Monitoring CIS-hardened devices
A CIS-hardened device goes a long way in improving overall security in your network. CIS hardening corresponds to tightening of security in the software component, based on the benchmarks provided by CIS (Center for Internet Security). It can mean anything from disabling unused ports and services to restricting visitor access to a system.
Monitoring CIS-enabled devices require special permissions to be provided to the network monitoring software. Please follow the steps below to enable monitoring of CIS-hardened devices in OpManager:
- Monitoring availability via ICMP
- Monitoring via SNMP
- Monitoring via WMI
1. Monitoring availability via ICMP
To monitor device availability via ICMP, we first have to enable access for ICMP v4 protocols in our firewall. Below are the steps to enable ICMP in the monitored device:
- From the monitored device, open Command Prompt in Administrator mode.
- If you want to enable firewall access for OpManager server, please execute the command below, replacing <OpManager_IP> with OpManager server's IP.
netsh advfirewall firewall add rule name="OPM_ICMP_RULE" dir=in action=allow enable=yes protocol=ICMPv4 remoteip=<OpManager_IP>
2. Monitoring via SNMP
To monitor your devices through SNMP, we just have to configure SNMP service on all your network devices. Know more here on how to enable and configure SNMP in your network devices.
3. Monitoring via WMI
-
3.1 To enable WMI traffic, DCOM, WMI, callback sink and outgoing connections in Firewall.
To monitor hardened devices using WMI, a few connections/protocols have to be enabled for OpManager to be able to reach the device, the foremost of which would be to allow OpManager's traffic (both inward and outward) through your firewall. By default, WMI settings in Windows Firewall settings are configured to enable only WMI connections, rather than allowing other DCOM applications too. We must add an exception in the firewall for WMI, that allows the remote device to receive remote connection requests and asynchronous callbacks to Unsecapp.exe. To enable the necessary connections in your firewall, execute the below commands one by one in the monitored device, depending on your requirements.
- To establish a firewall exception for DCOM port 135, use the following command:
Firewall access for OpManager server:
netsh advfirewall firewall add rule dir=in name="OPM_DCOM_CIS" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135 remoteip=<OpManager_server_IP>
- To establish a firewall exception for the WMI service, use the following command:
Firewall access for OpManager server:
netsh advfirewall firewall add rule dir=in name ="OPM_WMI_CIS" program=%systemroot%\system32\svchost.exe service=winmgmt action = allow protocol=TCP localport=any remoteip=<OpManager_server_IP>
- To establish a firewall exception for the sink that receives callbacks from a remote computer, use the following command:
Firewall access for OpManager server:
netsh advfirewall firewall add rule dir=in name ="OPM_UnsecApp_CIS" program=%systemroot%\system32\wbem\unsecapp.exe action=allow remoteip=<OpManager_server_IP>
- To establish a firewall exception for outgoing connections to a remote computer that the local computer is communicating with asynchronously, use the following command:
Firewall access for OpManager server:
netsh advfirewall firewall add rule dir=out name ="OPM_WMI_OUT_CIS" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any remoteip=<OpManager_server_IP>
-
3.2 Allow remote WMI access with restricted permissions:
You can configure a regular Windows user to access WMI information by adding the necessary user account to the Distributed COM Users and the Performance Monitor Users group using lusrmgr.msc, and then configuring the DCOM security settings to allow the groups to access the system remotely (using dcomcnfg).
Note: These configurations are required to be performed in the User profiles of the client devices that are to be monitored.
Configuring Distributed COM Users in Local user and Groups Setting:
To begin with, we are adding the DCOM user group in our local user settings.
- 1. Click Start → Run, type lusrmgr.msc and click OK.
- 2. In the Users folder, right-click the user to bring up the menu, and select Properties.
- 3. Click over to the Members of tab, and click Add.
- 4. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
- 5. Click Add.
- 6. Repeat steps 3-5 for the Performance Monitor Users group and Event Log Readers group.
Configuring the DCOM Security Settings to allow the groups to access the system remotely:
Next, we're providing basic access permissions to the user groups (Distributed COM Users and Performance Monitor Users) to be able to gain control of the device remotely.
- 7. Click Start → Run, type dcomcnfg and click OK.
- 8. Drill down into the Component Services tree until you get to My Computer. Right-click 'My Computer' to bring up the menu, and click Properties.
- 9. Click the COM Security tab, then click Edit Limits under the Launch and Activation Permissions section.
- 10. Click Add.
- 11. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
- 12. Click Add.
- 13. Repeat steps 9-12 for the Performance Monitor Users group.
- 14. Check Allow for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.
Setting the WMI Control security settings to be applied to all namespaces:
Finally, access is provided for all classes under all namespaces for both the user groups, in order to enable OpManager to fetch those data using WMI.
- 15. Click Start → Run, type wmimgmt.msc and click OK.
- 16. Right-click WMI Control (Local) to bring up the menu, and click Properties.
- 17. Click over to the Security tab, then click Root, and click the Security button.
- 18. Click Add.
- 19. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
- 20. Make sure the Distributed COM Users group is selected, and click Advanced.
- 21. Highlight the row with Distributed COM Users in it and click Edit.
- 22. From the 'Applies to' drop-down list, select 'This namespace and subnamespaces'.
- 23. Under the 'Allow' column, check Execute Methods, Enable Account and Remote Enable, and then click OK.
- 24. Repeat steps 17-23 for the Performance Monitor Users group.
- 25. Click OK to close all windows.
-
3.3 Set permissions to Service Control Manager Security for Windows Service Monitoring:
If you wish to monitor whether Windows Service monitors are up/down, you need to grant permission to SCManager. The access to the Windows services is controlled by the Security Descriptor of Service Control Manager, which by default is restricted for hardened OS. The below mentioned steps will grant remote access to Service Control Manager in user level, to get the list of services on a server.
- Retrieve the user SID of the User Account
- From the monitored device, open Command Prompt in Administrator mode.
- Run the below command to retrieve the user SID. Replace UserName with the user name for the User account.
wmic useraccount where name="UserName" get name,sid
Example:
wmic useraccount where name="administrator" get name,sid
- Note down the SID. (Ex. S-1-0-10-200000-30000000000-4000000000-500)
- Retrieve the current SDDL for the SC Manager
- Run the below command which will save the current SDDL for the SC Manager to the CurrentSDDL.txt.
sc sdshow scmanager > CurrentSDDL.txt
- Edit the CurrentSDDL.txt and copy the entire content.
- The SDDL will be look like below:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Update the SDDL:
- Frame new SDDL snippet for above SID
(A;;CCLCRPWPRC;;;<SID of User>)
Ex.
(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
- Now place this snippet in before "S:" of original SDDL.
- Updated SDDL will be like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Finally Execute the below command with Updated SDDL:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This will grant the following permissions to the user:
CC - To Get Service's current configuration
LC - To Get Service's current status
RP - To Read Properties/Start the Service
WP - To Write Properties/Stop the Service
RC - To Read the Security Descriptor.