ControlUp Monitor Permissions & Security - Cloud ONLY

    One of the most important ControlUp components is the ControlUp Monitor. You install it from within the ControlUp Real-Time Console, and it is the entity in charge of constantly monitoring all endpoints, hypervisors, and more, 24/7.

    The monitor also monitors endpoints for alerts based on the triggers that you have set up, and uploads the data into our Hybrid Cloud reporting system, Insights.

    The best practice is to install the monitor on its own dedicated server and provision it with the necessary resources, as explained in ControlUp Sizing Guidelines.

    The following article explains how the ControlUp Monitor works and which permissions you must grant it so that it works properly.

    If you're using the on-premises solution, see ControlUp Monitor Permissions & Security - On-Premises ONLY.

    The Monitor in Cloud Environments

    After you deploy the monitor, it will be recognized on the machine by its process, cuMonitor.
    There are two entities that the monitor uses on its end:

    1. The cuMonitor.exe process runs as the NETWORK SERVICE account on the monitor machine only.
    2. The monitor uses an AD account that you configure when you set up the monitor for several purposes:
      1. Deploy the ControlUp Agents on remote machines (if the user has administrative rights on the remote machines).
      2. Connect to the machines using port 40705 in order to monitor them (for Insights, alerting, etc.).
    3. The monitor uploads data to our cloud servers to populate data into Insights.
    Note

    If you use a proxy, configure it in the monitor settings: go to Settings > Monitors > Settings and set it under Proxy Settings.


    US (+Non-EU) customers:
    fe2.controlup.com
    fe4.controlup.com
    rt-app.controlup.com
    cu-ca-us.controlup.com
    mp.controlup.com
    s3.amazonaws.com
    insights-hec.controlup.com

    EU customers:
    fe1.controlup.com
    fe3.controlup.com
    rt-app.controlup.com
    cu-ca-eu.controlup.com
    mp.controlup.com
    s3.eu-central-1.amazonaws.com
    insights-hec.controlup.com
    uploader-eu-central-1.controlup.com

    Permissions in the Security Policy pane

    In the ControlUp Real-Time Console, you must delegate the proper security permissions to the AD account that the monitor uses. You set these permissions in the console's Security Policy pane.

    1. In the Perform organization-wide actions section:
      • View All Hypervisors.
      • Connect to Data Source.
      • Use Shared Credentials, in the Shared Credentials Store sub-section.
    2. In the Run Computer Actions section, Connect to Windows Computer.
      Note
      If you have Linux machines in your environment, include the Connect to Linux Computer permission as well.

    It's best practice to configure the credentials that you use in the environment as Shared. To learn more, see Configuring Shared Credentials.

    Local Policy requirements

    The AD account that the monitor uses (the service account defined in the Monitor Settings > Domain identity tab) requires the Allow log on locally user permission on the monitor machine.

    Verify the following in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

    1. The AD account has the Allow log on locally permission.
    2. The AD account isn't part of the Deny log on locally permission.
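
    One way to check both conditions on the monitor machine, as an added example that is not ControlUp's own tooling: it exports the machine's user rights assignments with secedit and compares the Allow log on locally (SeInteractiveLogonRight) and Deny log on locally (SeDenyInteractiveLogonRight) entries against the SIDs of the monitor's AD account and its groups. The UPN and the temporary file name are placeholders; it assumes a domain-joined machine, an elevated PowerShell session, and that Windows can build a token for the account from its UPN.

```powershell
# Added example (not ControlUp code). Run elevated on the monitor machine.
param(
    # Constructed placeholder: UPN of the AD account set in Monitor Settings > Domain identity
    [string]$Upn = 'svc-cumonitor@example.local'
)

function Get-UserRightSids {
    param([string[]]$InfLines, [string]$Right)
    # secedit line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,DOMAIN\name
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }              # right is not assigned to anyone
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) {
            $e.Substring(1)                 # entry is already a SID
        } elseif ($e) {
            try {                           # entry is an account name: translate it to a SID
                ([System.Security.Principal.NTAccount]$e).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$e' to a SID" }
        }
    }
}

# Export the machine's current user rights assignments to a temporary INF file
$cfg = Join-Path $env:TEMP 'cu-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$inf = Get-Content -Path $cfg
Remove-Item -Path $cfg

# SIDs of the account and of every group in its token (token is built from the UPN)
$id   = New-Object System.Security.Principal.WindowsIdentity -ArgumentList $Upn
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$allow = @(Get-UserRightSids -InfLines $inf -Right 'SeInteractiveLogonRight')
$deny  = @(Get-UserRightSids -InfLines $inf -Right 'SeDenyInteractiveLogonRight')
$allowedVia = @($sids | Where-Object { $allow -contains $_ })
$deniedVia  = @($sids | Where-Object { $deny  -contains $_ })

[pscustomobject]@{
    Account            = $Upn
    AllowLogOnLocally  = $allowedVia.Count -gt 0     # condition 1: must be True
    AllowedVia         = $allowedVia -join ', '      # SIDs that grant the right
    DeniedLogOnLocally = $deniedVia.Count -gt 0      # condition 2: must be False
    DeniedVia          = $deniedVia -join ', '       # SIDs that trigger the deny
    MeetsRequirement   = ($allowedVia.Count -gt 0) -and ($deniedVia.Count -eq 0)
}
```

    Because the deny right overrides the allow right, MeetsRequirement is True only when at least one of the account's SIDs is allowed and none is denied.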

    Administrative privileges

    The monitor can install the ControlUp Agent on machines, for example on machines that are booted up agentless.
    In Monitor Settings, we state the following:

    [Image: Monitor Settings]

    It's best practice, but not mandatory, to configure the AD account with admin privileges on the endpoint. If you have the ControlUp Agent baked into the golden image or installed on a machine that isn't going to boot without the agent, the AD account used in the monitor can be a non-admin user.

    Do you have a question?
    Feel free to ask us at support@controlup.com










