Can I configure the agent to run under a non-privileged account, instead of the default "LocalSystem"?

Article ID: 184
Category: Security
Applies to: All Versions
Updated: 2018-02-12

By default, the EventSentry agent runs under the LocalSystem account, which has unrestricted access to Operating System resources, which ensures that all components of the system can be monitored accurately.

You can change the account the agent is running under through the Services application in the Administrative Tools, but some manual configuration and privilege assignment will be necessary. The number of steps involved depends mostly on the EventSentry features being utilized.

Basics
Please follow the necessary steps in the Best Practices guide to have the agent run under a specific user account: Security > Agents.

Event Log Monitoring, Compliance Tracking
In order for a non-privileged account to access the security event log, custom privileges are necessary. The best practices guide above covers this scenario.

Log File Monitoring
The account the agent is running under needs NTFS permissions to access the files to be monitored.

System Health Monitoring
Service Monitoring: The agent needs access to query and optionally to control services and drivers.
Disk Space Monitoring: No special privileges should be required.
Application Scheduler: No special privileges should be required, but depends on scripts being run.
Performance Monitoring: The best practices guide above covers this scenario.
File Checksum Monitoring: The account the agent is running under needs NTFS permissions to access the files to be monitored.
Process Monitoring: No special rights are necessary, however Vista and higher systems require elevated permissions to query all processes on the system.
Software/Hardware Inventory: No special privileges should be required.
NTP Monitoring: No special privileges should be required for monitoring, right to change the system time is required if that functionality is enabled.

Environment Monitoring
Only rights to access the serial port should be required.




Try EventSentry on-premise

FREE 30-day evaluation

Download Now