Windows Agent Permissions and Privileges

Beginning with F5 Distributed Cloud App Infrastructure Protection (AIP) Windows Agent 2.2.1, you can choose to have the Agent run as either a root account or as a least privileged account.

The Distributed Cloud AIP Windows Agent, when run as a root account, uses the LocalSystem account, which is part of the Administrators group. If you do not create an account password during Agent installation, then by default the Agent uses the LocalSystem account.

The Distributed Cloud AIP Windows Agent, when run as a least privileged account, uses a Distributed Cloud AIP account, which is part of the Users group. If you create an account password during Agent installation, then the Agent creates and uses the Distributed Cloud AIP account.

Important

The Windows Agent cannot check the health of the EventLog and/or Sysmon services when run as a least privileged account. When the Agent starts under such an account, it logs a warning recording this limitation.

Permissions and Privileges used by the Least Privileged Account

The Distributed Cloud AIP Windows Agent 2.2.1 requires the following permissions and privileges to be attached to the Distributed Cloud AIP account in order to run:

Permissions

Name                                    Location                    Sub-Directory   Agent-Related Need
ThreatStackFIM.cat                      Installation Directory      N/A             FIM components
ThreatStackFIM.inf                      Installation Directory      N/A             FIM components
ThreatStackFIM.sys                      Installation Directory      N/A             FIM components
tsagent.exe                             Installation Directory      N/A             Agent components
tsagent_message.dll                     Installation Directory      N/A             Event Log components
tsagent_performance_message.dll         Installation Directory      N/A             Event Log components
agent.db                                Common App Data Directory   Config          Agent components
fim-policy.json                         Common App Data Directory   Config          FIM components
tsEventFilter.json                      Common App Data Directory   Config          Events
tsEventSubscription.json                Common App Data Directory   Config          Events
Licenses directory                      Common App Data Directory   N/A             Software licenses
ThreatStackFIM communication pipeline   Common App Data Directory   N/A             FIM components
ThreatStackFIM minifilter               Common App Data Directory   N/A             FIM components
Privileges

Name                               Agent-Related Need
SeServiceLogonRight                Allows the Distributed Cloud AIP account to log on as a service and manage the Agent.
Manage Auditing and Security Log   Allows the Distributed Cloud AIP account to read from the Windows Event Logs, which the Agent uses to create winsec events from the Security and Sysmon logs. Granted by joining the Distributed Cloud AIP account to the Event Log Readers group at install time.
SeLoadDriverPrivilege              Allows the Distributed Cloud AIP account to load and unload drivers, which the Agent needs to manipulate the FIM minifilter and generate FIM events.
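The two tables above describe what the least privileged account should, and should not, be able to do. The following PowerShell script is an added audit example, not part of this article or of the F5 product, that checks an installed Agent against those expectations: which account the service actually runs as, whether that account sits in Users and Event Log Readers but not Administrators, and which user rights are assigned to it directly. The account name, service name and config directory are placeholders (the service name is assumed from tsagent.exe; the real names may differ), and the user-rights export via secedit needs an elevated session.

```powershell
# Added example: audit a least-privileged Distributed Cloud AIP account.
# Not F5 code. All names below are placeholders; adjust to your installation.
param(
    [string]$AccountName = 'ThreatStack',                       # placeholder: account created at install
    [string]$ServiceName = 'tsagent',                           # placeholder: assumed from tsagent.exe
    [string]$ConfigDir   = "$env:ProgramData\ThreatStack\Config" # placeholder: Common App Data\Config
)

# 1. Which account does the Agent service run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }
"Service '$ServiceName' runs as: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') {
    "Agent is running as LocalSystem (root mode); least-privilege checks do not apply."
    return
}

# 2. Group membership: expect Users and Event Log Readers, never Administrators.
$groups = foreach ($g in 'Users', 'Event Log Readers', 'Administrators') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Group  = $g
        Member = [bool]($members | Where-Object { $_.Name -like "*\$AccountName" })
    }
}
$groups | Format-Table -AutoSize
if (($groups | Where-Object Group -eq 'Administrators').Member) {
    Write-Warning "$AccountName is a member of Administrators: not a least-privileged account"
}
if (-not ($groups | Where-Object Group -eq 'Event Log Readers').Member) {
    Write-Warning "$AccountName is not in Event Log Readers: Security/Sysmon log reads will fail"
}

# 3. User rights assigned directly to the account. The page lists only
#    SeServiceLogonRight and SeLoadDriverPrivilege; log reading comes from the
#    group membership checked above, so anything else here is worth a look.
$sid = (New-Object System.Security.Principal.NTAccount($AccountName)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$exportFile = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null   # requires elevation
$rights = foreach ($line in Get-Content $exportFile) {
    # secedit lines look like: SeServiceLogonRight = *S-1-5-21-...,*S-1-5-80-...
    if ($line -match "^(Se\w+)\s*=.*\*$sid") { $Matches[1] }
}
Remove-Item $exportFile -ErrorAction SilentlyContinue
"Rights assigned directly to ${AccountName}: $($rights -join ', ')"
$expected   = 'SeServiceLogonRight', 'SeLoadDriverPrivilege'
$missing    = $expected | Where-Object { $_ -notin $rights }
$unexpected = $rights   | Where-Object { $_ -notin $expected }
if ($missing)    { Write-Warning "Missing rights: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Rights beyond those listed for the Agent: $($unexpected -join ', ')" }

# 4. Config files: the account needs access, but broad groups should not be able to modify them.
foreach ($f in 'agent.db', 'fim-policy.json', 'tsEventFilter.json', 'tsEventSubscription.json') {
    $path = Join-Path $ConfigDir $f
    if (-not (Test-Path $path)) { continue }
    $acl = Get-Acl $path
    $broadWrite = $acl.Access | Where-Object {
        $_.IdentityReference -in 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($broadWrite) { Write-Warning "$f is writable by $($broadWrite.IdentityReference -join ', ')" }
}
```

Run it from an elevated PowerShell on the host where the Agent is installed. Step 3 compares the directly assigned rights against the two the page lists; a warning there means the account has drifted from the documented least-privilege profile and the assignment should be reviewed, and step 4 flags config files that any interactive user could alter, which would let the FIM policy or event filters be changed without touching the Agent itself.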