

LUA for STAS service account

I understand that STAS is watching the Security log on a DC from a remote machine in order to map users to IP addresses. Typically, you have to be a member of Administrators to read the Security log. On a DC, that means you have to be a member of Domain Admins. Using a Domain Admin account for a service account is a security worst practice.

I was unable to locate any documentation on the Sophos website for creating a service account that had only the minimal permissions needed for this, but I found that Juniper has recommendations for their equivalent of STAS that sound like they could work for STAS:

https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/nt291/Windows%202008_2012%20non-admin%20for%20event%20log%20query.pdf

If I do steps 1-5 in that article, will that provide the permissions needed for a STAS service account? Will Sophos consider writing a similar article for their KB?

Thanks!



  • FormerMember

    Hi IT IT7, 

    The minimum permissions required for a non-administrator domain account to install and configure STAS are Execute method and Remote Enable. You have to allow those two permissions to the user. 

    Thanks,

  • I'm not asking about install or config permissions; I've no concerns with elevating to do that.

    I'm asking about the least permissions the STAS service account needs in order to query WMI and read the Security log on the DC (or any other activity it needs to do in the course of operation). It's the service account that I don't want to make a member of Domain Admins.

    That's what the Juniper article was about.
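The procedure the question asks about, as an added example in PowerShell. It is not code from the original thread, from Sophos, or from the Juniper article, and it does not establish what STAS itself needs at runtime (the thread never settles that). It shows the generic least-privilege configuration for a domain account that reads the Security log and queries the root\cimv2 WMI namespace on a DC remotely: read access to event logs through the built-in Event Log Readers group, remote DCOM activation through Distributed COM Users, and an explicit namespace ACE carrying the Enable Account, Execute Methods and Remote Enable rights, plus a check run from the collector host. The domain CONTOSO, the account svc-stas and the host dc01.contoso.local are assumed names.

```powershell
# Added example; not from the original thread, Sophos or the Juniper article.
# Goal: a plain domain user that can read the Security log and query WMI on a
# DC remotely, with no Domain Admins (or any other admin group) membership.
# ASSUMPTIONS (hypothetical names): domain CONTOSO, account svc-stas, DC dc01.
# Steps 1-3 run once ON THE DC as an administrator; step 4 runs from the
# collector host in a session started as the service account.

$Domain    = 'CONTOSO'
$User      = 'svc-stas'
$Namespace = 'root\cimv2'     # where the Win32_* classes live

# 1. Remote Security log reads. The built-in 'Event Log Readers' group holds
#    read access to every event log, Security included. On a DC it lives in
#    the Builtin container, so it is managed with the AD cmdlets.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $User

# 2. Remote DCOM activation. WMI is carried over DCOM; 'Distributed COM Users'
#    grants Remote Launch/Activation without loosening the machine-wide limits.
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $User

# 3. WMI namespace permissions. Rights are the WBEM_* bits from wbemcli.h:
#    Enable Account (0x1), Execute Methods (0x2), Remote Enable (0x20).
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20
$CONTAINER_INHERIT   = 0x2    # ACE flag: sub-namespaces inherit the entry

$account = New-Object System.Security.Principal.NTAccount($Domain, $User)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# __SystemSecurity is the singleton that exposes a namespace's DACL.
$target = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$sd     = (Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = 0           # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the allow ACE and write the descriptor back; 0 means success.
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$result = Invoke-WmiMethod @target -Name SetSecurityDescriptor `
              -ArgumentList $sd.PSObject.ImmediateBaseObject
if ($result.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor on $Namespace failed: $($result.ReturnValue)"
}

# 4. Verification, run FROM THE COLLECTOR HOST as CONTOSO\svc-stas
#    (e.g. runas /user:CONTOSO\svc-stas powershell). Both calls must succeed
#    even though the account is in no administrative group.
function Test-StasReaderAccess {
    param([string]$DC = 'dc01.contoso.local')   # assumed hostname

    # Remote event log read over RPC; needs the DC's 'Remote Event Log
    # Management' firewall rule group enabled. 4624 = logon success.
    Get-WinEvent -ComputerName $DC -MaxEvents 5 `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        Select-Object TimeCreated, Id

    # Remote WMI query against the namespace granted in step 3.
    Get-WmiObject -ComputerName $DC -Namespace $Namespace -Class Win32_ComputerSystem |
        Select-Object Name, Domain
}
```

If the event query fails with an RPC error, the DC firewall (the Remote Event Log Management rule group) is the usual cause rather than permissions; if the WMI call returns access denied, inspect the namespace ACL in wmimgmt.msc and confirm the ACE landed on root\cimv2. Because the ACE is added with CONTAINER_INHERIT, namespaces below root\cimv2 inherit it; if the product turns out to read a different namespace, change $Namespace rather than widening the rights.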
