Tuesday, March 11, 2014

Remote WMI monitoring Windows Service permissions with non-admin account

I've been trying to get remote WMI to check if a service is running or not and I want to use a non-admin account to do it. 

I found a lot online about setting up permissions for Remote WMI and it "mostly" gets you everything, but in the end I found that a lot of services still didn't show properly.  http://community.zenoss.org/thread/12048

Using this Excellent post https://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx we can begin to understand what the different options mean and run the sc config with the proper permissions (rather than running the Zenoss or MS cmd blindly).

  1. Open cmd prompt on the server in question
  2. type sc sdshow scmanager
  3. Take note of the existing permissions.  Notice that they are different for each OS version.
    1. Windows 2012 = D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    2. Windows 2008 R2 = D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
We also know that AU (Authenticated users) has limited permissions compared to pre Windows 2003 SP1.  Zenoss and MS articles give AU access to all (with a big caveat of it's not really all services which I talk about in a minute).  So, rather than doing this we can add our own account / group in instead of just blasting AU if desired.
  1. use pstools to get the SID of the account you want to use
    1. psgetsid username
      1. This gives you the SID for your username
    2. sc sdshow scmanager
      1. gives you the existing permissions
    3. Merge the permissions together for your new command (example on 2012 Server).  Note that you ALWAYS want to APPEND what already exists.
      1. sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;YOURSIDHERE)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
      2. Note that this is appended prior to the S: section!
    4. Now if we test using that user account we see that we get back results, but wait surely I have more than 14 services set to auto... Yes, yes I do.

I don't know why, but this doesn't show all the services by far!
But, I found that adding permissions to the services in particular that you do want to monitor will fix.

For instance, query dfsr and you get the following (Found 0 Services)

So, lets get the permissions for the specific services and modify. 
  1. sc sdshow DFSR
  2. Merge in your permissions
  3. Test :)
Either I'm missing something dumb or this is rediculous imo.  I would have never thought that on my journey to setup a non-admin account for remote monitoring that I would be messing with permissions like this.

No comments:

Post a Comment