
Symantec WSS Auth Connector Service Account permissions


Article ID: 240492


Products

Web Security Service - WSS

Issue/Introduction

As an administrator, I am looking to lower the permission level for the Symantec WSS Auth Connector Service Account.

What is the minimum permission level that the WSS service account must have according to Broadcom's recommendation?

Environment

  • Web Security Service
  • WSS Auth Connector
  • Windows Server 2012
  • Windows Server 2019

 

Resolution

When the Primary Auth Connector is installed on a member server, the installation process grants this account the "Log on as a service" and "Act as part of the operating system" privileges.

  1. In Windows Server 2012, members of the Authenticated Users group were able to perform the call, and any account that logged in automatically became a member of the Authenticated Users group while logged in.

  2. In Windows Server 2019, Microsoft removed the Authenticated Users group for this call and replaced it with the Administrators, Server Operators, and Power Users groups.
     
    • Option 1

      This is the simplest but least secure option because the permission levels are elevated; your organization's security guidelines might rule this option unacceptable. Add the Auth Connector service account user to the Server Operators group, as this group exists only on servers. The Administrators group elevates the permissions too high, and the Power Users group exists only on workstations.

    • Option 2

      Change the registry value that Microsoft uses for NetSessionEnum() to allow the Auth Connector service user access. This option is the more secure choice. 

      See Step 8—For Windows Server 2019 and DCQ Method Only to review the configuration steps.
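
To confirm which option is actually in effect, the following read-only audit lists who the NetSessionEnum() security descriptor allows and whether the service account has its own entry. It is an added example, not Broadcom's code. Assumptions not taken from this article: the registry location (the LanmanServer `DefaultSecurity\SrvsvcSessionInfo` value; confirm it against the referenced Step 8) and the placeholder account name `EXAMPLE\svc-wss-auth`.

```powershell
# Read-only audit of the NetSessionEnum() security descriptor. Nothing is modified.
# Assumptions (not from the article): the registry location below and the
# placeholder account name. Confirm both against your own configuration steps.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-wss-auth'   # placeholder account
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'

# The value holds a binary, self-relative security descriptor.
$bytes = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
$sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor ($bytes, 0)

# Resolve the account to a SID so the comparison does not depend on name format.
$acctSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
               [System.Security.Principal.SecurityIdentifier])

$entries = foreach ($ace in $sd.DiscretionaryAcl) {
    # Only common allow/deny ACEs carry a SID and an access mask.
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # unresolvable SID: show it raw
    [pscustomobject]@{
        Type      = $ace.AceQualifier
        Principal = $name
        Sid       = $sid.Value
        Mask      = '0x{0:X8}' -f $ace.AccessMask
        IsService = $sid.Equals($acctSid)
    }
}
$entries | Format-Table -AutoSize

# A direct allow entry matches Option 2; none means access depends on group membership.
$direct = $entries | Where-Object { $_.IsService -and $_.Type -eq 'AccessAllowed' }
if ($direct) {
    "Direct allow entry found for $ServiceAccount (Option 2 style)."
} else {
    "No direct allow entry for $ServiceAccount; any access comes from a group (Option 1 style)."
}
```

Run it on the server where that registry value is changed. If the account shows no direct entry and is also absent from the listed groups, the call will be denied.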