The following procedures describe how to use a non-Admin account for WMI.
Group membership, security policy assignments, and permissions
- Create a domain user account that is used in your environment for log collection.
- Create a domain group that receives the rights that the WMI collection user needs.
NOTE: Always assign permissions to a domain group, instead of directly to a user.
- Put the WMI collection user into this newly created group.
- Put the newly created WMI collection group into the following domain groups:
  - Event Log Readers
  - Distributed COM Users
- Run one of the following three Microsoft Management Console (MMC) snap-ins:
  - The Local Security Policy snap-in (secpol.msc) for member servers.
  - The Default Domain Security Policy snap-in (dompol.msc), if you want to configure these settings domain-wide as a GPO.
  - The Default Domain Controller Security Settings snap-in (dcpol.msc), if you want to assign the rights only on domain controllers.
- When the snap-in has started, expand Security Settings, Local Policies, User Rights Assignment.
- Assign your new group at least the following rights:
  - Act as part of the operating system.
  - Log on as a batch job.
  - Log on as a service.
  - Replace a process level token.
  - On Windows Server 2012 or later: Manage auditing and security log.
- Close the Policy Settings utility.
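The account, group and user-rights steps above can be scripted. The following is an added example, not code from the original page: it creates the placeholder user and group with the RSAT ActiveDirectory module, nests the group into the two built-in groups, and assigns the five listed rights on the local machine (the secpol.msc case; for domain-wide assignment use a GPO). The account and group names are placeholders. Note that secedit replaces the whole member list of a privilege, so the script merges the group's SID into the existing assignments rather than overwriting them; also keep in mind that Act as part of the operating system (SeTcbPrivilege) is one of the most sensitive rights on Windows, so keep membership of this group minimal.

```powershell
# Added example (not part of the original page). Assumes the ActiveDirectory
# module is installed and the script runs as a domain/local administrator.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$UserName  = 'svc-wmi-collect'        # placeholder service account name
$GroupName = 'WMI Collection Users'   # placeholder group that receives the rights
$Password  = Read-Host -AsSecureString -Prompt "Password for $UserName"

# 1. Collection user and the group that actually carries the permissions
New-ADUser -Name $UserName -SamAccountName $UserName -AccountPassword $Password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 2. Nest the collection group into the built-in groups named in the procedure
Add-ADGroupMember -Identity 'Event Log Readers'     -Members $GroupName
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $GroupName

# 3. User rights on this machine. Constant names map to the dialog labels above.
$sid    = (Get-ADGroup $GroupName).SID.Value
$rights = @(
    'SeTcbPrivilege',                 # Act as part of the operating system
    'SeBatchLogonRight',              # Log on as a batch job
    'SeServiceLogonRight',            # Log on as a service
    'SeAssignPrimaryTokenPrivilege',  # Replace a process level token
    'SeSecurityPrivilege'             # Manage auditing and security log (2012+)
)

$export = Join-Path $env:TEMP 'rights-export.inf'
$apply  = Join-Path $env:TEMP 'rights-apply.inf'
$db     = Join-Path $env:TEMP 'rights-apply.sdb'
Remove-Item $export, $apply, $db -ErrorAction SilentlyContinue

# Export what is currently assigned so nothing is dropped when we re-apply.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$current = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $current[$matches[1]] = $matches[2] }
}

# Merge "*<SID>" (secedit's SID syntax) into each right's existing member list.
$body = foreach ($r in $rights) {
    $members = @($current[$r] -split ',' | Where-Object { $_ })
    if ($members -notcontains "*$sid") { $members += "*$sid" }
    "$r = $($members -join ',')"
}
@('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
  '[Privilege Rights]') + $body | Set-Content $apply -Encoding Unicode

secedit /configure /db $db /cfg $apply /areas USER_RIGHTS | Out-Null
Remove-Item $export, $apply, $db -ErrorAction SilentlyContinue
"Assigned $($rights.Count) rights to $GroupName ($sid) on $env:COMPUTERNAME"
```

Run it once per member server that needs the local assignment; re-running is safe because the merge step skips SIDs that are already present.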
Distributed Component Object Model (DCOM) rights assignments
Use the following steps to configure DCOM security for the WMI collection group:
- Click Start, Administrative Tools, Component Services.
- Expand Console Root, Computers, My Computer.
- Right-click My Computer and select Properties.
- In the window that appears, click the COM Security tab.
- Under Access Permissions, click Edit Limits.
- Confirm that the Distributed COM Users group has all items selected under Allow.
- (Optional) Add the WMI collection group to this list and ensure that they have full Allow access.
NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
- When you have reviewed the presence of Distributed COM Users or added the WMI collection group, click OK to save your changes and return to the COM Security tab.
- Under Launch and Activation Permissions, click Edit Limits.
- In the list of groups and permissions, confirm that the Distributed COM Users group has all items selected under Allow.
- (Optional) Add the WMI collection group and assign full Allow access.
NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
- Click OK and save your changes.
- Close the Component Services utility.
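The Edit Limits dialogs above write their ACLs to two REG_BINARY values under HKLM\SOFTWARE\Microsoft\Ole. The following added check, not code from the original page, decodes those values and reports whether Distributed COM Users (well-known SID S-1-5-32-562) and, optionally, the collection group hold an Allow entry. It is read-only and is useful for confirming the DCOM step on many hosts without opening Component Services on each. The group SID variable is a placeholder to fill in.

```powershell
# Added example (not part of the original page). Reads the machine-wide DCOM
# "Edit Limits" security descriptors and checks for the expected Allow ACEs.
$ole       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$dcomUsers = 'S-1-5-32-562'   # BUILTIN\Distributed COM Users
$groupSid  = $null            # placeholder: set to the collection group SID to check it too

function Get-DcomLimit([string]$Name) {
    # A missing value means no explicit limit is stored and the OS defaults apply.
    $bytes = (Get-ItemProperty -Path $ole -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { return $null }
    New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList (,$bytes), 0
}

# Full Allow in the dialog corresponds to mask 0x7 for Access Permissions
# (execute, local, remote) and 0x1F for Launch and Activation Permissions.
$expected = @{ MachineAccessRestriction = 0x7; MachineLaunchRestriction = 0x1F }

foreach ($name in $expected.Keys) {
    $sd = Get-DcomLimit $name
    if (-not $sd) { "$name : not set (OS defaults apply)"; continue }
    "$name : $($sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All))"
    foreach ($sid in @($dcomUsers, $groupSid) | Where-Object { $_ }) {
        $ace = $sd.DiscretionaryAcl | Where-Object {
            $_.SecurityIdentifier.Value -eq $sid -and $_.AceType -eq 'AccessAllowed'
        } | Select-Object -First 1
        if (-not $ace) { "  MISSING Allow ACE for $sid"; continue }
        $full = (($ace.AccessMask -band $expected[$name]) -eq $expected[$name])
        "  Allow for $sid : mask 0x{0:X} (full: {1})" -f $ace.AccessMask, $full
    }
}
```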
WMI namespace security assignments
Use the following steps to set WMI namespace security so that the WMI collection group has access to WMI objects:
- Click Start, Run, type wmimgmt.msc, and click OK.
- Right-click WMI Control (Local) and click Properties.
- Click the Security tab.
- Click Security at the bottom of the window. This action edits the security settings for the Root WMI namespace.
- Click Advanced and change the Advanced security settings for this WMI namespace.
- Add the WMI collection group to the list, and assign it at least the following Allow permissions:
  - Execute Methods
  - Enable Account
  - Remote Enable
  - Read Security
NOTE: Make sure that these permissions apply to this namespace and all namespaces under it. Select This namespace and subnamespaces in the drop-down box above the permissions list window.
- Click OK and save the new permissions.
- Click OK again and close the Advanced Security Settings.
- Click OK a third time and exit the Security Properties.
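The wmimgmt.msc steps above drive the __SystemSecurity class of the namespace, which can be called directly. The following added example, not code from the original page, grants the collection group exactly the four permissions listed (Enable Account, Execute Methods, Remote Enable, Read Security) on root with the inheritance flag that corresponds to "This namespace and subnamespaces", then reads the descriptor back to verify. It is written for Windows PowerShell 5.1 (Invoke-WmiMethod); the domain and group names are placeholders.

```powershell
# Added example (not part of the original page). Sets WMI namespace security
# for the collection group on root and all sub-namespaces.
#Requires -RunAsAdministrator
$Domain    = $env:USERDOMAIN
$Group     = 'WMI Collection Users'   # placeholder group name
$Namespace = 'root'

# WMI namespace permission bits (WMI security constants)
$WBEM_ENABLE         = 0x1       # Enable Account
$WBEM_METHOD_EXECUTE = 0x2       # Execute Methods
$WBEM_REMOTE_ACCESS  = 0x20      # Remote Enable
$READ_CONTROL        = 0x20000   # Read Security
$mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL
$CONTAINER_INHERIT_ACE = 0x2     # "This namespace and subnamespaces"

$sid = ([System.Security.Principal.NTAccount]"$Domain\$Group").Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$path = '__systemsecurity=@'
$out = Invoke-WmiMethod -Namespace $Namespace -Path $path -Name GetSecurityDescriptor
if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($out.ReturnValue)" }
$acl = $out.Descriptor

# Build the trustee and the allow ACE as Win32_Trustee / Win32_Ace instances.
$trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
$trustee.Domain = $Domain; $trustee.Name = $Group; $trustee.SidString = $sid

$ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
$ace.AccessMask = $mask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = 0                      # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee.psobject.immediateBaseObject

# Replace any existing ACE for this group so re-runs do not accumulate entries.
[System.Management.ManagementBaseObject[]]$newDacl = @()
foreach ($existing in $acl.DACL) {
    if ($existing.Trustee.SidString -ne $sid) { $newDacl += $existing.psobject.immediateBaseObject }
}
$newDacl += $ace.psobject.immediateBaseObject
$acl.DACL = $newDacl.psobject.immediateBaseObject

$out = Invoke-WmiMethod -Namespace $Namespace -Path $path -Name SetSecurityDescriptor `
           -ArgumentList $acl.psobject.immediateBaseObject
if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($out.ReturnValue)" }

# Verify by reading the descriptor back and printing the ACE for the group.
$check = (Invoke-WmiMethod -Namespace $Namespace -Path $path -Name GetSecurityDescriptor).Descriptor
$check.DACL | Where-Object { $_.Trustee.SidString -eq $sid } | ForEach-Object {
    "{0}\{1}: mask 0x{2:X} flags 0x{3:X}" -f $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask, $_.AceFlags
}
```

The expected verification line shows mask 0x20023 and flags 0x2; a mask with additional bits such as 0x4 (Full Write) or 0x40000 (Edit Security) means more was granted than the procedure calls for.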
For Windows Server 2012 or later, add permission to read the security log:
- Open command prompt with Administrator access.
- To get the SID for the group you are using for SIEM permissions, run the command: wmic group where name="yourgroup" get sid
- To get the current channelAccess value for permissions to your Security log, run the command: wevtutil gl security
- Using both the values above, run the command: wevtutil sl security /ca:[channelAccess value](A;;0x7;;;[SID])
- Verify that the channelAccess value now contains the new entry by running the command: wevtutil gl security
- Apply the changes by running the command: gpupdate /force
- Open regedit and navigate to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security to give your group read permissions to this key and all subkeys.
Example:
C:\Windows\system32>wmic group where name="siem log reader" get sid
SID
S-1-5-21-2714243513-2981656821-964208712-1125

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1

C:\Windows\system32>wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x7;;;S-1-5-21-2714243513-2981656821-964208712-1125)

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x7;;;S-1-5-21-2714243513-2981656821-964208712-1125)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1
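The same Security-log steps, as an added PowerShell example that is not part of the original page: it resolves the group SID (the equivalent of the wmic command), parses the current channelAccess value from wevtutil, validates the combined SDDL before applying it, appends the Allow ACE only if the SID is not already present, re-reads the channel to confirm, and grants read access on the Eventlog\Security registry key. The group name is a placeholder. One design point: the channel access bits are 0x1 read, 0x2 write and 0x4 clear; the walkthrough above grants 0x7, while a collector that only reads the log needs 0x1, which is what the script defaults to.

```powershell
# Added example (not part of the original page). Scripts the Security-log
# channel ACL and registry permission steps for the collection group.
#Requires -RunAsAdministrator
$Group      = 'EXAMPLE\siem log reader'   # placeholder, as in the walkthrough
$AccessMask = 0x1                        # 0x1 read; the walkthrough uses 0x7 (read+write+clear)

$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-ChannelAccess([string]$Channel) {
    # Parse the "channelAccess:" line out of 'wevtutil gl <channel>' output.
    $value = $null
    foreach ($line in (wevtutil gl $Channel)) {
        if ($line -match '^channelAccess:\s*(\S+)') { $value = $matches[1] }
    }
    if (-not $value) { throw "no channelAccess value found for channel '$Channel'" }
    $value
}

$sddl = Get-ChannelAccess 'Security'
if ($sddl -match [regex]::Escape($sid)) {
    "Security: an ACE for $sid is already present, leaving channelAccess unchanged"
} else {
    $new = $sddl + ('(A;;0x{0:x};;;{1})' -f $AccessMask, $sid)
    # Reject a malformed string before handing it to wevtutil.
    [void](New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new)
    wevtutil sl Security "/ca:$new"
    $after = Get-ChannelAccess 'Security'
    if ($after -notmatch [regex]::Escape($sid)) { throw 'channelAccess was not updated' }
    "Security: $after"
}

# Read access on the Security event log service key and all subkeys
# (the regedit step above), expressed as an inheritable ReadKey rule.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$sid,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

gpupdate /force | Out-Null   # as in the steps above
```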
You can now use the WMI collection user to collect events from WMI without having to use domain admin rights.
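A quick end-to-end check of the finished configuration, as an added example that is not part of the original page: run from another machine, it does what a WMI collector does, a DCOM-transport CIM query for Security events, under the non-admin collection account, so that a failure in any of the four sections above shows up before the collector is pointed at the host. The target name and account are placeholders.

```powershell
# Added example (not part of the original page). Verifies remote Security-log
# access over DCOM/WMI using the collection account rather than an admin.
$Target = 'server01.example.test'                      # placeholder host
$Cred   = Get-Credential -Message 'WMI collection account' -UserName 'EXAMPLE\svc-wmi-collect'

$opt = New-CimSessionOption -Protocol Dcom             # the transport WMI collectors use
$session = $null
try {
    $session = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $opt -ErrorAction Stop
    $event = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                 -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 1
    if ($event) {
        'OK: read Security event {0} generated {1} from {2}' -f $event.EventCode, $event.TimeGenerated, $Target
    } else {
        'Connected, but no Security events were returned: check the channelAccess ACE and registry key'
    }
} catch {
    # "Access denied" during session setup points at DCOM limits or user rights;
    # "Access denied" on the query points at WMI namespace security.
    "FAILED: $($_.Exception.Message)"
} finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```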