Sophos Management Service: significant files and registry entries

Significant files
MgntSvc.exe
MgntSvc-<Timestamp>.log
Msgs.dll

Significant registry keys
HKLM\SOFTWARE\Sophos\EE\Management Tools\DatabaseConnectionMS
HKLM\SOFTWARE\Sophos\EE\Management Tools\Server Location
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Management Service
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sophos Management Service
HKLM\SOFTWARE\Sophos\EE\Management Tools\DBPurgeIntervalInMinutes
HKLM\SOFTWARE\Sophos\EE\Management Tools\

The following key is located differently for 32-bit and 64-bit computers:

  • 32-bit:- HKLM\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser
  • 64-bit:- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\sophos\EE\Management Tools\DatabaseUser

Significant files

MgntSvc.exe

MgntSvc.exe is the executable of the service 'Sophos Management Service'.

Account: This runs as the 'Local System' account.

Location: C:\Program Files\Sophos\Enterprise Console\MgntSvc.exe

MgntSvc-[Timestamp].log

A log file of the management service. As with the other RMS log files (covered later), this one cycles after 4 logs are created.

Location: C:\Documents and settings\All Users\Application Data\Sophos\Sophos Endpoint Management\3.0\log\MgntSvc-.log

Msgs.dll

Provides the event messages as written to the Application event log of the machine.

Location: C:\program files\Sophos\Enterprise Console\Msgs.dll


Significant registry keys

____________________________________________

HKLM\Software\Sophos\EE\Management Tools\DatabaseConnectionMS
Defines how the management service connects to the database. An example connection string would be:
Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS2;Data Source=<ServerName>\SOPHOS
Where:

  • Initial Catalog refers to the database name, i.e. SOPHOS2
  • Data Source is the server name and instance name in the format <ServerName>\SOPHOS

If there is no named instance, this could just be: Data Source=<ServerName>.

____________________________________________

HKLM\Software\Sophos\EE\Management Tools\ServerLocation
This registry key is strictly used by the Enterprise Console to locate the management server. In the case of a remote console this would be the server name. If the Enterprise Console is local to the management service this would be a ‘.’.

____________________________________________

HKLM\SYSTEM\CurrentControlSet\Services\Sophos Management Service
The service key for MgntSvc.exe. The start-up type is Automatic and the service runs as Local System.

____________________________________________

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sophos Management Service
Enables the Management Service to hook into the Application event log.

____________________________________________

HKLM\Software\Sophos\EE\Management Tools\DBPurgeIntervalInMinutes
DWORD, default value: 1440 (24 hours)
This specifies the alert purge interval in minutes. The timer is reset when the Management Service starts. Changes to the purge interval will not be applied until the Management Service is restarted.

The principle applied by the installer is that access to keys is generally made available to those that may require it, except where that might present a security loophole.

Full Control permission is explicitly set on the root registry key for the Administrators group - and for the Sophos Console Administrators group if it exists on this machine (i.e. if the Management Server feature is being installed). Otherwise this key will inherit all of the permissions of its parent.

____________________________________________

HKLM\SOFTWARE\Sophos\EE\Management Tools
As above, Full Control permission is explicitly granted to Administrators (and Sophos Console Administrators) and SYSTEM. Read permission is granted to the group Everyone. All other rights to access this key are removed. These permissions are inherited by all descendants except for DatabaseUser, as described below.

____________________________________________

For 32-bit computers:- HKLM\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser

For 64-bit computers:- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\sophos\EE\Management Tools\DatabaseUser

As above, Full Control permission is explicitly granted to Administrators (and Sophos Console Administrators). All other rights to access this key are removed.
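
One way to check that a server still matches the permissions described above. This is an added example, not Sophos code: the function name Get-SophosKeyAclFinding and the write-rights mask are assumptions made for illustration, and any allow entry outside the lists given in this article is marked REVIEW.

```powershell
# Added example (not Sophos code): read-only audit of the registry ACLs described above.
# Run elevated on the management server. SIDs are compared so it works on localized Windows.
$admins = 'S-1-5-32-544'; $system = 'S-1-5-18'; $everyone = 'S-1-1-0'
$consoleAdmins = $null   # this group exists only where the Management Server is installed
try {
    $nt = [System.Security.Principal.NTAccount]'Sophos Console Administrators'
    $consoleAdmins = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch { Write-Verbose 'Sophos Console Administrators group not found on this machine' }

$root = 'HKLM:\SOFTWARE\Sophos\EE\Management Tools'
$expected = @(
    @{ Path = $root; Full = @($admins, $system, $consoleAdmins); Read = @($everyone) }
    @{ Path = "$root\DatabaseUser"; Full = @($admins, $consoleAdmins); Read = @() }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\EE\Management Tools\DatabaseUser'
       Full = @($admins, $consoleAdmins); Read = @() }
)
# Rights that let a principal change a key: SetValue, CreateSubKey, CreateLink, Delete,
# ChangePermissions, TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL (inherit-only ACEs).
$writeMask = 0x500D0026

function Get-SophosKeyAclFinding {   # hypothetical helper name
    param([string]$Path, [string[]]$Full, [string[]]$Read)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # e.g. WOW6432Node on 32-bit
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        $canWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
        # Expected: a Full Control principal, or a read-only principal with no write rights.
        $ok = ($Full -contains $sid) -or (($Read -contains $sid) -and -not $canWrite)
        $name = $sid   # fall back to the SID if it cannot be resolved to a name
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Key = $Path; Identity = $name; Rights = $ace.RegistryRights
            Inherited = $ace.IsInherited; Protected = $acl.AreAccessRulesProtected
            Status = if ($ok) { 'expected' } else { 'REVIEW' }
        }
    }
}

foreach ($e in $expected) { Get-SophosKeyAclFinding @e }
```

The Protected column shows whether the key blocks inherited permissions, which is what you would expect to see on DatabaseUser given that it does not take its parent's ACL.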

If you need more help, please contact technical support.