Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 3899 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can I disable/delete Sophos Domain-Accounts "SophosEmLibUser1" and "SophosEndpointUpdate"

Snaker

Hi guys,

 

I am currently running a cleanup on my Active Directory and looking for domain accounts with too many rights which I can disable (security risks e. g. account can be delegated or password never expires). And SEC creates a lot of groups and users :D For example there's a "SophosSAU<servername>aaa" for each domain controller (description: to download sophos-updates > password never expires). I think because it's not possible to create local admins on a DC, fair enough.

 

But there are two accounts with builtin administrator-rights and I am not able to find any documentation about this accounts:

SophosEmLibUser1 (password never expires, can be delegated, member of builtin groups "Administrators", "SophosAdministrator" and also "Domain-user", description "Sophos EM Library Account")

SophosEndpointUpdate (password never expires, can be delegated, member of builtin groups "Administrators" and "Users" and also "Domain-user", description "Sophos AutoUpdate Account")

Are this old accounts and are they save to delete/disable? I think they were created at a inital installation of sophos EC in the AD. Where should I look if they are used by some services?

I used process explorer to take a look if there's any service on the SEC server that uses one of the accounts, but most of the services runs as local service oor system-account. Some parts are running on a sophos-user I created at the last move of SEC to a new server (Sophos.FrontEnd.Service.exe, PatchServerCommunicator.exe, PatchEndpointOrchestrator.exe and PatchEndpointCommunicator.exe).

Maybe one of them is used to install the clientpart? But why do I have to type in administration-credentials of the client where i want to install Sophos Endpoint Security? And Sophos Update Manager seems to run on a local account on the SEC server named "SophosUpdate".

I hope someone can help me with this two accounts :)

 

Best regards, Toby

 

PS: running on SEC 5.5.1



This thread was automatically locked due to age.
Parents
  • +1

    Hello Toby,

    easy things first: For the SophosSAU<servername>aaa accounts please see What is the SophosSAU account? As you have the latest SEC version only these two accounts are required.

    By default whatever account has been set for the SUM Account is used in the updating policies. Of course if updating policies have been migrated (likely) they might use on "old" account. Shouldn't be too hard to check unless you have lots of updating policies.

    two accounts with builtin administrator-rights
    in the age of EM Library and Enterprise Manager only the Enterprise Manager account (EM) had to be a member of the Administrators group, in addition it required the Logon as a Service right. This was back in the time of NT4 and Windows 2000 and has long since been changed, the architecture has been redesigned with the introduction of SUM. No other account (notably the one used for updating Sophos on the endpoints) ever needed administrative rights.
    These two (bold) accounts are things from the past, unless still in use by a policy you can safely remove them (the prudent approach is to disable them and check if something breaks).

    Sophos Update Manager
    normally runs a Local System.

    used to install the clientpart?
    Please see How the Protect Computers Wizard performs an installation. Of course you need administrative rights to install (system) software on an endpoint. SEC doesn't store any account that requires administrative rights though.

    Christian

Reply
  • +1

    Hello Toby,

    easy things first: For the SophosSAU<servername>aaa accounts please see What is the SophosSAU account? As you have the latest SEC version only these two accounts are required.

    By default whatever account has been set for the SUM Account is used in the updating policies. Of course if updating policies have been migrated (likely) they might use on "old" account. Shouldn't be too hard to check unless you have lots of updating policies.

    two accounts with builtin administrator-rights
    in the age of EM Library and Enterprise Manager only the Enterprise Manager account (EM) had to be a member of the Administrators group, in addition it required the Logon as a Service right. This was back in the time of NT4 and Windows 2000 and has long since been changed, the architecture has been redesigned with the introduction of SUM. No other account (notably the one used for updating Sophos on the endpoints) ever needed administrative rights.
    These two (bold) accounts are things from the past, unless still in use by a policy you can safely remove them (the prudent approach is to disable them and check if something breaks).

    Sophos Update Manager
    normally runs a Local System.

    used to install the clientpart?
    Please see How the Protect Computers Wizard performs an installation. Of course you need administrative rights to install (system) software on an endpoint. SEC doesn't store any account that requires administrative rights though.

    Christian

Children
  • 0 in reply to QC

    Hi QC,

    thank you very much for your very fast reply :) I'll take a look in your referenced articels about SAU-accounts.

    I moved the SEC installation about a year ago und did everything like it was described in the documentation. I created new accounts with the lowest rights and didn't use the old accounts. But I also moved "the installation" and so I am not 100% sure if there's an old account integrated. But if I understand it right, chances are very low. I did it as you suggested and disabled the both accounts and wait if something crashes ;)

     

    Thank you again for your help

Unfiltered HTML