{"id":536,"date":"2019-02-21T19:31:51","date_gmt":"2019-02-22T01:31:51","guid":{"rendered":"http:\/\/zewwy.ca\/?p=536"},"modified":"2019-02-21T19:31:51","modified_gmt":"2019-02-22T01:31:51","slug":"wmi-and-the-wbemtest","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2019\/02\/21\/wmi-and-the-wbemtest\/","title":{"rendered":"WMI and the WBEMTEST"},"content":{"rendered":"

<\/span>WMI and the WBEMTEST<\/strong><\/span><\/h1>\n

I’ll try and keep this post short, as I have many things to catch up on, and this just happened to be one of those things I haven’t done in a while and had to do today for some newer servers that have been configured.<\/p>\n

Now since I hadn’t blogged about this myself I went out to the interests to give me a good reminder on how to accomplish this. My first hit was, Sysops<\/a>… and I usually really like this site…. well till i read this…<\/p>\n

“Access denied should be self-explanatory. The credentials you use must have administrator rights.”<\/p>\n

Ughhhhh I’m sorry what did you just say? No I don’t think so, WMI maybe, by default, restricted, but it doesn’t require such drastic permissions to utilize.<\/p>\n

My second find was a lot nicer<\/a>, in particular telling you how to manage those permissions, without ahem need administrator access lol.<\/p>\n

So lets follow along shall we! so much for short..<\/p>\n

First order of busy-nas is creating a user:<\/p>\n

\"\"<\/a><\/p>\n

Of course WMI being Windows Management Interface, means I’m making obviously a windows domain user. Nothing special, especially no admin.. \ud83d\ude1b<\/p>\n

\"\"<\/a><\/p>\n

Again, nothing special here. Alright now I need two servers, well I guess in this case the server being monitored is sort of like a client… ugh anyway…<\/p>\n

I guess fo r now I’ll just login to my exchange server and wmi query another server to test out first off… mhmm all I have besides that are core servers, oh boy ok… I think I’m going to need to spin up a new testing server one second…<\/p>\n

\"\"<\/a><\/p>\n

OK all basic settings…<\/p>\n

remove floppy boot into EUFI:<\/p>\n

\"\"<\/a><\/p>\n

Boot system… attach disc from local host…<\/p>\n

\"\"<\/a><\/p>\n

lets find us some windows erver 2016…. bug CD-ROM stuck “connecting”…
\nClose vSphere, reopen console, try again…<\/p>\n

\"\"<\/a><\/p>\n

always loved this trick over uploading a ISO to a datastore….<\/p>\n

\"\"<\/a><\/p>\n

Ahh modern Windows still giving off that great nostalgic feel.. \ud83d\ude00<\/p>\n

yada yada, setup, vmware tools, and join domain, you get the jist of it.<\/p>\n

<\/span>Ping and the Firewall<\/span><\/h2>\n

First order of Business Ping and the Firewall!<\/p>\n

\"\"<\/a><\/p>\n

Ahh yes connectivity verified (I knew it was good cause I joined the system to the domain, but I like ping… just nothing like a good ICMP) good thing that m is not a u….<\/p>\n

Anyway time to run WBEMTEST, bet the first attempt fails cause the firewall again…. hour glass… and (not responding) yeah…. sounds like a stupid firewall…<\/p>\n

\"\"<\/a><\/p>\n

What?! no way RPC error… lol I totally saw this coming cause again a default server installation doesn’t allow these connections through the firewall by default.<\/p>\n

This is a bit old,<\/a> but lets see if it still works…<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Amazing it worked… but yes this was just to verify connectivity through the firewall… so…<\/p>\n

<\/span>WBEMTEST Testing WMI with Least Privileges<\/span><\/h2>\n

OK now that we verified connectivity to the wmi stack with wbemtest using our admin account, lets do it again as a normal domain user. Just to validate these credentials were OK as a standard user i logged into a normal workstation with it, if you want to protect this even further you’d use GPOs to disallow this account local logon. Anyway…<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

What?! Access denied… lol again expected.. now instead of granting this account admin access, which is overkill, lets grant it the basic enable and remote access on the WMI object… so back on the server we want to be monitored via WMI…<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a>\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Hope that was easy enough to follow without even saying anything.. anyway lets try that connection again…<\/p>\n

<\/span>Try 2, Scale-able<\/span><\/h2>\n

Mhmmm access still denied… lets see here<\/a><\/p>\n

This is how I normally do it for a monitoring account anyway cause it usually needs more permissions when mointoring a server so lets try it that way… revert the direct permissions… and grant performance group access…<\/p>\n

\"\"<\/a><\/p>\n

Now lets add wmi reader account to the dcom groujps and the performance monitor group and reboot the server…<\/p>\n

\"\"<\/a><\/p>\n

Server rebooting, back up, and lets test that connection again on wbemtest!<\/p>\n

\"\"<\/a><\/p>\n

and….<\/p>\n

\"\"<\/a><\/p>\n

Bazzaaaaaa! An account thats not a admin anywhere with permissions needed to monitor your server with WMI! Use these accounts on software such as PRTG, Splunk, Zenoss, etc etc.<\/p>\n

Hope everyone enjoyed this tutorial on WMI configuration and testing. \ud83d\ude00<\/p>\n","protected":false},"excerpt":{"rendered":"

WMI and the WBEMTEST I’ll try and keep this post short, as I have many things to catch up on, and this just happened to be one of those things I haven’t done in a while and had to do today for some newer servers that have been configured. Now since I hadn’t blogged about … <\/p>\n

Continue reading “WMI and the WBEMTEST”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[4,8],"tags":[159,158,160],"class_list":["post-536","post","type-post","status-publish","format-standard","hentry","category-infosec","category-server-administration","tag-wbemtest","tag-wmi","tag-wmimgmt"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=536"}],"version-history":[{"count":1,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/536\/revisions"}],"predecessor-version":[{"id":537,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/536\/revisions\/537"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}