
In general, it is recommended to run the Snare agent as Local System or a local administrative account. Some customers may want to run it with reduced permissions, but doing so removes some of the agent features and capabilities that are usable. PLEASE NOTE THE IMPACTS BELOW.

For a non-admin user, the following additional steps are required to run the Snare Enterprise Agent.
This page applies to:

  • Snare Enterprise Agent for Windows

  • Snare Enterprise Agent for Windows Desktop

  • Snare Enterprise Agent for Windows with Event Collection (WEC)

Prior to installation

  • Grant the non-admin service account the "Log on as a Service" right. Details are given here: https://learn.microsoft.com/en-us/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2022

  • Make the non-admin service account a member of the Event Log Readers group.

  • Grant Full Permissions on the following registry keys:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\System
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My


After installation

Grant Full Permissions on the following registry key for Snare Enterprise and Snare Desktop:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService

Grant Full Permissions on the following registry key for Snare WEC:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\SnareWEC

A restart of the Snare service is required after this change.
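The pre- and post-installation steps above, as an added PowerShell example that is not part of the Snare documentation. The account name 'DOMAIN\svc-snare' and service name 'Snare' are placeholders; the "Log on as a Service" right is only verified, not granted, because the page defers granting it to the linked Microsoft article. Run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Snare documentation: applies the permissions this page lists
# to a non-admin service account. The account and service names below are placeholders.
param(
    [string]$ServiceAccount   = 'DOMAIN\svc-snare',   # placeholder account
    [string]$SnareServiceName = 'Snare',              # placeholder; confirm with Get-Service
    [switch]$Wec                                      # agent with Event Collection (WEC)
)
# Pre-installation keys listed on the page (HKLM hive in PowerShell drive syntax)
$preKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\My'
)
# Post-installation key depends on the agent edition
$postKey = 'HKLM:\SOFTWARE\InterSect Alliance\AuditService'
if ($Wec) { $postKey = 'HKLM:\SOFTWARE\InterSect Alliance\SnareWEC' }

function Grant-RegistryFullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Event Log Readers membership (Add-LocalGroupMember: Windows 10 / Server 2016 and later)
Add-LocalGroupMember -Group 'Event Log Readers' -Member $ServiceAccount -ErrorAction SilentlyContinue

# 2. Full permissions on the pre-installation keys
foreach ($k in $preKeys) { Grant-RegistryFullControl -Path $k -Identity $ServiceAccount }

# 3. Post-installation key exists only once the agent is installed; the page requires a
#    service restart after this change
if (Test-Path $postKey) {
    Grant-RegistryFullControl -Path $postKey -Identity $ServiceAccount
    Restart-Service -Name $SnareServiceName
}

# 4. Verify "Log on as a Service" (SeServiceLogonRight), granted per the linked Microsoft
#    article: export the local security policy and look for the account's SID in it.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
"Log on as a Service granted to ${ServiceAccount}: $([bool]($right -and $right.Line -like "*$sid*"))"
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Re-run the final check after granting the right through the linked article; a result of False means the service will fail to start under that account.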

THE FOLLOWING AREAS WILL BE IMPACTED WHEN RUNNING WITH REDUCED PERMISSIONS.

Furthermore, with a non-admin user, the following settings on the General Configuration page will not work:

  • Allow SNARE to automatically set audit configuration? - the agent won't be able to enable audit settings on the host.

  • Use Advanced Auditing - the agent won't be able to control any of the advanced audit policies.

  • Including for 'Any event(s)' audit policies - the agent won't be able to enable audit settings on the host.

  • Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies? - the agent won't be able to control the audit subsystem.

  • Allow SNARE to automatically set max event log cache size - the agent won't be able to adjust the event log sizes.

  • Enable active USB auditing - the agent may not collect USB kernel events.

  • IIS Log Flushing? - the agent won't be able to force disk syncing, so file log data will be buffered in memory until Windows syncs it to disk, delaying when the agent can see the data to collect and send it.

Some additional caveats when running the agent under a custom service account:

  • The Snare agent can still collect Windows events for FAM and RAM if auditing is managed from Active Directory GPO or local policies.

  • If the service account does not have permission to read other file locations, FIM functions may not work as intended: the agent may be unable to generate hashes or check the file permissions of system files.

  • If the service account does not have permission to read registry keys, RIM functions may not work as intended: the agent may be unable to generate hashes or check the registry permissions of the registry keys and values.
