Endpoint Protection Manager 12.1 RU5 and later installs services with reduced privileges and permissions

Article ID: 161102

Products

Endpoint Protection

Issue/Introduction

When you install Symantec Endpoint Protection Manager (SEPM) 12.1.5 (RU5) on Windows 7 or Windows Server 2008 R2 and later versions, you notice that the following services run under the accounts "NT SERVICE\semsrv", "NT SERVICE\semwebsrv", and "NT SERVICE\SQLANYs_sem5", respectively:

  • Symantec Endpoint Protection Manager service
  • Symantec Endpoint Protection Manager Webserver service
  • Symantec Embedded Database service

When you install Symantec Endpoint Protection Manager 12.1.5 on Windows Server 2003 or Windows XP, you notice that these same services run under the Network Service account.

Earlier versions of Symantec Endpoint Protection Manager configured these services to run with the local SYSTEM account.

Cause

To increase security, Symantec Endpoint Protection Manager services now use virtual service accounts (VSAs), which have more restrictive permissions and privileges than the local SYSTEM account, on Windows 7 / Server 2008 R2 or later. Earlier operating systems are not affected.

A process launcher service securely launches additional processes with the elevated permissions and privileges they need.

Resolution

When you install or upgrade to Symantec Endpoint Protection Manager 12.1.5, the installation configures the relevant services to use the following accounts:

Windows 7 / Server 2008 R2 and later

  • Symantec Endpoint Protection Manager: NT SERVICE\semsrv
  • Symantec Endpoint Protection Manager Webserver: NT SERVICE\semwebsrv
  • Symantec Embedded Database: NT SERVICE\SQLANYs_sem5

During installation, Symantec Endpoint Protection Manager adds the required user rights to the local security policy. However, if the Symantec Endpoint Protection Manager computer is a domain member, domain policies override the local policy.

Symantec Endpoint Protection Manager cannot access the domain controller to assign the correct user rights in the domain policies. However, you can manually check the domain policies for the presence of the required accounts and privileges before you begin a new installation or upgrade.
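The following PowerShell script is an added example, not part of this article or of the product, for verifying the state the article describes on a Windows 7 / Server 2008 R2 or later SEPM host. It assumes the Windows service names match the virtual account names listed above (semsrv, semwebsrv, SQLANYs_sem5) and must be run from an elevated prompt; it reports the account each service runs as and which user rights the effective (domain-overridden) security policy grants to that account's SID.

```powershell
# Added example: check SEPM service accounts and the user rights the
# effective local security policy grants to them. Assumes (not stated in
# the article) that the service names equal the virtual account names.
$services = @('semsrv', 'semwebsrv', 'SQLANYs_sem5')
$expected = @{
    semsrv       = 'NT SERVICE\semsrv'
    semwebsrv    = 'NT SERVICE\semwebsrv'
    SQLANYs_sem5 = 'NT SERVICE\SQLANYs_sem5'
}

# Export the effective user-rights assignments. On a domain member this
# already reflects the domain GPO, so it shows what actually applies.
$inf = Join-Path $env:TEMP 'sepm-userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Values are comma-separated SIDs prefixed with '*' (or plain names)
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}

foreach ($name in $services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service $name not found"; continue }
    $state = if ($svc.StartName -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0}: runs as {1} [{2}]" -f $name, $svc.StartName, $state)

    # Policy entries are stored by SID, so resolve the account name first
    try {
        $sid = ([System.Security.Principal.NTAccount]$svc.StartName).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { Write-Warning "  cannot resolve $($svc.StartName) to a SID"; continue }

    $granted = @($rights.GetEnumerator() |
        Where-Object { $_.Value -contains $sid } | ForEach-Object { $_.Key })
    Write-Host ("  SID {0}" -f $sid)
    Write-Host ("  rights in effective policy: {0}" -f
        $(if ($granted) { $granted -join ', ' } else { '(none)' }))
    # Any service account needs 'Log on as a service'; a domain GPO that
    # redefines this right without the VSA removes it from the local grant.
    if ($granted -notcontains 'SeServiceLogonRight') {
        Write-Warning "  SeServiceLogonRight is not granted to $($svc.StartName)"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

A MISMATCH or an empty rights list on a domain-joined server points to the domain policy override the article describes, and is what to resolve in the domain GPO before installing or upgrading.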

Windows XP / Server 2003 / Server 2008

  • Symantec Endpoint Protection Manager: Network Service Account
  • Symantec Endpoint Protection Manager Webserver: Network Service Account
  • Symantec Embedded Database: Network Service Account