want to provide Splunk with a DA-level account or something similar.
What is the best "Least Privilege" way for the Splunk UF to be able to restart its own service and collect needed logs within a Windows domain?
Hi @calvinmcelroy,
This doc contains a few instructions related to scenarios as you mentioned: Install a Windows universal forwarder - Splunk Documentation
For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least-privileged" user called splunkfwd, which provides only the capabilities necessary to run the universal forwarder.
Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues, when you're installing with the installer, the default account is the local system on the domain controller.
If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice:
Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows.
Also, take a look at this point:
| Permission | Function |
|---|---|
| SeBackupPrivilege | Check to grant the least privileged user READ (not WRITE) permissions for files. |
| SeSecurityPrivilege | Check to allow the user to collect Windows security event logs. |
| SeImpersonatePrivilege | Check to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources. |
Happy Splunking,
Rafael Santos
Please don't forget to accept this solution if it fits your needs.
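As an added verification script (not from the Splunk documentation or from either post above), the following PowerShell reports which account the forwarder's Windows service actually runs as and whether that account holds the three user rights named in the table, plus membership in the local "Event Log Readers" and "Performance Monitor Users" groups. It assumes the UF's service name is SplunkForwarder (override with -ServiceName) and must be run from an elevated session, because secedit needs administrative rights to export the user-rights assignment.

```powershell
# Added audit script; assumptions: service name 'SplunkForwarder', elevated PowerShell 5.1+ on a
# domain member. It only reads configuration and changes nothing.
param(
    [string]$ServiceName = 'SplunkForwarder'
)

# The three rights listed in the answer's table, and the two local groups the docs mention.
$privilegesToCheck = 'SeBackupPrivilege', 'SeSecurityPrivilege', 'SeImpersonatePrivilege'
$groupsToCheck     = 'Event Log Readers', 'Performance Monitor Users'

# 1. Which account runs the service? Win32_Service.StartName is e.g. "LocalSystem" or "NT SERVICE\splunkfwd".
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName
Write-Host "Service $ServiceName runs as: $account"
if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    Write-Warning 'Service runs as LocalSystem, the high-privilege configuration the docs advise against outside domain controllers.'
}

# Resolve the account to a SID: secedit lists principals as '*S-1-5-...' rather than by name.
$sid = $null
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve a SID for '$account'; matching by name only."
}

# 2. Export the effective user-rights assignment and parse the [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'uf-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Value is a comma-separated list of '*SID' entries or plain account names.
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($priv in $privilegesToCheck) {
    $holders = $rights[$priv]
    $granted = ($holders -contains $account) -or ($sid -and ($holders -contains $sid))
    Write-Host ('{0,-24} {1}' -f $priv, $(if ($granted) { 'granted to service account' } else { 'not granted' }))
}

# 3. Local group membership. Local groups do not exist on a domain controller, so the
#    lookup fails there; that matches the GROUPPERFORMANCEMONITORUSERS caveat in the docs.
foreach ($group in $groupsToCheck) {
    try {
        $members  = Get-LocalGroupMember -Group $group -ErrorAction Stop
        $isMember = ($members.Name -contains $account) -or ($sid -and ($members.SID.Value -contains $sid))
        Write-Host ('{0,-26} {1}' -f $group, $(if ($isMember) { 'member' } else { 'not a member' }))
    } catch {
        Write-Warning "Group '$group' not available on this host (expected on a domain controller)."
    }
}
```

Run it on a forwarder that fails to restart after a deployment-server push and on one that works, and diff the two reports: the output shows directly whether the difference is the service account or one of the table's rights, which is the evidence to bring to the team that changed the client privileges.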