
Windows WSMAN Configuration tutorial

Introduction

WS-Management (Web Services-Management) is a DMTF open standard defining a SOAP-based protocol for managing servers, devices, applications and web services. It provides a common way for systems to access and exchange management information across the IT infrastructure. WinRM (Windows Remote Management) is Microsoft's implementation of WS-Management; this page configures it so that Centreon can query a Windows server over an HTTPS listener on TCP port 5986, using a dedicated non-administrator account.

WinRM configuration

WSMAN configuration

On your Windows server, open PowerShell with administrator privileges and run the following commands.

Enable WinRM and allow remote access. This starts the WinRM service, sets it to start automatically, creates an HTTP listener on TCP port 5985 and opens the matching firewall exception:

winrm quickconfig

Enable basic authentication. Basic credentials are only base64-encoded, so this is acceptable solely because they will travel over the HTTPS listener created below. Leave AllowUnencrypted at its default of false so that WinRM keeps rejecting Basic authentication over the plain HTTP listener:

winrm s winrm/config/service/auth '@{Basic="true"}'

Firewall configuration

Open an inbound rule for TCP port 5986, the port used by the HTTPS listener created below (winrm quickconfig only opened 5985, for HTTP):

  1. Open Server Manager.
  2. From the Tools menu, select Windows Defender Firewall with Advanced Security.
  3. Click on Inbound Rules.
  4. Click on New Rule....
  5. Click on Port, then Next.
  6. Enter the value 5986 in the field for Specific local ports and click on Next.
  7. Check that Allow the connection is selected, then click Next.
  8. On the next page, select the firewall profiles for which the rule should apply (only those on which the Centreon poller reaches the server), and click Next.
  9. On the next page, give the rule a name, and click Finish.

Create a self-signed certificate

Open PowerShell with administrator privileges and run the following command, replacing @HOSTNAME@ with the name the Centreon poller will use to reach the server. The extension sets the Server Authentication EKU, and the certificate is placed in the local machine store, which is where WinRM looks for it (the cmdlet's default is the current user's store, where the listener would not find it):

New-SelfSignedCertificate -Subject 'CN=@HOSTNAME@' -CertStoreLocation Cert:\LocalMachine\My -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

Copy the Thumbprint shown in the output for the next step.

Create the WinRM HTTPS listener, replacing @HOSTNAME@ and @THUMBPRINT@ with the correct values (@HOSTNAME@ must match the CN of the certificate):

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  '@{Hostname="@HOSTNAME@";CertificateThumbprint="@THUMBPRINT@"}'

Because the certificate is self-signed, the poller cannot validate it against a CA: either import it into the poller's trust store or configure the check to skip certificate validation, and renew it before it expires (the default validity is one year).
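The service, firewall, certificate and listener steps above as a single PowerShell script. This is an added example written for this page, not Centreon's own tooling. It assumes an elevated Windows PowerShell 5.1 session on the monitored server, that $HostName (a placeholder, defaulting to the local computer name) is the name the poller connects with, that the rule name 'WinRM HTTPS' is unused, and that the poller lives on a Domain or Private network. It goes one step further than the page by removing the plain HTTP listener that winrm quickconfig created, so only TCP/5986 answers.

```powershell
# Added example: WinRM over HTTPS end to end. Assumptions: elevated Windows
# PowerShell 5.1; $HostName (placeholder) is the name the Centreon poller uses.
$HostName = $env:COMPUTERNAME

# 1. Service: what 'winrm quickconfig' does (start WinRM, auto-start, HTTP
#    listener on 5985 plus its firewall exception). -q suppresses the prompts.
winrm quickconfig -q | Out-Null

# 2. Authentication: Basic is tolerable only over TLS, so keep AllowUnencrypted
#    false; WinRM then refuses Basic on any plain HTTP listener.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. Firewall: inbound TCP/5986, the same rule as the GUI steps. Restrict the
#    profiles (and ideally -RemoteAddress) to where the poller actually is.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Certificate: reuse a valid one for this host, otherwise create it in the
#    machine store (WinRM cannot use certificates from Cert:\CurrentUser).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Subject "CN=$HostName" -DnsName $HostName `
        -CertStoreLocation Cert:\LocalMachine\My `
        -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1' `
        -NotAfter (Get-Date).AddYears(2)      # default validity is one year
}

# 5. HTTPS listener bound to that thumbprint; recreate it if one already exists.
$https = @{ Address = '*'; Transport = 'HTTPS' }
if (Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $https -ErrorAction SilentlyContinue) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $https
}
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $https `
    -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# 6. Hardening beyond the page: drop the HTTP listener so only TCP/5986 answers.
$http = @{ Address = '*'; Transport = 'HTTP' }
if (Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $http -ErrorAction SilentlyContinue) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $http
}

# 7. Verify: exactly one listener (HTTPS, port 5986, expected thumbprint) and
#    the port accepting TCP connections.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
(Test-NetConnection -ComputerName localhost -Port 5986).TcpTestSucceeded
```

If step 7 prints more than one listener or a thumbprint other than the one just created, fix that before moving on: the Basic credentials configured in step 2 must never be able to reach a non-TLS listener.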

From here, you could monitor your Windows server with the local Administrator account, but we strongly discourage using an administrator account within Centreon: the credentials stored on the poller would give full control of the server to anyone who obtains them. The next section creates a dedicated account with the minimum privileges needed for monitoring.

Dedicated user configuration

This section describes how to configure a local user with the minimum privileges needed to monitor your server.

Create user

Open PowerShell with administrator privileges.

Create your user (the password given on the command line is visible on screen and in the command history, so clear the history afterwards or use a prompt instead):

net user @USERNAME@ @PASSWORD@ /add

Group configuration

Open Computer Management and add your user to the following groups:

  • Distributed COM Users
  • Event Log Readers
  • Performance Log Users
  • Performance Monitor Users
  • Remote Management Users
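The user and group steps above as a PowerShell script that also checks the result. This is an added example, not Centreon's own code. It assumes an elevated Windows PowerShell 5.1 session on Windows Server 2016 or later (the LocalAccounts cmdlets), that $UserName is a placeholder for the account name you chose, and that the HTTPS listener from the previous section is already up; the last check opens a session on it with Basic authentication.

```powershell
# Added example: create the monitoring account and its group memberships.
# Assumptions: elevated Windows PowerShell 5.1 on Windows Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts module); $UserName is a placeholder.
$UserName = 'centreon-mon'

$Groups = @(
    'Distributed COM Users',
    'Event Log Readers',
    'Performance Log Users',
    'Performance Monitor Users',
    'Remote Management Users'
)

# The password is read as a SecureString, so it never appears on the command
# line or in the console history, unlike 'net user <name> <password> /add'.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $pw `
        -Description 'Centreon monitoring account (WinRM, read-only)' `
        -PasswordNeverExpires | Out-Null     # adjust to your password policy
}

# Membership is added only where missing, so the script can be re-run safely.
foreach ($g in $Groups) {
    $member = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }
    if (-not $member) { Add-LocalGroupMember -Group $g -Member $UserName }
}

# Check 1: least privilege. The account must not be a local Administrator.
if (Get-LocalGroupMember -Group Administrators | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }) {
    Write-Warning "$UserName is in Administrators; remove it before using it for monitoring."
}

# Check 2: every required group is present.
foreach ($g in $Groups) {
    $ok = Get-LocalGroupMember -Group $g | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }
    '{0,-26} {1}' -f $g, $(if ($ok) { 'OK' } else { 'MISSING' })
}

# Check 3: the account can open a WinRM session on the HTTPS listener with
# Basic authentication. -SkipCACheck/-SkipCNCheck only because the certificate
# is self-signed; a poller that trusts the certificate must not skip them.
$cred = Get-Credential -UserName "$env:COMPUTERNAME\$UserName" -Message 'Monitoring account password'
$opt  = New-PSSessionOption -SkipCACheck -SkipCNCheck
Invoke-Command -ComputerName $env:COMPUTERNAME -Port 5986 -UseSSL -Authentication Basic `
    -Credential $cred -SessionOption $opt -ScriptBlock { whoami }
```

Check 3 succeeds once the account is in Remote Management Users, because that group is allowed on the default PowerShell session configuration; the WMI and service permissions in the next sections are still needed for the actual monitoring queries.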

WMI access configuration

In PowerShell, run the following command to open the WMI Control console:

wmimgmt.msc

Right-click on WMI Control, then on Properties.

Click on the Security tab.

Select Root and click on Security.

Click on Add..., select the Remote Management Users group and allow the following permissions (nothing more; in particular no Execute Methods, Full Write or Edit Security):

  • Enable Account
  • Remote Enable

Click on Apply and OK.

The permissions are not applied recursively, so you will have to repeat the previous process on each of the following namespaces (Root/CIMV2/Security/MicrosoftTpm only exists on hosts with a TPM):

  • Root
  • Root/CIMV2
  • Root/DEFAULT
  • Root/RSOP
  • Root/RSOP/Computer
  • Root/WMI
  • Root/CIMV2/Security/MicrosoftTpm

Click Apply and OK. Close the WMI Control window.
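The same namespace permissions granted through the WMI __SystemSecurity class instead of clicking through wmimgmt.msc seven times. This is an added example, not Centreon's own code; it assumes an elevated Windows PowerShell 5.1 session (Invoke-WmiMethod and the Win32_Ace/Win32_Trustee classes) and grants exactly the two rights above, without inheritance, so the result matches the GUI procedure.

```powershell
# Added example: grant 'Enable Account' + 'Remote Enable' on the namespaces
# listed above to Remote Management Users through the WMI __SystemSecurity
# class (what wmimgmt.msc does per namespace). Assumptions: elevated Windows
# PowerShell 5.1 (Invoke-WmiMethod, Win32_Ace, Win32_Trustee).
$Namespaces = @(
    'root', 'root/CIMV2', 'root/DEFAULT', 'root/RSOP', 'root/RSOP/Computer',
    'root/WMI', 'root/CIMV2/Security/MicrosoftTpm'
)

# BUILTIN\Remote Management Users resolves to the well-known SID S-1-5-32-580.
$acct = New-Object System.Security.Principal.NTAccount('Remote Management Users')
$Sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

$WBEM_ENABLE        = 0x01     # "Enable Account" in the GUI
$WBEM_REMOTE_ACCESS = 0x20     # "Remote Enable"  in the GUI
$ACCESS_ALLOWED_ACE = 0x00
$Mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

function Get-WmiNamespaceSd([string]$Namespace) {
    # Win32_SecurityDescriptor of the namespace (its DACL is an array of Win32_Ace).
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($r.ReturnValue)" }
    return $r.Descriptor
}

function Grant-WmiNamespaceAccess([string]$Namespace, [string]$SidString, [int]$AccessMask) {
    $sd = Get-WmiNamespaceSd $Namespace
    # Idempotent: an allow ACE for this SID that already covers the mask means no change.
    $have = $sd.DACL | Where-Object {
        $_.AceType -eq $ACCESS_ALLOWED_ACE -and $_.Trustee.SIDString -eq $SidString -and
        (($_.AccessMask -band $AccessMask) -eq $AccessMask)
    }
    if ($have) { return 'already granted' }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $SidString
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0                 # this namespace only, as in the GUI;
                                        # 0x2 (CONTAINER_INHERIT_ACE) would propagate
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($r.ReturnValue)" }
    return 'granted'
}

foreach ($ns in $Namespaces) {
    try   { '{0,-40} {1}' -f $ns, (Grant-WmiNamespaceAccess $ns $Sid $Mask) }
    catch { '{0,-40} skipped ({1})' -f $ns, $_.Exception.Message }   # e.g. no TPM namespace
}

# Verify: print every ACE naming the group; expect mask=0x21 on each namespace.
foreach ($ns in $Namespaces) {
    try {
        (Get-WmiNamespaceSd $ns).DACL | Where-Object { $_.Trustee.SIDString -eq $Sid } |
            ForEach-Object { '{0,-40} mask=0x{1:X} flags={2}' -f $ns, $_.AccessMask, $_.AceFlags }
    } catch { }
}
```

A mask other than 0x21 in the verification output means the group already held extra rights on that namespace (for example 0x13 = Enable Account, Execute Methods and Full Write); review those before relying on the account as read-only.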

Allow script execution

In PowerShell, run the following command. It opens the permissions dialog for the WinRM root resource (the RootSDDL), the default access control list applied to WinRM resources:

winrm configSDDL default

Add the Remote Management Users group and grant it only the following rights (no Write or Full Control):

  • Read(Get,Enumerate,Subscribe)
  • Execute(Invoke)

Click Apply and OK.

Grant permissions for services

Retrieve the user SID

Run the following command in PowerShell, replacing @USERNAME@ with the correct value (wmic is deprecated and may be missing on recent Windows releases; any other way of reading the account's SID gives the same value):

wmic useraccount where name="@USERNAME@" get name,sid

Output:

Name        SID
@USERNAME@  S-1-5-21-3051596711-3341658857-577043467-1000

Retrieve current SDDL for Service Control Manager

From a Windows Command Prompt (cmd), run the following command (in PowerShell, sc is an alias for Set-Content, so call sc.exe explicitly there). Keep a copy of the output: it is what you will restore if the new descriptor turns out to be wrong.

sc sdshow scmanager

Your SDDL looks something like this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Modify SDDL

Copy this output and add the following ACE at the end of the D: section, just before the S: one: (A;;CCLCRPRC;;;@USERSID@). On the Service Control Manager these rights mean Connect (CC), Enumerate services (LC), Query lock status (RP) and Read control (RC): read-only access to the list of services, the same level the built-in Interactive and Service users already have in the example, with no right to start, stop or reconfigure a service.

In this example, the SDDL is now looking like this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;CCLCRPRC;;;S-1-5-21-3051596711-3341658857-577043467-1000)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Set security credentials for accessing the Service Control Manager

In your Windows Command Prompt (cmd) run the following command, replacing @NEWSDDL@ with the correct value:

sc sdset scmanager "@NEWSDDL@"

In this example:

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;CCLCRPRC;;;S-1-5-21-3051596711-3341658857-577043467-1000)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

Run sc sdshow scmanager once more to confirm that the new ACE is present. Your dedicated user is now working and can monitor your Windows server without requiring a local Administrator account.
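The two manual SDDL edits above ("Allow script execution" on the WinRM RootSDDL, and the Service Control Manager ACE in this section) done with one helper that parses the descriptor, appends the access-allowed ACE and re-serialises it, so a typo is caught before sc.exe or WinRM sees it. This is an added example, not Centreon's own code. It assumes an elevated Windows PowerShell 5.1 session and that $UserName is a placeholder for the account created earlier. Note that .NET re-spells the descriptor it emits (full SIDs instead of aliases such as BA, and combined rights as hex such as 0x20015 instead of CCLCRPRC); the result is semantically identical and both spellings are accepted by sc.exe and WinRM.

```powershell
# Added example: append an allow ACE to an SDDL string and apply it to the
# WinRM RootSDDL and to the Service Control Manager. Assumptions: elevated
# Windows PowerShell 5.1; $UserName (placeholder) is the account created above.
$UserName = 'centreon-mon'

function Add-AllowAce([string]$Sddl, [string]$SidString, [int]$AccessMask) {
    # Parsing the SDDL first means a typo fails here, not inside sc.exe or WinRM.
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $sid  = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $dacl = $sd.DiscretionaryAcl
    foreach ($ace in $dacl) {
        # Idempotent: an allow ACE for this SID already covering the mask means no change.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $sid.Value -and
            (($ace.AccessMask -band $AccessMask) -eq $AccessMask)) {
            return $Sddl
        }
    }
    $new = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $AccessMask, $sid, $false, $null)
    $dacl.InsertAce($dacl.Count, $new)   # appended, like the manual edit; order is
                                         # irrelevant in an allow-only DACL
    # .NET renders combined rights as hex (0x20015 rather than CCLCRPRC) and SIDs
    # in full; sc.exe and WinRM accept both spellings.
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# 1. "Allow script execution": Read (GR) + Execute (GX) on the WinRM root
#    resource for BUILTIN\Remote Management Users (S-1-5-32-580).
$GR = [int]::MinValue      # GENERIC_READ    = 0x80000000, as a signed Int32
$GX = 0x20000000           # GENERIC_EXECUTE
$rootSddl = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
$newRoot  = Add-AllowAce -Sddl $rootSddl -SidString 'S-1-5-32-580' -AccessMask ($GR -bor $GX)
if ($newRoot -ne $rootSddl) { Set-Item WSMan:\localhost\Service\RootSDDL -Value $newRoot }

# 2. Service Control Manager: CC LC RP RC for the dedicated user, i.e.
#    SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | READ_CONTROL
$scmMask = 0x0001 -bor 0x0004 -bor 0x0010 -bor 0x20000    # = 0x20015 = CCLCRPRC
$acct    = New-Object System.Security.Principal.NTAccount($UserName)
$userSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
# 'sc' alone is the Set-Content alias in PowerShell; always call sc.exe.
$scmSddl = (sc.exe sdshow scmanager | Where-Object { $_ -match '^[ODGS]:' }).Trim()
$backup  = "$env:TEMP\scmanager-sddl-before.txt"
Set-Content -Path $backup -Value $scmSddl            # keep the original for rollback
$newScm  = Add-AllowAce -Sddl $scmSddl -SidString $userSid -AccessMask $scmMask
if ($newScm -ne $scmSddl) { sc.exe sdset scmanager $newScm }

# Verify: both ACLs now name the SID. Rollback if needed:
#   sc.exe sdset scmanager (Get-Content $backup)
(Get-Item WSMan:\localhost\Service\RootSDDL).Value -match 'S-1-5-32-580|;RM\)'
(sc.exe sdshow scmanager) -match [regex]::Escape($userSid)
```

The helper refuses nothing it is asked to add, so the masks passed to it are the whole security decision: GR|GX on the root resource and 0x20015 on the SCM are the read-only sets the two sections above describe, and anything wider (GA, or WP/DC on the SCM) would let the monitoring account change WinRM settings or services.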