Wednesday, November 19, 2014

HOW TO FIX THE WMI OR REGISTRY ACCESS DENIED ERROR

Starting with Windows Vista, Microsoft introduced User Account Control (UAC). For domain accounts, ensuring the service account is added to the local administrators group on the remote machine should still be sufficient. For machines that are not on a domain (workgroup machines) or other situations requiring the use of pass-through security, additional configuration may be necessary.

The problem that arises is with UAC. When a remote connection is made using pass-through security, the machine is unable to resolve elevated permissions under UAC, and for WMI and registry purposes the account is treated as a regular (non-admin) user even if the account exists in the local administrators group.

More information can be found at the following URL under the section entitled “Handling Remote Connections Under UAC”: http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx

Make the following configuration changes to support

1.) Change the authentication level for WMI in DCOM (using DCOMCNFG.exe) to 'Packet' from 'Connect'.

As with any registry modification and/or change to security there are associated risks. These are outlined in the Microsoft article, and it should be reviewed prior to making any changes.

Finally, because of these security issues and the risks associated with the changes needed to support this configuration, make sure you evaluate the changes for your environment.




Here is an additional link listing the DCOM impersonation and authentication setting requirements: http://msdn.microsoft.com/en-us/library/aa389284(v=VS.85).aspx

If the connection is remote, you also need to make the following registry change:

2.) Disable remote UAC as specified in the URL mentioned above: “Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup.

The registry entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled.”

This is a REG_DWORD value, and you will likely need to create the new value as it is not there by default.

Reboot the machine, and both local and remote WMI queries should start to work.
If it still does not work in the remote connection scenario, check your Windows Firewall settings.
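
To check and change the value described in step 2 from an elevated prompt, here is an added PowerShell example (not from the original post or the Microsoft article). The function names `Get-RemoteUacState` and `Set-RemoteUacFiltering` are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit and set the Remote UAC token-filter value from step 2.
# Function names are illustrative; run from an elevated PowerShell 3.0+ session.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # The value is absent by default; absent behaves like 0 (filtering enabled).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$ValueName } else { $null }
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PartOfDomain       = $cs.PartOfDomain   # $false on workgroup machines
        ValuePresent       = $null -ne $raw
        RawValue           = $raw
        RemoteUacFiltering = if ($raw -eq 1) { 'Disabled' } else { 'Enabled' }
    }
}

function Set-RemoteUacFiltering {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # 1 = Remote UAC disabled (local admins get a full token remotely), 0 = enabled.
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", "Set REG_DWORD to $value")) {
        # -Force creates the value if missing and overwrites it if present.
        New-ItemProperty -Path $PolicyPath -Name $ValueName `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
    Get-RemoteUacState
}

# Report the current state without changing anything.
Get-RemoteUacState | Format-List

# Preview the change first, then apply it by removing -WhatIf.
# Set-RemoteUacFiltering -State Disabled -WhatIf

# Revert once remote WMI/registry access is no longer required.
# Set-RemoteUacFiltering -State Enabled
```

Running `Get-RemoteUacState` across a fleet also gives a quick inventory of machines where the filter has been turned off and could be turned back on.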


Some other useful tools to debug WMI issues:

wbemtest
wmidiag.exe - WMI Diagnosis Utility
