
Windows WMI

Setting up WMI on Windows

We will follow the principle of least privilege by creating, and using, a non-privileged AD domain user for remote WMI access instead of handing Zenoss an administrator account. I will be using an account named zenwmiq (in the tendocalc domain) in my examples. We will need to set permissions in a few different areas to allow our zenwmiq user to query and return the required data, and nothing more.

Local Security Groups

We will need to add our user to a few local security groups: Distributed COM Users (permits the remote DCOM connection that WMI rides on), Performance Monitor Users (read access to performance counter data) and Event Log Readers (read access to the event logs). Qualify the account with the domain name so that the domain user is resolved rather than a local account of the same name. Run these commands from an elevated PowerShell prompt:

PS> net localgroup "Distributed COM Users" tendocalc\zenwmiq /ADD

PS> net localgroup "Performance Monitor Users" tendocalc\zenwmiq /ADD

PS> net localgroup "Event Log Readers" tendocalc\zenwmiq /ADD

WMI Namespace Security

Steve Lee (Microsoft Senior Test Manager) created a pair of PowerShell WMI namespace security scripts. The Get-WmiNamespaceSecurity.ps1 and Set-WmiNamespaceSecurity.ps1 scripts let us get/set the WMI namespace permissions on the local computer as well as on a remote one. They are not part of Windows, so download them and run them from the directory you saved them in. We will need to grant the Enable Account and Remote Enable permissions (named Enable and RemoteAccess in the scripts) to our zenwmiq user on the Root/CIMV2 namespace. Those two are all that read-only monitoring requires; do not grant Execute Methods or any of the write permissions.

List the current security settings for the Root/CIMV2 namespace. Run this command from an elevated PowerShell prompt:

PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2

Add our access control entry (ACE), granting the Enable and RemoteAccess permissions, to the Root/CIMV2 access control list (ACL). Run this command from an elevated PowerShell prompt:

PS> Set-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 -Operation add -Account tendocalc\zenwmiq -Permissions Enable,RemoteAccess

Let’s verify our ACE was correctly added to the namespace ACL. Run this command from an elevated PowerShell prompt:

PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 | ? {$_.Name -like '*zen*'} | fl

Name       : TENDOCALC\zenwmiq
Permission : {Enable, RemoteAccess}
Inherited  : False
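The two scripts wrap the WMI __SystemSecurity class. As an added example (written for this page; it is not Steve Lee's code and not part of Zenoss), the following PowerShell does the same job with built-in cmdlets and the .NET RawSecurityDescriptor class only: it decodes the root/cimv2 descriptor into readable rights, adds an Enable + Remote Enable ACE for the account only if an equivalent entry is not already there, and writes the descriptor back. The namespace and account are parameters whose defaults are assumed from this page; it needs PowerShell 5 or later (for the ::new() syntax) and an elevated prompt.

```powershell
# Added example (not from the original article or from Steve Lee's scripts):
# manage root/cimv2 namespace security with built-in cmdlets only.
# Assumptions: PowerShell 5+, elevated prompt, domain account as below.
param(
    [string]$Namespace = 'root/cimv2',
    [string]$Account   = 'tendocalc\zenwmiq'
)

# WMI namespace access-mask bits, with the names the WMI Control snap-in uses
$WbemRights = [ordered]@{
    Enable       = 0x00001   # Enable Account
    MethodExec   = 0x00002   # Execute Methods
    FullWrite    = 0x00004   # Full Write
    PartialWrite = 0x00008   # Partial Write
    ProvWrite    = 0x00010   # Provider Write
    RemoteAccess = 0x00020   # Remote Enable
    Subscribe    = 0x00040
    Publish      = 0x00080
    ReadControl  = 0x20000   # Read Security
    WriteDac     = 0x40000   # Edit Security
}
# Read-only remote monitoring needs exactly these two bits (0x21)
$Wanted = $WbemRights.Enable -bor $WbemRights.RemoteAccess

function Get-WmiNamespaceSd {
    param([string]$Ns)
    # __SystemSecurity.GetSD hands back the descriptor in self-relative binary form
    $r = Invoke-CimMethod -Namespace $Ns -ClassName __SystemSecurity -MethodName GetSD
    if ($r.ReturnValue -ne 0) { throw "GetSD on $Ns failed with $($r.ReturnValue)" }
    [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$r.SD, 0)
}

function Show-WmiNamespaceDacl {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $names = foreach ($kv in $WbemRights.GetEnumerator()) {
            if ($ace.AccessMask -band $kv.Value) { $kv.Key }
        }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee = $who
            Type    = $ace.AceQualifier
            Flags   = $ace.AceFlags
            Rights  = ($names -join ',')
        }
    }
}

function Grant-WmiNamespaceAccess {
    param([string]$Ns, [string]$Acct, [int]$Mask)
    $sid = ([System.Security.Principal.NTAccount]$Acct).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sd = Get-WmiNamespaceSd -Ns $Ns
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier -eq $sid -and
        (($_.AccessMask -band $Mask) -eq $Mask)
    }
    if ($already) { return $false }    # idempotent: nothing to change

    # AceFlags None = this namespace only, no inheritance into sub-namespaces
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $r = Invoke-CimMethod -Namespace $Ns -ClassName __SystemSecurity -MethodName SetSD `
                          -Arguments @{ SD = $bytes }
    if ($r.ReturnValue -ne 0) { throw "SetSD on $Ns failed with $($r.ReturnValue)" }
    return $true
}

'Before:'
Show-WmiNamespaceDacl (Get-WmiNamespaceSd -Ns $Namespace) | Format-Table -AutoSize
if (Grant-WmiNamespaceAccess -Ns $Namespace -Acct $Account -Mask $Wanted) {
    'ACE added. After:'
    Show-WmiNamespaceDacl (Get-WmiNamespaceSd -Ns $Namespace) | Format-Table -AutoSize
} else {
    "$Account already has Enable and RemoteAccess on $Namespace; nothing changed."
}
```

The "Before" listing is worth reading on its own: it shows which built-in principals (Administrators, NETWORK SERVICE, LOCAL SERVICE, Authenticated Users) already hold which rights, so you can see that zenwmiq ends up with strictly less than any of them. The new ACE is written without inheritance flags, matching the Inherited : False entry above; pass a different AceFlags value if you deliberately want it to flow to child namespaces.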


Service Control Manager

The Service Control Manager (SCM) ACL will also need to be modified to allow our zenwmiq user to connect to the SCM and enumerate the services on our host along with their status. We first need the security identifier (SID) of our domain user, because the SCM security descriptor is written in SDDL, and SDDL identifies anything other than well-known accounts by SID. Run these commands from an elevated PowerShell prompt:

PS> $account = New-Object Security.Principal.NTAccount "tendocalc\zenwmiq"

PS> $account.Translate([Security.Principal.SecurityIdentifier]).Value

S-1-5-21-4215953012-3604629762-2942499649-1497

The SID shown is from my domain; yours will differ, so use the value you get back, not the one above.

We will use the service control (sc.exe) command-line tool to get/set the security descriptor for the Service Control Manager. Its sdshow and sdset subcommands read and write the security descriptor of a service object, or of the SCM itself through the reserved name scmanager, in Security Descriptor Definition Language (SDDL). Let's first display the current security descriptor for SCM. Run this command from an elevated PowerShell prompt:

PS> sc.exe sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

We now need to add an ACE for our user, carrying the required rights, to the existing DACL in SDDL form. The following table lists the rights our user needs; together they spell CCLCRPRC, the same read-only set Windows already grants to Interactive Users (IU) and Service Users (SU) in the descriptor above:

String  Access right                   Description
CC      SC_MANAGER_CONNECT             Required to connect to the service control manager.
LC      SC_MANAGER_ENUMERATE_SERVICE   Required to call the EnumServicesStatusEx function to list the services that are in the database.
RP      SC_MANAGER_QUERY_LOCK_STATUS   Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.
RC      READ_CONTROL                   Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.

Append the ACE as the last entry of the Discretionary Access Control List (DACL), the part between D: and S:. Note that sdset replaces the whole descriptor, so build the new string from the sdshow output of the host you are configuring (the default entries differ between Windows versions), keep every existing entry including the SACL after S:, and substitute the SID you resolved above for the one in my example. Run this command from an elevated PowerShell prompt:

PS> sc.exe sdset scmanager 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-4215953012-3604629762-2942499649-1497)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

Run sc.exe sdshow scmanager again afterwards and confirm the new ACE is present before moving on.
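Hand-editing the SDDL string is error-prone, and pasting the example string verbatim onto a host whose defaults differ would silently drop entries. As an added example (written for this page, not Zenoss code), the following PowerShell computes the new descriptor from what this host actually reports, appends the CCLCRPRC allow ACE for the account only if no equivalent entry exists, applies it with sc.exe sdset and then reads it back to verify. The account name is an assumed default; it needs PowerShell 5 or later and an elevated prompt.

```powershell
# Added example (not from the original article): compute the scmanager SDDL from
# this host's current descriptor instead of pasting a fixed string, append a
# read-only ACE for the account if missing, apply it and read it back.
# Assumptions: PowerShell 5+, elevated prompt, domain account as below.
param([string]$Account = 'tendocalc\zenwmiq')

# SC_MANAGER_* rights from the table above and their SDDL letters; together
# they are the CCLCRPRC set Windows already grants Interactive Users (IU)
$ScmRights = [ordered]@{
    CC = 0x00001   # SC_MANAGER_CONNECT
    LC = 0x00004   # SC_MANAGER_ENUMERATE_SERVICE
    RP = 0x00010   # SC_MANAGER_QUERY_LOCK_STATUS
    RC = 0x20000   # READ_CONTROL
}
$Mask = 0
foreach ($v in $ScmRights.Values) { $Mask = $Mask -bor $v }   # 0x20015

function Get-ScmSddl {
    # sc.exe prints a blank line before the SDDL; join the output and trim it away
    $out = ((& sc.exe sdshow scmanager) -join '').Trim()
    if ($LASTEXITCODE -ne 0 -or $out -notmatch '^D:') { throw "sc sdshow scmanager failed: $out" }
    $out
}

function Test-ScmAce {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd,
          [System.Security.Principal.SecurityIdentifier]$Sid, [int]$Rights)
    # true if an allow ACE for $Sid already carries every bit in $Rights
    [bool]($Sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier -eq $Sid -and
        (($_.AccessMask -band $Rights) -eq $Rights)
    })
}

function Add-ScmReadAce {
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid, [int]$Rights)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if (Test-ScmAce -Sd $sd -Sid $Sid -Rights $Rights) { return $null }
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Rights, $Sid, $false, $null)
    # append as the last DACL entry, the same position as the hand-edited string;
    # the SACL (everything after S:) is carried over untouched
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier])
$current = Get-ScmSddl
$new = Add-ScmReadAce -Sddl $current -Sid $sid -Rights $Mask
if (-not $new) { "$Account ($($sid.Value)) already has CCLCRPRC on scmanager"; return }

"Current: $current"
"New:     $new"
& sc.exe sdset scmanager $new
if ($LASTEXITCODE -ne 0) { throw 'sc sdset scmanager failed' }

# Verify by reading the descriptor back rather than trusting the exit code
$check = [System.Security.AccessControl.RawSecurityDescriptor]::new((Get-ScmSddl))
if (Test-ScmAce -Sd $check -Sid $sid -Rights $Mask) {
    "Verified: $($sid.Value) now has CC, LC, RP and RC on scmanager"
} else {
    throw 'ACE not found after sdset; inspect sc.exe sdshow scmanager'
}
```

The string that .NET emits may spell some masks as hexadecimal where sc.exe used abbreviations such as KA; both forms are accepted by sdset, which is why the script checks the result by parsing the descriptor back rather than comparing strings.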


Firewall

If the host firewall is enabled, we need to verify that the proper inbound rules are enabled for connectivity with Zenoss. You can enable the rules (and rule groups) with the Windows Firewall with Advanced Security console, but I will use the netsh utility in my examples. Where you can, restrict each rule to the address of the Zenoss collector with the remoteip= parameter of netsh advfirewall firewall set rule, rather than leaving it open to any source.

SNMP

Installing the SNMP Service feature creates the required inbound rule and should enable it. You can verify this by running this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall show rule name="SNMP Service (UDP In)"

WMI

WMI traffic is blocked by default, so we will need to enable the WMI rule group to open the ports. The group contains the DCOM-In rule (TCP 135, the RPC endpoint mapper), the WMI-In rule (the dynamic RPC port the WMI service is actually reached on), an ASync-In rule (inbound callbacks for asynchronous WMI clients) and an outbound WMI-Out rule. Run this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

A remote client that only issues synchronous queries needs just the DCOM-In and WMI-In rules; if you would rather not enable the whole group, enable those two by name ("Windows Management Instrumentation (DCOM-In)" and "Windows Management Instrumentation (WMI-In)") with the same netsh syntax.

ICMP

The ICMPv4 echo request packet type will need to be allowed for Zenoss to verify availability through ping. Run this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
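With the groups, namespace ACE, SCM ACE and firewall rules in place, the last thing to do is prove the account works end to end before pointing Zenoss at the host. As an added example (written for this page, not Zenoss code), the following PowerShell runs from a second Windows machine and connects over DCOM as zenwmiq, the way a WMI collector would, then issues one query per grant: an OS query for the namespace ACE, a service enumeration for the scmanager ACE, a performance counter for Performance Monitor Users and an event log read for Event Log Readers, after first checking the two firewall rules (ICMP echo and TCP 135). The host name and account are placeholders; it needs PowerShell 5 or later and prompts for the password.

```powershell
# Added example (not from the original article or from Zenoss): run from a
# second Windows machine to confirm the least-privileged account can fetch every
# kind of data the page grants, over DCOM as a WMI collector would.
# Assumptions: PowerShell 5+, host name and account below are placeholders.
param(
    [string]$Target  = 'winhost01.tendocalc.local',
    [string]$Account = 'tendocalc\zenwmiq'
)
$cred    = Get-Credential -UserName $Account -Message "Password for $Account"
$results = New-Object System.Collections.Generic.List[object]

function Test-Step {
    param([string]$Name, [string]$Grant, [scriptblock]$Action)
    try   { $detail = & $Action; $ok = $true }
    catch { $detail = $_.Exception.Message; $ok = $false }
    $results.Add([pscustomobject]@{ Check = $Name; Grant = $Grant; Pass = $ok; Detail = "$detail" })
}

# Reachability: the two inbound firewall rules from the Firewall section
Test-Step 'ICMP echo' 'Echo Request ICMPv4-In rule' {
    if (-not (Test-Connection -ComputerName $Target -Count 1 -Quiet)) { throw 'no echo reply' }
    'reply'
}
Test-Step 'TCP 135 (RPC endpoint mapper)' 'WMI rule group (DCOM-In)' {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Target, 135); $tcp.Close(); 'open'
}

# DCOM session as the monitoring account (WMI collectors speak DCOM, not WinRM)
$session = $null
Test-Step 'DCOM/WMI connect' 'Distributed COM Users + root/cimv2 Enable/Remote Enable' {
    $script:session = New-CimSession -ComputerName $Target -Credential $cred `
        -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    "session $($script:session.Id)"
}

if ($session) {
    Test-Step 'OS query' 'root/cimv2 namespace ACE' {
        (Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop).Caption
    }
    Test-Step 'Service enumeration' 'scmanager CCLCRPRC ACE' {
        $svc = @(Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop)
        if ($svc.Count -eq 0) { throw 'zero services returned' }
        "$($svc.Count) services, $(@($svc | Where-Object State -eq 'Running').Count) running"
    }
    Test-Step 'Performance counters' 'Performance Monitor Users' {
        $p = Get-CimInstance -CimSession $session -ClassName Win32_PerfFormattedData_PerfOS_Processor `
                 -Filter "Name='_Total'" -ErrorAction Stop
        "CPU $($p.PercentProcessorTime)% busy"
    }
    Test-Step 'Event log read' 'Event Log Readers' {
        $e = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                 -Filter "Logfile='System'" -ErrorAction Stop | Select-Object -First 1
        if (-not $e) { throw 'no events returned' }
        "latest System event $($e.EventCode) from $($e.SourceName)"
    }
    Remove-CimSession $session
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Each check names the grant it depends on, so a single failing row points straight at the section of this page to revisit: a failed connect with working TCP 135 usually means the Distributed COM Users membership or the namespace ACE, a failed service enumeration the scmanager ACE, and so on. A non-zero exit code makes the script usable as a pre-flight check before a host is added to Zenoss.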
