Mark Minasi's Tech Forum
DM-AVAL
New Friend (or an Old Friend who Built a New Account)
Posts: 79
#1
I'm managing a situation where an application (more details in link below) apparently needs access to WMI for discovery purposes (creation of inventory, business map, and so forth). The easy solution is to make the service account used a member of the local administrators group (already questionable) and domain admins group on domain controllers.

https://community.servicenow.com/community?id=community_question&sys_id=30c347a5dbd8dbc01dcaf3231f96199a

Ideally, from a security best practices perspective (least privilege), we would simply exclude domain controllers from discovery but if that is not possible for whatever reason (politics), I would prefer to grant read-only access to WMI rather than making the account used a member of domain admins.

Has anyone had to do this?

It looks like "authenticated users" already has read access to WMI but the application may have to authenticate as a specific account - from what I'm reading.

More here too:

https://docs.servicenow.com/bundle/geneva-it-operations-management/page/product/discovery/reference/r_PermissionReqWinCredentials.html

So would I create a simple domain user account but grant them explicit read-only access to WMI?

EDIT - it looks like there are other locations too: the registry, for example.

As usual, thanks in advance!
wkasdo
Administrator
Posts: 229
#2
From what I remember it's a two-step process:

1. Grant remote DCOM permissions for the WMI service
2. Grant WMI permissions on relevant classes.

No clue about how to automate this ...

hth.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
jsclmedave
Administrator
Posts: 455
#3
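The two steps above, as an added PowerShell example that is not from this thread or from ServiceNow. It assumes placeholder names (domain CORP, account svc-discovery, namespace root\cimv2), is run elevated on the target host, and grants only the Enable Account and Remote Enable bits, which is the read-only, remote-capable combination; it then reads the ACL back so the result can be checked.

```powershell
# Added example, not from the thread. Placeholders: CORP\svc-discovery, root\cimv2.
param(
    [string]$Account   = 'CORP\svc-discovery',
    [string]$Namespace = 'root\cimv2'
)

# WMI namespace access-mask bits (wbemcli.h). Read-only remote access needs
# only these two; no Method Execute, no Full/Partial Write, no Edit Security.
$WBEM_ENABLE        = 0x01   # "Enable Account": may read data in the namespace
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable": may connect over DCOM
$ReadOnlyMask       = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Step 1 (DCOM): the built-in "Distributed COM Users" group already carries
# remote launch/activation rights, so no per-application DCOM ACL edit is needed.
# On a domain controller that group lives in AD's Builtin container; use
# Add-ADGroupMember there instead of Add-LocalGroupMember.
Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Account -ErrorAction SilentlyContinue

# Step 2 (WMI): fetch the namespace security descriptor and append one ACE.
$sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$sd  = ($sec.GetSecurityDescriptor()).Descriptor

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid.Value

$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $ReadOnlyMask
$ace.AceFlags   = 0x2     # CONTAINER_INHERIT_ACE: apply to child namespaces
$ace.AceType    = 0x0     # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

$sd.DACL += $ace.PSObject.ImmediateBaseObject
$null = $sec.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)

# Verify: the new trustee should appear with mask 0x21 and nothing more.
($sec.GetSecurityDescriptor()).Descriptor.DACL |
    ForEach-Object { '{0,-30} mask=0x{1:X}' -f $_.Trustee.Name, $_.AccessMask }
```

If the discovery tool later reports classes it cannot read, compare the namespace it queries against the one granted here before widening the mask; an inherited read-only ACE on root\cimv2 does not cover siblings such as other root\* namespaces.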
Quote:
Originally Posted by DM-AVAL
I'm managing a situation where an application (more details in link below) apparently needs access to WMI for discovery purposes (creation of inventory, business map, and so forth). The easy solution is to make the service account used a member of the local administrators group (already questionable) and domain admins group on domain controllers.

https://community.servicenow.com/community?id=community_question&sys_id=30c347a5dbd8dbc01dcaf3231f96199a

Ideally, from a security best practices perspective (least privilege), we would simply exclude domain controllers from discovery but if that is not possible for whatever reason (politics), I would prefer to grant read-only access to WMI rather than making the account used a member of domain admins.

Has anyone had to do this?

It looks like "authenticated users" already has read access to WMI but the application may have to authenticate as a specific account - from what I'm reading.

More here too:

https://docs.servicenow.com/bundle/geneva-it-operations-management/page/product/discovery/reference/r_PermissionReqWinCredentials.html

So would I create a simple domain user account but grant them explicit read-only access to WMI?

EDIT - it looks like there's other locations too: registry for example.

As usual, thanks in advance!


Good Luck on this! We are using various tools such as iQuate and I have tried to minimize access but due to timelines and archaic security rules we have been forced to use the Local Admin access approach.

I am going to look at Willem's suggestions for DCOM and see if that is a viable option.

If you find a read only approach that works I would be interested to see your notes.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
DM-AVAL
New Friend (or an Old Friend who Built a New Account)
Posts: 79
#4
The application performing discovery can now access everything it needs to (in the WMI structure) except the following:

Network Adapters
Storage Devices
File Systems
TCP Connections

Does anyone know to which folders I have to grant access for those elements?

I think hardware is one - I'm still looking.