check_wmi_plus WMI/local Permissions

Post by storkie2010 »

Hiya,

We use the check_wmi_plus (http://www.edcint.co.nz/checkwmiplus/) module for agentless monitoring of our Windows server estate. For checks such as the disk drive checking this works adequately once the host OS is configured; however, for other services such as services monitoring this seems to require 'local administrator' access. This seems like a huge vulnerability and increases the risk footprint of the Nagios server.

This is the process we follow for adding suitable WMI access for disk checking:

1) Open MMC with Administrator permissions
2) Add in WMI Control. Right-click, properties, Security.
3) Under Root\CIMV2, add "WMI-Read-Only", and grant "Execute Methods", "Enable Account", "Remote Enable", and "Read Security"
4) Run DCOMCNFG with Administrator permissions
5) Expand Component Services\Computer\My Computer
6) Right-click, properties, COM Security.
7) Under "Launch and Activation Permission", click Edit Limits. Add "WMI-Read-Only", and grant "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"
8) Under My Computer, expand "DCOM Config\Windows Management and Instrumentation". Right-click, properties, security.
9) Under "Launch and Activation Permission", click Edit. Add "WMI-Read-Only", and grant "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"

I've diddled somewhat extensively on the WMI and DCOM permissions, including granting access at the root and allowing these permissions to propagate.

Any thoughts are welcome!

Re: check_wmi_plus WMI/local Permissions

Post by jdalrymple »

I suggest reviewing this document:

http://assets.nagios.com/downloads/nagi ... ios-XI.pdf

Have you already? As indicated by that document there is no need to make the user a local administrator.

Re: check_wmi_plus WMI/local Permissions

Post by Box293 »

I've seen this problem before.

Try these settings on a TEST server.

First we need to determine the SID of the user “wmiagent”. From the command prompt enter:

Code:

wmic useraccount where name='wmiagent' get sid

In my output the SID is: S-1-5-21-3412302875-2573218200-1610287713-1007

Now we have the SID, we will use it in the next command to grant the rights to the service control manager. In the following example you will need to replace the SID with the one you obtained from the previous step. From the command prompt enter:

Code:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;S-1-5-21-3412302875-2573218200-1610287713-1007)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Afterwards reboot the TEST server to make sure it boots OK.

Re: check_wmi_plus WMI/local Permissions

Post by storkie2010 »

Thanks - I'll double check the Nagios instructions are all present and correct - else I'll try the other notes on a test server. Will post back the responses in a day or so.

Re: check_wmi_plus WMI/local Permissions

Post by jolson »

Sounds great - be sure to let us know. Thanks!

Re: check_wmi_plus WMI/local Permissions

Post by storkie2010 »

Hiya,

Sorry for the delay in replying, I've tested the official 'Monitoring Windows Using WMI and Nagios guide', created a local user and added in relevant permissions. This was on a Windows 2008R2 on domain server.

This local account could pull back drive data, but again not Windows services status.

root@nagiosapp01:/usr/local/nagios/libexec# ./check_wmi_plus.pl -H UCSLOG03 -u wmiagent -p xxxxxx -m checkdrivesize -a C: -w _Free%=5: -w _FreeGB=5: -c _Free%=1: -c _FreeGB=1:
OK - C: Total=63.90GB, Used=32.92GB (51.5%), Free=30.98GB (48.5%) |'C: Space'=32.92GB; 'C: Utilisation'=51.5%;

root@nagiosapp01:/usr/local/nagios/libexec# ./check_wmi_plus.pl -H UCSLOG03 -u wmiagent -p xxxxxx -m checkservice -a auto -w 0 -c 1
UNKNOWN - The WMI query had problems. The error text from wmic is: [wmi/wmic.c:212:main()] ERROR: Retrieve result data.
NTSTATUS: NT code 0x80041003 - NT code 0x80041003

I then tried the suggestion by Box293 using the SID of the local account and it resulted in server not coming back after a reboot (it didn't even gracefully reboot).

Microsoft TechNet claims that the error code 0x80041003 states that the user needs administrator access - I don't always think much of TechNet articles, but it does seem to ring true.... what do you all think?

Thank you

Paul

https://technet.microsoft.com/en-gb/lib ... 92772.aspx

0x80041003 (WBEM_E_ACCESS_DENIED)
This typically results when the process trying to access the namespace does not have the required WMI privileges. The account attempting remote access should be an administrator on the target computer; in addition, the account might need to have a specific privilege enabled.
To troubleshoot this error, check the namespace security on the remote namespace to see the privileges enabled for the account.

Re: check_wmi_plus WMI/local Permissions

Post by jdalrymple »

From an administrative command prompt on the Windows box run this trainwreck of a command:

Code:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Sourced from here:
http://support.microsoft.com/kb/907460

This is just a more broad version of what you did above, but I think that will fix it for you.

It is NOT necessary to have local admin rights to achieve what you want:
[Attachment: Clipboard01.jpg]
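
Added example, not part of any post in this thread: a small Python decoder for the two `sc sdset SCMANAGER` descriptors quoted above, showing which trustee each DACL entry names and which Service Control Manager rights it grants. The code-to-right mapping is the standard SDDL reading for the SCM object; the function and variable names are illustrative.

```python
import re

# SDDL right codes as interpreted for the Service Control Manager (SCM) object.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "KA": "SC_MANAGER_ALL_ACCESS", "GA": "GENERIC_ALL",
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}
READ_ONLY = {"CC", "LC", "RP", "RC"}  # connect, enumerate, query lock, read descriptor
BROAD = {"AU", "WD"}                  # trustees that cover far more than one account

def parse_dacl(sddl):
    """Return (ace_type, [right codes], trustee) for each ACE in the D: section."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]  # drop the S: audit section
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = body.split(";")
        aces.append((ace_type, re.findall("..", rights), trustee))
    return aces

def review(sddl):
    """Map each allowed trustee to its rights and the two flags a reviewer wants."""
    report = {}
    for ace_type, codes, trustee in parse_dacl(sddl):
        if ace_type != "A":  # only access-allowed ACEs grant rights
            continue
        report[TRUSTEES.get(trustee, trustee)] = {
            "rights": [SCM_RIGHTS.get(c, c) for c in codes],
            "read_only": set(codes) <= READ_ONLY,
            "broad_group": trustee in BROAD,
        }
    return report

# The two descriptors posted in this thread (the SID is the one from the post).
PER_ACCOUNT = "D:(A;;CCLCRPRC;;;S-1-5-21-3412302875-2573218200-1610287713-1007)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
ALL_AUTHENTICATED = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("per-account", PER_ACCOUNT), ("AU", ALL_AUTHENTICATED)):
        print(label)
        for who, info in review(sddl).items():
            print(f"  {who}: {', '.join(info['rights'])} "
                  f"read_only={info['read_only']} broad={info['broad_group']}")
```

Both descriptors give the monitoring trustee the same four read-type rights; they differ only in whether that trustee is one account SID or every authenticated user.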

Re: check_wmi_plus WMI/local Permissions

Post by storkie2010 »

OK, thank you. I'll try that on one of our legacy servers.

We were experiencing the issue with 2003/2008R2 and 2012R2 servers. Do you think it also applies to the newer OS's?

I wonder if it has something to do with the fact that we are using a domain user account to query the service status?

Re: check_wmi_plus WMI/local Permissions

Post by jdalrymple »

I don't think that should have anything to do with it storkie.

As for me - the command I shared from that MSDN page solved the issue on my Win7 box - which generally correlates to 2008R2. I ran the command on a 2012R2 box and it succeeded, so apparently it still applies.

Re: check_wmi_plus WMI/local Permissions

Post by Box293 »

jdalrymple wrote: As for me - the command I shared from that MSDN page solved the issue on my Win7 box - which generally correlates to 2008R2. I ran the command on a 2012R2 box and it succeeded, so apparently it still applies.

Did the machine boot up again after executing the command?