At installation time, domain administrator rights are required to install Galileo on a Windows Server system that is a member of a domain. The reason for this is that Galileo's proxy user and proxy rights universal security group both need to be created in the domain. Once the user and group have been created, the installer grants the proxy rights group membership in the BUILTIN\Administrators group on the server where the Engine is being installed, and also grants the group a set of LSA privileges.
For the deployment of the Agent component, local administrator rights are required to install the Agent on a Windows Server system. Once the Agent component is running, it will automatically make the proxy rights group a member of the BUILTIN\Administrators group and grant it the set of LSA privileges that are required to perform a scan of the locally mounted NTFS volumes.
Manual Deployment Steps:
Every share that is going to be used as a scan target path must have its permissions modified to grant full control to the proxy rights group. This step is not performed automatically, and scans will fail in certain situations if it is not performed properly. Change or read access to the share is not sufficient, because it will block our usage of LSA privileges during the scanning process.
If a Windows Server is hosting shares that will be used as scan targets and the system is not running the Agent component, then that system needs to be configured to be scanned by “proxy”, meaning that an Agent running on a different server will perform scans over the network. For this to work, the proxy rights group must be granted membership in the BUILTIN\Administrators group on the server, and a specific subset of LSA privileges needs to be granted to the proxy rights group as well. And, as mentioned above, the shares on the server must all give full control access to the proxy rights group.
LSA Privilege Requirements:
On systems where the Engine and/or Agent components are running, or where a share is being scanned by an Agent running on another server (a proxy configuration), the proxy rights group must be granted the following LSA privileges & rights:
- Access this computer from the network
- Act as part of the operating system
- Back up files and directories
- Bypass traverse checking
- Create a token object
- Create symbolic links
- Impersonate a client after authentication
- Log on as a batch job
- Manage auditing and security log
- Restore files and directories
- Take ownership of files or other objects
BUILTIN\Administrators Membership Requirement:
The proxy rights group must have membership in the BUILTIN\Administrators group on every system where the Engine or Agent components are installed & running, and also on every system that is being scanned by proxy. This requirement exists due to limitations in Microsoft’s Win32 API functions that get share information and in the implementation of the File Server Resource Manager’s RPC Server that is used to get information about directory quotas. There are no specific LSA privileges that grant a specific user the ability to successfully call these functions or use these COM interfaces, and having membership in the local administrators group is required to use the functions & COM interfaces successfully.
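A read-only check of the three requirements above (the eleven LSA rights, BUILTIN\Administrators membership, and full control on each scan-target share), given here as an added example that is not part of the product or its documentation. The function name, group name and share names are placeholders; the Se* constants are the standard Windows names for the rights listed above.

```powershell
# Added example, not vendor code. Run elevated on the server being checked.
function Test-ProxyRightsGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # placeholder, e.g. 'CONTOSO\GalileoProxy'
        [string[]] $ShareNames = @()                 # placeholder scan-target share names
    )
    # Windows constant names for the eleven rights under "LSA Privilege Requirements"
    $required = 'SeNetworkLogonRight', 'SeTcbPrivilege', 'SeBackupPrivilege',
                'SeChangeNotifyPrivilege', 'SeCreateTokenPrivilege',
                'SeCreateSymbolicLinkPrivilege', 'SeImpersonatePrivilege',
                'SeBatchLogonRight', 'SeSecurityPrivilege', 'SeRestorePrivilege',
                'SeTakeOwnershipPrivilege'

    $sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Export the user-rights assignments; lines look like "SeTcbPrivilege = *S-1-5-32-544,..."
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $granted = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -Force

    # Direct assignments only: a right held through a nested group reports as missing.
    foreach ($right in $required) {
        $holders = @($granted[$right])
        [pscustomobject]@{ Check = $right
                           Pass  = ($holders -contains $sid) -or ($holders -contains $GroupName) }
    }

    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')   # BUILTIN\Administrators
    [pscustomobject]@{ Check = 'BUILTIN\Administrators membership'
                       Pass  = @($admins.SID.Value) -contains $sid }

    # Assumes the share ACL shows the group in the same DOMAIN\name form as $GroupName.
    foreach ($share in $ShareNames) {
        $full = Get-SmbShareAccess -Name $share | Where-Object {
            $_.AccountName -eq $GroupName -and $_.AccessRight -eq 'Full' -and
            $_.AccessControlType -eq 'Allow' }
        [pscustomobject]@{ Check = "Full control on share '$share'"; Pass = [bool]$full }
    }
}
# Usage: Test-ProxyRightsGroup -GroupName 'CONTOSO\GalileoProxy' -ShareNames 'Projects' |
#            Where-Object { -not $_.Pass }
```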