Must the SphereShield Services run with Local Service and Local System?

Owned by Agat Support
Last updated: Mar 27, 2022 by Avi J. Levin (Unlicensed)
Security may require to change the user running the SphereShield Services (Bastion or SIP filter). It is possible but requires giving permissions for that user. 
It is recommended that the password for this user will never expire. 

For Bastion:

  1. Open Services.msc
  2. Right click on the Bastion service
  3. Open the Log On Tab
  4. Change the "Log on as" field to the desired user
  5. Add permissions to that user to the Bastion folder and Logs folder
In order to use the Windows Machine Certificate Store (for the Bastion listeners) the user should be Local Admin on the machine. Alternatively, you could use File System for the certificate or use Windows User Certificate Store.

For SIP Filter:

  1. Open Services.msc
  2. Right click on the SIP Filter service
  3. Open the Log On Tab
  4. Change the "Log on as" field to the desired user
  5. Add permissions to that user to the SIP Filter folder and Logs folder
  6. Open lusrmgr.msc
  7. Add the user to the "RTC Server Applications" groups