IBM Support

Configuring DCOM and WMI to Remotely Retrieve Windows 7 Events

Question & Answer


Question

How do I configure my Windows 7 systems to allow QRadar to retrieve events over WMI?

Answer

Administrators can follow the procedures listed below to configure DCOM and verify that Windows 7 events can be retrieved from a remote system using WMI.


Configuration Overview


To configure DCOM on Windows 7, administrators must complete the following steps:

    1. Verify the required Windows 7 services are enabled and configured to start automatically when the operating system boots.
    2. Enable DCOM for Windows 7.
    3. Configure DCOM communications for Windows 7.
    4. Configure User Accounts for DCOM.
    5. Configure Windows 7 Firewall.
    6. Configure WMI for Windows 7.
    7. Test the WMI configuration.

Required DCOM and WMI services for Windows 7


The following Windows services must be started and configured for automatic startup on the Windows 7 system:
  • Server
  • Remote Registry
  • Windows Management Instrumentation

The procedure below outlines the steps required to configure the Server, Remote Registry, and WMI services for automatic startup.

Procedure

  1. On your desktop, select Start > Run.
  2. Type the following: services.msc
  3. Click OK.
  4. In the details pane, verify the following services are started and set to automatic startup:
    a. Server
    b. Remote Registry
    c. Windows Management Instrumentation
  5. To change a service property, right-click on the service name, and then click Properties.
  6. From the Startup type list box, select Automatic.
  7. If the Service status is not started, click Start.
  8. Click OK.
  9. Close the Services window.

    You are now ready to enable DCOM on your Windows 7.



Enabling DCOM for Windows 7

Procedure

  1. On your desktop, select Start > Run.
  2. Type the following: dcomcnfg
  3. Click OK. The Component Services window is displayed.
  4. Under Component Services, expand Computers, and then click My Computer.
  5. On the Action menu, click Properties.
  6. Select the Default Properties tab.
  7. Configure the following Default Properties:

    a. Select the Enable Distributed COM on this computer check box.
    b. Using the Default Authentication Level list box, select Connect.
    c. Using the Default Impersonation Level list box, select Identify.

  8. Click OK.

    You are now ready to configure the DCOM protocol for Windows 7.



Configuring DCOM communications for Windows 7

Procedure

  1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
  2. On the Action menu, click Properties.
  3. Select the Default Protocols tab.
  4. Configure the following options:

    a. If Connection-oriented TCP/IP is listed in the DCOM Protocols window, go to Step 5.
    b. If Connection-oriented TC/IP is not listed in the DCOM Protocol window, select Add.
    c. From the Protocol Sequence list box, select Connection-oriented TC/IP.

  5. Click OK.

    You are now ready to configure a user account with permission to access DCOM.



Configuring Windows 7 user accounts for DCOM


After you have enabled DCOM, you must assign an account the proper permission to access DCOM on the host. You must select an existing account with administrative access or create a normal user account that is a member of an administrative group to access the host. The user you grant DCOM permissions is the user you must configure in the QRadar log source.


Procedure
  1. From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
  2. On the Action menu, click Properties.
  3. Select the COM Security tab.
  4. In Access Permissions, click Edit Default.
  5. Select the user or group requiring DCOM access.

    Note: If the user or group requiring DCOM access is not listed in the permissions list, you must add the user to the configuration.

  6. Configure the following user permissions:
    a. Local Access - Select the Allow check box.
    b. Remote Access - Select the Allow check box.
  7. Click OK. The My Computer Properties window is displayed.
  8. In Launch and Activation Permissions, click Edit Default.
  9. Select the user or group requiring DCOM access.
    Note: If the user or group requiring DCOM access is not in the permissions list, you must add the user to the configuration.
  10. Configure the following user permissions:
    a. Local Launch - Select the Allow check box.
    b. Remote Launch - Select the Allow check box.
    c. Local Activation - Select the Allow check box.
    d. Remote Activation - Select the Allow check box.
  11. Click OK.
  12. Close the Component Services window.

    You are now ready to configure the Windows firewall to allow DCOM communications.



Configuring the Windows 7 Firewall

If a firewall is located between the your Windows 7 system and QRadar, you must configure the firewall with an exception to permit DCOM communications.


Note: You must be an administrator to change Windows Firewall settings or add an exception to the Windows Firewall.

Procedure

  1. On your desktop, select Start > Run.
  2. Type the following: wf.msc.
  3. Click OK.
  4. Select Inbound Rules.
  5. On the Action menu, click New Rule.
  6. Select Custom and click Next. The Program window is displayed.
  7. Select All programs, and click Next. The Protocol and Ports window is displayed.
  8. From the Protocol type list box, select TCP and click Next.

    Note: We recommend you do not limit Local and Remote ports or local IP addresses, but define firewall connection rules by remote IP address.

