IBM Support

Configuring DCOM and WMI to Remotely Retrieve Windows 2008 Server Events

Question & Answer


Question

How do I configure my Windows 2008 Servers to allow QRadar to retrieve events over WMI?

Answer

Administrators can follow the procedures listed below to configure DCOM and verify that Windows Server 2008 events can be retrieved from a remote system using WMI.


Before you begin


Event collection over WMI using Windows 2008 is only supported on 64-bit operating systems. Windows 32-bit operating systems do not include the required registry keys to complete the procedcures listed below. Therefore, WMI event collection is not supported on Windows 2008, 32-bit operating systems. Administrators with Windows 2008, 32-bit operating systems can use WinCollect to remotely poll for Security, Application, and System event logs.


Configuration Overview


To configure DCOM on Windows 2008, administrators must complete the following steps:

    1. Verify the required services are enabled and configured to start automatically when the operating system boots.
    2. Enable DCOM.
    3. Configure DCOM communications.
    4. Configure User Accounts for DCOM.
    5. Configure Windows Firewall.
    6. Configure WMI.
    7. Test the WMI configuration.

Required DCOM and WMI services for Windows Server 2008


The following Windows services must be started and configured for automatic startup:
  • Server
  • Remote Registry
  • Windows Management Instrumentation

The procedure below outlines the steps required to configure the Server, Remote Registry, and WMI services for automatic startup.

Procedure

  1. To open the Run menu, press the Windows logo key + R.
  2. Type the following: services.msc
  3. Click OK.
  4. In the details pane, verify the following services are started and set to automatic startup:
    a. Server
    b. Remote Registry
    c. Windows Management Instrumentation
  5. To change a service property, right-click on the service name, and then click Properties.
  6. From the Startup type list box, select Automatic.
  7. If the Service status is not started, click Start.
  8. Click OK.
  9. Close the Services window.

    You are now ready to enable DCOM on your Windows Server 2008.



Enabling DCOM for Windows Server 2008

Procedure

  1. To open the Run menu, press the Windows logo key + R.
  2. Type the following: dcomcnfg
  3. Click OK.
    The Component Services window is displayed.
  4. Under Component Services, expand Computers, and then click My Computer.
  5. On the Action menu, click Properties.
  6. Select the Default Properties tab.
  7. Configure the following Default Properties:

    a. Select the Enable Distributed COM on this computer check box.
    b. Using the Default Authentication Level list box, select Connect.
    c. Using the Default Impersonation Level list box, select Identify.

  8. Click OK.
    Note: The system displays a message about changing the DCOM Machine wide settings.
  9. Click Yes to continue.

    You are now ready to configure the DCOM protocol for Windows Server 2008.



Configuring DCOM communications for Windows Server 2008

Procedure

  1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
  2. On the Action menu, click Properties.
  3. Select the Default Protocols tab.
  4. Configure the following options:

    a. If Connection-oriented TCP/IP is listed in the DCOM Protocols window, go to Step 5.
    b. If Connection-oriented TC/IP is not listed in the DCOM Protocol window, select Add.
    c. From the Protocol Sequence list box, select Connection-oriented TC/IP.

  5. Click OK.

    You are now ready to configure a user account with permission to access DCOM.



Configuring Windows 2008 user accounts for DCOM


After you have enabled DCOM, you must assign an account the proper permission to access DCOM on the host. You must select an existing account with administrative access or create a normal user account that is a member of an administrative group to access the host. The user you grant DCOM permissions is the user you must configure in the QRadar log source.


Procedure
  1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
  2. On the Action menu, click Properties.
  3. Select the COM Security tab.
  4. In Access Permissions, click Edit Default.
  5. Select the user or group requiring DCOM access.

    Note: If the user or group requiring DCOM access is not listed in the permissions list, you must add the user to the configuration.

