Page tree

Windows Management Instrumentation (WMI) is an industry-standard technology for accessing management information in an enterprise environment.  It provides users with information about the status of local and remote Windows computer systems, providing discovery, profiling, and reporting with values retrieved from WMI-enabled devices.

Port Discovery Requirement

Device Profile Discovery depends on Port Discovery. Be sure to enable Port Discovery before using Device Profiling.

FIPS Requirement

Starting from Asset Manager 4.8, FIPS is required to be disabled for WMI functionality.

Relatedly, Asset Manager recommends that your Active Directory credentials be read only, unique, and non-expiring. 

The return values from WMI-enabled devices enhance the following aspects of Asset Manager:

  1. Discovery
  2. Profiling
  3. Services - Identifies installed/running services such as Windows Defender, HBSS/McAfee Agent, and Tanium Agent
    1. Install status
    2. Enabled/disabled status
    3. Last-scan time
    4. Version

Device attributes discovered through WMI Discovery will augment that device's profile. Also, notifications pertaining to the profiling of WMI-responsive Windows devices are expected to be made available at about the same time.

About WMI

Some basics on WMI Discovery in Asset Manager Enterprise Edition:

  1. WMI Discovery relies on port 135 to function; port 135 must be responsive in order to generate targets for WMI.  When your company's Active Directory administrator is asked to create a new user with WMI permissions (or give WMI permissions to an existing user), the admin will need to enable port 135 in the company's Active Directory Firewall Rules Group Policy
     
  2. WMI access is credentialed with proper DCOM and UAC settings provided by your Windows Domain Controller administrator. This means that your system administrator will need to manually input or import WMI credentials to a collector's WMI configuration. It also means that every device in the WMI-configured zone will be tested using every credential. Asset Manager WMI Discovery tries credentials in the order they are provided and uses the first one that works.

  3. The overhead on the Asset Manager system of testing many credentials against each device may be significant. WMI queries take ~ 800ms per WMI responsive device (per credential). Asset Manager runs 10 threads at a time so, in aggregate, the Asset Manager system can handle approximately 10 WMI responders per second.

  4. Your company's users with domain admin level authorization will have WMI-access to all devices on the domain by default.

  5. It is recommended the user "Asset Manager" be made a domain admin, unique to Asset Manager, and non-expiring in order to configure WMI security settings globally, domain-wide.

  6. Windows Domain Admin level access is recommended because each Windows machine has its own setting and there is no standard Windows AD group policy setting one can apply to allow WMI access for non domain admin users.  

  7. If adding Windows Domain Admin Users to Asset Manager is not permitted, then you can resort to a power shell script to create a non-admin, read only user.  Here are some online documents (see related links) that lists the steps you can take to create a script that contains the appropriate security descriptors.  The documents also explain how to subsequently place the script into a Windows AD GPO as a startup script and have your computers get the updated security settings at boot time.

  8. The Asset Manager system prioritizes the testing of WMI credentials in the top-down order in which they are listed. Asset Manager encrypts the WMI credentials before storing them in its database. Cloud and SNMP credentials are encrypted in the same way. 

Considerations

In configuring WMI Discovery, the following are some recommendations and things to keep in mind:

  1. FireMon recommends that you create one collector for each set of WMI credentials and set the CIDR range in Discovery Spaces to contain only devices that will respond successfully to those credentials:
    1. This will minimize the amount of time it will take to scan the network
    2. This will minimize the chance the WMI credential can be locked out (TIP: Increase the account lockout threshold)
    3. This will enable you to optimize the rescan interval for WMI.

  2. FireMon recommends that you setup a specific Active Directory account for use with Asset Manager and WMI Discovery. This will enable you to tailor the permissions and settings of the account to minimize access and make it read-only. 

  3. Expiration of Windows credential - Be aware that if the Windows credentials expire, the Asset Manager system won't be able to retrieve data.

  4. WMI attributes expire after 14 days; all other device attributes expire after 2 days.

WMI Dashboards

On the Asset Manager main menu, in Dashboards, the are two WMI dashboards available: WMI Summary and WMI Troubleshooting


Following is a summary of the widgets on these dashboards:

  1. Browse to Dashboards > WMI and select an option:
    1. WMI Summary

      WMI Summary Dashboard Widgets

      Type

      Description

      WMI Responders by OS 

      Summary chart 

      Count of WMI Operating Systems across all zones  

      WMI Responders 

      Detail table 

      Devices across all zones that responded to WMI Discovery 

      Non-Responding WMI Device Summary 

      Summary chart 

      Count of device-types across all zones that were unresponsive to WMI Discovery 

      Non-Responding WMI Devices 

      Detail table 

      Devices across all zones that were unresponsive to WMI Discovery 

      WMI Devices without Security Services Summary 

      Summary chart 

      Count of WMI-responsive device-types across all zones that did not report on a defined, configurable list of WMI security services.  Default list is Trellix, Tanium, and Windows Defender.

