Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

When scanning Windows Operating System Targets with iQSonar V4 you need to ensure that the user has appropriate permissions to retrieve all datapoints from the target device.

This How-To will describe using principle of least privilege how to prepare a standard Domain credential to successfully scan a single windows target.

This document assumes that all default groups and profiles named are the windows default configurations and they have not been customised in your organisation.


Step-by-step guide

  1. Create a standard Domain User in Active Directory, no special permissions required.
  2. Add the user to the Builtin Backup Operators Group and Distributed COM Users Group
  3. Grant the User remote access to WMI on the target device by running wmimgmt.msc (WMI Control Properties application) and granting Enable Account and Remote Enable permissions
  4. An additional grant is required to access process and service information to remote users via a WMI connection. This can be carried out on a per device level by entering the following at an elevated command prompt on the target device.

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    This can be configured on a per-user basis by capturing the UUID for the user account required and including it in the appropriate area of the sc command.


  • No labels