Currently we are looking to transition to Windows WMI monitoring with Nagios.
We have followed the following procedure as described here:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
After configuration, we are still finding that we are unable to query the status of a Windows Service unless the monitoring account is a local admin on the box. From what we are reading on Technet, this seems to be an "accepted risk".
Has anyone been able to solve this using a limited service account as opposed to local admin?
Monitor Windows with WMI
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Monitor Windows with WMI
As far as I know, the minimum amount of permissions required is what is outlined in the article you linked above.
Re: Monitor Windows with WMI
You can do it, but you need to get pretty creative with your security descriptors and users/groups assigned to services:
https://docs.microsoft.com/en-us/window ... or-objects
You could try the "Additional Permissions" section of the official troubleshooting documentation:
https://support.nagios.com/kb/article.php?id=579
Which essentially just takes your service account and manually sets the object access level of that service account to that of the service control manager. It's less heavy-handed than granting the service account local admin, but it's also less universal between Windows versions. Additionally, all it would take to escalate past this to local admin is an ill-configured Windows service and a vulnerable process. Still, far better than just handing the service account local admin from a security perspective (though definitely not from a "usability" perspective).
Be *super duper mindful* of how you run the commands mentioned in that article and read the documentation -- don't blindly copy+paste through this situation.
Former Nagios employee
https://www.mcapra.com/
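The reply above warns that an ill-configured service is what turns this delegated access into local admin. The following Python check is an added example, not code from the thread or from the Nagios KB article: it parses a service security descriptor in the SDDL form that `sc sdshow <service>` prints and reports any rights the monitoring account holds beyond read-only. The SID and both descriptors are constructed, and ACEs for groups the account belongs to (for example `AU`) are only counted if you pass them in `trustees`.

```python
import re

# Constructed SID standing in for the limited monitoring account (assumption).
MONITOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# SDDL access-right codes and their mask bits (standard SDDL values).
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
        "GW": 0x40000000, "GR": 0x80000000}
# On a service object these only read configuration and status.
READ_ONLY = {"CC", "LC", "SW", "LO", "RC", "GR"}
# These allow changing the service's configuration, DACL or owner.
ESCALATION = {"DC", "WD", "WO", "GA", "GW"}


def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL, not the SACL."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[0], fields[2], fields[5]


def right_codes(rights):
    """Split a rights field into two-letter codes; hex masks are decoded too."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in BITS.items() if mask & bit}
    return set(re.findall("..", rights))


def audit(sddl, trustees=(MONITOR_SID,)):
    """Return what the trustees' allow ACEs grant beyond read-only access."""
    granted = set()
    for ace_type, rights, trustee in dacl_aces(sddl):
        if ace_type == "A" and trustee in trustees:
            granted |= right_codes(rights)
    return {"escalation": sorted(granted & ESCALATION),
            "other": sorted(granted - ESCALATION - READ_ONLY)}


# Constructed descriptors in the shape `sc sdshow <service>` prints.
READ_ONLY_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLORC;;;" + MONITOR_SID + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
LOOSE_SD = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPLORC;;;" + MONITOR_SID + ")"

if __name__ == "__main__":
    for name, sd in (("read-only", READ_ONLY_SD), ("loose", LOOSE_SD)):
        print(name, audit(sd))
```

An empty `escalation` list for the monitoring account on every service is the result to aim for; anything under `other` (start, stop, delete) is more than status checks need.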