Product Documentation

Windows Server Monitoring and Principle of Least Privilege

Last updated on 14 December, 2021

Microsoft recommends Administrator group membership to ensure remote WMI functionality. However, you can run the remote WMI functionality without administrator privileges with some additional settings. This method works in most cases but not for all cases. Therefore, the assistance provided by your LogicMonitor support team may be limited and on a best-effort basis.

Note: This information also applies to Active Directory Domain Controllers. Also, you can run the group membership adjustments for domain controllers via “Active Directory Users and Computers” rather than “Local Users and Groups”. When a Windows host is promoted to a Domain Controller local group memberships are migrated into the BUILTIN groups within ADUC.

You can complete the following steps to run the services without administrator privileges.

  1. Create the new user, commonly an active directory service account or a Windows local user for each monitored host.
  2. Granting the user remote WMI rights.
  3. Granting the user remote DCOM rights, if applicable.
  4. Granting Windows Service Permissions.

Granting Remote WMI Rights

To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:

  1. In the Control Panel, double-click Administrative Tools.
  2. In the Administrative Tools window, double-click Computer Management.
  3. In the Computer Management window, expand the Services and Applications tree and double-click the WMI control.
  4. Right-click the WMI Control icon and select Properties, and then select the Security tab.
  5. Select the Root object, then click Security.
  6. Click Add to add the user that the service is to run as to the list.
  7. Check Execute Methods and Remote Enable.
  8. Click Advanced.
  9. Select the new user, and click Edit.
  10. Change the Apply To drop-down menu to This namespace and subnamespaces.
  11. Click OK three times to close the dialog boxes.

Granting Remote DCOM Rights

If any of the following apply to the LogicMonitor Collector services, you may need to grant DCOM rights:

  • Collector service running as a non-domain account
  • Collector resides in a different domain that is untrusted by the monitored host
  • Collector connects to remote computers, not as a local administrator

To grant the user DCOM rights, log on to each system to be monitored and complete the following procedure:

  1. Click Start, click Run, type DCOMCNFG, then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Launch and Activation Permissions, click Edit Limits.
  5. In the Launch Permission dialog box, complete the following steps if your name or your group does not appear in the Groups or user names list:

    a. Click Add.

    b. In the Select Users, Computers, or Groups dialog box, add the account name in the Enter the object
    names to select field and then click OK.
  6. In the Launch Permission dialog box, select your user in the Group or user names box.
  7. Navigate to Permissions for User > Allow, select Remote Launch and Remote Activation, and click OK.

Granting DCOM remote access for certain users and groups

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If you are connecting computer A to computer B remotely. You can set permissions on computer B to allow a user group that is not a part of the Administrator’s group on computer B to connect to computer B.

  1. Click Start, click Run, type DCOMCNFG, then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, then right-click My
    Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Access Permissions, click Edit Limits.
  5. In the Access Permission dialog box, select ANONYMOUS LOGON in the Group or user names box.
  6. In the Allow column under Permissions for User, select Remote Access, and then click OK.

For more information, see Securing a Remote WMI Connection.

Granting Windows Service Permissions

Even after employing the mentioned methods, you may be required to review and adjust Windows Service permissions.

You can use one of the following tools to adjust Windows service permissions granting read-only access to the account in which you are using to monitor the host.

Process Explorer

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

subinacl.exe

https://social.technet.microsoft.com/wiki/contents/articles/51625.subinacl-a-complete-solution-to-configure-security-permission.aspx

sc.exe

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754599(v=ws.11)

Manually Changing Permissions for Windows Services 

To change the permissions of Service Control Manager (SCManager) and the Win32_services, complete the following steps:

Note: The steps to change permissions for SCManager and Win32_services are the same.

1. To get the SID of the LogicMonitor user, run the following command in Powershell to retrieve the SID.

    [wmi] "win32_useraccount.domain='<domainName>',name='<userName>'"

2. To get the SDDL of a SCManager, run the following command in the cmd prompt.
 
sc sdshow scmanager

Sample of the retrieved SDDL:
       
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

3. Modify the retrieved SDDL.

Note: You can either create your own ACL’s or you can copy the segment from the SDDL which ends with Interactive Users (IU), i.e (A;;CCLCRPRC;;;IU). For more information on creating ACLs, see ACE Strings.

4. Once you retrieve the SDDL using the sc sdshow scmanager command, copy the segment that ends with IU in SDDL. For eg. (A;;CCLCRPRC;;;IU).

5. Replace IU with the SID of the LogicMonitor user.

Example: (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112).

6. After replacing SID, paste the new segment after the IU segment in the retrieved SDDL.

Following is the example of the new SDDL:


D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note: The earlier example allows various permissions to the LogicMonitor user. You can either restrict the user from having multiple permissions or grant minimal permissions. 

For example, the ACL (A;;RPRC;;;IU) allows the Read Permissions to read all the properties of a Windows Service. If you want to grant more permissions, refer to ACE Strings and add the strings between double semi colons(;;) and triple semi colons(;;;) of the ACL.

6. Set the new SDDL as the security descriptor of the SCManager.

sc sdset scmanager “D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note : To change the Win32_services, you can perform all the steps for changing permissions of SCManager. Ensure to replace scmanager with serviceName of your windows service.


Example:
The following command would display the security descriptor of the  App-Management service.

sc sdshow AppMgmt 

In This Article