Deployment Server cannot restart deployment clients after new changes have been downloaded

calvinmcelroy
Path Finder

We use a Deployment server to manage config of our UF fleet. Recent changes to privileges on clients are preventing the UF from restarting its service after new config or systemclass has been downloaded. The company doesn't want to provide Splunk with a DA-level account or something similar.

What is the best "Least Privilege" way for the Splunk UF to be able to restart its own service and collect needed logs within a Windows domain?

rafamss
Contributor

Hi @calvinmcelroy,

This doc contains a few instructions related to scenarios as you mentioned: Install a Windows universal forwarder - Splunk Documentation

About the least-privileged user

For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least-privileged" user called splunkfwd, which provides only the capabilities necessary to run the universal forwarder.

Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues, when you're installing with the installer, the default account is the local system on the domain controller.

If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice:

  • If you choose Local System, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account with Windows administrator privilege, the universal forwarder runs Windows administrator full privilege.
  • If you choose a domain account without Windows administrator privilege, you select the privilege.

Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows.

Also, take a look at this point: 

Permission             | Function
-----------------------|-----------------------------------------------------------------------
SeBackupPrivilege      | Check to grant the least privileged user READ (not WRITE) permissions for files.
SeSecurityPrivilege    | Check to allow the user to collect Windows security event logs.
SeImpersonatePrivilege | Check to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources.


Happy Splunking,
Rafael Santos

Please, don't forget to accept this solution if it fits your needs
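The privileges listed in the answer above can be verified on a forwarder host rather than assumed. The PowerShell below is an added example, not code from this thread or from Splunk: it reads the logon account of the forwarder's Windows service, exports the local user-rights policy with secedit, and reports whether that account (or one of the built-in groups that carry the same rights) holds SeBackupPrivilege, SeSecurityPrivilege and SeImpersonatePrivilege. It assumes the service is named SplunkForwarder (the default; pass -ServiceName if yours differs), that it is run from an elevated prompt because secedit needs administrator rights to export policy, and that the built-in local groups use their English names.

```powershell
# Added audit example (not from the original post or Splunk documentation).
# Assumptions: the UF Windows service is "SplunkForwarder" (default name),
# the script runs elevated (secedit /export requires it), and the built-in
# group names are the English ones. Read-only: nothing is changed on the host.
param(
    [string]$ServiceName = 'SplunkForwarder'
)

# Privileges the thread names for a least-privileged forwarder account.
$RequiredPrivileges = @('SeBackupPrivilege', 'SeSecurityPrivilege', 'SeImpersonatePrivilege')

# Built-in groups whose membership also conveys rights relevant to log collection.
$GroupsOfInterest = @('Backup Operators', 'Event Log Readers', 'Performance Monitor Users')

function Get-ServiceLogonAccount {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this host." }
    return $svc.StartName          # e.g. LocalSystem, NT SERVICE\splunkfwd, DOMAIN\svc_uf
}

function Resolve-AccountSid {
    param([string]$Account)
    # Virtual accounts such as NT SERVICE\splunkfwd translate like any other principal.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalPrivilegeAssignments {
    # Export [Privilege Rights] from the effective local policy and return a
    # hashtable: privilege name -> array of holder SIDs (leading '*' stripped).
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try {
        $inSection = $false
        $map = @{}
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                $map[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $map
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

function Test-ForwarderPrivileges {
    param([string]$Name, [string[]]$Privileges, [string[]]$Groups)

    $account = Get-ServiceLogonAccount -Name $Name
    Write-Host "Service '$Name' runs as: $account"

    if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
        Write-Warning 'Forwarder runs as Local System, i.e. full administrator privilege; not a least-privilege setup.'
        return
    }

    $sid = Resolve-AccountSid -Account $account
    $assignments = Get-LocalPrivilegeAssignments

    # Groups the account belongs to; rights granted to these groups apply to it too.
    $memberOfSids = @()
    foreach ($g in $Groups) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members -and ($members.SID.Value -contains $sid)) {
            $memberOfSids += (Get-LocalGroup -Name $g).SID.Value
            Write-Host "  member of local group: $g"
        }
    }

    foreach ($priv in $Privileges) {
        $holders = @($assignments[$priv])
        $direct  = $holders -contains $sid
        $viaGroup = @($holders | Where-Object { $memberOfSids -contains $_ }).Count -gt 0
        $status = if ($direct) { 'held (direct)' } elseif ($viaGroup) { 'held (via group)' } else { 'MISSING' }
        Write-Host ("  {0,-24} {1}" -f $priv, $status)
    }
}

Test-ForwarderPrivileges -Name $ServiceName -Privileges $RequiredPrivileges -Groups $GroupsOfInterest
```

A right that shows as MISSING here but is still effective usually comes from a group not in the list above or from a domain GPO that has not been applied yet; rerun after `gpupdate /force` before changing anything. The script only reads policy and group membership, so it is safe to run on a domain-joined forwarder to confirm the account is no broader than the three privileges the answer describes.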
