Choose from several options for complete web, email and data security.
Learn more
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Come work for the global leader in unified information security. Go
Why does the DC agent need domain/enterprise admin permissions in version 7.6? Our existing environment (7.1 for Web and 7.5 for Data Security) is able to do this with just a regular account.
Here are some questions from a Support Webinar related to DC Agent. This is straight out of the Q&A section of the webinar.
72. Q. What are the consequences when DC Agent runs without domain admin rights?
A. Without proper domain admin rights, users may not be properly identified transparently or identified as a blank user name. This results in incorrect filtering/reporting.
73. Q. Does DC Agent need domain admin settings to run correctly, or can it use a lower security account?
A. Per our deployment guide, Websense requires domain admin privileges in order to work properly.
74. Q. Does the DC Agent support users across domain trusts?
A. Yes. If not trusted, then the domain administrator account used for DC Agent must reside in each domain with the same password, or an enterprise domain administrator account must be assigned to DC Agent.
75. Q. Can you elaborate on what DC Agent does that requires Admin privileges?
A. There are many things that DC Agent does; specifically it looks for net sessions on your domain controller. This allows transparently identifying your Active Directory (AD) users to apply proper filtering and logging of activity. Furthermore, in AD infrastructures with elevated security levels a Domain User or read-only LDAP user will not suffice.
76. Q. How about when I have two domains?
A. If the domains are trusted, then the DC Agent should be able to pull users from both domains. If not trusted, then the domain administrator account used for DC Agent must reside in each domain with the same password, or an enterprise domain administrator account must be assigned to DC Agent.
77. Q. Can the DC agent be run on the V5000 appliance? If so does it need domain admin credentials to run properly?
A. The DC Agent cannot be installed on any V-Series appliance. It MUST be on a Windows operating system. It is NOT supported on a Linux operating system.
I think most of us have read the documentation and see that it says DC Agent requires domain admin privledges. However, the question as to why it does in version 7.6 has not been answered. I run websense in a large enterprise environment, and there is no way our Active Directory group will give a piece of software Write permissions to the AD server, especially without any explanation as to why it requires them. All it should need it to look up users, and it should not require Write access to do this. Version 7.1 didn't, so why the sudden need to break our security protocols and policies by allowing an application uncontrolled permission to write to our directory servers.
Does it need write permissions? Absolutely not. It doesn't use any writing ability whatsoever. It doesn't change passwords, it doesn't add new users, and it doesn't make/modify group objects. DC Agent only does two things:
Can you assign specific permissions so that DC Agent to look at the remote registries and the remote domain controller command calls? Sure. Absolutely. Without a doubt.
JACOB SLOAN, CCNA, WCSE