  9. Under Which remote IP addresses does this rule apply to?, select These IP addresses.
  10. Select These IP addresses, click Add. The IP Address window is displayed.
  11. In the This IP address or subnet text box, type the IP address of QRadar, click OK. The Action window is displayed.
  12. Select Allow the connection, click Next.
  13. Type the network profile to which the rule applies, click Next.
  14. Type a name and description for the firewall rule, click Finish.
  15. Close the Server Manager window.

    You are now ready to configure Windows Management Instrumentation (WMI) for Windows 7.



Configuring WMI user access for Windows 7

The user or group you configured for DCOM access must also have Windows Management Instrumentation (WMI) permission to access the Windows event logs required by QRadar.

Procedure

  1. On your desktop, select Start > Run.
  2. Type the following: wmimgmt.msc
  3. Click OK.
  4. Right-click on WMI Control (Local), select Properties. The WMI Control (Local) Properties window is displayed.
  5. Click the Security tab.
  6. In Namespace navigation, expand Root, click CIMV2.
  7. Click Security. The Security for ROOT\CIMV2 window is displayed.
  8. Select the user or group requiring WMI access. Note: If the user or group requiring WMI access is not listed in the permissions list, you must add the user to the configuration.
  9. Select the check boxes to add the following permissions:

    a. Execute Methods - Select the Allow check box.
    b. Provider Write - Select the Allow check box.
    c. Enable Account - Select the Allow check box.
    d. Remote Enable - Select the Allow check box.

    Note: If the user or group you are configuring is a system administrator, the allow permission check boxes might be selected as the permissions are inherited.

  10. Click OK.
  11. Close the WMIMGMT - WMI Control (Local) window.

Configuring Windows 7 R2 64-bit Trusted Installer

Windows 7 R2 64-bit incorporated a security feature called the Trusted Installer that can affect the connection to the DCOM object.

Procedure

  1. On your desktop, select Start > Run.
  2. Type the following: regedit
  3. Click OK.
    Note: You must be a system administrator to edit registry settings.
  4. Locate the following registry location:HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  5. Right-click the entry {76A64158-CB41-11D1-8B02-00600806D9B6}, then click Permissions.
  6. Click Advanced.
  7. Click the Owner tab. The Trusted Installer is shown as the current owner.
  8. Select the Administrators group, click OK.
  9. Select the QRadar user, select the Allow check box for Full Control permission, and click Apply.

    Note: If the QRadar user is not listed in the permissions list, you must add the user to the configuration.

  10. Click Advanced.
  11. Click the Owner tab.
    Administrators is shown as the current owner.
  12. Select or add your QRadar user, click OK.

    Note: If the QRadar user is not listed in the Change owner to permission list, you must select Other users or groups to add the user to the configuration.

  13. Click OK to return to the Registry Editor.
  14. Repeat to for the following registry key:HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  15. Close the Registry Editor.

    To complete the DCOM configuration, administrators should verify WMI communications by querying the Windows 7 security event log.


Verifying and Testing your WMI Configuration

To assist with verifying your WMI communications, the Microsoft Windows Event Log protocol RPM includes a test tool that allows QRadar to query the remote server for Windows event log information. To use this test tool, your QRadar system must be installed with the latest version of the Windows Event Log protocol.

Procedure

  1. Using SSH, log in to QRadar as the root user.
    Username: root
    Password: <password>
  2. Type the following command: cd /opt/qradar/jars
  3. Type the following command: java -jar WMITestTool-<date>.jar
  4. Configure the following parameters:
    a. Remote Windows Host - Type the IP address of your Windows server.
    b. Active Directory Domain, or Hostname if in a Workgroup - Type the domain or workgroup for your Windows 7 system.
    c. Username - Type the username required to access the remote Windows server.
    d. Password - Type the username required to access the remote Windows server.

    The test tool will attempt to connect to your remote Windows server.
  5. In the WQL Query parameter, type the following: Select NumberOfRecords From Win32_NTEventLogFile WHERE LogFileName='Security'

    Note: The example query provided functions with 32-bit and 64-bit versions of Windows Server 2003 and Windows 7.

    If QRadar can successfully query your Windows server, the number of records in the security event log are returned.

    For example:
    -----
    instance of Win32_NTEventlogFile
    Name = C:\Windows\System32\Winevt\Logs\Security.evtx
    NumberOfRecords = 5786
    -----

If the returned query states total records = 0, or if there is an error, you must verify the proper services are running, your DCOM configuration, the WMI configuration, and your Windows firewall settings. If you have verified the configuration of your Windows server, contact support.

If you are having connection issues, we recommend using the test tool with the Windows Firewall temporarily disabled. If the test tool returns security event log results, enable the Windows Firewall and see your Network Administrator.

Where do I find more information?


If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support for assistance:

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Integrations - 3rd Party","Platform":[{"code":"PF033","label":"Windows"}],"Version":"7.1;7.0;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg21678809