Update: The purpose of this blog post is to give a specific monitoring user permission on a specific Windows service. Step-6 (setting the DNS service permission for the account that will monitor the service) can be replaced with the easier methods in my newer blog post.
There are three methods for monitoring Windows servers:
- By installing agents (such as Zabbix or SCOM agents).
- SNMP v1, v2 or v3, regardless of platform.
- WMI monitoring for Windows servers.
Today I'm going to set up WMI monitoring in a couple of steps, and also show how to monitor the Windows services that are not exposed by the default monitoring method. Here, I'll use a Microsoft DNS Server as the monitored client for the DNS service plus basic resource monitoring.
Things that I used in this tutorial:
- Server 2012 R2 x64, named "DNS-test.contoso.com"
- SolarWinds Server and Application Monitor (trial version), on the server named "monitor.contoso.com"
- Some Windows built-in tools:
  - Wmimgmt (Windows Management Instrumentation management)
  - Dcomcnfg (DCOM configuration)
  - Sc (Service Controller) and scmanager
Note: Although you can give the monitoring account full administrator rights to save yourself some headaches, that is highly not recommended. So let's see how we can do WMI monitoring following the principle of least privilege.
Read This Please:
Part of this tutorial involves modifying the security permissions of system services (here, the DNS service), which might be critical on production systems. I tested this solely for my lab, and I cannot guarantee that it works in your environment. I also do not know the effects of changing an individual service's permissions, so it is better to test in a UAT environment. And the last word: do it at your own risk; I do not take responsibility for this.
Step-1: Install the pre-requisites, and what's next?
Install Windows Server 2012 R2 and the DNS role (you can use any other OS version from Server 2003 SP2 onwards).
I also installed the trial version of SolarWinds Server and Application Monitor for testing purposes. However, you can use any monitoring software that supports the WMI monitoring method.
These installation steps are easy enough, so I won't go into details.
Step-2: Permission is needed for WMI to allow remote users.
I created one user account for monitoring, "monitoruser", and added it to the group "Performance Monitor Users", since I'm planning to give the permission to that group rather than directly to the user.
Figure 1 – Create monitor user and add to Performance Monitor Users group
After that we have to give the permission to query the WMI classes. WMI is Microsoft's management framework, present since Windows 2000, for accessing system classes and hardware through an abstract model.
So, I give the permission here. See Figure-2.
- In the Run box type wmimgmt
- In the console, right-click Properties > Security > Root >> CIMV2 > Add Performance Monitor Users > Check the Enable Account and Remote Enable
- OK, Save the settings
- In the console, right-click Properties > Security > Root >> MicrosoftDNS > Add Performance Monitor Users > Check the Enable Account and Remote Enable
- OK, Save the settings.
Note: Most Windows services and namespaces lie in CIMV2, so it is necessary to give permission to access these components.
Figure-2 Add permission to WMI Namespaces
Step-3: Give some permissions to DCOM also.
In this step, we will give permission to access DCOM, the Distributed Component Object Model, which is used for communication between software components on distributed computers.
1) In the Run box type dcomcnfg
2) In the console, right-click My Computer > Properties > COM Security and give permissions under Access Permissions and Launch and Activation Permissions (red rectangles in Figure-3)
3) Add the Performance Monitor Users group and give it Local Access and Remote Access permissions for both properties. (Fig-4)
4) OK, Save the settings.
Figure-3 – Properties of DCOM
Figure-4 Security Settings for Performance Monitor Users
As of now, we can monitor the system processes, CPU, memory and network of the computers. But to monitor the state of a service, we need to add one more setting. This step has been required since Server 2003 SP2, when Microsoft locked this down as a security fix. You can check the Microsoft KB article here. So, type the command below in an elevated command prompt as Administrator, as shown in Figure-5.
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Figure-5: Change the Service Control Manager Security Settings
Step-4: Let's start monitoring and see if it works.
Now let's add the server node to our monitoring software. I assume that SolarWinds is already installed; the username is 'admin' with a blank password.
So, you can add the node as shown in Figure-6.
Figure-6: Add the Node to SolarWinds Console
On the next page you can choose basic monitoring as shown in Figure-7.
Figure-7: Selection for the basic monitoring
The next page is about the specific services or roles that you want to monitor. I choose the DNS Server and test it.
Oops, it has some alerts! It says the DNS service cannot be monitored, although the DNS service is running...
It is because we want to monitor the DNS service and it seems it is not visible to our pre-configured user, monitoruser (which is in the special group that is supposed to be able to monitor ;P). See Figure-8.
For this we can check whether our user has the necessary permission using the Windows built-in tools in the next step.
Figure-8: Testing the DNS service, and it failed
Step-5: Always check if the monitoring user has the necessary permission to do something
Microsoft has a tool to view or modify CIM classes (WMI classes) using WQL queries. From there, you can query the system services or DCOM objects. We are going to use it now.
1) Run > wbemtest > Connect and put in the parameters. In the namespace field, use \\servername\root\cimv2. Use the username and password of the monitoring user and Connect. See my Figure-9.
2) Type select * from win32_service in the query field. It should return the list of services available to our monitoring user. See Figure-10 and Figure-11.
3) Check if the service we want to monitor is listed in the results. Here, we want to monitor DNS Server, whose service name is DNS (you can check the service name via Run > services.msc and the properties of that service).
4) We do not find "DNS", but instead we find Dnscache, which is the DNS Client service.
5) So we can conclude that the DNS service is unavailable through the service control manager even though we gave permission just before Step-4. So, we have to specifically change the security settings of the DNS service.
Figure-9: Connection settings of WBEMTest to connect to a remote computer
Figure-10: WQL query to list all available Windows services
Figure-11: The result list of services.
Step-6: Modifying the Security Permission of the Service
Please take this step carefully, because every part of the syntax in these commands is sensitive to changes and may affect the system adversely unless you have a saved copy of the previous settings. You can refer to Figure-12.
1) From the elevated command prompt, check the security settings of the DNS service with the following command.
sc sdshow dns
2) Copy the output exactly as it is to Notepad.
3) Put the following access control entry between the end of the first bracket and the start of the second bracket.
(A;;CCLCSWLOCRRC;;;AU)
4) So the new line would be
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5) Change the DNS service security by passing the descriptor above to sc sdset (everything is on one line).
sc sdset dns D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note: Let me explain a bit about this command. sc sdshow dns shows the security descriptor of the service. Then we put our monitor group (aliased as AU for Performance Monitor Users) with the necessary permission in step 3. The capital A as the first letter stands for Allow. The D: in step 4 is the Discretionary ACL (DACL). The S: at the start of the last bracket means System Access Control List (SACL). Each alias CC, LC, SW, LO, CR, RC has a specific meaning for access permission. You can find more about these here:
https://msdn.microsoft.com/en-us/library/aa379602%28v=vs.85%29.aspx
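Before applying either sc sdset command, it is worth decoding the descriptor and confirming who gains what. The script below is an added example, not code from the post: it maps the SDDL aliases to their well-known names (AU is the SDDL alias for Authenticated Users, while the Performance Monitor Users group has its own alias, MU), diffs the DNS descriptor from step 4 against the one sc sdshow printed before the edit (reconstructed here by removing the inserted ACE), and decodes the scmanager descriptor from Step-3 with the service control manager's own meaning of the rights codes.

```python
"""Added example (not from the original post): decode the SDDL strings that sc sdshow
prints and sc sdset consumes, to check which principal each ACE targets and what it grants."""
import re

# Well-known SDDL SID aliases. Note AU is Authenticated Users; the Performance
# Monitor Users group has its own alias, MU (included here for comparison).
SIDS = {"AU": "Authenticated Users", "SY": "LOCAL SYSTEM", "BA": "Administrators",
        "IU": "Interactive Users", "SU": "Service Logon Users", "WD": "Everyone",
        "MU": "Performance Monitor Users", "LU": "Performance Log Users"}
# Rights codes that mean the same for every object type.
GENERIC = {"RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
           "KA": "KEY_ALL_ACCESS", "FA": "FILE_ALL_ACCESS", "GA": "GENERIC_ALL"}
# Object-specific bits: the same codes mean different things for a service
# (sc sdset <service>) and for the service control manager (sc sdset scmanager).
SERVICE_RIGHTS = dict(GENERIC, CC="QUERY_CONFIG", DC="CHANGE_CONFIG", LC="QUERY_STATUS",
                      SW="ENUMERATE_DEPENDENTS", RP="START", WP="STOP",
                      DT="PAUSE_CONTINUE", LO="INTERROGATE", CR="USER_DEFINED_CONTROL")
SCM_RIGHTS = dict(GENERIC, CC="CONNECT", DC="CREATE_SERVICE", LC="ENUMERATE_SERVICE",
                  SW="LOCK", RP="QUERY_LOCK_STATUS", WP="MODIFY_BOOT_CONFIG")

def parse_sddl(sddl, rights_map=SERVICE_RIGHTS):
    """Return {"D": [...], "S": [...]}; each entry is (ace_type, principal, [rights])."""
    acl = {"D": [], "S": []}
    for part, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, _, rights, _, _, sid = ace.split(";")
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            acl[part].append((ace_type, SIDS.get(sid, sid), [rights_map.get(c, c) for c in codes]))
    return acl

def added_aces(before, after, rights_map=SERVICE_RIGHTS):
    """DACL entries present in `after` but not in `before`: exactly what the edit grants."""
    old = parse_sddl(before, rights_map)["D"]
    return [a for a in parse_sddl(after, rights_map)["D"] if a not in old]

def allowed(sddl, right, rights_map=SERVICE_RIGHTS):
    """Principals whose DACL Allow entry includes `right`."""
    return sorted({p for t, p, r in parse_sddl(sddl, rights_map)["D"] if t == "A" and right in r})

# Descriptors from the post. DNS_BEFORE is reconstructed by removing the ACE that
# step 3 inserts, because the post only shows the descriptor after the edit.
DNS_BEFORE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
DNS_AFTER = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
SCM_SDDL = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

if __name__ == "__main__":
    for ace_type, who, rights in added_aces(DNS_BEFORE, DNS_AFTER):
        print(f"DNS service gains: {ace_type} {who}: {', '.join(rights)}")
    print("Can connect to SCM:", allowed(SCM_SDDL, "CONNECT", SCM_RIGHTS))
```

Paste the real sc sdshow output into the constants and the diff tells you exactly which principals gain which rights before you commit the change.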
Step-7: OK, back to monitoring; let's see the results
OK, now our user can see the service. Figure-14 is the result of a successful WMI monitoring.
Figure-13: Now the service status can be polled
Figure-14: The overview of the added node