Getting Data In

Running Universal Forwarder with non-administrator service account

mas
Path Finder

Hello everybody,

due to strict security requirements, I am trying to setup the Splunk Universal Forwarder service to run with a domain account that has NOT administrative privileges on the server.

I have granted to the account the minimum permissions specified by Splunk Documentation and I also gave the account full permissions on folder %programfiles%\SplunkUniversalForwarder. I tried to set the account as owner of the entire %programfiles%\SplunkUniversalForwarder folders hierarchy. I have tried to specify the domain account during Forwarder setup and but I also tried to install the Forwarder to run with Local System account and to change the account afterwards.

Anyway the service always fails to start, without any specific event in the event logs, even if I tried to rise auditing of security events at maximum level (just to track if some required privilege was missing). Again, nothing gets written to Splunk logs. The only event in the System event log is: "The SplunkForwarder service terminated unexpectedly".

Could you give me any suggestion, please?

Please note that, due to our requirements, the Forwarder MUST run as a domain account.

Thank you for your help.

0 Karma
1 Solution

wcolgate_splunk
Splunk Employee
Splunk Employee

I'm sorry this question languished for so long, with no answers!

In 6.1 we introduced a low-privileged UF. It installs just like a normal UF, but you can choose to install as a domain user: and on that installation page there is a check box to choose whether the UF runs with full admin privs or a restricted set of rights and privileges. The following is the required set of process rights and privileges (and groups):

SeServiceLogonRight -- allow to log on as a service
SeSecurityPrivilege -- to access all the security event log
SeSystemProfilePrivilege-- to access all perfmon data
SeImpersonatePrivilege -- future use: if we completely lock down the UF, we may need to launch a subprocess with appropriate credentials (e.g. log in) that is above the station of the UF.

We also add the domain-user the UF is running under to the following local groups:

Performance Log Users
Event Log Readers

The installer takes care of all the necessary account modifications. When uninstalled, the splunk uninstaller will undo any changes it made to the run-as account local to that machine.

Note: there are some things that a low-privilege UF cannot do: for example, monitor or tail a file that it does not have permissions to access (this makes sense, right?). There are a few Windows apps that require admin rights to access specific data. In these cases, a low privilege UF will not work properly.

In all other respects the low-priv UF will run the same as a full admin installed UF.

View solution in original post

anand_singh17
Path Finder

Yes, Wcolgate.

0 Karma

wcolgate_splunk
Splunk Employee
Splunk Employee

Anand: Would you like to follow up on your issue directly?

0 Karma

wcolgate_splunk
Splunk Employee
Splunk Employee

I'm sorry this question languished for so long, with no answers!

In 6.1 we introduced a low-privileged UF. It installs just like a normal UF, but you can choose to install as a domain user: and on that installation page there is a check box to choose whether the UF runs with full admin privs or a restricted set of rights and privileges. The following is the required set of process rights and privileges (and groups):

SeServiceLogonRight -- allow to log on as a service
SeSecurityPrivilege -- to access all the security event log
SeSystemProfilePrivilege-- to access all perfmon data
SeImpersonatePrivilege -- future use: if we completely lock down the UF, we may need to launch a subprocess with appropriate credentials (e.g. log in) that is above the station of the UF.

We also add the domain-user the UF is running under to the following local groups:

Performance Log Users
Event Log Readers

The installer takes care of all the necessary account modifications. When uninstalled, the splunk uninstaller will undo any changes it made to the run-as account local to that machine.

Note: there are some things that a low-privilege UF cannot do: for example, monitor or tail a file that it does not have permissions to access (this makes sense, right?). There are a few Windows apps that require admin rights to access specific data. In these cases, a low privilege UF will not work properly.

In all other respects the low-priv UF will run the same as a full admin installed UF.

anand_singh17
Path Finder

We tried the same for Win Server 16, and via GPO, but the services never came up, but when assigning local administrative privileges, the services executes.

According to MSA (user needs to be part of local administrator group).

We are currently struggling to make it up.

0 Karma

mas
Path Finder

Thank you very much for your answer: I think that this new capability will be really useful in environments with strict security requirements.

By the way: in the meantime, four our specific needs, we moved to "DB Connect" app as a workaround. In fact our requirement was directly related to low-privileges access to a Microsoft SQL Server instance from the Universal Forwarder installed on the same server. A Universal Forwarder was preferred, compared to direct connections to DB, due to the possibility to encrypt traffic on the network and to the need to reduce firewall ports openings.

Just one annotation: in security-hardened environments, it is common to remove system privileges from default groups. As a result, adding the domain account to "Performance Log Users" and "Event Log Readers" groups could not lead to the expected result (that is, forwarder could be unable to read performance logs and event logs). In this scenario, Splunk administrator should be warned to assign these permissions explicitly, for instance by means of Group Policy Objects.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...