Pre-Requisites
Administrator access to each Windows server you want to configure.
Applies To
- Zenoss 2.x
- Zenoss 3.x
Summary
Monitoring Windows devices normally requires an account with Administrator level privileges. For the Zenoss user that wishes to use a non-administrative account several additional configuration steps must be performed on each Windows device, or by using a Group Policy.
Zenoss uses the Windows Management Instrumentation (WMI) feature to collect Event Log and Service information in the Core edition and modeling information when using the Enterprise edition. In the Enterprise edition, the remote Windows registry API is also used to collect low-level performance monitor ("PerfMon") statistics. Both of these Windows subsystems use the Microsoft Remote Procedure Call (MS-RPC) interface to connect to the Windows device and gather the appropriate information. MS-RPC handles the authentication on a per packet or per session basis, but ultimately the access granted is determined by the subsystems involved with serving the remote procedure calls.
Procedure
Configuring a Standalone Windows Device for a Non-Administrative Account
1. Firewall
If the Windows Firewall is in use, modify it to allow Remote Administration access. This will open the MS-RPC port and others as needed. The following command entered in a Command Prompt can be used:
netsh firewall set service RemoteAdmin enable
2. File Sharing
On Windows XP, Simple File Sharing must be disabled for machines that are not located within a Domain. When this feature is enabled it causes all incoming MS-RPC connections to use the built-in Guest account, rather than the account credentials specified in the incoming call. This option may be found by going to Control Panel, opening the Folder Options applet and then choosing the View tab. In the Advanced Settings list, navigate to the bottom until you see the Use simple file sharing (Recommended) checkbox and then disable it.
3. Local Account or Group
Create a new local account on the Windows device for monitoring. We assume in the remainder of these steps that this account was named zenossmon but any valid account name can be used. Place the account only in the Users group and not in the Power Users or Administrators groups. Optionally, create a new user group for monitoring and use that group instead of the account in the remaining steps.
4. DCOM Access
Give the zenossmon account DCOM access by running the dcomcnfg utility. See http://msdn.microsoft.com/en-us/library/aa393266.aspx for more details.
- In the Component Services dialog box:
- Expand Component Services
- Expand Computers
- Right-click My Computer
- Click Properties to display the My Computer Properties dialog
- In the My Computer Properties dialog box:
- Click the COM Security tab
- Under Access Permissions, click Edit Limits to display the Access Permission dialog
- In the Access Permission dialog box:
- Add the zenossmon account to the list
- Ensure that the Remote Access checkbox is enabled
- Click OK to save and close the dialog
- Under Launch and Activation Permissions:
- Click Edit Limits
- In the Access Permission dialog box, add the zenossmon account to the list
- Ensure that the Remote Launch and Remote Activation checkboxes are enabled
- Click OK to save and close the dialog
- Click OK on the My Computer Properties dialog to save all changes.
5. WMI Namespace
Give the zenossmon account permissions to read the WMI namespace by using WMI Control. See http://technet.microsoft.com/en-us/library/cc787533.aspx for more details.
- Open the Start menu:
- Right-click on My Computer
- Select Manage from the menu to display the Computer Management dialog
- In the Computer Management dialog:
- Expand the Services and Applications item
- Right-click on WMI Control to launch the WMI Control Properties dialog
- In the WMI Control Properties dialog:
- Click the Security tab
- Expand the Root namespace
- Select the CIMV2 namespace folder
- Click Security to display the Security for Root\CIMV2 dialog
- In the Security for ROOT\CIMV2 dialog:
- Add the zenossmon user to the list
- Ensure the Enable Account and Remote Enable checkboxes are enabled
- Click OK to save and close the dialog
- In the WMI Control Properties dialog click OK to close the dialog and save all changes.
6. Test
At this point in the process remote access to WMI should be enabled and functioning. Test it by running the following command from the Zenoss server:
wmic -U '.\zenossmon' //myhostname 'SELECT Name FROM Win32_ComputerSystem'
If all is well this command should return the remote system name as the response. If there is any error, carefully recheck the above steps to ensure all access has been properly granted.
7. Performance Data
To gather Windows performance data from PerfMon permissions on the winreg registry key must be granted to our monitoring user by using regedit. See http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 for more details.
- Run regedit.
- Browse to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
- Right-click on the winreg key and choose Permissions.
- Add the monitoring user to the permissions list
- Grant only Read permissions.
While still in edit you must also grant the zenossmon user read access to performance counters.
- Browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
- Right-click on the Perflib key and choose Permissions.
- Add the monitoring user to the permissions list and grant only Read permissions.
8. Windows 2003 and Later
If this is Windows 2003 or later you must also be sure to add the zenossmon user to the Performance Monitor Users group.
9. Event Log
Give the zenossmon account access to read the Windows Event Log. See http://support.microsoft.com/kb/323076 for more details.
Once the appropriate changes are made, test that Event Log access works with your zenossmon user by running the following from your Zenoss system:
wmic -U '.\zenossmon' //myhostname 'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="Application"'
10. Service Control Manager
If you are using SP1 or newer with Windows Server 2003, then you will need to allow non-administrative users to access the service control manager in order to monitor services. See http://support.microsoft.com/kb/907460 for more details.
At a command prompt, run the following:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
At this point you should be able to query Windows service status remotely using the non-administrative account. This can be tested by running the following from your Zenoss system:
wmic -U '.\zenossmon' //myhostname 'SELECT Name FROM Win32_Service'
Comments