At work we use opennms monitoring (http://www.opennms.org/) to monitor the vast amounts of infrastructure that we have to take care of, generally the system works fairly well, however SNMP for windows based systems is lacking unless you use a third party snmp plugin, unfortunately the documentation for ONMS is very lacking on how to actually set up a reasonably secure user credentials and GPO practices for domain based wmi monitoring.
This document assumes that you have some basic knowledge of windows systems.
I have found several issues with this system, I will update this document when my examinations have been complete, I suggest that you test this out on your test systems before you deploy it, this may not work on clustered hyper-v systems and systems with IIS (maybe) ill update as more information comes up.
Install WMI SNMP provider
To install the SNMP Provider
- Open Server Manager and go to features
- Select Add Features
- Select SNMP Services (SNMP Service, SNMP WMI Provider)
- Follow Prompts.
Group membership, security policy assignments and permissions
1. Create domain user (wmiuser)
2. Create a group (wmigroup)
3. Place wmiuser into this newly-created group.
4. Put the newly created wmigroup into the following domain groups:
- Performance Log Users
- Distributed COM Users
- Certificate Service DCOM Access
- Performance Monitor Users
5.: Run one of the following three Microsoft Management Console (MMC) snap-ins, I recommend creating a new GPO specifically for this, assign wmigroup and domain computers to the access rights of the policy
- the Local Security Policy snap-in (
secpol.msc) for member servers, or
- the Default Domain Security Policy snap-in (
dompol.msc) if you wish to configure these settings domain-wide as a GPO, or
- the Default Domain Controller Security Settings snap-in (
dcpol.msc) if you wish to assign the rights only on domain controllers.
6. Once the snap-in is started, expand Security Settings, then Local Policies, and finally User Rights Assignment.
7. Assign your new group at least the following rights:
- Act as part of the operating system
- Log on as a service
- Replace a process level token
8. Exit the Policy Settings utility.
Distributed Component Object Model rights assignments
Now, you must configure DCOM security for wmigroup.
1. Run Component Services by selecting Start -> Administrative Tools -> Component Services.
2. Once there, expand Console Root, then Computers, and finally My Computer. Right-click on My Computer and select Properties…
3. In the window that appears, click on the COM Security tab.
4. Under Access Permissions, click Edit Limits.
5. Review that the Distributed COM Users group has all items checked under Allow.
6. (optional) Add the wmi group to this list and ensure that they have full Allow access as well.
Note: This step is not required, since the wmi group is a member of Distributed COM Users.
7. Once you’ve reviewed the presence of Distributed COM Users, or added the wmi group, click OK to save your changes and be returned back to the COM Security tab.
8. Now, under “Launch and Activation Permissions”, click Edit Limits.
9. Like with the “Access Permissions” window, you are presented with a list of groups and permissions. You need to make sure that the Distributed COM Users group has all items checked under Allow.
10. (optional) Add the wmi group here, and assign full Allow access.
Note: This step is not required, since the wmi group is already a member of Distributed COM Users.
11. Click OK to save your changes.
12. Exit the Component Services utility.
WMI namespace security assignments
Next, set WMI namespace security so that the wmi group has access to WMI objects.
1. From the Start menu, select Run…, and in the window that opens, type in wmimgmt.msc in the “Open:” field and click OK.
2. Once there, right-click on WMI Control (Local) and click Properties.
3. Click on the Security tab.
4. Click on the Security button at the bottom right of the window. This action edits the security settings for the Root WMI namespace.
5. You’ll now see a window that has the security settings for WMI on this machine. Click Advanced…
6. You’ll now see the Advanced security settings for this WMI namespace. Add the wmi group to the list, and give at least the following “Allow” permissions:
- Execute Methods
- Enable Account
- Remote Enable
- Read Security
Note: Make sure that these permissions apply to this namespace and all the namespaces under it. Do that by selecting This namespace and subnamespaces in the dropdown box above the permissions list window.
7. Click OK to save the new permissions.
8. Then, click OK again to exit out of the Advanced Security Settings.
9. Click OK a third time to exit the security properties.
please note that changes to the user will usually require a server reboot before these settings take effect.
WMI related Firewall ports for Opennms
The following ports should be opened if there are any firewalls between your monitoring system and your servers
DCOM Dynamic Range (5000-5100)
SMB (139 and 445)
Configuration of default port usage via GPO with Registry key
For added security of not having to deal with a dynamic range of ports that WMI use, you can limit it with this registry file, I recommend deploying this via GPO to ensure that all your servers have the same settings.
To set the default ports for all the servers via gpo a registry key file needs to be imported to all the machines
Windows Registry Editor Version 5.00
this registry key will set default ports as per MS article 217351
the KB recommends that a min of 100 ports above 5000 should be set for use, this registry key will set ports 5000-5100 for use on the systems.
to manually import this copy above lines into a .reg file and execute, for windows core create the file and run regedit /s blah.reg.
Hope this helps.