During the installation of Enterprise Console you are required to enter a username and password for two Windows accounts.  These accounts are not automatically created by the installer and therefore must be manually created by you (or your network administrator).  Once created you can then enter the username and associated password for both accounts into the Enterprise Console installer.

This article contains information regarding these Windows user accounts, why they are required, how to create them and also how they are used.

Note: If you are installing just the 'Management Console' component to a computer, i.e. a remote Enterprise Console, the account requested during the installation should be the same as the account the 'Sophos Management Host' service is running as on the Sophos management server.  This is referenced as 'SophosManagement' in this article.

Applies to the following Sophos product(s) and version(s)
Enterprise Console 5.2.2
Enterprise Console 5.3.0
Enterprise Console 5.3.1
Enterprise Console 5.4.0

Why are two accounts required?

Your Sophos management server requires two accounts to be used.  One account is used to run a number of services and provide access to the database and the other is used to enable the clients to update from the 'SophosUpdate' share on the server.

Note: We will refer to the 'Sophos Update Manager' component as 'SUM' from now on.  SUM is a component of your Sophos management server that downloads software and Anti-Virus protection updates from our servers.

We recommend you create two accounts, one for each role. We also recommend that you name the new accounts as follows:

• SophosManagement for the services and database account.
• SophosUpdateMgr for the SUM account.

If your management server is in a domain environment, we recommend these are domain accounts. If your management server is part of a workgroup, these should be local accounts on the management server.

Note: Prior to Enterprise Console 5.x, the database account was not required when all components (e.g., console, database, SUM) were installed on the same server. If you are upgrading to Enterprise Console 5.x from a previous version we recommend you create a new database account for this purpose.

What To Do

Follow steps one and two below.  They will first enable you to determine if you need to create domain or local accounts and then explain how to create the accounts correctly.

If required, more (advanced) information about the accounts and their purpose can be found in the Technical Information section at the bottom of this article.

1. Determine if you need to create domain accounts or local accounts

1. On the computer where you are installing Enterprise Console, open ‘System properties’ by going to: Start | Run | Type: sysdm.cpl | Press return.
2. Click on ‘Change...’,
   Note: For XP/2003 you will need to change to the 'Computer Name' tab to locate the change button. 
3. Under the ‘Member of’ section record what option (either 'Domain' or 'Workgroup') is selected.

If the computer is a member of a domain, it is recommended you create domain accounts (i.e., create the accounts on the computer that is your domain controller), however you could create the accounts on the local server that is not your domain controller - but we do not recommend this.

If it is a member of workgroup, you should create local accounts.

2. Create the accounts

Depending on your environment (as established in step 1 above) following the appropriate section below.

• Domain environment:
  
  1. On the Domain Controller open the ‘Active Directory Users and Computers’ window by going to: Start | Run | Type: dsa.msc | Press return.
  2. Right-click on the ‘Users’ tree node on the left and select ‘New’ - ‘User’. 
  3. Fill the new user account details in 'New Object - User' dialog box:
     ‘First name’: SophosManagement
     ‘User logon name’: SophosManagement
  4. Click ‘Next’
  5. Enter a strong password for the account that meets the complexity of the domain.
  6. Un-check the option: ‘User must change password at next logon’
  7. Check the option: ‘User cannot change password’.
  8. Check the option: ‘Password never expires’
  9. Un-check the option: ‘Account is disabled’
  10. Click ‘Next’ and then 'Finish'
  11. Repeat steps 2-10 to create the second account SophosUpdateMgr. Change the values of step 3 to SophosUpdateMgr for both the ‘First name’ and ‘User logon name’.
      
