Archived community.zenoss.org
104031 Views 11 Replies Latest reply: Mar 27, 2013 10:33 AM by Mark Clegg
alzoo Rank: White Belt 74 posts since
May 11, 2009

Nov 19, 2009 9:18 AM

HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER

Hi,
If you, like me, have to configure WMI access on Windows servers for a non-admin user in order for Zenoss to read the event log etc., read on...

Introduction

Zenoss is able to read and query Windows servers via WMI in order to obtain Eventlog information. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. WMI also supplies management data to other parts of the operating system and to products like Zenoss. For security purposes you can use a limited domain user account to access the WMI infrastructure and relevant components. The domain user account has rights to access only the appropriate areas of the server to obtain information for Zenoss.

As the main objective is to read and query the Windows event logs via WMI, modifications to the Windows server security will need to grant access to the specific account (zenwmi) at 4 different levels in order for Zenoss to function correctly and obtain the event log information the Windows team requires to be displayed in Zenoss.

The following information describes the 4 levels or areas that require access to be configured for the specific user. These 4 requirements are all needed and are in logical order, as one follows on from the next, as shown in the attached diagram.


1. DCOM

DCOM stands for Distributed COM, and COM stands for Component Object Model. COM is the standard method for communication between client/server apps and high-level APIs for Windows developers. DCOM uses Remote Procedure Call to expose COM objects on a computer to remote clients on other computers.
Prior to XP SP2 (and the introduction of these 2 DCOM security settings), it was difficult for an administrator to assess or control which COM objects were available to remote users, and this is even more important since COM objects can allow anonymous access. Each COM object has its own ACL and you would have had to look at each COM object's ACL to determine if remote access was allowed and to whom. This policy and "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" put a system-wide access check that all DCOM clients (local or remote) must pass before hitting the individual COM object's ACLs. This system-wide DCOM check is like share permissions on a shared folder. Many files may be accessible through a given network share and each file may have its own unique permissions, but you must first pass the share-level permissions before the file permissions are checked.

Security in WMI is related to connecting to a WMI namespace. WMI uses DCOM to handle remote calls. One reason for failure to connect to a remote computer is a DCOM failure. Therefore, this is the first access that must be granted to the specific user, and happily it can be granted by adding the user to the local or domain Distributed COM Users group on the server. There is a domain GPO which adds the domain user to the relevant groups needed by Zenoss. Specific user access can be granted by following and applying the following link.
http://msdn.microsoft.com/en-us/library/aa393266.aspx

2. WMI

Windows Management Instrumentation (WMI) is the Microsoft  implementation of Web-based Enterprise Management (WBEM), which is an industry  initiative to develop a standard technology for accessing management information  in an enterprise environment. WMI uses the Common Information Model (CIM)  industry standard to represent systems, applications, networks, devices, and  other managed components. CIM is developed and maintained by the Distributed  Management Task Force (DMTF). The ability to obtain management data from remote  computers is what makes WMI useful. Remote WMI connections are made through  DCOM.

WMI provides a uniform interface for any local or remote  applications or scripts that obtain management data from a computer system, a  network, or an enterprise. The uniform interface is designed such that WMI  client applications and scripts do not have to call a wide variety of operating  system application programming interfaces (APIs). Many APIs cannot be called by  automation clients like scripts or Visual Basic applications. Other APIs do not  make calls to remote computers.

To obtain data from WMI, an application  like Zenoss accesses WMI Classes or provides data to WMI by writing a WMI  provider.

Namespace Access Settings

You can change the access to a WMI namespace using the WMI Control or programmatically. The namespace permissions are:

Execute Methods: Permits the user to execute methods defined on WMI classes. Corresponds to the WBEM_METHOD_EXECUTE access permission constant.
Full Write: Permits full read, write, and delete access to WMI classes and class instances, both static and dynamic. Corresponds to the WBEM_FULL_WRITE_REP access permission constant.
Partial Write: Permits write access to static WMI class instances. Corresponds to the WBEM_PARTIAL_WRITE_REP access permission constant.
Provider Write: Permits write access to dynamic WMI class instances. Corresponds to the WBEM_WRITE_PROVIDER access permission constant.
Enable Account: Permits read access to WMI class instances. Corresponds to the WBEM_ENABLE access permission constant.
Remote Enable: Permits access to the namespace by remote computers. Corresponds to the WBEM_REMOTE_ACCESS access permission constant.
Read Security: Permits read-only access to DACL settings. Corresponds to the READ_CONTROL access permission constant.
Edit Security: Permits write access to DACL settings. Corresponds to the WRITE_DAC access permission constant.


This is the second access requirement that is needed for Zenoss. For the DMSI Windows team, the zenwmi domain user is manually given Remote Enable and Enable Account permissions to the CIMV2 class. This is done by a user-written program, WmiSecurity, that can be run from the command line.
The syntax is as follows:
WmiSecurity.exe /C="%computername%" /A /N=Root/CIMV2 /M="DOMAIN\USER:REMOTEACCESS" /R

Specific user access can be granted by following &  applying the following link.
http://technet.microsoft.com/en-us/library/cc787533%28WS.10%29.aspx

3. Service Control Manager

The service control manager (SCM) is started at system  boot. It is a remote procedure call (RPC) server, so that service configuration  and service control programs can manipulate services on remote machines. SCM  maintains a database of the installed services and driver services that allow  the operating system to start successfully, and provides a unified and secure  means of controlling them. The database, which is stored in the Windows system  registry, includes configuration and security information about each service or  driver service.

System administrators should use the Services snap-in or  the sc.exe command-line tool to query or configure services.

The service  functions provide an interface for the following tasks performed by the  SCM:

Maintaining the database of installed services.
Starting services  and driver services either upon system startup or upon demand.
Enumerating  installed services and driver services.
Maintaining status information for  running services and driver services.
Transmitting control requests to  running services.
Locking and unlocking the service database.

Zenoss requires access to this manager in order to scan the machine for which Windows services are installed on it and subsequently provide status information on the event page, besides gaining access to the eventlog (which is a service). This is the third access requirement which needs to be modified for Zenoss. This is configured by command line (sc.exe) and is also included in the tasks section of the automatic network install. Specific user access is the only method of configuration for this type of access and can be granted by following and applying the following link.
http://support.microsoft.com/kb/907460

The command line used for Windows servers is:
sc sdset SCMANAGER D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPRC;;;S-1-5-21-1248577188-10479689-3873521419-99999)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

4. Event Log Permissions

Finally, to read and list the Windows events in the Zenoss event page, the user defined in the properties of the Zenoss Organizer has to be given rights to read the log. Unfortunately, as you have just read, you are not able to just add the rights to the event log and be done with it; the above modifications need to have been actioned beforehand. The easiest way to perform this task for the hundreds of Windows servers at Sopra was to create a domain-wide GPO.

A policy setting determines which user accounts have access to log files and what usage rights are granted. Individual settings may be specified for each of the Application, Security, Setup, and System event log channels. For Zenoss each log must be modified in order for the ZenEventlog connection to be UP.

Enabling this setting allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log. You enter the security descriptor using Security Descriptor Definition Language (SDDL), as we have read above. The following link explains how to add specific user access to the Eventlog via a GPO:
http://support.microsoft.com/default.aspx/kb/323076

The structure of the Eventlog key is as follows:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application,Security,System,CustomLog

Note that domain controllers record events in the  Directory service and File Replication service logs and DNS servers record  events in the DNS server.

CustomSD Restricts access to the event log.  This value is of type REG_SZ. The format used is Security Descriptor Definition  Language (SDDL). Construct an ACL that grants one or more of the following  rights:

  • Read (0x0001)
  • Write (0x0002)
  • Clear (0x0004)

To be a syntactically valid SDDL, the CustomSD value  must specify an owner and a group owner (for example, O:BAG:SY), but the owner  and group owner are not used. If CustomSD is set to a wrong value, an event is  fired in the System event log when the event log service starts, and the event  log gets a default security descriptor which is identical to the original  CustomSD value for the Application log. SACLs are not supported.

The SDDL permissions used for Windows servers are:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-21-1248577188-10479689-3873521419-99999)
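
The SCMANAGER string in section 3, the CustomSD value above and the namespace permissions of section 2 are all SDDL, so one small parser is enough to check whether the zenwmi SID really carries the rights each step needs. The following Python is an added example, not code from this thread or from Zenoss: it decodes the two descriptors quoted in the post and a constructed Root\CIMV2-style descriptor. The CIMV2 string, and the mapping of the low "object-specific" bits onto SCM, event log and WBEM rights, are assumptions drawn from the SDDL documentation rather than from the post.

```python
import re

# SDDL two-letter access-right codes (from the Windows SDDL documentation).
# GA..WO and FA..KX are fixed generic/standard rights; CC..CR are raw low
# bits whose meaning depends on the type of object the descriptor protects.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# Meaning of the low bits for the three object types configured in the post.
SCM_CONNECT, SCM_ENUMERATE = 0x1, 0x4        # SCMANAGER: CC, LC
EVENTLOG_READ, EVENTLOG_WRITE = 0x1, 0x2     # CustomSD: Read, Write
WBEM_ENABLE, WBEM_REMOTE_ACCESS = 0x1, 0x20  # WMI namespace: CC, WP

def parse_rights(text):
    """Turn a rights field ('CCLCRPRC' or '0xf0007') into a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("odd-length rights string: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        if text[i:i + 2] not in RIGHTS:
            raise ValueError("unknown access right code: %r" % text[i:i + 2])
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Return owner, group and the ACE lists of the DACL and SACL.  A colon never
    occurs inside an ACE (GUIDs and SIDs use dashes), so section markers are
    unambiguous; conditional ACEs are not handled."""
    marks = [m.start() for m in re.finditer(r"[OGDS]:", sddl)] + [len(sddl)]
    sections = {sddl[a]: sddl[a + 2:b] for a, b in zip(marks, marks[1:])}
    acls = {}
    for key in "DS":
        acls[key] = []
        for body in re.findall(r"\(([^)]*)\)", sections.get(key, "")):
            fields = body.split(";")   # type;flags;rights;object;inherit_object;trustee
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % body)
            acls[key].append({"type": fields[0], "flags": fields[1],
                              "mask": parse_rights(fields[2]), "trustee": fields[5]})
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl": acls["D"], "sacl": acls["S"]}

def effective_mask(sddl, trustee):
    """Bits the DACL allows to one trustee string minus bits it denies.  Group
    membership and ACE order are not modelled: this checks the descriptor text,
    it is not a full Windows access check."""
    allowed = denied = 0
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == trustee and ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["trustee"] == trustee and ace["type"] == "D":
            denied |= ace["mask"]
    return allowed & ~denied

def has_rights(sddl, trustee, required):
    return effective_mask(sddl, trustee) & required == required

# The monitoring account's SID exactly as written in the post.
ZENWMI_SID = "S-1-5-21-1248577188-10479689-3873521419-99999"
# Descriptor from the 'sc sdset SCMANAGER ...' command in section 3.
SCM_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)"
            "(A;;CCLCRPRC;;;SU)(A;;CCLCRPRC;;;" + ZENWMI_SID + ")"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# CustomSD value from section 4.
EVENTLOG_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                 "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
                 "(A;;0x3;;;S-1-5-3)(A;;0x1;;;" + ZENWMI_SID + ")")
# Constructed, not from the post: a Root\CIMV2-style namespace descriptor with an
# ACE giving the account CC (WBEM_ENABLE, "Enable Account") and WP
# (WBEM_REMOTE_ACCESS, "Remote Enable") from the table in section 2.
CIMV2_SDDL = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)"
              "(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)(A;CI;CCWP;;;" + ZENWMI_SID + ")")

def audit_zenwmi(sid=ZENWMI_SID):
    """The descriptor checks behind the post's SCM, event log and WMI errors."""
    return {"scm": has_rights(SCM_SDDL, sid, SCM_CONNECT | SCM_ENUMERATE),
            "eventlog": has_rights(EVENTLOG_SDDL, sid, EVENTLOG_READ),
            "cimv2": has_rights(CIMV2_SDDL, sid, WBEM_ENABLE | WBEM_REMOTE_ACCESS)}

if __name__ == "__main__":
    for name, ok in audit_zenwmi().items():
        print("%-9s %s" % (name, "granted" if ok else "MISSING"))
```

On a live host the three strings would come from `sc sdshow scmanager`, the CustomSD registry value and the WMI Control namespace security respectively. The check matches the literal trustee only, so rights the account inherits through a group (for example the Distributed COM Users membership of section 1) are out of its scope; what it does catch is the common failure of a descriptor that was pasted with the wrong SID or with a right missing.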

Error Summary

I have figured out the following after lots of trial and error. It is a logical process, almost like walking through one security door after another to get to the Windows Eventlog. If you see the following ZenWin or ZenEventlog errors in the event page you need to check the relevant section or link to determine where the fault lies.


Component: ZenWin
Message: Could not read the status of  Windows services (NT_STATUS_ACCESS_DENIED). Check your  username/password settings and verify network connectivity.

Component:  ZenEventlog
Message: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED). Check your  username/password settings and verify network connectivity.

This error relates to the DCOM Permissions and is resolved by implementing
http://msdn.microsoft.com/en-us/library/aa393266.aspx. Check that the ZenWMI user is a member of the Distributed COM Users group on the server.


Component: ZenWin
Message: Could not read the status of Windows services (NT code 0x80041003). Check your username/password settings and verify network connectivity.

Component: ZenEventlog
Message: Could not  read the Windows event log (NT code  0x80041003). Check your username/password settings and verify network  connectivity

This error relates to the WMI Permissions and is resolved by implementing
http://technet.microsoft.com/en-us/library/cc787533.aspx. Check to see that the ZenWMI user has Enable Account and Remote Enable access to the CIMV2 namespace in WMI Control on the server.

Component: ZenWin
Message: Could not read the status of Windows  services (NT code 0x80041001). Check  your username/password settings and verify network connectivity

This error relates to the SCM Permissions and is resolved by implementing
http://support.microsoft.com/kb/907460. Check to see if the ZenWMI user's unique SID has been added to the SCM SDDL (type "sc sdshow scmanager"); if not, copy and paste the above command. Once this is done you should get a cleared "zenwin wmi connection is up" message.

Component: ZenWin
Message: Could not read the status of  Windows services (NT code 0xc002001b). Check your username/password settings and verify network  connectivity.

Component: ZenEventlog
Message: Could not read the  Windows event log (NT code  0xc002001b). Check your username/password settings and verify network  connectivity.

This error relates to the Eventlog Permissions and is resolved by implementing
http://support.microsoft.com/kb/323076. As this is set by GPO, check to see if the GPO was correctly enforced and use the registry editor to check that the above SDDL is present: go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\"LOG" and read the CustomSD string value. Once this is modified correctly, you should get a cleared "zeneventlog wmi connection is up" message.

Other Errors

Component: ZenEventlog
Message: Could not read the  Windows event log (ExecNotificationQuery  (WBEM_E_ACCESS_DENIED)). Check your username/password settings and  verify network connectivity.

This usually relates to a missing EventLog permission, i.e. the SDDL has not been applied to all the event logs (Application, System, Security, etc.).

Component: ZenPerfwmi
Message:  Could not read the WMI value (NT code  0x80010105). Check your username/password settings and verify network  connectivity.

I forget.. will have to recall how I fixed it... I think it was due to the "users" group having the right to log onto the computer removed in the local policy..

Component:  ZenPerfwmi
Message: Could not read the WMI value (NT code 0x80041010). Check your  username/password settings and verify network connectivity.

This usually relates to a missing WMI namespace; check that Service Pack 2 is installed, or recreate/reset the WMI namespaces.
The command winnts2k\system32\wbem\wmiadap.exe /f will often restore missing WMI performance counters.

Sources:
http://msdn.microsoft.com/en-us/library/aa392740%28VS.85%29.aspx
http://support.microsoft.com/kb/820847
http://msdn.microsoft.com/en-us/library/aa394528%28VS.85%29.aspx

Final thanks to all the forum members for their help and input over time.

Alzoo
  • pTy Rank: White Belt 14 posts since
    Nov 16, 2009

    Great post Alzoo.

    Sure it will be really helpful for every new Windows monitoring user.

    Your WMISecurity link explains how to edit WMI access security remotely?

    If so, I'd want to add another link to edit it by GPO:

    http://blogs.msdn.com/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx

    which is really easy and works on W2003 and W2008 hosts.

    Cheers!

  • jmp242 ZenossMaster 4,060 posts since
    Mar 7, 2007

    I would post this on the Wiki...

    --

    James Pulver

    Information Technology Area Supervisor

    LEPP Computer Group

    Cornell University

     

     

     

    pTy wrote, On 11/18/2009 9:08 AM:
    > Great post Alzoo. [...]

  • mlanner Newbie 4 posts since
    Nov 13, 2009

    Hi Alzoo,

    I've been trying to get WMI working but keep on getting the error:

    Could not read the Windows event log (NT_STATUS_ACCESS_DENIED). Check your username/password settings ...

    I'm running 2.5.1 and I've been using accounts in the administrators group, including Administrator, to collect WMI info. This is a small test installation and all the machines are on a workgroup, not on a domain.

    I posted another question last night here:

    message/45616#45616

    Any ideas? Thanks in advance.

  • joeadmin Rank: White Belt 80 posts since
    Mar 21, 2009

    Does anyone have relevant experience implementing this with a Windows 2008 domain controller? I have used this document to successfully use WMI to monitor a network with a non-privileged account. I was working on a new network and came across a 2008 domain controller. Everything seemed OK until I got to the event logs. I edited the Sceregvl.inf file and rebooted the server but the CustomSD did not appear in the registry or in Group Policy as I have seen on Windows 2003 servers.

    Any thoughts or a workaround?

    My goal is to have the Windows 2008 server send its events to Zenoss just like the Windows 2003 servers do. This new environment has both 2003 servers and 2008 servers. I must use a non-administrator account.

    Thanks for your help

  • benchen Rank: White Belt 8 posts since
    Nov 13, 2008

    Thanks alzoo. It actually works. But the strange thing is that not all the services can be queried. Only a part of them is listed in the final query result. Could you please advise the solutions? Thanks.

  • blunsford Newbie 4 posts since
    Jul 23, 2010

    I am trying to set this up on a domain controller and I am getting errors for some of the WMI commands.

    2011-04-29 16:43:52,402 ERROR zen.WMIClient: Received NT code 0x80041003  from query: SELECT * FROM Win32_PerfRawData_PerfDisk_PhysicalDisk

    I have this successfully running on non-domain controllers.

    I am also getting this error and I am not sure why.

    Could not read the Windows event log (ExecNotificationQuery on XXXX.XXXXX.com (WBEM_E_ACCESS_DENIED)). Check your username/password settings and verify network connectivity.

    Any ideas on both of these would be a huge help.

    Thanks

    Bennie

  • Mark Clegg Rank: White Belt 8 posts since
    Nov 19, 2012

    Excellent article

    Can I ask if anybody knows how to do the same for winexe, so that we can run arbitrary commands using winexe without requiring admin rights on the target machine. I'm specifically thinking about domain controllers where getting a local admin account isn't a possibility.

    Thanks

    Mark.

  • Levina Gill Newbie 2 posts since
    Feb 20, 2013

    Hi,

    I am trying to build a function which impersonates a non-admin user, reads some AD entries, and then reads the user logged in on a remote machine (an ordinary domain user with the proper rights to access WMI remotely on the domain machines).

     


  • Mark Clegg Rank: White Belt 8 posts since
    Nov 19, 2012

    Hi. I've been battling with getting additional services monitored using the above method, as I found that Zenoss was failing to list 60% of the services on any monitored host.

    The solution seems to be that using SC SDSET SCMANAGER... as described in the article doesn't grant permissions to ALL services, but just a subset.

    To monitor all services, you have to individually set the SDDL string on each service, using...

    SC SDSET <servicename> <newSDDLstring>

    The settings for the SDDL string I've found to work are the current setting (from SC SDSHOW servicename) with the additional discretionary ACE string added...

    (A;;GR;;;serviceaccountSID)

    where: A = Allow, GR = Generic Read, serviceaccountSID is the SID for the Windows account being used.
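
Building the per-service descriptor the reply above describes, as an added example that is not code from the thread or from Zenoss: take the current `sc sdshow <service>` output, append the `(A;;GR;;;SID)` ACE to the DACL, and emit the `sc sdset` command that applies it. The sample sdshow output is constructed (it mirrors a typical default service descriptor), the service name is a placeholder, and the SID is the one the original post uses.

```python
# The monitoring account's SID as written in the original post.
ZENWMI_SID = "S-1-5-21-1248577188-10479689-3873521419-99999"

# Constructed sample of 'sc sdshow spooler' output (a blank line, then the
# descriptor).  The descriptor mirrors a typical default service descriptor
# and is an assumption for this example, not taken from the thread.
SAMPLE_SDSHOW = (
    "\r\n"
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\r\n"
)


def sddl_from_sdshow(output):
    """Pick the descriptor out of sc sdshow output: the line starting 'D:' or 'O:'."""
    for line in output.splitlines():
        if line.strip().startswith(("D:", "O:")):
            return line.strip()
    raise ValueError("no security descriptor in sc sdshow output")


def grant_generic_read(sddl, sid):
    """Return sddl with (A;;GR;;;sid) appended to the DACL, ahead of any S: (SACL)
    section.  Idempotent: an identical ACE already present is not added twice."""
    new_ace = "(A;;GR;;;%s)" % sid
    if new_ace in sddl:
        return sddl
    dacl_start = sddl.index("D:")           # ValueError if there is no DACL
    # A colon never appears inside an ACE, so the first 'S:' after the DACL
    # marker is the SACL boundary.
    sacl_start = sddl.find("S:", dacl_start)
    if sacl_start == -1:
        return sddl + new_ace
    return sddl[:sacl_start] + new_ace + sddl[sacl_start:]


def sdset_commands(sdshow_outputs, sid):
    """Map {service: sc sdshow output} to the 'sc sdset' command for each service."""
    return {name: "sc sdset %s %s" % (name, grant_generic_read(sddl_from_sdshow(out), sid))
            for name, out in sdshow_outputs.items()}


if __name__ == "__main__":
    for cmd in sdset_commands({"spooler": SAMPLE_SDSHOW}, ZENWMI_SID).values():
        print(cmd)
```

The ACE goes before the `S:` section because `sc sdset` parses the string as a whole descriptor; an ACE appended after the SACL would be read as an audit entry. GR on a service object maps to read-only service rights (query configuration and status), which is what a monitoring account needs and nothing more; if a service already carries a deny ACE for the same account the appended allow will not override it, so read the existing descriptor before assuming the grant took effect.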