
Era Server - Service Account Requirements


Staj

Hello,

We're redoing our permissions for our services to ensure best security practice and I would like to know what minimum permissions are required for the ESET ERA Server service accounts?

 

  • ESET HTTP Server
  • ESET RA HTTP Server
  • ESET Remote Administrator Server
  • ESET Service
  • ESET SHA Server

Some material says to give Domain Administrator permissions but this is too broad.

 

We have a SCCM instance so endpoint installations will not be using ESET ERA push installations.

 

Regards,


Hello Staj,

 

If the Remote Administrator (ERA) Server services are configured to use a service account, the service account will need the following permissions:

  • Write permission to Program Files\ESET folder
  • Read/write permission to ProgramData\ESET folder
  • Network access rights
  • Read/write permission to ESET’s HKLM registry
  • Read/write permission for ERA database (either on local system or external database)

Thank you,

ChadH


Hello ChadH,

Do these services support Managed Service Accounts (MSAs)? It seems odd that Program Files\ESET only has write permissions? This is my PowerShell script so far:

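<# ESET Configuration for Environment #>
$ESETServiceAccount = "DOMAIN\exampleuser"
# PowerShell does not expand %VAR% placeholders, so read the env: drive instead
$ESETInstallationDirectory = "${env:ProgramFiles(x86)}\ESET"
$ESETDataDirectory = "$env:ProgramData\ESET"
# Hive root as posted; point this at ESET's own key before applying the rule
$ESETRegistryBranch = "HKLM:\"

<# Add NTFS Permissions for ESET Service Account #>
# Inheritance flags make the rule apply to files and subfolders, not only the folder itself
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
    $ESETServiceAccount, "Write", "ContainerInherit, ObjectInherit", "None", "Allow" `
)
$ACL = Get-Acl $ESETInstallationDirectory
$ACL.AddAccessRule($Rule)
# AddAccessRule only changes the in-memory object; Set-Acl writes it back
Set-Acl -Path $ESETInstallationDirectory -AclObject $ACL

$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
    $ESETServiceAccount, "Read, Write", "ContainerInherit, ObjectInherit", "None", "Allow" `
)
$ACL = Get-Acl $ESETDataDirectory
$ACL.AddAccessRule($Rule)
Set-Acl -Path $ESETDataDirectory -AclObject $ACL


<# Add Registry Permissions for ESET Service Account #>
$ACL = Get-Acl $ESETRegistryBranch
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule( `
    $ESETServiceAccount, "ReadKey, WriteKey", "Allow" `
)
$ACL.AddAccessRule($Rule)
Set-Acl -Path $ESETRegistryBranch -AclObject $ACL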

Regards,

Edited by Staj
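A read-only check of the permissions listed in ChadH's reply, added here as an example (it is not part of the thread and not ESET's own tooling): it reports which account each ESET service runs as and whether that account's ACL entries are missing rights or broader than the list. The account name and the Program Files (x86) location are taken from Staj's script; the registry key path is a placeholder, because the thread does not give it, and the function name `Test-EsetAcl` is hypothetical.

```powershell
# Added example: read-only audit. Direct ACEs only; rights held via groups are not counted.
$Account = 'DOMAIN\exampleuser'   # placeholder account name from the thread
$Targets = @(
    @{ Path = "${env:ProgramFiles(x86)}\ESET";   Need = 'Write' }
    @{ Path = "$env:ProgramData\ESET";           Need = 'Read, Write' }
    @{ Path = 'HKLM:\SOFTWARE\EXAMPLE-ESET-KEY'; Need = 'ReadKey, WriteKey' }  # placeholder key
)
$Sync = 0x100000   # Synchronize bit, present on most file ACEs; not counted as extra

function Test-EsetAcl {
    param([string]$Path, [string]$Need, [string]$Account)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'PathMissing'; Granted = $null }
    }
    # Registry and file ACEs expose their rights under different property names
    if ($Path -like 'HKLM:*') {
        $prop = 'RegistryRights';   $type = [System.Security.AccessControl.RegistryRights]
    } else {
        $prop = 'FileSystemRights'; $type = [System.Security.AccessControl.FileSystemRights]
    }
    $needBits = [int][Enum]::Parse($type, $Need)
    $granted = 0
    # Union of every Allow entry that names the account directly
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Account -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.$prop
        }
    }
    $missing = $needBits -band (-bnot $granted)              # listed but not granted
    $extra   = $granted -band (-bnot ($needBits -bor $Sync)) # granted but not listed
    $status  = if ($missing) { 'MissingRights' } elseif ($extra) { 'BroaderThanListed' } else { 'OK' }
    [pscustomobject]@{ Path = $Path; Status = $status; Granted = [Enum]::ToObject($type, $granted) }
}

# Logon account of each ESET service, matched on display name
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'ESET%'" |
    Select-Object DisplayName, StartName, @{ n = 'IsExpectedAccount'; e = { $_.StartName -eq $Account } } |
    Format-Table -AutoSize

# Compare the account's ACL entries with the listed minimum for each location
$Targets | ForEach-Object { Test-EsetAcl -Path $_.Path -Need $_.Need -Account $Account } |
    Format-Table -AutoSize
```

A `BroaderThanListed` result (for example Modify or FullControl on the install folder) is the case to review when tightening a service account.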

  • ESET Support

Hello Staj,

 

Some additional information is necessary from your environment to continue troubleshooting your issue. I've sent you a PM with more details. I'll wait for your response.

 

Thank you!

Edited by tmartinez