During installation of the Data Insight product, the Data Insight services are installed and configured to run under the ‘LocalSystem’ account, which gives a service complete, unrestricted access to local resources.
This document explores the impact of running the various services under a lesser-privileged service account.
To install Data Insight on a machine, the user must be a domain user with administrative privileges on that machine. This allows the user to install the Data Insight product and services on the machine and to register the node with the Management Server.
Ensure that the following prerequisites are met before configuring a minimum privilege account for the Data Insight services:
· The user account must be a domain user that is a member of the ‘Domain Users’ group. Also ensure that the user is granted the Log on as a service right through a Group Policy object in your Active Directory domain controller.
· All Data Insight services perform read and write operations in the Data directory and the installation directory of Data Insight. Therefore, the user must have Full Control permissions on both of these directories.
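As an added example (not part of the product documentation), the PowerShell script below checks the two prerequisites above for a candidate service account and, only if every check passes, moves one service to that account. The account name, the Data and installation directories, and the choice of DataInsightConfig as the service to reconfigure are placeholders and assumptions; substitute the paths of your own installation.

```powershell
# Added example: pre-flight check for a minimum-privilege Data Insight service account.
# The account name and directory paths are placeholders, not values from the product documentation.
param(
    [string]$ServiceAccount = 'CORP\svc-datainsight',          # placeholder domain account
    [string]$DataDir        = 'D:\DataInsight\data',            # placeholder Data directory
    [string]$InstallDir     = 'C:\Program Files\DataInsight'    # placeholder installation directory
)

function Test-DomainAccount {
    param([string]$Account)
    # A domain account is written DOMAIN\user where DOMAIN is neither this machine nor '.'.
    $parts = $Account.Split('\')
    if ($parts.Count -ne 2) { return $false }
    return ($parts[0] -ne $env:COMPUTERNAME) -and ($parts[0] -ne '.')
}

function Get-AccountSid {
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-LogonAsServiceRight {
    param([string]$Sid, [string]$Account)
    # Export the effective local user-rights assignments; a GPO-granted right appears here
    # once Group Policy has applied. secedit needs an elevated prompt.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg -ErrorAction SilentlyContinue | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $grantees = ($line -split '=', 2)[1].Trim() -split ','
    # Entries are either *SID or an account name. A right granted through group membership
    # is not detected by this direct check, so treat a miss as "verify manually".
    return ($grantees -contains "*$Sid") -or ($grantees -contains $Account)
}

function Test-FullControl {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ace = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    # Like the right check above, an ACE inherited through a group is not matched here.
    return [bool]$ace
}

function Set-ServiceLogonAccount {
    param([string]$ServiceName, [pscredential]$Credential)
    # Win32_Service.Change sets StartName/StartPassword; the new account is used on the
    # next start, so restart explicitly. ReturnValue 0 means success.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($r.ReturnValue -ne 0) { throw "Change failed with code $($r.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

$sid = Get-AccountSid $ServiceAccount
$checks = [ordered]@{
    'Domain account'              = Test-DomainAccount $ServiceAccount
    'Log on as a service right'   = Test-LogonAsServiceRight $sid $ServiceAccount
    'Full Control on Data dir'    = Test-FullControl $DataDir $ServiceAccount
    'Full Control on Install dir' = Test-FullControl $InstallDir $ServiceAccount
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

if (@($checks.Values) -notcontains $false) {
    # Reconfigure only once every prerequisite passes. DataInsightConfig is chosen here because
    # the document lists no additional privilege for it; this choice is an assumption.
    $cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
    Set-ServiceLogonAccount -ServiceName 'DataInsightConfig' -Credential $cred
}
```

Run it from an elevated prompt, since secedit and the service reconfiguration both need it. A False result for the right or the ACL checks means the account was not granted the permission directly; it may still hold it through a group, so confirm by hand before concluding the prerequisite is missing.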
In addition to the user privileges required by all Data Insight services listed above, some services need extra privileges or configuration for Data Insight to work properly.
Below is the list of all Data Insight services and their required privileges.
The DataInsightWeb service is responsible for all GUI operations. It is also responsible for the installation and registration of device-related services such as DataInsightFpolicy on the Management Server node. When it runs under a minimum privilege user (that is, a domain user who is a member of the ‘Domain Users’ group and has the Log on as a service right from the GPO), GUI operations work as expected.
A user cannot configure or install device services such as DataInsightFpolicy on the Data Insight Management Server node using a non-admin privilege user. To configure device services on the Management Server, the DataInsightWeb service must run under an admin user or LocalSystem while the services are installed and configured. Once the device service configuration and installation is done, the DataInsightWeb service account can be changed back from the admin user or LocalSystem to the minimum privilege account. The following DataInsightWeb operations also require an admin user or LocalSystem:
1. Querying the status of all Data Insight services on the Management Server node for display in the console under Settings->Data Insight Servers->Server Details->Services. If a minimum privilege user is used for DataInsightWeb, the Services page of the Management Server does not show the actual status of the services: the DataInsightComm, DataInsightConfig and DataInsightWatchdog services appear to be stopped, and device services such as DataInsightFpolicy, DataInsightFpolicyCMod, DataInsightCelerra, DataInsightGeneric, DataInsightWorkflow, and DataInsightPortal appear to be not configured, even if they are all running.
2. Reconfiguring device services for the Management Server node from the Server Details->Services page.
3. Creating policies under the Policies tab in the Management Console.
4. Listing workflow jobs in the GUI under the Jobs page of the Management Server node.
The DataInsightComm service runs on each Data Insight server. It is responsible for:
1. Driving the various components such as the scanner, indexer and collector through scheduled jobs
2. Share discovery
3. Report execution
4. File transfer
5. Execution of report queries
6. Configuration updates
7. Configuration of services on the local node (except on the Management Server, where DataInsightWeb does this)
8. Job scheduling
9. Execution of specific jobs
10. Test connection (filer and scan) (except on the Management Server, where DataInsightWeb does this)
All of the DataInsightComm tasks above work fine under the minimum privilege user on all three types of nodes (Management Server, Indexer and Collector), except under the following conditions.
1. Querying the status of all Data Insight services on the Indexer, Collector, Windows File Server agent and portal nodes for display in the console under Settings->Data Insight Servers->Server Details->Services. If a minimum privilege user is used for DataInsightWeb, the Services page of the Indexer, Collector, Windows File Server agent and portal nodes does not show the actual status of the services: the DataInsightComm, DataInsightConfig and DataInsightWatchdog services appear to be stopped, and device services such as DataInsightFpolicy, DataInsightFpolicyCMod, DataInsightCelerra, DataInsightGeneric, DataInsightWorkflow, and DataInsightPortal appear to be not configured, even if they are all running.
2. Reconfiguring device services for the Indexer and Collector nodes from the Server Details->Services page.
3. Listing workflow jobs in the GUI under the Jobs page of Indexer or Collector nodes that are configured as a portal, and of the portal node.
The DataInsightConfig service runs on each Data Insight server. It has a local, node-level presence and is responsible for responding to the queries it receives and for updating its own configuration cache.
The DataInsightWatchdog service runs on each Data Insight server. This service monitors the CPU, disk, and memory on each node. If CPU, disk, or memory usage is consistently high on a server, the service sends notifications to the configured email recipients. If the state of any service on a Data Insight server changes, this service notifies the Management Server node so that it can compute node health.
When disk usage crosses the configured threshold, the DataInsightWatchdog service initiates the following safeguards:
1. It ensures that the Communication service stops all activities that generate data, for example scanning.
2. It deletes files from the scanner/err and outbox folders.
3. If the threshold is crossed and there is no other data that can be deleted, the DataInsightWatchdog service stops the DataInsightWinnas service and the Communication service.
When the Windows File Server agent is in safeguard mode, its status appears as Failed on the Data Insight servers listing page of the Management Console.
Once safeguard mode is reset, the DataInsightWinnas service and the Communication service are started if they were stopped, and scanning resumes normally.
The DataInsightWatchdog service must run under an admin privilege user for the following:
1. To report the correct state of the services on all nodes.
2. On a Windows File Server, to start and stop the DataInsightWinnas service and the Communication service.
The DataInsightWinnas process runs on the Windows File Server. The service receives event information from the Windows File Server filter driver and transfers it to the Collector node that is configured for the filer.
To install, load and register the filter driver on the Windows File Server, and to run the DataInsightWinnas service there, the DataInsightWinnas service must run under LocalSystem or an admin privilege user.
The DataInsightCelerra service runs on the Collector worker node or the Management Server. This service is responsible for registering the Data Insight server with the EMC Celerra filer and enables Data Insight to receive access events from the filer.
To install the DataInsightCelerra service on the Management Server, DataInsightWeb must be running under an admin privilege user or LocalSystem; on other nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change these services back to the minimum privilege user after configuring DataInsightCelerra.
The DataInsightFpolicy service runs on the Collector node or the Management Server. This service is responsible for registering the Data Insight server with the NetApp filer and enables Data Insight to receive access events from the filer.
For latency-based metadata scanner throttling to work properly for NetApp filers, the DataInsightComm and DataInsightFpolicy services must run under the same minimum privilege user account.
To install the DataInsightFpolicy service on the Management Server, DataInsightWeb must be running under an admin privilege user or LocalSystem; on other nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change these services back to the minimum privilege user after configuring DataInsightFpolicy.
The DataInsightFpolicyCMod service runs on the Collector node or the Management Server. It is responsible for interacting with the NetApp Cluster Management host to receive access events from the nodes in the cluster.
For latency-based metadata scanner throttling to work properly for NetApp CMod filers, the DataInsightComm and DataInsightFpolicyCMod services must run under the same minimum privilege user account.
To install the DataInsightFpolicyCMod service on the Management Server, DataInsightWeb must be running under an admin privilege user or LocalSystem; on other nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change these services back to the minimum privilege user after configuring DataInsightFpolicyCMod.
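Two points above need a check outside the console: once DataInsightWeb or DataInsightComm runs under the minimum privilege account, the Services page no longer shows the real state of the services, and scanner throttling depends on DataInsightComm sharing its account with DataInsightFpolicy or DataInsightFpolicyCMod. The PowerShell script below is an added example, not part of the product documentation. It reads the actual state and logon account of every DataInsight* service from the local Service Control Manager, reports account mismatches for the throttling pairs, and lists what still runs as LocalSystem. The service names are those used in this document; the `DataInsight%` name filter and the set of services labelled as requiring high privilege are assumptions drawn from the text.

```powershell
# Added example: audit the real state and logon account of every Data Insight service on this node.
# Service names come from the document; the DataInsight% filter is an assumption.
function Get-DataInsightServiceState {
    # Win32_Service exposes StartName (the account the service runs under), which Get-Service does not.
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'DataInsight%'" |
        Select-Object Name, State, StartMode, StartName
}

function Test-ThrottlingAccountPairing {
    param([object[]]$Services)
    # Latency-based scanner throttling requires DataInsightComm and DataInsightFpolicy /
    # DataInsightFpolicyCMod to run under the same account; return every mismatch found.
    $comm = $Services | Where-Object { $_.Name -eq 'DataInsightComm' }
    if (-not $comm) { return @() }
    foreach ($name in 'DataInsightFpolicy', 'DataInsightFpolicyCMod') {
        $svc = $Services | Where-Object { $_.Name -eq $name }
        if ($svc -and ($svc.StartName -ne $comm.StartName)) {
            [pscustomobject]@{
                Service     = $name
                Account     = $svc.StartName
                CommAccount = $comm.StartName
            }
        }
    }
}

function Get-HighPrivilegeServices {
    param([object[]]$Services)
    # Make the remaining LocalSystem exposure explicit. The document states that
    # DataInsightWinnas and DataInsightWatchdog need LocalSystem or admin privilege,
    # so those are marked AdminRequired; anything else listed is a candidate to move.
    $adminRequired = 'DataInsightWinnas', 'DataInsightWatchdog'
    $Services | Where-Object { $_.StartName -eq 'LocalSystem' } | ForEach-Object {
        [pscustomobject]@{
            Service       = $_.Name
            Account       = $_.StartName
            AdminRequired = ($adminRequired -contains $_.Name)
        }
    }
}

$services = Get-DataInsightServiceState
'Actual service state (independent of what the console shows):'
$services | Format-Table -AutoSize
'Throttling account mismatches (empty means DataInsightComm and the Fpolicy services agree):'
Test-ThrottlingAccountPairing -Services $services | Format-Table -AutoSize
'Services still running as LocalSystem:'
Get-HighPrivilegeServices -Services $services | Format-Table -AutoSize
```

Run it on each node rather than on the Management Server only, because the console's status page is the part that becomes unreliable; the Service Control Manager on the node itself always reports the true state. Services listed as LocalSystem with AdminRequired False are the ones the document says can run under the minimum privilege account once their one-time installation step is complete.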
The DataInsightGenericCollector service runs on the Collector associated with a generic file server. The service collects all incoming events from generic file servers and web API clients and copies them to a specific folder on the Collector.
Under the minimum privilege user, scanning of generic device shares works without error.
To install the DataInsightGenericCollector service on the Management Server, DataInsightWeb must be running under an admin privilege user or LocalSystem; on other nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change these services back to the minimum privilege user after configuring DataInsightGenericCollector.
By default, the DataInsightWorkflow service runs only on the Management Server; it is installed automatically when an Indexer or Collector node is configured as a portal node. On the Management Server, this service is responsible for managing the lifecycle of the various actions initiated there. On other nodes, it is responsible for executing portal workflows.
Under the minimum privilege user, creation of workflow templates, execution of workflow jobs on the Management Server and portal node, and execution of workflows work without error.
To install the DataInsightWorkflow service on Indexer or Collector nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change it back to the minimum privilege user after configuring DataInsightWorkflow.
The DataInsightPortal service runs on any server designated as the Portal node. It provides the interface to the portal where custodians can log on to take remediation action.
To install the DataInsightPortal service on the Management Server, DataInsightWeb must be running under an admin privilege user or LocalSystem; on other nodes, DataInsightComm must be running under an admin privilege user or LocalSystem. You can change these services back to the minimum privilege user after configuring DataInsightPortal.
DataInsightWeb on the Management Server node and the DataInsightComm service on other Data Insight nodes must run under an admin privilege user or LocalSystem to show the actual state of this service and its related jobs.
Installing the Indexer, Collector and Windows File Server agent from the GUI requires an admin privilege user on that server.
Discovery, scanning and auditing of site collections work fine when all services of the Collector are running under the minimum privilege user.