WMI (Windows Management Instrumentation) is the nice automation technology that allows local users to query most system tables (WMI classes) for load of useful information. But. By default, remote access to WMI is enabled for members of local Administrators group only.
It is just like with admin shares (C$, Admin$). Although they are shared by default, only members of local Administrators are allowed remote access. It is a matter of default security. If something is open by default, rather not allow regular users to connect too easily.
In secure environments with separated administrative roles, on the other hand, it is often required to have the remote connection options even for less powerful accounts.
How to do it? WMI is just a DCOM server. Note that we are enabling this on a domain member servers for some domain users who will work as WMI operators.
- select some or create a new AD domain group for the users that will have access. In my example, I have created group called Remote WMI Operators.
- on the target servers, verify that the group has been granted Access this computer from network user right. You can do it by using the Local Security Policy console and its User Rights Assignment node. This setting is just the first filter that our operators must pass before they are allowed access to the WMI DCOM server.
- still on the target servers, open Component Services console, expand Component Services / Computers / My Computer, right-click the My Computer node and select Properties
- once you are in the My Computer Properties dialog box, switch to the Default Properties tab and verify that the Enable Distributed COM on this computer checkbox is enabled. If it is not enabled, just enable it :-)
- still in the My Computer Properties dialog box, switch to the COM Security tab. Click the second Edit Limits button which you will find in the Launch and Activation Permissions section
- click the Add button and add your custom AD group (in my case it is the Remote WMI Operators group)
- enable all the checkboxes for your group - it should be Allow for Local Launch, Remote Launch, Local Activation, Remote Activation. What we have just done? This is the second filter that the users must pass on their way from network to the local WMI DCOM service.
- Apply the settings and close the My Computer Properties dialog box
- now expand the DCOM Config sub-node and find the WMI DCOM server which name is exactly Windows Management and Instrumentation. And open its Properties.
- in the Windows Management and Instrumentation Properties dialog box switch to the Security tab
- click the first Edit button in the section called Launch and Activation Permissions. Once again add your Remote WMI Operators group and enable all the checkboxes in the Allow column - I mean, Allow to Local Launch, Remote Launch, Local Activation, Remote Activation. Now we passed the third barrier that stays in front of the remote WMI server. With this, you have free access to the DCOM server. But not further.
- Apply everything and close the Component Services console.
- open Computer Management console (you can try the magic Win-X key on Windows 2012), expand the Services - WMI Control node and open its Properties.
- once there, switch to the Security tab. You can investigate the whole WMI namespaces tree. The most often used namespace is actually CIMv2, but we can also enable access to the whole tree by configuring the Root node only
- open Properties dialog box of the Root namespace node. Click Advanced button and Add you Remote WMI Operators group.
- in regard to the permissions that you need to assign to your group, you must Allow them the Remote Enable permission. In all, your group should have Execute Methods, Provider Write, Enable Account and Remote Enable, but the others are granted to Authenticated Users anyway, so why bother. The last one, Remote Enable, is actually the one flag, that makes the magic.
- don't forget about the ACE inheritance. Verify that the Apply to field specifies the This namespace and subnamespaces. This way, your ACE entry will propagate down to all inheriting subnamespaces automatically.
- Apply everything and try you magic. You can try it with MSINFO32 tool from a remote machine. Just click the View menu item and specify your target server in the Remote Computer dialog box.
To wrap it, you can also take a look at some pictures which may make the whole precedure a bit clearer:
... and that's all folks.
Except if you were interested in WMI auditing.