  6. Configure the following user permissions:
    a. Local Access - Select the Allow check box.
    b. Remote Access - Select the Allow check box.
  7. Click OK.
  8. In Launch and Activation Permissions, click Edit Default.
  9. Select the user or group requiring DCOM access.
    Note: If the user or group requiring DCOM access is not in the permissions list, you must add the user to the configuration.
  10. Configure the following user permissions:
    a. Local Launch - Select the Allow check box.
    b. Remote Launch - Select the Allow check box.
    c. Local Activation - Select the Allow check box.
    d. Remote Activation - Select the Allow check box.
  11. Click OK.
  12. Click OK to close the Component Services window.

    You are now ready to configure the Windows firewall to allow DCOM communications.



Configuring the Windows 2008 Firewall

If a firewall is located between the your Windows Server 2008 and the QRadar appliance, you must configure the firewall with an exception to permit DCOM communications.


Note: You must be an administrator to change Windows Firewall settings or add an exception to the Windows Firewall.

Procedure

  1. To open the Run menu, press the Windows logo key + R.
  2. Type the following: wf.msc.
  3. Click OK.
  4. Select Inbound Rules.
  5. On the Action menu, click New Rule.
  6. Select Custom and click Next. The Program window is displayed.
  7. Select All programs, and click Next. The Protocol and Ports window is displayed.
  8. From the Protocol type list box, select TCP and click Next.

    Note: We recommend you do not limit Local and Remote ports or local IP addresses, but define firewall connection rules by remote IP address. The remote IP address defined should be the appliance defined as the Target Event Collector in the Microsoft Windows Security Event Log in QRadar.

  9. Under Which remote IP addresses does this rule apply to field, select the radio button These IP addresses.
  10. Click Add.
  11. In the This IP address or subnet text box, type the IP address of QRadar appliance managing the Microsoft Windows Security Event Log source. The QRadar appliance making the request is defined in the log source in the Target Event Collector field.
  12. Click OK.
  13. Click Next.
  14. Select Allow the connection, and click Next.
  15. Select one or more network profiles to which the rule applies and click Next.
  16. Type a name and description for the firewall rule.
  17. Click Finish. You can now exit the Windows Firewall with Advanced Security panel.

    You are now ready to configure Windows Management Instrumentation (WMI) for Windows 2008.


Configuring WMI user access for Windows Server 2008

The user or group you configured for DCOM access must also have Windows Management Instrumentation (WMI) permission to access the Windows event logs required by QRadar.

Procedure

  1. To open the Run menu, press the Windows logo key + R.
  2. Type the following: wmimgmt.msc
  3. Click OK.
  4. Right-click on WMI Control (Local), select Properties. The WMI Control (Local) Properties window is displayed.
  5. Click the Security tab. The Namespace navigation is displayed.
  6. From the Namespace menu tree, expand Root, click CIMV2.
  7. Click the Security button below the menu tree. The Security for ROOT\CIMV2 window is displayed.
  8. Select the user or group requiring WMI access. Note: If the user or group requiring WMI access is not listed in the permissions list, you must add the user to the configuration.
  9. Select the check boxes to add the following permissions:

    a. Execute Methods - Select the Allow check box.
    b. Provider Write - Select the Allow check box.
    c. Enable Account - Select the Allow check box.
    d. Remote Enable - Select the Allow check box.

    Note: If the user or group you are configuring is a system administrator, the allow permission check boxes might be selected as the permissions are inherited.

  10. Click OK.
  11. Close the WMIMGMT - WMI Control (Local) window.

Configuring DCOM Access for Windows Server 2008

By default, the access to specific registry values are owned by the Trusted Installer. This procedure provides guidance on how to set the Administrator as the DCOM owner, who can then provide permissions to your QRadar user. The QRadar user specified in your log source configuration should have full control to DCOM both of the DCOM objects defined in this procedure. Only an administrator can provide another user access to both of the DCOM objects outlines below.

