What are the required User Right Assignments for the CCS Service Accounts group in Control Compliance Suite 11.0 ?

book

Article ID: 159111

calendar_today

Updated On:

Products

Control Compliance Suite Unix Control Compliance Suite Windows

Issue/Introduction

What are the required User Right Assignments for the CCS Service Accounts group in Control Compliance Suite 11.0 ?

Resolution

The CCS Service Account group should have the following Users Rights Assignments:

- Logon as a service
- Replace a process level token
- Impersonate a client after authentication

In previous versions of the product, we required that the service account for the Application Server and Directory Support Server both (if unique) be members of the Local Administrators Group which by default gives the accounts many user rights some of which are inherited and not even listed in Local Security Manager. Now with 11.0 we no longer require that the users be in the local administrators group but to be sure that each user has the minimum privileges required we created a new group "CCS Service Accounts" which we grant the rights to during creation and assign the service accounts as members. Hence this account is a part of the aforesaid User Rights Assignments.

The current configuration provides the minimum rights required. The privileges are needed but are far less than previously required when the service accounts needed to be local administrators.