IBM Support

Configuring DCOM and WMI in Windows 2012 R2 Server for Microsoft SCCM Scanner and Event Collection

Question & Answer


Question

How do I configure my Windows 2012 R2 Servers to allow QRadar to retrieve scan data from Microsoft SCCM scanners and events over WMI?

Answer

Administrators can follow the procedures listed below to configure DCOM and verify that Windows Server 2012 R2 data can be retrieved from a remote system using WMI. This article serves two purposes for administrators:

  1. Required for Microsoft SCCM scanners.

    QRadar uses multiple WMI queries to make successive calls to the Microsoft SCCM scanner to retrieve asset information. In the first WMI request, the scanner retrieves asset information (IP addresses, MAC addresses, host names). In the second pass the system retrieves data for installed patches, then makes a third request to retrieve pending patch information.

  2. Required for administrators who collect event data using the Microsoft Security Event Log protocol (WMI) to collect events from Windows 2012 R2 Servers.

    This is a rare configuration option due to the limitations of WMI and its limit of 50 events per second. Administrators who want to collect events from Windows 2012 R2 Servers should use WinCollect or the MSRPC protocol, depending on the event rate being generated.


Before you begin


Event collection over WMI from Windows 2012 R2 Servers is supported only on 64-bit operating systems. Windows 32-bit operating systems do not include the registry keys required to complete the procedures listed below, so WMI event collection is not supported on 32-bit Windows 2012 R2 operating systems.


Configuration Overview


To configure DCOM on Windows 2012 R2 Servers, administrators must complete the following steps:

    1. Verify the required services are enabled and configured to start automatically when the operating system boots.
    2. Enable DCOM.
    3. Configure DCOM communications.
    4. Configure User Accounts for DCOM.
    5. Configure Windows Firewall.
    6. Configure WMI.
    7. Test the WMI configuration.

Required DCOM and WMI services for Windows Server 2012 R2


The following Windows services must be started and configured for automatic startup:
  • Server
  • Remote Registry
  • Windows Management Instrumentation

The procedure below outlines the steps required to configure the Server, Remote Registry, and WMI services for automatic startup.

    Procedure
    1. To open the Run menu, press the Windows logo key + R.
    2. Type the following: services.msc
    3. Click OK.
    4. In the details pane, verify the following services are started and set to automatic startup:
      a. Server
      b. Remote Registry
      c. Windows Management Instrumentation
    5. To change a service property, right-click on the service name, and then click Properties.
    6. From the Startup type list box, select Automatic.
    7. If the Service status is not started, click Start.
    8. Click OK.
    9. Close the Services window.

      You are now ready to enable DCOM on your Windows Server 2012 R2.


Enabling DCOM for Windows Server 2012 R2


    Procedure
    1. To open the Run menu, press the Windows logo key + R.
    2. Type the following: dcomcnfg
    3. Click OK.
      The Component Services window is displayed.
    4. Under Component Services, expand Computers, and then click My Computer.
    5. On the Action menu, click Properties.
    6. Select the Default Properties tab.
    7. Configure the following Default Properties:

      a. Select the Enable Distributed COM on this computer check box.
      b. Using the Default Authentication Level list box, select Connect.
      c. Using the Default Impersonation Level list box, select Identify.

    8. Click OK.
      Note: The system displays a message about changing the DCOM Machine wide settings.
    9. Click Yes to continue.

      You are now ready to configure the DCOM protocol for Windows Server 2012 R2.


Configuring DCOM communications for Windows Server 2012 R2


    Procedure
    1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
    2. On the Action menu, click Properties.
    3. Select the Default Protocols tab.
    4. Configure the following options:

      a. If Connection-oriented TCP/IP is listed in the DCOM Protocols window, go to Step 5.
      b. If Connection-oriented TCP/IP is not listed in the DCOM Protocols window, click Add.
      c. From the Protocol Sequence list box, select Connection-oriented TCP/IP.

    5. Click OK.

      You are now ready to configure a user account with permission to access DCOM.


Configuring Windows Server 2012 R2 user accounts for DCOM


After you have enabled DCOM, you must assign an account the proper permission to access DCOM on the host. You must select an existing account with administrative access, or create a normal user account that is a member of an administrative group, to access the host. The user to whom you grant DCOM permissions is the user you must configure in the QRadar log source.

    Procedure
    1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
    2. On the Action menu, click Properties.
    3. Select the COM Security tab.
    4. In Access Permissions, click Edit Default.
    5. Select the user or group requiring DCOM access.

      Note: If the user or group requiring DCOM access is not listed in the permissions list, you must add the user to the configuration.

    6. Configure the following user permissions:
      a. Local Access - Select the Allow check box.
      b. Remote Access - Select the Allow check box.
    7. Click OK.
    8. In Launch and Activation Permissions, click Edit Default.
    9. Select the user or group requiring DCOM access.
      Note: If the user or group requiring DCOM access is not in the permissions list, you must add the user to the configuration.
    10. Configure the following user permissions:
      a. Local Launch - Select the Allow check box.
      b. Remote Launch - Select the Allow check box.
      c. Local Activation - Select the Allow check box.
      d. Remote Activation - Select the Allow check box.
    11. Click OK.
    12. Click OK to close the Component Services window.

      You are now ready to configure the Windows firewall to allow DCOM communications.



Configuring the Windows Server 2012 R2 Firewall

If a firewall is located between your Windows Server 2012 R2 and the QRadar appliance, you must configure the firewall with an exception to permit DCOM communications.


Note: You must be an administrator to change Windows Firewall settings or add an exception to the Windows Firewall.

    Procedure
    1. To open the Run menu, press the Windows logo key + R.
    2. Type the following: wf.msc
    3. Click OK.
    4. Select Inbound Rules.
    5. On the Action menu, click New Rule.
    6. Select Custom and click Next. The Program window is displayed.
    7. Select All programs, and click Next. The Protocol and Ports window is displayed.
    8. From the Protocol type list box, select TCP and click Next.

      Note: We recommend that you do not limit Local and Remote ports or local IP addresses, but define firewall connection rules by remote IP address. The remote IP address defined should be the appliance defined as the Managed Host in your Microsoft SCCM scanner configuration. For Windows event collection, the IP address should be the Target Event Collector defined in the Microsoft Windows Security Event Log log source in QRadar.

    9. Under Which remote IP addresses does this rule apply to, select the radio button These IP addresses.
    10. Click Add.
    11. In the This IP address or subnet text box, type the IP address of the QRadar appliance managing the Microsoft Windows Security Event Log source or Microsoft SCCM scanner.
    12. Click OK.
    13. Click Next.
    14. Select Allow the connection, and click Next.
    15. Select one or more network profiles to which the rule applies and click Next.
    16. Type a name and description for the firewall rule.
    17. Click Finish. You can now exit the Windows Firewall with Advanced Security panel.

      You are now ready to configure Windows Management Instrumentation (WMI) for Windows Server 2012 R2.


Configuring WMI user access for Windows Server 2012 R2

The user or group you configured for DCOM access must also have Windows Management Instrumentation (WMI) permission to access the Windows event logs required by QRadar.


    Procedure
    1. To open the Run menu, press the Windows logo key + R.
    2. Type the following: wmimgmt.msc
    3. Click OK.
    4. Right-click on WMI Control (Local), select Properties. The WMI Control (Local) Properties window is displayed.
    5. Click the Security tab. The Namespace navigation is displayed.
    6. From the Namespace menu tree, expand Root, click CIMV2.
    7. Click the Security button below the menu tree. The Security for ROOT\CIMV2 window is displayed.
    8. Select the user or group requiring WMI access.
      Note: If the user or group requiring WMI access is not listed in the permissions list, you must add the user to the configuration.
    9. Select the check boxes to add the following permissions:

      a. Execute Methods - Select the Allow check box.
      b. Provider Write - Select the Allow check box.
      c. Enable Account - Select the Allow check box.
      d. Remote Enable - Select the Allow check box.

      Note: If the user or group you are configuring is a system administrator, the allow permission check boxes might be selected as the permissions are inherited.

    10. Click OK.
    11. Close the WMIMGMT - WMI Control (Local) window.

Configuring DCOM Access for Windows Server 2012 R2

By default, access to the specific registry values used here is owned by the Trusted Installer. This procedure provides guidance on how to set the Administrator as the owner, who can then grant permissions to your QRadar user. The QRadar user specified in your log source configuration should have Full Control of both of the DCOM objects defined in this procedure. Only an administrator can grant another user access to both of the DCOM objects outlined below.

NOTE: If WMI is polling from a parent domain to a child domain, the domain user and the local Administrators group in the child domain require Full Control of both of the registry keys discussed in this procedure. The user making the WMI request might also be required to be a member of the local Administrators group.


    Procedure
    1. To open the Run menu, press the Windows logo key + R.
    2. Type the following command to open the registry editor: regedit
    3. Click OK. Note: You must be a system administrator to edit registry settings.
    4. Locate the following registry location: HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
    5. Right-click the entry {76A64158-CB41-11D1-8B02-00600806D9B6}, then click Permissions.
    6. Click the Advanced button. The Advanced Security Settings are displayed.
    7. In the Owner field, click Change.
    8. In the Enter the object name field, set the owner as Administrators.
    9. Click OK.
    10. In the Permissions entries field, select your user and click Edit.
      Note: If the QRadar user is not listed in the permissions list, you must Click Add and define your user as a Principal. To search for a user, type the user name, click Check Names, then click OK to add your user.

    11. Configure the following parameters for your user:
      1. In the Type field, select Allow.
      2. In the Applies to field, select This key and subkeys.
      3. In the Basic permissions field, select Full Control. By default, selecting Full Control adds Read as a permission type.
    12. Click OK to return to the Advanced Security Settings window.
    13. In the Owner field, click Change.
    14. In the Enter the object name field, set the owner as your QRadar user.
    15. Click OK until you return to the Registry Editor.
    16. Repeat this process for the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
    17. Close the Registry Editor.

      To complete the DCOM configuration, administrators should verify WMI communications either by scheduling a Microsoft SCCM scan in QRadar or by using the test tool below to query for events, which proves that your user has the correct permissions to poll for data using WMI.

Verifying and Testing your WMI Configuration

To assist with verifying your WMI communications, the Microsoft Windows Event Log protocol RPM includes a test tool that allows QRadar to query the remote server for Windows event log information. To use this test tool, your QRadar system must be installed with the latest version of the Windows Event Log protocol.


    Procedure
    1. Using SSH, log in to QRadar as the root user.
      Username: root
      Password: <password>
    2. Type the following command: cd /opt/qradar/jars
    3. Type the following command: java -jar WMITestTool-<date>.jar
    4. Configure the following parameters:
      1. Remote Windows Host - Type the IP address of your Windows 2012 R2 Server.
      2. Active Directory Domain, or Hostname if in a Workgroup - Type the domain for your Windows 2012 R2 Server.
      3. Username - Type the username required to access the remote Windows 2012 R2 Server.
      4. Password - Type the password for the username defined above.
      5. NTLM Version (1 or 2) - Type 2.

        Note: In almost every case, the Windows operating systems use NTLM version 2.

        If you receive an error, go back and re-check the settings on the Windows server specified in the DCOM section of the Log Source Users Guide. If the connection is successful, you should see the following response:

        Connecting to <host> as <domain>\DCOM ...
        Using Raw WMI: false
        Attempting to create a COM object implemented by class: WbemLocator on remote host [<host>]
        Using CLSID=[76a64158-cb41-11d1-8b02-00600806d9b6] PROGID=[] INTERFACEID=[76A6415B-CB41-11D1-8B02-00600806D9B6]
        Attempting to create server clsid=[76a64158-cb41-11d1-8b02-00600806d9b6] and progid=[]
        Proxy class derived from ScriptableComObject: narrowing to IDispatch reference.
        Using WMI IWmiServices implemented via: WbemServices
        WQL Query (enter quit to exit):


        The test tool will attempt to connect to your remote Windows server.
    5. In the WQL Query parameter, type the following: Select NumberOfRecords From Win32_NTEventLogFile WHERE LogFileName='Security'

      Note: The example query provided functions with 32-bit and 64-bit versions of Windows.

      If QRadar can successfully query your Windows server, the number of records in the security event log is returned.

      For example:
      -----
      instance of Win32_NTEventlogFile
      Name = C:\Windows\System32\Winevt\Logs\Security.evtx
      NumberOfRecords = 5786
      -----
If the returned query states total records = 0, or if there is an error, you must verify the proper services are running, your DCOM configuration, the WMI configuration, and your Windows firewall settings. If you have verified the configuration of your Windows server, contact support.

If you are having connection issues, we recommend using the test tool with the Windows Firewall temporarily disabled. If the test tool returns security event log results, enable the Windows Firewall and see your Network Administrator.
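The following script checks, from the Windows Server 2012 R2 host itself, the settings that the procedures above configure (services, DCOM defaults, the firewall rule, the CLSID key permissions, and the WQL query). It is an added example, not part of the IBM article or of QRadar; the account name and collector address are placeholders, and the DCOM level values it reads from the Ole registry key are assumed to match what dcomcnfg writes.

```powershell
# Added verification script, not part of the IBM article or of QRadar. Run it in an
# elevated PowerShell on the Windows Server 2012 R2 host after completing the procedure.
# Assumed placeholders: $QRadarUser (the log source account) and $QRadarIp (the collector).
param(
    [string]$QRadarUser = 'DOMAIN\qradar_wmi',   # placeholder, not a real account
    [string]$QRadarIp   = '192.0.2.10'           # placeholder, documentation address
)
$script:ok = $true
function Check([string]$Label, [bool]$Pass) {
    if ($Pass) { Write-Host "[PASS] $Label" } else { Write-Host "[FAIL] $Label"; $script:ok = $false }
}

# Step 1: Server, Remote Registry and WMI must be running and set to Automatic startup.
foreach ($svc in 'LanmanServer', 'RemoteRegistry', 'Winmgmt') {
    $state = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    Check "$svc running with Automatic startup" (($state.State -eq 'Running') -and ($state.StartMode -eq 'Auto'))
}

# Steps 2 and 3: DCOM enabled, default authentication Connect (2), impersonation Identify (2).
# Assumption: dcomcnfg stores these under HKLM\SOFTWARE\Microsoft\Ole; a missing level value is the OS default.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
Check 'EnableDCOM = Y' ($ole.EnableDCOM -eq 'Y')
Check 'Default Authentication Level = Connect' (($null -eq $ole.LegacyAuthenticationLevel) -or ($ole.LegacyAuthenticationLevel -eq 2))
Check 'Default Impersonation Level = Identify' (($null -eq $ole.LegacyImpersonationLevel) -or ($ole.LegacyImpersonationLevel -eq 2))

# Step 5: an enabled inbound allow rule whose remote address scope names the collector (rules scoped to Any do not count).
$scoped = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -match [regex]::Escape($QRadarIp)
}
Check "inbound allow rule scoped to $QRadarIp" ($null -ne $scoped)

# "Configuring DCOM Access": both WbemLocator CLSID keys owned by, and Full Control for, the QRadar user.
$clsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
$keys = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
        "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
foreach ($key in $keys) {
    $acl  = Get-Acl -Path $key
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $ace  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $QRadarUser -and
            $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $full) -eq $full) }
    Check "$QRadarUser owns and has Full Control on $key" (($acl.Owner -eq $QRadarUser) -and ($null -ne $ace))
}

# Step 7: the article's WQL query, run locally; the end-to-end remote test is the QRadar WMITestTool.
$log = Get-WmiObject -Query "Select NumberOfRecords From Win32_NTEventLogFile WHERE LogFileName='Security'"
Check 'Security log record count > 0' ($log.NumberOfRecords -gt 0)

if ($script:ok) { 'All checks passed.' } else { 'One or more checks failed; revisit the matching section above.' }
```

A [FAIL] line points at the section of this article to revisit; the local WQL check only proves the WMI service answers the query, so a passing run still needs the WMITestTool run from QRadar to confirm remote access and the firewall path.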

Where do I find more information?


If you have additional questions or some of this content is not clear, you can visit the QRadar forum or contact customer support for assistance.


Document Information

Modified date:
10 May 2019

UID

swg21986943