Windows Scanning User Configuration
- Daniel Stuart-Kelly
When scanning Windows Operating System Targets with iQSonar V4 you need to ensure that the user has appropriate permissions to retrieve all datapoints from the target device.
This How-To will describe using principle of least privilege how to prepare a standard Domain credential to successfully scan a single windows target.
This document assumes that all default groups and profiles named are the windows default configurations and they have not been customised in your organisation.
Configurations described in this How-To were tested successfully in the iQuate Lab at time of publishing. Please check this document in conjunction with the relevant Pre-Requisites Guide to ensure you are reviewing the most up to date information.
Step-by-step guide
- Create a standard Domain User in Active Directory, no special permissions required.
- Add the user to the Builtin Backup Operators Group and Distributed COM Users Group
- Grant the User remote access to WMI on the target device by running wmimgmt.msc (WMI Control Properties application) and granting Enable Account and Remote Enable permissions
An additional grant is required to access process and service information to remote users via a WMI connection. This can be carried out on a per device level by entering the following at an elevated command prompt on the target device.
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This can be configured on a per-user basis by capturing the UUID for the user account required and including it in the appropriate area of the sc command.