It is recommended that you create a dedicated service account for Nodeware and avoid using Domain Admin credentials or other user accounts. CIS Controls v7 3.3 states:
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Requirements
The service account must meet the following requirements for proper operation:
Substitute your created domain and user in the following commands where you see <domain> or <user>.
Required groups
In a command prompt, enter the following commands
net localgroup "Remote Management Users" /add <domain>\<user>
net localgroup "Performance Monitor Users" /add <domain>\<user>
net localgroup "WinRMRemoteWMIUsers__" /add <domain>\<user>
Access to WinRM resources
1. In a command prompt, enter the following command
winrm configSDDL default
2. This will open the Permissions for Default dialog window
3. In the Group or user names section, add <domain>\<user> to the list
4. Select the <domain>\<user> you added, in the Permissions for <user> section beneath:
- Check "Allow" for Read (Get, Enumerate, Subscribe)
- Check "Allow" for Execute (Invoke)
5. Click OK to confirm the changes
Troubleshooting
To verify the WinRM listeners are configured correctly, run the following on the target machine
winrm enumerate winrm/config/listener
Test-WSMan localhost
To create the listeners and add firewall exceptions for WinRM, you can run the following on the target machine
Enable-PSRemoting -Force
Verify the account has Remote Enable and Enable on the root\cimv2 WMI namespace (via wmimgmt.msc → WMI Control → Security), or apply an equivalent policy you use for WMI access.
Comments
0 comments
Article is closed for comments.