PRTG and WMI Security

Is there a means to better secure WMI with PRTG? Everything seems to indicate that the correct/supported method is to ensure that the PRTG monitoring user/service account is a member of Domain Admins. While this does in fact work for us, having an account with Domain Admin privileges in use either by IT or by users/developers who are monitoring their software on our servers seems excessive and unsecure. Can we not create a PRTG_SERVICE account, provide it rights to remotely read WMI (as we only need to read performance counters, CPU load, disk space, but no need to change/write - essentially, SNMP but with the WMI interface), and ensure that the PRTG_SERVICE account is NOT a member of Local Administrators on the server or Domain Admins?

best-practice prtg security wmi

Created on Apr 28, 2010 4:58:37 PM by  netadmin1 (1) 1

Last change on Jul 9, 2010 1:50:15 PM by  Daniel Zobel [Paessler Support] (21,383) 3 3



Best Answer

Accepted Answer

This should be possible, of course, although it is probably not too easy to achieve. Did you read the MSDN article http://msdn.microsoft.com/en-us/library/aa393266%28v=VS.85%29.aspx about this topic?

However, please bear in mind that setting up specific restrictions on DCOM and WMI might result in WMI sensors ceasing to function with very vague error messages and unpredictable and unsupportable phenomena.

A good idea would be to test this limited account using our WMI tester, before setting it up in PRTG.

Kind regards,
- Volker

Created on Apr 29, 2010 2:17:51 PM by  Volker Uffelmann [Paessler Support] (1,547) 2 3



3 Replies

Hello,

You can of course try this, and to our knowledge some customers seem to do so already. However, some (or most) things related to DCOM and WMI (in order to do it successfully) seem to require nearly full permissions of a Domain Admin.

Best Regards.

Created on Apr 28, 2010 5:01:14 PM by  Torsten Lindner [Paessler Support] (15,450) 3 1



I am/have been trying to do this. I'm trying to determine if there is an already known way to perform this task. It seems risky to have a domain admin level account log in to multiple servers every 1-5 minutes for monitoring. How would one be able to audit this? If the PRTG account was compromised, it would be very hard to identify the intrusion through security logs, as the PRTG account would be shown as logging in potentially hundreds of times per day. It would be far more beneficial to have a restricted rights account used for WMI read only, that could have limited/no other rights on the network.

Created on Apr 28, 2010 5:03:21 PM by  netadmin1 (1) 1
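
One way to approach the audit question raised in the reply above, as an added example that is not part of the original thread: a monitoring account should only log on from the PRTG probe host and only with a network logon, so its logons can be checked against that allow-list rather than read one by one. The probe address, the sample events and the function name are constructed assumptions; the field names follow Windows Security event 4624.

```python
from collections import Counter

SERVICE_ACCOUNT = "PRTG_SERVICE"   # account name proposed in the question
ALLOWED_SOURCES = {"10.0.0.50"}    # assumption: address of the PRTG probe host
NETWORK_LOGON = 3                  # LogonType 3 = network logon (remote WMI/DCOM)

# Constructed sample records, shaped like exported Security event 4624 entries.
EVENTS = [
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "PRTG_SERVICE",
     "IpAddress": "10.0.0.50", "LogonType": 3},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "PRTG_SERVICE",
     "IpAddress": "10.0.0.50", "LogonType": 3},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "prtg_service",
     "IpAddress": "10.0.0.50", "LogonType": 3},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "PRTG_SERVICE",
     "IpAddress": "10.0.0.77", "LogonType": 3},    # not the probe host
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "PRTG_SERVICE",
     "IpAddress": "10.0.0.50", "LogonType": 10},   # RemoteInteractive (RDP)
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "alice",
     "IpAddress": "10.0.0.77", "LogonType": 10},   # other account, ignored
]


def audit_service_logons(events, account=SERVICE_ACCOUNT, allowed=ALLOWED_SOURCES):
    """Separate the account's routine polling logons from logons that need review."""
    expected = Counter()   # per-server count of logons matching the baseline
    anomalies = []         # (server, source, logon type, reasons)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("TargetUserName", "").lower() != account.lower():
            continue
        reasons = []
        if ev.get("IpAddress") not in allowed:
            reasons.append("unexpected source")
        if ev.get("LogonType") != NETWORK_LOGON:
            reasons.append("unexpected logon type")
        if reasons:
            anomalies.append((ev["Computer"], ev.get("IpAddress"),
                              ev.get("LogonType"), reasons))
        else:
            expected[ev["Computer"]] += 1
    return expected, anomalies


if __name__ == "__main__":
    baseline, flagged = audit_service_logons(EVENTS)
    print("baseline logons per server:", dict(baseline))
    for item in flagged:
        print("review:", item)
```
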


