How to use a non-Admin account for WMI
Technical Articles ID:   KB74126
Last Modified:  11/5/2018

Environment

McAfee SIEM Event Receiver (Receiver) 11.x.x, 10.x.x, 9.6.x

Microsoft Windows Server 2012
Microsoft Windows Server 2008
Microsoft Windows Server 2003

Summary

The following procedures describe how to configure a non-Admin account for WMI event collection by the Receiver.

NOTE: Security Log collection on Windows Server 2012 requires at least local administrator rights.

Group membership, security policy assignments, and permissions
  1. Create a domain user account that is used in your environment for log collection.
  2. Create a domain group that will receive the rights that the WMI collection user needs.

    NOTE: Always assign permissions to a domain group, instead of directly to a user.
           
  3. Put the WMI collection user into this newly created group.
  4. Put the newly created WMI collection group into the following built-in groups:
  • Event Log Readers
  • Distributed COM Users

    NOTE: The copies of these groups in the domain's Builtin container take effect on domain controllers only. On each member server that the Receiver collects from, add the WMI collection group to the server's local Event Log Readers and Distributed COM Users groups.

  5. Run one of the following three Microsoft Management Console (MMC) snap-ins:
  • The Local Security Policy snap-in (secpol.msc) for member servers.
  • The Default Domain Security Policy snap-in (dompol.msc), if you want to configure these settings domain-wide as a GPO.
  • The Default Domain Controller Security Settings snap-in (dcpol.msc), if you want to assign the rights only on domain controllers.
  6. When the snap-in has started, expand Security Settings, Local Policies, User Rights Assignment.
  7. Assign your new group at least the following rights:
  • Act as part of the operating system.
  • Log on as a batch job.
  • Log on as a service.
  • Replace a process level token.

    NOTE: Act as part of the operating system and Replace a process level token are highly privileged rights; an account that holds them can obtain and use access tokens of other accounts. Keep the membership of the WMI collection group limited to the collection account, protect that account's password accordingly, and audit changes to the group.

  8. Close the Policy Settings utility.
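
The same procedure scripted in PowerShell, as an added example that is not part of this article. Part A creates the domain objects (steps 1 to 4) from a host with the RSAT ActiveDirectory module; Part B runs elevated on each member server and adds the group to the server's local built-in groups, then assigns the four user rights (steps 5 to 8) through secedit, because Windows has no cmdlet for User Rights Assignment. CONTOSO, svc-wmicollect and WMI-Collectors are placeholder names.

```powershell
# Added example (not from KB74126). Placeholders: CONTOSO, svc-wmicollect, WMI-Collectors.
$Domain    = 'CONTOSO'
$UserName  = 'svc-wmicollect'
$GroupName = 'WMI-Collectors'

# ----- Part A: domain side (needs the RSAT ActiveDirectory module) -----
Import-Module ActiveDirectory
$pw = Read-Host -AsSecureString "Password for $Domain\$UserName"
New-ADUser -Name $UserName -SamAccountName $UserName -AccountPassword $pw `
           -Enabled $true -Description 'McAfee SIEM WMI log collection'
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $UserName
# Builtin groups in the domain: effective on domain controllers only.
Add-ADGroupMember -Identity 'Event Log Readers'     -Members $GroupName
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $GroupName

# ----- Part B: run elevated on each member server the Receiver collects from -----
# The server's local copies of the built-in groups govern access to this server.
foreach ($g in 'Event Log Readers', 'Distributed COM Users') {
    net localgroup "$g" "$Domain\$GroupName" /add | Out-Null
}

# User Rights Assignment: export the current policy, append the group's SID to each
# privilege line (secedit /configure replaces the whole list, so never write only
# the new SID), and import the result.
$sid = (New-Object System.Security.Principal.NTAccount("$Domain\$GroupName")).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$rights = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
$cfg = Join-Path $env:TEMP 'wmi-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content -Path $cfg)
foreach ($priv in $rights.Keys) {
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^$priv\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Privilege already assigned to someone: append our SID if missing.
        if ($lines[$idx] -notlike "*$sid*") { $lines[$idx] += ",*$sid" }
    } else {
        # Privilege assigned to nobody (typical for SeTcbPrivilege): add a line
        # directly under the [Privilege Rights] section header.
        $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
        if ($hdr -lt 0) { $lines += '[Privilege Rights]'; $hdr = $lines.Count - 1 }
        $tail = if ($hdr + 1 -lt $lines.Count) { $lines[($hdr + 1)..($lines.Count - 1)] } else { @() }
        $lines = $lines[0..$hdr] + "$priv = *$sid" + $tail
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit templates are UTF-16
secedit /configure /db (Join-Path $env:TEMP 'wmi-rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify: re-export and show the four privilege lines, which must now contain *$sid.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $rights.ContainsKey(($_ -split '=')[0].Trim()) }
Remove-Item -Path $cfg
```

If a domain GPO also defines any of these four rights, the GPO wins over the local assignment on the next policy refresh, so put the SID into the GPO (the dompol.msc path above) rather than into the local policy on such servers. Because SeTcbPrivilege and SeAssignPrimaryTokenPrivilege let a process impersonate or create tokens for any account, treat the collection group as a Tier 0 principal: one member, a long random password, and change auditing on the group.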


Distributed Component Object Model (DCOM) rights assignments

Use the following steps to configure DCOM security for the WMI collection group:

  1. Click Start, Administrative Tools, Component Services.
  2. Expand Console Root, Computers, My Computer.
  3. Right-click My Computer and select Properties.
  4. In the window that appears, click the COM Security tab.
  5. Under Access Permissions, click Edit Limits.
  6. Confirm that the Distributed COM Users group has all items selected under Allow.
  7. (Optional) Add the WMI collection group to this list and ensure that they have full Allow access.
     
    NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
     
  8. When you have reviewed the presence of Distributed COM Users or added the WMI collection group, click OK to save your changes and return to the COM Security tab.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. In the list of groups and permissions, confirm that the Distributed COM Users group has all items selected under Allow.
  11. (Optional) Add the WMI collection group and assign full Allow access. 
     
    NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
           
  12. Click OK and save your changes.
  13. Close the Component Services utility.
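
A read-only check of the result of steps 5 to 11, as an added example that is not part of this article. Windows stores the machine-wide DCOM limits as binary security descriptors in the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Microsoft\Ole; the script decodes them and reports whether Distributed COM Users (well-known SID S-1-5-32-562) holds every Allow bit the article asks for. CONTOSO\WMI-Collectors is a placeholder for the optional step 7/11 check.

```powershell
# Added example (not from KB74126). Run on the target server; it changes nothing.
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$DcomUsersSid = 'S-1-5-32-562'      # BUILTIN\Distributed COM Users

# COM access-mask bits as defined in objbase.h and shown in Component Services.
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02   # "Local Access"  / "Local Launch"
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04   # "Remote Access" / "Remote Launch"
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08   # "Local Activation"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # "Remote Activation"

function Get-DcomLimitAces {
    # One object per ACE in the named limit; $null when the registry value is absent.
    param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')][string]$Name)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Sid  = $ace.SecurityIdentifier.Value
            Type = $ace.AceType.ToString()     # AccessAllowed / AccessDenied
            Mask = [int]$ace.AccessMask
        }
    }
}

function Test-DcomLimit {
    # Reports whether $Sid has Allow ACEs covering every bit in $RequiredMask.
    param([string]$Name, [string]$Sid, [int]$RequiredMask)
    $aces = Get-DcomLimitAces -Name $Name
    if ($null -eq $aces) {
        return "$Name : value not set, OS default limits apply; review in Component Services"
    }
    $allowMask = 0
    foreach ($a in $aces) {
        if ($a.Sid -eq $Sid -and $a.Type -eq 'AccessAllowed') { $allowMask = $allowMask -bor $a.Mask }
    }
    $missing = $RequiredMask -band (-bnot $allowMask)
    if ($missing -eq 0) { "$Name : OK, $Sid has full Allow (mask 0x{0:X})" -f $allowMask }
    else                { "$Name : INCOMPLETE, $Sid lacks bits 0x{0:X}" -f $missing }
}

# "All items selected under Allow": Local + Remote Access for the access limits,
# Local/Remote Launch and Local/Remote Activation for the launch limits.
$accessFull = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE
$launchFull = $accessFull -bor $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE

Test-DcomLimit -Name MachineAccessRestriction -Sid $DcomUsersSid -RequiredMask $accessFull   # steps 5-6
Test-DcomLimit -Name MachineLaunchRestriction -Sid $DcomUsersSid -RequiredMask $launchFull   # steps 9-10

# Optional steps 7 and 11: the collection group itself (placeholder name).
$groupSid = (New-Object System.Security.Principal.NTAccount('CONTOSO\WMI-Collectors')).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
Test-DcomLimit -Name MachineAccessRestriction -Sid $groupSid -RequiredMask $accessFull
Test-DcomLimit -Name MachineLaunchRestriction -Sid $groupSid -RequiredMask $launchFull
```

Two caveats when reading the output: the check ignores Deny ACEs, so a Deny entry for a group the collection account belongs to would still block it; and if a GPO sets "DCOM: Machine Access/Launch Restrictions in SDDL syntax", the policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM take precedence over the Ole key that this script reads.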

WMI namespace security assignments

Use the following steps to set WMI namespace security so that the WMI collection group has access to WMI objects:

  1. Click Start, Run, type wmimgmt.msc, and click OK.
  2. Right-click WMI Control (Local) and click Properties.
  3. Click the Security tab.
  4. Select Root in the namespace tree and click Security at the bottom of the window. This action edits the security settings for the Root WMI namespace.
  5. Click Advanced to open the Advanced Security Settings for this WMI namespace.
  6. Add the WMI collection group to the list, and assign it at least the following Allow permissions:
     
    • Execute Methods
    • Enable Account
    • Remote Enable
    • Read Security
       
    NOTE: Make sure that these permissions apply to this namespace and all namespaces under it, by selecting This namespace and subnamespaces in the Apply to drop-down box above the permissions list.
     
  7. Click OK and save the new permissions.
  8. Click OK again and close the Advanced Security Settings.
  9. Click OK a third time and exit the Security Properties.
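
The namespace grant scripted, plus a check from the Receiver's point of view, as an added example that is not part of this article. It reads the Root namespace's security descriptor through the __SystemSecurity singleton, adds one Allow ACE for the collection group with the four required rights and the CONTAINER_INHERIT flag (which is what "This namespace and subnamespaces" sets), writes it back, and then runs a DCOM-based WMI query as the collection user. CONTOSO\WMI-Collectors, CONTOSO\svc-wmicollect and SERVER01 are placeholders; run the grant elevated on the target server.

```powershell
# Added example (not from KB74126). Placeholders: CONTOSO\WMI-Collectors,
# CONTOSO\svc-wmicollect, SERVER01.
$Group     = 'CONTOSO\WMI-Collectors'
$Namespace = 'root'

# WMI namespace permission bits for the four rights the article requires.
$WBEM_ENABLE             = 0x00001   # Enable Account
$WBEM_METHOD_EXECUTE     = 0x00002   # Execute Methods
$WBEM_REMOTE_ACCESS      = 0x00020   # Remote Enable
$READ_CONTROL            = 0x20000   # Read Security
$CONTAINER_INHERIT_ACE   = 0x2       # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0

$mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL
$sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# Read the namespace's current security descriptor.
$get = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
$sd = $get.Descriptor

# Idempotent: add the ACE only if no Allow ACE for this SID already carries all four bits.
$existing = @($sd.DACL | Where-Object {
    $_.Trustee.SIDString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
    (($_.AccessMask -band $mask) -eq $mask) })
if ($existing.Count -eq 0) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
               -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }
    "Granted 0x{0:X} with inheritance on $Namespace to $Group" -f $mask
} else {
    "$Group already has the required rights on $Namespace"
}

# Check as the collection user over DCOM (Get-WmiObject uses DCOM like the Receiver;
# Get-CimInstance would default to WinRM and test a different path). Run from another host.
$cred = Get-Credential -UserName 'CONTOSO\svc-wmicollect' -Message 'WMI collection account'
Get-WmiObject -ComputerName 'SERVER01' -Credential $cred -Namespace 'root\cimv2' `
    -Class Win32_NTLogEvent -Filter "Logfile='System'" |
    Select-Object -First 3 TimeGenerated, EventCode, SourceName
```

A successful query returns three System log records; "Access denied" at this point means the DCOM limits or the namespace ACE are wrong, whereas a connection that succeeds but returns nothing for Logfile='Security' on Windows Server 2012 is the limitation stated in the NOTE in the Summary, not a configuration error.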

You can now use the WMI collection user to collect events from WMI without granting it Domain Admin or local Administrator rights, subject to the Windows Server 2012 Security Log exception noted in the Summary.
