6 Replies Latest reply on Jan 13, 2017 9:13 AM by cbayless

    WMI - W2012R2 - Security Events - Non-Admin Account

    abanaru

Hi Guys,


What workaround are you using to get the Security events out of a Windows 2012 R2 without using a domain admin or assigning a normal domain user to the local administrators group on each system?

      My only option now is to use the SIEM Collector which runs as a service.


      BR,

      Andrei

        • 1. Re: WMI - W2012R2 - Security Events - Non-Admin Account
          moorej1

          Non-Admin WMI:

          Environment

          McAfee SIEM Event Receiver 9.6.x, 9.5.x, 9.4.x
          Microsoft Windows Server 2012*
          Microsoft Windows Server 2008
          Microsoft Windows Server 2003

          Summary

          The following procedures describe how to use a non-Admin account for WMI.

          Group membership, security policy assignments, and permissions

          1. Create a domain user account to represent the user that will be used in your environment for log collection.
          2. Create a domain group that will receive all of the rights that the WMI collection user needs.

            NOTE: Always assign permissions to a domain group, instead of directly to a user.
          3. Put the WMI collection user into this newly created group.
          4. Put the newly created WMI collection group into the following domain groups:
            • Performance Log Users
            • Distributed COM Users
          5. Run one of the following three Microsoft Management Console (MMC) snap-ins:
            • the Local Security Policy snap-in (secpol.msc) for member servers
            • the Default Domain Security Policy snap-in (dompol.msc) if you want to configure these settings domain-wide as a GPO
            • the Default Domain Controller Security Settings snap-in (dcpol.msc) if you want to assign the rights only on domain controllers
          6. When the snap-in has started, expand Security Settings, Local Policies, User Rights Assignment.
          7. Assign your new group at least the following rights:
            • Act as part of the operating system
            • Log on as a batch job
            • Log on as a service
            • Replace a process level token

          8. Close the Policy Settings utility.
          • Expand Console Root, Computers, My Computer.
          • Right-click My Computer and select Properties.
          • In the window that appears, click the COM Security tab.
          • Under Access Permissions, click Edit Limits.
          • Confirm that the Distributed COM Users group has all items selected under Allow.
          • (Optional) Add the WMI collection group to this list and ensure that they have full Allow access.

            NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
          • When you have reviewed the presence of Distributed COM Users or added the WMI collection group, click OK to save your changes and return to the COM Security tab.
          • Under Launch and Activation Permissions, click Edit Limits.
          • In the list of groups and permissions, confirm that the Distributed COM Users group has all items selected under Allow.
          • (Optional) Add the WMI collection group here, and assign full Allow access.

            NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
          • Click OK to save your changes.
          • Close the Component Services utility.
          • Right-click WMI Control (Local) and click Properties.
          • Click the Security tab.
          • Click Security at the bottom of the window. This action edits the security settings for the Root WMI namespace.
          • Click Advanced to see the Advanced security settings for this WMI namespace.
          • Add the WMI collection group to the list, and assign it at least the following Allow permissions:
            • Execute Methods
            • Enable Account
            • Remote Enable
            • Read Security
          • Click OK again to close the Advanced Security Settings, and then click OK a third time to exit the security properties.

          You can now use the WMI collection user to collect events from WMI without having to use WMI domain admin privileges.


          SIEM Release Notes:

          https://kc.mcafee.com/corporate/index?page=content&id=PD24598&actp=RSS


          Windows WMI and SIEM:

          https://kc.mcafee.com/corporate/index?page=content&id=KB74847&actp=LIST


          Supported Devices:

          http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf
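          An added check for the procedure above (example script, not part of this thread or the McAfee KB): run from the collector host with the non-admin collection account's credentials, it first confirms that DCOM and the root\cimv2 namespace permissions work at all, then compares a read of the System log with a read of the Security log so a Security-only failure is not mistaken for a DCOM or namespace problem. The host name and account are placeholders.

```powershell
# Added example, not from the thread or the KB. Verifies that a non-admin WMI
# collection account can read the Security log on a remote 2012 R2 host and
# separates DCOM/namespace failures from Security-log-specific failures.
param(
    [string]$ComputerName   = 'SERVER01.example.local',   # placeholder target
    [string]$CollectionUser = 'EXAMPLE\svc-wmi-collect'   # placeholder account
)

$cred = Get-Credential -UserName $CollectionUser -Message 'WMI collection account password'

function Test-WmiLogAccess {
    param([string]$Computer, [pscredential]$Credential, [string]$LogFile)
    try {
        # Win32_NTLogEvent is the class WMI-based event collection queries.
        # -EnableAllPrivileges lets the call use any privilege the account
        # holds (the Security log needs SeSecurityPrivilege); -First 1 keeps
        # the probe cheap on a large log.
        $null = Get-WmiObject -ComputerName $Computer -Credential $Credential `
            -Namespace 'root\cimv2' -EnableAllPrivileges `
            -Query "SELECT RecordNumber FROM Win32_NTLogEvent WHERE Logfile='$LogFile'" `
            -ErrorAction Stop | Select-Object -First 1
        return "$LogFile`: readable"
    } catch {
        return "$LogFile`: FAILED - $($_.Exception.Message)"
    }
}

# 1. Plain namespace access. If this fails, the DCOM limits or the root
#    namespace rights from the procedure are the problem, not the Security log.
try {
    $os = Get-WmiObject -ComputerName $ComputerName -Credential $cred `
        -Class Win32_OperatingSystem -ErrorAction Stop
    "root\cimv2 reachable as $CollectionUser on $($os.Caption)"
} catch {
    "root\cimv2 NOT reachable: $($_.Exception.Message)"
    return
}

# 2. A readable System log together with a failed Security read points at the
#    Security log's own access requirement, which the DCOM and namespace steps
#    do not touch.
Test-WmiLogAccess -Computer $ComputerName -Credential $cred -LogFile 'System'
Test-WmiLogAccess -Computer $ComputerName -Credential $cred -LogFile 'Security'
```

Reading the Security log through Win32_NTLogEvent requires the account to hold the "Manage auditing and security log" user right (SeSecurityPrivilege) on the target, which is not among the rights listed in step 7, so a System-readable/Security-failed result from this script is the case to look at first.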

          • 2. Re: WMI - W2012R2 - Security Events - Non-Admin Account
            abanaru

            You have copied that information from KB74126 but failed to notice that for Windows 2012 R2 it's not applicable in the case of Security events.

            • 3. Re: WMI - W2012R2 - Security Events - Non-Admin Account
              moorej1

              It works for me on the Win2012 R2 Datacenter version; what version are you using?

              • 4. Re: WMI - W2012R2 - Security Events - Non-Admin Account
                abanaru

                Standard Edition, but it doesn't matter because that procedure is not valid for Security Events from 2012 R2. It is clearly stated at the beginning of it.

                • 5. Re: WMI - W2012R2 - Security Events - Non-Admin Account
                  moorej1

                  Wow, ok. BTW: the vendor is not always right forever. Things change. Code changes, features get added... I'm not going to argue with you. ***However, if anyone else reads this article, the Win2012 R2 Datacenter version works as of 11/13/2016, and has for months before.***

                  • 6. Re: WMI - W2012R2 - Security Events - Non-Admin Account
                    cbayless

                    to moorej1

                    Did you make any special changes to get 2012 R2 to work appropriately?