We're in the process of hardening DMAs for one of our clients by removing local admin accounts to adhere to security policies set by InfoSec. In a separate Dojo post called "How to Disable Windows Administrator in Production DMS?", this seems to be quite doable, but I have a question. Wouter said in the comments:
Hi Bruno, it is a misconception that agents communicate with each other using the Administrator account by default.
The default behavior is that the machines try to authenticate using their system/machine account. This usually works as machines are in the same domain.
Currently each DMA has a local account with the same UN/PW that has local admin rights. In the past I recall we attempted to use a domain account instead of a local admin when installing the DM software and ran into a lot of problems with communications between the DMAs. Unfortunately it's been a while and I don't remember the exact error, but it was something about unauthorized users. I do seem to think by rerunning the installers with the local admin account, it cleared things up.
Based on what I read in the article posted above, it seems we SHOULD NOT have had issues, so I'm trying to figure out what happened to make sure we can avoid that problem when we remove the local admin accounts. We'd like to avoid using connection strings, but I'm unsure what we need to do to make sure the "default behavior" is successful. Are there any requirements we can check, procedures to test or other suggestions prior to removing the local admin accounts just to make sure we don't break anything?
Thanks!
Hi Jamie,
First of all, I'm very happy you're hardening your DataMiner System!
The inter-DMA authentication will authenticate using the LocalSystem user, which will only work if the agents are joined to the same domain. If they are not in the same domain, you will have to set up connection strings.
Other than this requirement, I don't expect disabling the Administrator accounts to pose any problems, but I will try this in a testing environment and get back to you with my findings.
Thanks Jens! All of the machines are on the same domain, so sounds like we’re good to go. Thanks for testing it out.
Feel free to ping me if you have any issues.
I’ve tested this (2 machines in the same domain): both have their local Administrator disabled, and I was able to set up a DataMiner cluster. I had some issues with NATS, but these were unrelated to the local Administrator account being disabled. Other than this I don’t see any obvious issues.
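The thread above boils down to one requirement before the local Administrator is disabled: every agent must be joined to the same domain with a working machine account, since inter-DMA authentication runs as LocalSystem. The script below is an added example (not DataMiner's own tooling or anything from the Dojo post) of the pre-flight checks a practitioner would run on each DMA to confirm that, using only standard Windows cmdlets. The domain name `corp.example.com` is a placeholder assumption.

```powershell
# Added example, not part of the original post or of DataMiner.
# Pre-flight checks to run on each DMA before disabling the built-in Administrator.
# Run from an elevated PowerShell 5.1+ session on Windows Server 2016 or later
# (Get-LocalUser / Get-LocalGroupMember come from Microsoft.PowerShell.LocalAccounts).

$expectedDomain = 'corp.example.com'   # assumption: replace with the DMAs' actual AD domain

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# 1. Machine-account (LocalSystem) authentication only works when the agent is
#    domain-joined, and inter-DMA authentication only when all agents share
#    the same domain. Anything else needs connection strings instead.
if (-not $cs.PartOfDomain) {
    Write-Warning "$env:COMPUTERNAME is NOT domain-joined; connection strings will be required."
} elseif ($cs.Domain -ne $expectedDomain) {
    Write-Warning "$env:COMPUTERNAME is in domain '$($cs.Domain)', expected '$expectedDomain'."
} else {
    Write-Output "Domain membership OK: $($cs.Domain)"
}

# 2. The computer account needs a healthy secure channel to a domain controller;
#    without it LocalSystem cannot obtain Kerberos tickets for the other agents,
#    which surfaces as "unauthorized" style errors between DMAs.
if (Test-ComputerSecureChannel) {
    Write-Output "Secure channel to $($cs.Domain) OK"
} else {
    Write-Warning "Secure channel broken; repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 3. Find the built-in Administrator by its well-known RID (500) rather than by
#    name, because hardening baselines often rename it.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Write-Output ("Built-in Administrator '{0}' currently enabled: {1}" -f $builtinAdmin.Name, $builtinAdmin.Enabled)

# 4. List the remaining LOCAL members of the Administrators group, so a shared
#    local admin account used during installation is spotted before removal.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    Select-Object Name, ObjectClass, PrincipalSource

# 5. Only once steps 1 and 2 pass on every agent, disable the built-in account:
#    Disable-LocalUser -SID $builtinAdmin.SID
```

Run it on every agent in the cluster and compare the reported domain names; a single agent in a different domain (or with a broken secure channel) is the case where the LocalSystem default stops working and connection strings become necessary.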