Appendix H - Running Snare Agent with Non-admin Service Account
In general it is recommended to run the Snare agent as Local System or as a local administrative account. Some customers may nevertheless want to run it with reduced permissions; doing so reduces the agent features and capabilities that are usable. PLEASE NOTE THE IMPACTS BELOW.
For a non-admin user, the following additional steps are required to run the Snare Enterprise Agent.
This page is applicable to:
Snare Enterprise Agent for Windows
Snare Enterprise Agent for Windows Desktop
Snare Enterprise Agent for Windows with Event Collection (WEC)
Prior to installation
Grant the non-admin service account the "Log on as a service" right. The details are given here: https://learn.microsoft.com/en-us/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2022
Make the non-admin service account a member of the Event Log Readers group.
Grant Full Control (full permissions) on the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My
After installation
Grant Full Control (full permissions) on the following registry key for Snare Enterprise and Snare Desktop:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService
Grant Full Control (full permissions) on the following registry key for Snare WEC:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\SnareWEC
If the Snare Agent's configuration is managed via a Group Policy (GPO), grant the service account at least Read permissions on the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\InterSect Alliance\AuditService
If the Agent Web UI is not accessible, it may be necessary to find the Snare Agent self-signed certificate in the Local Computer > Personal certificate store and grant the service account access to this certificate.
To find the certificate in use by the Agent, cross-reference the certificate thumbprint with the value stored in HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Certificate\WebCertId in the Windows registry.
A restart of the Snare service is required after these changes.
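The following PowerShell script is an added example, not part of the Snare documentation or the Snare installer: it applies the pre- and post-installation steps above on one host, so the result can be repeated on a fleet rather than clicked through in regedit and secpol.msc. The account name, the script parameters and the service-name lookup are assumptions; it also assumes the account already exists, the agent is already installed, the WebCertId value holds the certificate's hex thumbprint, and that granting the account NTFS Read on the private key container file is what "access to this certificate" requires. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Snare documentation. Applies the pre- and
# post-installation steps for a non-admin Snare service account on the local host.
# Assumptions: the account already exists, the agent is already installed, and the
# WebCertId registry value holds the hex thumbprint of the Web UI certificate.
param(
    [string]$Account = "$env:COMPUTERNAME\svc-snare",   # assumed account name; change to yours
    [ValidateSet('AuditService', 'SnareWEC')]
    [string]$Product = 'AuditService',                  # AuditService: Enterprise/Desktop; SnareWEC: WEC
    [switch]$GpoManaged                                 # set when agent configuration comes from a GPO
)
$ErrorActionPreference = 'Stop'
$sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

# 1. "Log on as a service" (SeServiceLogonRight): export the local policy with secedit,
#    add the account SID to the right if it is not already listed, and import it back.
function Grant-ServiceLogonRight([System.Security.Principal.SecurityIdentifier]$Sid) {
    $inf = Join-Path $env:TEMP 'snare-rights.inf'
    $db  = Join-Path $env:TEMP 'snare-rights.sdb'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $cfg  = Get-Content -LiteralPath $inf
    $line = $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    if ($line -and $line -match [regex]::Escape("*$($Sid.Value)")) { return }   # already granted
    if ($line) {
        $cfg = $cfg -replace [regex]::Escape($line), "$line,*$($Sid.Value)"
    } else {
        $cfg = $cfg -replace [regex]::Escape('[Privilege Rights]'), "[Privilege Rights]`r`nSeServiceLogonRight = *$($Sid.Value)"
    }
    Set-Content -LiteralPath $inf -Value $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item -LiteralPath $inf, $db -ErrorAction SilentlyContinue
}
Grant-ServiceLogonRight $sid

# 2. Event Log Readers membership (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016+).
$readers = Get-LocalGroupMember -Group 'Event Log Readers'
if (-not ($readers | Where-Object { $_.SID -eq $sid })) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $Account
}

# 3. Registry ACLs: Full Control on the event log, certificate store and agent keys;
#    Read on the policy key when configuration is delivered by GPO.
function Grant-RegistryRight([string]$Key, [System.Security.Principal.SecurityIdentifier]$Sid,
                             [System.Security.AccessControl.RegistryRights]$Rights) {
    if (-not (Test-Path -LiteralPath $Key)) { Write-Warning "Key not found, skipping: $Key"; return }
    $acl  = Get-Acl -LiteralPath $Key
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Key -AclObject $acl
}
$fullControlKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\My',
    "HKLM:\SOFTWARE\InterSect Alliance\$Product"
)
foreach ($key in $fullControlKeys) { Grant-RegistryRight $key $sid 'FullControl' }
if ($GpoManaged) { Grant-RegistryRight 'HKLM:\SOFTWARE\Policies\InterSect Alliance\AuditService' $sid 'ReadKey' }

# 4. Web UI certificate: find it in LocalMachine\My by the thumbprint stored in WebCertId and
#    grant the account Read on the private key container file. (NTFS Read on that file is the
#    usual way to let a non-admin account use a machine-store private key; assumed to apply here.
#    RSA keys only; an ECDSA certificate would need the ECDsa equivalent.)
$certKey = 'HKLM:\SOFTWARE\InterSect Alliance\AuditService\Certificate'
$thumb   = (Get-ItemProperty -LiteralPath $certKey -Name WebCertId -ErrorAction SilentlyContinue).WebCertId
$cert    = if ($thumb) { Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq (($thumb -replace '[^0-9A-Fa-f]', '').ToUpper()) }
if ($cert -and $cert.HasPrivateKey) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)   # $null for non-RSA keys
    $keyFile = $null
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName                                     # CNG key
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI key
    }
    if ($keyFile -and (Test-Path -LiteralPath $keyFile)) {
        $acl = Get-Acl -LiteralPath $keyFile
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($sid, 'Read', 'Allow'))
        Set-Acl -LiteralPath $keyFile -AclObject $acl
    }
}

# 5. Restart the agent service so the new rights take effect. The service name is not
#    assumed here; find it with:  Get-Service -DisplayName '*Snare*'
```

The script only grants rights; switching the service's Log On account to this user is done in services.msc or sc.exe config and is not part of it. Step 4 is skipped silently when WebCertId is absent or the key has no local container file, which is the case to check first if the Web UI still refuses to start.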
THE FOLLOWING AREAS WILL BE IMPACTED WHEN RUNNING WITH REDUCED PERMISSIONS.
Furthermore, with a non-admin user, these settings from the General Configuration page will not work:
Allow SNARE to automatically set audit configuration? - the agent won't be able to enable audit settings on the host.
Use Advanced Auditing - the agent won't be able to control any of the advanced audit policies.
Including for 'Any event(s)' audit policies - the agent won't be able to enable audit settings on the host.
Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies? - the agent won't be able to control the audit subsystem.
Allow SNARE to automatically set max event log cache size - the agent won't be able to adjust the event log sizes.
Enable active USB auditing - the agent may not collect USB kernel events.
IIS Log Flushing? - the agent won't be able to force disk syncing, so file log data will stay buffered in memory until Windows syncs it to disk, delaying when the agent can see, collect and send the data.
Some additional caveats when running the agent under a custom service account:
The Snare agent can still collect Windows events for FAM and RAM if the object auditing is configured from an Active Directory GPO or local policy rather than by the agent.
If the service account does not have permission to read other file locations, FIM functions may not work as intended: the agent will be unable to generate hashes of, or check the permissions of, system files it cannot read.
If the service account does not have permission to read registry keys, RIM functions may likewise not work as intended: the agent will be unable to generate hashes of, or check the permissions of, the registry keys and values it cannot read.