User privileges and information access for Windows operating systems
User privileges and information access
This section provides information about discovering Microsoft Windows hosts.
Local administrator discovery missing command line information using WMI
If you do not get full command line information when you discover a Windows host using WMI as a local administrator, you should check that local administrators are part of the Debug Programs policy. See the Microsoft website for more information on the Debug Programs policy.
Potential user lock out
By default, AD accounts permit a limited number of login attempts (for example, 3 attempts in 15 minutes). Access Denied errors from WMI, DCOM, and RemQuery are counted as unsuccessful login attempts. Where target hosts are incorrectly configured, this limit can be exceeded and the account locked out.
To avoid this issue, configure the BMC Discovery account to accept unlimited login attempts.
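As an added illustration of the lockout mechanism described above (example code, not part of BMC Discovery), the following client-side guard counts Access Denied results per account within a sliding window and reports when one more failure would reach the threshold; the threshold and window are the example values given above (3 attempts in 15 minutes), and the account name and timestamps are constructed.

```python
# Added example, not BMC Discovery code. Tracks "Access Denied" results per
# account so a scan can stop retrying before the AD lockout threshold is hit.
from collections import defaultdict, deque


class LockoutGuard:
    def __init__(self, max_failures=3, window_seconds=15 * 60):
        self.max_failures = max_failures      # failures that trigger lockout
        self.window = window_seconds          # observation window in seconds
        self._failures = defaultdict(deque)   # account -> denial timestamps

    def _prune(self, account, now):
        """Drop denials that have aged out of the window; return the queue."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_access_denied(self, account, now):
        """Call for every Access Denied returned by WMI, DCOM or RemQuery."""
        self._prune(account, now).append(now)

    def remaining_attempts(self, account, now):
        """Failures still allowed before the account would be locked out."""
        return max(0, self.max_failures - len(self._prune(account, now)))

    def may_attempt(self, account, now):
        """False once a single further denial would trip the threshold."""
        return self.remaining_attempts(account, now) > 1


def scan_hosts(guard, account, hosts, authenticate, clock):
    """Try each host in turn; stop early rather than risk a lockout.

    `authenticate(host)` returns True on success, False on Access Denied
    (constructed callback for the example). Returns the hosts skipped."""
    skipped = []
    for host in hosts:
        now = clock()
        if not guard.may_attempt(account, now):
            skipped.append(host)
            continue
        if not authenticate(host):
            guard.record_access_denied(account, now)
    return skipped
```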
Firewalls
Some versions of Windows have a default firewall configuration that does not permit discovery. You should configure the firewall to permit access; otherwise, you will be unable to discover your Windows hosts. For information about the ports that should be open, see Network ports used for discovery communications.
Windows Domain Controllers
To get a full set of data from a Windows system, the credential used must be in the Local Administrator group for the target. Domain Controllers have the equivalent of a local administrator; however, the local administrator on a Domain Controller has sufficient permissions to become a domain administrator. The implication is that having full local administration rights on the Domain Controller essentially means you have a Domain Admin account.
Windows Server 2008 and later and Windows Vista and later
The account being used to discover the target host must be one of the following types:
- A domain user with Administrator privileges on the target host.
- A non-domain user with Administrator privileges and with remote User Account Control (UAC) disabled on the target host. See the Microsoft website for more information on disabling UAC.
Windows 2003
WMI discovery of Windows 2003 hosts may fail after installing Windows Updates released on November 8, 2022 on Windows domain controllers. This is due to changes in Kerberos authentication. RemQuery discovery of Windows 2003 hosts is unaffected.
Windows 2000 and Windows NT
RemQuery discovery uses AES encryption, which is not supported in Windows 2000, so RemQuery discovery falls back to DES encryption. Windows NT does not support AES or DES, so RemQuery discovery is unencrypted. WMI discovery is unaffected.
Note
In Windows 2000 and Windows NT, the sc.exe executable is not provided. The getServices method requires WMI to run successfully.
Windows discovery using IPv6
Windows discovery using IPv6 is not supported for the following versions of Windows:
- Windows Server 2003
- Windows XP
- Windows 2000
To discover these versions of Windows, you must use IPv4.
Proxy pools can contain only proxies from one of the following groups:
- Proxies running on the IPv6-unsupported versions of Windows noted in the previous section.
- Later versions in which IPv6 is supported, such as Windows Server 2008 and Windows 7.
Windows discovery commands
The following tables list the commands that are run on Windows platforms. The following methods are used:
- WMI—BMC Discovery uses Windows Management Instrumentation (WMI) as the primary means of discovery. Discovery uses both WMI queries and WMI registry access.
- RemQuery—If WMI does not succeed, BMC Discovery uses various command line tools via the RemQuery utility. When RemQuery is used, it is copied onto the admin$ share of the scanned host, installed, and started as a service. The service is then used to execute the discovery scripts. At the end of the scan, the service is stopped and uninstalled, but the executable is left in the admin$ share. If a copy already exists, it is not copied again.
- SNMP—SNMP discovery is supported for all devices with an accessible SNMP agent. Discovery supports SNMP v1, v2c, and v3. For some older platforms (for example, Netware), the use of SNMP v1 might be required. This requirement is defined on a per-credential basis. Only read (GET, GETNEXT, GETBULK) access is required.
WMI
Method | WMI namespace | WMI query |
---|---|---|
[Table rows not recoverable from this page. Surviving notes from the table: "See notes mentioned in the following section for more information."; "Optional; this query can fail." (three queries); "Handled by getHostInfo call; specifically:" (the queries listed after this note are not recoverable).]
Notes
An asterisk (*) after a method name indicates that the method must succeed for a host to be created.
getPackageList
Package information is obtained by walking the registry keys described in the preceding table rather than using Win32_Product, as it provides more reliable data.
To speed this process, a temporary WMI class is created on the remote computer to query the registry locally. This temporary class is given a unique name and is removed after the registry data has been retrieved.
On 64-bit Windows systems, the Wow6432Node (32-bit application data) is also examined.
getHBAInfo
WMI support for gathering HBA information uses the following queries to populate the HBA information if it is safe to do so:
SELECT * FROM MSFC_FCAdapterHBAAttributes
SELECT * FROM MSFC_FibrePortHBAAttributes
The OS version and patch list is checked to see whether HBA queries are safe. On Microsoft Windows Server 2003, Vista, and Server 2008, the HBAAPI.DLL module used by WMI leaks handles unless patched with KB957052. If this patch is not installed, no WMI requests are made.
By inspection, no current version of Windows 2003 (5.2.x) or Windows 2008 (6.0.x) includes this patch (current versions including service packs), but Windows 2008 R2 (6.1.x) does include it. It is unclear whether the problem exists on Windows 2000, but there is no patch available.
We make the following assumptions:
- Windows 2000 HBA queries are safe via WMI.
- Newer versions of Windows do not have the bug.
- This check is unnecessary when running FCINFO.EXE. It does use HBAAPI.DLL and could experience the same handle leak, but it is a short-lived process, and the leaked handles are released when it exits.
The Microsoft FCINFO.EXE command line tool is also used by RemQuery. This is used where WMI is deemed unsafe or has failed for some reason. It provides equivalent information about HBAs, because it uses the same API as the WMI provider.
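The safety decision described in the getHBAInfo notes, written out as an added example (not BMC Discovery's own code): the version prefix and installed hotfix list are inputs supplied by the caller, not collected here, and the version strings and hotfix IDs used in the test are constructed.

```python
# Added example, not BMC Discovery code. Applies the HBA safety rules above:
# Server 2003 (5.2.x) and Vista/Server 2008 (6.0.x) need KB957052 before the
# MSFC_* WMI queries are issued; Windows 2000 (5.0.x) is assumed safe; 2008 R2
# (6.1.x) and later already include the fix.
import re

HBA_PATCH = "KB957052"                  # fix for the HBAAPI.DLL handle leak
LEAKY_MAJOR_MINOR = {(5, 2), (6, 0)}    # Server 2003; Vista and Server 2008

HBA_QUERIES = (
    "SELECT * FROM MSFC_FCAdapterHBAAttributes",
    "SELECT * FROM MSFC_FibrePortHBAAttributes",
)


def parse_version(version):
    """Return (major, minor) from a version string such as '6.0.6002'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OS version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def hba_queries_safe(os_version, hotfixes):
    """True when the MSFC_* WMI queries may be issued without leaking handles."""
    if parse_version(os_version) not in LEAKY_MAJOR_MINOR:
        return True
    installed = {h.strip().upper() for h in hotfixes}
    return HBA_PATCH in installed


def plan_hba_collection(os_version, hotfixes):
    """Return the WMI queries to run, or an empty tuple meaning:
    skip WMI and let RemQuery gather the same data with FCINFO.EXE."""
    return HBA_QUERIES if hba_queries_safe(os_version, hotfixes) else ()
```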
RemQuery
Method | Script | Notes |
---|---|---|
[Method and Script columns not recoverable from this page; the Notes column survives as follows:]
- Handled by getHostInfo call. (two methods)
- Handled by getFileInfo call.
- Requires Microsoft FCINFO.EXE to be installed on the target system.
- Requires Emulex HBAnywhere to be installed on the target system. (two methods)
- Requires Emulex LPUTIL.EXE to be installed on the target system. (three methods)
- Uses Windows API to query IP addresses.
- Uses Windows API to query MAC addresses.
- Uses Windows API to query interface details.
- Uses Windows API to request same registry keys as WMI queries.
- Uses Windows API to query process information. (two methods)
- Requires TCPVCON.EXE to be installed on the target system.
- Requires OPENPORTS.EXE to be installed on the target system.
SNMP
Method | MIB Values | OID |
---|---|---|
[Method column not recoverable from this page; the MIB and OID columns survive as follows:]
 | IF-MIB::ifEntry | 1.3.6.1.2.1.2.2.1 |
 | IP-MIB::ipAddrEntry | 1.3.6.1.2.1.4.20.1 |
 | IF-MIB::ifEntry | 1.3.6.1.2.1.4.20.1 |
 | IP-MIB::ipNetToPhysicalEntry | 1.3.6.1.2.1.4.35.1 |
 | IP-MIB::ipNetToMediaEntry | 1.3.6.1.2.1.4.22.1 |
 | TCP-MIB::tcpConnectionEntry | 1.3.6.1.2.1.6.19.1 |
 | TCP-MIB::tcpConnEntry | 1.3.6.1.2.1.6.13.1 |
 | IF-MIB::ifEntry | 1.3.6.1.2.1.2.2.1 |