Procedure

  1. To open the Run menu, press the Windows logo key + R.
  2. Type the following command to open the registry editor: regedit
  3. Click OK. Note: You must be a system administrator to edit registry settings.
  4. Locate the following registry location:HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  5. Right-click the entry {76A64158-CB41-11D1-8B02-00600806D9B6}, then click Permissions.
  6. Click the Advanced button. The Advanced Security Settings are displayed.
  7. In the Owner field, click Change.
  8. In the Enter the object name field, set the owner as Administrators.
  9. Click OK.
  10. In the Permissions entries field, select your user and click Edit.
    Note: If the QRadar user is not listed in the permissions list, you must Click Add and define your user as a Principal. To search for a user, type the user name, click Check Names, then click OK to add your user.

  11. Configure the following parameters for your user:
    1. In the Type field, select Allow.
    2. In the Applies to field, select This key and subkeys.
    3. In the Basic permissions field, select Full Control. By default, selecting Full Control adds Read as a permission type.
  12. Click OK to return to the Advanced Security Settings window.
  13. In the Owner field, click Change.
  14. In the Enter the object name field, set the owner as your QRadar user.
  15. Click OK until you return to the Registry Editor.
  16. Repeat this process for the following registry key:HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  17. Close the Registry Editor.

    To complete the DCOM configuration, administrators should verify WMI communications by querying the Windows 2008 security event log.


Verifying and Testing your WMI Configuration

To assist with verifying your WMI communications, the Microsoft Windows Event Log protocol RPM includes a test tool that allows QRadar to query the remote server for Windows event log information. To use this test tool, your QRadar system must be installed with the latest version of the Windows Event Log protocol.

Procedure

  1. Using SSH, log in to QRadar as the root user.
    Username: root
    Password: <password>
  2. Type the following command: cd /opt/qradar/jars
  3. Type the following command: java -jar WMITestTool-<date>.jar
  4. Configure the following parameters:
    1. Remote Windows Host - Type the IP address of your Windows server.
    2. Active Directory Domain, or Hostname if in a Workgroup - Type the domain or workgroup for your Windows 2008 system.
    3. Username - Type the username required to access the remote Windows server.
    4. Password - Type the username required to access the remote Windows server.
    5. NTLM Version (1 or 2) - Specify the version of NTLM protocol to be used.

      Note: In almost every case, the Windows operating systems use NTLM version 2.

      If you receive an error, please go back and re-check the settings on the Windows specified in the DCOM section of the Log Source Users Guide. If the connection is successful, you should see the following response:

      Connecting to <host> as <domain>\<user> ...
      Using Raw WMI: false
      Attempting to create a COM object implemented by class: WbemLocator on remote host [
      <host>]
      Using CLSID=[76a64158-cb41-11d1-8b02-00600806d9b6] PROGID=[] INTERFACEID=[76A6415B-CB41-11D1-8B02-00600806D9B6]
      Attempting to create server clsid=[76a64158-cb41-11d1-8b02-00600806d9b6] and progid=[]
      Proxy class derived from ScriptableComObject: narrowing to IDispatch reference.
      Using WMI IWmiServices implemented via: WbemServices
      WQL Query (enter quit to exit):


      The test tool will attempt to connect to your remote Windows server.
  5. In the WQL Query parameter, type the following: Select NumberOfRecords From Win32_NTEventLogFile WHERE LogFileName='Security'

    Note: The example query provided functions with 32-bit and 64-bit versions of Windows.

    If QRadar can successfully query your Windows server, the number of records in the security event log are returned.

    For example:
    -----
    instance of Win32_NTEventlogFile
    Name = C:\Windows\System32\Winevt\Logs\Security.evtx
    NumberOfRecords = 5786
    -----

If the returned query states total records = 0, or if there is an error, you must verify the proper services are running, your DCOM configuration, the WMI configuration, and your Windows firewall settings. If you have verified the configuration of your Windows server, contact support.

If you are having connection issues, we recommend using the test tool with the Windows Firewall temporarily disabled. If the test tool returns security event log results, enable the Windows Firewall and see your Network Administrator.

Where do I find more information?


If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support for assistance:

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Integrations - 3rd Party","Platform":[{"code":"PF033","label":"Windows"}],"Version":"7.1;7.0;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg21681046