000031903 - What are the minimum privileges the service account must have in RSA Archer?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Apr 3, 2019.
Version 6

Article Content

Article Number: 000031903
Applies To: RSA Product Set: Archer
RSA Product/Service Type: Archer Services, Archer Application Pool
RSA Version/Condition: 5.x, 6.x
Platform: Windows
Issue: This article documents the minimum privileges required by the service account that runs the RSA Archer Services and the RSA Archer application pool.
Tasks

Least Privilege for Archer Service Account

  1. Create a domain service account in Active Directory (ArcherService).
  2. On the SQL Server, add a Windows Integrated login for ArcherService and make it db_owner of both the instance database and the configuration database.
  3. Log on to the web server as an Administrator.
    1. In Local Security Policy, User Rights Assignment, add the domain ArcherService account to Allow log on locally, Allow log on through Remote Desktop Services and Log on as a service.
    2. In Local Users and Groups, Groups, add the domain ArcherService account to the Users, IIS_IUSRS and Administrators groups. Administrators membership is needed only for installation or upgrade and is removed again in step 9.
  4. Log on to the web server as ArcherService.
  5. Run the Archer installer as ArcherService. Note: if you run the installer as the Administrator, the SQL connection string is configured for the Administrator account and not for ArcherService.
  6. Set up Archer to connect to the Archer Configuration Server with Windows Integrated authentication.
  7. Set up Archer to connect to the instance database with Windows Integrated authentication.
  8. In IIS, create an application pool (ArcherAppPool), set its identity to the ArcherService account, and assign it to the RSAarcher site and to the api, contentapi and platformapi applications.
  9. Log back on as the Administrator and remove ArcherService from the local Administrators group.
  10. Run the delete ACL batch file (delete_archer_impersonation_win2k8_50), located in …\RSA.Archer.GRC.Platform.Installer_v6.x.x64\support\Tools\Utilities\ImpersonationUtils\ACL Config.
  11. Edit the add ACL batch file (add_archer_impersonation_win2k8_50, in the same ACL Config folder) so that it uses the domain\ArcherService account, add the line netsh http add urlacl url=https://+:13200/ConfigService/rest user="Domain\User" to it, remove the non-HTTPS URL ACL for port 13200, and run it.

    When setting up additional servers, it is critical that the certificate from the initial Archer installation is exported and used on each subsequent server; otherwise the Archer service account will likely fail once it is no longer a member of the local Administrators group. RSA Archer requires an X.509 certificate, and the certificate configuration page of the installer must use the same certificate on every web server and services server.
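    The following PowerShell is an added example and is not part of the RSA article or of the Archer installer tooling. It automates the web-server side of steps 2, 3a, 3b, 8, 9 and 11 above for a least-privilege service account; the interactive steps 4 to 7 (log on as ArcherService, run the installer, select Windows Integrated for both databases) are left to the operator. Every concrete name in it is an assumption for illustration: the domain CONTOSO, the SQL instance SQL01, the database names ArcherConfig and ArcherInstance, and an IIS layout in which the RSAarcher site holds the api, contentapi and platformapi applications.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the RSA article or the Archer installer tooling.
# Automates the web-server side of steps 2, 3a, 3b, 8, 9 and 11 above.
# Every name below is an assumption for illustration: domain CONTOSO, SQL
# instance SQL01, databases ArcherConfig and ArcherInstance, and an IIS layout
# where the RSAarcher site holds the api, contentapi and platformapi applications.
# Needs the SqlServer and WebAdministration modules; run elevated on the web server.
$Account = 'CONTOSO\ArcherService'
$AppPool = 'ArcherAppPool'
$Site    = 'RSAarcher'
$Apps    = @('api', 'contentapi', 'platformapi')
$SqlInst = 'SQL01'
$Dbs     = @('ArcherConfig', 'ArcherInstance')
$CfgUrl  = '+:13200/ConfigService/rest'   # path from step 11 of the article

# Step 2: Windows Integrated login, db_owner on the config and instance databases.
function Grant-ArcherDbOwner {
    $q = "IF SUSER_ID(N'$Account') IS NULL CREATE LOGIN [$Account] FROM WINDOWS;`n"
    foreach ($db in $Dbs) {
        $q += "USE [$db];`nIF USER_ID(N'$Account') IS NULL CREATE USER [$Account] FOR LOGIN [$Account];`n"
        $q += "ALTER ROLE db_owner ADD MEMBER [$Account];`n"
    }
    Invoke-Sqlcmd -ServerInstance $SqlInst -Query $q
}

# Step 3a: user rights. secedit /configure replaces a right's holder list, so the
# current list is exported and the account's SID appended rather than overwritten.
function Grant-ArcherUserRights {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'archer-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = [System.Collections.Generic.List[string]](Get-Content $inf)
    # Allow log on locally, Allow log on through Remote Desktop Services, Log on as a service
    foreach ($r in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeServiceLogonRight') {
        $i = $lines.FindIndex({ param($l) $l -like "$r = *" }.GetNewClosure())
        if ($i -lt 0) { $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "$r = *$sid") }
        elseif ($lines[$i] -notlike "*`*$sid*") { $lines[$i] += ",*$sid" }
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'archer-rights.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
}

# Step 3b: local groups. Administrators is temporary, for the installer only (see step 9).
function Add-ArcherLocalGroups {
    foreach ($g in 'Users', 'IIS_IUSRS', 'Administrators') {
        if (-not (Get-LocalGroupMember -Group $g -Member $Account -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $g -Member $Account
        }
    }
}

# Step 8: dedicated app pool running as the service account, assigned to the site and its apps.
function Set-ArcherAppPool {
    param([Parameter(Mandatory)][pscredential]$Credential)   # prompted at run time, never hard-coded
    Import-Module WebAdministration
    if (-not (Test-Path "IIS:\AppPools\$AppPool")) { New-WebAppPool -Name $AppPool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $Credential.UserName
        password     = $Credential.GetNetworkCredential().Password
    }
    Set-ItemProperty "IIS:\Sites\$Site" -Name applicationPool -Value $AppPool
    foreach ($a in $Apps) { Set-ItemProperty "IIS:\Sites\$Site\$a" -Name applicationPool -Value $AppPool }
}

# Step 9: once the installer has run, drop the temporary Administrators membership.
function Remove-ArcherAdminMembership {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Account
}

# Step 11 (netsh part only; the impersonation batch file handles the rest):
# reserve the HTTPS configuration-service URL for the account and drop the plain-http one.
function Set-ArcherConfigUrlAcl {
    netsh http delete urlacl url="http://$CfgUrl" | Out-Null
    netsh http add    urlacl url="https://$CfgUrl" user="$Account" | Out-Null
}

# End-state check: not a local administrator, and holding the HTTPS URL reservation.
function Test-ArcherLeastPrivilege {
    $acl = (netsh http show urlacl url="https://$CfgUrl") -join ' '
    [pscustomobject]@{
        InAdministrators = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue)
        HasHttpsUrlAcl   = $acl -like "*$Account*"
    }
}

# Order of use, following the article. Between Add-ArcherLocalGroups and
# Set-ArcherAppPool, log on as ArcherService and run the installer (steps 4-7).
#   Grant-ArcherDbOwner
#   Grant-ArcherUserRights
#   Add-ArcherLocalGroups
#   Set-ArcherAppPool -Credential (Get-Credential -UserName $Account -Message 'ArcherService password')
#   Remove-ArcherAdminMembership
#   Set-ArcherConfigUrlAcl
#   Test-ArcherLeastPrivilege    # expect InAdministrators False, HasHttpsUrlAcl True
```

    The user-rights function is the part most worth reading: a secedit template that lists only the service account would replace, not extend, the existing holders of Allow log on locally and Log on as a service, so the script exports the current assignment and appends the account's SID to it. Test-ArcherLeastPrivilege is the check to run after step 11 and again after any upgrade, since an upgrade is the point at which Administrators membership is typically re-added and forgotten.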

    Additional settings (these appear to be unnecessary; Archer has been observed to work without them):

    Grant ArcherService the same permission set (Modify, Read & execute, List folder contents, Read and Write) on each of the following folders:

  12. Company_files folder.
  13. Archer Index folder.
  14. Archer Log folder.
  15. Archer File Repository folder.
  16. RSA Archer folder.
  17. C:\Windows\Temp folder.
  18. C:\Temp folder.
  19. Temporary ASP.NET Files folder (by default C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files).
  20. Archer installation directory (by default C:\Program Files\RSA Archer; this can differ depending on your environment).
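    The permissions listed in steps 12 to 20 are the five rights that the Windows security dialog shows for the Modify permission set, so they can be applied in one icacls call per folder. The script below is an added example, not from the RSA article; the Company_files, Index, Log and File Repository locations have no default in the article and are hypothetical paths that must be replaced with the ones in your environment, as is the CONTOSO domain.

```powershell
# Added example, not part of the RSA article. Applies the folder permissions of
# steps 12-20 with icacls and then verifies them. (OI)(CI) makes the grant
# inherit to files and subfolders; M is the Modify set (Modify, Read & execute,
# List folder contents, Read, Write). Paths marked "assumed" are hypothetical.
$Account = 'CONTOSO\ArcherService'   # assumed domain
$Folders = @(
    'D:\Archer\Company_files'          # assumed location
    'D:\Archer\Index'                  # assumed location
    'D:\Archer\Logs'                   # assumed location
    'D:\Archer\FileRepository'         # assumed location
    "$env:SystemRoot\Temp"
    'C:\Temp'
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
    'C:\Program Files\RSA Archer'      # article default for the installation directory
)

function Grant-ArcherFolderModify {
    foreach ($f in $Folders) {
        if (-not (Test-Path $f)) { Write-Warning "Folder not found, skipped: $f"; continue }
        # /grant:r replaces any existing explicit ACE for this account instead of stacking another
        icacls $f /grant:r "${Account}:(OI)(CI)M" | Out-Null
    }
}

# Reports, per folder, whether an Allow ACE for the account covers at least Modify.
function Test-ArcherFolderModify {
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($f in ($Folders | Where-Object { Test-Path $_ })) {
        $ace = (Get-Acl $f).Access | Where-Object {
            $_.IdentityReference -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $modify) -eq $modify)
        }
        [pscustomobject]@{ Folder = $f; HasModify = [bool]$ace }
    }
}

# Grant-ArcherFolderModify
# Test-ArcherFolderModify | Format-Table -AutoSize
```

    Full control is deliberately not granted: Modify already covers creating, changing and deleting files, and withholding Full control keeps the service account from changing permissions or ownership on its own directories.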

We have also seen performance improvements when the service account is added to the local Administrators group on the servers. This step is not necessary, and it gives up the least-privilege configuration described above, so weigh the gain against that trade-off before considering it.