Security Best Practices for Running Agent as a Windows Service

Run the Files.com Agent under a dedicated user account, not the default LocalSystem account. LocalSystem carries extensive privileges across the machine, well beyond what the Agent needs. A dedicated account, scoped to the directories and network shares the Agent actually touches, follows the principle of least privilege and limits the blast radius if the account is ever compromised.

Use a Dedicated User Account

Create a Windows account specifically for the Agent service. Grant it only the permissions the Agent requires: read, write, update, and delete on the directories or network shares the Agent reads from and writes to. Do not reuse a human user's account, and do not grant administrative rights.

Configure Service Logon Settings

Configure the Files.com Agent service to log on as the dedicated account. In the Services management console (services.msc), open the service's properties, switch to the Log On tab, and specify the account. The account must have the "Log on as a service" right assigned, or the service will fail to start.

Manage Password Policies

Apply a strong password policy to the service account. Rotate the password on a regular cadence and do not set it to never expire. Where the environment supports it, use a Managed Service Account (MSA) or Group Managed Service Account (gMSA) so Windows handles password rotation automatically.
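The following PowerShell audit is an added example, not Files.com code. It checks an installed service against the guidance above: the logon account, local Administrators membership, password expiry for a local account, and rights on one Agent directory beyond read, write, update, and delete. The service name and directory are placeholders, and the checks cover only direct group membership and ACL entries that name the account itself.

```powershell
# Added example, not Files.com code. Run from an elevated PowerShell prompt.
# '<AGENT_SERVICE_NAME>' and '<AGENT_DATA_DIR>' are placeholders: use the
# service name from services.msc and a directory the Agent reads or writes.
param(
    [string]$ServiceName = '<AGENT_SERVICE_NAME>',
    [string]$DataPath    = '<AGENT_DATA_DIR>'
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

$account  = $svc.StartName
$findings = @()

if ($account -eq 'LocalSystem') {
    $findings += 'Service runs as LocalSystem, not a dedicated account.'
} else {
    # Win32_Service reports local accounts as ".\name"; expand before resolving.
    $name = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $nt   = [System.Security.Principal.NTAccount]$name
    $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Direct members only; nested domain groups are not expanded.
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    if ($adminSids -contains $sid) {
        $findings += "$account is a member of the local Administrators group."
    }

    # Local accounts only; MSA/gMSA and domain users return nothing here.
    $user = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND SID='$sid'"
    if ($user -and -not $user.PasswordExpires) {
        $findings += "$account has a password that never expires."
    }

    # Full Control adds these two rights on top of read/write/modify/delete.
    $extra = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -Path $DataPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $grantsExtra = ($rule.FileSystemRights -band $extra) -ne 0
        if ($rule.IdentityReference.Value -eq $sid -and $rule.AccessControlType -eq 'Allow' -and $grantsExtra) {
            $findings += "$account can change permissions or take ownership on $DataPath."
        }
    }
}

if ($findings) { $findings } else { "No findings for '$ServiceName' ($account)." }
```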

Monitor and Audit Service Account Activity

Audit the service account's login attempts and resource access through Windows auditing, and review the logs on a regular schedule. Unexpected logons, access to directories outside the Agent's normal scope, or activity outside expected hours are signals to investigate.

Document Configuration Details

Record the account's assigned permissions, password rotation schedule, and any configuration changes. This record is what you reference during audits, when handing the Agent off to another administrator, or when diagnosing a permission-related failure.