How to set up a Windows user with minimal permissions for connecting to remote hosts in the Assets Discovery tool


Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

In certain scenarios, administrators may prefer to create a dedicated, least-privilege account for use in the Discovery tool's Credentials tab. This account is used to connect to remote hosts and should be a standard user, not a member of the Administrators group.

The built-in Windows Administrator account has more effective rights over the network than a newly created local administrator account: it is exempt from the UAC remote token filtering that gives every other local account a filtered, standard-user token on remote connections. As a result, a newly created local administrator account is denied when it tries to scan a host over WMI. Rather than working around that by handing out full administrative rights, the steps below grant a standard account only the WMI namespace and DCOM permissions a scan needs.


Environment

  • Assets Discovery tool
  • Remote host using Windows OS

Solution

On each remote Windows host to be scanned, the following steps are required:

  1. Create a Windows user account
    1. Add the above user to the 'Performance Monitor Users' group (do not add it to 'Administrators')
  2. WMI Control
    1. Run wmimgmt.msc
    2. Right-click 'WMI Control (Local)' > Properties > Security tab
    3. Navigate to Root\CIMV2 > Security button
    4. Add the 'Performance Monitor Users' group
    5. Grant 'Execute Methods', 'Enable Account' and 'Remote Enable' to the 'Performance Monitor Users' group > Click OK
    6. Navigate to Root\DEFAULT > Security button
    7. Add the 'Performance Monitor Users' group
    8. Grant 'Execute Methods', 'Enable Account' and 'Remote Enable' to the 'Performance Monitor Users' group > Click OK
  3. Component Services (WMI connections ride on DCOM, so the machine-wide DCOM limits and the WMI application's own launch permission must admit the group as well; the namespace ACLs above are checked only after DCOM has accepted the connection)
    1. Run 'dcomcnfg'
    2. Navigate to 'Component Services' > 'Computers'
    3. Right-click 'My Computer' > Properties > COM Security tab
    4. Click "Edit Limits" for Access Permissions
    5. Add the 'Performance Monitor Users' group
    6. Grant 'Remote Access'
    7. Click "Edit Limits" for Launch and Activation Permissions
    8. Add the 'Performance Monitor Users' group
    9. Grant 'Remote Activation'
    10. Navigate to 'Component Services' > 'Computers' > 'My Computer' > 'DCOM Config'
    11. Right-click 'Windows Management and Instrumentation' > Properties > Security tab
    12. Click "Edit" for Launch and Activation Permissions
    13. Add the 'Performance Monitor Users' group
    14. Grant 'Remote Launch' and 'Remote Activation'
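The GUI steps above, automated as an added example script. This is not part of the article or of the Assets Discovery product; run it in an elevated Windows PowerShell 5.1 session on each remote host. It assumes the account is named 'wmi' (any name works). The WBEM_* and COM_RIGHTS_* bit values, the registry locations of the DCOM limits, and the AppID GUID of the 'Windows Management and Instrumentation' application are taken from Microsoft's WMI and COM documentation rather than from the article; confirm the GUID on that application's General tab in dcomcnfg before relying on it. The script only adds ACEs that are not already present, so it can be re-run safely.

```powershell
# Added example, not from the Atlassian article: grants a standard local account the
# WMI and DCOM rights from the Solution steps, without making it an administrator.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$userName = 'wmi'                        # assumed account name
$group    = 'Performance Monitor Users'

# --- Step 1: local user, member of Performance Monitor Users only ---
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for local account '$userName'"
    New-LocalUser -Name $userName -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Assets Discovery WMI scan account' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $group -Member $userName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $group -Member $userName
}
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# --- Step 2: namespace ACLs: Enable Account (0x1) + Execute Methods (0x2) + Remote Enable (0x20) ---
$WBEM_ENABLE = 0x1; $WBEM_METHOD_EXECUTE = 0x2; $WBEM_REMOTE_ACCESS = 0x20
$wmiMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS    # 0x23

foreach ($ns in 'root\cimv2', 'root\DEFAULT') {
    $sd = (Invoke-WmiMethod -Namespace $ns -Path '__systemsecurity=@' -Name GetSecurityDescriptor).Descriptor
    if ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid.Value }) { continue }   # already granted
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid.Value
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $wmiMask
    $ace.AceFlags   = 0     # this namespace only, as in the GUI; 0x2 (CONTAINER_INHERIT) would cover subnamespaces
    $ace.AceType    = 0     # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $r = Invoke-WmiMethod -Namespace $ns -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
             -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $ns failed with $($r.ReturnValue)" }
}

# --- Step 3: DCOM limits and the WMI application's launch permission ---
# COM_RIGHTS_EXECUTE (0x1) must be set for the granular remote bits to be honoured.
$COM_EXECUTE = 0x1; $COM_EXECUTE_REMOTE = 0x4; $COM_ACTIVATE_REMOTE = 0x10
$wmiAppId = '{8BC3F05E-D86B-11D0-A075-00C04FB68820}'   # 'Windows Management and Instrumentation'; verify in dcomcnfg

function Add-DcomAce {
    # Appends an allow ACE for $Sid to a binary DCOM security descriptor stored in the registry.
    param([string]$Path, [string]$Name, [int]$Mask, [System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) {
        # The value only exists once someone has clicked OK in the matching dcomcnfg dialog.
        Write-Warning "$Path\$Name not set; open the dialog in dcomcnfg, click OK, then re-run."
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { Write-Warning "$Name has a NULL DACL (everyone allowed)"; return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -eq $Sid -and ($ace.AccessMask -band $Mask) -eq $Mask) { return }
    }
    $newAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed, $Mask, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $Path -Name $Name -Value $out -Type Binary
}

$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
# Edit Limits > Access Permissions: Remote Access
Add-DcomAce -Path $ole -Name MachineAccessRestriction -Sid $sid -Mask ($COM_EXECUTE -bor $COM_EXECUTE_REMOTE)
# Edit Limits > Launch and Activation Permissions: Remote Activation
Add-DcomAce -Path $ole -Name MachineLaunchRestriction -Sid $sid -Mask ($COM_EXECUTE -bor $COM_ACTIVATE_REMOTE)
# DCOM Config > Windows Management and Instrumentation > Launch and Activation: Remote Launch + Remote Activation
Add-DcomAce -Path "Registry::HKEY_CLASSES_ROOT\AppID\$wmiAppId" -Name LaunchPermission -Sid $sid `
    -Mask ($COM_EXECUTE -bor $COM_EXECUTE_REMOTE -bor $COM_ACTIVATE_REMOTE)

Write-Host "Done. Confirm in wmimgmt.msc and dcomcnfg, then run the Discovery tool's credential test."
```

Because the account is never placed in Administrators, it is not subject to the UAC remote token filtering that makes a newly created local administrator fail over WMI, and the rights it does hold are limited to reading and invoking methods in the two namespaces the scan uses plus the DCOM access needed to reach them.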

Test

There are many steps above, so it is worth verifying the result. You can do that in two ways.

The first way is from the Discovery tool itself:

  1. Launch the Discovery tool application
  2. Navigate to the Credentials tab
  3. If you don't yet have a Windows credential, create one with the plus sign icon
  4. Change the Type to Windows
  5. Enter the credentials created in Solution - Step 1
  6. Click Test and enter the IP address of the remote host to be scanned (you must use an IP address; using a hostname will result in an error)

The second way is via PowerShell. The Get-WmiObject script below uses the same DCOM/RPC transport as the Discovery tool, so it needs the same ports open on the remote host: TCP 135 plus a dynamically assigned RPC port (49152-65535 by default on supported Windows versions). Port 5985 (WinRM) is only required if you test with Get-CimInstance over a WSMan session or with PowerShell remoting instead; it is not used by the script below.

On the Discovery Tool Server:

  1. Launch PowerShell ISE
  2. Create a new script: File > New
  3. Copy the below PowerShell script:
    # Use the account from Solution - Step 1; for a local account on the target, enter it as <remotehost>\wmi
    $creds = Get-Credential -UserName "wmi" -Message "Provide Credentials for WMI Scanning"
    $CN = Read-Host "Provide the Computer name or IP address"
    # Get-WmiObject connects over DCOM/RPC, as the Discovery tool does; -Impersonation 3 is the Impersonate level
    Get-WmiObject -Namespace "root\cimv2" -Class Win32_Process -Impersonation 3 -ComputerName $CN -Credential $creds
  4. Click the Run Script button (F5)
  5. Provide the credentials created in Solution - Step 1
  6. Provide the hostname or IP address of the remote host to be scanned
  7. If everything was done correctly you should see a list of Win32_Process instances from the remote host, one block of properties per running process. An "Access denied" (0x80070005) error means one of the WMI namespace or DCOM permissions above is still missing; an RPC server unavailable error points at the firewall ports rather than at permissions.




Last modified on Jan 4, 2025
