By default, Windows allows only members of the Administrators or Domain Admin groups to read WMI class information. However, you can configure a regular user to access WMI information by performing the following steps on the server that needs to be monitored.
The following configurations must be performed in the user profiles of the target server that will be monitored in Applications Manager.
Follow the steps below to add the DCOM user group to the local user settings:
1. Go to Start → Run, type lusrmgr.msc and click on OK.
2. Go to the Users folder, right click a username to bring up the menu, and select Properties.
3. Go to the Member Of tab and click on Add.
4. In the 'Enter the object names to select' field, enter Distributed COM Users, click on Check Names, and select OK.
5. Repeat steps 3-4 for the Performance Monitor Users group and the Event Log Readers group.
Adding the user to the Distributed COM Users and Performance Monitor Users groups grants the basic permissions needed to access WMI data and read system performance counters; membership in these groups is what lets the account interact with the relevant system components and gather monitoring information.
7. Go to Start → Run, type in dcomcnfg and click OK.
8. Go to Component Services → Computers → My Computer. Right-click on My Computer to bring up the menu, and click on Properties.
9. Click on the COM Security tab and select Edit Limits under the 'Launch and Activation Permissions' section.
10. Click on Add.
11. In the 'Enter the object names to select' field, type in Distributed COM Users, click on Check Names, and select OK.
12. Click on Add.
13. Repeat steps 9-12 for the Performance Monitor Users group.
14. Select Allow for each of the required permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click on OK.
Set the WMI Control security settings to be applied to all namespaces
Finally, we have to set the WMI Control security settings to be applied to all namespaces.
15. Go to Start → Run, type wmimgmt.msc and click OK.
16. Right-click on 'WMI Control (Local)' to bring up the menu and click on Properties.
17. Go to the Security tab, select Root, and click on the Security button.
18. Click Add.
19. In the 'Enter the object names to select' field, type in Distributed COM Users, click on Check Names, and select OK.
20. Make sure the Distributed COM Users group has been selected and click on Advanced.
21. Highlight the row with Distributed COM Users in it and click on Edit.
22. In the Applies to drop-down list, select 'This namespace and subnamespaces'.
23. In the Allow column, check 'Execute Methods', 'Enable Account', 'Read Security', and 'Remote Enable' and click on OK.
24. Repeat steps 16-23 for the Performance Monitor Users group.
25. Click OK and close all the windows.
Set permissions to Service Control Manager Security for Windows Service Monitoring
Access to Windows services is controlled by the security descriptor of the Service Control Manager, which is restricted by default on a hardened OS. The following steps grant the user account remote access to the Service Control Manager so that the list of services on a server can be retrieved.
Retrieve the user SID of the User Account
- In the monitored device, open Command Prompt in Administrator mode.
- Run the following command to retrieve the User SID. Replace 'UserName' with the username of the user's account.
wmic useraccount where name="UserName" get name,sid
- Note down the SID. For example: S-1-0-10-200000-30000000000-4000000000-500.
Retrieve the current SDDL for the SC Manager
- Run the following command to save the current SDDL for the SC Manager in CurrentSDDL.txt.
sc sdshow scmanager > CurrentSDDL.txt
- Open CurrentSDDL.txt and copy its contents.
- The SDDL will look like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Update the SDDL
- Build a new ACE (access control entry) for the SID retrieved above:
(A;;CCLCRPWPRC;;;<SID of User>)
- Insert this ACE immediately before the 'S:' of the original SDDL, i.e. at the end of the DACL and before the SACL. The updated SDDL will look something like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Execute the following command with the updated SDDL:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
If some of the Windows services are not listed, permissions can be granted for individual services by following the steps below:
- For example, to grant access to the RPC Endpoint Mapper (service name: RpcEptMapper), run the following command to get its current SDDL:
sc sdshow RpcEptMapper > CurrentSDDL.txt
- Next, add the ACE to that SDDL as described in the previous section and apply it as follows:
sc sdset RpcEptMapper <SDDL formed in above step>
- Once done, check that the required Windows service is now listed in Applications Manager.
Completing these steps will grant the user the following permissions:
- CC - Get the service's current configuration
- LC - Get the service's current status
- RP - Read the properties/Start the service
- WP - Write the properties/Stop the service
- RC - Read the security descriptor
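The SDDL edit above, whether for the SC Manager or for an individual service such as RpcEptMapper, is easy to get wrong by hand: the ACE must land at the end of the DACL, immediately before 'S:', and applying the same change twice should not produce duplicate entries. The Python helper below is an added example written for this page; it is not part of the page or of Applications Manager. It takes the string printed by 'sc sdshow', validates the SID, inserts the allow ACE before the SACL and decodes the rights letters with the meanings listed above. The sample SDDL and SID are the placeholder values from this page. The READ_ONLY_RIGHTS constant (CC, LC and RC only) is an assumption, not something the page specifies: it is what an account needs to list services and their status without the RP (start) and WP (stop) rights.

```python
import re

# Rights the page grants the monitoring account on the SC Manager and, where needed,
# on individual services: CC = query configuration, LC = query status, RP = start,
# WP = stop, RC = read the security descriptor.
MONITOR_RIGHTS = "CCLCRPWPRC"
# Assumption (not from the page): an account that only lists services needs no
# start/stop rights, so RP and WP can be left out.
READ_ONLY_RIGHTS = "CCLCRC"

RIGHT_DESCRIPTIONS = {
    "CC": "query the service configuration",
    "LC": "query the service status",
    "RP": "start the service",
    "WP": "stop the service",
    "RC": "read the security descriptor",
}

# Shape of a SID as printed by 'wmic useraccount ... get sid'.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Placeholder values copied from this page (not a real account).
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
               "(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
SAMPLE_SID = "S-1-0-10-200000-30000000000-4000000000-500"


def split_sddl(sddl):
    """Split 'O:...G:...D:...S:...' into a dict keyed by component letter.

    ACEs never contain ':', so a component letter followed by ':' always
    starts a new component.
    """
    parts = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    return parts


def parse_acl(acl):
    """Return (flags, aces) for an ACL value such as 'PAI(A;;CC;;;AU)(A;;KA;;;BA)'."""
    first = acl.find("(")
    flags = acl if first < 0 else acl[:first]
    return flags, re.findall(r"\([^()]*\)", acl)


def grant_service_access(sddl, sid, rights=MONITOR_RIGHTS):
    """Return the SDDL with an allow ACE for sid appended to the DACL.

    This is the manual step from the page: the ACE goes at the end of the DACL,
    immediately before the 'S:' that begins the SACL. Any earlier allow ACE for
    the same SID is replaced, so applying the result twice changes nothing.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = split_sddl(sddl)
    if "D" not in parts:
        raise ValueError("SDDL has no DACL (D:) component")
    flags, aces = parse_acl(parts["D"])
    suffix = f";;;{sid})"
    aces = [a for a in aces if not (a.startswith("(A;;") and a.endswith(suffix))]
    aces.append(f"(A;;{rights};;;{sid})")
    parts["D"] = flags + "".join(aces)
    # Emit components in canonical order; the SACL, if present, stays last.
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)


def describe_rights(rights):
    """Expand a rights string such as 'CCLCRPWPRC' using the meanings listed on the page."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [RIGHT_DESCRIPTIONS.get(c, f"unrecognised right {c}") for c in codes]


def sdset_command(service, sddl):
    """The command to run once the SDDL is updated, e.g. for 'scmanager' or 'RpcEptMapper'."""
    return f"sc sdset {service} {sddl}"


if __name__ == "__main__":
    updated = grant_service_access(SAMPLE_SDDL, SAMPLE_SID)
    print(sdset_command("scmanager", updated))
    for line in describe_rights(MONITOR_RIGHTS):
        print(" -", line)
```

Paste the returned string into 'sc sdset scmanager <sddl>' (or 'sc sdset <ServiceName> <sddl>' for an individual service). Because the helper removes any earlier allow ACE for the same SID before appending the new one, re-running it against the output of 'sc sdshow' is safe, and passing READ_ONLY_RIGHTS instead of the default is the least-privilege choice when the monitoring account only needs to list services and their status.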
This solution has been tested with the following:
- Windows Server 2003 R2 Service Pack 2
- Windows Server 2008 R2 Datacenter
- Windows Server 2012 R2 Standard
- Windows Server 2016 Standard
- Windows Server 2019
- Windows Server 2022