Endpoint Protection

  • 1.  Service Accounts for SEP and SEPM

    Posted Jun 20, 2013 02:52 PM

    Hi

    I am being told by my Active Directory guy that we cannot just install SEP (and the SEPM) and have it run as SYSTEM or Domain Admin. They are telling me that we must use a service account. Which is fair enough; from a security standpoint, I fully appreciate where they are coming from.

    The problem is that I can find very little in relation to SEP and service accounts. Everything in the manuals and forums suggests that the services must run as SYSTEM and that you must use a Domain Admin account to install the software and use features such as remote push. As stated above, numerous people in my organisation (including me, if I'm honest) aren't happy with that.

    Is this correct? Can we not use service accounts?

    Is there a best practice document or something that describes what accounts you must use?

    Thanks in advance

    D.



  • 2.  RE: Service Accounts for SEP and SEPM
    Best Answer

    Posted Jun 20, 2013 02:56 PM

    You need admin rights to install so unless the service account has admin rights, you will run into some trouble.



  • 3.  RE: Service Accounts for SEP and SEPM

    Posted Jun 20, 2013 03:03 PM


    To push the client software, you should use a domain administrative account if the client computer is part of an Active Directory domain. Remote Push Installation requires elevated privileges. Any account which has this level of access will work.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55065



  • 4.  RE: Service Accounts for SEP and SEPM

    Posted Jun 20, 2013 03:29 PM

    Thanks for the quick response. One thing I love about these forums!

    Saying that you need admin rights or domain admin rights is fair enough, but I know my AD guys are going to push back and ask what actual permissions I need. And I have to say, I probably agree with them.

    It's too easy (and I've seen it time and time again) for software suppliers etc. to simply state you need admin or domain admin for their software to work. Why? Because admin is essentially access to everything and it just works. Why would you not just ask for that?

    Security-wise, we're slowly moving to a position where admins should not even be logging on to workstations or servers using admin accounts for various reasons, notwithstanding the whole "Pass the Hash" issue. And the same is true of applications and services. Compromise an application or service running as Admin and you essentially own the machine. Hence the whole reason for service accounts: to try and limit such possibilities.

    Do you know if there is anything in relation to SEP that is more detailed in terms of what permissions it requires, other than just 'Admin'?




  • 5.  RE: Service Accounts for SEP and SEPM

    Posted Jun 20, 2013 03:46 PM

    Should have access to the c$ admin share.


    The Symantec Endpoint Protection Manager requires access to the system registry for installation and normal operation.


    This explains all the rights:

    Troubleshooting Symantec Endpoint Protection installations: Checking rights and permissions

    http://www.symantec.com/business/support/index?page=content&id=TECH141644


  • 6.  RE: Service Accounts for SEP and SEPM

    Posted Jun 20, 2013 04:00 PM

    Hello dhsgaile,

    Unfortunately, I haven't seen any documentation along the lines of what you're looking for in my time supporting the product.

    You might send the forum user Paul Murgatroyd a PM (https://www-secure.symantec.com/connect/user/paul-murgatroyd) and see if he knows of anything I may have missed.

    Regards,

    James



  • 7.  RE: Service Accounts for SEP and SEPM

    Posted Jun 26, 2013 11:40 AM

    I think I'll just insist on using a domain admin to install the software. From the documentation I've seen, SEP services need to run as SYSTEM.

    Running it as something else will probably cause a support headache if we ever need to involve Symantec support.




  • 8.  RE: Service Accounts for SEP and SEPM

    Posted Jul 26, 2013 03:24 PM

    I'm going through this same issue with several pieces of software. If managed service accounts are not supported by the software, the recommendation from Microsoft is to create a domain account specific to the software, i.e. "SEPManager" or some such name. Give it a good password, and change it from time to time. That way, if you see repeated authentications to your workstations with your monitoring platform (if/when you get one), you'll have some kind of clue as to what's happening. Otherwise, you'd see a bunch of authentication events for "Administrator" or dhsgaile, and it wouldn't be quite as easy to figure out.


    I realize this is about a month too late for you, but perhaps it might help someone in the future.


    Kilgore
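The monitoring angle in the last reply, as an added example that is not part of the thread or of any Symantec tooling: once the push-install account is a dedicated one such as "SEPManager", its logons can be separated from interactive admin use, and a network logon from anywhere other than the SEPM host (or an interactive logon at all) becomes a reviewable event. The event lines, host names, IPs and the account name are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on a flattened export of Windows
# Security event 4624 (successful logon). Hosts, IPs and the account
# name "SEPManager" are assumptions, not values from the thread.
SAMPLE_EVENTS = """\
4624 2013-06-20T14:52:01 Account=CORP\\SEPManager LogonType=3 Workstation=WS-0101 Source=10.0.5.20
4624 2013-06-20T14:52:03 Account=CORP\\SEPManager LogonType=3 Workstation=WS-0102 Source=10.0.5.20
4624 2013-06-20T14:53:10 Account=CORP\\Administrator LogonType=10 Workstation=FS-01 Source=10.0.9.7
4624 2013-06-20T14:55:41 Account=CORP\\SEPManager LogonType=10 Workstation=WS-0103 Source=10.0.8.44
"""

EVENT_RE = re.compile(
    r"^(?P<id>\d+) (?P<time>\S+) Account=(?P<account>\S+) "
    r"LogonType=(?P<logon_type>\d+) Workstation=(?P<workstation>\S+) Source=(?P<source>\S+)$"
)

def parse_events(text):
    """Return one dict per well-formed 4624 line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("id") == "4624":
            ev = m.groupdict()
            ev["logon_type"] = int(ev["logon_type"])
            events.append(ev)
    return events

def summarize_by_account(events):
    """Count logons and collect sources per account, so the dedicated
    service account's activity shows up as its own line item."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "logon_types": set()})
    for ev in events:
        s = summary[ev["account"]]
        s["count"] += 1
        s["sources"].add(ev["source"])
        s["logon_types"].add(ev["logon_type"])
    return dict(summary)

def flag_service_account_misuse(events, account, expected_source, expected_types=(3,)):
    """A push-install account should only produce network logons (type 3)
    from the SEPM host; any other source or logon type is worth a look."""
    return [
        ev for ev in events
        if ev["account"] == account
        and (ev["source"] != expected_source or ev["logon_type"] not in expected_types)
    ]
```

On the sample data, the three SEPManager logons collapse to one summary entry with two source addresses, and the RDP-style (type 10) logon from an unexpected host is the single flagged event.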