EV Reach - WMI Explorer - Using WMI Impersonation Level
Delegation is one type of security impersonation level.
When you connect from Computer A to Computer B, every action taken on Computer B is done on your behalf, under your identity. This is called impersonation. There are several impersonation levels; WMIX uses only two of them: IMPERSONATE and DELEGATE. By default, EV Reach's WMI Explorer uses the IMPERSONATE level, which is appropriate for most situations.
With the IMPERSONATE level, Computer B can act as you only against resources located on Computer B itself. If Computer B then tries to reach a resource on a third machine, Computer C, the request is refused (typically reported as "Access is denied"). The reason is that the impersonation token Computer B receives from Computer A carries no network credentials: WMI does not let Computer B use the credentials it received from Computer A to authenticate to any other computer.
With the DELEGATE level, this restriction is lifted and Computer B is allowed to connect to other computers on behalf of Computer A. Special care should be taken when using the delegate impersonation level: you are allowing the remote machine to execute network tasks using your credentials, which in effect grants it unlimited network access as you. Anyone with administrative control of Computer B, including an attacker who has compromised it, can reuse those delegated credentials against every other system you can reach. For this reason, delegation is turned off by default in WMIX.
In some circumstances, you may need to open a connection in DELEGATE mode. For instance, if you install a software package on Computer B and the MSI file is located on a share on Computer C, Computer B must be allowed to reach Computer C on your behalf, which requires delegation.
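The Computer A to B to C scenario above can be reproduced outside the WMIX GUI with the Windows PowerShell WMI cmdlets, which expose the same two impersonation levels. The following is an added example and not code from EV Reach or the WMIX product; the host names, the share path and the account are placeholders, and it assumes it runs on a domain-joined machine (Computer A) as a user who is also an administrator of Computer B (it reads a result file back through B's C$ share).

```powershell
# Added example, not part of the EV Reach documentation.
# Starts "dir <share on Computer C>" on Computer B under the connecting user's
# token at a chosen impersonation level and returns what cmd.exe on B printed.
function Test-DelegatedShareAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerB,          # DNS name, not IP: delegation needs Kerberos
        [Parameter(Mandatory)][string]$ShareOnC,           # e.g. \\serverc.corp.example\software (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential,   # domain account used for the WMI connection
        [ValidateSet('Impersonate','Delegate')][string]$Impersonation = 'Impersonate'
    )
    # Capture the listing in a file on B so we can inspect the outcome afterwards.
    $remoteLog = "C:\Windows\Temp\wmi-$Impersonation.txt"
    $cmdLine   = "cmd.exe /c dir `"$ShareOnC`" > `"$remoteLog`" 2>&1"

    # Win32_Process.Create runs the new process in the security context of the
    # caller, i.e. with whatever token the chosen impersonation level gives B.
    $r = Invoke-WmiMethod -ComputerName $ComputerB -Credential $Credential `
            -Authentication PacketPrivacy -Impersonation $Impersonation `
            -Class Win32_Process -Name Create -ArgumentList $cmdLine
    if ($r.ReturnValue -ne 0) {
        throw "Win32_Process.Create on $ComputerB returned $($r.ReturnValue)"
    }
    Start-Sleep -Seconds 5   # let the short-lived cmd.exe on B finish
    # Read the captured output back over B's administrative share.
    Get-Content -Path ("\\$ComputerB\" + $remoteLog.Replace(':', '$'))
}

# Placeholder names and account.
$cred   = Get-Credential 'CORP\wmixadmin'
$target = @{
    ComputerB  = 'serverb.corp.example'
    ShareOnC   = '\\serverc.corp.example\software'
    Credential = $cred
}

# IMPERSONATE (the WMIX default): cmd.exe starts on B as CORP\wmixadmin, but its
# token carries no network credentials, so the dir of the share on C fails with
# an error such as "Access is denied" or a logon failure.
Test-DelegatedShareAccess @target -Impersonation Impersonate

# DELEGATE: once B's computer account is trusted for delegation and the account
# may be delegated (see Delegation Requirements), the same command lists the
# share on C. B is now acting as you on the network.
Test-DelegatedShareAccess @target -Impersonation Delegate
```

The process is created with the same command line both times; only the `-Impersonation` value changes, which is exactly what the Enable delegation check box in WMIX controls. `Invoke-WmiMethod` is a Windows PowerShell cmdlet and is not available in PowerShell 7; the CIM cmdlets do not expose a delegate impersonation level.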
Opening a Connection Using Delegation
You need to use the Connect button or the Open As Favorites option to initiate a connection in DELEGATE mode.
- Click on the Connect button of the main toolbar. If needed, click on the More >> button to display the extended connect options.
- Enter the remote machine name (use its DNS host name rather than an IP address, since delegation relies on Kerberos), the credentials to use for the delegation, and check Enable delegation.
- Click on OK.
Delegation Requirements
For the Delegate impersonation level to work, the following conditions must all be true:
- The user account specified in the Delegation options must belong to an Active Directory domain (a local account cannot be delegated) and must NOT be marked "Account is sensitive and cannot be delegated". This flag can be inspected with the Active Directory Users and Computers MMC snap-in: open the account's Properties window, select the Account tab, and look under Account options. By default, this flag is not set. Members of the Protected Users group cannot be delegated either, regardless of this flag.
- The computer account of the remote machine (Computer B) must be trusted for delegation in Active Directory. To change this, use the Active Directory Users and Computers snap-in and open the Properties window of the computer account (the Delegation tab in current versions of the snap-in). By default, Active Directory trusts only domain controllers for delegation; member servers and workstations are not trusted.
- The computer hosting WMIX, the remote computer, and any downstream computers being accessed must all be running Windows 2000 or later and be members of an Active Directory domain. Delegation works only over Kerberos: if the connection falls back to NTLM, for example because Computer B was specified by IP address or the account is local, DELEGATE mode cannot succeed.
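The requirements above can be verified before enabling delegation in WMIX. The following check is an added example, not EV Reach's own tooling; it queries Active Directory through ADSI, which is built into Windows PowerShell (no RSAT module required), and the account and host names at the bottom are placeholders. It must run on a domain-joined machine as a domain user.

```powershell
# Added example, not part of the EV Reach documentation.
# Checks the delegation prerequisites for a WMIX DELEGATE connection:
# the user account, the computer account of Computer B, and Kerberos usability.
function Test-WmixDelegationPrereqs {
    param(
        [Parameter(Mandatory)][string]$UserSamAccountName,  # account entered in the WMIX delegation options
        [Parameter(Mandatory)][string]$ComputerB            # the remote machine WMIX connects to
    )
    # userAccountControl bits as documented by Microsoft for Active Directory
    $NOT_DELEGATED                  = 0x0100000   # "Account is sensitive and cannot be delegated"
    $TRUSTED_FOR_DELEGATION         = 0x0080000   # "Trust this computer for delegation to any service" (unconstrained)
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation "using any authentication protocol"

    $searcher = [adsisearcher]''   # searches the current domain
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'userAccountControl', 'memberOf', 'msDS-AllowedToDelegateTo', 'dNSHostName'))

    # 1. The user account: must exist in AD, not be sensitive, not be in Protected Users.
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$UserSamAccountName))"
    $user = $searcher.FindOne()
    if (-not $user) {
        throw "User '$UserSamAccountName' was not found in the current domain (local accounts cannot be delegated)"
    }
    $userUac       = [int]$user.Properties['useraccountcontrol'][0]
    $userSensitive = ($userUac -band $NOT_DELEGATED) -ne 0
    $protectedUser = @($user.Properties['memberof'] | Where-Object { $_ -like 'CN=Protected Users,*' }).Count -gt 0

    # 2. The computer account of Computer B: trusted for delegation, either
    #    unconstrained or constrained to the downstream service (e.g. cifs/serverc
    #    for an MSI share on Computer C).
    $shortName = ($ComputerB -split '\.')[0]
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$shortName`$))"
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer account '$shortName`$' was not found in the current domain" }
    $compUac       = [int]$computer.Properties['useraccountcontrol'][0]
    $unconstrained = ($compUac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $constrainedTo = @($computer.Properties['msds-allowedtodelegateto'])
    $protocolTrans = ($compUac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $dnsName       = [string]$computer.Properties['dnshostname'][0]

    # 3. Kerberos: delegation never works over NTLM, so the target must be named, not an IP.
    $byIp = $ComputerB -match '^\d{1,3}(\.\d{1,3}){3}$'

    [pscustomobject]@{
        User                    = $UserSamAccountName
        UserIsSensitive         = $userSensitive
        UserInProtectedUsers    = $protectedUser
        Computer                = $dnsName
        UnconstrainedDelegation = $unconstrained
        ConstrainedDelegationTo = $constrainedTo
        ProtocolTransition      = $protocolTrans
        ConnectingByIp          = $byIp
        Ready                   = (-not $userSensitive -and -not $protectedUser -and -not $byIp -and
                                   ($unconstrained -or $constrainedTo.Count -gt 0))
    }
}

# Placeholder account and host name.
$check = Test-WmixDelegationPrereqs -UserSamAccountName 'wmixadmin' -ComputerB 'serverb.corp.example'
$check | Format-List
if ($check.UserIsSensitive)      { Write-Warning 'Clear "Account is sensitive and cannot be delegated" on the user account.' }
if ($check.UserInProtectedUsers) { Write-Warning 'Members of Protected Users cannot be delegated; use a different account.' }
if ($check.ConnectingByIp)       { Write-Warning 'Connect by DNS host name so that Kerberos, not NTLM, is used.' }
if (-not $check.UnconstrainedDelegation -and $check.ConstrainedDelegationTo.Count -eq 0) {
    Write-Warning "Enable delegation on the $($check.Computer) computer account (Delegation tab in Active Directory Users and Computers)."
}
```

When the computer account is only constrained (a non-empty `ConstrainedDelegationTo` list), the downstream service must appear in that list; for the MSI-on-a-share case that is the `cifs` service of Computer C. Unconstrained delegation is the setting the WMIX documentation refers to, and it is also the one with the widest blast radius if Computer B is compromised, so prefer the constrained form where it satisfies the task.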