Can you please explain in detail what privileges the BCAAA account should have? We are constantly struggling with our compliance team trying to define whether this is a non-functional or functional ID.
The main questions are:
- What least privileges should the account have on Win Server?
- What least privileges should the account have on AD?
- Can this account write to the system on the Windows server it runs on?
The BCAAA (Blue Coat Authentication and Authorization Agent) account is a service account used by Edge SWG (ProxySG) to authenticate users via Active Directory (AD). It is a non-functional ID, meaning it does not represent a human user and should be tightly scoped to perform only its intended function.
To ensure compliance and minimize security risk, this account must adhere to least privilege principles across both Windows Server and AD environments.
1) What least privileges should the account have on Win Server?
To run BCAAA effectively without elevating to Domain Admin, follow these guidelines:
- Local "Log on as a service" right: This allows the BCAAA service to run under a dedicated account.
- Read access to domain resources: Sufficient to query user and group information.
- Membership in "Server Operators" group (recommended for Windows Server 2019+)
- Administrative privileges only during installation:
You need admin rights to install BCAAA, but not to run it afterward.
Avoid:
- Do not use a Domain Admin account.
- Do not grant write access to system directories or registry unless explicitly required for troubleshooting.
2) What least privileges should the account have on AD?
Recommended Setup:
- Dedicated domain service account:
Should be a domain user, not a domain admin.
Must have permission to query user and group membership.
- Group membership:
If using domain controller querying, the account may need to be added to a group like "Server Operators" or explicitly granted access to NetSessionEnum() via ACL changes.
- Password policy exemption:
Ensure the account is exempt from forced password changes to avoid service disruption.
3) Can this account write to the system on the Windows server it runs on?
Generally, no. The BCAAA account:
- Should not write to system files or registry during normal operation.
- May require write access during installation or if modifying ACLs for NetSessionEnum() (via PowerShell script).
- Should be restricted from making system-level changes post-installation to maintain compliance and reduce risk.
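As an added example (not part of the original answer or of Blue Coat's documentation), the following PowerShell script audits a BCAAA service account against the points above: it runs the service, holds "Log on as a service", is not in privileged domain groups or the local Administrators group, and is exempt from forced password changes. It assumes the RSAT ActiveDirectory module is installed, that the service is registered under the name "BCAAA", and the account name CORP\svc-bcaaa is a constructed placeholder.

```powershell
# Added example: audit a BCAAA service account for least privilege on the host it runs on.
# Assumptions: RSAT ActiveDirectory module present; service name "BCAAA"; account is a placeholder.
param(
    [string]$Account     = 'CORP\svc-bcaaa',   # constructed placeholder, replace with your account
    [string]$ServiceName = 'BCAAA'             # assumed Windows service name
)
Import-Module ActiveDirectory -ErrorAction Stop

$sam  = $Account.Split('\')[-1]
$user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, Enabled

# 1. The service must run under the dedicated account, not LocalSystem or a human ID.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$runsAsAccount = [bool]($svc -and ($svc.StartName -ieq $Account))

# 2. No membership in privileged domain groups (direct memberships only; nested groups need a deeper query).
$groups    = (Get-ADPrincipalGroupMembership -Identity $sam).Name
$forbidden = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Schema Admins')
$privileged = @($groups | Where-Object { $forbidden -contains $_ })

# 3. "Log on as a service" (SeServiceLogonRight) on this host, read from a local policy export.
#    secedit lists SIDs with a leading '*' and unresolved names as plain text.
$cfg = Join-Path $env:TEMP 'bcaaa-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$sid       = $user.SID.Value
$logonLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$hasServiceLogon = [bool]($logonLine -and
    ($logonLine.Line -match [regex]::Escape("*$sid") -or $logonLine.Line -match [regex]::Escape($sam)))
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Exempt from forced password changes (assumed here to mean PasswordNeverExpires) so the service keeps running.
$pwdExempt = [bool]$user.PasswordNeverExpires

# 5. Not a local administrator: post-install the account should not be able to write to system paths.
$localAdmins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
$isLocalAdmin = [bool]($localAdmins -contains $Account)

[pscustomobject]@{
    Account              = $Account
    RunsService          = $runsAsAccount
    PrivilegedGroups     = ($privileged -join ', ')
    HasLogOnAsService    = $hasServiceLogon
    PasswordNeverExpires = $pwdExempt
    LocalAdministrator   = $isLocalAdmin
    Compliant            = $runsAsAccount -and ($privileged.Count -eq 0) -and $hasServiceLogon -and $pwdExempt -and -not $isLocalAdmin
}
```

Run it in an elevated session on the BCAAA host (secedit needs administrative rights to export the local policy); a Compliant value of False with the failing field shown gives the compliance team a concrete item to remediate.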