ControlUp Monitor Permissions & Security - On-Premises ONLY

    One of the most important ControlUp components is the ControlUp Monitor. You install it from within the ControlUp Real-Time Console, and it is the entity in charge of constantly monitoring all endpoints, hypervisors, and more, 24/7.

    The monitor also monitors endpoints for alerts based on the triggers that you have set up, and uploads the data into our Hybrid Cloud reporting system, Insights.

    The best practice is to install the monitor on its own dedicated server and provision it with the necessary resources, as explained in ControlUp Sizing Guidelines.

    The following article explains how the ControlUp Monitor works and which permissions you must grant it so that it works properly.

    If you're using the Hybrid Cloud solution, see ControlUp Monitor Permissions & Security - Cloud ONLY.

    The Monitor in On-Premises Environments

    In On-Premises deployments, the process differs from the Hybrid Cloud deployment, because Insights is also on-prem (if you purchased it). The monitor writes Activity Files to an SMB share, and Insights reads the files from there.
    After you deploy the monitor, you can recognize it on the machine by its process, cuMonitor.exe.
    The monitor uses two identities on its end:

    1. cuMonitor.exe runs as the NETWORK SERVICE account on the monitor VM only.
    2. The monitor uses an AD account that you configure when you set up the monitor, for several purposes:
      1. Deploying the ControlUp Agents on remote machines (only if the account has administrative rights on the remote machines).
      2. Connecting to the machines over port 40705 in order to monitor them (for Insights, alerting, etc.).
      3. On-premises only: impersonating the AD account in order to write the activity files to the designated folder (the Activity Files Folder).

    In addition, there are permissions that you need to configure to the Activity Files share that holds the files that the monitor sends to Insights.

    Settings for the Activity files folder (Shared & NTFS)

    1. NTFS permissions

      • IOP computer account needs to have: the permissions shown in the screenshot in the original article (image not reproduced here).

      • Monitor AD account needs to have: the permissions shown in the screenshot in the original article (image not reproduced here).

    2. Shared permissions

      • IOP computer account needs to have: the permissions shown in the screenshot in the original article (image not reproduced here).

      • Monitor AD account needs to have: the permissions shown in the screenshot in the original article (image not reproduced here).

    Permissions in the Security Policy (within ControlUp)

    In the ControlUp Real-Time Console, you must delegate the proper security permissions to the AD account that the monitor uses. You do this in the Security Policy pane of the console.

    1. In the Perform organization-wise actions section:
      • View All Hypervisors.
      • Connect to Data Source.
      • Use Shared Credentials, in the Shared Credentials Store sub-section.
    2. In the Run Computer Actions section, Connect to Windows Computer.

    Note: If you have Linux machines in your environment, include the Connect to Linux Computer permission as well.

    It's best practice to configure the credentials that you use in the environment as Shared. To learn more, see Configuring Shared Credentials.

    Local Policy requirements

    The Monitor AD account defined in the monitor (the service account defined in the Monitor settings > Identity tab) requires the Allow log on locally user right on the monitor machine.

    Verify the following in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

    1. The AD account has the Allow log on locally user permission.
    2. The AD account is not part of the Deny log on locally user permission.
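    The following PowerShell script is an added example, not a ControlUp script: run it on the monitor machine (elevated, since secedit needs it) to check the three prerequisites described above, namely that cuMonitor.exe runs as NETWORK SERVICE, that the Monitor AD account holds Allow log on locally and is absent from Deny log on locally, and which NTFS and share entries the account has on the Activity Files folder so you can compare them with the screenshots. The account name, share name and folder path are placeholders you must replace; the user-right check only detects direct assignment, so a right granted through a group will be reported as missing.

```powershell
# Added example (not ControlUp's own script). All three parameter values are assumptions.
param(
    [string]$MonitorAccount = 'CONTOSO\svc-cumonitor',   # placeholder: Monitor AD account
    [string]$ActivityShare  = 'ActivityFiles',           # placeholder: SMB share on this host
    [string]$ActivityPath   = 'D:\ActivityFiles'         # placeholder: folder backing the share
)

# 1. cuMonitor.exe must run as NETWORK SERVICE; match by executable path, not by service name.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*cuMonitor.exe*' }
if (-not $svc) { Write-Warning 'No service running cuMonitor.exe was found on this machine.' }
elseif ($svc.StartName -ne 'NT AUTHORITY\NetworkService') {
    Write-Warning "cuMonitor.exe runs as $($svc.StartName); expected NT AUTHORITY\NetworkService."
} else { Write-Host 'OK: cuMonitor.exe runs as NETWORK SERVICE.' }

# 2. User Rights Assignment: secedit exports each right as a list of SIDs, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($MonitorAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

# True when the named right's line in the export lists the account's SID (direct assignment only).
function Test-DirectRight([string]$Right) {
    return [bool]($policy -match "^$Right\s*=.*$([regex]::Escape($sid))")
}
if (Test-DirectRight 'SeInteractiveLogonRight') { Write-Host 'OK: account has Allow log on locally.' }
else { Write-Warning "$MonitorAccount is not directly granted Allow log on locally (SeInteractiveLogonRight)." }
if (Test-DirectRight 'SeDenyInteractiveLogonRight') {
    Write-Warning "$MonitorAccount is listed under Deny log on locally; the monitor cannot impersonate it."
}

# 3. Activity Files folder: show the account's NTFS and share entries for comparison with the article's screenshots.
Write-Host "NTFS entries for $MonitorAccount on $ActivityPath:"
(Get-Acl -Path $ActivityPath).Access | Where-Object { $_.IdentityReference.Value -eq $MonitorAccount } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
Write-Host "Share entries for $MonitorAccount on \\$env:COMPUTERNAME\$ActivityShare:"
Get-SmbShareAccess -Name $ActivityShare | Where-Object { $_.AccountName -eq $MonitorAccount } |
    Select-Object AccountName, AccessRight, AccessControlType | Format-Table -AutoSize
```

Run the same folder and share checks for the IOP computer account (pass it as `DOMAIN\IOPHOST$`) to cover both identities the article lists.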

    Administrative privileges

    The monitor has the ability to install the ControlUp agent on machines, for example on machines that boot up without an agent.
    The Monitor settings state the following (shown in a screenshot in the original article; image not reproduced here).

    It's best practice, but not mandatory, to configure the AD account with admin privileges on the endpoint. If the ControlUp Agent is baked into the golden image, or is installed on a machine that isn't going to boot without the agent, the AD account used by the monitor can be a non-admin user.

    If you have further questions about the ControlUp Monitor, feel free to ask us at support@controlup.com.
