WMI permissions

Hi
I have a very specific issue of permissions on WMI. I am reading the shares off a Domain Controller using WMI (Win32_Share management class). I can read the basic share details once the "Remote Enable" is enabled on the WMI Control. However we can still not read the share PATH even with full permissions within WMI Control and DCOM within Component Services. Once the user I am logged in as is a member of the Builtin Administrators, I can read the path.
How can I read the share path with lesser permissions than Builtin administrators and without having to submit an administrator username and password with the WMI request (as storing this compromises security)? The only suggestion we have so far is that the permissions must be via a local administrator, but this appears to be membership of "administrators" on a domain controller.
ConorMcEntee Asked:

Rich Rumble (Security Samurai) Commented:
What is your connection string like?

 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
 Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Share",, 48)

or is it more like
 Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMV2")

?
-rich
ConorMcEntee (Author) Commented:
Hi Rich, Both is the answer - the permission issue exists either way. However, we are doing it in VB.NET and not script, so it looks more like the following:

For the SELECT *
Dim query As New SelectQuery("Select * From Win32_Share")
MOSearcher = New ManagementObjectSearcher(MScope, query)
Dim MOCol As ManagementObjectCollection
MOCol = MOSearcher.Get()

or as a simple ManagementObjectCollection
MC = New ManagementClass("\\" & RemotePC & "\root\cimv2:Win32_Share")
MyManagementObjectCollection = MC.GetInstances()

and the same thing with impersonation looks a bit like
options = New System.Management.ConnectionOptions
options.Username = AdminName
options.Password = AdminPassword
PathSTR = "\\" & RemotePC & "\root\cimv2:Win32_Share"
MPath = New System.Management.ManagementPath(PathSTR)
MyManagementScope = New System.Management.ManagementScope(MPath, options)
MyManagementScope.Connect()
MOpt = New System.Management.ObjectGetOptions()
MC = New ManagementClass(MyManagementScope, MPath, MOpt)
MyManagementObjectCollection = MC.GetInstances()

I can work with either approach to resolve the issue
Rich Rumble (Security Samurai) Commented:
Try using the Scriptomatic, or the code below, to see if the VBScript works; I don't know VB.NET.
Replace "ip.ip.ip.ip" with an IP that you use.
I've tried it on various DCs and hosts and it works just fine for our environment.
I've looked around and there does appear to be a bug with win2k8 in a failover cluster when using Win32_Share; perhaps this is your situation?
http://support.microsoft.com/kb/971403
Basically there is a new WMI provider that should be used against such hosts:
Win32_ClusterShare
-rich
strComputer = "ip.ip.ip.ip"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
For each objShare in colShares
    Wscript.Echo "AllowMaximum: " & vbTab &  objShare.AllowMaximum   
    Wscript.Echo "Caption: " & vbTab &  objShare.Caption   
    Wscript.Echo "MaximumAllowed: " & vbTab &  objShare.MaximumAllowed
    Wscript.Echo "Name: " & vbTab &  objShare.Name   
    Wscript.Echo "Path: " & vbTab &  objShare.Path   
    Wscript.Echo "Type: " & vbTab &  objShare.Type   
Next

ConorMcEntee (Author) Commented:
Hi Rich
Using Scriptomatic2, the results can indeed be replicated and are as follows:

With the logged on user as a domain administrator, we get the path (and type), i.e.
----------------------------------------------------------------
AccessMask:
AllowMaximum: True
Caption: Instructor12
Description:
MaximumAllowed:
Name: Instructor12
Path: D:\Training\Tutors\Cover\Instructor12
Status: OK
Type: 0
----------------------------------------------------------------

With someone who is not a member of Builtin Administrators (once WMI permissions have been set to Remote Enable), we get the following, i.e. no Path (or Type)
----------------------------------------------------------------
AccessMask:
AllowMaximum:
Caption: NightInstructor12
Description:
MaximumAllowed:
Name: NightInstructor12
Path:
Status: OK
Type:
----------------------------------------------------------------

It seems very easy to replicate as this is the case on other domain controllers.
So the question is what lesser permissions (than Builtin Administrators) can we use to access WMI on a Domain Controller?

Conor.
Rich Rumble (Security Samurai) Commented:
I see, WMI practically requires Admin rights for most things to work. You can adjust WMI permissions.
Use wmimgmt.msc; you can connect to the local computer (default, naturally) or a remote computer... right-click WMI Control -> Properties -> Security (tab)
root->cimv2
with cimv2 highlighted, click security
You'll see authenticated users only have so many rights, and obviously they need more, or you can add a user to the list with more permissions. We always use an account that has local/admin rights to read wmi, but we deny that user interactive logon so it can only be used in scripts.
This explains the permissions available to the users better:
http://technet.microsoft.com/en-us/library/cc787533%28WS.10%29.aspx

Without editing the MOF database, I don't know how one gets more granular than that... M$ and most everyone else assumes you're using Admin for reading and writing to WMI. It's an assumption that M$ has made many times over. I wish there were another way, but I know of none...
-rich
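
The namespace ACL that the Security tab in wmimgmt.msc shows can also be read from a script, which helps when auditing who holds "Remote Enable" on root\cimv2 across several servers. This is an added example, not code from the thread's participants; the function name Get-WmiNamespaceAcl is hypothetical, and it assumes Windows PowerShell 3.0 or later on an admin workstation and an account with "Read Security" on the target namespace.

```powershell
# Added example: list who holds which WMI rights on a namespace (the same
# data shown in wmimgmt.msc -> Security). Read-only; it changes nothing.
param(
    [string]$ComputerName = '.',          # assumption: target host, '.' = local
    [string]$Namespace    = 'root\cimv2'
)

# WMI namespace access-mask bits (WBEM constants).
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function Get-WmiNamespaceAcl {
    param([string]$ComputerName, [string]$Namespace)

    # __SystemSecurity.GetSD returns the namespace security descriptor as bytes.
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                               -Path '__SystemSecurity=@' -Name GetSD
    if ($result.ReturnValue -ne 0) {
        throw "GetSD failed on $Namespace (ReturnValue $($result.ReturnValue))"
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList ([byte[]]$result.SD), 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }      # unresolvable SID: show it raw

        $granted = $Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] }
        New-Object PSObject -Property @{
            Principal    = $name
            AceType      = $ace.AceType
            RemoteEnable = [bool]($ace.AccessMask -band 0x20)
            Rights       = ($granted -join ', ')
        }
    }
}

Get-WmiNamespaceAcl -ComputerName $ComputerName -Namespace $Namespace |
    Sort-Object Principal | Format-Table Principal, AceType, RemoteEnable, Rights -AutoSize
```

Any non-administrative principal listed with RemoteEnable set to True is an account that can connect to the namespace remotely, so the output doubles as a review list after delegating access.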
ConorMcEntee (Author) Commented:
It seems like your answer is as good a solution as there is until M$ (I'll borrow your naming convention) reconsider the area.
The account does have to be a local/admin as you point out. However, on a Domain Controller (as is the case here - Server 2003), there is no such feature as MyComputer->Manage->LocalUsers&Groups etc. Any googling of the area indicates that membership of Builtin-Administrators (or Domain Admins) is the nearest option.
So putting your suggestion into practise means making the user a member of this group, and then trying to override some other AD powers such as interactive logon (and perhaps some restrictions within WMI itself such as readonly).
Does this sound like what you are doing at the moment?
Conor

Rich Rumble (Security Samurai) Commented:
Yes, that is what we are doing. DCs don't have "local" groups as AD is "local" to them; built-in is the way to go there. You can use a scheduled task to run as System on a DC as well...
Best practice from a security perspective is to create a new user, allow them to the Root and/or CIMV2 namespace, and not put them in the domain-admin group. This is what we are moving to, but for now we are using the less secure method of a "locked down" domain admin account.
You can do this via GPO to help get this out to all assets in AD: http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx
I'll let you know if I find a better way :)
-rich

Rich Rumble (Security Samurai) Commented:
I just found: http://technet.microsoft.com/en-us/library/cc738214%28WS.10%29.aspx
I haven't read it all yet, but there may yet be some added wmi/com security!
You may also want to look at the dcomcnfg.exe
http://blogs.technet.com/b/askperf/archive/2007/08/14/wmi-troubleshooting-permissions.aspx
-rich
LeeTutor (retired) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.