In general, it is recommended to run the Snare agent as Local System or with a local administrative account. Some customers may want to run it with reduced permissions, but doing so reduces the agent features and capabilities that can be used. PLEASE NOTE THE IMPACTS BELOW.

For a non-admin user, the following additional steps are required to run the Snare Enterprise Agent.
This page is applicable to:

...

A restart of the Snare service is required after that.

THE FOLLOWING AREAS WILL BE IMPACTED BY RUNNING WITH REDUCED PERMISSIONS.

Furthermore, with a non-admin user, these settings from the General Configuration page will not work:

  • Allow SNARE to automatically set audit configuration? - the agent won't be able to enable audit settings on the host.

  • Use Advanced Auditing - the agent won't be able to control any of the advanced audit policies.

  • Including for 'Any event(s)' audit policies - the agent won't be able to enable audit settings on the host.

  • Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies? - the agent won't be able to control the audit subsystem.

  • Allow SNARE to automatically set max event log cache size - the agent won't be able to adjust the event log sizes.

  • Enable active USB auditing - the agent may not collect USB kernel events.

  • IIS Log Flushing? - the agent won't be able to force disk syncing, so file log data will be buffered in memory until Windows can sync it to disk. This delays the point at which the agent can see, collect and send the data.

Some additional caveats with running the agent using a custom service account:

  • The Snare agent can still collect Windows events for FAM and RAM if auditing is managed from Active Directory GPO or local policies.

  • If the service account does not have permissions to read other file locations, then the FIM functions that generate hashes and check file permissions of system files may not work as intended.

  • If the service account does not have permissions to read Registry keys, then the RIM functions that generate hashes and check the registry permissions of the registry keys and values may not work as intended.
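Because a reduced-permission agent cannot set audit policy or event log sizes itself, it is worth confirming that GPO or local policy has actually applied them. The following check is an added example, not part of the Snare documentation; the subcategory names (English-locale) and the size threshold are illustrative assumptions, and it is meant to be run by an administrator from an elevated prompt.

```powershell
# Added example. Values below are assumptions to adjust, not Snare requirements.
$requiredSubcategories = 'File System', 'Registry'   # needed for FAM/RAM events
$minSecurityLogBytes   = 128MB                       # illustrative threshold

# auditpol /r emits CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
$policy = auditpol.exe /get /category:* /r |
    Where-Object { $_ } |          # drop blank lines in the report
    ConvertFrom-Csv

$findings = foreach ($name in $requiredSubcategories) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Check  = "Audit subcategory: $name"
        Value  = $setting
        # Anything other than Success, Failure or both means no events are produced
        Passed = $setting -in 'Success', 'Failure', 'Success and Failure'
    }
}

# The agent cannot raise the log size, so confirm policy has already done so
$securityLog = Get-WinEvent -ListLog Security
$findings += [pscustomobject]@{
    Check  = 'Security log maximum size (bytes)'
    Value  = $securityLog.MaximumSizeInBytes
    Passed = $securityLog.MaximumSizeInBytes -ge $minSecurityLogBytes
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or deployment script flag the host
if ($findings.Passed -contains $false) { exit 1 }
```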