WMI Domain Admin / Domain User

We have recently undertaken an external PEN test to see how we are exposed to the outside world.

Turns out that the current installation on UDT/IPAM uses Domain Admin credentials for authentication and discovery. Needless to say those pesky PEN testers found this and where able to "theoretically" expose us.

So, the question is this -

What are is minimum levels of administrative access that the WMI credentials need to have to be able to fully discover the network and indeed poll correctly so that our products will work.

NB - we are about to deploy NPM, SAM, NTM, NTA, VNQM, FSM, VirMan, etc...

Cheers

Find more posts tagged with

network administration

npm

WMI

credentials

Accepted answers

smiffy85

Yes, it was vulnerable and exploitable.

However we have a solution - agent based polling. The most secure method currently available from SolarWinds - totally encrypted traffic along 1 port between poller and device.

Thanks for your help HolyGuacamole‌

All comments

asisit

I'm guessing that what you are looking for is in this article - SolarWinds Knowledge Base :: How to create a non-administrator user for SAM polling.

If security is of a concern you might also consider using SNMP for all of your polling. Using SNMPv3 would remove the need for a domain admin account to poll your servers while still requiring a level of authentication. Although we use a domain admin account for some of our WMI polling, our recent pen test didn't find it susceptible to an attack which I found very interesting.

smiffy85

Thanks asisit‌ I did have a read of that but wasn't entirely sure it was the best solution for us.

Didn't fancy doing that on all the servers.

I then read further, using SNMP certainly makes more sense AND it uses up to 5 times less resources than WMI.

In respect of your PEN test, yes, that is very odd!

smiffy85

Another point I have been thinking about is weather I would get more information from SNMP or WMI. It appears the answer is SNMP but I was wanting clarification if at all possible?

Then, I have the lovely task of turning on SNMP v2 for all servers with <= Server 2008 and SNMP v3 on Server 2012 servers.

\o/

smiffy85

Looks like Microshite are deprecating the SNMP service from Server 2012 onwards.

So, looks like I will have to have a play with that article and sort a restricted WMI admin account.

HolyGuacamole

You definitely do not need a Domain Admin for UDT and IPAM.

UDT requires a Windows login only to poll the AD for which minimum permissions are documented here

SolarWinds Online Help

IPAM possibly need a Windows account for polling & managing Windows DHCP and DNS servers. Again, the minimum permissions are documented

SolarWinds Online Help

For all the products you have listed, you don't need domain admin access. The only exception I can think of is to monitor your domain controllers via WMI, and you have a SAM agent option to avoid having to enter domain admin credentials into Orion.

smiffy85

HolyGuacamole‌ this is amazing information, thank you! No matter where I looked I couldn't find it!

I have even logged a support ticket to clarify the situation.

Ill have a nosey through the online guides so I can provide the IT Security team with the relevant requirements.

smiffy85

Hmm, perhaps not Domain Admin permissions, but local admin...which is pretty bad on a server..

http://knowledgebase.solarwinds.com/kb/questions/1672/Troubleshooting+Windows+Management+Instrumentation+(WMI)

Verify Administrator Credentials

Only a credential that has administrator rights on the target server has the necessary permissions to access the target server’s WMI services. Make sure that the username and password you are using belongs to an administrator on the target server. If the administrator credential is a domain member, be sure to specify both the user name and the domain in the standard Microsoft syntax. For example: DOMAIN\Administrator.

HolyGuacamole

A domain account that is part of the local admins group is acceptable in most places. Has this been raised as a specific concern from your pen testers?