
How to use a non-Admin account for WMI

Technical Articles ID: KB74126
Last Modified: 6/3/2016

Environment
McAfee SIEM Event Receiver 9.6.x, 9.5.x, 9.4.x
Microsoft Windows Server 2012*
Microsoft Windows Server 2008
Microsoft Windows Server 2003

* Security Log collection on Windows Server 2012 requires at least Local Administrator privileges.
Summary
The following procedures describe how to use a non-Admin account for WMI.

Group membership, security policy assignments, and permissions
1. Create a domain user account to represent the user that will be used in your environment for log collection.
2. Create a domain group that will receive all of the rights that the WMI collection user needs.
   NOTE: Always assign permissions to a domain group, instead of directly to a user.
3. Put the WMI collection user into this newly created group.
4. Put the newly created WMI collection group into the following domain groups:
   o Performance Log Users
   o Distributed COM Users
5. Run one of the following three Microsoft Management Console (MMC) snap-ins:
   o the Local Security Policy snap-in (secpol.msc) for member servers
   o the Default Domain Security Policy snap-in (dompol.msc) if you want to configure these settings domain-wide as a GPO
   o the Default Domain Controller Security Settings snap-in (dcpol.msc) if you want to assign the rights only on domain controllers
6. When the snap-in has started, expand Security Settings, Local Policies, User Rights Assignment.
7. Assign your new group at least the following rights:
   o Act as part of the operating system
   o Log on as a batch job
   o Log on as a service
   o Replace a process level token
8. Close the Policy Settings utility.
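
Steps 1 to 4 and the rights check from step 7, scripted in PowerShell as an added example. This is not McAfee code and KB74126 ships no script; it assumes the ActiveDirectory module from RSAT is installed on a domain-joined machine, that CONTOSO, svc-wmi-collect, WMI-Collection and the OU path are placeholders to replace, and that the privilege constant names listed in the comments are the ones secedit exports for the four policy display names. The group is put into Performance Log Users and Distributed COM Users with Add-ADGroupMember on a domain controller and with net localgroup on a member server, because there those are local groups. The last part only reports whether the four rights are present rather than granting them; that report is worth keeping, since Act as part of the operating system (SeTcbPrivilege) is by far the most powerful of the four.

```powershell
# Added example, not part of KB74126: scripts steps 1-4 of the procedure and then
# verifies step 7 on the machine it runs on. All names are placeholders.
# Needs the ActiveDirectory module (RSAT) and rights to create users and groups;
# the secedit export at the end needs local administrator rights.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'                                  # placeholder NetBIOS domain
$UserName  = 'svc-wmi-collect'                          # placeholder collection account
$GroupName = 'WMI-Collection'                           # placeholder rights group
$OU        = 'OU=ServiceAccounts,DC=contoso,DC=com'     # placeholder container

# Step 1: the collection account. The password is prompted for, not stored here.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-ADUser -Name $UserName -SamAccountName $UserName -Path $OU `
        -AccountPassword $Password -Enabled $true
}

# Step 2: the group that carries every right (never grant to the user directly).
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $OU `
        -GroupScope Global -GroupCategory Security `
        -Description 'Non-admin WMI log collection (KB74126 procedure)'
}

# Step 3: user -> group.
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Step 4: group -> Performance Log Users and Distributed COM Users. On a domain
# controller these are Builtin groups in AD; on a member server they are local
# groups, so net localgroup is used there (works back to Server 2003).
$isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
foreach ($builtin in 'Performance Log Users', 'Distributed COM Users') {
    if ($isDC) {
        Add-ADGroupMember -Identity $builtin -Members $GroupName
    }
    else {
        net localgroup "$builtin" "$Domain\$GroupName" /add | Out-Null
    }
}

# Step 7 check: export the effective User Rights Assignment and confirm the group
# holds the four rights. Constant names behind the policy display names:
#   Act as part of the operating system  -> SeTcbPrivilege
#   Log on as a batch job                -> SeBatchLogonRight
#   Log on as a service                  -> SeServiceLogonRight
#   Replace a process level token        -> SeAssignPrimaryTokenPrivilege
$groupSid = (Get-ADGroup $GroupName).SID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    # Lines look like: SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg
foreach ($priv in 'SeTcbPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege') {
    $held = ($rights[$priv] -contains $groupSid) -or ($rights[$priv] -contains "$Domain\$GroupName")
    '{0,-30} {1}' -f $priv, $(if ($held) { 'OK' } else { 'MISSING' })
}
```

Run the check again after the policy from step 7 has been applied (a Group Policy refresh on the server if you used dompol.msc or dcpol.msc); secedit exports what is in effect on the local machine, not what is defined in the domain GPO.
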


Distributed Component Object Model rights assignments
Use the following steps to configure DCOM security for the WMI collection group:
1. Click Start, Administrative Tools, Component Services.
2. Expand Console Root, Computers, My Computer.
3. Right-click My Computer and select Properties.
4. In the window that appears, click the COM Security tab.
5. Under Access Permissions, click Edit Limits.
6. Confirm that the Distributed COM Users group has all items selected under Allow.
7. (Optional) Add the WMI collection group to this list and ensure that it has full Allow access.
   NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
8. When you have reviewed the presence of Distributed COM Users or added the WMI collection group, click OK to save your changes and return to the COM Security tab.
9. Under Launch and Activation Permissions, click Edit Limits.
10. In the list of groups and permissions, confirm that the Distributed COM Users group has all items selected under Allow.
11. (Optional) Add the WMI collection group here, and assign full Allow access.
    NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
12. Click OK to save your changes.
13. Close the Component Services utility.
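
The two confirmations in steps 6 and 10 can be repeated from a script by reading the machine-wide limits that the COM Security tab writes to the registry. The following PowerShell is an added example, not part of KB74126 or of McAfee's tooling. It assumes the limits are stored as self-relative security descriptors in the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Microsoft\Ole, uses the well-known SID S-1-5-32-562 for Distributed COM Users, and treats CONTOSO\WMI-Collection as a placeholder for the optional group of steps 7 and 11. It only reads the values; nothing is changed.

```powershell
# Added example, not part of KB74126: a read-only audit of the machine-wide DCOM
# limits that the COM Security tab (steps 5-12) edits, so the "all items under
# Allow" check for Distributed COM Users can be repeated from a script.
# 'CONTOSO\WMI-Collection' is a placeholder for the optional group of steps 7 and 11.
$OleKey        = 'HKLM:\SOFTWARE\Microsoft\Ole'
$DcomUsersSid  = 'S-1-5-32-562'              # well-known SID of BUILTIN\Distributed COM Users
$OptionalGroup = 'CONTOSO\WMI-Collection'    # placeholder; may legitimately be absent

# COM_RIGHTS_* bits behind the check boxes. An ACE holding only 0x1 is the legacy
# form that grants everything, which the FullAllow test below accepts as "full".
$BitNames = @{ 1 = 'Execute (legacy, all)'; 2 = 'Local Access/Launch'; 4 = 'Remote Access/Launch'
               8 = 'Local Activation'; 16 = 'Remote Activation' }

function Get-DcomLimit {
    param([string]$ValueName, [int]$FullMask)
    $bytes = (Get-ItemProperty -Path $OleKey -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { Write-Warning "$ValueName not present; built-in defaults apply"; return }
    # The value is a self-relative security descriptor, exactly what the dialog writes.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        $bits = $BitNames.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                ForEach-Object { $BitNames[$_] }
        New-Object PSObject -Property @{
            Limit     = $ValueName
            Type      = $ace.AceType
            Principal = $name
            Sid       = $sid.Value
            Rights    = ($bits -join ', ')
            FullAllow = ($ace.AceType -eq 'AccessAllowed') -and
                        ((($ace.AccessMask -band $FullMask) -eq $FullMask) -or ($ace.AccessMask -eq 1))
        }
    }
}

# Access Permissions: Local Access (0x3) and Remote Access (0x5) -> all items = 0x7.
# Launch and Activation Permissions: the four items together -> 0x1F.
$access = Get-DcomLimit -ValueName 'MachineAccessRestriction' -FullMask 0x7
$launch = Get-DcomLimit -ValueName 'MachineLaunchRestriction' -FullMask 0x1F
@($access) + @($launch) | Format-Table Limit, Type, Principal, Rights, FullAllow -AutoSize

# The confirmations the article asks for (steps 6 and 10), plus the optional group.
foreach ($set in @{ Name = 'Access'; Aces = $access }, @{ Name = 'Launch/Activation'; Aces = $launch }) {
    $dcomUsers = $set.Aces | Where-Object { $_.Sid -eq $DcomUsersSid -and $_.FullAllow }
    $optional  = $set.Aces | Where-Object { $_.Principal -eq $OptionalGroup -and $_.FullAllow }
    '{0,-18} Distributed COM Users full Allow: {1}; {2} full Allow: {3}' -f `
        $set.Name, [bool]$dcomUsers, $OptionalGroup, [bool]$optional
}
```

A missing value means the machine has never had its limits edited and the operating system defaults apply, so the script warns instead of reporting a DACL for that limit.
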
WMI namespace security assignments
Use the following steps to set WMI namespace security so that the WMI collection
group has access to WMI objects:
1. Click Start, Run, type wmimgmt.msc, and click OK.
2. Right-click WMI Control (Local) and click Properties.
3. Click the Security tab.
4. Click Security at the bottom of the window. This action edits the security
settings for the Root WMI namespace.
5. Click Advanced to see the Advanced security settings for this WMI
namespace.
6. Add the WMI collection group to the list, and assign it at least the following Allow permissions:
   o Execute Methods
   o Enable Account
   o Remote Enable
   o Read Security
   NOTE: Make sure these permissions apply to this namespace and all the namespaces under it by selecting This namespace and subnamespaces in the drop-down box above the permissions list window.
7. Click OK to save the new permissions.
8. Click OK again to close the Advanced Security Settings, and then click OK a third time to exit the security properties.

You can now use the WMI collection user to collect events from WMI without having to use domain admin privileges.
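
The namespace permissions from steps 4 to 8, and the end result claimed in the last sentence, can both be verified from PowerShell. The following is an added example, not part of KB74126 or of McAfee's tooling. Part 1 reads the DACL of the Root namespace through the __SystemSecurity class and checks the collection group for the four permissions and for the inheritance flag that This namespace and subnamespaces sets; the WBEM access-mask bits and the CONTAINER_INHERIT flag value are assumptions stated in the comments. Part 2 connects to a server as the collection user, first against a class that needs nothing beyond the namespace rights above, then against the Security log, so a failure of the second query alone points at log access (the Windows Server 2012 footnote) rather than at the DCOM or namespace configuration. CONTOSO\WMI-Collection, CONTOSO\svc-wmi-collect and SERVER01 are placeholders.

```powershell
# Added example, not part of KB74126: checks the WMI namespace security set in
# steps 4-8 from a script, then exercises the collection account end to end.
# 'CONTOSO\WMI-Collection', 'CONTOSO\svc-wmi-collect' and 'SERVER01' are placeholders.

# Access-mask bits behind the check boxes in wmimgmt.msc, and the ACE flag that
# the "This namespace and subnamespaces" drop-down selection sets.
$WBEM_ENABLE           = 0x1       # Enable Account
$WBEM_METHOD_EXECUTE   = 0x2       # Execute Methods
$WBEM_REMOTE_ACCESS    = 0x20      # Remote Enable
$READ_CONTROL          = 0x20000   # Read Security
$CONTAINER_INHERIT_ACE = 0x2
$RequiredMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

function Test-WmiNamespaceAccess {
    param(
        [string]$Computer  = '.',
        [string]$Namespace = 'root',
        [Parameter(Mandatory = $true)][string]$Principal   # DOMAIN\group
    )
    # __SystemSecurity.GetSecurityDescriptor returns the namespace DACL as Win32_ACE objects.
    $out = Invoke-WmiMethod -ComputerName $Computer -Namespace $Namespace `
        -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($out.ReturnValue)" }
    $domain, $name = $Principal -split '\\', 2
    foreach ($ace in $out.Descriptor.DACL) {
        $t = $ace.Trustee
        if ($ace.AceType -eq 0 -and $t.Domain -eq $domain -and $t.Name -eq $name) {   # 0 = ACCESS_ALLOWED
            return New-Object PSObject -Property @{
                Namespace              = $Namespace
                Principal              = $Principal
                AccessMask             = ('0x{0:X}' -f $ace.AccessMask)
                HasRequiredRights      = (($ace.AccessMask -band $RequiredMask) -eq $RequiredMask)
                AppliesToSubnamespaces = (($ace.AceFlags -band $CONTAINER_INHERIT_ACE) -ne 0)
            }
        }
    }
    Write-Warning "$Principal has no Allow ACE on $Namespace of $Computer"
}

# Part 1: the group must pass both checks on root (steps 4-6 and the NOTE).
Test-WmiNamespaceAccess -Computer 'SERVER01' -Principal 'CONTOSO\WMI-Collection' |
    Format-List Namespace, Principal, AccessMask, HasRequiredRights, AppliesToSubnamespaces

# Part 2: act as the collection user. Get-Credential prompts; nothing is stored here.
$cred = Get-Credential -UserName 'CONTOSO\svc-wmi-collect' -Message 'WMI collection account'
# A class that needs only the namespace rights above: proves the DCOM and namespace setup.
Get-WmiObject -ComputerName 'SERVER01' -Credential $cred -Class Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime
# The collector's real workload: Security log records read through WMI.
Get-WmiObject -ComputerName 'SERVER01' -Credential $cred -Class Win32_NTLogEvent `
    -Filter "Logfile='Security'" |
    Select-Object -First 5 RecordNumber, TimeGenerated, EventCode, SourceName
```

Run part 2 from a machine other than the target, since -Credential cannot be used for a connection to the local computer. If the Win32_OperatingSystem query fails, revisit the DCOM limits and the namespace DACL; if only the Win32_NTLogEvent query fails, the namespace rights are fine and the limitation is on reading the Security log itself.
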
