[ZBX-15606] Minimum and recommended user account permissions for Zabbix Agent on Windows Created: 2019 Feb 06  Updated: 2024 Apr 10  Resolved: 2019 Mar 17

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: None
Fix Version/s: 4.2 (plan)

Type: Documentation task Priority: Major
Reporter: Aleksejs Petrovs Assignee: Michael Veksler
Resolution: Fixed Votes: 0
Labels: agent, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Team: Team A
Team: Team A
Sprint: Sprint 49 (Feb 2019), Sprint 50 (Mar 2019)
Story Points: 0.5

 Description   

Please document the following information:

  • Minimum User Account permission in Windows environment to launch Zabbix Agent and collect the local metrics
  • Recommended by Zabbix User Account permissions in Windows environment so the Agent could operate without interruption.

As a part of hardening and securing Zabbix Agent would be good to note, that if

EnableRemoteCommands=1

is configured
then in order to audit the remote commands and system.run items you must configure following:

LogRemoteCommands=1

 

Expected documentation update -

 

 Comments   
Comment by Dmitrijs Lamberts [ 2019 Feb 07 ]

IMO minimal permissions for user running Zabbix agent service strictly depends on required tasks/metrics to collect from the device.
Long story short, it will vary in multiple scenarios, and such minimal requirement would only add some frustration and questions like - why do I need that if the only task of this agent is to report agent.ping

Comment by Martins Valkovskis [ 2019 Mar 05 ]

Added to documentation for 3.0, 4.0, 4.2.

Comment by Michael Veksler [ 2019 Mar 19 ]

"Functionality is limited" - what does it means:

  1. to access windows event log via eventlog[], you need to do: https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy
    if this is just txt log for log[]/logrt[] - right to read the file is enough.
  2. If system.run makes access to resources with limited access - for example, files or windows registry, the result will depend on the user rights to access these resources.
  3. vfs.file - the result will depend on the user's rights to access the polled resources.
  4. wmi.get - a complete answer is not possible. Access depends on vendor settings. Different vendors can expand/change wmi with limited access. You need to consult your vendor's documentation.
Generated at Sat Apr 20 01:32:44 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.