Windows Management Instrumentation (WMI) is an industry-standard technology for accessing management information in an enterprise environment. It provides users with information about the status of local and remote Windows computer systems.
In Lumeta Enterprise Edition 3.3.4, WMI augments Lumeta discovery, profiling, and reporting with values retrieved from WMI-enabled devices. Some WMI features are in development; these are called out in the descriptions ahead.
Relatedly, Lumeta recommends that your Active Directory credentials be read-only, unique, and non-expiring.
The return values from WMI-enabled devices enhance the following aspects of Lumeta:
- Discovery (census counts) (in Lumeta 3.3.4)
- Profiling (for Windows 10 and other versions) (in Lumeta 3.3.4)
- Services - Identifies installed/running services such as Windows Defender, HBSS/McAfee Agent, and Tanium Agent
- Install status (in Lumeta 3.3.4)
- Enabled/disabled status (in Lumeta 3.3.4)
- Last scan time (post-Lumeta 3.3.4)
- Version (post-Lumeta 3.3.4)
Device attributes discovered through WMI Discovery will augment that device's profile. Also, notifications pertaining to the profiling of WMI-responsive Windows devices are expected to be made available at about the same time.
Some basics on WMI Discovery in Lumeta Enterprise Edition:
- WMI Discovery relies on port 135 to function; port 135 must be responsive in order to generate targets for WMI. When your company's Active Directory administrator is asked to create a new user with WMI permissions (or give WMI permissions to an existing user), the admin will need to enable port 135 in the company's Active Directory Firewall Rules Group Policy.
- WMI access is credentialed. This means that your system administrator will need to manually input or import WMI credentials to a collector's WMI configuration. It also means that every device in the WMI-configured zone will be tested using every credential. Lumeta WMI Discovery tries credentials in the order they are provided and uses the first one that works.
- The overhead on the Lumeta system of testing many credentials against each device may be significant. WMI queries take ~800 ms per WMI-responsive device (per credential). Lumeta runs 10 threads at a time, so in aggregate the Lumeta system can handle approximately 10 WMI responders per second.
- Your company's users with domain admin level authorization will have WMI access to all devices on the domain by default.
- It is recommended the user "lumeta" be made a domain admin, unique to Lumeta, and non-expiring in order to configure WMI security settings globally, domain-wide.
- Windows Domain Admin level access is recommended because each Windows machine has its own setting and there is no standard Windows AD group policy setting one can apply to allow WMI access for non-domain-admin users.
- If adding Windows Domain Admin users to Lumeta is not permitted, you can instead use a PowerShell script to create a non-admin, read-only user. Online documents (see related links) list the steps you can take to create a script that contains the appropriate security descriptors. The documents also explain how to subsequently place the script into a Windows AD GPO as a startup script so that your computers receive the updated security settings at boot time.
- The Lumeta system prioritizes the testing of WMI credentials in the top-down order in which they are listed. Lumeta encrypts the WMI credentials before storing them in its database. Cloud and SNMP credentials are encrypted in the same way.
In configuring WMI Discovery, following are some recommendations and things to keep in mind:
- FireMon recommends that you create one collector for each set of WMI credentials and set the CIDR range in Discovery Spaces to contain only devices that will respond successfully to those credentials. This will minimize the amount of time it will take to scan the network. This will also enable you to optimize the rescan interval for WMI.
- FireMon recommends that you set up a specific Active Directory account for use with Lumeta and WMI Discovery. This will enable you to tailor the permissions and settings of the account to minimize access and make it read-only.
- Expiry of Windows credentials: Be aware that if the Windows credentials expire, the Lumeta system won't be able to retrieve data.
- WMI attributes expire after 14 days; all other device attributes expire after 2 days.
On the Lumeta main menu, under Dashboards, there are two WMI dashboards available: WMI Summary and WMI Troubleshooting. Browse to Dashboards > WMI and select an option.
Following is a summary of the widgets on these dashboards:
WMI Summary Dashboard Widgets
- WMI Responders by OS: Count of WMI operating systems across all zones; devices across all zones that responded to WMI Discovery
- Non-Responding WMI Device Summary: Count of device-types across all zones that were unresponsive to WMI Discovery
- Non-Responding WMI Devices: Devices across all zones that were unresponsive to WMI Discovery
- WMI Devices without Security Services Summary: Count of WMI-responsive device-types across all zones that did not report any WMI services
- WMI Devices without Security Services: WMI-responsive device-types across all zones that did not report any WMI services
WMI Troubleshooting Dashboard Widgets
- Windows Devices with WMI Port Closed Summary: Count of device-types across all zones that were profiled as Windows, yet did not have port 135 open
- Windows Devices with WMI Port Closed: Devices across all zones that were profiled as Windows, yet did not have port 135 open
- WMI Devices with No WMI Services Summary: Count of device-types across all zones that were WMI-service responsive, yet did not report any WMI security services
- WMI Devices with No WMI Services: Devices across all zones that were WMI-service responsive, yet did not report any WMI security services
WMI Summary Dashboard Widgets
You can click a pie slice to filter the adjacent table to show only records associated with that attribute; in this case, the table would filter to a particular Windows operating system. You can also click a link in the table to drill down to Device Details for that device. These dashboard widgets show devices across all zones that responded to WMI Discovery.
These dashboard widgets show devices across all zones that were unresponsive to WMI Discovery. This means that port 135 was open, yet there was no response to WMI discovery.
These dashboard widgets show WMI-responsive device-types across all zones that did not report any WMI services.
WMI Troubleshooting Dashboard Widgets
These dashboard widgets show devices across all zones that were profiled as Windows, yet did not have port 135 open.
These dashboard widgets show devices across all zones that were WMI-service responsive, yet did not report any WMI services. This could be an indication that your credentials do not have the proper permissions.
See What Services are Running
You can input the IP address of any WMI-responsive device in a selected zone (or click a link in a WMI dashboard widget) to display a comprehensive list of all services running on the box (e.g., Windows Defender and Tanium status information).
On the Lumeta GUI, browse to Search > Device Details.
Input an IP address and zone name.
Click Search, then click the WMI Services tab.
All services running on the box are displayed. You can see the total number of records that were returned below the table.
Search the Services
You can use the control at the bottom of the results table to page through the results or use the Search bar to filter out all the records that don't match your criteria.
A description of each of the table columns follows:
- Name: Unique identifier of the service that provides an indication of the functionality that is managed.
- Started: Indicates whether or not the service is started.
- State: Current state of the base service.
The values are:
* Start Pending
* Stop Pending
* Continue Pending
* Pause Pending
- Status: Current status of the object. Various operational and non-operational statuses can be defined. Operational statuses include: "OK", "Degraded", and "Pred Fail" (an element, such as a SMART-enabled hard disk drive, may be functioning properly but predicting a failure in the near future). Non-operational statuses include: "Error", "Starting", "Stopping", and "Service". The latter, "Service," could apply during mirror-resilvering of a disk, reload of a user permissions list, or other administrative work.
The values are:
* Pred Fail
* No Contact
* Lost Comm
See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service for information from Microsoft on their Win32_Service class.
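The following PowerShell script is an added example, not Lumeta's own code: it reproduces in miniature what WMI Discovery does for one host (port 135 check, credentials tried top-down with the first working one used, then a Win32_Service query) and reports the Name/Started/State/Status columns for the three security agents the page names. The service names WinDefend, masvc and "Tanium Client" are assumptions about those products and should be checked against your own environment.

```powershell
# Added example (not Lumeta code). Run from Windows PowerShell 5.1 with read-only AD credentials.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [pscredential[]] $Credentials   # tried in the order given, like Lumeta
)

# Assumed Windows service names for the agents mentioned on the page.
$securityServices = [ordered]@{
    'WinDefend'     = 'Windows Defender'
    'masvc'         = 'McAfee Agent (HBSS)'
    'Tanium Client' = 'Tanium Agent'
}

# 1. WMI over DCOM needs the RPC endpoint mapper on port 135; otherwise the host
#    would appear in the "Windows Devices with WMI Port Closed" widget.
if (-not (Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet)) {
    Write-Warning "$ComputerName : port 135 closed, no WMI target generated"
    return
}

# 2. Try each credential in listed order; the first one that returns data wins.
$services = $null
foreach ($cred in $Credentials) {
    try {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                                  -Credential $cred -ErrorAction Stop
        Write-Verbose "Authenticated as $($cred.UserName)"
        break
    } catch {
        Write-Verbose "$($cred.UserName) failed: $($_.Exception.Message)"
    }
}
if (-not $services) {
    # Port open but no WMI answer: the "Non-Responding WMI Devices" case,
    # often a permissions problem with the supplied accounts.
    Write-Warning "$ComputerName : port 135 open but no WMI response with any credential"
    return
}

# 3. Report the same columns the WMI Services tab shows, flagging absent agents.
$report = foreach ($name in $securityServices.Keys) {
    $svc = $services | Where-Object { $_.Name -eq $name }
    [pscustomobject]@{
        Product = $securityServices[$name]
        Name    = $name
        Started = if ($svc) { $svc.Started } else { $null }
        State   = if ($svc) { $svc.State }   else { 'Not installed' }
        Status  = if ($svc) { $svc.Status }  else { $null }
    }
}
$report | Format-Table -AutoSize
```

Get-WmiObject uses DCOM (port 135 plus a dynamic RPC port), the same transport Lumeta's WMI Discovery depends on; it is not available in PowerShell 7, where a CIM session with the DCOM protocol option would be used instead.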
Accurately Identify All Windows Devices
Use the Attributes tab to check security compliance. You could check, for example, to ensure that all Windows systems are Windows 10 or later.
Run WMI Discovery
This new discovery type in Settings > Zones uses WMI credentials that you supply, either input manually or imported.
A description of each WMI query is available in the lower right-hand corner of the Properties panel, under Comment.
Features in Development
- All WMI Responders Report - In development
A real-time report listing all WMI-responding devices. The table will include: IP address, MAC, Device Profile, and Windows Defender status information (installed, version, enabled/disabled, last run time). Table columns can be sorted and filtered.
- WMI Map Highlighting - In development
Lumeta 3.3.4 is currently able to highlight WMI_OS, WMI_OS_Version, and WMI_OS_ServicePack on its maps. The capability to highlight on a Lumeta zone map all nodes that have specific services (e.g., Windows Defender, McAfee, Tanium) installed and/or running is planned for development.
- WMI Logging - In development
- At log level "info", the system logs a successful poll (or error message) and time-of-poll.
- At log level "debug", the system logs a successful poll (or error message), time-of-poll, and response size in bytes.