You are here: Home / Information Centre / Zenoss / Windows WMI

Windows WMI

Setting up WMI on Windows

We will implement the security principle of least privilege by creating, and using, a non-privileged AD domain user for remote WMI access. I will be using an account named zenwmiq in my example. We will need to set permissions in a few different areas to allow our zenwmiq user to query and return the required data.

Local Security Groups

We will need to add our user to a few local security groups. Run these commands from an elevated PowerShell prompt:

PS> net localgroup "Distributed COM Users" zenwmiq /ADD

PS> net localgroup "Performance Monitor Users" zenwmiq /ADD

PS> net localgroup "Event Log Readers" zenwmiq /ADD

 

WMI Namespace Security

Steve Lee (Microsoft Senior Test Manager) created a pair of PowerShell WMI namespace security scripts. The Get-WmiNamespaceSecurity.ps1 and Set-WmiNamespaceSecurity.ps1 scripts allow us to get/set the WMI namespace permissions on the local computer as well as a remote one. We will need to add the Enable Account and Remote Enable permissions for our zenwmiq user to the Root/CIMV2 namespace.

List the current security settings for the Root/CIMV2 namespace. Run this command from an elevated PowerShell prompt:

PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2

 

Add our access control entry (ACE) to the Root/CIMV2 access control list (ACL). Run this command from an elevated PowerShell prompt:

PS> Set-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 -Operation add -Account tendocalc\zenwmiq -Permissions Enable,RemoteAccess

 

Let’s verify our ACE was correctly added to the namespace ACL. Run this command from an elevated PowerShell prompt:

PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 | ? {$_.Name -like '*zen*'} | fl

Name : TENDOCALC\zenwmiq 
Permission : {Enable, RemoteAccess}
Inherited : False

 

Service Control Manager

The Service Control Manager ACL will also need to be modified to allow our zenwmiq user to enumerate and list the status of the services on our host. We first need to get the security identifier (SID) of our domain user. Run these commands from an elevated PowerShell prompt:

PS> $account = New-Object Security.Principal.NTAccount "tendocalc\zenwmiq"

PS> $account.Translate([Security.Principal.SecurityIdentifier]).Value

S-1-5-21-4215953012-3604629762-2942499649-1497

 

We will use the service control (sc) command-line tool to get/set the security descriptor for the Service Control Manager (SCM). The sc command-line tool lets system administrators query and change the system privileges assigned to services. Let’s first display the current security descriptor for SCM. Run this command from an elevated PowerShell prompt:

PS> sc.exe sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

 

We now need to add our user (and linked rights) to the current ACL in the SDDL format. The following table shows the required rights we will need for our user:

StringAccess RightDescription
CC SC_MANAGER_CONNECT Required to connect to the service control manage
LC SC_MANAGER_ENUMERATE_SERVICE Required to call the EnumServicesStatusEx function to list the services that are in the database
RP SC_MANAGER_QUERY_LOCK_STATUS Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.
RC READ_CONTROL Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.

 

“Inject” the ACE as the last entry of the Discretionary Access Control List (DACL). Run this command from an elevated PowerShell prompt:

PS> sc.exe sdset scmanager 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-4215953012-3604629762-2942499649-1497)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

 

Firewall

If the host firewall is enabled, we need to verify the proper inbound ports are open for connectivity with Zenoss. You can enable the rule (and rule groups) with the Windows Firewall with Advanced Security console, but I will use the netsh utility in my examples.

 

SNMP

The installation of the SNMP components should enable the required firewall rule. You can verify this by running this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall show rule name="SNMP Service (UDP In)"

 

WMI

WMI traffic is blocked by default, so we will need to enable the WMI rule group to open the ports. Run this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

 

ICMP

The ICMPv4 echo request packet type will need to be allowed for Zenoss to verify availability thru ping. Run this command from an elevated PowerShell prompt:

PS> netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

Document Actions

Distributions
To see exactly what is included in BastionLinux™, visit our online RPMDistro Builder.
Buy Now
Bastion CD
Subscribe Now
and get BastionLinux™ ...
Sponsored Links