Creating a dedicated user account
The GFI LANguard S.E.L.M. services will connect to the machines specified in the configuration to retrieve security event logs. During installation you will be asked for a user account under which to run the GFI LANguard S.E.L.M. services.
Because GFI LANguard S.E.L.M. needs to login to the systems it monitors, it will itself generate security related events from the account under which the GFI LANguard S.E.L.M. services are running. These events will trigger GFI LANguard S.E.L.M. intrusion alerts.
To avoid this, run the GFI LANguard S.E.L.M. services under an account dedicated to running these services. GFI LANguard S.E.L.M. can then ignore the logon/logoff/clear-event-log events generated by this account.
This dedicated account must have the following security policy privileges enabled:
- Generate Security Audits.
- Managing Auditing and Security Log.
Procedure for creating a dedicated account in Windows 2000
To assign these rights in a Windows 2000 domain, you need to create an OU and link a custom Group Policy to it. You then move the dedicated user account into this OU so that the custom Group Policy is applied to the dedicated GFI LANguard S.E.L.M. account. To create a dedicated user account for GFI LANguard S.E.L.M.:

Active directory Users and Computers MMC snap-in
1. Open the "Active Directory Users and Computers" MMC console, right-click the Users container and choose New > User.

End user account details
2. You are asked for the new user account details. Remember the user logon name, since this account will be used by the GFI LANguard S.E.L.M. services. Click Next. Note: there is no need to create a mailbox for this user.

New organizational unit dialog
3. After you have created the new user, create a new organizational unit for this dedicated user. To do this, open the "Active Directory Users and Computers" MMC console, right-click the domain name and choose New > Organizational Unit.

Move object dialog
4. Now right-click the GFI LANguard S.E.L.M. user and choose "Move". Select the new organizational unit you created and move the dedicated user into it. This lets you apply a different Group Policy to this account.

Dedicated S.E.L.M. User properties
5. After the user is moved to the new organizational unit, assign a Group Policy to this OU. Right-click the new organizational unit and choose "Properties". Go to the "Group Policy" tab, press "New" and give the new Group Policy a name. Edit the Group Policy by clicking the "Edit" button.

Group policy snap-in
6. Now assign the following rights in the Group Policy:
- Generate Security Audits.
- Manage Auditing and Security Log.
In the Group Policy snap-in, open Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Double-click "Manage auditing and security log", tick "Define these policy settings", and click "Add" to add the dedicated GFI LANguard S.E.L.M. user account.

Add user or group dialog
7. Once the user has been added, you will be asked to confirm the application of the policy to the listed users. Repeat the above steps for the "Generate Security Audits" policy, adding the dedicated S.E.L.M. user to this right as well.

Dedicated GFI LANguard S.E.L.M. user properties dialog
8. After you have made these edits, close the Group Policy MMC snap-in. You are returned to the OU properties, Group Policy tab. Select the Group Policy you created and click the "Options" button. This brings up the Group Policy options.

Group Policy Options dialog
9. Now enable the "No Override" option. This makes sure the Group Policy is not overridden by Group Policies of child OUs (which you should not create in the S.E.L.M. OU anyway).
Done! We now have a dedicated user account with the required permissions and rights.
The GFI LANguard S.E.L.M. dedicated user account must also be added to the local Administrators group of the machine on which GFI LANguard S.E.L.M. is installed. To do this, follow the steps below:
1. Open the "Computer Management" MMC.
2. Open the "Local Users and Groups" tree.
3. Right-click the "Administrators" group.
4. Choose "Add user" and add the S.E.L.M. user to the group.
The S.E.L.M. user does not require log on permission on the monitored machines, since it does not log on to them to collect the events; it needs log on permission only on the machine where S.E.L.M. is running.
However, Domain Controllers do not have a "Local Administrators" group in the "Computer Management" MMC. It is listed as one of the domain groups in Active Directory as "Administrators". Open the "Active Directory Users and Computers" MMC snap-in and bring up the properties of the dedicated GFI LANguard S.E.L.M. account. Click the "Member Of" tab and add the account to the "Administrators – DOMAIN/builtin" group. If the S.E.L.M. account is not added to this group, the GFI LANguard S.E.L.M. Collector agent will not be able to start up.
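The following PowerShell script is an added verification aid, not part of the GFI manual: run elevated on the S.E.L.M. host (a current Windows version, not Windows 2000), it exports the effective user rights with secedit, confirms the dedicated account holds exactly the two rights the procedure assigns, flags any extra rights that would widen the service account's reach, and checks local Administrators membership. The account name DOMAIN\selm-svc is a placeholder.

```powershell
# Added example (not GFI's code). Assumes an elevated session on the S.E.L.M. host.
param([string]$Account = 'DOMAIN\selm-svc')   # placeholder: the dedicated account

# The two user rights the manual requires, keyed by the constant names secedit uses.
$Required = @{
    'SeAuditPrivilege'    = 'Generate security audits'
    'SeSecurityPrivilege' = 'Manage auditing and security log'
}

# Export the effective user-rights policy (GPO-applied rights land in the local LSA
# database, so this reflects what the OU policy actually delivered to this host).
$cfg = Join-Path $env:TEMP 'selm-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rightLines = Get-Content $cfg | Where-Object { $_ -match '^Se\w+Privilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit lists holders as "*S-1-5-..." SIDs (sometimes as names); resolve ours once.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Map each assigned right to the principals holding it.
$held = @{}
foreach ($line in $rightLines) {
    $name, $members = $line -split '\s*=\s*', 2
    $held[$name] = $members -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
function HasRight($priv) {
    $held.ContainsKey($priv) -and ($held[$priv] -contains $sid -or $held[$priv] -contains $Account)
}

# Required rights: present or missing.
foreach ($priv in $Required.Keys) {
    $state = if (HasRight $priv) { 'OK' } else { 'MISSING' }
    '{0,-8} {1} ({2})' -f $state, $Required[$priv], $priv
}

# Extra rights beyond the two required ones: a least-privilege warning, since the
# account is exempted from S.E.L.M.'s own intrusion alerts.
$extra = $held.Keys | Where-Object { -not $Required.ContainsKey($_) -and (HasRight $_) }
if ($extra) { 'EXTRA    {0}' -f ($extra -join ', ') }

# Local Administrators membership, which the manual says the Collector needs to start.
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -eq $Account })
'{0,-8} member of local Administrators' -f $(if ($isAdmin) { 'OK' } else { 'MISSING' })
```

On a Domain Controller there is no local Administrators group, so the last check should instead be run against the domain "Administrators" group described above.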