Context:

  • Enterprise IT environment
  • 3000+ Virtual Machines running various editions of Windows Server (the client)
  • Vendor-specific application which uses WMI to query the Windows Servers for information, logs into the server and runs PowerShell scripts.
  • The application itself is a Windows service running on one specific VM (the service host), running as a domain user with local administrator privileges across the domain (the service account)

Security Requirement:

  • When the service account is used to log in to client systems, the login should only be authorised if the request came from the service host (whether by IP address or other identification)

i.e. if another computer used the same username/password, it should either be rejected or raise some kind of alert in the Windows Event Log that can be monitored.

Is this at all feasible?

Dave M
adz_esm
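The "raise an alert" half of the requirement can be checked from the client's Security log: every remote WMI or WinRM session produces a successful-logon event (4624) with logon type 3, and its IpAddress field records where the connection came from. The following PowerShell is an added example, not part of the original question, and assumes a service account name (`svc-wmi`) and service host address (`10.0.0.5`) that are placeholders for the real values. Run it on a client (or against events forwarded from the clients) to list service-account logons that did not originate from the service host; a scheduled task with an event trigger on 4624 can call the same function to alert in near real time.

```powershell
# Added example (not from the original question): report network logons of the
# service account whose source address is not the service host. Assumed values:
$ServiceAccount = 'svc-wmi'        # assumption: sAMAccountName of the service account
$AllowedSources = @('10.0.0.5')    # assumption: IP address(es) of the service host
$LookBackMs     = 60 * 60 * 1000   # examine the last hour of events

function Get-UnexpectedServiceLogon {
    param(
        [string]   $Account,
        [string[]] $Allowed,
        [int]      $WindowMs
    )

    # 4624 = successful logon; LogonType 3 = network logon, which is what WMI/DCOM
    # and WinRM sessions produce. Filtering in XPath keeps the query cheap on a
    # busy Security log. TargetUserName matching in XPath is case-sensitive, so
    # $Account must be spelled as it appears in the events.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $WindowMs]]" +
             " and EventData[Data[@Name='TargetUserName']='$Account'" +
             " and Data[@Name='LogonType']='3']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Anything not from an allowed source is reported. Local logons carry
            # '-', '127.0.0.1' or '::1' as IpAddress; they are reported rather than
            # silently dropped, because the service account should never log on
            # to a client from the client itself.
            if ($Allowed -notcontains $data['IpAddress']) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    SourceIp    = $data['IpAddress']
                    Workstation = $data['WorkstationName']
                    AuthPackage = $data['AuthenticationPackageName']
                    LogonId     = $data['TargetLogonId']
                }
            }
        }
}

Get-UnexpectedServiceLogon -Account $ServiceAccount -Allowed $AllowedSources -WindowMs $LookBackMs |
    Format-Table -AutoSize
```

Two caveats. First, this only sees logons that reached the client's LSASS; if the connection is dropped by a host firewall (as the answer below proposes) nothing is written to the client's Security log, so the firewall log or a network sensor is the place to look for those attempts. Second, failed attempts with the right password but from the wrong source are still successful authentications as far as Windows is concerned, so a 4625 (failed logon) filter would not catch them; that is why the check is on 4624 plus source address.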

1 Answer

Depending on how you use WMI in your environment (is that application the only one that will connect to remote systems via WMI? Or do you have others?), you could easily create, deploy and manage Windows Firewall rules on these systems that only accept traffic on the WMI port if it comes from the service host IP address and from the service account. There's a way to assign a specific port to WMI for that:

https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi

This is most likely the easiest way. The firewall rules can be managed via GPOs afterwards.

Aura
  • Thank you @aura. I don't have absolute certainty over whether there are other applications using WMI, so it would be safest to assume that there are. To confirm my understanding: each of the client systems would need to be reconfigured to use a fixed port for WMI, and then firewall rules added via GPO to whitelist the IP addresses allowed to communicate with the client over that port? – adz_esm Dec 13 '19 at 14:13
  • Yes, that would be it. You'll want to use the same WMI port on every host system, so this way you'll be able to create a single Windows Firewall GPO that can be applied to every host system. Otherwise, you would have to create a Windows Firewall GPO for each single port that is being used by WMI, or put them all in the same GPO... but allowing a couple of ports for WMI. – Aura Dec 13 '19 at 17:33
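The configuration the answer and the comments describe, written out as an added PowerShell example (not code from the answer or from the linked Microsoft page). It follows the linked procedure to move WMI onto its fixed port, then replaces the built-in WMI firewall rules with rules scoped to the service host. The service host address `10.0.0.5` is an assumption; `24158` is the port the WMI service listens on once it runs in its own host process, per the linked page. Because the port is the same on every client, the two `New-NetFirewallRule` calls translate directly into one inbound-rule GPO applied to all 3000+ VMs.

```powershell
# Added example (not from the original answer): pin WMI to a fixed port and allow
# that port only from the service host. Assumed values:
$ServiceHost = '10.0.0.5'   # assumption: IP address of the VM running the vendor service
$WmiPort     = 24158        # port WMI uses after 'winmgmt -standalonehost' (linked MS doc)

# 1. Run the WMI service in its own host process so it listens on the fixed port
#    instead of a dynamic RPC port. 'winmgmt -sharedhost' reverts this.
winmgmt -standalonehost
Restart-Service -Name winmgmt -Force

# 2. Disable the built-in WMI rule group; those rules allow the dynamic RPC range
#    from any remote address, which would bypass the scoped rule below.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Disable-NetFirewallRule

# 3. Allow the fixed WMI port only from the service host. The Domain profile's
#    inbound default is Block, so every other source address is dropped before
#    the connection reaches the WMI service (and before any logon event is logged).
New-NetFirewallRule -DisplayName 'WMI fixed port - service host only' `
    -Direction Inbound -Protocol TCP -LocalPort $WmiPort `
    -RemoteAddress $ServiceHost -Action Allow -Profile Domain

# 4. DCOM clients still locate the WMI endpoint through the RPC endpoint mapper on
#    TCP 135, so the service host needs that port as well. Other enabled rules
#    (e.g. remote event log management) may already open 135 more widely; the
#    WMI data port in step 3 is the one that matters for this control.
New-NetFirewallRule -DisplayName 'RPC endpoint mapper - service host only' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $ServiceHost -Action Allow -Profile Domain

# 5. If the vendor service runs its PowerShell scripts over WinRM rather than over
#    WMI, scope the WinRM listener ports the same way (assumption about the app).
New-NetFirewallRule -DisplayName 'WinRM - service host only' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress $ServiceHost -Action Allow -Profile Domain

# Check: from any machine other than the service host, a remote query such as
#   Get-CimInstance -ComputerName <client> -ClassName Win32_OperatingSystem
# should now fail at the transport layer (RPC server unavailable), not with
# "access denied", because the packets never reach WMI.
```

The firewall approach enforces source address, not source identity: anything that runs on the service host itself, or that can spoof its address on the segment, is still allowed. It also breaks every other remote WMI consumer (monitoring agents, SCCM, admin scripts), which is why the commenter's point about first inventorying other WMI users matters; add their addresses to `-RemoteAddress` rather than re-enabling the broad built-in rules.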