Domain Admin & Event Sources (DNS/DHCP)

We are investigating lowering the permissions of our IDR service account, since you can now collect DC security events directly from the Insight Agent. However, I was reviewing the documentation for Microsoft DNS/DHCP, and Rapid7 recommends Domain Admin privileges for collection via the native service logs. Has anyone tried using a regular domain account for this?

Hi @michael, DNS and DHCP are directory watcher event sources. In order to set this up correctly, the service account needs read access to the directories over a network share; it does not require domain admin permissions.

David

Excellent. Rapid7 may want to modify the Microsoft DHCP/DNS documentation, as it recommends Domain Admin permissions.

Using a regular domain service account is not supported in Rapid7 IDR. They get you started, but there are problems with this method. If you have a small domain/company it may be fine for you to do this, but you will need to configure and grant permissions to the service account for DCOM and WMI on the domain controller itself. There is Rapid7 documentation on this at:
https://docs.rapid7.com/insightidr/non-admin-domain-controller-account/

David Smith is correct, though: the DNS and DHCP event sources will only require an account with read privileges on the remote share that you create on a ‘watch directory’. There’s documentation on this at:
https://docs.rapid7.com/insightidr/microsoft-dns

P.S. - I highly encourage you to use the PowerShell script to 1) enable log file rotation, and 2) enable log file deletion after 2 or 3 days; otherwise your DNS and/or DHCP logs will fill up your server. You will need to set up a Scheduled Task or Cron Job to run periodically (this is a single task command).

If you have terabytes of space, there is no problem with skipping this portion. If you have a smaller partition, like most do for a VM Domain Controller, you’ll want to keep space usage small and use PS for this.

Lee
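The setup Lee describes for DNS, written out as an added example rather than Rapid7's own script or anything from the original thread: it enables DNS debug logging with size-based rollover, grants the collector account read-only access to the watch directory (share permission plus NTFS ACE, which is all the directory watcher source needs per the docs linked above), and registers a daily cleanup task. The log path, share name, service account, size and retention window are assumed placeholders; DHCP audit logs already roll daily, so only the cleanup part applies to them.

```powershell
param(
    [string]$LogDir = 'C:\DNSLogs',            # assumed watch directory
    [string]$ServiceAccount = 'CORP\svc-idr',  # assumed low-privilege collector account
    [int]$RetainDays = 3,                      # delete rolled-over logs older than this
    [switch]$Cleanup                           # set when invoked by the scheduled task
)

if ($Cleanup) {
    # Remove rolled-over log files older than the retention window. The active file
    # has a recent LastWriteTime (and is locked by DNS), so it is left alone.
    Get-ChildItem -Path $LogDir -Filter 'dns*' -File |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetainDays) } |
        Remove-Item -Force -ErrorAction SilentlyContinue
    return
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# DNS debug logging to a file that rolls over when it reaches MaxMBFileSize.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
    -LogFilePath (Join-Path $LogDir 'dns.log') -MaxMBFileSize 500 `
    -EnableLogFileRollover $true `
    -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true

# Read-only access for the collector: NTFS read/execute inherited by new log files,
# plus a share that grants only Read. No Domain Admin membership is involved.
icacls $LogDir /grant "${ServiceAccount}:(OI)(CI)RX" | Out-Null
New-SmbShare -Name 'DNSLogs$' -Path $LogDir -ReadAccess $ServiceAccount | Out-Null

# Daily cleanup task running as SYSTEM; it re-invokes this script with -Cleanup.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Cleanup " +
    "-LogDir `"$LogDir`" -RetainDays $RetainDays")
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName 'IDR-DnsLogCleanup' -Action $action -Trigger $trigger `
    -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null
```

Run it once, elevated, on the DNS server; afterwards the collector only ever touches `\\<server>\DNSLogs$` with read permission.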