check_wmi_plus WMI/local Permissions
Posted: Mon Mar 02, 2015 9:58 am
Hiya,
We use the check_wmi_plus (http://www.edcint.co.nz/checkwmiplus/) module for agentless monitoring of our Windows server estate. For checks such as the Disk drive checking this works adequately once the host OS is configured; however, for other services such as services monitoring this seems to require 'local administrator' access. This seems like a huge vulnerability and increases the risk footprint of the Nagios server.
This is the process we follow for adding suitable WMI access for disk checking:
1) Open MMC with Administrator permissions
2) Add in WMI Control. Right-click, properties, Security.
3) Under Root\CIMV2, add "WMI-Read-Only", and grant "Execute Methods", "Enable Account", "Remote Enable", and "Read Security":
4) Run DCOMCNFG with Administrator permissions
5) Expand Component Services\Computer\My Computer
6) Right-click, properties, COM Security.
7) Under "Launch and Activation Permission", click Edit Limits. Add "WMI-Read-Only", and grant "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"
8) Under My Computer, expand "DCOM Config\Windows Management and Instrumentation". Right-click, properties, security.
9) Under "Launch and Activation Permission", click Edit. Add "WMI-Read-Only", and grant "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"
I've diddled somewhat extensively on the WMI and DCOM permissions, including granting access at the root and allowing these permissions to propagate.
Any thoughts are welcome!
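The following is an added example, not part of the original post: a way to audit the result of step 3 by reading the Root\CIMV2 namespace DACL and flagging the monitoring group if it holds more than the four rights listed. It assumes Windows PowerShell 5.1 in an elevated session on the monitored server and the group name "WMI-Read-Only" from the post; it does not cover the DCOM permissions set in steps 4 to 9.

```powershell
# Added example: audit the Root\CIMV2 WMI namespace DACL on the local host.
# Assumes Windows PowerShell 5.1 (Invoke-WmiMethod) and an elevated session.

# WMI namespace access-mask bits, named as in the WMI Control security dialog
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# The four rights the post grants: Execute Methods, Enable Account,
# Remote Enable and Read Security
$Expected = 0x1 -bor 0x2 -bor 0x20 -bor 0x20000
$Group    = 'WMI-Read-Only'   # group name taken from the post

$result = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}

foreach ($ace in $result.Descriptor.DACL) {
    # Decode the access mask into the dialog's right names
    $names = foreach ($r in $Rights.GetEnumerator()) {
        if ($ace.AccessMask -band $r.Value) { $r.Key }
    }
    $trustee = $ace.Trustee.Name
    if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }

    [pscustomobject]@{
        Trustee   = $trustee
        AceType   = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type $_" } }
        Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
        Rights    = $names -join ', '
        # True when the monitoring group holds any bit outside the expected four
        Excess    = ($ace.Trustee.Name -eq $Group) -and
                    (($ace.AccessMask -bor $Expected) -ne $Expected)
    }
}
```

Piping the output to `Format-Table -AutoSize` gives one row per ACE; an `Excess` value of `True` on an Allow row means the group has write or edit-security rights on the namespace.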