WinCollect Virtual Accounts

New in WinCollect 10.1.4: WinCollect 10 now supports Virtual Accounts.

What's new and what are Virtual Accounts?

In previous versions of WinCollect 10, the agent ran as the LocalSystem built-in account. This was initially done because of the extensive access that WinCollect needs to monitor event logs and to manage the service itself. With the growing push to make applications more configurable, and to follow the best practice of least privilege, WinCollect is moving to a more modern approach.

The concept of virtual accounts was introduced in Windows 7 and Windows Server 2008 R2. These accounts function in a similar way to the other built-in service accounts, such as NT AUTHORITY\Network Service and NT AUTHORITY\Local Service, with some additional capabilities. However, WinCollect requires more access than those accounts provide, and modifying a shared built-in account would change the access rights of every other application or service that also uses it. A virtual account is a per-service account that you can restrict to the least set of privileges that the service needs to function. You can now set up your own custom set of user rights, access permissions, and local group memberships to provide a security posture tailored to your environment.

In most deployments this change is a substantial improvement to application security that is not noticeable to the user. Because WinCollect no longer runs as LocalSystem, and because of the added configuration options, you can tailor the agent to the environment it runs in. The installer handles the details that most users require:

  • Setting up the WinCollect agent service to use the NT SERVICE\WinCollect virtual account.
  • Giving the virtual account the correct user rights to handle things like service control and log auditing.
  • Adding file permissions to include the virtual account to the WinCollect folder structures for logging and configuration.
  • Adding the virtual account to the Event Log Readers group to monitor local application sources.
  • Letting the user select whether the virtual account is added to the Administrators group.
  • Cleaning up the previous permissions when WinCollect is uninstalled.
  • Providing the ability to perform a full repair if any of the previous options are changed and need to be reset back to a known state.

The sections that follow describe the implementation details and the adjustments you might want to make for your own environment.

Why is being added to the Administrators group an option?

One of the new options on the WinCollect installer is the ability to select if the created virtual account is added to the Administrators local group. This selection is required to help your upgrade or installation go smoothly.

Added to the Administrators group
Select this option in most cases. It gives the WinCollect agent broader access by default, so you don't need to manually grant the virtual account access to the local log source directories or files that WinCollect monitors.
Not added to the Administrators group
This more advanced option makes the application more secure by adhering to the practice of least privilege. Any log location or directory that WinCollect needs to read must be granted manually, as must membership in any groups that particular sources require (for example, advanced IIS collection). The amount of effort required varies with the sources your WinCollect agent collects from.

How to customize the Virtual Account

How to modify the group policy and user rights
You can change the user rights of any account or group by using the Local Group Policy Editor (gpedit.msc). Select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment to see all available policies. You can then add or remove NT SERVICE\WinCollect from any of them.
How to modify local groups
Use an elevated (Run as administrator) PowerShell session to run the following commands to view local groups and make any needed updates. The account name contains a space, so it must be quoted.

net localgroup lists all the groups on your machine.

net localgroup Administrators lists all members of the Administrators group.

net localgroup Administrators "NT SERVICE\WinCollect" /add adds the virtual account to the Administrators group.

net localgroup Administrators "NT SERVICE\WinCollect" /delete removes the virtual account from the Administrators group.

How to change file and folder permissions
The simplest way to modify the permissions of a file or folder is to use the GUI. In File Explorer, right-click the file or folder that you want to change and select Properties > Security. Select Edit, and then you can add the NT SERVICE\WinCollect account and either allow or deny specific permissions.

If you have a folder that contains multiple logs, the simplest way to modify the permissions of all the files at once is to use inheritance. From the Properties > Security tab, select Advanced to see more settings. Click Change Permissions, then Add, select the NT SERVICE\WinCollect principal and the permissions you want to grant, and then choose the inheritance scope from the Applies to menu (for example, This folder, subfolders and files).
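The following script, added here as an example and not taken from the WinCollect documentation or installer, performs the checks and the folder grant described above in one pass: it confirms which identity the service runs under, reports whether the virtual account is in the Administrators and Event Log Readers groups without changing anything, and then grants the account inheritable read access to a log folder so that every existing and future log file in it is readable. The service name WinCollect and the log folder C:\Logs\MyApp are assumptions for this example; adjust them to your host.

```powershell
# Added example; not from the WinCollect documentation or the WinCollect installer.
# Assumed: the agent service is registered as "WinCollect" and the application
# being monitored writes its logs under C:\Logs\MyApp (both are placeholders).
# Run from an elevated (Run as administrator) PowerShell session.
$account   = 'NT SERVICE\WinCollect'
$logFolder = 'C:\Logs\MyApp'

# 1. Confirm which identity the service actually runs under. After a virtual
#    account install this is "NT SERVICE\WinCollect"; on a domain controller,
#    or when ACCOUNT_NAME was used, it is LocalSystem or the account supplied.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinCollect'"
if ($null -eq $svc) { throw "Service 'WinCollect' is not installed on this host" }
"Service identity : $($svc.StartName)"

# 2. Report group membership without changing it, so the choice made in the
#    installer (Administrators or not) is visible before doing any ACL work.
foreach ($group in 'Administrators', 'Event Log Readers') {
    $members  = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    $isMember = @($members | Where-Object { $_.Name -eq $account }).Count -gt 0
    "Member of {0,-18}: {1}" -f $group, $isMember
}

# 3. If the account is NOT an administrator, it needs an explicit ACE on each
#    log location. ReadAndExecute inherited by subfolders and files is the
#    GUI's "This folder, subfolders and files" scope and is the minimum needed
#    to enumerate the folder and read the log files in it.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $logFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $logFolder -AclObject $acl

# 4. Read the ACL back and show only the entries that apply to the account,
#    so the rights and inheritance flags that were written can be checked.
(Get-Acl -Path $logFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags |
    Format-Table -AutoSize
```

Step 2 only reports; if the account is already a member of Administrators, step 3 is unnecessary but harmless. Step 3 grants read-only rights on purpose: the virtual account does not need to modify the logs it collects, so write or full-control grants on a log folder would only widen the blast radius if the agent were compromised.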

How the Virtual Account changes command-line installation

Command-line installation now requires an extra property for a valid installation. Set ADMIN_GROUP to either true or false; true adds the virtual account to the Administrators local group, false does not. This property appears in the copyable text block when you run the installer in custom mode.

Domain Controllers

A WinCollect agent installed on a domain controller cannot be configured to use a virtual account, because domain controllers do not allow the use of local accounts. By default, WinCollect is therefore installed and configured to run as the LocalSystem account on a domain controller. For security purposes, we recommend creating a separate account for the WinCollect service and specifying it at installation time with the ACCOUNT_NAME property.

Using a different account to run WinCollect

The default on installation is to use the virtual account, selected by providing the ADMIN_GROUP property. On domain controllers the ADMIN_GROUP property is not required, and the default account is LocalSystem instead. Use the virtual account whenever possible, but on domain controllers, or wherever a separate service account is required, you can specify one by providing the ACCOUNT_NAME property at installation, in the format <Domain>\<Account name>. The domain and backslash can be omitted if they are not required. The account must hold the "Log on as a service" user right and must be able to log on without a stored password, because no password is supplied at installation. We recommend a managed service account (MSA) or group managed service account (gMSA), which meet the password requirement by design.

During setup, the account you provide is granted permissions on the necessary WinCollect folders. However, it is not added to any groups. Add the account to the local Administrators group manually if it needs access to any folders outside the WinCollect-specific folders, and add it to the local Event Log Readers group if it needs access to the Security channel.
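To show how the account choice above plays out in practice, here is an added example (not WinCollect's own code or documentation) that decides between the virtual account and a separate gMSA based on whether the host is a domain controller, makes the gMSA usable on the host, checks that the chosen account holds the "Log on as a service" right, and prints the resulting installer properties. The gMSA name svc-wincollect, the domain CORP, the installer path C:\Temp\wincollect.msi, and the assumption that the installer is an MSI that accepts msiexec properties are all assumptions made for this example; the installer's other properties (console address, token, and so on) are deliberately omitted because the example covers only the account choice.

```powershell
# Added example; not from the WinCollect documentation or installer.
# Assumed (placeholders): a gMSA "svc-wincollect" already exists in domain CORP,
# the RSAT ActiveDirectory module is available, and the installer is the MSI
# at C:\Temp\wincollect.msi. Run from an elevated PowerShell session.
$gmsaName  = 'svc-wincollect'
$gmsaSam   = "$gmsaName`$"        # the sAMAccountName of a gMSA ends with "$"
$domainNb  = 'CORP'
$installer = 'C:\Temp\wincollect.msi'

# 1. Is this host a domain controller? Win32_ComputerSystem.DomainRole:
#    0/1 = standalone/member workstation, 2/3 = standalone/member server,
#    4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

if ($isDC) {
    # 2a. A DC cannot use the virtual account, so use the gMSA instead.
    #     Install-ADServiceAccount fetches the managed password into the local
    #     LSA, which is what lets the service log on without a stored password.
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $gmsaName
    if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
        throw "This host is not allowed to retrieve the password for $gmsaName"
    }
    $accountName = "$domainNb\$gmsaSam"

    # 3. Verify "Log on as a service" (SeServiceLogonRight). secedit exports
    #    the right as a list of SIDs, so translate the account name first.
    #    Only direct grants are listed; a grant inherited through a group
    #    membership does not appear here.
    $nt  = New-Object System.Security.Principal.NTAccount($accountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = (Get-Content -Path $cfg) -match '^SeServiceLogonRight'
    $hasLogonRight = ($line -join '') -match [regex]::Escape("*$sid")
    Remove-Item -Path $cfg -Force
    "Log on as a service for $accountName : $hasLogonRight"
    if (-not $hasLogonRight) {
        Write-Warning "Grant 'Log on as a service' to $accountName before installing"
    }

    $props = "ACCOUNT_NAME=`"$accountName`""
} else {
    # 2b. Member server or workstation: prefer the virtual account. ADMIN_GROUP=false
    #     is the least-privilege choice; set it to true to skip per-folder ACLs.
    $accountName = 'NT SERVICE\WinCollect'
    $props = 'ADMIN_GROUP=false'
}

# 4. The command line that results from the decision above. Add the installer's
#    other required properties from the custom-mode copyable text block.
"Selected account : $accountName"
"msiexec /i `"$installer`" $props /qn"
```

The SeServiceLogonRight check is placed only on the separate-account path: for the virtual account, the service control manager grants that right when the service is configured, so it is not expected to be present before installation. On a domain controller the user rights come from the Default Domain Controllers Policy, so if the check reports false, add the gMSA to that policy's "Log on as a service" setting rather than to the local policy.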

FAQ

Question: Can I still just use the LocalSystem account?
Answer: Yes. It's not recommended, but you always have the option of modifying the local service to run as any user, or of installing with ACCOUNT_NAME set to LocalSystem.

Question: Why not just use a regular user account?
Answer: The short answer is management. It's simpler to handle the lifetime of a virtual account, and it does away with larger roadblocks such as password management.

Question: What happens if I don't set up the correct folder or file permissions for a log location?
Answer: The agent still runs, but it logs that it cannot access the location with the incorrect permissions. Events from that location are not collected until the issue is addressed.