Extended Monitoring Guide


8. Configuring a Standalone Windows Device for a Non-Administrative Account

Monitoring Windows devices normally requires an account with Administrator-level privileges. Zenoss users who wish to use a non-administrative account must perform several additional configuration steps, either on each Windows device or by using a Group Policy.

Zenoss uses the Windows Management Instrumentation (WMI) feature to collect Event Log and Service information in the Core edition and modeling information when using the Enterprise edition. In the Enterprise edition, the remote Windows registry API is also used to collect low-level performance monitor ("PerfMon") statistics. Both of these Windows subsystems use the Microsoft Remote Procedure Call (MS-RPC) interface to connect to the Windows device and gather the appropriate information. MS-RPC handles the authentication on a per packet or per session basis, but ultimately the access granted is determined by the subsystems involved with serving the remote procedure calls.

  1. If the Windows Firewall is in use, modify it to allow Remote Administration access. This will open the MS-RPC port and others as needed. The following command entered in a Command Prompt can be used:

    netsh firewall set service RemoteAdmin enable

  2. On Windows XP, Simple File Sharing must be disabled for machines that are not located within a Domain. When this feature is enabled it causes all incoming MS-RPC connections to use the built-in Guest account, rather than the account credentials specified in the incoming call. This option may be found by going to Control Panel, opening the Folder Options applet and then choosing the View tab. In the Advanced Settings list, navigate to the bottom until you see the Use simple file sharing (Recommended) option and then disable it.

    Figure 50.1. Windows XP Disable Simple File Sharing

  3. Create a new local account on the Windows device for monitoring. We assume in the remainder of these steps that this account was named zenossmon but any valid account name can be used. Place the account only in the Users group and not in the Power Users or Administrators groups. Optionally, create a new user group for monitoring and use that group instead of the account in the remaining steps.

  4. Give the zenossmon account DCOM access by running the dcomcnfg utility.

    Figure 50.2. Component Services COM Security Settings

    1. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.

    2. In the My Computer Properties dialog box, click the COM Security tab.

    3. Under Access Permissions, click Edit Limits. In the Access Permission dialog box, add the zenossmon account to the list and ensure that the Remote Access checkbox is enabled, then click OK to close the dialog.

    4. Under Launch and Activation Permissions, click Edit Limits. In the Access Permission dialog box, add the zenossmon account to the list and ensure that the Remote Launch and Remote Activation checkboxes are enabled, then click OK to close the dialog.

    5. Click OK on the My Computer Properties dialog to save all changes.

  5. Give the zenossmon account permissions to read the WMI namespace by using WMI Control.

    Figure 50.3. WMI Control Properties

    1. Open the Start menu and right-click on My Computer. Select Manage from the menu.

    2. In the Computer Management dialog, expand the Services and Applications item and then right-click on WMI Control.

    3. In the WMI Control Properties dialog, click the Security tab.

    4. Expand the Root namespace, select the CIMV2 namespace folder and then click Security.

    5. In the Security for ROOT\CIMV2 dialog, add the zenossmon user to the list and ensure the Enable Account and Remote Enable checkboxes are enabled, then click OK to close the dialog.

    6. In the WMI Control Properties dialog click OK to close the dialog and save all changes.

  6. At this point in the process, remote access to WMI should be enabled and functioning. Test it by running the following command from the Zenoss server:

    wmic -U '.\zenossmon' //myhostname 'SELECT Name FROM Win32_ComputerSystem'

    If all is well, this command should return the remote system name as the response. If there is any error, carefully recheck the above steps to ensure all access has been properly granted.

  7. To gather Windows performance data from PerfMon, the monitoring user must be granted permissions on the winreg registry key by using regedit.

    Figure 50.4. regedit and the winreg Key

    1. Run regedit.

    2. Browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key.

    3. Right-click on the winreg key and choose Permissions.

    4. Add the monitoring user to the permissions list and grant only Read permissions.

  8. Give the zenossmon account access to read the Windows Event Log.

    Once the appropriate changes are made, test that Event Log access works with your zenossmon user by running the following from your Zenoss system:

    wmic -U '.\zenossmon' //myhostname \
    'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="Application"'

  9. If you are using SP1 or newer with Windows Server 2003, then you will need to allow non-administrative users to access the service control manager in order to monitor services.

    At a command prompt, run the following:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    Warning

    The above command should be one line.

    At this point you should be able to query Windows service status remotely using the non-administrative account. This can be tested by running the following from your Zenoss system:

    wmic -U '.\zenossmon' //myhostname 'SELECT Name FROM Win32_Service'
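
Added example (not part of the original Zenoss guide): a small Python decoder for the SCMANAGER security descriptor set in step 9. It shows which rights each DACL entry grants and checks that no non-privileged trustee receives state-changing rights. The helper names and the WRITE_MASK classification are assumptions of this example, and only two-letter SDDL right codes are handled.

```python
import re

# SDDL right codes -> access-mask bits (Windows SDK values)
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
              "KA": 0xF003F, "GA": 0x10000000}
# Meaning of those bits on the service control manager object
SCM_RIGHTS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
              0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
              0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
              0x10000: "DELETE", 0x20000: "READ_CONTROL",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
              0x10000000: "GENERIC_ALL"}
PRIVILEGED = {"SY", "BA"}  # Local System, built-in Administrators
# Assumption of this example: the rights treated as state-changing
WRITE_MASK = 0x2 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000

# The descriptor from step 9, joined onto one line
PAGE_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
             "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, mask)] for the DACL (D:) part only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        mask = 0
        for code in re.findall("..", rights):  # rights are two-letter codes
            mask |= RIGHT_BITS[code]
        aces.append((ace_type, trustee, mask))
    return aces

def describe(mask):
    """Names of the SCM rights set in an access mask."""
    return sorted(name for bit, name in SCM_RIGHTS.items() if mask & bit)

def risky_grants(sddl):
    """Allow ACEs that give state-changing rights to non-privileged trustees."""
    return [(t, describe(m & WRITE_MASK)) for kind, t, m in parse_dacl(sddl)
            if kind == "A" and t not in PRIVILEGED and m & WRITE_MASK]

if __name__ == "__main__":
    for kind, trustee, mask in parse_dacl(PAGE_SDDL):
        print(kind, trustee, hex(mask), describe(mask))
    print("risky:", risky_grants(PAGE_SDDL))
```

Decoding the descriptor shows that its first entry applies to Authenticated Users (AU) as a whole, not only to zenossmon, and grants connect, enumerate, query-lock-status and read-control rights.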