Securing service accounts

Applies To: Forefront Client Security

A Client Security deployment uses the service accounts described in the following table.

| Account | Type | Description |
| --- | --- | --- |
| Data Access Server (DAS) account | Domain user and, in some cases, local administrator on collection server. If you are reusing the DAS account for the action account, you must grant the DAS account local administrator privileges on the collection server. | The collection server uses the DAS account to access the collection database. Client Security automatically grants the DAS account permissions as part of setup. |
| Reporting account | Domain user | The reporting server uses the reporting account to access the reporting database and the collection database. |
| Action account | Domain user and local administrator on the collection server. The action account must be a local administrator on the collection server. You must either grant the action account these privileges, or if you're reusing the DAS account for the action account, grant the DAS account these privileges. | The collection server uses the action account to run server-side scripts and SSA scans. The action account must be a domain user account. |
| Data Transformation Services (DTS) account | Domain user | The reporting server uses the DTS account to run a Windows Scheduler task (a DTS job) that transfers data from the collection database to the reporting database. |

For the most secure deployment, use a different user account for each Client Security service account; however, due to the complexity of maintaining four separate accounts and updating their passwords regularly, it is recommended that you use a single domain user account for all Client Security service accounts.

It is further recommended that you do not use a Client Security administrator account to run services related to Client Security. This protects Client Security from unauthorized administrator access if a malicious user succeeds in compromising the credentials used to run services.
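The following audit script is an added example, not part of the original Client Security documentation. It checks the two rules above on the collection server: that the action account is a direct member of the local Administrators group, and that no Client Security administrator account is used as a service logon account. All account names are hypothetical placeholders, and the script assumes Windows PowerShell and an English-language group name.

```powershell
# Added example: run on the collection server in Windows PowerShell.
# All account names are hypothetical placeholders; substitute your own.
$ActionAccount   = 'CONTOSO\fcs-svc'      # action account (or reused DAS account)
$ServiceAccounts = @('CONTOSO\fcs-svc')   # accounts used as DAS/reporting/action/DTS
$FcsAdmins       = @('CONTOSO\fcs-admin') # Client Security administrator accounts

# Direct members of the local Administrators group, via the WinNT ADSI provider.
# Assumption: the group is named "Administrators" (English-language Windows).
# Membership inherited through a nested domain group is NOT resolved here.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://DOMAIN/name; convert to DOMAIN\name
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

# Rule 1: the action account must be a local administrator on the collection server.
$actionIsAdmin = $localAdmins -contains $ActionAccount

# Rule 2a: no configured service account may also be a Client Security administrator.
$overlap = @($ServiceAccounts | Where-Object { $FcsAdmins -contains $_ })

# Rule 2b: no Windows service on this server may log on as a Client Security administrator.
$adminRunServices = @(Get-WmiObject Win32_Service |
    Where-Object { $FcsAdmins -contains $_.StartName } |
    Select-Object Name, StartName)

# Emit one summary object, then the detail of any offending services.
New-Object PSObject -Property @{
    ActionAccount             = $ActionAccount
    ActionAccountIsLocalAdmin = $actionIsAdmin
    ServiceAccountsThatAreFcsAdmins = ($overlap -join ', ')
    ServicesRunningAsFcsAdmin = $adminRunServices.Count
}
$adminRunServices
```

A compliant server reports ActionAccountIsLocalAdmin as True, an empty ServiceAccountsThatAreFcsAdmins value, and ServicesRunningAsFcsAdmin as 0.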