Even though the EventSentry agent has a small attack surface and, according to the vendor, no security vulnerability has been discovered in it to date, you may still prefer to run the EventSentry service under a less privileged account than the default.
By default, the EventSentry service runs under the LocalSystem account, which gives the agent nearly unrestricted access to the local machine. This is necessary because a regular user account, for example, lacks the privileges to read the Security event log or to read performance counter data.
On Windows 2000 or later you can change the account the agent runs under manually by following these steps:
Create User Account
1. Create a new regular domain user account in your domain, e.g. "EventSentry". It is recommended that you specify in the user account description that this account is used by the EventSentry agents.
Give Permissions for EventSentry Configuration
2. Windows 2003 & later: Open the registry editor regedit.exe and select the key HKLM\Software\netikus.net\EventSentry. Right-click the key, select Permissions from the menu and add the newly created user account with Full Control.
3. If you plan on using debug logging, the new user also needs write access to the %SYSTEMROOT% directory, since the debug log files are created and updated there. Skip this step if debug logging is not used, so that the account does not receive write access to the Windows directory unnecessarily.
Give Permissions for Security Event Log
4. Open the Domain Security Policy (Start -> Programs -> Administrative Tools) and navigate to Security Settings -> Local Policies -> User Rights Assignment.
5. Add the newly added user to Log on as a service.
6. Add the newly added user to Manage auditing and security log.
Give Permissions for Performance Monitoring
7. Windows 2003 & later: Open the registry editor regedit.exe and select the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib. Then, right-click the key and select Permissions from the menu and add the newly created user account to the list with Read permissions.
Change Service
8. Open the Services application (Start -> Programs -> Administrative Tools) and locate the EventSentry service. Double-click the service and select the Log On tab.
9. Select "This account" and specify the new user account for the service.
10. The registry permissions (steps 2 and 7, plus step 3 if debug logging is used) and the service change (steps 8 and 9) are local to each machine, so you will have to repeat them on every computer running the EventSentry agent. If you assigned the user rights in steps 5 and 6 through the Local Security Policy rather than a domain policy, repeat those steps on each computer as well.
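The per-machine part of the procedure above (steps 2, 3, 5-9) can be scripted so that it is applied identically on every agent host. The following PowerShell script is an added example and is not part of the EventSentry documentation or product; it assumes the account is named DOMAIN\EventSentry and the Windows service is named "EventSentry", both of which you should adjust. User rights have no built-in cmdlet, so the script exports the current assignments with secedit.exe, appends the account's SID, and imports them again; this matters because secedit replaces each listed right wholesale, so the existing members must be preserved.

```powershell
#Requires -RunAsAdministrator
# Added example, not EventSentry's own code. Applies steps 2-9 on the local machine.
# Assumed values (change for your environment): account DOMAIN\EventSentry,
# service name "EventSentry".
param(
    [string]$Account     = 'DOMAIN\EventSentry',   # assumed account name
    [string]$ServiceName = 'EventSentry',          # assumed service name
    [switch]$DebugLogging                          # only if step 3 applies
)
$ErrorActionPreference = 'Stop'

# Resolve the account to its SID once; secedit stores user rights as *SID entries.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Grant-RegistryAccess {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.RegistryRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Steps 5-6: export current user rights, add our SID to each right, import again.
function Grant-UserRight {
    param([string]$Sid, [string[]]$Rights)
    $export = Join-Path $env:TEMP 'rights-export.inf'
    $import = Join-Path $env:TEMP 'rights-import.inf'
    $db     = Join-Path $env:TEMP 'rights-import.sdb'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    $current = Get-Content -Path $export
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]',
             'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights) {
        $line    = $current | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $members = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
        # Keep existing members (e.g. service SIDs) and append ours only once.
        if ($members -notmatch [regex]::Escape("*$Sid")) {
            $members = if ($members) { "$members,*$Sid" } else { "*$Sid" }
        }
        $inf += "$right = $members"
    }
    Set-Content -Path $import -Value $inf -Encoding Unicode
    secedit /configure /db $db /cfg $import /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
    Remove-Item -Path $export, $import, $db -ErrorAction SilentlyContinue
}

# Step 2: Full Control on the agent's configuration key.
Grant-RegistryAccess 'HKLM:\SOFTWARE\netikus.net\EventSentry' $Account FullControl
# Step 7: Read on the Perflib key so performance counters can be opened.
Grant-RegistryAccess 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib' $Account ReadKey
# Step 3 (optional): write access to %SYSTEMROOT% for the debug log files.
if ($DebugLogging) {
    $acl  = Get-Acl -Path $env:SystemRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Write', 'ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $env:SystemRoot -AclObject $acl
}
# Steps 5-6: SeServiceLogonRight = "Log on as a service",
#            SeSecurityPrivilege = "Manage auditing and security log".
Grant-UserRight -Sid $sid -Rights 'SeServiceLogonRight', 'SeSecurityPrivilege'

# Steps 8-9: change the service's log-on account (prompts for the password) and restart it.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$rc   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $Account
            StartPassword = $cred.GetNetworkCredential().Password }
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
Restart-Service -Name $ServiceName

# Verify: the service is running and reports the new log-on account.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName
```

Unlike the Log On tab of the Services console, the Win32_Service.Change method does not grant "Log on as a service" on its own, which is why the user rights are assigned before the account is switched; if the service fails to start after the change, check that step with `secedit /export` or the Local Security Policy console first.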