Control Compliance Suite

  • 1.  Are Admin Rights Necessary?

    Posted Feb 26, 2009 12:11 AM

    Hi All,

     

    We are using CCS 8.6. For the purpose of data collection we run queries on Windows and non-Windows platforms (UNIX/Solaris).

     

    For the same, is it necessary to have local administrative rights on the target systems? But providing the rights on critical servers is considered a security threat.

     

    The doubts are: without admin rights, what data can be collected from target servers, and what data collection requires admin rights?

     

    Thanks in advance for any help.

     

     

     



  • 2.  RE: Are Admin Rights Necessary?

    Posted Mar 04, 2009 09:43 AM

    We do not have a document that lists all available bvc-Windows fields and which specific privileges are needed to retrieve them from a remote target.  Because every environment has its own unique security surface area on its machines, and unique GPOs coming down from the domain, we don't even have a "rule of thumb" except to say "it's probably not worth the hassle to configure non-Administrative queries".

     

    This exposure can be minimized by creating a special domain account with a special massively long impossible-to-remember password, and configuring CCS (and *only* CCS) to use that account for its remote queries.  You could even disable that account except during times that CCS is using it to gather data.

     

    If you absolutely must run non-Administrator, then I suspect trial-and-error is your best bet.  You can look over your standards and see which fields they care about, and then use RMS to experiment until you've assigned your query account just exactly enough access to satisfy those fields.

     

    That may turn out to be a lot of work.  Our Professional Services people are good at that sort of thing, so if the task makes you feel tired, consider letting them deal with it for you.

     

    KDH

     



  • 3.  RE: Are Admin Rights Necessary?

    Posted May 26, 2009 07:19 AM
    Hi SSE,
    You have provided quite a good explanation; thanks for the same. At one of the client places we were dealing with the same kind of issue, and now, without opening a support case with Symantec, we could resolve the case.