Prepare for Installation
In preparation for installation, ensure the following permissions and policy settings are in place before installing the suites.
Auditing & Security Suite Permissions
There are four security roles used by Auditor:
- Install User Account: Used to install Auditor.
- Auditor Server Service Account: Used to run the Auditor Management Server service.
- Auditor Agents Service Account: Used to run the agents for several Auditor applications.
- The Management Console or RSAT Extensions User: Used to run Auditor applications and add-ons.
The following sections outline the required permissions for each of these roles.
Install User Account
Local Permissions
- The user must be a member of the Local Administrators group (either directly or through nesting) on the local machine. The user must also be a member of, and have the appropriate rights for, the domain.
- If the Auditor Suite is being installed on a Domain Controller, the user must be a Domain Admin or Enterprise Admin.
SQL Server Permissions
- The user must have a login for the target SQL Server.
- The user must have the dbcreator server role unless the database is being created manually from a .sql file.
Active Directory Permissions
- The user needs general read permissions granted by default to Authenticated Users.
When running the Configuration wizard:
- Create child objects in the Computer object where the Management Server software will be installed.
- Write all properties for Service Connection Point objects inside the Computer object where the Management Server software will be installed.
- If upgrading from a previous version, the user needs read permissions on the CN=Services container in the Configuration Name Context.
Auditor Server Service Account
By default the Auditor Management Server service will run as Local System. It is recommended that this not be changed; however, if you want to change it, the following permissions are required.
Local Permissions
- The user must be a member of the Local Administrators group (either directly or through nesting) on the local machine.
- For versions prior to 5.8 or upgrades to 5.8 or later, the user needs full access to the Program Files\Beyondtrust\PowerBroker Management Suite\Server folder.
- For a new installation, the user needs full access to the installation folder.
- For Recovery for AD, the user requires full access to the GPO backup share.
SQL Server Permissions
- The user must have a login for the target SQL Server.
- The user must have a db_owner database role or db_datawriter and db_datareader database roles on the database.
- The user must be able to grant execute permission on all stored procedures. There is no built-in role for this.
Active Directory Permissions
- The user requires Read/Write permissions in the child object under the Computer object.
- The user needs to be a member of the Group Policy Creator Owners group or equivalent. This allows backup and restore of GPOs.
For Deploying Agents:
You can use the current logged on user credentials or select an alternate user name and password to use for the deployment. The user account requires the following:
- Must be an Enterprise Admin or Domain Admin. This is because there is no local administrators group for a Domain Controller.
- Read rights to the registry on the remote DC.
- Can create a share on the remote DC and copy files to it.
- Can remotely create a service, edit it, and start it.
Auditor Agents Service Account
By default, the Agent service will run as Local System. It is recommended that this not be changed; however, if you want to change it, the following permissions are required.
Local Permissions
- The user must belong to the Domain Admin group for interacting with the operating system and Active Directory.
- The user must have “Log on as a service” permissions.
SQL Server Permissions
- The user must have a db_owner database role or db_datawriter and db_datareader database roles on the database.
- The user must be able to grant execute permission on all stored procedures. There is no built-in role for this.
Console or RSAT Extensions User
Active Directory Permissions
- The user must have appropriate Active Directory rights to perform the desired task. For example, rollbacks occur on the client side as the logged-on user.
- By default, the permissions assigned to nodes in the Console are: Domain Admins - Full Control and Enterprise Admins - Full Control. Permissions can be changed on applicable nodes by right-clicking the node and selecting Permissions.
Audit Policy Settings
Auditor for AD can attempt to determine whether a password change is one of the following:
- Password Change: the user has changed their own password
- Password Reset: the account password has been reset by an Administrator
For this to work properly, an additional Audit Policy must be set in the Default Domain Controllers GPO (or a similar GPO that is applied to all DCs). You must enable auditing of Successful Account Management events (Policies \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy).
The following 3 policy settings should be enabled:
POLICY | SETTING |
---|---|
Audit account logon events | Success |
Audit account management | Success |
Audit logon events | Success |
If these audit policies are not enabled on the DC, the password change or password reset event is audited as a 'change to password last set' and, because of how AD processes password changes, the Auditor for AD agent sees it only as being performed by ANONYMOUS LOGON or SYSTEM.
With the above audit policies set, more accurate event summary text is captured, and the 'WHO' changes from ANONYMOUS/SYSTEM to the actual user making the change.
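The following PowerShell check is an added example, not part of the product documentation. It reads the effective audit policy on a DC with the built-in auditpol tool and reports any subcategory under the three required policies that does not have Success auditing enabled. It assumes an elevated session on the DC and an English-language OS (auditpol category names are localized); the function name Test-RequiredAuditPolicy is hypothetical.

```powershell
# Added example: verify that Success auditing is effective for the three
# policies listed in the table above. Run elevated on a Domain Controller.
# Assumption: English-language OS, because auditpol category names are localized.

# Policy name from the table -> auditpol category that reports it.
$required = [ordered]@{
    'Audit account logon events' = 'Account Logon'
    'Audit account management'   = 'Account Management'
    'Audit logon events'         = 'Logon/Logoff'
}

function Test-RequiredAuditPolicy {
    param(
        [string]$Policy,    # policy name as shown in the GPO editor
        [string]$Category   # matching auditpol category
    )

    # /r emits CSV (header plus one row per subcategory); drop blank lines.
    $csv = auditpol /get /category:"$Category" /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed for category '$Category' (is the session elevated?)"
    }

    foreach ($row in ($csv | ConvertFrom-Csv)) {
        $setting = $row.'Inclusion Setting'
        [pscustomobject]@{
            Policy      = $Policy
            Subcategory = $row.Subcategory
            Setting     = $setting
            # 'Success' and 'Success and Failure' both meet the requirement.
            SuccessOn   = $setting -like 'Success*'
        }
    }
}

$results = foreach ($policy in $required.Keys) {
    Test-RequiredAuditPolicy -Policy $policy -Category $required[$policy]
}

$results | Format-Table Policy, Subcategory, Setting, SuccessOn -AutoSize

$missing = @($results | Where-Object { -not $_.SuccessOn })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) subcategories lack Success auditing; password changes may be attributed to ANONYMOUS LOGON or SYSTEM."
}
```

Run it on each DC after the GPO has refreshed, since the result reflects the policy in effect on that machine rather than what is configured in the GPO.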