Configuring a non admin user for WMI monitoring
Quote from mpachmann on 4 October 2022, 11:32
https://pitstop.manageengine.com/portal/en/kb/articles/how-to-configure-a-non-admin-user-for-wmi-monitoring#Configuring_a_non-admin_user_for_WMI_monitoring
You can configure a regular Windows user to access WMI information by adding the necessary user account to the Distributed COM Users and the Performance Monitor Users group using lusrmgr.msc, and then configuring the DCOM security settings to allow the groups to access the system remotely (using dcomcnfg).
Note: These configurations are required to be performed in the User profiles of the client devices that are to be monitored.
Configuring Distributed COM Users in the Local Users and Groups settings:
To begin with, we are adding the DCOM user group in our local user settings.
1. Click Start → Run, type lusrmgr.msc and click OK.
2. In the Users folder, right-click the user to bring up the menu, and select Properties.
3. Click over to the Member Of tab, and click Add.
4. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
5. Click Add.
6. Repeat steps 3-5 for the Performance Monitor Users group and the Event Log Readers group.
Configuring the DCOM Security Settings to allow the groups to access the system remotely:
Next, we're providing basic access permissions to the user groups (Distributed COM Users and Performance Monitor Users) to be able to gain control of the device remotely.
7. Click Start → Run, type dcomcnfg and click OK.
8. Drill down into the Component Services tree until you get to My Computer. Right-click 'My Computer' to bring up the menu, and click Properties.
9. Click the COM Security tab, then click Edit Limits under the Launch and Activation Permissions section.
10. Click Add.
11. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
12. Click Add.
13. Repeat steps 9-12 for the Performance Monitor Users group.
14. Check Allow for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.
Setting the WMI Control security settings to be applied to all namespaces:
Finally, access is provided for all classes under all namespaces for both the user groups, in order to enable OpManager to fetch those data using WMI.
15. Click Start → Run, type wmimgmt.msc and click OK.
16. Right-click WMI Control (Local) to bring up the menu, and click Properties.
17. Click over to the Security tab, then click Root, and click the Security button.
18. Click Add.
19. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
20. Make sure the Distributed COM Users group is selected, and click Advanced.
21. Highlight the row with Distributed COM Users in it and click Edit.
22. From the 'Applies to' drop-down list, select 'This namespace and subnamespaces'.
23. Under the 'Allow' column, check Execute Methods, Enable Account and Remote Enable, and then click OK.
24. Repeat steps 17-23 for the Performance Monitor Users group.
25. Click OK to close all windows.
Set permissions to Service Control Manager Security for Windows Service Monitoring:
If you wish to monitor whether Windows Service monitors are up/down, you need to grant permission to SCManager. Access to Windows services is controlled by the security descriptor of the Service Control Manager, which is restricted by default on a hardened OS. The steps below grant remote access to the Service Control Manager at user level, in order to get the list of services on a server.
Retrieve the user SID of the user account
- From the monitored device, open Command Prompt in Administrator mode.
- Run the command below to retrieve the user SID, replacing UserName with the name of the user account:
  wmic useraccount where name="UserName" get name,sid
  Example:
  wmic useraccount where name="administrator" get name,sid
- Note down the SID (e.g. S-1-0-10-200000-30000000000-4000000000-500).
Retrieve the current SDDL for the SC Manager
- Run the command below, which saves the current SDDL for the SC Manager to CurrentSDDL.txt:
  sc sdshow scmanager > CurrentSDDL.txt
- Edit CurrentSDDL.txt and copy the entire content.
- The SDDL will look like this:
  D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Update the SDDL:
- Frame a new SDDL snippet for the SID above:
  (A;;CCLCRPWPRC;;;<SID of User>)
  Ex.
  (A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
- Now place this snippet immediately before "S:" in the original SDDL.
- The updated SDDL will look like this:
  D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Finally, execute the command below with the updated SDDL:
  sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- If some Windows services are still not listed, permissions have to be granted for individual services, as below.
- To set permissions on the RPC Endpoint Mapper (service name: RpcEptMapper), run the following command to get its current SDDL:
  sc sdshow RpcEptMapper > CurrentSDDL.txt
- Then form the SDDL as in the step above and apply it with:
  sc sdset RpcEptMapper <SDDL formed in above step>
- Once done, check whether the Windows service is listed.
- This will grant the following permissions to the user:
  CC - To get the service's current configuration
  LC - To get the service's current status
  RP - To read properties / start the service
  WP - To write properties / stop the service
  RC - To read the security descriptor
https://www.shellhacks.com/windows-list-services-cmd-powershell/
sc queryex type=service state=all | find /i "SERVICE_NAME:"
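The SDDL edit in the "Update the SDDL" steps and again for RpcEptMapper is done by hand in the post, and a hand edit is where people leave the ACE in the SACL by mistake or add it twice. The Python below is an added example, not code from the quoted KB article or from OpManager: it splits the descriptor into its O:/G:/D:/S: sections, appends the access-allowed ACE to the end of the DACL (which is exactly "just before S:" when a SACL is present, and the end of the string when a service has none), refuses to duplicate an ACE the SID already has, and decodes the granted rights with the meanings the post lists. The sample descriptor and SID are the ones the post shows; all function names are my own.

```python
import re

# Constructed sample input: the default scmanager SDDL exactly as the post shows
# it for "sc sdshow scmanager", and the placeholder SID the post uses.
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)"
               "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
SAMPLE_SID = "S-1-0-10-200000-30000000000-4000000000-500"

# The service rights the post grants, with the meaning it gives for each code.
MONITOR_RIGHTS = "CCLCRPWPRC"
RIGHT_MEANINGS = {
    "CC": "get the service's current configuration",
    "LC": "get the service's current status",
    "RP": "read properties / start the service",
    "WP": "write properties / stop the service",
    "RC": "read the security descriptor",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"\(([^()]*)\)")


def split_sections(sddl):
    """Split an SDDL string into an ordered list of (marker, body) pairs for the
    O:, G:, D: and S: sections.  A marker is only recognised outside parentheses,
    so letters inside an ACE (e.g. the SY or SU trustee) are never mistaken for one."""
    parts, depth, marker, start, i = [], 0, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if marker is not None:
                parts.append((marker, sddl[start:i]))
            marker, start = ch, i + 2
            i += 2
            continue
        i += 1
    if marker is not None:
        parts.append((marker, sddl[start:]))
    return parts


def join_sections(parts):
    """Inverse of split_sections: rebuild the SDDL string in the original order."""
    return "".join(f"{marker}:{body}" for marker, body in parts)


def aces(body):
    """Each ACE of a DACL/SACL body as its ';'-separated fields:
    [type, flags, rights, object guid, inherit guid, trustee]."""
    return [m.group(1).split(";") for m in ACE_RE.finditer(body)]


def rights_for(sddl, sid):
    """Two-letter right codes that access-allowed ACEs in the DACL grant directly
    to `sid`; an empty list means the SID has no ACE of its own yet."""
    codes = []
    for marker, body in split_sections(sddl):
        if marker != "D":
            continue
        for fields in aces(body):
            if fields[0] == "A" and len(fields) >= 6 and fields[5] == sid:
                rights = fields[2]
                codes.extend(rights[k:k + 2] for k in range(0, len(rights), 2))
    return codes


def add_service_ace(sddl, sid, rights=MONITOR_RIGHTS):
    """Append (A;;<rights>;;;<sid>) to the end of the DACL.  Re-running on a
    descriptor that already grants the SID an ACE returns it unchanged, so the
    command can safely be built and applied more than once."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    parts = split_sections(sddl)
    if not any(marker == "D" for marker, _ in parts):
        raise ValueError("SDDL has no DACL (D:) section to extend")
    if rights_for(sddl, sid):
        return sddl
    new_parts = []
    for marker, body in parts:
        if marker == "D":
            body = body + f"(A;;{rights};;;{sid})"
        new_parts.append((marker, body))
    return join_sections(new_parts)


def sdset_command(service, sddl):
    """The exact command the post runs to apply the descriptor."""
    return f"sc sdset {service} {sddl}"


def explain(sddl, sid):
    """Human-readable list of what the SID may now do, using the post's meanings."""
    return [f"{c} - {RIGHT_MEANINGS.get(c, 'unknown right')}" for c in rights_for(sddl, sid)]


if __name__ == "__main__":
    updated = add_service_ace(SAMPLE_SDDL, SAMPLE_SID)
    print(sdset_command("scmanager", updated))
    for line in explain(updated, SAMPLE_SID):
        print(line)
```

The same functions serve the per-service step: feed the output of `sc sdshow RpcEptMapper` to `add_service_ace` and pass the result to `sdset_command("RpcEptMapper", ...)`. Running `explain` on the result makes visible that the post's rights string includes WP, which the post itself says allows stopping the service; a monitoring-only account that should never stop anything can be given a narrower string through the `rights` parameter.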