When using a custom sensor, I want to use PowerShell's CIM sessions to query information from a remote computer, but I do not want to require the Windows username/password combo to be an administrator for the remote system.


Article Comments

I have figured it out for Windows 2012 R2 (it may work on 2012):

1. Download PowerShellAccessControl Module from https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83

2. Copy PowerShellAccessControl to C:\Program Files\WindowsPowerShell\Modules

3. Open the WMI Control MMC snap-in. Grant 'WinRMRemoteWMIUsers__' Execute Methods, Enable Account, Remote Enable for Root and all sub namespaces.

4. To enable remote access to SCMANAGER database, run the following from an elevated command prompt:

   sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)

5. Run in an elevated PowerShell session (as SYSTEM, psexec -i -s Powershell.exe):

  1. Add ACE to service DACL to enable remote WMI over WinRM:

     Get-Service | Get-SecurityDescriptor | Add-AccessControlEntry -Principal "Authenticated Users" -ServiceAccessRights Start,Read -Apply -Force

Now you can use a Custom Sensor leveraging PowerShell Remoting (WinRM):

Custom Sensor settings

• Parameters: -RemoteHost:%host -Domain:%windowsdomain -Username:%windowsuser -Password:%windowspassword

• Security Context: Use windows credentials of parent device


May, 2015 - Permalink
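Added example, not part of the original answer: a PowerShell function that decodes the SCMANAGER SDDL string from step 4 into per-trustee access rights, so the effect of the change can be reviewed before it is applied. The function name ConvertFrom-ScmSddl and both lookup tables are this example's own; the tables cover the SCM-specific right codes and only the SID aliases that appear in the step 4 string.

```powershell
# Added example, not from the original answer. ConvertFrom-ScmSddl is a hypothetical helper name.
# SDDL two-letter rights as they map onto Service Control Manager access masks (winsvc.h).
$ScmRights = @{
    CC = 'SC_MANAGER_CONNECT';           DC = 'SC_MANAGER_CREATE_SERVICE'
    LC = 'SC_MANAGER_ENUMERATE_SERVICE'; SW = 'SC_MANAGER_LOCK'
    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'; WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    RC = 'READ_CONTROL';                 KA = 'SC_MANAGER_ALL_ACCESS'
}
# SDDL SID aliases used in the step 4 string.
$SidAliases = @{
    AU = 'Authenticated Users'; IU = 'Interactive';            SU = 'Service logon users'
    SY = 'Local System';        BA = 'Builtin Administrators'; AC = 'All Application Packages'
}

function ConvertFrom-ScmSddl {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # Decode the DACL only: the run of (...) ACEs after "D:" and its optional flags.
    if ($Sddl -cnotmatch 'D:[A-Z]*(?<aces>(\([^)]*\))+)') {
        throw 'No DACL found in SDDL string.'
    }
    foreach ($ace in [regex]::Matches($Matches['aces'], '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -ne 6) { throw "Malformed ACE: $($ace.Value)" }

        $rights = if ($f[2] -like '0x*') {
            $f[2]    # numeric access mask, reported as written
        } else {
            foreach ($code in [regex]::Matches($f[2], '[A-Z]{2}')) {
                if ($ScmRights.ContainsKey($code.Value)) { $ScmRights[$code.Value] }
                else { "unmapped($($code.Value))" }
            }
        }
        [pscustomobject]@{
            Type    = if ($f[0] -eq 'A') { 'Allow' } elseif ($f[0] -eq 'D') { 'Deny' } else { $f[0] }
            Trustee = if ($SidAliases.ContainsKey($f[5])) { $SidAliases[$f[5]] } else { $f[5] }
            Rights  = @($rights) -join ', '
        }
    }
}

# The string from step 4 of the answer above.
$step4 = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)'
ConvertFrom-ScmSddl -Sddl $step4 | Format-Table -AutoSize -Wrap

# To decode the descriptor currently in place, feed in the output of: sc.exe sdshow scmanager
```

Because sc sdset replaces the whole security descriptor, saving the output of sc.exe sdshow scmanager first gives you the prior value to compare against or restore.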

Hi Aaron!

Thanks for sharing the knowledge! :)

Best,
Stephan


May, 2015 - Permalink