GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → zenoss → microsoft.tools

zenoss / microsoft.tools

Licence: other
Tools for working with Microsoft Software.

Programming Languages

powershell
5483 projects
python
139335 projects - #7 most used programming language
PLpgSQL
1095 projects

Table of Contents

Least Privileged User

This README documents what permissions are needed to monitor a Windows server by a non-administrative user. These changes are automated using the lpu/zenoss-lpu.ps1 powershell script. This script is known to work for Windows 2008 and 2012 member servers. To enable the LPU for a Domain Controller, one will need to run the script and also manually add the user to the Domain level security groups listed below.

Do not delete user without backing out changes made by the LPU script. See lpu/zenoss-backup-lpu.ps1 for an example of saving existing permissions.

Before running the LPU script, you should backup your settings.

The Least Privileged User requires the following privileges:

  • WMI namespace security(Enable, Method Execute, Read Security, Remote Access)
  • Winrm access
  • ReadPermissions, ReadKey, EnumerateSubKeys, QueryValues rights to several registry keys
  • Membership in local groups
  • “Read Folder” access to "C:\Windows\system32\inetsrv\config" if it exists
  • Service permissions

WMI namespace security(Enable, Method Execute, Read Security, Remote Access)

Added by invoking the SetSecurityDescriptor method

See http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx for information on using GetSD to backup the Security Descriptor for each namespace

Permission is set on the following namespaces:

  • "Root"
  • "Root/CIMv2"
  • "Root/DEFAULT"
  • "Root/RSOP"
  • "Root/RSOP/Computer"
  • "Root/WMI"
  • "Root/CIMv2/Security/MicrosoftTpm"
If IIS is installed, one of the following namespaces depending upon IIS version
  • "Root/Webadministration"
  • "Root/microsoftiisv2"

Winrm access

Access is given by through "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\rootSDDL"

To backup the sddl you could do something like the following: 

    $sddlkey = "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service"
    $rootsddlkey = get-itemproperty $sddlkey -Name “rootSDDL”

ReadPermissions, ReadKey, EnumerateSubKeys, QueryValues rights to specific registry keys

To backup registry security you could do something like the following for each registry key 

    $regacl = (get-item $regkey).getaccesscontrol("Access")
    $regsddl = $regacl.sddl

Zenoss needs access to the following registry keys:

  • "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",
  • "HKLM:\system\currentcontrolset\control\securepipeservers\winreg",
  • "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}",
  • "HKLM:\SYSTEM\CurrentControlSet\Services\Blfp\Parameters\Adapters",
  • "HKLM:\Software\Wow6432Node\Microsoft\Microsoft SQL Server",
  • "HKLM:\Software\Microsoft\Microsoft SQL Server"

Membership in the following groups

To remove users from a group, you could simply use a GPO.

The following groups are either local to a server or are at the domain level.

  • "Performance Monitor Users",
  • "Performance Log Users",
  • "Event Log Readers",
  • "Distributed COM Users",
  • "WinRMRemoteWMIUsers__"

“Read Folder” access to "C:\Windows\system32\inetsrv\config" if it exists

To backup the sddl 

    $folderfileacl = (get-item $folderfile).getaccesscontrol("Access")
    $sddl = $folderfileacl.sddl

Service permissions

To backup a service sddl you could do something like the following on each service: 

    $servicesddl = [string](CMD /C "sc sdshow `"$service`"")

We assign the following permissions:

  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_INTERROGATE
  • READ_CONTROL
  • SERVICE_START
Some services are owned by the SYSTEM account and the permissions cannot be altered by the administrator. In order to change the permissions on these services, you will need to run the zenoss-system-services.ps1 script as the SYSTEM user.

  • Use the PSExec sysinternals tool to open a cmd shell as the system account.
    psexec.exe -s cmd

  • You can then execute the powershell script to update the system owned service permissions.
    powershell -file "zenoss-system-services.ps1 -u [email protected]"

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].