
...

WinRM 2.x uses the following ports in its default configuration: HTTP = 5985 and HTTPS = 5986 (WinRM 1.1 used 80 and 443). If those ports are already taken on the host, see “Creating a WinRM listener with a custom port”. https://mdrkb.atlassian.net/wiki/spaces/AAMDARCQSG/pages/527237128/Windows+Remote+Management+WinRM#Creating-a-WinRM-listener-with-a-custom-port

WinRM must be installed and configured; otherwise WinRM scripts do not run and the WinRM command-line tool cannot perform data operations.

...

A certificate must be installed before you use the HTTPS protocol. This information is in the collector manual. Execute Step 4 of the collector manual only if you use a local account for the monitored host name.

To set up WinRM

  1. To configure a Vista computer, you must log in as the local administrator. Either select Run As Administrator from the Start menu or use the RunAs command at the command prompt.

  2. To configure WinRM to work with the collector over standard HTTP, create an HTTP listener on the default port (80 on WinRM 1.1, 5985 on WinRM 2.x) with the following command:

Code Block
winrm create winrm/config/listener?Address=*+Transport=HTTP

Creating the listener with winrm quickconfig instead performs the following operations; winrm create only adds the listener, so with it you start the WinRM service and open the firewall port yourself:

  • Starts the WinRM service and sets the service startup type to auto-start.

  • Configures a listener for the port that sends and receives WS-Management protocol messages using the HTTP protocol.

  • Defines the Windows Firewall (Internet Connection Firewall, ICF) exceptions for the WinRM service and opens the ports.

  3. Modify some of the default settings (the collector authenticates with Basic authentication, and on an HTTP listener the service must also allow unencrypted traffic):

Code Block
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/service/Auth @{Basic="true"}

With these two settings the collector's credentials and the collected events cross the network in clear text on the HTTP listener. Restrict that listener to a management network, or use the HTTPS listener described in this page and leave AllowUnencrypted at its default of false.
  4. To verify the listener, type the following:

Code Block
winrm enumerate winrm/config/Listener
  5. To remove a WinRM listener, type the following at a command prompt (this example removes the HTTPS listener):

Code Block
winrm delete winrm/config/listener?Address=*+Transport=HTTPS
  6. Follow the remaining steps in the WS Management Event Collector Guide for Installation and Sensor Configuration.

 

...

Creating a WinRM listener with a custom port

Create a WinRM listener with a custom port when you want to collect Windows logs over WinRM but the default listener ports (5985 and 5986) are already in use by another application on the host.

...

To create a WinRM listener with a custom HTTP port 8888

  • Run the command:

Code Block
winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}

Port 8888 is given as an example. You may choose any unused port.

To create a WinRM listener with a custom HTTPS port 8888:

  • Run the command:

Code Block
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="8888"}

Port 8888 is given as an example. You may choose any unused port.

To change the port of an existing WinRM listener:

  • Run the command:

Code Block
winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}

Port 8888 is given as an example. You may choose any unused port. Remember to open the new port in the firewall and to update the collector's sensor configuration to match.

Creating a Group Policy Object (GPO) for auto-configuration through Active Directory for the WS Management collector

...

Creating a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

...

To create a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

  1. On the Start menu, navigate to Programs > Administrative Tools > Group Policy Management.

  2. Create a new GPO.

  3. Right-click the new GPO, and click Edit.

  4. In Group Policy Management Editor, expand the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies folders.

  5. Create a new automatic certificate request policy.

  6. In the Welcome to the Automatic Certificate Request Settings Wizard panel, click Next.

  7. In the Certificate Template panel, select the Computer template, and click Next. If you create a policy for domain controllers, select the Domain Controller template.

  8. Click Finish.

  9. In Group Policy Management Editor, select the Public Key Policies folder. In the right pane, right-click Certificate Services Client - Auto-Enrollment, and select Properties.

  10. In the Configuration Model list, click Enabled.

  11. Select both check boxes (Renew expired certificates, update pending certificates, and remove revoked certificates; Update certificates that use certificate templates), click Apply, and then click OK.

...

  1. On your CA, on the Start menu, click Run, and type the following command: mmc

  2. In the Management console, on the File menu, click Add/Remove Snap-in...

  3. In the Available snap-ins list, click Certificate Templates, click Add, and then click OK.

  4. In the Template Display Name list, right-click the Computer template, and then click Properties.

  5. On the Security tab, select the Domain Computers group and check the Allow box for the Enroll permission.

You can now link the GPO to your domain and assign it to the computers that use WinRM for the WS Management collector.

Specifying manually what certificate the WinRM listener uses

If the collector log contains messages about an "untrusted server certificate chain", either no certificate has been set up, or WinRM is configured with the wrong certificate.

...

  1. Open the certificate file, and click the Details tab.

  2. Scroll to the bottom and click Thumbprint.

  3. The bottom half of the window displays the hexadecimal value. This is the value to use in the winrm command.

  4. Logged in as an administrator, open a command window.

  5. Set the WinRM service configuration to use the correct thumbprint by entering the following command:

Code Block
winrm set winrm/config/service @{CertificateThumbprint="<hexadecimal thumbprint value from the correct certificate>"}

Remove the spaces from the thumbprint string before pasting it; WinRM does not accept the space-separated form shown in the certificate dialog.

  6. Set up the listener to use that same thumbprint by entering the following command:

Code Block
winrm create winrm/config/Listener?Address=IP:<IP address of the host>+Transport=HTTPS @{Hostname="<host name in the certificate>";CertificateThumbprint="<hexadecimal thumbprint value from the correct certificate>"}

Again, remove the spaces from the thumbprint string. The Hostname value must match the subject name (CN or subject alternative name) of the certificate; if it does not, clients still reject the listener with a certificate error even though the thumbprint is right.
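The same two tasks (a listener on a custom port, and an HTTPS listener bound to a chosen certificate), done from PowerShell instead of winrm.cmd, as an added example that is not part of the original page or of the collector documentation. It assumes it runs in an elevated session on the monitored host, that the certificate is in the LocalMachine\My store with its private key and the Server Authentication EKU, and that Windows Firewall is managed with netsh advfirewall; the function names and the $Port and $Fqdn parameters are this example's own.

```powershell
# Added example, not from the original page: create and verify WinRM listeners from
# PowerShell. Assumptions (this example's own, not stated on the page):
#   - runs in an elevated session on the monitored Windows host (WinRM 2.x);
#   - the HTTPS certificate is in Cert:\LocalMachine\My, has its private key, and
#     carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1);
#   - Windows Firewall is managed with netsh advfirewall.
# Function names and parameters ($Port, $Fqdn) are hypothetical, chosen here.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-ServerAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # True when the certificate has a private key and an EKU extension that lists
    # Server Authentication; without that EKU WinRM clients reject the listener.
    if (-not $Cert.HasPrivateKey) { return $false }
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

function Open-WinRmPort {
    param([int]$Port, [string]$Name)
    # winrm create does not touch the firewall (quickconfig does); open the port here.
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port | Out-Null
}

function New-WinRmHttpListener {
    param([int]$Port = 8888)   # 8888 is the port the page uses as its example
    $selector = @{ Address = '*'; Transport = 'HTTP' }
    $existing = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Where-Object { $_.Address -eq '*' -and $_.Transport -eq 'HTTP' }
    if ($existing) {
        # A second listener on the same address/transport is an error; change its port instead.
        Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
            -ValueSet @{ Port = "$Port" } | Out-Null
    } else {
        New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
            -ValueSet @{ Port = "$Port" } | Out-Null
    }
    Open-WinRmPort -Port $Port -Name "WinRM HTTP $Port"
}

function New-WinRmHttpsListener {
    param([Parameter(Mandatory = $true)][string]$Fqdn, [int]$Port = 5986)
    # Pick the newest usable certificate whose subject CN is the host name. The
    # listener's Hostname must match the certificate, or clients report an untrusted
    # server certificate chain / name mismatch even when the thumbprint is valid.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -and (Test-ServerAuthCert $_) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No server-authentication certificate with a private key for $Fqdn in LocalMachine\My" }
    # The Thumbprint property is already contiguous hex; the -replace only matters if you
    # paste the space-separated value from the certificate dialog instead.
    $thumb = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $Fqdn; CertificateThumbprint = $thumb; Port = "$Port" } | Out-Null
    Open-WinRmPort -Port $Port -Name "WinRM HTTPS $Port"
    return $thumb
}

function Test-WinRmListener {
    param([Parameter(Mandatory = $true)][string]$Fqdn, [int]$Port = 5986)
    # Same data as "winrm enumerate winrm/config/Listener", then a real TLS handshake
    # against the listener; Test-WSMan throws if the chain, name or port is wrong.
    Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Select-Object Address, Transport, Port, Hostname, CertificateThumbprint, Enabled
    Test-WSMan -ComputerName $Fqdn -Port $Port -UseSSL
}

# Usage (the host name is a placeholder):
#   New-WinRmHttpListener -Port 8888
#   New-WinRmHttpsListener -Fqdn 'host01.example.com'
#   Test-WinRmListener -Fqdn 'host01.example.com'
```

Test-WinRmListener is the check to run after either procedure: a listener that enumerates correctly but fails the Test-WSMan handshake is exactly the "untrusted server certificate chain" case described above, and the error text tells you whether the chain or the host name is the problem.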

Deleting a WinRM listener created with the quickconfig command

...

  • For an HTTP listener, run the following command:

Code Block
winrm delete winrm/config/Listener?Address=*+Transport=HTTP

  • For an HTTPS listener, run the following command:

Code Block
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Using the Event Log Readers group

...

Therefore, do not import the customsd.reg and do not set any CustomSD manually. You might want to work under a user account that does not have administrative privileges when you use the collector.

...

To get information about the access rights, run the wevtutil command. For example, to get the settings for the Security log, run the following command:

Code Block
wevtutil gl security

The command gives you the following output (the channelAccess line is the SDDL that controls who may read the log; the 0x1 entry for S-1-5-32-573 is the Event Log Readers group):

Code Block
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:

...

  1. Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security.

  2. Delete the CustomSD value.

Giving the Network Service account the right permission

...

If you are pulling from a Domain Controller, you must modify the SDDL string.

To give the Network Service account the right permission

...

  • You can add the account to the Event Log Readers group on the Windows 2008 server from which you want to collect the Security log with the following command:

Code Block
net localgroup "Event Log Readers" "NT Authority\Network Service" /add

  • You can give the Network Service account read access to the Security log by changing the channel access with the following command (the SDDL must be one continuous string, with no spaces between the ACEs):

Code Block
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

The second option gives you the ability to use a Group Policy to set the channel access for the Security log in a domain environment. Before you overwrite the channel access, copy the current value from the output of wevtutil gl security so that any site-specific ACEs are kept.

If you are pulling from a Domain Controller, add the following ACE to the custom SDDL to grant Network Service (S-1-5-20) read access: (A;;0x1;;;NS). You need to use the second option for a Windows 2008 Domain Controller, because Network Service is a built-in security principal and local groups are not used on a Domain Controller.
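Editing the channelAccess SDDL programmatically, as an added example that is not from the original page or the collector's documentation: it reads the current descriptor with wevtutil gl, appends an access-allowed ACE for Network Service only if one is not already present, and writes the result back with wevtutil sl. It assumes an elevated PowerShell session on the server or Domain Controller (the ACE it adds is the (A;;0x1;;;NS) entry described above). The function names and the -Apply switch are this example's own, and the sample SDDL is the one shown in the wevtutil output above.

```powershell
# Added example, not from the original page: grant Network Service (S-1-5-20) read
# access to the Security channel by editing the channelAccess SDDL as a security
# descriptor object rather than pasting a string. The existing ACEs (SYSTEM,
# Administrators, Event Log Readers) are kept exactly, and the change is idempotent.
# Assumptions (this example's own): elevated session; wevtutil.exe on the PATH.
# Function names and the -Apply switch are hypothetical, chosen here.

$NetworkServiceSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)   # S-1-5-20
$EventReadMask = 0x1   # the 0x1 right the page grants to Event Log Readers

function Get-ChannelSddl {
    param([string]$Channel = 'Security')
    # "wevtutil gl <channel>" prints one "channelAccess: <sddl>" line; the SDDL has no spaces.
    $text = (wevtutil gl $Channel) -join "`n"
    if ($text -match 'channelAccess:\s*(\S+)') { return $Matches[1] }
    throw "channelAccess not found for channel $Channel"
}

function Add-ReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [System.Security.Principal.SecurityIdentifier]$Sid = $NetworkServiceSid,
        [int]$Mask = $EventReadMask
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if (-not $sd.DiscretionaryAcl) {
        # Descriptor without a D: part: start an empty DACL so InsertAce has somewhere to go.
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(
            [System.Security.AccessControl.GenericAcl]::AclRevision, 1)
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Already an access-allowed ACE for this SID carrying the read bit? Return the input unchanged.
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid.Value -and
            (($ace.AccessMask -band $Mask) -eq $Mask)) {
            return $Sddl
        }
    }
    $newAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    # Windows renders rights and SIDs back with its own aliases (e.g. CC for 0x1,
    # NS for S-1-5-20); the descriptor is the same and wevtutil accepts either form.
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Grant-NetworkServiceRead {
    param([string]$Channel = 'Security', [switch]$Apply)
    $current = Get-ChannelSddl -Channel $Channel
    $updated = Add-ReadAce -Sddl $current
    if ($updated -eq $current) {
        Write-Host "Network Service already has read access on $Channel"
        return $current
    }
    if ($Apply) {
        wevtutil sl $Channel "/ca:$updated"
        return Get-ChannelSddl -Channel $Channel   # read back what was actually stored
    }
    Write-Host "Dry run. Would run: wevtutil sl $Channel /ca:$updated"
    return $updated
}

# Offline check on the SDDL from the wevtutil output above (constructed sample, no host needed):
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
$once  = Add-ReadAce -Sddl $sample   # gains an ACE for S-1-5-20
$twice = Add-ReadAce -Sddl $once     # no-op: the ACE is detected, so $twice -eq $once
# Real change on the host: Grant-NetworkServiceRead -Channel Security -Apply
```

Run Grant-NetworkServiceRead without -Apply first; the dry run prints the exact wevtutil sl command, which is the string to put into the Group Policy setting if you distribute the channel access by GPO.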

 

Limiting the sensor to use only certain encryption types

...

  1. In a text editor, edit the config.xml file in the directory of the collector which uses the Windows Management Sensor. On Windows, this directory is normally C:\Program Files\Symantec\Event Agent\collectors\msvista. On Linux and Solaris, it is normally /opt/Symantec/sesa/Agent/collectors/msvista.

  2. Under the <property name="props"> tag, find the <props> tag (see the sample excerpt below).

  3. Insert the EncryptionTypes property between the <props> and </props> tags.

  4. Specify the desired value(s). The property accepts a single value as well as a comma-separated list of values. The full list of supported encryption types is available at http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html.

  5. Save and close the file.

  6. Restart the Event Agent. The following is a sample excerpt of a config.xml:

Code Block
<property name="props">
  <props>
    ..
    <prop key="EncryptionTypes">des3-hmac-sha1,des3-cbc-sha1-kd</prop>
    ..
  </props>
</property>

The triple-DES types are shown only as an example; they are deprecated for Kerberos (RFC 8429), so where the KDC and the collector's JRE support them, list aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96 instead, and list only the types you want the sensor to negotiate.

Creating a subscription for reading events from a remote WinRM-configured listener

...