      WMI Devices without Security Services 

      Detail table 

      WMI-responsive device-types across all zones that did not report on a defined, configurable list of WMI security services.  Default list is Trellix, Tanium, and Windows Defender.

    2. WMI Troubleshooting

      WMI Troubleshooting Dashboard Widgets

      Type

      Description

      Windows Devices with WMI Port Closed Summary 

      Summary chart 

      Count of device-types across all zones that were profiled as Windows, yet did not have port 135 open 

      Windows Devices with WMI Port Closed 

      Detail table 

      Devices across all zones that were profiled as Windows, yet did not have port 135 open 

      WMI Devices with No WMI Services Summary 

      Summary chart 

      Count of device-types across all zones that were WMI-service responsive, yet did not report any WMI services 

      WMI Devices with No WMI Services 

      Detail table 

      Devices across all zones that that were WMI-service responsive, yet did not report any WMI services 

WMI Summary Dashboard Widgets

You can click a pie slice to filter the adjacent table to show only records associated with that attribute––in this case, the table would filter to a particular Windows operating system. You can also click a link in the table to drill down to Device Details for that device. These dashboard widgets show devices across all zones that responded to WMI Discovery.


These dashboard widgets show devices across all zones that were unresponsive to WMI Discovery. This means that port 135 was open, yet there was no response to WMI discovery. 

These dashboard widgets show WMI-responsive device-types across all zones that did not report any WMI services.

WMI Troubleshooting Dashboard Widgets

These dashboard widgets show devices across all zones that were profiled as Windows, yet did not have port 135 open.

These dashboard widgets show devices across all zones that that were WMI-service responsive, yet did not report any WMI services. This could be an indication that your credentials do not have the proper permissions. 

See What Services are Running 

You can input the IP address of any WMI-responsive device in a selected zone (or click a link in a WMI dashboard widget) to display a comprehensive list of all services running on the box (e.g., Windows Defender and Tanium status information.)

  1. On the Asset Manager GUI, browse to Search > Device Details.

  2. Input an IP address and zone name.

  3. Click Search and the WMI Services tab.

    All services running on the box display.  You can see the total number of records that were returned below the table.

Search the Services

You can use the control at the bottom of the results table to page through the results or use the Search bar to filter out all the records that don't match your criteria.

A description of each of the table columns follows:

  • Name: Unique identifier of the service that provides an indication of the functionality that is managed.
  • Started: Indicates whether or not the service is started.
  • State: Current state of the base service.

The values are:
* Stopped
* Start Pending
* Stop Pending
* Running 
* Continue Pending 
* Pause Pending 
* Paused
* Unknown

  • Status: Current status of the object. Various operational and non-operational statuses can be defined. Operational statuses include: "OK", "Degraded", and "Pred Fail" (an element, such as a SMART-enabled hard disk drive, may be functioning properly but predicting a failure in the near future). Non-operational statuses include: "Error", "Starting", "Stopping", and "Service". The latter, "Service," could apply during mirror-resilvering of a disk, reload of a user permissions list, or other administrative work. 

The values are:
* OK
* Error 
* Degraded 
* Unknown
* Pred Fail 
* Starting 
* Stopping
* Service 
* Stressed 
* NonRecover 
* No Contact 
* Lost Comm 

See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service  for information from Microsoft on their Win32_Service class.

Accurately Identify All Windows Devices

Use the Attributes tab to check security compliance. You could check, for example, to ensure that  all Windows systems are Windows 10 or later.

Run WMI Discovery

This new discovery type in Settings > Zones uses credentials you supply and input manually or import. You can supply WMI credentials

For the User Name field, do not add the domain name.  For example, do not use admin@local.net or local.net\bob for the username portion.



WMI Queries

A description of each WMI query is available in the lower right-hand corner of the Properties panel, under Comment.


Newer Features


  1. WMI Map Highlighting
    Asset Manager 3.3.4 is currently able to highlight WMI_OS, WMI_OS_Version, and WMI_OS_ServicePack on its maps. The capability to highlight on a Asset Manager zone map all nodes that have specific services (e.g., Windows Defender, McAfee, Tanium) installed and/or running is planned for development.



Related Links

To create a non-domain admin user with WMI rights, create a script of security descriptors using these procedures:

Forum FAQ: How to deploy WMI namespace security settings via a global policy orchestrator?

Securing WMI Namespaces

DCOM Server Security Feature Bypass KB

  • No labels