Running BES Services as domain users without local administrator rights

Our BigFix v10 environment runs on Windows 2019 using Active Directory service accounts and off-box SQL. To increase security through least privilege, I was attempting to lower the BigFix application service account from local administrators to local users (open to using other local groups if needed). This works fine for the off-box SQL, but for BigFix masters, some services will not start as a local user. Of course, running as local admin works perfectly fine.

Services that will start as domain\username in Local users
GatherDB
BESWebUI

Services that fail to start as domain\username in Local users
FillDB
BESRootServer
BESWebReportsServer


Anyone have documentation, root cause ideas, or knowledge of required changes to address this, and/or potential issues we will have even if we solve running as a local user?

I don’t know that we support such a configuration, and haven’t tried it myself.
At minimum you’d have to grant the account write permissions to the install paths under Program Files (x86), and the Registry paths – by default, standard Users can’t write to any of those.

I’m afraid you’re in for a trial of finding and updating permissions on a lot of paths that are writable by Administrators but not by standard Users.


In addition to the filesystem and registry permissions, some of these services leverage low-numbered ports which might be restricted to only those in the administrators group or otherwise permitted to bind to those ports. Also, make sure the group you are putting them in has the rights to logon as a service.

Your best way to get this working is to run procmon (available from the Microsoft Sysinternals site) and watch the processes when they try to start, as well as looking in your Windows Event Log for errors. Between the two, you should be able to locate any easy-to-correct blocks.

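The steps the two replies describe (grant the account write access to the install and registry paths, confirm it holds "Log on as a service", then start the services and read the Service Control Manager errors) can be scripted. The following PowerShell is an added example written for this thread; it is not BigFix's own tooling and the account name, install directory and registry key are placeholders that must be replaced with your environment's values. It grants the narrowest rights that still allow writes (Modify on the folder, ReadKey plus WriteKey on the registry key) rather than Full Control, in keeping with the least-privilege goal of the original post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from BigFix): prepare a non-admin
# service account and collect the evidence the replies suggest looking at.
param(
    [string]$Account      = 'DOMAIN\svc_bigfix',                          # placeholder
    [string]$InstallPath  = 'C:\Program Files (x86)\<BigFixInstallDir>',  # placeholder
    [string]$RegistryPath = 'HKLM:\SOFTWARE\WOW6432Node\<BigFixKey>',     # placeholder
    # Service names as the thread lists them; confirm against services.msc.
    [string[]]$Services   = @('FillDB','BESRootServer','BESWebReportsServer','GatherDB','BESWebUI')
)

# Folder: Modify (read/write/create/delete) inherited by files and subfolders.
function Grant-PathModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Registry: ReadKey + WriteKey (set values, create subkeys) rather than FullControl.
function Grant-RegistryWrite {
    param([string]$KeyPath, [string]$Identity)
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# "Log on as a service" (SeServiceLogonRight) as exported by secedit. This only
# sees the account or group named directly in the policy; if the right is held
# through a group, pass that group's name instead.
function Test-ServiceLogonRight {
    param([string]$Identity)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    $tmp = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    # secedit lists SIDs as *S-1-..., and some principals by name.
    return [bool]($line -and ($line -like "*`*$sid*" -or $line -like "*$Identity*"))
}

# Service Control Manager events: 7000 = failed to start, 7041 = logon failure
# (the classic symptom of a missing "Log on as a service" right).
function Get-ServiceStartFailures {
    param([string[]]$Names, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7041; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $msg = $_.Message; ($Names | Where-Object { $msg -like "*$_*" }) } |
        Select-Object TimeCreated, Id, Message
}

Grant-PathModify    -Path    $InstallPath  -Identity $Account
Grant-RegistryWrite -KeyPath $RegistryPath -Identity $Account

if (-not (Test-ServiceLogonRight -Identity $Account)) {
    Write-Warning "$Account is not listed under SeServiceLogonRight; grant 'Log on as a service' via secpol.msc or GPO."
}

foreach ($svc in $Services) {
    try   { Start-Service -Name $svc -ErrorAction Stop; Write-Host "$svc started" }
    catch { Write-Warning "$svc failed to start: $($_.Exception.Message)" }
}

# Anything still failing: pair these events with a procmon capture filtered on
# Result = ACCESS DENIED for the service's process to find the remaining paths.
Get-ServiceStartFailures -Names $Services | Format-Table -AutoSize -Wrap
```

Run it once per BigFix server from an elevated prompt after replacing the placeholders; rerun the last two blocks alone after each permission change to see which services still fail and why.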