我一直试图以非管理员域用户的身份通过 WMI 获取正在运行的 Windows 进程的远程列表,包括它们的 CommandLine/ExecutablePath 属性,用于监控工具。我已成功使用以下答案获取进程列表,但 CommandLine 属性始终为空。
[用户需要哪些权限/权利才能在远程计算机上拥有 WMI 访问权限?
在本地安全策略中授予“调试程序”用户权限允许访问 CommandLine/ExecutablePath 信息。但监控用户帐户可能会入侵进程,而不仅仅是查询有关进程的信息。是否有任何较低的用户权限或其他方式来解锁 CommandLine 信息?我已使用下面显示的 wmic 工具参数进行测试。
wmic /node:“服务器名称”/user:用户名/password:密码进程获取名称、命令行、可执行路径
提前感谢您能给我的任何见解。
答案1
我最终设法解决了这个问题,方法是为 AD 组授予单个服务的更多权限。这样,监控工具可能能够控制要监控的服务,但至少不能侵入目标机器上运行的任何进程。我使用了下面的 Powershell 脚本来实现这一点。您必须输入自己的 AD 组并修改 Windows 服务列表以满足您的需求。可以通过组策略运行此类脚本并将其应用于一组服务器。
function AddSDDL() {
Param(
[Parameter(Mandatory=$True)]
[string]$Username,
[Parameter(Mandatory=$True)]
[string]$Service
)
$servicetest = Get-Service | where {$_.name -eq "$service"}
if (!$servicetest -and $service -ne "scmanager") {
Write-Host "Service $service does not exist. Please supply the name and not the display name"
return $false;
}
$domain = ($username.split("\"))[0]
$user = ($username.split("\"))[1]
$ntaccount = New-Object System.Security.Principal.NTAccount($domain,$user)
$sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).value
if (!$sid) {
Write-Host "User $username cannot be resolved to a SID. Does the account exist?"
return $false;
}
$sddl = [string](cmd /c "sc.exe sdshow $service");
if ($sddl -match $sid) {
Write-Host "User $username already has some sort of access in the SDDL. Remediate manually"
return $false;
}
if($sddl -match "S:\(") {
$sddl = $sddl -replace "S:\(","(A;;CCLCLORPRC;;;$sid)S:("
} elseif($sddl -match "D:" -and $sddl.LastIndexOf(":") -lt 3) {
$sddl += "(A;;CCLCLORPRC;;;$sid)";
} else {
Write-Host "SDDL contains multiple description types like D: and A:, but not S:, remediate manually"
return $false;
}
$sddlCommand = "sc.exe sdset $service $sddl";
Write-Host($sddlCommand);
$sddlset = cmd /c $sddlCommand
if ($sddlset -notlike "*SUCCESS*") {
Write-Host "Permissions did not set"
Write-Host "Full error: $sddlset"
}
else {
Write-Host "Permissions set successfully for $username on $service"
}
return $true;
}
clear;
# default 2012 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2012 R2 w32time: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
# default 2008 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2008 R2 w3svc: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# default 2008 R2 aspnet_state: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# with list content (LC), read all properties (RP) and read permissions (RC) for authenticated users: D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
$serviceNames = @("DHCPServer","TlntSvr","RpcSs","SamSs","DNS","Dnscache","LanmanWorkstation","Netlogon","Kdc","IsmServ","DFSR","W32Time","LanmanServer","WAS","aspnet_state","W3SVC","scmanager");
$serviceNames += Get-Service | Where-Object{$_.Name -like "*sql*"} | ForEach-Object{$_.Name};
$serviceNames += Get-Service | Where-Object{$_.Name -like "*ReportServer*"} | ForEach-Object{$_.Name};
foreach($serviceName in $serviceNames) {
Write-Host("SDDL of $serviceName before update: ") -NoNewline;
sc.exe sdshow $serviceName
$wmiGroup = "YOUR_DOMAN\AD_GROUP_FOR_WMI_MONITORING"
$modified = AddSDDL -Username $wmiGroup -Service $serviceName;
if($modified) {
Write-Host("SDDL of $serviceName after update: ") -NoNewline;
sc.exe sdshow $serviceName
}
}