Overview

During the installation of the Enterprise Console, you are required to enter a username and password for two Windows accounts. These accounts are not automatically created by the installer and therefore must be manually created. Once created, you can then enter the username and the associated password for both accounts into the Enterprise Console installer.

This article contains information regarding these Windows user accounts, why they are required, how to create them and also how they are used.

Note: If you are installing just the Management Console component to a computer, such as a remote Enterprise Console, the account requested during the installation should be the same as the account the Sophos Management Host service is running as on the Sophos management server. This is referenced as SophosManagement in this article.

The following sections are covered:

• Why two accounts are required
• What to do
  • Step one: Determine which type of account to create.
  • Step two: Create the accounts.
    • Domain environment
    • Workgroup environment
• Technical information
  • Database account
  • Sophos Update Manager account
• Related information
• Feedback and contact

Applies to the following Sophos products and versions
Enterprise Console

Why two accounts are required

Your Sophos management server requires two accounts to be used. One account is used to run a number of services and provide access to the database and the other is used to enable the clients to update from the SophosUpdate share on the server.

Note: The Sophos Update Manager or SUM is a component of the Sophos management server that downloads the software and the Anti-Virus protection updates from the Sophos servers.

We recommend creating two accounts for each role using the following account names:

• SophosManagement for the services and database account.
• SophosUpdateMgr for the SUM account.

If your management server is in a domain environment, we recommend that these are domain accounts. On the other hand, if it is part of a workgroup, these should be local accounts on the management server.

Note: Prior to Enterprise Console 5.x, the database account was not required when all components (e.g., console, database, SUM) were installed on the same server. If you are upgrading to Enterprise Console 5.x from a previous version we recommend you create a new database account for this purpose.

What to do

Step one: Determine which type of account to create.

1. On the computer where the Enterprise Console is to be installed, press the Windows key > open the Run window > type sysdm.cpl > press the Enter key.
2. Click on the Change... button.
3. Check whether the Domain or Workgroup is selected.

If the computer is a member of a Domain, it is recommended to create domain accounts on the domain controller computer. However, it is also possible to create the accounts on the local server that is not the domain controller but it is not recommended.

On the other hand, if the computer is a member of a Workgroup, you should create local accounts.

Step two: Create the accounts.

Depending on the environment that you have as described previously, follow the appropriate section below:

Domain environment

1. On the Domain Controller, open the Active Directory Users and Computers window by going to: Start > Run > type dsa.msc > press the Enter key.
2. Right-click on the Users tree node on the left and select New > User.
3. Fill the new user account details in New Object - User dialog box:
   First name: SophosManagement
   User logon name: SophosManagement
4. Click Next.
5. Enter a strong password for the account that meets the complexity of the domain.
6. Uncheck the options User must change password at next logon and the Account is disabled.
7. Check the options User cannot change the password and the Password never expires.
   
8. Click Next and then Finish.
9. Repeat the steps to create the second account SophosUpdateMgr. Change the values of step 3 to SophosUpdateMgr for both the First name and User logon name.
   

Workgroup environment

1. Open the Local users and group window by going to Start > Run > type lusrmgr.msc > press the Enter the key.
2. Right-click on the Users tree node on the left and select New > User.
3. Fill the new user account details in New User dialog box:
   User name: SophosManagement
   User logon name: SophosManagement
4. Enter a password for the user that meets the complexity of the computer.
5. Uncheck the options User must change password at next logon and the Account is disabled.
6. Check the options User cannot change the password and the Password never expires.
   
7. Click Create.
8. Repeat steps to create the second account SophosUpdateMgr. Change the values of step 3 to SophosUpdateMgr for both the User name and User logon name.

Technical information

The additional detailed information below is provided for the advanced user who would like to know how the accounts are used.

Database account

Where is it used?

The database account is used by the Sophos Management Service (the process name is mgntsvc.exe) to connect to the database. During installation, the account is written to the key shown below for the Sophos Management Service to use when connecting to the database.

• 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools\DatabaseUser\
• 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser\

Note: 

• From Enterprise Console 5.5.2 the database account is no longer written to this registry location. It is now saved as part of the Sophos Credential Store.
• The password for the account is obfuscated in the registry.  If you need to change the account or password, it is recommended to re-run the installer (e.g. C:\sec_551\ServerInstaller\setup.exe) to reconfigure the system.
• For advanced distributed installations, where only the database component is selected, the installer also requests the database account. The database account will be added to the Windows group Sophos DB Admins also created by the installer in order to give this account access to the database. This same database account should be selected when installing the management server component to enable the management server to access the database. If you choose to create local accounts, for example, you are using a workgroup, the account names and passwords must match.

The following Sophos services (if they exist) are also set to log on as this account:

• Sophos Management Host (Sophos.FrontEnd.Service.exe)
• Sophos Patch Endpoint Communicator (PatchEndpointCommunicator.exe)
• Sophos Patch Endpoint Orchestrator (PatchEndpointOrchestrator.exe)
• Sophos Patch Server Communicator (PatchServerCommunicator.exe)
• Sophos Encryption Business Logic Service (BLService.exe) 

• Sophos Patch Feed
• Sophos Patch Purge

Enterprise Console also uses the database user to enable it to communicate with the Sophos Management Host service, which implements the web services on the management server. It is for this reason that when installing a remote console, the database account is requested.

The account the Sophos Management Host service runs as should be the same user. It is therefore recommended that the account is a domain account when installing in a domain environment.

What permissions does it require?

The account must fulfill the following requirements:

• To log onto the computer where the Sophos Management Service resides.
• To log on with the Log on as a Service service rights in order to run the services mentioned above.  The installer automatically grants these rights and therefore they do not need to be set up before installing.
• To read and write to the system temporary directory such as C:\Windows\Temp\. By default members of Users have this right.
• To execute the scheduled tasks. 
• To be a member of the Windows security group Sophos DB Admins.  This account will be made part of Sophos DB Admins during the installation.
• To be a member of the Windows security group Sophos Console Service Users.  This account will be made part of Sophos Console Service Users during the installation.
• Should have a UPN associated with the account if the account is a domain account.  For further information see article 114036.
• It is not required to be an administrative account as long as the above conditions are met. 
• User must change password at next logon is disabled.

It is strongly suggested that:

• The account is not set to expire or has any other logon restriction.
• The account is not administrative.
• The account is not changed after installation.
• You test logging on to the management server as this account.

Sophos Update Manager account

Where is it used?

The SUM account is used in the default updating policies within Enterprise Console. It enables the clients to gain access to the distribution locations to perform updates.

What permissions does it require?

The account is required to provide clients read access to the distribution location share, by default: \\[servername]\SophosUpdate\.

It is strongly suggested that the account:

• Is not set to expire or has any other logon restriction.
• Is not administrative.
• Has a UPN associated with the account if the account is a domain account. For further information see article: 114036.
• Only has Read & Execute access rights to the CIDs
• Must not have any elevated rights, including write access to the CIDs

Related information

• The user account provided does not have access to the database. Please change the account or add the account to the Sophos DB Admin group before continuing.

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.