1 Reply Latest reply on Feb 12, 2019 11:43 AM by akhasheni

    Performance counters not working (in SAM)

    akhasheni

      Unable to poll performance counters for a WS2012r2 host in SAM. Attempting to get counters results in a timeout or:

      Network connection failed. HResult: No data to return. Error: Unable to connect to the specified computer, or the computer is offline.


      All other polling (process, service, logs) - no issues. Remote registry service is running. WMI exception added to the firewall. What am I missing?


      Counters are working in PerfMon (blue and green graphs are showing elapsed time and processor time for a specific process that we need to monitor):


      Thanks!

        • Re: Performance counters not working (in SAM)
          akhasheni

          aLTeReGo's answer on Assistance Needed with Windows Monitors was the answer for my case:

          Windows Performance Counters use RPC for communication which runs over TCP port 445. Once you add this rule to the firewall these components should come up.

          ... however, opening port 445 is equivalent to enabling the stock "File and Printer Sharing (SMB-In)" Windows firewall rule, which has wide-ranging security implications and should be done with great care, given that the consensus is to block that port unless there is a specific need for it. In response to my question about tightening down the attack surface of that exception, aLTeReGo answered:

          If you are concerned about opening TCP Port 445, then I would suggest either configuring the Windows Firewall, router access control lists, or Firewall policies to only allow TCP Port 445 traffic from the Orion server to that host. Alternatively, you could install the Orion Agent on that machine and not open any ports to that host.

          ... none of which appears a sound policy to me for various reasons - I'd rather limit traffic to a service than to an IP address (the latter don't work well as a policy and don't travel across subnets), and using agents only adds to the unknowns.


          So while an inbound TCP Port 445 firewall exception (equivalent to the stock "File and Printer Sharing (SMB-In)" Windows firewall rule) does resolve the immediate issue, it leaves a rather significant question unanswered:


          How to restrict the exception to Performance Counters traffic only, and how to make the exception work well as a security policy that also does not interfere with other SMB-related exceptions or blocks?
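The following is an added example of the scoped exception discussed above; it is not from the thread or from SolarWinds. It assumes a placeholder poller address of 10.0.0.10, a domain-joined host, and a rule name of our choosing. One caveat worth stating up front: port 445 is served by the kernel SMB server (program "System"), and the remote performance counter traffic is RPC over a named pipe inside that SMB session, so the Windows firewall cannot distinguish it from file sharing at the port level. The tightest scope a firewall rule alone can give is "445 only from the poller, only on the Domain profile".

```powershell
# Added example, not from the original thread.
# Assumed placeholder: the address of the Orion/SAM poller.
$OrionPoller = '10.0.0.10'

# Inbound TCP 445, only from the poller, only on the Domain profile.
# 'System' is the program that owns port 445 (the same as the stock SMB-In rule),
# so program scoping cannot narrow this further than the stock rule does.
New-NetFirewallRule -DisplayName 'SAM Performance Counters (TCP 445 from Orion)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $OrionPoller -Program 'System' `
    -Profile Domain -Action Allow -Enabled True

# Keep the broad stock rule off so nothing else opens 445 to "Any".
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object DisplayName -like '*SMB-In*' |
    Disable-NetFirewallRule

# Verify the address scope actually applied to the new rule.
Get-NetFirewallRule -DisplayName 'SAM Performance Counters*' |
    Get-NetFirewallAddressFilter

# Checks to run from the Orion server (replace <host>):
#   Test-NetConnection -ComputerName <host> -Port 445
#   Get-Counter -ComputerName <host> -Counter '\Processor(_Total)\% Processor Time'
# The first confirms the port is reachable from the poller only; the second
# confirms the counter path resolves through the remote registry, which is
# the same path SAM uses.
```

If an address-based scope is unacceptable as policy (the concern raised above about rules that do not travel across subnets), the same cmdlet accepts -Authentication Required together with -RemoteMachine, which binds the rule to the poller's computer account rather than its IP; that requires an accompanying IPsec rule (New-NetIPsecRule) so the connection is actually authenticated, and is a larger change than the single rule shown here.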