      
• Workgroup environment:
  
  1. Open the 'Local users and group' window by going to: Start | Run | Type: lusrmgr.msc | Press return.
  2. Right-click on the ‘Users’ tree node on the left and select: New | User
  3. Fill the new user account details in 'New User' dialog box:
     ‘User name’: SophosManagement
     ‘User logon name’: SophosManagement
  4. Enter a password for the user that meets the complexity of the computer.
  5. Uncheck ‘User must change password at next logon’
  6. Check ‘User cannot change password’.
  7. Check ‘Password never expires’
  8. Uncheck ‘Account is disabled’
  9. Click ‘Create’
  10. Repeat steps 3-9 to create the second account SophosUpdateMgr. Change the values of step 3 to SophosUpdateMgr for both the ‘User name’ and ‘User logon name’.

You have now created the two accounts required by the Sophos Enterprise Console installer.

When prompted during the installation of Enterprise Console enter the accounts created in this article.

Technical Information

The additional detailed information below is provided for the advanced user who would like to know how the accounts are used.

Database Account

Where is it used?

The 'database' account is used by the Sophos Management Service (the process name is 'mgntsvc.exe') to connect to the database. During installation the account is written to the key shown below for the Sophos Management Service to use when connecting to the database.

• 64-bit server: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools\DatabaseUser\
• 32-bit server: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser\

Note: 

• The password for the account is obfuscated in the registry.  If you need to change the account or password, it is recommended to re-run the installer (e.g. C:\sec_52\ServerInstaler\setup.exe) to re-configure the system.
• For advanced distributed installations, where only the database component is selected, the installer also requests the ‘database’ account. The ‘database’ account will be added to the Windows group 'Sophos DB Admins' also created by the installer in order to give this account access to the database. This same ‘database’ account should be selected when installing the management server component to enable the management server to access the database. If you choose to create local accounts, for example you are using a workgroup, the account names and passwords must match.

The following Sophos services (if they exist) are also set to log on as this account:

• Sophos Management Host (Sophos.FrontEnd.Service.exe)
• Sophos Patch Endpoint Communicator (PatchEndpointCommunicator.exe)
• Sophos Patch Endpoint Orchestrator (PatchEndpointOrchestrator.exe)
• Sophos Patch Server Communicator (PatchServerCommunicator.exe)
• Sophos Encryption Business Logic Service (BLService.exe) 

• Sophos Patch Feed
• Sophos Patch Purge

Enterprise Console also uses the ‘database’ user to enable it to communicate with the Sophos Management Host service, which implements the web services on the management server. It is for this reason that when installing a remote console, the ‘database’ account is requested.

The account the Sophos Management Host service runs as should be the same user. It is therefore recommended that the account is a domain account when installing in a domain environment.

What permissions does it require?

The account must fulfill the following requirements:

• To log onto the computer where the Sophos Management Service resides.
• To log on with the 'Log on as a Service' service rights in order to run the services mentioned above.  The installer automatically grants these rights and therefore they do not need to be set up before installing.
• To read and write to the system temporary directory e.g., "\windows\temp\".  By default members of 'Users' have this right.
• To execute scheduled tasks. 
• To be a member of the Windows security group 'Sophos DB Admins'.  This account will be made part of 'Sophos DB Admins' during the installation.
• To be a member of the Windows security group 'Sophos Console Service Users'.  This account will be made part of 'Sophos Console Service Users' during the installation.
• Has a UPN associated with the account if the account is a domain account.  For further information see article 114036.
• It is not required to be an administrative account as long as the above conditions are met. 
• 'User must change password at next logon' is disabled.

It is strongly suggested that:

• The account is not set to expire or has any other logon restriction.
• The account is not administrative.
• The account is not changed after installation.
• You test logging on to the management server as this account.

Sophos Update Manager (SUM) account

Where is it used?

The SUM account is used in the default updating policies within Enterprise Console. It enables the clients to gain access to the distribution locations to perform updates.

What permissions does it require?

The account is required to provide clients read access to the distribution location share, by default: \\[servername]\SophosUpdate\.

It is strongly suggested that the account:

• Is not set to expire or has any other logon restriction.
• Is not administrative.
• Has a UPN associated with the account if the account is a domain account.  For further information see article: 114036.
• Only has Read & Execute access rights to the CIDs
• Must not have any elevated rights, including write access to the CIDs