Windows Server Monitoring and Principle of Least Privilege

Last updated on 26 October, 2023

Microsoft recommends Administrator group membership to ensure remote WMI functionality. However, you can run the remote WMI functionality without administrator privileges with some additional settings. This method works in most cases but not for all cases. Therefore, the assistance provided by your LogicMonitor support team may be limited and on a best-effort basis.

Note: The information in this article also applies to Active Directory Domain Controllers. Group membership adjustments for domain controllers are performed using ADUC (Active Directory Users and Computers) rather than “Local Users and Groups”.

When a Windows host is promoted to a Domain Controller, local users and groups are migrated to the BUILTIN groups within ADUC. For more details, see Active directory accounts

You can complete the following steps to run the services without administrator privileges.

  1. Create the new user, commonly an active directory service account or a Windows local user for each monitored host.
  2. Granting the user remote WMI rights.
  3. Granting the user remote DCOM rights, if applicable.
  4. Granting Windows Service Permissions.

Granting Remote WMI Rights

To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:

  1. In the Control Panel, double-click Administrative Tools.
  2. In the Administrative Tools window, double-click Computer Management.
  3. In the Computer Management window, expand the Services and Applications tree and double-click the WMI control.
  4. Right-click the WMI Control icon and select Properties, and then select the Security tab.
  5. Select the Root object, then click Security.
  6. Click Add to add the user that the service is to run as to the list.
  7. Check Execute Methods and Remote Enable.
  8. Click Advanced.
  9. Select the new user, and click Edit.
  10. Change the Apply To drop-down menu to This namespace and subnamespaces.
  11. Click OK three times to close the dialog boxes.

Granting Remote DCOM Rights

Note: As per Windows User Management best practices, it is recommended that you create a user group and grant DCOM rights to the group. If needed, you can add or remove users from the group.

If any of the following apply to the LogicMonitor Collector services, you may need to grant DCOM rights:

  • Collector service running as a non-domain account
  • Collector resides in a different domain that is untrusted by the monitored host
  • Collector connects to remote computers, not as a local administrator

To grant group DCOM rights, log on to each system to be monitored and complete the following procedure:

  1. Click Start, click Run, type DCOMCNFG, then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Launch and Activation Permissions, click Edit Limits.
  5. In the Launch Permission dialog box, complete the following steps if your name or your group does not appear in the Groups or group names list:

    a. Click Add.

    b. In the Select Users, Computers, or Groups dialog box, add the group name in the Enter the object names to select field and then click OK.
  6. In the Launch Permission dialog box, select your group in the Group or user names box.
  7. Navigate to Permissions for User > Allow, select Remote Launch and Remote Activation, and click OK.

For more information on Windows user/group management, see Best Practices for Securing Active Discovery.

Granting Windows Service Permissions

Even after employing the mentioned methods, you may be required to review and adjust Windows Service permissions.

You can use one of the following tools to adjust Windows service permissions granting read-only access to the account in which you are using to monitor the host.

Process Explorer



Manually Changing Permissions for Windows Services 

To change the permissions of Service Control Manager (SCManager) and the Win32_services, complete the following steps:

Note: The steps to change permissions for SCManager and Win32_services are the same.

1. To get the SID of the LogicMonitor user, run the following command in Powershell to retrieve the SID.

    [wmi] "win32_useraccount.domain='<domainName>',name='<userName>'"

2. To get the SDDL of a SCManager, run the following command in the cmd prompt.
sc sdshow scmanager

Sample of the retrieved SDDL:

3. Modify the retrieved SDDL.

Note: You can either create your own ACL’s or you can copy the segment from the SDDL which ends with Interactive Users (IU), i.e (A;;CCLCRPRC;;;IU). For more information on creating ACLs, see ACE Strings.

4. Once you retrieve the SDDL using the sc sdshow scmanager command, copy the segment that ends with IU in SDDL. For eg. (A;;CCLCRPRC;;;IU).

5. Replace IU with the SID of the LogicMonitor user.

Example: (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112).

6. After replacing SID, paste the new segment after the IU segment in the retrieved SDDL.

Following is the example of the new SDDL:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note: The earlier example allows various permissions to the LogicMonitor user. You can either restrict the user from having multiple permissions or grant minimal permissions. 

For example, the ACL (A;;RPRC;;;IU) allows the Read Permissions to read all the properties of a Windows Service. If you want to grant more permissions, refer to ACE Strings and add the strings between double semi colons(;;) and triple semi colons(;;;) of the ACL.

6. Set the new SDDL as the security descriptor of the SCManager.

sc sdset scmanager “D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note : To change the Win32_services, you can perform all the steps for changing permissions of SCManager. Ensure to replace scmanager with serviceName of your windows service.

The following command would display the security descriptor of the  App-Management service.

sc sdshow AppMgmt 

In This Article