
Windows WSMAN Configuration tutorial

Introduction

WS-Management (Web Services-Management) is a DMTF open standard defining a SOAP-based protocol for managing servers, devices, applications and various web services. WS-Management provides a common way for systems to access and exchange management information across the IT infrastructure.

WinRM configuration

WSMAN configuration

On your Windows server, open PowerShell with administrator privileges and run the following commands. Enable WinRM and allow remote access:

winrm quickconfig

Enable basic authentication:

winrm s winrm/config/service/auth '@{Basic="true"}'

Firewall configuration

  • Open Server Manager

  • From the Tools menu select Windows Defender Firewall with Advanced Security

  • Click on Inbound Rules

  • Click on New Rule...

  • Click on Port, then Next

  • Enter the value 5986 in the field for Specific local ports and click on Next.

  • Check that Allow the connection is selected, then click Next.

  • On the next page, select the firewall profiles for which the rule should apply, and click Next.

  • On the next page, give the rule a name, and click Finish.

Create a self-signed certificate

Open PowerShell with administrator privileges and run the following command, replacing @HOSTNAME@ with the correct value.

New-SelfSignedCertificate -Subject 'CN=@HOSTNAME@' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

Copy the Thumbprint for the next step:

Create the WinRM HTTPS listener by replacing the values @HOSTNAME@ and @THUMBPRINT@ with the correct values.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="@HOSTNAME@";CertificateThumbprint="@THUMBPRINT@"}'

From here, you can monitor your Windows server by using the local administrator account.

We strongly discourage using an administrator account within Centreon.

Dedicated User configuration

This section describes how to configure a local user and minimum privileges to monitor your server.

Create user

Open a PowerShell with administrator privileges.

Create your user:

net user @USERNAME@ @PASSWORD@ /add

Group configuration

Open Computer Management and add your user into the following groups:

  • Distributed COM Users

  • Event Log Readers

  • Performance Log Users

  • Performance Monitor Users

  • Remote Management Users

WMI access configuration

In PowerShell, run the following command:

WMImgmt.msc

Right-click on WMI Control, then Properties:

Click on Security:

Select Root and click on Security:

Click on Add..., select the Remote Management Users group and set the following permissions:

  • Enable Account
  • Remote Enable

Click on Apply and OK

The permissions are not applied recursively, so you will have to repeat the previous process on each of the following namespaces:

  • Root
  • Root/CIMV2
  • Root/DEFAULT
  • Root/RSOP
  • Root/RSOP/Computer
  • Root/WMI
  • Root/CIMv2/Security/MicrosoftTpm

Click Apply and OK. Close the WMImgmt window.
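Because the WMI Control dialog has to be repeated per namespace, the following read-only check is useful before and after that work. It is an added example, not Centreon's own code, written for Windows PowerShell 5.1 (Invoke-WmiMethod is not available in PowerShell 7); the function name is hypothetical, and it assumes the group used above is the built-in Remote Management Users group.

```powershell
# Added check, not Centreon's own code: report which of the namespaces listed above already
# grant "Remote Management Users" both Enable Account and Remote Enable, so the WMI Control
# step can be repeated only where it is still missing. Read-only; run in an elevated prompt.
$rmuSid             = 'S-1-5-32-580'   # well-known SID of the Remote Management Users group
$WBEM_ENABLE        = 0x1              # "Enable Account" in the WMI Control dialog
$WBEM_REMOTE_ACCESS = 0x20             # "Remote Enable" in the WMI Control dialog
$required = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# The namespaces from the list above.
$namespaces = 'Root', 'Root/CIMV2', 'Root/DEFAULT', 'Root/RSOP', 'Root/RSOP/Computer',
              'Root/WMI', 'Root/CIMv2/Security/MicrosoftTpm'

function Test-WmiNamespaceAccess([string]$Namespace) {
    # __SystemSecurity.GetSecurityDescriptor returns the namespace DACL as Win32_ACE objects.
    $result = Invoke-WmiMethod -Namespace $Namespace.Replace('/', '\') `
                               -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($result.ReturnValue)" }

    $mask = 0
    foreach ($ace in $result.Descriptor.DACL) {
        # AceType 0 = ACCESS_ALLOWED; deny ACEs and other trustees are ignored by this check.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $rmuSid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    [pscustomobject]@{
        Namespace     = $Namespace
        EnableAccount = [bool]($mask -band $WBEM_ENABLE)
        RemoteEnable  = [bool]($mask -band $WBEM_REMOTE_ACCESS)
        Configured    = (($mask -band $required) -eq $required)
    }
}

foreach ($ns in $namespaces) {
    try   { Test-WmiNamespaceAccess $ns }
    catch { Write-Warning "$($ns): $($_.Exception.Message)" }
}
```

Any namespace reported with Configured = False still needs the Add... / Enable Account / Remote Enable steps above; a warning means the namespace could not be opened (it may not exist on that Windows version).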

Allow script execution

In PowerShell, run the following command:

winrm configSDDL default

Add the Remote Management Users group. Set the following rights:

  • Read (Get, Enumerate, Subscribe)
  • Execute (Invoke)

Click Apply and OK.

Grant permissions for services

Retrieve the user SID

Run the following command in PowerShell, replacing the value @USERNAME@ with the correct value.

wmic useraccount where name="@USERNAME@" get name,sid

Output:

Name        SID
@USERNAME@  S-1-5-21-3051596711-3341658857-577043467-1000

Retrieve current SDDL for Service Control Manager

From a Windows Command Prompt (cmd) run the following command:

sc sdshow scmanager

Your SDDL looks something like this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Modify SDDL

Copy this output and add the entry (A;;CCLCRPRC;;;@USERSID@) at the end of the D: section, just before the S: one.

In this example, the SDDL now looks like this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;CCLCRPRC;;;S-1-5-21-3051596711-3341658857-577043467-1000)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Set security credentials for accessing the Service Control Manager

In your Windows Command Prompt (cmd) run the following command, replacing @NEWSDDL@ with the correct value:

sc sdset scmanager "@NEWSDDL@"

In this example:

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;CCLCRPRC;;;S-1-5-21-3051596711-3341658857-577043467-1000)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
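Hand-editing the SDDL string from the Modify SDDL step is error-prone, so here is the same change as a PowerShell function that resolves the SID, inserts the ACE only if it is not already there, shows the decoded DACL for review and applies it only with -Apply. This is an added example, not Centreon's own code; the function name is hypothetical, and it assumes the user from the Create user step exists locally.

```powershell
# Added example, not Centreon's own code: build and (optionally) apply the scmanager SDDL for
# the dedicated user instead of editing the string by hand. Run in an elevated PowerShell.
# sc.exe is called explicitly because in PowerShell "sc" is an alias of Set-Content.
function Grant-ScmReadAccess {
    param(
        [Parameter(Mandatory)][string]$UserName,  # the @USERNAME@ created above
        [switch]$Apply                            # without -Apply only the new SDDL is shown
    )

    # Resolve the local account to its SID (the same value the wmic step returns).
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Read the current Service Control Manager descriptor; sc.exe prints it on one line.
    $current = & sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $current) { throw 'Could not read the scmanager SDDL; run as Administrator.' }
    $current = $current.Trim()

    # The ACE the page adds: CC = connect to the SCM, LC = enumerate services,
    # RP = query lock status, RC = read the descriptor. No create/start/stop rights.
    $ace = "(A;;CCLCRPRC;;;$sid)"

    if ($current -like "*;;;$sid)*") {
        Write-Host "An ACE for $UserName ($sid) is already present; leaving the SDDL unchanged."
        $new = $current
    } else {
        # Insert at the S: marker so the new ACE stays inside the D: (DACL) part.
        $i = $current.IndexOf('S:')
        if ($i -ge 0) { $new = $current.Insert($i, $ace) } else { $new = $current + $ace }
    }

    Write-Host "New SDDL:`n$new"
    # Decode the DACL so the grant can be reviewed before it is written.
    (ConvertFrom-SddlString -Sddl $new).DiscretionaryAcl | Where-Object { $_ -like "*$UserName*" }

    if ($Apply) {
        & sc.exe sdset scmanager $new
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    }
    return $new
}

# Preview only; add -Apply to write the descriptor (same effect as the sc sdset step above).
Grant-ScmReadAccess -UserName '@USERNAME@'
```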

From here, your dedicated user is operational and can monitor your Windows server without requiring the local Administrator account.