Monitor Windows with WMI

[cslatzer]

Currently we are looking to transition to Windows WMI monitoring with Nagios.

We have followed the following procedure as described here::
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

After configuration, we are still finding that we are unable to query the status of a Windows Service. unless the monitoring account is a local admin on the box. From when we are reading on Technet, this seems to be an "accepted risk"

Has anyone been able to solve this with using a limited service account as opposed to local admin?

[scottwilkerson]

As far as I know, the minimum amount of permissions required is what is outlined in the article you linked above.

[mcapra]

You can do it, but you need to get pretty creative with your security descriptors and users/groups assigned to services:
https://docs.microsoft.com/en-us/window ... or-objects

You could try the "Additional Permissions" section of the official troubleshooting documentation:
https://support.nagios.com/kb/article.php?id=579

Which essentially just takes your service account and manually sets the object access level of that service account to that of the service control manager. It's less heavy-handed than granting the service account local admin, but it's also less universal between Windows versions. Additionally, all it would take to escalate past this to local admin is an ill configured Windows service and a vulnerable process. Still, far better than just handing the service account local admin from a security perspective (though definitely not from a "usability" perspective).

Be *super duper mindful* of how you run the commands mentioned in that article and read the documentation -- don't blindly copy+paste through this situation .

[scottwilkerson]

Thanks @mcapra