
# SharpHound Enterprise System Requirements and Deployment Process

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=b682a26b342bde12302ec829e265bdb6" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

The SharpHound Enterprise service is a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis.

SharpHound Enterprise is deployed as a signed Windows service, runs under the context of a domain account, and collects from one or more domains utilizing the configured service account.

## Deployment Process Overview

To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:

1. Provision a server that meets or exceeds the Hardware, Software, and Network requirements below.
2. Create a Service Account or [gMSA](/install-data-collector/install-sharphound/create-gmsa) for SharpHound to run as, meeting the Service Account Requirements below.
3. [Install and Upgrade SharpHound Enterprise](/install-data-collector/install-sharphound/installation-upgrade)
4. [Create a BloodHound Enterprise collector client](/collect-data/enterprise-collection/create-collector)
5. [Run an On Demand Scan](/collect-data/enterprise-collection/on-demand-scan) or [Create a data collection schedule](/collect-data/enterprise-collection/collection-schedule)

## Server Requirements

### Hardware

| Resource            | Minimum          | Recommended      | Large enterprise |
| ------------------- | ---------------- | ---------------- | ---------------- |
| **Processor Cores** | 2 physical cores | 4 physical cores | 6 physical cores |
| **Memory**          | 4GB RAM          | 16GB RAM         | 32GB RAM         |
| **Hard disk space** | 1GB for logging  | 5GB for logging  | 20GB for logging |

<Note>These recommendations should be considered a baseline and may need to be increased depending on the size and complexity of your environments.</Note>

Minimums apply to test or development deployments.
Where multiple collectors are deployed on a single host, scaling will be necessary to maintain performance.

### Software

* Windows Server 2019+
* .NET 4.7.2+

### Network

* TLS on 443/TCP to your BloodHound Enterprise SaaS tenant URL (proxy is supported)
* LDAP to at least one domain controller in each domain requiring collection.
  * By default, SharpHound will attempt LDAP over SSL first, then fall back to LDAP if SSL is unavailable.
    * LDAP over SSL on 636/TCP (configurable port)
    * LDAP on 389/TCP (configurable port)
  * LDAP over SSL is enforceable.
  * [LDAP channel signing](https://www.hub.trimarcsecurity.com/post/ldap-channel-binding-and-signing) is used for all queries.
* \[Optional] If performing privileged collection (see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection))
  * SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
  * SMB/RPC on 135/TCP to all in-scope domain-joined Windows systems for NTLM relay-based collection
  * Approximately 60-100kB network bandwidth per collection to each in-scope domain-joined Windows system
* \[Optional] If performing DC Registry and CA Registry collection (see [DC Registry and CA Registry details](/collect-data/sharphound-data-permissions))
  * SMB/RPC on 445/TCP to all DCs and domain-joined CAs

## Service Account Requirements

Run the SharpHound Enterprise service under a domain-joined account that has the **Log on as a service** User Rights Assignment on the SharpHound Enterprise server. This account can be a traditional user account or a [Group Managed Service Account (gMSA)](/install-data-collector/install-sharphound/create-gmsa).

The service account needs permissions to collect data from your target domains and domain-joined systems as detailed in [SharpHound Data Collection and Permissions](/collect-data/sharphound-data-permissions).

We recommend following [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).

<Warning>The SharpHound collection service account does not require `Domain Admin` membership.</Warning>

| Data type                                                                                               | Default permissions                                                        | Least-privileged option                                                                                 |
| ------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| [Active Directory Structure](/collect-data/sharphound-data-permissions#active-directory-structure-data) | `Authenticated Users` can read most required data via LDAP                 | Delegate additional read permissions where needed (for example, restricted AD objects and dMSA)         |
| [Local Group Membership](/collect-data/sharphound-data-permissions#local-group-membership)              | Local `Administrators`                                                     | Delegate Remote SAM access with Group Policy configuration                                              |
| [User Rights Assignments](/collect-data/sharphound-data-permissions#user-rights-assignments)            | Local `Administrators`                                                     | No known delegation path today                                                                          |
| [NTLM](/collect-data/sharphound-data-permissions#ntlm)                                                  | Local `Administrators`                                                     | Delegate registry access with Group Policy or registry configuration                                    |
| [Sessions](/collect-data/sharphound-data-permissions#sessions)                                          | Local `Administrators`                                                     | On Windows Server, `Print Operators` can be used; Windows desktops still require local `Administrators` |
| [Certificate Services](/collect-data/sharphound-data-permissions#certificate-services)                  | `Authenticated Users` can collect most ADCS LDAP data                      | Already least-privileged by default for LDAP-collected certificate services data                        |
| [CA Registry](/collect-data/sharphound-data-permissions#ca-registry)                                    | `Authenticated Users` can collect CA registry data when AD CS is installed | No additional delegation is typically required                                                          |
| [DC Registry](/collect-data/sharphound-data-permissions#dc-registry)                                    | Local `Administrators` on domain controllers                               | Delegate access via Group Policy or registry configuration for required paths                           |

<Note>If Active Directory tombstoning is enabled, the service account must also have [read permissions](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/non-administrators-view-deleted-object-container) on the deleted objects container.</Note>
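As an added pre-deployment readiness check (not SharpHound or BloodHound Enterprise code), the script below tests the Software and Network requirements above and confirms the service account holds the Log on as a service right on this host; parameter names and the tenant hostname are assumptions, and it runs in PowerShell as a local administrator on the intended SharpHound server.

```powershell
# Added readiness check (not SharpHound/BHE code); parameter names are assumptions. Run as local admin on the SharpHound server.
param(
    [Parameter(Mandatory)] [string]   $TenantHost,          # your BHE tenant hostname (placeholder)
    [Parameter(Mandatory)] [string[]] $DomainControllers,   # at least one DC per in-scope domain
    [Parameter(Mandatory)] [string]   $ServiceAccount,      # DOMAIN\user or DOMAIN\gmsa$
    [string[]] $PrivilegedTargets = @(),                    # only if privileged collection is planned
    [int] $LdapsPort = 636,
    [int] $LdapPort  = 389
)
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) { $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }) }
function Test-Port([string]$Target, [int]$Port) { [bool](Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue) }

# Software: Windows Server 2019+ (build 17763; ProductType 1 = workstation) and .NET Framework 4.7.2+
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2019+' ([int]$os.BuildNumber -ge 17763 -and $os.ProductType -ne 1) "$($os.Caption) build $($os.BuildNumber)"
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.7.2+' ($rel -ge 461808) "Release=$rel"   # 461808 is the 4.7.2 release key

# Network: TLS on 443/TCP to the tenant (direct test; a configured proxy is not exercised here)
Add-Check "443/TCP to $TenantHost" (Test-Port $TenantHost 443) 'direct, no proxy'

# Network: LDAPS is tried first, then plain LDAP, per DC; the fallback is flagged so LDAPS can be fixed or enforced
foreach ($dc in $DomainControllers) {
    $ldaps  = Test-Port $dc $LdapsPort
    $ldap   = -not $ldaps -and (Test-Port $dc $LdapPort)
    $detail = if ($ldaps) { "LDAPS $LdapsPort reachable" } elseif ($ldap) { "LDAPS unreachable; would fall back to LDAP $LdapPort" } else { 'no LDAP port reachable' }
    Add-Check "LDAP to $dc" ($ldaps -or $ldap) $detail
}

# Optional: privileged collection needs 445/TCP and 135/TCP to each in-scope domain-joined host
foreach ($h in $PrivilegedTargets) {
    Add-Check "SMB/RPC to $h" ((Test-Port $h 445) -and (Test-Port $h 135)) '445 and 135 both required'
}

# Service account: direct 'Log on as a service' grant on this host (a right inherited via group membership is not resolved here)
$cfg = Join-Path $env:TEMP 'sharphound-urights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid  = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
$line = [string](Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' })
Add-Check "Log on as a service: $ServiceAccount" ($line -match [regex]::Escape("*$sid")) $line
Remove-Item $cfg -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize
```

A row with `Ok = False` on the LDAP check whose detail mentions the fallback means collection would run over unencrypted LDAP to that DC; the hardware rows are not checked because they depend on environment size.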

### Integrated Windows Authentication (IWA)

If you want to use IWA for SharpHound, the following additional requirements apply:

* An Active Directory Federation Services (ADFS) server must be reachable on your network
  <Note>Both the system running SharpHound and the BloodHound Enterprise tenant require network connectivity to the ADFS server</Note>
* The service account must be [configured](/install-data-collector/install-sharphound/configure-adfs-iwa) in ADFS to support Windows authentication for SharpHound
* The Client ID property must be registered in ADFS (it is provided during [collector client creation](/collect-data/enterprise-collection/create-collector))
* The local SharpHound configuration must include the [IWA-specific properties](/install-data-collector/install-sharphound/local-configuration#integrated-windows-authentication-iwa) in the `settings.json` file
