WinCollect Virtual Accounts
New in WinCollect 10.1.4: WinCollect 10 now supports Virtual Accounts.
What's new and what are Virtual Accounts?
In previous versions of WinCollect 10, the agent runs as the LocalSystem built-in user. This was initially done because of the extensive access that is required for WinCollect to properly monitor event logs and the service itself. With the growing push to make applications more configurable and to keep up with the best practice of least privilege, WinCollect is moving to a more modern approach.
The concept of virtual accounts was introduced in Windows 7. These accounts function in a similar way to other built-in accounts, like NT AUTHORITY\Network Service and LocalService, with some additional functions. However, WinCollect requires more access, and modifying those accounts would change the access rights for any other application or service that also uses the account. Virtual accounts are fully customizable service accounts that you can modify to have the least number of privileges that are needed to function. You can now set up your own custom set of user rights, access permissions, and local groups, to provide a more tailored security experience.
Usually, this update provides a substantial improvement to application security that is not noticeable to the user. The fact that WinCollect no longer uses the LocalSystem user, along with the added configuration options, gives you the ability to customize your own agent, based on the environment it is in. The installer handles all the details that most users require:
- Setting up the WinCollect agent service to use the NT SERVICE\WinCollect virtual account.
- Giving the virtual account the correct user rights to handle things like service control and log auditing.
- Adding file permissions to include the virtual account to the WinCollect folder structures for logging and configuration.
- Adding the virtual account to the Event Log Readers group to monitor local application sources.
- Letting the user select whether the virtual account is added to the Administrators group.
- Cleaning up the previous permissions when WinCollect is uninstalled.
- Providing the ability to perform a full repair if any of the previous options are changed and need to be reset back to a known state.
Further steps can be found here to answer any other questions about implementation and tweaks you might want to make to your own environment.
Why is being added to the Administrators group an option?
One of the new options on the WinCollect installer is the ability to select whether the created virtual account is added to the Administrators local group. This selection is required to help your upgrade or installation go smoothly.
- Added to the Administrators group
  - Select this option in most cases. This option gives the WinCollect agent more access by default. You then don't need to worry about manually adding virtual account access to any local log source directories or files that WinCollect monitors.
- Not added to the Administrators group
  - This more advanced option allows for a more secure application by adhering to the practice of least privilege. Any log location or directory WinCollect needs access to must be added manually, as must user groups for things such as advanced IIS. The amount of effort that is required varies based on the sources your WinCollect agent is collecting from.
How to customize the Virtual Account
- How to modify the group policy and user rights
  - You can change the user rights of any account or group by using the Local Group Policy Editor. Open the editor to see all available policies. Then, you can add or remove NT SERVICE\WinCollect from any of them.
- How to modify local groups
  - Use an administrator instance of PowerShell to run the following commands to view local groups and make any needed updates. The account name contains a space, so it must be quoted.
    - net localgroup lists all the groups on your machine.
    - net localgroup Administrators lists all users who are a part of the Administrators group.
    - net localgroup Administrators "NT SERVICE\WinCollect" /add adds the virtual account to the Administrators group.
    - net localgroup Administrators "NT SERVICE\WinCollect" /delete removes the virtual account from the Administrators group.
- How to change file and folder permissions
  - The simplest way to modify permissions of various files or folders is to use the GUI. Right-click the file or folder that you want to change in File Explorer, select Properties, and on the Security tab select Edit. You can then add the NT SERVICE\WinCollect account and either allow or deny permissions. If you have a folder that contains multiple logs, the simplest way to quickly modify the permissions of all the files is to use inheritance. Select Advanced to see more settings. Click Change Permissions, select any of the user permissions you want to make inheritable, select Add, and then select the inheritance type you want from the Applies to menu.
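The following PowerShell script, an added example that is not part of the WinCollect documentation, ties these steps together: it reports which account the service runs as, whether NT SERVICE\WinCollect is a member of the Administrators and Event Log Readers groups, and grants the account inherited read access to one log folder. It assumes the service name is WinCollect (which is what gives the virtual account its NT SERVICE\WinCollect name) and uses a placeholder log path.

```powershell
# Added example, not from the WinCollect documentation.
# Assumption: the service is named "WinCollect", which is what gives the virtual
# account its NT SERVICE\WinCollect name. Run from an elevated PowerShell session.
param(
    # Placeholder path: replace with a log folder the agent must read.
    [string]$LogFolder = 'C:\Logs\MyApp'
)
$Account     = 'NT SERVICE\WinCollect'
$ServiceName = 'WinCollect'

# 1. Confirm which account the service actually runs as (StartName is the logon account).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
"Service $ServiceName runs as: $($svc.StartName)"

# 2. Report local group membership using the same 'net localgroup' output the
#    documentation uses; each member name is printed on its own line.
foreach ($group in 'Administrators', 'Event Log Readers') {
    $isMember = (net localgroup $group) -contains $Account
    "{0,-18}: {1}" -f $group, $(if ($isMember) { 'member' } else { 'NOT a member' })
}

# 3. Grant the virtual account read access to the log folder, inherited by
#    existing and future files (the 'This folder, subfolders and files' choice
#    in the Advanced Security Settings dialog).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $LogFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $LogFolder -AclObject $acl

# 4. Verify the entry now exists on the folder.
(Get-Acl -Path $LogFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

If the agent was installed without the Administrators option, step 3 is the part you repeat for every log location the agent collects from.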
How the Virtual Account changes command-line installation
Command-line installation now requires an extra flag for a valid installation. You can set the ADMIN_GROUP flag to either true or false, where true adds the virtual account to the Administrators local group. This flag appears in the copyable text block when you run the installer in custom mode.
Domain Controllers
A WinCollect agent installed on a domain controller cannot be configured to use a local virtual account, because domain controllers do not allow the use of local accounts. Therefore, WinCollect is installed and configured to run as the LocalSystem account. For security purposes, we recommend creating a separate account for the WinCollect service and specifying it on installation by using the ACCOUNT_NAME flag.
Using a different account to run WinCollect
The default option on installation is to use the virtual account by providing the ADMIN_GROUP flag. On domain controllers, the ADMIN_GROUP flag is not required and the default account is instead the LocalSystem account. It is recommended that the virtual account is used whenever possible, but on domain controllers, or when a separate service account should be used, users have the option to specify a separate account. This can be done by providing the ACCOUNT_NAME option on installation, in the format <Domain>\<Account name>. The domain and backslash can be omitted if not required. The account used should have permission to log on as a service and should not require a password to log on. We recommend using a managed or group managed service account.
During setup, the provided account is given permissions to any necessary folders. However, the account is not added to any groups. The account should be manually added to the local Administrators group if access to any folders outside of the WinCollect-specific folders is required, and should be added to the local Event Log Readers group if access to the Security channel is required.
FAQ
Question | Answer
---|---
Can I still just use the LocalSystem account? | Yes. It's not recommended, but you always have the option of modifying the local service to run as any user, or installing with ACCOUNT_NAME set to LocalSystem.
Why not just use a user account? | The short answer is management. It's simpler to handle the lifetime of a virtual account, and it does away with many larger roadblocks such as password management.
What happens if I don't set up the correct folder or file permissions for a log location? | The agent still runs, but logs that it can't access the location because of incorrect permissions. Events are not collected until the issue is addressed.