EV Observe - Configure Microsoft Windows Monitoring Prerequisites
To use service templates to monitor Microsoft Windows devices using SNMP and WMI protocols, specific prerequisites must first be met.
- You configure these prerequisites once only.
- This is done in two steps:
  - SNMP protocol: Configure the SNMP service, the SNMP agent properties and SNMP security.
  - WMI protocol: In Active Directory, create a dedicated monitoring user, then configure DCOM security and WMI security.
Role of protocols
- The SNMP protocol (Simple Network Management Protocol) is in charge of managing network devices and analyzing network problems.
- The WMI protocol (Windows Management Instrumentation) is a Microsoft Windows internal management system for checking and monitoring system resources.
Notes
- Only users who are domain administrators or who belong to the local Administrators group on the Windows machine can view the status of Windows services using WMI.
Procedures
How to configure Microsoft Windows monitoring prerequisites for the SNMP protocol
Step 1: Install the SNMP feature in the Windows settings
1. Select the Windows Start menu > Settings to open the Windows Control Panel.
2. Select System and click Apps & features in the left pane.
3. Select Optional features.
4. Click + Add a feature.
5. Select the SNMP Protocol feature.
6. Click Install.
Step 2: Configure the SNMP service
1. Display the properties of the SNMP service in the Windows Services Manager.
- Select the Windows Start menu > Administrative Tools > Services to open the Services Manager.
Note: You can also open the Services Manager using a command prompt. To do this, select the Windows Start menu > Run and run the command below.
services.msc
- Find SNMP Service.
- Right-click and select Properties from the contextual menu.
2. Configure the SNMP agent.
- Select the Agent tab.
- Select the options for the services provided by your computer.
- Physical: This specifies whether the computer manages physical devices, such as a hard disk partition.
- Applications: This specifies whether the computer uses any programs that send data by using TCP/IP.
- Datalink and subnetwork: This specifies whether this computer manages a TCP/IP subnetwork or datalink, such as a bridge.
- Internet: This specifies whether this computer acts as an IP gateway (router).
- End-to-end: This specifies whether this computer acts as an IP host.
- Click OK.
3. Configure SNMP security.
- Select the Security tab.
- Add a new community.
  - Click Add in the Accepted community names section.
  - Enter the community name and the associated permission level.
    Note: The SNMP community name is case-sensitive. Enter the same community name for all servers. The READ ONLY right is sufficient.
  - Click Add.
- Enter the IP address of the Box authorized to access SNMP on the server.
  - Select the Accept SNMP packets from these hosts option.
  - Click Add.
  - Enter the host name and IP or IPX address of the host.
  - Click Add.
4. Click OK to save the configuration of the SNMP service.
You will return to the list of services.
5. Restart the SNMP service.
- Right-click the SNMP service and select Restart from the contextual menu.
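The GUI steps above are stored in the SNMP service's registry parameters. The following PowerShell audit is an added example, not part of the EV Observe documentation: run elevated on the monitored host, it reports the service state, the permission level of each accepted community name, and the permitted managers, flagging anything wider than what monitoring needs.

```powershell
# Added example (not EV Observe code): audit the SNMP service configuration written
# by the Services Manager GUI. Run in an elevated PowerShell session on the host.
$snmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Permission levels stored as DWORD data under ValidCommunities.
$rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

$svc = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if (-not $svc) { throw 'SNMP service is not installed (add the SNMP Protocol optional feature first).' }
$startMode = (Get-CimInstance Win32_Service -Filter "Name='SNMP'").StartMode
"SNMP service: $($svc.Status), startup type: $startMode"

"`nAccepted community names:"
$communities = Get-Item "$snmpParams\ValidCommunities" -ErrorAction SilentlyContinue
if ($communities) {
    foreach ($name in $communities.GetValueNames()) {
        $level = [int]$communities.GetValue($name)
        $label = if ($rights.ContainsKey($level)) { $rights[$level] } else { "unknown ($level)" }
        # Monitoring only needs READ ONLY (4); anything higher is excess privilege.
        $flag  = if ($level -gt 4) { '  <-- more than READ ONLY' } else { '' }
        "  $name : $label$flag"
    }
}

"`nPermitted managers (hosts allowed to send SNMP packets):"
$managers = Get-Item "$snmpParams\PermittedManagers" -ErrorAction SilentlyContinue
$hosts = if ($managers) { $managers.GetValueNames() | ForEach-Object { $managers.GetValue($_) } } else { @() }
if ($hosts.Count -eq 0) {
    # An empty list corresponds to "Accept SNMP packets from any host" in the GUI.
    '  (none listed: SNMP packets are accepted from any host; restrict this to the Box address)'
} else {
    $hosts | ForEach-Object { "  $_" }
}
```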
How to configure Microsoft Windows monitoring prerequisites for the WMI protocol
Step 1: In Active Directory, create and configure the dedicated monitoring user
1. In your Active Directory domain, create a dedicated domain user for monitoring.
Note: The user must belong to the local Administrators group.
Example: domain\servicenav
2. Create a GPO to prevent the user from logging on to the host through the console or Remote Desktop.
Step 2: Start the WMI (Windows Management Instrumentation) service
1. Select the Windows Start menu > Administrative Tools > Services to open the Services Manager.
Note: You can also open the Services Manager using a command prompt. To do this, select the Windows Start menu > Run and run the command below.
services.msc
2. Display the properties of the WMI (Windows Management Instrumentation) service in the Windows Services Manager.
- Find Windows Management Instrumentation.
- Right-click and select Properties from the contextual menu.
3. Specify that the service should start automatically.
- Select the General tab.
- Select the Automatic option for the startup type.
- Click OK.
The service will start when Windows is started.
Step 3: Add the user to the local group called Performance Monitor Users
Step 4: Configure DCOM security
1. Open Windows Component Services using a command prompt.
- Select the Windows Start menu > Run.
- Run the command below.
dcomcnfg.exe
2. Display the properties of the workstation.
- Expand the Console Root and select the My Computer node.
- Right-click and select Properties from the contextual menu.
3. Configure access permissions.
- Select the COM Security tab.
- Click Edit Limits in the Launch and Activation Permissions section.
- Select the WMI user in the Security Limits section.
- Select the Remote Launch and Remote Activation options in the Allow column.
- Click OK.
4. Close Windows Component Services.
Step 5: Configure WMI security
1. Open Windows MMC (Microsoft Management Console) using a command prompt.
- Select the Windows Start menu > Run.
- Run the command below.
wmimgmt.msc
2. Display the properties of the WMI control.
- Expand the Console Root and select the WMI Control node.
- Right-click and select Properties from the contextual menu.
3. Configure the access permissions for the CIMV2 namespace.
- Select Root > CIMV2.
- Select Security.
- Select the WMI user.
- Select the Enable Account and Remote Enable options in the Allow column.
- Click OK.
You will return to the properties window.
4. Click OK to save the configuration.
5. Close the Windows MMC.
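To confirm that Step 5 granted the monitoring user exactly Enable Account and Remote Enable on root\CIMV2, this added PowerShell example (not part of the EV Observe documentation) decodes the namespace DACL; the account name in $MonitorUser is an assumption to replace with your own.

```powershell
# Added example (not EV Observe code): list the rights each trustee holds on the
# root\CIMV2 WMI namespace and check the monitoring account against least privilege.
$MonitorUser = 'servicenav'   # assumption: name of the dedicated monitoring user

# WMI namespace access-mask bits (WBEM_SECURITY_FLAGS), as shown in the wmimgmt.msc Security dialog.
$wbemRights = [ordered]@{
    0x00001 = 'Enable Account'
    0x00002 = 'Execute Methods'
    0x00004 = 'Full Write'
    0x00008 = 'Partial Write'
    0x00010 = 'Provider Write'
    0x00020 = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}
$minimum = 0x00001 -bor 0x00020   # Enable Account + Remote Enable, what the procedure grants

$sd = (Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
        -MethodName 'GetSecurityDescriptor').Descriptor

foreach ($ace in $sd.DACL) {
    $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    $type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
    $names   = $wbemRights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $wbemRights[$_] }
    "$type  $trustee : $($names -join ', ')"

    if ($type -eq 'Allow' -and $ace.Trustee.Name -eq $MonitorUser) {
        if (($ace.AccessMask -band $minimum) -ne $minimum) {
            "    ^ $MonitorUser is missing Enable Account or Remote Enable"
        }
        if (($ace.AccessMask -band (-bnot $minimum)) -ne 0) {
            "    ^ $MonitorUser holds more than Enable Account + Remote Enable; trim to least privilege"
        }
    }
}
```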
Step 6: Check that the remote WMI access permissions work in the Box
1. Test the remote WMI access permissions for the WMI user.
Using the wmic command line
- Run the command below in the Box terminal.
wmic --user='login' --password='password' --workgroup='domain' --namespace='root\CIMV2' //server.IP.address "SELECT * FROM Win32_LogicalDisk" ; echo $?
- Check that the command returns results in the form shown below (the values differ between hosts) and that the final exit code is 0.
CLASS: Win32_LogicalDisk
Access|Availability|BlockSize|Caption|Compressed|ConfigManagerErrorCode|ConfigManagerUserConfig|CreationClassName|Description|DeviceID|DriveType|ErrorCleared|ErrorDescription|ErrorMethodology|FileSystem|FreeSpace|InstallDate|LastErrorCode|MaximumComponentLength|MediaType|Name|NumberOfBlocks|PNPDeviceID|PowerManagementCapabilities|PowerManagementSupported|ProviderName|Purpose|QuotasDisabled|QuotasIncomplete|QuotasRebuilding|Size|Status|StatusInfo|SupportsDiskQuotas|SupportsFileBasedCompression|SystemCreationClassName|SystemName|VolumeDirty|VolumeName|VolumeSerialNumber
0|0|0|A:|False|0|False|Win32_LogicalDisk|Lecteur de disquettes 3 ½ pouces|A:|2|False|(null)|(null)|(null)|0|(null)|0|0|5|A:|0|(null)|NULL|False|(null)|(null)|False|False|False|0|(null)|0|False|False|Win32_ComputerSystem|COSVGRE14|False|(null)|(null)
0|0|0|C:|False|0|False|Win32_LogicalDisk|Disque fixe local|C:|3|False|(null)|(null)|NTFS|3661844480|(null)|0|255|12|C:|0|(null)|NULL|False|(null)|(null)|True|False|False|96266612736|(null)|0|True|True|Win32_ComputerSystem|COSVGRE14|False||0AF823EF
0|0|0|D:|False|0|False|Win32_LogicalDisk|Disque CD-ROM|D:|5|False|(null)|(null)|(null)|0|(null)|0|0|11|D:|0|(null)|NULL|False|(null)|(null)|False|False|False|0|(null)|0|False|False|Win32_ComputerSystem|COSVGRE14|False|(null)|(null)
0
Via a discovery in the Box
- Run a discovery in the Box using the WMI user.
The discovery queries the Win32_OperatingSystem WMI class using the WMI user.
- Check that the discovery works correctly.
If it succeeds, the WMI user has the remote WMI access permissions you defined earlier.
2. If the Box is unable to access the host as the WMI user, correct the errors and run the test again.
Timeout of the WMI query
librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv [wmi/wmic.c:196:main()] ERROR: Login to remote object. NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT 1
- Solution: Check that the firewall rules authorize the WMI protocol on the server.
Unreachable host
librpc/rpc/dcerpc_connect.c:337:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c000023d) in dcerpc_pipe_connect_ncacn_ip_tcp_recv [librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()] failed NT status (c000023d) in dcerpc_pipe_connect_b_recv [wmi/wmic.c:196:main()] ERROR: Login to remote object. NTSTATUS: NT_STATUS_HOST_UNREACHABLE - NT_STATUS_HOST_UNREACHABLE 1
- Solution: Check that the IP address is correct.
Incorrect password
- Solution: Check that the password does not contain the @ symbol, because it is not handled correctly by WMI.
Note: Error encountered in Windows Server 2019
Unable to connect to Workgroup Servers
- Cause: If the connection fails with a local administrator account, this may be caused by UAC (User Account Control) being enabled when the monitored node belongs to a workgroup rather than a domain.
- Solution: Disable the remote UAC for the node.
Note: This does not disable the local UAC.
- Log in to the machine as the administrator.
- Add a registry value to disable the remote UAC.
  - Open the registry.
  - Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  - Locate or add the DWORD value LocalAccountTokenFilterPolicy and set it to 1. (Note: The value 0 enables the remote UAC again.)
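Because this change only applies to workgroup nodes, the following added PowerShell example (not part of the EV Observe documentation) reads LocalAccountTokenFilterPolicy, explains what the current value means, and checks domain membership before suggesting the change; it does not modify the registry itself.

```powershell
# Added example (not EV Observe code): report the remote UAC token-filtering state
# and whether this host is a candidate for LocalAccountTokenFilterPolicy = 1.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

"Host $($cs.Name) is part of a domain: $($cs.PartOfDomain) ($($cs.Domain))"
switch ($value) {
    1       { "$name = 1 : remote UAC disabled; local admin accounts keep their admin token over WMI/DCOM" }
    0       { "$name = 0 : remote UAC enabled (default); local admin accounts are filtered remotely" }
    default { "$name not set : same as 0, remote UAC enabled" }
}

# Local UAC prompts on the console are unaffected by this value either way.
if ($cs.PartOfDomain) {
    'Domain-joined node: use the dedicated domain monitoring account instead of changing this value.'
} elseif ($value -ne 1) {
    'Workgroup node: to let a local administrator account monitor over WMI, run (elevated):'
    "  Set-ItemProperty -Path '$key' -Name $name -Type DWord -Value 1"
}
```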