Corrections to Security Configuration for Service Accounts #3214
Deleted "Local administrator group membership on the computer where the Application Service is running." for the Application Service service account. This user (or any IIS App Pool account) must NOT be added to the local administrators group. It has never been required for CRM/Dynamics/Power Apps in a proper least privilege configuration.
Updated references to SeServiceLogonRight and SeBatchLogonRight to use the correct label and constant. https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/log-on-as-a-service https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job
Performance Log Users membership is required for the Application Service and Deployment Web Service accounts only. Removed from Asynchronous Processing Service. Added to Deployment Web Service.
Asynchronous Processing Service also requires SeBatchLogonRight.
Deployment Web Service also requires SeBatchLogonRight.
Updated two references to the CRM_WPG local group to state that "The CRM_WPG group is granted Log on as a service (SeServiceLogonRight) and Log on as a batch job (SeBatchLogonRight) permissions in the Local Security Policy" since client group policy configurations may undo this.
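The least-privilege configuration the description settles on (service account not in local Administrators, Performance Log Users membership only where required, SeServiceLogonRight and SeBatchLogonRight held by CRM_WPG) can be verified on a server rather than trusted from documentation, since group policy may undo the Local Security Policy grants. The following PowerShell audit is an added example, not part of this pull request or of the Dynamics documentation; the account name `CONTOSO\svc-crmapp` is a placeholder, and it relies on the `Microsoft.PowerShell.LocalAccounts` module and `secedit.exe`, both of which need an elevated session.

```powershell
# Added audit example (not from the PR or the product docs).
# Assumptions: CONTOSO\svc-crmapp is a placeholder for the Application Service
# account; CRM_WPG is the local group named in the docs; run elevated.
param(
    [string]$AppServiceAccount = 'CONTOSO\svc-crmapp',
    [string]$WpgGroup          = 'CRM_WPG'
)

# Membership test against a local group; $false when the group is missing.
function Test-LocalGroupMember {
    param([string]$Group, [string]$Account)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -ieq $Account })
}

# Export the effective user-rights assignment (what the LSA actually enforces,
# regardless of whether it came from Local Security Policy or from GPO).
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policyLines = Get-Content -Path $cfg

# secedit writes principals as *SID tokens, so resolve the group to its SID.
function Get-RightHolders {
    param([string]$Right)
    $line = $policyLines | Where-Object { $_ -like "$Right = *" } | Select-Object -First 1
    if (-not $line) { return @() }
    return ($line -replace "^$Right = ", '') -split ',' | ForEach-Object { $_.Trim() }
}

function Test-GroupHasRight {
    param([string]$Group, [string]$Right)
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $holders = Get-RightHolders -Right $Right
    return [bool]($holders | Where-Object { $_ -eq "*$sid" -or $_ -ieq $Group })
}

# Findings: each row is one requirement from the least-privilege configuration.
$findings = @(
    [pscustomobject]@{
        Check = 'App Service account is NOT a local Administrator'
        Pass  = -not (Test-LocalGroupMember -Group 'Administrators' -Account $AppServiceAccount)
    }
    [pscustomobject]@{
        Check = 'App Service account is in Performance Log Users'
        Pass  = Test-LocalGroupMember -Group 'Performance Log Users' -Account $AppServiceAccount
    }
    [pscustomobject]@{
        Check = "$WpgGroup holds Log on as a service (SeServiceLogonRight)"
        Pass  = Test-GroupHasRight -Group $WpgGroup -Right 'SeServiceLogonRight'
    }
    [pscustomobject]@{
        Check = "$WpgGroup holds Log on as a batch job (SeBatchLogonRight)"
        Pass  = Test-GroupHasRight -Group $WpgGroup -Right 'SeBatchLogonRight'
    }
)

Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$findings | Format-Table -AutoSize

# Non-zero exit code when any requirement fails, so the script can gate a deployment.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it on each server hosting the Application Service after group policy has refreshed (`gpupdate /force`), because the exported rights reflect the merged result of local policy and GPO; a failing SeServiceLogonRight or SeBatchLogonRight row with the local policy still showing the grant is the symptom the description warns about.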