WMI 访问进程 CommandLine 的最低权限是什么？

Question 1

我最终设法解决了这个问题，方法是为 AD 组授予单个服务的更多权限。这样，监控工具可能能够控制要监控的服务，但至少不能侵入目标机器上运行的任何进程。我使用了下面的 Powershell 脚本来实现这一点。您必须输入自己的 AD 组并修改 Windows 服务列表以满足您的需求。可以通过组策略运行此类脚本并将其应用于一组服务器。

function AddSDDL() {
    Param(
        [Parameter(Mandatory=$True)]
        [string]$Username,
        [Parameter(Mandatory=$True)]
        [string]$Service
    )
    $servicetest = Get-Service | where {$_.name -eq "$service"}
    if (!$servicetest -and $service -ne "scmanager") {
        Write-Host "Service $service does not exist. Please supply the name and not the display name"
        return $false;
    }
    $domain = ($username.split("\"))[0]
    $user = ($username.split("\"))[1]
    $ntaccount = New-Object System.Security.Principal.NTAccount($domain,$user)
    $sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).value
    if (!$sid) {
        Write-Host "User $username cannot be resolved to a SID. Does the account exist?"
        return $false;
    }
    $sddl = [string](cmd /c "sc.exe sdshow $service");
    if ($sddl -match $sid) {
        Write-Host "User $username already has some sort of access in the SDDL. Remediate manually"
        return $false;
    }
    if($sddl -match "S:\(") {
        $sddl = $sddl -replace "S:\(","(A;;CCLCLORPRC;;;$sid)S:("
    } elseif($sddl -match "D:" -and $sddl.LastIndexOf(":") -lt 3) {
        $sddl += "(A;;CCLCLORPRC;;;$sid)";
    } else {
        Write-Host "SDDL contains multiple description types like D: and A:, but not S:, remediate manually"
        return $false;
    }
    $sddlCommand = "sc.exe sdset $service $sddl";
    Write-Host($sddlCommand);
    $sddlset = cmd /c $sddlCommand
    if ($sddlset -notlike "*SUCCESS*") {
        Write-Host "Permissions did not set"
        Write-Host "Full error: $sddlset"
    }
    else {
        Write-Host "Permissions set successfully for $username on $service"
    }

    return $true;
}

clear;

# default 2012 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2012 R2 w32time: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
# default 2008 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2008 R2 w3svc: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# default 2008 R2 aspnet_state: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# with list content (LC), read all properties (RP) and read permissions (RC) for authenticated users: D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

$serviceNames = @("DHCPServer","TlntSvr","RpcSs","SamSs","DNS","Dnscache","LanmanWorkstation","Netlogon","Kdc","IsmServ","DFSR","W32Time","LanmanServer","WAS","aspnet_state","W3SVC","scmanager");
$serviceNames += Get-Service | Where-Object{$_.Name -like "*sql*"} | ForEach-Object{$_.Name};
$serviceNames += Get-Service | Where-Object{$_.Name -like "*ReportServer*"} | ForEach-Object{$_.Name};
foreach($serviceName in $serviceNames) {
    Write-Host("SDDL of $serviceName before update: ") -NoNewline;
    sc.exe sdshow $serviceName

    $wmiGroup = "YOUR_DOMAN\AD_GROUP_FOR_WMI_MONITORING"
    $modified = AddSDDL -Username $wmiGroup -Service $serviceName;

    if($modified) {
        Write-Host("SDDL of $serviceName after update: ") -NoNewline;
        sc.exe sdshow $serviceName
    }
}

