
RunAs Profile or Low Privileged Account

In general I would say it is easier (administratively) to use local system as the agent action account and use run as profiles to elevate permissions when needed (e.g. for SQL Server \ possibly AD replication). It is impossible to give a full answer as it varies by management pack and security requirements of different enterprises so there is no “correct” answer here.

When you install the agent you specify the action account. This is by default local system but you can specify a low privileged account – a Windows account with “minimal” permissions. Just be aware that many management packs do not support the use of low privileged accounts and even when they do, the term “low privilege” is actually very misleading. For instance with SQL Server, low privilege requires local Windows administrator and SQL sysadmin if you want all the functionality of the MP to work. Not exactly low privilege. Likewise for AD client monitoring – the “client” side of the check needs local Windows admin. You don’t gain anything by using a low privilege account in many situations. So in general I would leave the agent action account as local system. If you have a secure environment where permissions need to be tied down then you can look to use a low privilege account for those servers, but be careful what it is you are monitoring on the box.

With the agent running as local system you might find SQL discovery \ monitoring fails, as does AD monitoring \ replication monitoring. Again, it depends on how your environment is set up. If the login to SQL for built-in administrators and local system has been removed then running the agent action account as local system won’t work. So then you need to use a Run As profile configured as follows on R2:

  1. Go to Administration, Run As Configuration, Profiles
  2. SQL Server Discovery Account.
  3. Double Click SQL Server Discovery Account
  4. Click Next on the General Properties window
  5. Click Save on the Run As Accounts Window
  6. On the Completion Window, there will be a yellow warning triangle under “More Secure Run As Accounts”. Click on the hyperlink that states “SQL Monitoring Account”
  7. Next to Selected Computers, click ADD and add in the new SQL Server
  8. Click Save and Close
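The same steps can be scripted rather than clicked through. The block below is an added example, not from the original post: it uses the OperationsManager PowerShell module that ships with SCOM 2012 and later (the 2007 R2 snap-in the post refers to has different cmdlet names), and the management server name, the SQL Server name and the `SecureDistribution` property name on the distribution object are assumptions you should check against your own environment. The profile name “SQL Server Discovery Account” and the Run As account name “SQL Monitoring Account” are the ones used in the steps above. The point of step 2 is the security-relevant one: keeping the account “more secure” means its credentials are only pushed to the health service on the SQL Server you name, not to every agent in the management group.

```powershell
# Added example (not the post's own code): scripted equivalent of the Run As profile steps.
# Assumptions: SCOM 2012+ OperationsManager module; placeholder server names; the
# SecureDistribution property name on the Get-SCOMRunAsDistribution result.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "scom-ms01.example.local"   # placeholder management server

$profileName = "SQL Server Discovery Account"   # profile named in the post
$accountName = "SQL Monitoring Account"         # Run As account named in the post
$sqlServer   = "sql01.example.local"            # placeholder: the new SQL Server being added

$runAsProfile = Get-SCOMRunAsProfile -DisplayName $profileName
$runAsAccount = Get-SCOMRunAsAccount -Name $accountName
$agent        = Get-SCOMAgent -DNSHostName $sqlServer

# 1. Tie the account to the profile for this one computer only (its Windows Computer
#    instance), rather than for every object the profile targets.
$computer = Get-SCOMClass -Name "Microsoft.Windows.Computer" |
            Get-SCOMClassInstance |
            Where-Object { $_.DisplayName -eq $sqlServer }
Set-SCOMRunAsProfile -Action Add -Profile $runAsProfile -Account $runAsAccount -Instance $computer

# 2. Keep the account "more secure": distribute its credentials only to the health
#    services already listed plus this SQL Server (the yellow-triangle step in the wizard).
$dist    = Get-SCOMRunAsDistribution -RunAsAccount $runAsAccount
$targets = @($dist.SecureDistribution) + $agent   # assumption: SecureDistribution holds the current list
Set-SCOMRunAsDistribution -RunAsAccount $runAsAccount -Security MoreSecure -MoreSecureInclude $targets

# 3. Review: which health services now hold this account's credentials. Anything you
#    do not recognise here is a server that has a copy of the SQL sysadmin credential.
(Get-SCOMRunAsDistribution -RunAsAccount $runAsAccount).SecureDistribution |
    Select-Object DisplayName, HealthServiceId
```

Run this from an account with Operations Manager Administrator rights. Step 3 is worth repeating on its own periodically: a Run As account that has drifted to “less secure” distribution, or that is listed on agents it no longer needs to reach, is the thing to look for.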

If your company has a SQL DBA AD group that has local Windows rights to the SQL Servers and SQL sysadmin rights then I generally create the SQL Run As Account \ assign it to the Profile and make this account a member of that AD group. But as I’ve mentioned this depends on the environment.

On domain controllers you might need to run HSLockdown to allow local system to run scripts … or you might want to configure a separate Run As profile. It all depends …

Perhaps these 2 links will help:
http://technet.microsoft.com/en-us/library/bb735423.aspx
http://technet.microsoft.com/en-us/library/bb735419.aspx
