Agentless Windows monitors

Andreas Ericsson ae at op5.se
Tue Mar 29 13:36:30 CEST 2005


Subhendu Ghosh wrote:
> On Thu, 24 Mar 2005, Glenn Meisenheimer wrote:
> 
>> Hi Anthony
>>
>>> Andreas's message hits some key dangers to accessing WMI.
> 
> WMI access can be secured
> http://support.microsoft.com/kb/325353/EN-US/
> 

Ok, so no client needs to be installed and it can (according to MS 
themselves) be done securely, but the configuration process to set it up 
still requires hands-on configuration of the machine in question which 
will most likely be more confusing than installing a package on each of 
the monitored hosts and with a far greater impact if it's done wrong.

I'm not impressed.

> WMI respects existing MS authentication methods.
> 1. WMI obeys native OS access control
> 2. WMI obeys DCOM access control
> 3. WMI obeys access provided to user credentials.
> 
> The above KB talks about user credentials, but WMI can also be secured 
> at the DCOM level and OS level.
> 
> For a decent article on securing WMI:
> http://redmondmag.com/columns/article.asp?EditorialsID=381
> 

If I read this correctly, only the most paranoid settings enable 
encryption on the packets sent. Switched networks (catenets) aren't 
immune to sniffing as some like to believe, but the paranoia setting 
seems to have a very large impact on the CPU since each packet is 
checked for credentials. One wonders, do they mean packet as in 
"tcp/ip-packet" or packet as in "some obscure MS identification of packet"?

This isn't a rant (well, it isn't intended as one anyway). I just want 
to make security conscious users aware of the risks implicit in using 
this technique.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
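As an added example (not part of the original message or the Nagios project), the PowerShell below shows the two knobs the thread is arguing about: the machine-wide DCOM default authentication level, and requesting "packet privacy" (the only level that encrypts the payload) per WMI session so that a monitoring query is encrypted without raising the global setting on every host. `MONITORED-HOST` is a placeholder; the caller is assumed to already hold WMI/DCOM rights on it.

```powershell
# Added example, not from the original thread or the Nagios project.
# Assumptions: $Target is a placeholder host name; the account running this
# already has WMI/DCOM rights on it; PowerShell 3.0+ for the CIM cmdlets.

$Target = 'MONITORED-HOST'   # placeholder, replace with the real host name

# 1. Inspect the local machine-wide DCOM default authentication level
#    (the value dcomcnfg edits). 6 = Packet Privacy, i.e. every packet is
#    encrypted; anything lower leaves WMI payloads readable on the wire
#    unless the caller requests a higher level for its own connection.
$levelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy'
}
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
$default = $ole.LegacyAuthenticationLevel
if ($null -eq $default) { $default = 2 }   # unset value means the OS default: Connect
"Machine-wide DCOM default: $default ($($levelNames[[int]$default]))"

# 2. Query the remote host with PacketPrivacy requested for this session only.
#    DCOM negotiates the higher of the client's and server's required levels,
#    so this encrypts the monitoring traffic without changing either machine's
#    global setting or taxing every other DCOM call on the server.
$opt = New-CimSessionOption -Protocol Dcom -PacketPrivacy -Impersonation Impersonate
$session = New-CimSession -ComputerName $Target -SessionOption $opt
try {
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
    '{0}: {1}, last boot {2}' -f $Target, $os.Caption, $os.LastBootUpTime
}
finally {
    Remove-CimSession -CimSession $session
}
```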