Answer

我最终设法解决了这个问题，方法是为 AD 组授予单个服务的更多权限。这样，监控工具可能能够控制要监控的服务，但至少不能侵入目标机器上运行的任何进程。我使用了下面的 Powershell 脚本来实现这一点。您必须输入自己的 AD 组并修改 Windows 服务列表以满足您的需求。可以通过组策略运行此类脚本并将其应用于一组服务器。

function AddSDDL() {
    Param(
        [Parameter(Mandatory=$True)]
        [string]$Username,
        [Parameter(Mandatory=$True)]
        [string]$Service
    )
    $servicetest = Get-Service | where {$_.name -eq "$service"}
    if (!$servicetest -and $service -ne "scmanager") {
        Write-Host "Service $service does not exist. Please supply the name and not the display name"
        return $false;
    }
    $domain = ($username.split("\"))[0]
    $user = ($username.split("\"))[1]
    $ntaccount = New-Object System.Security.Principal.NTAccount($domain,$user)
    $sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).value
    if (!$sid) {
        Write-Host "User $username cannot be resolved to a SID. Does the account exist?"
        return $false;
    }
    $sddl = [string](cmd /c "sc.exe sdshow $service");
    if ($sddl -match $sid) {
        Write-Host "User $username already has some sort of access in the SDDL. Remediate manually"
        return $false;
    }
    if($sddl -match "S:\(") {
        $sddl = $sddl -replace "S:\(","(A;;CCLCLORPRC;;;$sid)S:("
    } elseif($sddl -match "D:" -and $sddl.LastIndexOf(":") -lt 3) {
        $sddl += "(A;;CCLCLORPRC;;;$sid)";
    } else {
        Write-Host "SDDL contains multiple description types like D: and A:, but not S:, remediate manually"
        return $false;
    }
    $sddlCommand = "sc.exe sdset $service $sddl";
    Write-Host($sddlCommand);
    $sddlset = cmd /c $sddlCommand
    if ($sddlset -notlike "*SUCCESS*") {
        Write-Host "Permissions did not set"
        Write-Host "Full error: $sddlset"
    }
    else {
        Write-Host "Permissions set successfully for $username on $service"
    }

    return $true;
}

clear;

# default 2012 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2012 R2 w32time: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
# default 2008 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2008 R2 w3svc: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# default 2008 R2 aspnet_state: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# with list content (LC), read all properties (RP) and read permissions (RC) for authenticated users: D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

$serviceNames = @("DHCPServer","TlntSvr","RpcSs","SamSs","DNS","Dnscache","LanmanWorkstation","Netlogon","Kdc","IsmServ","DFSR","W32Time","LanmanServer","WAS","aspnet_state","W3SVC","scmanager");
$serviceNames += Get-Service | Where-Object{$_.Name -like "*sql*"} | ForEach-Object{$_.Name};
$serviceNames += Get-Service | Where-Object{$_.Name -like "*ReportServer*"} | ForEach-Object{$_.Name};
foreach($serviceName in $serviceNames) {
    Write-Host("SDDL of $serviceName before update: ") -NoNewline;
    sc.exe sdshow $serviceName

    $wmiGroup = "YOUR_DOMAN\AD_GROUP_FOR_WMI_MONITORING"
    $modified = AddSDDL -Username $wmiGroup -Service $serviceName;

    if($modified) {
        Write-Host("SDDL of $serviceName after update: ") -NoNewline;
        sc.exe sdshow $serviceName
    }
}

Question 2

这里他们建议使用以下解决方案Wmi安全：

WmiSecurity.exe /C="%computername%" /A /N=Root/CIMV2 /M=" DOMAIN\USER:REMOTEACCESS" /R

或者，你可以使用内置实用程序，如演示这里。

但我认为这两种解决方案都不能将访问仅限于流程信息。

Answer

这里他们建议使用以下解决方案Wmi安全：

WmiSecurity.exe /C="%computername%" /A /N=Root/CIMV2 /M=" DOMAIN\USER:REMOTEACCESS" /R

或者，你可以使用内置实用程序，如演示这里。

但我认为这两种解决方案都不能将访问仅限于流程信息。

WMI 访问进程 CommandLine 的最低权限是什么？

答案1

答案2

相关内容