Comment: Published by Scroll Versions from space WSPlat and version Sierra_SP1

...

In this document, we are going to focus on Windows Management Instrumentation (WMI).

What is WMI?

WMI (Windows Management Instrumentation) is a Microsoft technology whose purpose is to manage the different operational environments of Windows.

...

WMI makes system information retrieval easier by using well-documented object models and queries that resemble SQL, while requiring less code that is also easier to read. It is regulated by the Distributed Management Task Force (DMTF), which standardizes desktop PCs and develops management standards for distributed desktops, networks, and enterprise environments. The DMTF's management initiatives include the Desktop Management Interface (DMI), Common Information Model (CIM), and Directory Enabled Network (DEN).

WMI Access with Normal Account

Privileges for WMI discovery with Workgroup and Active Directory (AD) users 

To configure a local user or AD account for WMI access, perform the following steps:

  1. Add the user account to the local group named “Performance Log Users”, then use WMI Control Properties to grant the account access.
    Figure: Service Manager screen
  2. Open the Run command, type wmimgmt.msc, and click OK.
  3. Right-click WMI Control in the console and then click Properties.
  4. Click the Security tab.
    Figure: Security tab
  5. Select the “\Root\CIMV2” namespace to choose which user or group will have access, and then click Security.
    Figure: Namespace
  6. In the Security dialog box, click Add.
  7. In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add, click OK and then choose Advanced.
    Figure: Advanced screen
  8. In the Advanced Security dialog box, under Permissions, edit the permissions and check the Enable Account and Remote Enable boxes. Under Apply to, select This namespace and subnamespaces.
  9. Apply all changes.

WMI User Access for Domain User

...

  1. Type wmimgmt.msc in the Run command.

    Figure: WMI Control Window
  2. In the console tree, right-click WMI Control, and then click Properties.
  3. Click the Security tab.

    Figure: Security tab

  4. Select the CIMV2 namespace and then click Security.

  5. In the Security dialog box, click Add.

  6. In the Select Users, Computers, or Groups dialog box, enter the user

  7. Click the Check Names button to verify your entry and then click OK.

  8. In the Security dialog box, under Permissions, select ‘Enable Account’ and ‘Remote Enable’ for the user account.

  9. Ensure the permissions propagate to all

  10. Under Security, click Advanced and double-click the user/group to open its properties.

  11. Select ‘This namespace and subnamespaces’ to propagate permissions.
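
To confirm the result of either procedure above (local/AD account or domain user), the namespace DACL can be read back and decoded. The script below is an added example, not part of the original document; it assumes Windows PowerShell 5.1 run elevated, and the account name CONTOSO\svc-discovery is a hypothetical placeholder.

```powershell
# Added example (Windows PowerShell 5.1): decode a WMI namespace DACL.
$WmiRights = [ordered]@{          # WMI namespace access-mask bits
    'Enable Account'  = 0x1       # WBEM_ENABLE
    'Execute Methods' = 0x2       # WBEM_METHOD_EXECUTE
    'Full Write'      = 0x4       # WBEM_FULL_WRITE_REP
    'Partial Write'   = 0x8       # WBEM_PARTIAL_WRITE_REP
    'Provider Write'  = 0x10      # WBEM_WRITE_PROVIDER
    'Remote Enable'   = 0x20      # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
    'Edit Security'   = 0x40000   # WRITE_DAC
}
$ContainerInherit = 0x2           # CONTAINER_INHERIT_ACE: applies to subnamespaces

function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root\cimv2', [string]$ComputerName = '.')
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($r.ReturnValue)" }
    foreach ($ace in $r.Descriptor.DACL) {
        $mask = [int64]$ace.AccessMask
        [pscustomobject]@{
            Trustee       = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Type          = @('Allow', 'Deny')[$ace.AceType]
            Rights        = @($WmiRights.Keys | Where-Object { $mask -band $WmiRights[$_] })
            Subnamespaces = [bool]($ace.AceFlags -band $ContainerInherit)
        }
    }
}

# Reports which of the two rights from the procedure are missing for an account,
# and any rights beyond them. Only ACEs naming the account itself are checked;
# rights inherited through group membership are not resolved.
function Test-WmiDiscoveryAccess {
    param([Parameter(Mandatory)][string]$Account, [string]$Namespace = 'root\cimv2')
    $needed = 'Enable Account', 'Remote Enable'
    $aces = @(Get-WmiNamespaceAce -Namespace $Namespace |
        Where-Object { $_.Trustee -eq $Account -and $_.Type -eq 'Allow' })
    $granted = @($aces | ForEach-Object { $_.Rights } | Select-Object -Unique)
    [pscustomobject]@{
        Account       = $Account
        Missing       = @($needed | Where-Object { $_ -notin $granted })
        Subnamespaces = [bool]($aces | Where-Object Subnamespaces)
        ExtraRights   = @($granted | Where-Object { $_ -notin $needed })
    }
}

Test-WmiDiscoveryAccess -Account 'CONTOSO\svc-discovery'   # hypothetical account
```

An empty Missing list with Subnamespaces set to True matches the configuration described in the steps; anything listed under ExtraRights is access beyond what those steps grant.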

Windows Firewall and ports

Windows Server 2008 / 2012 / 2016, Windows 7/10 Firewall Rules:

...

  1. To disable the DCOM exception:

    netsh advfirewall firewall delete rule name="DCOM"
  2. To disable the WMI service exception:

    netsh advfirewall firewall delete rule name="WMI"
  3. To disable the sink exception:

    netsh advfirewall firewall delete rule name="UnsecApp"
  4. To disable the outgoing exception:

    netsh advfirewall firewall delete rule name="WMI_OUT"

User Account Control Settings

User Account Control (UAC) access-token filtering can affect which operations are allowed in WMI namespaces or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering. An administrator account can run a script with an elevated privilege—"Run as Administrator".

...

For more information on DCOM settings, see Securing a Remote WMI Connection. However, UAC affects connections for non-domain user accounts. If you connect to a remote computer using a non-domain user account included in the local Administrators group of the remote computer, then you must explicitly grant remote DCOM access, activation, and launch rights to the account.

CIMOM Settings

The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.

...

The following procedure is an automated setup to allow WMI to have a fixed port. The procedure uses the winmgmt command-line tool.

To set up a fixed port for WMI

  • At the command prompt, type winmgmt -standalonehost
  • Stop the WMI service by typing the command net stop "Windows Management Instrumentation", or use the short name of net stop winmgmt
  • Restart the WMI service again in a new service host by typing net start "Windows Management Instrumentation" or net start winmgmt
  • Establish a new port number for the WMI service by typing netsh firewall add portopening TCP 24158 WMIFixedPort
  • To undo any changes you make to WMI, type winmgmt /sharedhost, then stop and start the winmgmt service
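
After the procedure above, it is worth checking that the WMI service really is listening on the port opened in the firewall. The function below is an added example, not part of the original document; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session.

```powershell
# Added example: check the Winmgmt host process and its listening TCP ports.
function Test-WmiFixedPort {
    param([int]$Port = 24158)     # port opened with netsh in the procedure above
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Winmgmt'"
    if ($svc.State -ne 'Running') { throw 'Winmgmt is not running' }
    $hostPid = $svc.ProcessId

    # Other services hosted in the same process. An empty list is expected after
    # -standalonehost, but some Windows 10 systems already give each service its
    # own svchost, so the listener check below is the decisive one.
    $shared = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$hostPid" |
        Where-Object Name -ne 'Winmgmt' | ForEach-Object Name)

    # TCP ports the Winmgmt host process is listening on.
    $ports = @(Get-NetTCPConnection -State Listen -OwningProcess $hostPid `
            -ErrorAction SilentlyContinue |
        ForEach-Object LocalPort | Sort-Object -Unique)

    [pscustomobject]@{
        HostProcessId  = $hostPid
        SharedWith     = $shared
        ListeningPorts = $ports
        FixedPortOpen  = $ports -contains $Port
    }
}

Test-WmiFixedPort
```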

Windows Server 2003 Firewall Rules

By default, DCOM communicates with the client on a random port, so this section also describes how to specify a port range for use in firewall rules.

...