Remote WMI with read-only account

As a general rule, all Exoprise components operate in read-only mode. In most trial environments, running the Exoprise components as domain admin is the quickest installation option. If using a domain admin account is not acceptable, follow the steps below to configure Exoprise components with least privilege access.

In addition to read-only access to Active Directory (AD), Active Directory Federation Services (AD FS), or Exchange Server endpoints, some Exoprise components require Windows Management Instrumentation (WMI) access. WMI gives Exoprise access to the performance counters exposed by the target machine, and the information collected this way is often a critical component of the overall service health picture. A least privilege configuration therefore still has to provide WMI access to the Exoprise components. The steps below detail how to enable access to WMI providers for Exoprise components without using administrator-level accounts in your AD domain or forest.

The steps below are based on a Windows Server 2003 R2 Active Directory domain controller. Exact procedure steps may differ slightly if you are using Windows Server 2008 or 2012, Windows 7, or Windows Vista.

Prerequisites

  • Full administrator rights to the domain or forest in which you will be making the changes.

  • Administrator rights to all servers in your AD for which you wish to enable WMI access.

Group membership, security policy assignments, permissions

  1. If you haven't already done so, create a domain account that will represent the user that Exoprise will run as in your environment.

  2. Create a domain group that will receive all of the rights that the Exoprise user needs.

    As a best practice, always assign permissions to a domain group rather than directly to a user account.

  3. Add the Exoprise user to the newly created group.

  4. Add the newly created Exoprise group to the following groups. On a domain controller these are the domain's Builtin groups; on a member server that you will query over WMI, add the Exoprise group to the server's local groups of the same names, because membership in the domain Builtin groups does not carry over to member servers:

    • Performance Log Users

    • Distributed COM Users

  5. Run one of the following three Microsoft Management Console (MMC) snap-ins:

    • Local Security Policy snap-in (secpol.msc) for member servers.

    • Default Domain Security Policy snap-in (dompol.msc) if you wish to configure these settings domain-wide as a GPO. Because this policy applies to every computer in the domain, a GPO linked only to the OU that contains the Exoprise endpoints is the tighter choice.

    • Default Domain Controller Security Settings snap-in (dcpol.msc) if you wish to assign the rights only on domain controllers.

  6. Once the snap-in is started, expand Security Settings > Local Policies > User Rights Assignment.

  7. Assign your new group at least the following rights:

    • Act as part of the operating system

    • Log on as a batch job

    • Log on as a service

    • Replace a process level token

    Log on as a service and Log on as a batch job are what a service account normally needs. Act as part of the operating system (SeTcbPrivilege) and Replace a process level token (SeAssignPrimaryTokenPrivilege) are powerful rights that grant far more than read access, and remote WMI and DCOM queries themselves do not need them. Assign them only on the endpoints where the Exoprise service runs, never domain-wide, and review whether your deployment actually requires them.

  8. Exit the Policy Settings utility.
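Steps 1 to 4 above, scripted with the ActiveDirectory PowerShell module (RSAT). This is an added example and not Exoprise's own tooling: the account name svc-exoprise, the group Exoprise-WMI, the domain CONTOSO and the OU path are placeholders. The user rights assignments in steps 5 to 7 are left to the policy editor.

```powershell
# Added example: account, rights-bearing group and nesting via the ActiveDirectory
# module. Every name below is a hypothetical placeholder, not an Exoprise default.
Import-Module ActiveDirectory

$UserName  = 'svc-exoprise'                          # hypothetical sensor account
$GroupName = 'Exoprise-WMI'                           # hypothetical group that carries the rights
$OU        = 'OU=Service Accounts,DC=contoso,DC=com'  # hypothetical OU

# Step 1: create the account. Prompt for the password; never embed it in a script.
$password = Read-Host -AsSecureString "Password for $UserName"
New-ADUser -Name $UserName -SamAccountName $UserName -Path $OU `
    -AccountPassword $password -Enabled $true `
    -Description 'Exoprise sensor account (least privilege: read-only + WMI)'

# Step 2: a global security group receives every right; nothing is granted to the user directly.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU

# Step 3: put the account in the group.
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Step 4: nest the group in the two Builtin groups the page requires. On a domain
# controller these are the domain's Builtin groups, which is what this targets.
foreach ($builtin in 'Performance Log Users', 'Distributed COM Users') {
    Add-ADGroupMember -Identity $builtin -Members $GroupName
}

# On a member server the equivalents are that server's *local* groups, so run this
# on each target server instead (or deploy it with GPO Restricted Groups):
#   net localgroup "Performance Log Users" CONTOSO\Exoprise-WMI /add
#   net localgroup "Distributed COM Users"  CONTOSO\Exoprise-WMI /add

# Show the resulting nesting so the effective group set can be reviewed.
Get-ADPrincipalGroupMembership -Identity $GroupName | Select-Object -ExpandProperty Name
```

The group is created with Global scope so that it can be nested in the Builtin groups on the domain controller and in local groups on member servers alike.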

DCOM rights assignments

To configure Distributed Component Object Model (DCOM) security for the Exoprise group, follow the steps below:

  1. Run Component Services by selecting Start > Administrative Tools > Component Services.

  2. Once there, expand Console Root > Computers > My Computer. Right-click My Computer and select Properties.

  3. In the window that appears, click the COM Security tab.

  4. Under Access Permissions, click Edit Limits.

  5. Verify that the Distributed COM Users group is present and has all items checked under Allow.

  6. Optionally, add the Exoprise group to this list and assign full Allow access.

    This step is not required since the Exoprise group is already a member of Distributed COM Users.

  7. Once you've reviewed the presence of Distributed COM Users or added the Exoprise group, click OK to save your changes and return to the COM Security tab.

  8. Under Launch and Activation Permissions, click Edit Limits.

  9. As with the Access Permissions window, you will see a list of groups and permissions. Ensure that the Distributed COM Users group has all items checked under Allow.

  10. Optionally, add the Exoprise group here and assign full Allow access.

    This step is not required since the Exoprise group is already a member of Distributed COM Users.

  11. Click OK to save your changes.

  12. Exit the Component Services utility.
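The two Edit Limits dialogs above are stored as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole. The following added example (not part of the original page) decodes them and reports who holds local and remote DCOM access and launch rights, so the check in steps 5 and 9 can be done from a shell on each target server. It relies only on .NET's RawSecurityDescriptor and the well-known SID of BUILTIN\Distributed COM Users.

```powershell
# Added example: decode the machine-wide DCOM limits and confirm that
# Distributed COM Users holds an Allow ACE. Run locally on the server being queried.

$DistributedComUsersSid = 'S-1-5-32-562'   # well-known SID of BUILTIN\Distributed COM Users

# COM_RIGHTS_* bits as stored in the Ole limits. Access limits use bits 1-3,
# launch limits use bits 1-5 (Local/Remote Launch, Local/Remote Activation).
$Rights = [ordered]@{
    Execute        = 0x01
    LocalAccess    = 0x02   # Access limits: Local Access   / Launch limits: Local Launch
    RemoteAccess   = 0x04   # Access limits: Remote Access  / Launch limits: Remote Launch
    LocalActivate  = 0x08   # Launch limits only
    RemoteActivate = 0x10   # Launch limits only
}

function Get-DcomLimit {
    param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')][string]$Name)
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $Name `
                -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { return $null }   # value absent: the OS defaults are in effect
    New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
}

foreach ($limit in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    "== $limit =="
    $sd = Get-DcomLimit -Name $limit
    if (-not $sd) { "  (not set in the registry: defaults apply, which include Distributed COM Users)"; continue }

    $seenDcomUsers = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not $ace.SecurityIdentifier) { continue }   # skip custom/unknown ACE types
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: print it raw

        $granted = ($Rights.GetEnumerator() |
                    Where-Object { $ace.AccessMask -band $_.Value } |
                    ForEach-Object Key) -join ','
        "  {0,-13} {1,-40} {2}" -f $ace.AceType, $who, $granted

        if ($sid.Value -eq $DistributedComUsersSid -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $seenDcomUsers = $true
        }
    }
    if (-not $seenDcomUsers) {
        Write-Warning "Distributed COM Users has no Allow ACE in $limit; add it as described above."
    }
}
```

A Deny entry for Everyone or for the Exoprise group in either limit overrides the Allow and will show up in the listing as AccessDenied; the GUI shows the same entries, but the script makes them easy to compare across many servers.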

WMI namespace security assignments

Set WMI namespace security so that the Exoprise group has access to WMI objects.

  1. From the Start menu, select Run, and in the window that opens, type wmimgmt.msc in the Open: field, then click OK.

  2. Once there, right-click WMI Control (Local) and then click Properties.

  3. Click the Security tab.

  4. Click the Security button at the bottom right of the window. This action edits the security settings for the Root WMI namespace.

  5. You'll now see a window that has the security settings for WMI on this machine. Click Advanced.

  6. In the Advanced Security Settings for this WMI namespace, add the Exoprise group to the list and grant at least the following Allow permissions:

    • Execute Methods

    • Enable Account

    • Remote Enable

    • Read Security

      Make sure that these permissions apply to this namespace and all the namespaces under it. Do that by selecting This namespace and subnamespaces in the drop-down menu above the permissions list window.

  7. Click OK to save the new permissions.

  8. Click OK to exit the Advanced Security Settings.

  9. Click OK to exit the Security Properties.
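The namespace ACL set through wmimgmt.msc above can also be applied from PowerShell through the namespace's __SystemSecurity object, which is useful when many servers have to be configured identically. This is an added example, not Exoprise's own script; the group name CONTOSO\Exoprise-WMI is a placeholder. The four permission bits are the ones the page grants: Enable Account, Execute Methods, Remote Enable and Read Security, applied to the namespace and its sub-namespaces.

```powershell
# Added example: grant a domain group read-only, remotely usable access to a WMI
# namespace and all sub-namespaces (scripted equivalent of step 6 above).
# Run on the server being queried; add ComputerName to $target to do it remotely.

$Namespace = 'root'                   # the page applies the ACE at Root
$Account   = 'CONTOSO\Exoprise-WMI'   # hypothetical domain group

# WMI namespace permission bits (WBEM_* security flags plus the READ_CONTROL standard right)
$WBEM_ENABLE         = 0x00001   # Enable Account
$WBEM_METHOD_EXECUTE = 0x00002   # Execute Methods
$WBEM_REMOTE_ACCESS  = 0x00020   # Remote Enable
$READ_CONTROL        = 0x20000   # Read Security
$AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

$CONTAINER_INHERIT_ACE = 0x2     # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE    = 0x0

# The ACE carries a SID, not a name, so resolve the group first
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the namespace's current security descriptor
$target = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$got = Invoke-WmiMethod @target -Name GetSecurityDescriptor
if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($got.ReturnValue)" }
$sd = $got.Descriptor

# Build the new Win32_ACE for the group
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $sid

$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $AccessMask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE
$ace.Trustee    = $trustee

# Rebuild the DACL: keep every other ACE, replace any existing ACE for this SID
$newDacl = @()
foreach ($existing in $sd.DACL) {
    if ($existing.Trustee.SidString -ne $sid) { $newDacl += $existing.psobject.ImmediateBaseObject }
}
$newDacl += $ace.psobject.ImmediateBaseObject
$sd.DACL = $newDacl.psobject.ImmediateBaseObject

# Write the descriptor back
$set = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
'Granted 0x{0:X} on {1} and sub-namespaces to {2}' -f $AccessMask, $Namespace, $Account
```

Granting at Root with inheritance, as the page does, exposes every namespace on the server to the group. If the components you deploy only read performance counters, setting $Namespace to root\cimv2 (where the Win32_PerfFormattedData classes live) is a tighter scope; verify afterwards that each component still works.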

Firewall changes, UAC, restarts, testing

Now that you've configured WMI namespace security, ensure that Windows Firewall is not blocking WMI traffic.

  1. Make sure that Windows Firewall on the server you wish to query over WMI allows inbound connections from the Exoprise endpoints, and that nothing on the Exoprise endpoint blocks the outbound connection. WMI over DCOM uses TCP 135 plus dynamically assigned RPC ports, so enable the predefined Windows Management Instrumentation (WMI) rule group rather than opening single ports, and scope the rule to the endpoint addresses. Disabling the firewall also works but is not a least privilege choice. For more information, refer to the Microsoft article Connecting to WMI Remotely Starting with Vista.

  2. If you're running Windows Server 2008 or 2012, Windows Vista, or Windows 7, User Account Control can interfere with remote WMI, but only for a local account that is a member of the local Administrators group, whose remote token is filtered. The domain account configured here is not a local administrator, so its token is not filtered and UAC should need no change; do not disable UAC to work around WMI access errors. For more information, refer to the Microsoft article User Account Control and WMI.

  3. Group membership and user rights are written into an account's access token when it logs on, so the Exoprise service has to log on again before the changes above take effect. Restarting the Exoprise service does this; rebooting the endpoints that have Exoprise components installed is the simplest way to be certain every component re-authenticates.

    Once the Exoprise endpoint has been restarted, you should be able to make WMI calls to the remote servers configured above.

If you are configuring a non-administrator Exoprise user for a large AD forest, you may need to wait up to 15 minutes for AD replication to complete before remote queries over WMI will work.
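To test the finished configuration as the restricted account rather than as your own admin identity, the following added example (not part of the original page) runs two representative WMI queries over DCOM from the Exoprise endpoint and maps the usual failures back to the sections above. The server name and account are placeholders.

```powershell
# Added example: exercise remote WMI as the least-privilege account and classify
# failures. Get-WmiObject is used deliberately because it speaks DCOM, which is
# the path configured on this page (Get-CimInstance defaults to WinRM instead).

$Server = 'exch01.contoso.com'                    # hypothetical target server
$Cred   = Get-Credential 'CONTOSO\svc-exoprise'    # hypothetical sensor account

function Test-RemoteWmi {
    param([string]$ComputerName, [pscredential]$Credential)
    try {
        $os  = Get-WmiObject -Namespace root\cimv2 -Class Win32_OperatingSystem `
                   -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        # Performance counter class: the data the page says Exoprise collects via WMI
        $cpu = Get-WmiObject -Namespace root\cimv2 -Class Win32_PerfFormattedData_PerfOS_Processor `
                   -Filter "Name='_Total'" -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        [pscustomobject]@{
            Computer = $ComputerName; Result = 'OK'
            OS = $os.Caption; CpuPercent = $cpu.PercentProcessorTime
        }
    } catch {
        $msg = $_.Exception.Message
        # Messages as emitted by the DCOM/WMI stack; match on text because the
        # exception type differs between failures.
        $hint = switch -Wildcard ($msg) {
            '*RPC server is unavailable*' { 'Firewall or name resolution: TCP 135 / RPC ports blocked (Firewall section)' }
            '*Access is denied*'          { 'DCOM limits or group membership not yet in the token (DCOM section; restart the service)' }
            '*Access denied*'             { 'WMI namespace ACL: Remote Enable / Enable Account missing (Namespace section)' }
            '*Invalid namespace*'         { 'Namespace name wrong or hidden by ACL' }
            default                       { $msg }
        }
        [pscustomobject]@{ Computer = $ComputerName; Result = 'FAIL'; Error = $msg; Hint = $hint }
    }
}

Test-RemoteWmi -ComputerName $Server -Credential $Cred
```

Run this from the Exoprise endpoint after it has restarted, supplying the sensor account's credentials, so that the test exercises the same token the service will receive. A success here with the restricted account, and a failure when the namespace ACE is temporarily removed, confirms that the permissions rather than residual admin rights are doing the work.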

Summary

Exoprise components operate in read-only mode when communicating with AD. Additional components within the sensor query the server via the WMI interfaces, and this functionality requires specific privileges on the server.

In a lab environment, it is often easier to use a domain admin account for the sensor installation credentials because the AD and WMI functionality runs smoothly as domain admin. However, in a production environment, the preferred approach is to limit and restrict the permissions of the sensor account as detailed above.