BMC Performance Manager
Windows Security White Paper
DCOM / WMI

Problem
The IT department delivers IT services to its internal and external customers. It wants to maintain control over its own systems and network resources while simplifying Windows remote monitoring and reducing the level of access that monitoring exposes.

Solution
The technology features implemented for Windows remote monitoring are based on the priorities the IT department has expressed:
- The members of the IT department need clearly defined access control to the Windows OS.
- The members of the IT department need to reduce the level of access exposed for remote monitoring.

Primary Message
The BMC Performance Manager Express for Servers based remote monitoring solution builds on the authentication and access control infrastructure of the underlying OS.

Description
BMC Performance Manager Express for Servers does not modify the DACL / ACL / SACL of your Windows OS infrastructure in any way. The solution requires proper access to the resources being monitored. Remote monitoring and administrative tasks on remote computers have become more complex, and the underlying architecture of the Windows OS can make remote monitoring and administration somewhat more tortuous.

BMC PM for Servers - Secure Remote Monitoring Version 1.0 Page 1 of 8
Change History
Date      Version  Comment              Change by
April 07  1.0      First initial draft  V. Scheithauer

Contents
Understanding Remote Monitoring and Administration ... 3
Security and Permissions ... 3
  Firewall Permission ... 3
  DCOM Permission ... 3
  WMI Permission ... 4
Remote monitoring with Administrator rights ... 5
Remote Monitoring with User rights ... 6
BMC PM Express for Servers WMI Requirements ... 7
  Configuring DCOM configuration properties ... 7
  Configuring the WMI control ... 7
  Configuring remote WMI collection by an account not included in an Administrator group ... 7

Products involved
BMC Performance Manager Express for Servers
BMC PM Express for Servers 2.3
BMC PM Express for Servers 2.x

Legal Note
This document is provided for information purposes only and BMC Software, Inc. makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of BMC Software, Inc.
Understanding Remote Monitoring and Administration
Any kind of remote monitoring and administration requires you to navigate through a set of security layers associated with elements such as:
- Low-level network
- Local / remote Firewall
- Distributed Component and WMI services
- Remote Procedure Call (RPC)
- Exposed COM / WMI Objects

There are two types of permissions involved in most forms of remote monitoring and administration. The first is connectivity permission: the permission to connect to a service or object and execute a specific task. The second is execution permission: the permission to execute an object's method or task. There is a subtle difference between the two.

Security and Permissions

Firewall Permission
The Windows Firewall provides a high level of local security for computers on which the Firewall is enabled. However, by default, the Firewall blocks most of the connections required for remote monitoring and administration. In this case, you simply need to modify the Firewall to allow this kind of network traffic:
- File and Folder access: enable a Firewall exception for File Sharing
- WMI access: enable remote management and DCOM connections
  o DCOM-In
  o WMI-In
  o WMI-Out
  o ASync-In
- Other remote monitoring access: enable incoming DCOM connections and possibly RPC connections

DCOM Permission
Permissions are governed by the Windows Component Services security layer, which can be configured through the Component Services console or Active Directory group policies. DCOM can be configured with permissions that control local launch, remote launch, local activation and remote activation. You must have at least the remote launch and remote activation permissions in order to remotely monitor your Windows OS via DCOM and WMI. You can also configure permissions to control access to the DCOM object after it has been launched and activated. By default, only the local Administrators group has full access to DCOM and all associated components and objects.
WMI Permission
Windows Management Instrumentation has its own layer of security, which can be administered through the WMI Control MMC snap-in or by executing the appropriate methods in a scripted fashion. You can change the access to a WMI namespace using the WMI Control or programmatically. It is recommended that changes to security descriptors be made with great caution so that the security of the object is not compromised. Be aware that the order of ACEs in a DACL can affect access security.

Default Permissions on WMI Namespaces
Starting with Windows Vista, the default security groups are:
- Authenticated Users
- LOCAL SERVICE
- NETWORK SERVICE
- Administrators (on the local computer)

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: the default security groups are:
- Administrators
- LOCAL SERVICE
- NETWORK SERVICE
- Everyone

The default access permissions for Authenticated Users, LOCAL SERVICE, and NETWORK SERVICE are:
- Execute Methods
- Full Write
- Enable Account

Accounts in the Administrators group have all rights available to them, including editing security descriptors. However, because of User Account Control (UAC), the WMI Control or the script must be running at elevated security.

Printers, services, registry keys, DCOM applications, and WMI namespaces are securable objects. Access to securable objects is protected by security descriptors, which specify the users who have access. Starting with Windows Vista, many securable objects have methods for getting or setting the security descriptor. With appropriate permissions, you can read or change security descriptors on securable objects. Using these methods, you can control which user accounts or groups have access to a printer, service, WMI namespace or other object.
Remote monitoring with Administrator rights
The following graphic visualizes the steps involved when monitoring a Windows OS remotely with local admin rights.

The Domain Administrator provides the credentials to access the Windows OS. A regular domain user account is used that is a member of the local Administrators group. Only the local Firewall needs to be adjusted to grant the provided account network access to the system.

The assigned account has full access to DCOM, the WMI namespace, and the WMI objects with their respective properties and methods, since the provided account is in the local Administrators group on the particular server.

Figure I
Remote Monitoring with User rights
The following graphic visualizes the steps involved when monitoring a Windows OS remotely without local admin rights.

The Domain Administrator provides the credentials to access the Windows OS. A domain account is used. Grant access to each component involved:
1. The local Firewall needs to be adjusted to grant the provided account network access to the system.
2. DCOM needs to be adjusted to grant the provided account access to COM objects, including WMI. You may use Group Policies within Active Directory.
3. Access to the WMI namespace needs to be granted. The manual process is quite tedious, so you might want to consider scripting the DACL, ACL and SACL.
4. In addition to access to the namespace, you can control access to the objects and to individual methods of any given object.

The assigned account has limited access, only to specific DCOM objects, the WMI namespace, and the WMI objects with their respective properties and methods.

Figure II
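The following PowerShell script is an added example written for this paper; it is not BMC's or Microsoft's code. It covers the scripted namespace security the WMI Permission section refers to (reading the DACL of a namespace and checking ACE order) and steps 1 to 3 of the user-rights procedure above (step 4, per-object and per-method access, is left to the administrator). The Allow ACE it adds carries only the rights listed under "Configuring the WMI control" in the WMI Requirements section. It assumes Windows Vista / Windows Server 2008 or later (the Win32_SecurityDescriptor methods on __SystemSecurity and netsh advfirewall do not exist on Windows Server 2003), an elevated PowerShell session on the monitored host, and a placeholder monitoring account CORP\svc-monitor.

```powershell
# Added example, not BMC's or Microsoft's code. Assumes Windows Vista / Server 2008 or later,
# an elevated PowerShell session on the monitored host, and a placeholder account CORP\svc-monitor.

# WMI namespace rights as named in the WMI Control snap-in; values are the Windows SDK WBEM_* constants.
$WbemRight = @{
    'Enable Account'  = 0x00001   # WBEM_ENABLE
    'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE
    'Full Write'      = 0x00004   # WBEM_FULL_WRITE_REP
    'Partial Write'   = 0x00008   # WBEM_PARTIAL_WRITE_REP
    'Provider Write'  = 0x00010   # WBEM_WRITE_PROVIDER
    'Remote Enable'   = 0x00020   # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
    'Edit Security'   = 0x40000   # WRITE_DAC
}
$CONTAINER_INHERIT_ACE = 0x2    # ACE also applies to sub-namespaces
$INHERITED_ACE         = 0x10   # ACE was inherited from a parent namespace
$ACCESS_ALLOWED_ACE    = 0
$ACCESS_DENIED_ACE     = 1

function Get-WmiNamespaceSecurityDescriptor {
    param([string]$Namespace, [string]$ComputerName)
    $out = Invoke-WmiMethod -Namespace $Namespace -Path __SystemSecurity -Name GetSecurityDescriptor -ComputerName $ComputerName
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed with $($out.ReturnValue)" }
    return $out.Descriptor
}

# Audit: decode every ACE in the namespace DACL and flag entries that are out of canonical order.
function Get-WmiNamespaceAcl {
    param([string]$Namespace = 'root\cimv2', [string]$ComputerName = '.')
    $sd = Get-WmiNamespaceSecurityDescriptor $Namespace $ComputerName
    $seenExplicitAllow = $false
    foreach ($ace in $sd.DACL) {
        $inherited = ($ace.AceFlags -band $INHERITED_ACE) -ne 0
        $isDeny    = $ace.AceType -eq $ACCESS_DENIED_ACE
        $type      = 'Allow'
        if ($isDeny) { $type = 'Deny' }
        # Canonical order is explicit Deny, explicit Allow, then inherited ACEs. An explicit Deny
        # that sits after an explicit Allow is reached only after the Allow has already matched.
        $outOfOrder = $isDeny -and -not $inherited -and $seenExplicitAllow
        if (-not $isDeny -and -not $inherited) { $seenExplicitAllow = $true }
        $rights = @($WbemRight.Keys | Where-Object { ($ace.AccessMask -band $WbemRight[$_]) -ne 0 } | Sort-Object)
        New-Object PSObject -Property @{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type       = $type
            Inherited  = $inherited
            OutOfOrder = $outOfOrder
            Rights     = ($rights -join ', ')
        }
    }
}

# Grant: append one explicit Allow ACE carrying only the rights the paper lists for the WMI collector.
function Grant-WmiNamespaceMonitorAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = '.'
    )
    $mask = 0
    foreach ($r in 'Enable Account', 'Execute Methods', 'Provider Write', 'Remote Enable', 'Read Security') {
        $mask = $mask -bor $WbemRight[$r]
    }
    $account = Get-WmiObject -Class Win32_Account -ComputerName $ComputerName -Filter "Domain='$Domain' AND Name='$Name'"
    if (-not $account) { throw "Account $Domain\$Name not found on $ComputerName" }

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $account.SID
    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.Trustee    = $trustee

    $sd = Get-WmiNamespaceSecurityDescriptor $Namespace $ComputerName
    # Append rather than prepend: an Allow placed after the existing entries cannot shadow an explicit Deny.
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $out = Invoke-WmiMethod -Namespace $Namespace -Path __SystemSecurity -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject -ComputerName $ComputerName
    if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed with $($out.ReturnValue)" }
}

# Steps 1 to 3 of the user-rights procedure for one account on the local host.
function Enable-WmiMonitoringForAccount {
    param([Parameter(Mandatory=$true)][string]$Domain, [Parameter(Mandatory=$true)][string]$Name)
    # 1. Firewall: enable only the WMI rule group (DCOM-In, WMI-In, WMI-Out, ASync-In), not File Sharing.
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes | Out-Null
    # 2. DCOM: the built-in Distributed COM Users group already holds remote launch and activation,
    #    so membership satisfies step 2 without editing machine-wide DCOM limits or using Administrators.
    net localgroup "Distributed COM Users" "$Domain\$Name" /add | Out-Null
    # 3. WMI namespace DACL.
    Grant-WmiNamespaceMonitorAccess -Domain $Domain -Name $Name
}

# Usage on the monitored server (placeholder account), then re-audit the namespace:
# Enable-WmiMonitoringForAccount -Domain 'CORP' -Name 'svc-monitor'
# Get-WmiNamespaceAcl | Format-Table Trustee, Type, Inherited, OutOfOrder, Rights -AutoSize
```

Run Get-WmiNamespaceAcl before and after the grant: the new entry should appear as a single Allow ACE for the account with exactly the five rights, and no row should report OutOfOrder as True. If the collector needs namespaces other than root\cimv2, call Grant-WmiNamespaceMonitorAccess once per namespace rather than widening the rights.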
BMC PM Express for Servers WMI Requirements
By default, accounts contained in the Administrators group have the necessary permissions required to remotely monitor log files and services using the WMI collector. When monitoring Windows computers using the WMI collector, ensure that the RSM computer has the necessary DCOM configuration properties.

Configuring DCOM configuration properties
The RSM computer that monitors the Event Logs and services must have the following Default Access Permissions in the Distributed COM Configuration properties:
- Administrators
- Interactive
- Network
- System

Configuring the WMI control
To successfully read performance data, the appropriate permissions must be configured on both the RSM and the remote system using WMI-based data collection. The following permissions must be enabled on the RSM and the target computer:
- Execute Methods
- Provider Write
- Enable Account
- Remote Enable
- Read Security

Configuring remote WMI collection by an account not included in an Administrator group
With some operating systems, particularly Microsoft Windows 2003, you may only be able to monitor services using the WMI collector with an Administrator account. You must configure this account on both the RSM and the target computer. See the BMC Performance Manager Online Help for further details: BMC PM Collector for WMI prerequisites.
Reference
BMC Software: http://www.bmc.com
Microsoft MSDN: http://msdn.microsoft.com

Feedback & Comments
BMC Software, Inc.
Product Management BMC Performance Manager
e-mail: Volker_Scheithauer@bmc.com

Copyright 2007 BMC Software, Inc., as an unpublished work. All rights reserved. BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other trademarks belong to their respective companies. BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.

Disclaimer; Limitation of Liability; Indemnity: http://www.bmc.com/legal/