Info: Configuring the Windows Service of the Venafi Server Agent to run as a limited domain account

Applies To:

Venafi Agent 14.2 and higher



By default, the Venafi Server Agent on Windows runas as "Local System" which gives the agent unrestricted access to the system it is on.  This is important for the agent to be able to discover certificates on the filesystem and CAPI, rotate certificate keystores, as well as doing SSH key discovery and rotation.  Restricting the access of the agent means that there are potentially places where cryptographic material can be stored that can pose a threat, but the agent can discovery or remediate.

There are times though, such as on a Windows Domain Controller, where running the agent as "Local System" may violate enterprise security policies. This KB outlines a possible permission set that is less than "Local System".

Note: The Server Agent is designed for having all access on the system it is installed on.  Certificate/SSH Discovery and rotation may be impacted based on the custom permissions you provide the Agent Service.


Possible Permissions:

  • Domain Account that the agent runs as must have Modify permissions to the installation folder of the agent (default is c:\Program Files\Venafi)
  • Domain Account that the agent runs as must have "Log on as Service" on the "Default Domain Controllers Policy" within Active Directory
  • Domain Account that the agent runs as must be a member of the "Users" security group typically found within the "Builtin" OU.  (Note: This is not to be confused with the "Domain Users" account).
Was this article helpful?
1 out of 1 found this helpful