We have password audits and with Sophos installed on the DC's it shows as an AD account that has a password set to never expire. Can I set it to expire and reset it?
Hello B_B,
Please see What is the SophosSAU account? It should answer most of your questions.
And give my regards to your auditor [;)]. A password set to never expire - so what? What's the significance of changing the password of this account? A reasonable lockout policy thwarts any password guessing attack. The account's rights are limited (although it has Log on as a service). And if someone manages to grab the obfuscated value from the registry and deobfuscate it or otherwise obtains the actual value - what the hacker could do with this account is probably your least concern.
Christian
Hello B_B,
directions are not accurate
except that they refer to a local account only (on a DC it's a domain account) they seem to be correct. I've just tested the procedure on a 2016 (though not a DC but that shouldn't make a difference). What makes you think it can no longer be done?
Christian
Hello B_B,
if you open the file from Explorer the editor (Notepad, whatever) is normally in user mode. If it's a location where approval is required you can't subsequently save the file. Some editors recognize the situation and offer you to elevate themselves. For Notepad run it as admin and use the Open dialog to edit the config.
Christian
I think we are in different places in our lives. I blame Sophos first for pretty much everything at this point in my life.
It has nothing to do with it being in ProgramData folder or it being a DC because I can modify other files in ProgramData that are not in the Sophos folder.
I guess I should have asked if you realize I am posting in the Sophos Central forum because of the issues I am having.
So from my understanding the directions give you two options. Either change the account used or change the password with a new value.
Yes. You will need to edit the HKLM\Software\Sophos\AutoUpdate\Service registry key and enter the credentials of an account that can be used for this impersonation.
There isn't an AutoUpdate in HKLM\Software\Sophos\
Changing the password This is for on prem. I do not see these settings for Sophos Central Agent
Hello B_B,
I have to apologize, I didn't think. As to posting in the Sophos Central forum - no offence intended but posts don't always end up in the most applicable forum.
As said, I did not think. The minor shortcoming: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\ - I missed the missing reference to bitness, most Sophos components are 32bit and the keys are under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ on 64bit systems. The bigger mistake is the oversight w.r.t. the local GUI - guess the GUI for Central Endpoint doesn't display the update settings as changing them doesn't make sense.
Thinking it over I'm pretty sure that AutoUpdate doesn't need the impersonation account in a Central installation. The account is used when accessing an update location via UNC. It might be that the account is only impersonated when updating via UNC is attempted, and Central updates via HTTPS. If you disable the account - does it still update? Could this be a solution?
Christian
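Added example, not part of any post in this thread and not Sophos code: a read-only PowerShell check that looks for the Sophos\AutoUpdate\Service key mentioned above in both the 64-bit and the 32-bit (Wow6432Node) registry view, and reports who is allowed to read it. The function name Get-SophosAutoUpdateKeyReport is hypothetical; only the key path comes from the thread, and value data is deliberately never read.

```powershell
# Added example. Only the sub-path below is taken from the thread.
$SophosSubPath = 'SOFTWARE\Sophos\AutoUpdate\Service'

function Get-SophosAutoUpdateKeyReport {
    param([string]$SubPath = $SophosSubPath)

    # Registry32 is what a 32-bit component sees; on 64-bit Windows it maps
    # to HKLM\SOFTWARE\Wow6432Node\... as described in the thread.
    foreach ($name in 'Registry64', 'Registry32') {
        $view = [Microsoft.Win32.RegistryView]$name
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubPath)      # read-only; $null if absent
            if ($null -eq $key) {
                [pscustomobject]@{
                    View = $name; Present = $false
                    ValueNames = @(); AllowedPrincipals = @()
                }
                continue
            }
            try {
                # Names only: the stored credential value is not read or shown.
                $valueNames = $key.GetValueNames()
                # Principals with an Allow ACE on the key, for the audit record.
                $allowed = $key.GetAccessControl().Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' } |
                    ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights }
                [pscustomobject]@{
                    View = $name; Present = $true
                    ValueNames = $valueNames; AllowedPrincipals = $allowed
                }
            }
            finally { $key.Dispose() }
        }
        finally { $base.Dispose() }
    }
}

Get-SophosAutoUpdateKeyReport | Format-List
```

Run it from an elevated PowerShell session on the DC; a row with Present = False in both views means the key is not there on that installation.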