I want to configure access during the installation of Management Service, Host Management Service and Management Console components using the recommended best practices to avoid any access related issues in the future with my 5nine Cloud Security product. How do I do that?
Management Service Setup
1. Set the user that will run the Management Service:
Note: Recommended best practice is to select the User option and enter either the local or domain user credentials depending upon the environment in which the Management Service is being installed. This credential will be the default credential that will be used by the Management Console and the Host Management Service components.
If you select Local system, all the Hosts must be added to the Management Console with custom credentials.
2. Select the database server and the authentication method:
- Select the database server from the list: If there is no database server detected by the installer, please type it manually (this could happen if the SQL Server Browser service is not running). The default port is 1433. If your SQL server uses a different port, please specify this port using the following format: SQLSERVER, 1433 (port number). For example, if the SQL server hostname is SQLSRV and it uses port 1435 instead of standard 1433, please specify the following string into the Database Server field: SQLSRV, 1435
- Select the authentication method:
- Windows authentication - select if the user has been granted the necessary permissions on the selected SQL Server
- SQL authentication - select the credentials used to set up the SQL Server account (sa)
Note: If Local system had been selected at the previous step as an account to run Management Service, only SQL authentication is allowed.
Based on, if you are performing a fresh installation of the 5nine Cloud Security product or if there are no previously created security admins that exist in your prior vFirewall database in the selected data source, you will be prompted to choose whether or not to create a security global admin:
If you choose the option Create global administrator, you will be requested to specify the credentials for the new global admin:
Select the user type:
- Custom user. This option lets you create custom users independently from AD. This type of access is used only within 5nine Cloud Security to identify the 5nine Cloud Security application permissions. If you’re working in a mixed environment, please select this option. You can select any username and password for this user type.
- Windows user. This option applies to a single domain environment only and this user type must be registered in Active Directory (AD).
The global admin is a user who has full access to the 5nine Cloud Security product. Once you create global admin user, you will be able to connect to Cloud Security Management Service only under this user.
If you choose the option Do not create admin, the installation will proceed without prompting for a user’s credentials.
Note: In the event that you have kept the old vFirewal database from a previous installation in your selected data source, and there was at least one admin registered to it, the installer will detect and skip this step entirely.
Host Management Service Setup
Local Host Install
Set the user that will run under Host Management Service:
Note: These credentials are entered for the local host on which the Host Management Service is being installed and may differ from those entered for the remote Host Management server if the program is used in a mixed environment.
Select the authentication method:
- Use default credentials: The current user’s credentials will be used. Use this option if a single domain is used in the environment and the current user is granted all the necessary rights on the remote server(s)
- Use custom credentials: Specify the credentials for remote host. Use this option if different credentials should be used on the remote host. In the event multiple hosts are added, please alter the credentials for each host as applicable.
Please ensure that the Service logon account is properly set.
Right click each host to edit the installation and/or service logon accounts:
- Click Edit install credentials to specify/alter the credentials for the host management service installation onto the target host:
- Click Edit service credentials to specify/alter the credentials under which 5nine.VirtualFirewall.HostManagementService (display name 5nine Cloud Security Host Service) will be running on the target host:
- Then specify/alter the credentials in the dialog that will open:
- Check the credentials for all added hosts:
Note: Remote install option allows you to install the Host Management Service onto multiple hosts remotely over a network.
Management Console Setup
Select one of the following options:
- Use default credentials: current user credentials will be used to connect to the Management Service each time the Management Console is started.
- Use custom credentials: users will be prompted to enter their credential to connect to the Management Service each time the Management Console is started.
Note: To install the Management Console on a server where multiple users with different privileges work, the best practice is to select the Use default credentials option so that each time the Management Console is started, the necessary privileges are already in place to connect to the Management Service.
Summary of Service Accounts – Permissions
Management Service Account
- WMI access. Full access to the namespace Hyper-V WMI provider (V2) (ROOT\virtualization\v2) is required.
- SQL database or file access (read/write) – for Management Service user account only if Windows authentication is used.
- Allow to control Hyper-V. In most cases, this requirement is covered since the local administrator’s privileges requirement is already met.
- Logon as a service privilege.
Host Service Account
- Best practice – Use the same account for service for the Host Service account and in the Server Settings in the Management Console.
- Host Service user should have local administrator’s privileges. This requirement is usually met when the user is a member of local administrators group on the Hyper-V host or Administrators group in the Active directory in a domain environment.
- If the host is managed remotely from a centralized management console, there should also be an account with similar permissions used in the Server Settings.
- Logon as a service privilege.
For workgroup/mixed domains environment
- The Account for workgroup environment should also have similar permissions for the currently managed host.
- Managed and Management servers should be marked as trusted hosts if the workgroup environment is to be used on several domain environments.
5nine Manager Cloud Security, Management Service, Host Management Service, Management Console, Access, Credentials, vFirewall
5nine Cloud Security, How do I upgrade to the latest version of 5nine Cloud Security?, What are the prerequisites for 5nine Cloud Security installation?, How can I ensure that 5nine Cloud Security is operating correctly?