BigFix v10.0.8 credentials for MSSQL

Running BigFix v10.0.8 with the new 'ODBC Driver 17 for SQL Server ’ and a remote MSSQL server. I’m trying to switch BigFix to use AD Domain credentials when communicate with MSSQL server rather then the local MSSQL account it currently uses.

In the ODBC settings, everything AD seems to mention Azure which doesn’t seem to apply here. What is the correct way to reconfigure BigFix to use Active Directory credentials when connecting to MSSQL on v10.0.8?
image

“With Windows Integrated Authentication”.
The credential you use here in the wizard is only used to runt he connection test. For the services themselves, you’d change the “Log On As” account in the Services app, and (if changing an existing root that used SQL auth) remove the database credentials from the “BigFix\Enterprise Server” registry key (I’m afraid I can’t lookup the full value names at the moment though)

In the past, any credential changes used by BigFix Root to communicate with our MSSQL (using local MSSQL accounts)I made through the ODBC interfaces. Did the ODBC wizard then auto populate them in the BigFix HKLM registry key?

The BESRootServerService LogOnAs is the only method of having BES Root use domain creds for MSSQL connections?

As far as I know the ODBC wizard won’t populate the credentials in the keys that BigFix uses, but BESAdmin would do that (and runs as part of the server setup).

Using the “Log On As” for the Service is how we usually configure it. I won’t discount that there’s some other way to do it, maybe by tying a SQL login to a Windows account? That’s just not a configuration I’ve tried and wouldn’t recommend

The downside with this method that I see is it would require the domain account to be added to the local Administrators group on the BES Root Server for the service’s LogOnAs to work. Reducing attack vectors with less members in the LAG is a goal.

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_iem_odbc_configuration.html#c_iem_odbc_configuration__windows_examples talks about ODBC post 10.0.8 with Trusted_Connection=Yes means Windows Authentication (Domain?) but no where mentions where to enter the credentials.

Well, yes, with Windows Authentication the expectation is that the service can authenticate via Kerberos, which means the service is logged on with the Windows account to be used for authentication.

Using a Windows Account for the service does require adding it to the local Administrators group and granting it the “Log on as a service” right, but that actually is more secure in terms of attack surface. It doesn’t require any additional privileges on the Domain, only on the local machine, and a hypothetical exploit against BESRootServer would be worse with the LocalSystem account than with a local Administrator account.

That said, I have managed to configure SQL Server to accept a logon from a computer account by mapping to DOMAIN\COMPUTER$, but required specific configuration on the SQL Server’s rights (adding the computer to the “Access this computer from the network” right), and I don’t think it’s a supported configuration (i.e. it works but the Support team might not be able to help you troubleshoot if you have access problems because it’s an off-normal security configuration)