• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 868
  • Last Modified:

Lock down WMI information

We have a company that wants to monitor primarly security events and etc of all servers in our domain.
They also want to pull all WMI information from all the servers and send to their appliance\application\server.

I want to know is there a way to filter what WMI information they get on our servers, and limit to only what they need. security event logs. I do not want them to have all WMI information.
Can we filter this to only the service account we create
Can we do this via a GPO
I need help restricting this company of what WMI information they see on our servers.
I dont want them seeing everything.
Thanks in advance

3 Solutions
Rather than allowing them any access to extract the data, could you look at simply providing them the "relevant" data?

WMI security is provided at the namespace level. Event log data is provided by the Win32_NTLogEventLog WMI class which is in the root/cimv2 namespace. You can set a security descriptor (with a user account) on the namepace, but not at the level of the class. And even if you could, that would apply to all event logs and not just the security log.

I think the only way to do what you want is as Psy053 says, proxy the access on the external company's behalf. You could write whatever WMI query(s) you like and wrap that up in some sort of IPC mechanism - perhaps a web service.
IndyrbAuthor Commented:
The system that they use, pulls the information automatically per say. So me handing off only relevant data, would probably be a huge feat.

I am confused. How would you set a security descriptor on a namespace and tie it to a user account.
I am new to WMI so I need further explanation.
Thank you
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

1. Open the Computer Management MMC from Control Panel/Administrative Tools
2. Connect to whichever computer you want.
3. Expand the Services and Applications node, right click WMI Control and select Properties.
4. Expand the root node and select the CIMV2 node.
5. Click the Security button and set the user permissions you need.
IndyrbAuthor Commented:
Can you do this via a GPO?
Good article on MSDN about how to do this:

I've tried it and it works perfectly..
Ted BouskillSenior Software DeveloperCommented:
Pulling the information for them is trivial using a free tool called Log Parser from Microsoft or using PowerShell.  If their application lacks flexibility it might not be able to handle the permission denied response if the do lock the other logs from them.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now