Harden the Splunk Enterprise installation directory on Windows
If you choose to install Splunk Enterprise in a directory that is outside of the Windows Program Files application directory on the drive that booted your Windows machine, that installation directory does not get the automatic protections that directories inside the Program Files directory receive.
Follow these instructions to ensure that Windows enforces the proper access controls to the Splunk software installation directory and that low-privilege users cannot access that directory.
Harden Splunk software installation directories with Windows Explorer
- From an Explorer window, right click on the target installation folder and select Security > Advanced > Disable Inheritance > Remove all inherited permissions from this object.
- Click Add > Select a principal > Administrator > Check Names.
- Click OK.
- Click Check full control.
- Click OK.
- Click Add > Select a principal > SYSTEM > Check Names.
- Click OK.
- Click Check full control.
- Click OK.
- Click Apply, then click OK.
Harden Splunk software installation directories from a PowerShell window or command prompt
These instructions were tested and work as described on Windows versions 8.1 and higher, and Windows Server versions 2008 R2 and 2012 R2. As an example, this procedure uses C:\Splunk as the installation directory.
- Open a command prompt or PowerShell window.
- Run the following command to break inheritance from parent directories.
C:\>icacls C:\Splunk /inheritance:d
- Run the following command to remove the Users group from the directory.
C:\>icacls C:\Splunk /remove "Users" /T
- Run the following command to remove the "Authenticated Users" group from the directory.
C:\>icacls C:\Splunk /remove "Authenticated Users" /T
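The following script is an added example and is not part of the Splunk documentation: it applies the three icacls steps above and then reads the resulting ACL back with Get-Acl to confirm that inheritance is disabled, that no entry remains for Users or Authenticated Users, and that SYSTEM still holds Full control. The $SplunkHome parameter and the two function names are assumptions; C:\Splunk is the page's example path.

```powershell
# Added example (not Splunk's own code). Run from an elevated PowerShell window.
param([string]$SplunkHome = 'C:\Splunk')   # assumed parameter; C:\Splunk is the page's example

function Invoke-SplunkDirHardening {
    param([Parameter(Mandatory)][string]$Path)
    # Same three icacls steps as the procedure above; /T recurses into subfolders and files.
    $steps = @(
        @('/inheritance:d'),
        @('/remove', 'Users', '/T'),
        @('/remove', 'Authenticated Users', '/T')
    )
    foreach ($args in $steps) {
        icacls $Path @args | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls $($args -join ' ') failed on $Path" }
    }
}

function Test-SplunkDirHardening {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $problems = @()
    # AreAccessRulesProtected is $true once inheritance from the parent has been disabled.
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }
    # Any remaining ACE for these broad groups means low-privilege users can still reach the directory.
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $systemFull = $false
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($broad -contains $who) { $problems += "ACE still present for $who" }
        # SYSTEM must keep Full control so the Splunk service can still read and write its directory.
        if ($who -eq 'NT AUTHORITY\SYSTEM' -and $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
            [System.Security.AccessControl.FileSystemRights]::FullControl) { $systemFull = $true }
    }
    if (-not $systemFull) { $problems += 'SYSTEM does not have Full control' }
    [pscustomobject]@{ Path = $Path; Hardened = ($problems.Count -eq 0); Problems = $problems }
}

Invoke-SplunkDirHardening -Path $SplunkHome
# Check the top-level directory and every subdirectory, since /remove ran with /T.
@(Get-Item $SplunkHome) + (Get-ChildItem -Path $SplunkHome -Recurse -Directory) |
    ForEach-Object { Test-SplunkDirHardening -Path $_.FullName } |
    Where-Object { -not $_.Hardened }
```

Any object the pipeline prints is a directory that still needs attention; no output means every directory under $SplunkHome passed the check.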
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1