diff --git a/sensu/api_conf.sls b/sensu/api_conf.sls
index 720a63c..26bdec0 100644
--- a/sensu/api_conf.sls
+++ b/sensu/api_conf.sls
@@ -1,4 +1,5 @@
 {% from "sensu/pillar_map.jinja" import sensu with context -%}
+{% from "sensu/configfile_map.jinja" import files with context %}
 
 include:
   - sensu
@@ -6,9 +7,9 @@ include:
 /etc/sensu/conf.d/api.json:
   file.serialize:
     - formatter: json
-    - user: root
-    - group: root
-    - mode: 644
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    - mode: 640
     - require:
       - pkg: sensu
     - dataset:
diff --git a/sensu/client.sls b/sensu/client.sls
index 2cfbe7e..53424ed 100644
--- a/sensu/client.sls
+++ b/sensu/client.sls
@@ -29,6 +29,11 @@ sensu_standalone_checks_file:
     - dataset:
         checks: {{ salt['pillar.get']('sensu:standalone_checks') }}
     - formatter: json
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    {%- if grains['os_family'] != 'Windows' %}
+    - mode: 640
+    {%- endif %}
     - require:
       - pkg: sensu
     - watch_in:
@@ -42,11 +47,11 @@ sensu_standalone_checks_file:
 /etc/sensu/conf.d/client.json:
   file.serialize:
     - formatter: json
-    - user: {{files.files.user}}
-    - group: {{files.files.group}}
-    {% if grains['os_family'] != 'Windows' %}
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    {%- if grains['os_family'] != 'Windows' %}
     - mode: 644
-    {% endif %}
+    {%- endif %}
     - makedirs: True
     - dataset:
         client:
diff --git a/sensu/configfile_map.jinja b/sensu/configfile_map.jinja
index f137f69..277d462 100644
--- a/sensu/configfile_map.jinja
+++ b/sensu/configfile_map.jinja
@@ -1,8 +1,8 @@
 {% set files = salt['grains.filter_by']({
     'default': {
         'files': {
-            'user': 'root',
-            'group': 'root',
+            'user': 'sensu',
+            'group': 'sensu',
         },
     },
     'Windows': {
diff --git a/sensu/rabbitmq_conf.sls b/sensu/rabbitmq_conf.sls
index 1c160fa..c970413 100644
--- a/sensu/rabbitmq_conf.sls
+++ b/sensu/rabbitmq_conf.sls
@@ -7,12 +7,12 @@ include:
 /etc/sensu/conf.d/rabbitmq.json:
   file.serialize:
     - formatter: json
-    - user: {{files.files.user}}
-    - group: {{files.files.group}}
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
     - makedirs: True
-    {% if grains['os_family'] != 'Windows' %}
-    - mode: 644
-    {% endif %}
+    {%- if grains['os_family'] != 'Windows' %}
+    - mode: 640
+    {%- endif %}
     - dataset:
         rabbitmq:
           host: {{ sensu.rabbitmq.host }}
diff --git a/sensu/redis_conf.sls b/sensu/redis_conf.sls
index 5d0b252..90f0d8f 100644
--- a/sensu/redis_conf.sls
+++ b/sensu/redis_conf.sls
@@ -1,11 +1,12 @@
 {% from "sensu/pillar_map.jinja" import sensu with context -%}
+{% from "sensu/configfile_map.jinja" import files with context %}
 
 /etc/sensu/conf.d/redis.json:
   file.serialize:
     - formatter: json
-    - user: root
-    - group: root
-    - mode: 644
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    - mode: 640
     - require:
       - pkg: sensu
     - dataset:
diff --git a/sensu/server.sls b/sensu/server.sls
index 606c6c6..90d47e3 100644
--- a/sensu/server.sls
+++ b/sensu/server.sls
@@ -1,4 +1,5 @@
 {% from "sensu/pillar_map.jinja" import sensu with context -%}
+{% from "sensu/configfile_map.jinja" import files with context %}
 
 include:
   - sensu
@@ -10,6 +11,12 @@ include:
   file.recurse:
     - source: salt://{{ sensu.paths.conf_d }}
     - template: jinja
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    {%- if grains['os_family'] != 'Windows' %}
+    - file_mode: 640
+    - dir_mode: 750
+    {%- endif %}
     - require:
       - pkg: sensu
     - watch_in:
@@ -22,6 +29,11 @@ sensu_subscription_checks_file:
     - dataset:
         checks: {{ salt['pillar.get']('sensu:checks') }}
     - formatter: json
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    {%- if grains['os_family'] != 'Windows' %}
+    - mode: 640
+    {%- endif %}
     - require:
       - pkg: sensu
     - watch_in:
@@ -39,6 +51,8 @@ sensu_handlers_file:
     - name: {{ sensu.paths.handlers_file }}
     - dataset_pillar: sensu:handlers
     - formatter: json
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
     - require:
       - pkg: sensu
     - watch_in:
diff --git a/sensu/transport_conf.sls b/sensu/transport_conf.sls
index 8c2bdd0..7886659 100644
--- a/sensu/transport_conf.sls
+++ b/sensu/transport_conf.sls
@@ -1,4 +1,5 @@
 {% from "sensu/pillar_map.jinja" import sensu with context -%}
+{% from "sensu/configfile_map.jinja" import files with context %}
 
 include:
   - sensu
@@ -6,9 +7,11 @@ include:
 /etc/sensu/conf.d/transport.json:
   file.serialize:
     - formatter: json
-    - user: root
-    - group: root
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    {%- if grains['os_family'] != 'Windows' %}
     - mode: 644
+    {%- endif %}
     - require:
       - pkg: sensu
     - dataset:
diff --git a/sensu/uchiwa.sls b/sensu/uchiwa.sls
index f3ad7e6..24dcf4e 100644
--- a/sensu/uchiwa.sls
+++ b/sensu/uchiwa.sls
@@ -1,4 +1,5 @@
 {% from "sensu/pillar_map.jinja" import sensu with context -%}
+{% from "sensu/configfile_map.jinja" import files with context %}
 
 include:
   - sensu
@@ -10,9 +11,9 @@ uchiwa:
   file.serialize:
     - name: /etc/sensu/uchiwa.json
     - formatter: json
-    - mode: 644
-    - user: uchiwa
-    - group: sensu
+    - user: {{ files.files.user }}
+    - group: {{ files.files.group }}
+    - mode: 640
     - require:
       - pkg: uchiwa
     - dataset: