Windows Server Configuration

Configuring Microsoft Windows Monitoring

1. In the IT-Conductor main menu, navigate to Dashboards > Administrator.

Figure 1: IT-Conductor Dashboards Menu

2. In the Administrator dashboard, locate the Windows Systems panel and click to start adding a system for monitoring.

Figure 2: Add Windows Servers

3. In the Create Windows System wizard, fill out all the necessary information. Once completed, click to add the system.

Figure 3: Create Windows System

4. A pop-up message will confirm that the Linux Host has been added successfully. Click OK to dismiss and proceed to configure the Linux user to be used for monitoring.

5. Provide the account information in the wizard and click to complete the configuration.

Figure 5: Windows Information

Note Please take note of the WinRM Configuration Requirements.

6. A pop-up message will confirm that the account has been created successfully. Click OK to complete the process.

7. The newly added system will appear in the Windows System panel.

Note It may take a few minutes to change the status to "In Progress," refresh the panel if needed. If there are issues with the configuration, such as wrong connection parameters or an invalid account etc. the status will stay "Ready", troubleshoot by displaying the log. Click for the new record or click object icon and select Log from the menu popup.

Figure 8: Windows System with In Progress Status

8. The Windows System will show up in the service grid within 5-15 minutes.

Figure 9: IT-Conductor Service Grid View

WinRM Configuration Requirements

IT-Conductor accesses Windows systems utilizing WinRM. If WinRM TLS (HTTPS) has been enabled then ignore the Configuration section. Otherwise (which is the most common situation) Windows uses a proprietary payload encryption mechanism and client whitelisting for unsecured (HTTP) connections. In this case, the following configurations have to be performed:

Use Domain Group Policy to apply these settings to multiple Windows machines:

Figure 10: Group Policy Management

If configuring manually run the following commands on each monitored machine:

The commands need to be executed from command prompt with elevated permissions (As Administrator).

  1. Make sure WinRM is enabled. Run the following command:

    winrm quickconfig
  2. Enable "AllowUnencrypted". Run the following command:

    winrm set winrm/config/service @{AllowUnencrypted="true"}
  3. Add Gateway host to WinRM trusted hosts. Run the following command:

    winrm set winrm/config/client @{TrustedHosts="<Gateway Host 1>,<Gateway Host 2>,..."}

    Please make sure the failover Gateway Host (when configured) is included.

  4. Enable Basic Authentication (Optional). If the monitored Windows host is a standalone computer (not part of a Domain) the Basic authentication needs to be enabled. Run the following command:

    winrm set winrm/config/service/auth @{Basic="true"}

User Access

The easiest way to enable remote user access to WinRM is to add it to the local Administrators group.

If granting administrative access is not possible due to the security policy please follows the procedure to enable monitoring with a non-privileged account:

Add domain account or group to local WinRM Accounts

The local group membership can be assigned with Domain Group Policy (see above), otherwise, follow the instructions below.

  1. Open the Computer Management console (compmgmt.msc).

  2. Go to Local Users and Groups.

  3. Expand Groups.

  4. Add desired domain Group or User to Performance Log Users, Performance Monitor Users, and Remote Management Users groups.

    Figure 11: Computer Management

Grant Access to WMI Namespace

WMI Namespace access configuration is not supported in Domain Group Policy and has to be configured on each monitored machine.

  1. From the Computer Management console, expand Service and Applications.

  2. Right-click on WMI Control and then click Properties to access to WMI configuration.

  3. Open the Security tab.

  4. Select the "\Root\CIMV2" namespace:

    Figure 12: WMI Control Properties
  5. Click on Security to choose which user or group will be granted access.

  6. In the Security dialog box, click Add.

  7. In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) you want to add.

  8. Click OK.

  9. Click Advanced to open the Advanced Security Settings dialog box:

    Figure 13: Security Permissions
  10. On the Permissions tab select the desired user in the Permissions entries.

  11. Click Edit.

    Figure 14: Advanced Security Settings
  12. Set Type to Allow, set Applies to This namespace and subnamespaces, and select the Execute Methods, Enable Account, and Remote Enable options:

    Figure 15: Permission Entry
  13. Click OK to close all windows and apply the changed settings.

See Authorize WMI users and Set Permissions for more details.

Allow Windows Service Configuration Manager Access

We need to grant the user Windows Service Configuration Manager Access.

Run a Command Prompt as Administrator, and execute the following command:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Figure 16: Command Prompt

Last updated

#660:

Change request updated