Windows Servers discovery and WMI User Access
- Enterprise IT
- Mayuresh Balaji Kamble
Network and system administrators who want to monitor and manage devices have a choice of two popular methods:
- Simple Network Management Protocol (SNMP), an application-layer protocol of the TCP/IP suite.
- Windows Management Instrumentation (WMI), part of the infrastructure for management data and operations on Windows-based operating systems.
In this document, we focus on Windows Management Instrumentation (WMI).
What is WMI?
WMI (Windows Management Instrumentation) is Microsoft's implementation of Web-Based Enterprise Management (WBEM), the industry standard for accessing management information in an enterprise environment. It gives a uniform way to query and control the operating system, hardware, services and installed software, locally or over the network.
WMI consists of a set of extensions to the Windows Driver Model that provide an operating system interface through which instrumented components supply information and different types of notifications.
WMI makes system information retrieval easier by using well-documented object models and a query language (WQL) that resembles SQL, so that a few readable lines replace large amounts of custom code. Its object model follows the Common Information Model (CIM) of the Distributed Management Task Force (DMTF), the body that develops management standards for desktops, networks and enterprise environments; other DMTF initiatives include the Desktop Management Interface (DMI) and Directory Enabled Networks (DEN).
WMI Access with Normal Account
Privileges for WMI discovery with Workgroup and Active Directory (AD) users
To grant an existing local user or AD account WMI access without making it an administrator, perform the following steps:
- Add the user account to the local group named "Performance Log Users", then use WMI Control Properties to give the account access to the namespace.
Figure: Service Manager screen
- Open the Run command, type wmimgmt.msc and click OK.
- Right-click WMI Control in the console and then click Properties.
- Click the Security tab.
Figure: Security tab
- Select the "\Root\CIMV2" namespace to choose which user or group will have access, and then click Security.
Figure: Namespace
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add, click OK and then click Advanced.
Figure: Advanced screen
- In the Advanced Security Settings dialog box, under Permissions, edit the entry for the account and check the Enable Account and Remote Enable boxes. Under Applies to, select "This namespace and subnamespaces".
- Apply all changes.
Grant only Enable Account and Remote Enable. Execute Methods, Full Write and Edit Security are not needed for read-only discovery and would let the account change system state or rewrite the namespace ACL.
WMI User Access for Domain User
Privilege to Windows DCOM
- Open Component Services (run dcomcnfg.exe). In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer and then click Properties.
- In the My Computer Properties dialog box, click the COM Security tab.
Figure: COM Security tab
- Under Launch and Activation Permissions, click Edit Limits. In the Launch Permission dialog box, select "Distributed COM Users" and, in the Allow column under Permissions for User, select Remote Launch and Remote Activation.
- Under Access Permissions, click Edit Limits. In the Access Permission dialog box, select "Distributed COM Users" and, in the Allow column under Permissions for User, select Remote Access.
- Add the user account to the Distributed COM Users group in Computer Management, Local Users and Groups, on the server.
- Add the user account to the Performance Log Users group in Computer Management, Local Users and Groups, on the server.
WMI permission for CIMV2 Namespace
- Type wmimgmt.msc in the Run command.
Figure: WMI Control Window
- In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
Figure: Security tab
- Select the CIMV2 namespace and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the user name.
- Click the Check Names button to verify your entry and then click OK.
- In the Security dialog box, under Permissions, select "Enable Account" and "Remote Enable" for the user account.
- Ensure the permissions propagate to all sub-namespaces: under Security, click Advanced and double-click the user/group to open its properties.
- Under Applies to, select "This namespace and subnamespaces" so that the permissions propagate.
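The namespace and local-group steps above (including the Distributed COM Users and Performance Log Users membership from the DCOM section) can be done non-interactively. The following script is an added example, not part of the original page or of any Microsoft tool; it assumes Windows PowerShell 5.1 (the WMI cmdlets were removed from PowerShell 7) run elevated on the target server, and the account name CONTOSO\svc-wmi-monitor is a placeholder for an account that already exists. It edits the same ACL that the WMI Control snap-in edits, through the __SystemSecurity class.

```powershell
# Added example (not from the original page): grant a non-admin monitoring
# account remote read access to root\cimv2 without making it a local admin.
# Assumptions: Windows PowerShell 5.1, run elevated on the target server;
# $Account is a placeholder for an existing local or AD account.

param(
    [string]$Account   = 'CONTOSO\svc-wmi-monitor',   # assumption: placeholder account
    [string]$Namespace = 'root\cimv2'
)

# 1. Local group membership described in the procedure.
#    Distributed COM Users -> covered by the DCOM remote launch/activation/access limits
#    Performance Log Users -> access to the performance-counter WMI classes
foreach ($group in 'Distributed COM Users', 'Performance Log Users') {
    $isMember = $false
    try { $isMember = [bool](Get-LocalGroupMember -Group $group -Member $Account -ErrorAction Stop) } catch { }
    if (-not $isMember) { Add-LocalGroupMember -Group $group -Member $Account }
}

# 2. Namespace permission bits (WMI access-mask values from WbemCli.h).
$WBEM_ENABLE             = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE   = 0x02   # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0
# Deliberately no Execute Methods / write / Edit Security bits: read-only discovery.
$readOnlyMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# 3. Read the namespace's current security descriptor.
$invoke = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$out = Invoke-WmiMethod @invoke -Name GetSecurityDescriptor
if ($out.ReturnValue -ne 0) { throw ('GetSecurityDescriptor failed: 0x{0:X}' -f $out.ReturnValue) }
$acl = $out.Descriptor

# 4. Add an allow ACE only if an equivalent one is not already present (safe to re-run).
$existing = $acl.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
    ($_.AccessMask -band $readOnlyMask) -eq $readOnlyMask
}
if (-not $existing) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid

    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $readOnlyMask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $acl.DACL += $ace.psobject.ImmediateBaseObject

    $out = Invoke-WmiMethod @invoke -Name SetSecurityDescriptor -ArgumentList $acl.psobject.ImmediateBaseObject
    if ($out.ReturnValue -ne 0) { throw ('SetSecurityDescriptor failed: 0x{0:X}' -f $out.ReturnValue) }
}

# 5. Show the resulting ACE for review (mask 0x21 = Enable Account + Remote Enable).
(Invoke-WmiMethod @invoke -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SidString -eq $sid } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }},
                  @{n='AccessMask'; e={ '0x{0:X}' -f $_.AccessMask }},
                  AceFlags
```

The access mask is the point to review: 0x21 is exactly Enable Account plus Remote Enable. If a discovery product documents that it needs WBEM_METHOD_EXECUTE (0x02) as well, add that bit explicitly rather than granting Full Control.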
Windows Firewall and ports
Windows Server 2008 / 2012 / 2016, Windows 7/10 Firewall Rules:
https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/connecting-to-wmi-remotely-starting-with-vista
Setting up a Remote WMI Connection
Connecting to a WMI namespace on a remote computer may require changing the settings for Windows Firewall, User Account Control (UAC), DCOM, or Common Information Model Object Manager (CIMOM).
The following sections are discussed in this topic:
- Windows Firewall Settings
- User Account Control Settings
- DCOM Settings
- CIMOM Settings
Windows Firewall Settings
The WMI exception in Windows Firewall enables only WMI connections, not other DCOM applications. An exception must be set in the firewall for WMI on the remote target computer. The exception for WMI allows WMI to receive remote connections and asynchronous callbacks to Unsecapp.exe. For more information, see Setting Security on an Asynchronous Call.
If a client application creates its own sink, that sink must be explicitly added to the firewall exceptions to allow callbacks to succeed.
The exception for WMI also works if WMI has been started with a fixed port, using the winmgmt -standalonehost command. For more information, see Setting Up a Fixed Port for WMI.
You can enable or disable WMI traffic through the Windows Firewall UI.
To enable or disable WMI traffic using firewall UI
- In the Control Panel, click Security and then click Windows Firewall.
- Click Change Settings and then click the Exceptions tab.
- In the Exceptions window, select the check box for Windows Management Instrumentation (WMI) to enable WMI traffic through the firewall. To disable WMI traffic, clear the check box.
You can also enable or disable WMI traffic through the firewall at a command prompt, using the WMI rule group.
Type the following to enable WMI traffic through the firewall:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
Type the following to disable WMI traffic through the firewall:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no
Rather than using the single WMI rule group command, you can also use individual commands for each of the DCOM, WMI service and sink rules. To enable WMI traffic using separate rules for DCOM, WMI, the callback sink and outgoing connections:
To establish a firewall exception for DCOM port 135, use the following command:
netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135
To establish a firewall exception for the WMI service, use the following command:
netsh advfirewall firewall add rule dir=in name="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
To establish a firewall exception for the sink that receives callbacks from a remote computer, use the following command:
netsh advfirewall firewall add rule dir=in name="UnsecApp" program=%systemroot%\system32\wbem\unsecapp.exe action=allow
To establish a firewall exception for outgoing connections to a remote computer that the local computer is communicating with asynchronously, use the following command:
netsh advfirewall firewall add rule dir=out name="WMI_OUT" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
Note that the inbound WMI rule allows any local port for the winmgmt service, because DCOM assigns the WMI endpoint dynamically; the rule is scoped by service, not by port. Where the monitoring hosts are known, add the remoteip parameter to these rules so that only those hosts can reach the endpoint.
To disable WMI traffic using separate rules for DCOM, WMI, callback sink and outgoing connections, delete the rules created above:
To disable the DCOM exception:
netsh advfirewall firewall delete rule name="DCOM"
To disable the WMI service exception:
netsh advfirewall firewall delete rule name="WMI"
To disable the sink exception:
netsh advfirewall firewall delete rule name="UnsecApp"
To disable the outgoing exception:
netsh advfirewall firewall delete rule name="WMI_OUT"
User Account Control Settings
User Account Control (UAC) access-token filtering can affect which operations are allowed in WMI namespaces or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering. An administrator account can run a script with an elevated privilege—"Run as Administrator".
When you are not connecting to the built-in Administrator account, UAC affects connections to a remote computer differently depending on whether the two computers are in a domain or a workgroup. For more information about UAC and remote connections, see User Account Control and WMI.
DCOM Settings
For more information on DCOM settings, see Securing a Remote WMI Connection. UAC also affects connections for non-domain user accounts: if you connect to a remote computer using a non-domain user account that is a member of the local Administrators group of the remote computer, you must explicitly grant remote DCOM access, activation and launch rights to the account.
CIMOM Settings
The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.
The following registry value needs to be modified to allow anonymous callbacks:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback
Data type: REG_DWORD
If the AllowAnonymousCallback value is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client. Setting it to 1 lets unauthenticated callers deliver callbacks to the client, so leave it at 0 unless asynchronous WMI between untrusted machines is actually required.
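The firewall, DCOM and namespace settings above fail in distinguishable ways, which makes it possible to test a new monitoring account from the monitoring host and attribute a failure to the right layer. The following script is an added example, not part of the original page or any vendor tool; it assumes Windows PowerShell (DCOM transport via Get-WmiObject), that the server name srv01.contoso.local and the account CONTOSO\svc-wmi-monitor are placeholders, and that the account's password is entered at the prompt.

```powershell
# Added example (not from the original page): test a remote WMI connection from
# the monitoring host, layer by layer, with a low-privilege account.
# Assumptions: Windows PowerShell; $ComputerName and $Account are placeholders.

param(
    [string]$ComputerName = 'srv01.contoso.local',    # assumption: placeholder server
    [string]$Account      = 'CONTOSO\svc-wmi-monitor' # assumption: placeholder account
)

$cred = Get-Credential -UserName $Account -Message "Password for $Account"

# Layer 1: the RPC endpoint mapper (DCOM rule, TCP 135). If this is closed,
# nothing after it can be tested.
$tcp = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 135 closed on $ComputerName: check the DCOM / WMI rule group in the firewall"
    return
}

# Layers 2 and 3: a read-only query. The exception type tells us who refused:
#   ManagementException        -> reached the WMI service, namespace ACL refused (WBEM_E_ACCESS_DENIED)
#   UnauthorizedAccessException-> DCOM refused (E_ACCESSDENIED 0x80070005): launch/activation/access limits or UAC filtering
#   COMException 0x800706BA    -> RPC server unavailable: the dynamic WMI endpoint (svchost/winmgmt rule) is blocked
try {
    $os = Get-WmiObject -ComputerName $ComputerName -Credential $cred `
            -Namespace root\cimv2 -Class Win32_OperatingSystem -ErrorAction Stop
    "OK: $($os.Caption) build $($os.BuildNumber) reachable on $ComputerName as $Account"
}
catch [System.Management.ManagementException] {
    "WMI refused with $($_.Exception.ErrorCode): grant Enable Account and Remote Enable on root\cimv2 (and subnamespaces)"
}
catch [System.UnauthorizedAccessException] {
    "DCOM refused (E_ACCESSDENIED): add the account to Distributed COM Users / check Edit Limits, or UAC token filtering for a non-domain admin"
}
catch [System.Runtime.InteropServices.COMException] {
    $hr = $_.Exception.HResult -band 0xFFFFFFFF
    if ($hr -eq 0x800706BA) {
        "RPC server unavailable (0x800706BA): TCP 135 is open but the WMI service endpoint is filtered; enable the WMI inbound rule (or the fixed port)"
    } else {
        'COM failure 0x{0:X8}: {1}' -f $hr, $_.Exception.Message
    }
}
```

The checks are ordered the way the connection is actually established: endpoint mapper, then DCOM activation, then the CIMOM namespace check. A namespace error therefore also confirms that the firewall and DCOM limits are already correct for that account.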
Setting Up a Fixed Port for WMI
https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/setting-up-a-fixed-port-for-wmi
WMI runs as part of a shared service host with ports assigned through DCOM by default. However, you can set up the WMI service to run as the only process in a separate host and specify a fixed port.
The following procedure is an automated setup to allow WMI to have a fixed port. The procedure uses the winmgmt command-line tool.
To set up a fixed port for WMI
- At the command prompt, type winmgmt -standalonehost
- Stop the WMI service by typing net stop "Windows Management Instrumentation", or use the short name: net stop winmgmt
- Start the WMI service again in its own service host by typing net start "Windows Management Instrumentation" or net start winmgmt
- Open the fixed WMI port (24158) in the firewall by typing netsh firewall add portopening TCP 24158 WMIFixedPort
- To undo the change, type winmgmt -sharedhost, then stop and start the winmgmt service
The netsh firewall context is deprecated on Windows 7 / Server 2008 R2 and later; on those systems create the same inbound rule with the netsh advfirewall firewall add rule syntax used in the firewall section above, with localport=24158. A fixed port lets the inbound rule be narrowed from the whole dynamic RPC range to a single port, which is the main reason to use it.
Windows Server 2003 Firewall Rules
By default, DCOM communicates with the client on a random port, so to write firewall rules, restrict DCOM to a port range as described below.
- Click Start, choose Run, type dcomcnfg.exe and click OK.
- Expand Component Services, expand Computers, right-click My Computer, and select Properties.
- Click the Default Protocols tab, select Connection-oriented TCP/IP and click Properties.
- Click Add.
- Add a port range for COM services. In this example the range 5000-5020 is used; choose a range suitable for the environment. Click OK when done.
Allow the port range through the Windows Firewall. This command opens ports 5000-5020 to match the COM Internet Services range. From the command prompt enter:
FOR /L %I IN (5000,1,5020) DO netsh firewall add portopening TCP %I "COM"%I
Lastly, open DCOM port 135. From the command prompt type:
netsh firewall add portopening TCP 135 "DCOM"