Staj 5 Posted September 3, 2014 Posted September 3, 2014 Hello, We're redoing our permissions for our services to ensure best security practice and I would like to know what minimum permissions are required for the ESET ERA Server service accounts? ESET HTTP Server ESET RA HTTP Server ESET Remote Administrator Server ESET Service ESET SHA Server Some material says to give Domain Administrator permissions but this is too broad. We have a SCCM instance so endpoint installations will not be using ESET ERA push installations. Regards,
Chadh 45 Posted September 3, 2014 Posted September 3, 2014 Hello Staj, If the Remote Administrator (ERA) Server services are configured to use a service account, the service account will need the following permissions: Write permission to Program Files\ESET folder Read/write permission to ProgramData\ESET folder Network access rights Read/write permission to ESET’s HKLM registry Read/write permission for ERA database (either on local system or external database) Thank you, ChadH
Staj 5 Posted September 4, 2014 Author Posted September 4, 2014 (edited) Hello ChadH, Do these services support Managed Service Accounts (MSAs)? It seems odd that Program Files\ESET only has write permissions? This is my Powershell script so far: <# ESET Configuration for Environment #> $ESETServiceAccount = "DOMAIN\exampleuser" $ESETInstallationDirectory = "%PROGRAMFILES(X86)%\ESET" $ESETDataDirectory = "%PROGRAMDATA%\ESET" $ESETRegistryBranch = "HKLM:\" <# Add NTFS Permissions for ESET Service Account #> $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $ESETServiceAccount, "Write", "Allow" ` ) $ACL = Get-Acl $ESETInstallationDirectory $ACL.AddAccessRule($Rule) $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $ESETServiceAccount, "Read, Write", "Allow" ` ) $ACL = Get-Acl $ESETDataDirectory $ACL.AddAccessRule($Rule) <# Add Registry Rermissions for ESET Service Account #> $ACL = Get-Acl $ESETRegistryBranch $Rule = New-Object System.Security.AccessControl.RegistryAccessRule( ` $ESETServiceAccount, "ReadKey, WriteKey", "Allow" ` ) $ACL.AddAccessRule($Rule) Regards, Edited September 4, 2014 by Staj
ESET Support tmartinez 0 Posted September 10, 2014 ESET Support Posted September 10, 2014 (edited) Hello Staj, Some additional information is necessary from your environment to continue troubleshooting your issue. I've sent you a PM with more details. I'll wait for your response. Thank you! Edited September 10, 2014 by tmartinez
Recommended Posts