Monitoring Service Security

The SentryOne monitoring service is a Windows service that runs in the context of a domain account. It is used by SentryOne Software (i.e. SQL Sentry, DW Sentry, V Sentry, etc.) and SentryOne Monitor (part of SentryOne Cloud).

Security Requirements

Important:  Prior to version 19.1.1, the account must have sysadmin privileges on each watched SQL Server. Watching targets on SQL Server 2008 R2 or earlier without sysadmin privileges is not supported in any version of SQL Sentry.

  • If the monitoring service account and interactive user do not have sysadmin privileges, then: 
    • They must, at a minimum, be a principal on the SQL Server target with the CONTROL SERVER permission granted.
    • They must be a member of the SQLAgentOperatorRole role in the msdb database. 
      • This automatically includes membership in the SQLAgentReaderRole and SQLAgentUserRole.
    • Membership in the securityadmin server role may be required to guarantee collection of SQL Agent Log events, depending on the exact SP/CU of the SQL Server version. 
  • The account must also have Windows Administrator privileges on any computer with a watched Windows Task Scheduler instance in order to collect system-level performance metrics with SentryOne Performance Analysis. If the monitoring service account does not have Windows Administrator privileges, instance-level metrics can still be collected using the Limited Access option.
  • It isn't necessary for this account to be a domain administrator account. 
    • It's recommended that the service account be a standard user domain account that's added to the local administrators group of each monitored target. 
    • For more information about security and SentryOne Performance Analysis, see the Performance Analysis Security Requirements topic.
  • The monitoring service does not support using MSA (Managed Service Accounts) or GMSA (Group Managed Service Accounts) for the monitoring service account.

Important:  There are some limitations when not using sysadmin privileges:

  • SQL Sentry will not be able to collect VLF and log file data for targets that are on SQL Server 2016 SP1 or earlier.
  • Last DBCC CHECKDB time is available only if the targets are on the following SQL Server versions with the appropriate SP or CU:
    • 2014 SP3+
    • 2016 SP2+
    • 2017 CU7+
    • 2019+
  • You will not be able to start or stop the SQL Server Agent from the SentryOne client unless the target Access Level is Full Access and the interactive user is a Windows admin on the associated Windows target for that watched SQL Server.
  • The watch status of SQL Agent Alerts cannot be changed.

Additional Information: See the SentryOne v19.1.1: Monitoring Service Security Requirements blog post for additional details on not using sysadmin privileges.

Note:  As of SQL Server 2008, the local Administrators group of a Windows server (BUILTIN\Administrators) is no longer automatically granted access to a SQL Server instance installed on that server; the service account must be granted a login explicitly (directly or through a Windows group). Keep this in mind when installing SentryOne for use with SQL Server 2008 and above.

Important:  Adding the service account to the local Windows Administrators group on the SentryOne database server doesn't automatically grant the service account access to the SentryOne database; that access must be granted within SQL Server.
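The following T-SQL is an added example, not a SentryOne script. It applies the non-sysadmin permission set listed under Security Requirements (CONTROL SERVER, SQLAgentOperatorRole in msdb, and optionally securityadmin) to a watched SQL Server 2012 or later instance, creating the login explicitly because, as the notes above say, local Administrators membership no longer confers access to the instance. The domain account CONTOSO\svc-sentryone is a placeholder; run the script as sysadmin on the target. The final step impersonates the login and reports its effective permissions, which is the check a practitioner wants before switching the monitoring service to that account.

```sql
-- Added example (not SentryOne's own script): grant the non-sysadmin
-- monitoring permission set to the hypothetical domain account
-- CONTOSO\svc-sentryone on a watched SQL Server 2012+ instance.
-- Run as sysadmin on the target and replace the account name.

USE [master];
GO

-- Local Administrators membership does not create a SQL Server login on
-- SQL Server 2008 and later, so the login must be created explicitly.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-sentryone')
    CREATE LOGIN [CONTOSO\svc-sentryone] FROM WINDOWS;
GO

-- Minimum server-level requirement instead of the sysadmin role.
GRANT CONTROL SERVER TO [CONTOSO\svc-sentryone];
GO

-- Only if SQL Agent Log events are not collected on this SP/CU:
-- ALTER SERVER ROLE [securityadmin] ADD MEMBER [CONTOSO\svc-sentryone];

-- msdb: SQLAgentOperatorRole, which also carries SQLAgentReaderRole
-- and SQLAgentUserRole membership.
USE [msdb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-sentryone')
    CREATE USER [CONTOSO\svc-sentryone] FOR LOGIN [CONTOSO\svc-sentryone];
ALTER ROLE [SQLAgentOperatorRole] ADD MEMBER [CONTOSO\svc-sentryone];
GO

-- Verification: impersonate the login (still in the msdb context so the
-- database role check applies to msdb) and report effective rights.
EXECUTE AS LOGIN = N'CONTOSO\svc-sentryone';
SELECT IS_SRVROLEMEMBER('sysadmin')                     AS is_sysadmin,        -- expect 0
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')  AS has_control_server, -- expect 1
       IS_ROLEMEMBER('SQLAgentOperatorRole')            AS is_agent_operator,  -- expect 1
       IS_ROLEMEMBER('SQLAgentReaderRole')              AS is_agent_reader;    -- expect 1
REVERT;
GO
```

If the impersonation step itself fails with a "cannot find the login" error, the account has never been granted a login on that instance, which is exactly the situation the note about local Administrators describes. Treat the account as highly privileged even without sysadmin: CONTROL SERVER confers every server-level permission and differs from sysadmin mainly in that explicit DENYs still apply to it.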

Changing the Monitoring Service Credentials

After the initial installation, the Service Configuration utility is used to update or change the credentials of the SentryOne monitoring service account. The Service Configuration utility is accessed within the SentryOne program group in the Windows Start menu.

Important: 

  • Using the Service Configuration utility is the only supported way of changing the SentryOne monitoring service credentials. For more information, see the Monitoring Service Logon Account topic.
  • For SentryOne Monitor, the Service Configuration utility changes only the monitoring service credentials, not the database to which the monitoring service connects.
  • Always verify that the service account has full access to the instance where SentryOne is installed.
    • For SentryOne Monitor, this is the SQL Server Express instance that was installed with the configuration client.


Monitoring Service Connection Properties

If a target's Monitor Performance setting is False and you don't need the General Performance Monitoring features, you may configure the monitoring service to connect to that instance with SQL Server Authentication. This is done through the instance's Monitoring Service Connection Properties.

To access the Monitoring Service Connection Properties for an instance complete the following steps: 

  1. Open the Navigator pane (View > Navigator).
  2. Right-click the desired instance, and then select the Monitoring Service Connection Properties command to open the Service Connection Properties dialog.
  3. Uncheck Use Integrated Authentication, and then enter the SQL Server Authentication account you'd like the monitoring service to use for the instance. Select OK to save your changes.
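As an added example (not SentryOne's own script), the following T-SQL prepares a SQL Server Authentication login on the target for the procedure above. The login name svc_sentryone_sql and the password are placeholders. It first confirms the instance accepts SQL logins at all, then creates the login so that the Windows password policy is enforced but the password never expires and no change is forced at first logon, because a service cannot respond to either prompt and an expired password would stop collection. The server and msdb permissions are the same ones required for a Windows account; the closing query reports the login state to check before entering the credentials in the Service Connection Properties dialog.

```sql
-- Added example (not SentryOne's own script): create a SQL Server
-- Authentication login for the monitoring service on a watched target.
-- svc_sentryone_sql and the password are placeholders; run as sysadmin.

USE [master];
GO

-- Mixed-mode authentication must be enabled or a SQL login cannot connect.
-- 1 = Windows Authentication only (change the server setting first), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO

-- CHECK_POLICY ON keeps the Windows complexity/lockout policy in force;
-- CHECK_EXPIRATION OFF prevents the password from expiring under a service
-- that can never change it. MUST_CHANGE is not requested for the same reason.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'svc_sentryone_sql')
    CREATE LOGIN [svc_sentryone_sql]
        WITH PASSWORD         = N'<replace-with-a-long-random-password>',
             CHECK_POLICY     = ON,
             CHECK_EXPIRATION = OFF,
             DEFAULT_DATABASE = [master];
GO

-- Same requirement as for the Windows account: CONTROL SERVER rather than sysadmin.
GRANT CONTROL SERVER TO [svc_sentryone_sql];
GO

-- Same msdb requirement as for the Windows account.
USE [msdb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'svc_sentryone_sql')
    CREATE USER [svc_sentryone_sql] FOR LOGIN [svc_sentryone_sql];
ALTER ROLE [SQLAgentOperatorRole] ADD MEMBER [svc_sentryone_sql];
GO

-- Verify the login state before pointing the monitoring service at it.
USE [master];
GO
SELECT LOGINPROPERTY(N'svc_sentryone_sql', 'IsLocked')            AS is_locked,          -- expect 0
       LOGINPROPERTY(N'svc_sentryone_sql', 'IsExpired')           AS is_expired,         -- expect 0
       LOGINPROPERTY(N'svc_sentryone_sql', 'IsMustChange')        AS is_must_change,     -- expect 0
       LOGINPROPERTY(N'svc_sentryone_sql', 'BadPasswordCount')    AS bad_password_count, -- expect 0
       LOGINPROPERTY(N'svc_sentryone_sql', 'PasswordLastSetTime') AS password_last_set;
GO
```

Re-run the final query if collection for the target stops unexpectedly: a non-zero is_locked or bad_password_count after a password rotation points at the Service Connection Properties still holding the old credential.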

Adjusting Target Access Level

You may wish to monitor an instance where OS-level metrics through WMI and/or the Windows Performance Library are inaccessible; this is occasionally the case for cloud-based or hosted servers. In these circumstances, a target may be added with Limited Access. This suspends attempts to access the resources required for some functionality, such as the Disk Space and Activity tabs and Windows Metrics on the Performance Analysis Dashboard. Once access to those resources has been restored, the Access Level can be set to Full Access in the Monitoring Service Connection Properties at the target level in the Navigator pane. Similarly, if a watched target starts generating errors because of connectivity issues with OS-level resources that can't be resolved, changing the Access Level to Limited lets you continue monitoring non-OS metrics without triggering connectivity errors for the target.

Important:  If you configure SQL Authentication for an instance that's being monitored with SentryOne Performance Analysis, Performance Analysis won't be able to collect Windows level metrics for that instance. This is because Performance Analysis collects various performance and configuration data directly from Windows, and requires a higher level of access to the operating system than Event Calendar. For more information, see the Performance Analysis Security Requirements topic.

Starting the Monitoring Service

Note:  The SentryOne monitoring service starts automatically after installation.

  • For SentryOne Software, it activates upon detecting a valid license on the SentryOne database.
  • For SentryOne Monitor, it activates upon entering valid credentials in the SentryOne Cloud Login dialog during onboarding. If valid credentials are not entered, the monitoring service will not be able to validate your license.

If the service fails to start, complete the following steps to start it manually:

  1. Open the Services window in Windows by selecting Control Panel > System and Security > Administrative Tools > Services.
  2. Select SentryOne Monitoring Service from the list of services. Right-click SentryOne Monitoring Service, and then select Start from the context menu, or select the Play button on the toolbar to start the service.

Success: You've manually started the SentryOne Monitoring Service.
