WMI – Client – Usage on Linux/CentOS – Using An Authentication File

Background

Still on WMIC on Linux, let us transition away from providing the user credentials on the command line.

We will provide the credentials in a file, secure the file, and specify the file when we invoke the wmic utility.

 

Outline

  1. Active Directory
    • Provision Account
  2. Target Computer
    • Computer Management
      • Grant Account permission to Targeted Computer
        • Grant Account permission to local groups on Target Computer
    • Windows Management Interface ( wmimgmt.msc )
      • Grant accounts and groups access to WMI
      • The following permissions should be granted
        • Remote Enable
        • Execute Methods
        • Enable Account
        • Read rights
      • Access Advanced Tab
        • Ensure that granted permissions apply to the entire WMI tree
  3. Linux Box
    • Authentication File
      • Prepare Authentication File
      • Restrict Access to Authentication File
    • Attempt Usage

 

Tasks

Active Directory

Provision Account

  1. Launch Active Directory Users and Computers
  2. Add User
  3. Set expiration to never

Target Computer

Computer Management ( compmgmt.msc )

Grant Account permission to Targeted Computer

Outline
  1. Launch Computer Management ( compmgmt.msc )
  2. Access the node ( System Tools \ Local Users and Groups )
  3. Choose the group that the account needs to be granted membership in
  4. In our case
    • Distributed COM Users
    • Performance Monitor Users
  5. Please select each aforementioned group
    • Grant the account membership in the group
Images
Image – Local Group – Distributed COM Users

Image – Local Group – Performance Monitor Users

 

 

Windows Management Interface ( wmimgmt.msc )

Grant Account permission to WMI

Outline
  1. Access “WMI Control ( Local ) Properties”
    • Choose WMI Control ( local )
    • Right-click on your selection
    • Choose properties from the drop-down menu
  2. Access Security Tab
    • Root Node
      • Right-click on the “Root” node
      • Click on the Security Button
      • The permissions for the Root Users are displayed
      • Please click the “Add button”
      • The “Select Users or Groups” window is displayed
        • Within the “Select Users or Groups” window, please enter the group you will like to grant access to
        • Again our case
          • <Local Computer> \ Distributed COM Users
          • <Local Computer> \ Performance Monitor Users
        • Click the OK button
      • We return to the “Security for Root” window, Tab “Security”
        • Please choose the group you just added
        • Grant the User the following permissions
          • Execute Methods
          • Enable Account
          • Remote Enable
          • Read Security
      • Review Assigned Permissions
      • Advanced Settings
        • Once you have added and granted access to each of your targeted users and groups, we will then be ready to apply more “Advanced Settings”
        • Please click the “Advanced Settings” button
        • Select each targeted Principal
          • Expand the scope
          • Here are the available options for “Applies To”
            • This namespace only
            • This namespace and subnamespaces
            • Subnamespaces only
          • Change “Applies To”
            • From “namespaces”
            • To “This namespace and subnamespaces”
Images
Image – WMI Control ( Local) Properties – Tab – General

Image – WMI Control ( Local) Properties – Tab – Security

Image – WMI Control ( Local) Properties – Tab – Security – Security for Root

 

Image – WMI Control ( Local) Properties – Tab – Security – Select Users or Groups

Image – WMI Control ( Local) Properties – Tab – Security – Security for Root

 

Image – WMI Control ( Local) Properties – Tab – Security – Security for Root

Image – WMI Control ( Local) Properties – Advanced Security Settings for Root- Tab – Permisions – Security for Root – Before

Image – WMI Control ( Local) Properties – Performance Entry for Root – Distributed COM Users – Before

Image – WMI Control ( Local) Properties – Performance Entry for Root – Distributed COM Users – After

 

Image – WMI Control ( Local) Properties – Performance Entry for Root – Performance Monitor Users – After

Image – WMI Control ( Local) Properties – Advanced Security Settings for Root- Tab – Permisions – Security for Root – After

 

Linux Machine

Prepare Authentication File

Outline

  1. Authentication File
    • Prepare Authentication File
    • Restrict Access to Authentication File

Tasks

Prepare Authentication File

Using vi or your preferred text editor, please prepare an authentication file.

Configuration File Contents – Syntax
 

domain=<domain> 
username=<principal> 
password=<password> 

Configuration File Contents – Sample

domain=labDomain
username=myAccount
password=password

Restrict Access to Authentication File
chmod – Syntax
 

chmod u=rw,o=,g= <authenticationFile>

chmod – Sample

chmod u=rw,o=,g= wmi.txt

List Authentication File Permissions
chmod – Syntax
 

ls -la <authenticationFile>

chmod – Sample

ls -la wmi.txt

Use Authentication File

Outline

  1. Use Authentication File

Tasks

Use Authentication File
Outline
  1. Using parameter –authentication-file, pass along the name of prepared authentication file
  2. The targeted hostname is specified via //<hostname>
  3. The query to issue against the host is then supplied
    • In our case, “select Model from Win32_ComputerSystem”
Syntax
 

wmic --authentication-file <filename> //<hostname> "select Model from Win32_ComputerSystem"
Sample

wmic --authentication-file wmi.txt //labDB "select Model from Win32_ComputerSystem"
Output – Image

References

  1. Barracuda Networks
    • How can I create a user with WMI Query Permissions
      Link
  2. Aurlen
    • Example of WMIC Authentication File In Linux
      Link

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s