How to set up a Windows user with minimal permissions for connecting to remote hosts in the Assets Discovery tool

Summary

In certain scenarios, administrators may prefer to establish a dedicated administrator account for use within the Discovery tool in the Credentials tab. This account is use to connect to remote hosts.

The default Windows administrator account possesses enhanced privileges compared to a newly created local administrator account. As a result, a local administrator account lacks the necessary permissions to perform scans using WMI.

Environment

• Assets Discovery tool

• Remote host using Windows OS

Solution

In remote Windows OS instances, the following steps are required:

1. Create a Windows user account

   1. Add the above user to the 'Performance Monitor Users' Group

2. WMI Control

   1. Run wmimgmt.msc

   2. Right-click WMI CONTROL (Local) > Properties > Security Tab

   3. Navigate Root/CIMV2 > Security Button

   4. Add the 'Performance Monitor Users' Group

   5. Grant 'Execute Methods', 'Enable Account' and 'Remote Enable' to 'Performance Monitor Users' Group > Click OK

   6. Navigate Root/DEFAULT > Security Button

   7. Add the Performance Monitor Users Group

   8. Grant 'Execute Methods', 'Enable Account' and 'Remote Enable' to 'Performance Monitor Users' Group > Click OK

3. Component Services

   1. Run 'dcomcnfg'

   2. Navigate to 'Component Services' > 'Computers'

   3. Right click 'My Computer' > Properties > COM Security Tab

   4. Click "Edit Limits" for Access Permissions

   5. Add the 'Performance Monitor Users' Group

   6. Grant 'Remote Access'

   7. Click "Edit Limits" for Launch and Activation Permissions

   8. Add the 'Performance Monitor Users' Group

   9. Grant 'Remote activation'

   10. Navigate to 'Component Services > Computers > My Computer > DCOM Config'

   11. Right-click 'Windows Management and Instrument' > Properties > Security Tab

   12. Click "Edit" For Launch and Activation Permissions

   13. Add the 'Performance Monitor Users' Group

   14. Grant 'Remote Launch' and 'Remote Activation'

Test

There are a lot of steps above and we can test if the above works two different ways.

1st Method

The first way would be from the Discovery Tool itself:

1. Launch the Discovery Tool Application

2. Navigate to the Credentials Tab

3. If you don't yet have a Windows Credential, Create One with the ➕ Icon

4. Change the Type to Windows

5. Enter the Credentials created in Solution - Step 1

   

6. Click Test and Enter in the IP address of the remote host to be scanned.(You must use an IP address, Using a Hostname will result in an error).

The second way would be via PowerShell, which in addition to the WMI ports (TCP 135, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535) and also requires Port 5985 to be opened.

2nd Method

The 2nd way would be from the Discovery Tool Server:

1. Launch PowerShell ISE

2. Create a new script: File > New

3. Copy the below PowerShell Script:

   1 2 3 $creds = Get-Credential -UserName "wmi" -Message "Provide Credentials for WMI Scanning" $CN = Read-Host "Provide the Computer name or IP address" Get-WmiObject -Namespace "root\cimv2" -Class Win32_Process -Impersonation 3 -ComputerName $CN -Credential $creds

4. Click the Run Script button (F5): Debug/Continue > Run/Continue

5. Provide the Credentials created in Solution - Step 1:

   

6. Provide the hostname of the remote host to be scanned.

7. If everything was done correctly you should see a lot of information on your Win32_Process which should look end up like this: