LIMITED ACCOUNT (WMI & RPC)
CREATE THE SERVICE ACCOUNT AND SERVICE GROUP
1. Add the service account to Active Directory and set the password to never expire.
2. Create a Global security group for the service account. In this case, we named it Blockbox Accounts.
CREATE THE GROUP POLICY OBJECT
3. Create a new Group Policy Object for the WMI and remote registry access and edit it in the following steps.
CREATE THE WMI-INBOUND FIREWALL RULE
4. This step is used to allow inbound WMI calls via the firewall. If there is already such a rule in another GPO, then this step is optional and we can skip to step 5.
a) Create a firewall rule to allow inbound WMI.
b) Use a predefined WMI inbound rule
c) Leave the default allowance of all inbound WMI connections
d) Choose to Allow the connection and click Finish
ALLOW REMOTE REGISTRY ACCESS
5. To allow remote registry access, we have to set the permissions on a particular registry key – again we can do this via the GPO:
a) In the GPO, under Computer Configuration > Policies > Windows Settings > Registry add a new entry for the key:
MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
b) In the permissions view, add the service group created in step 2 and give it read access
ALLOW DCOM LAUNCH AND ACCESS
6. Add DCOM launch and access permissions to the GPO.
a) In the GPO open Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
b) Right-click on DCOM: Machine Access… and select Properties
c) Add the security group created in step 2 and allow Local and Remote access
d) Back in the Security Options, right-click on DCOM: Machine Launch… and select Properties
e) Add the security group from step 2 and allow all four entries
ALLOW READ ACCESS TO WMI NAMESPACES USING POWERSHELL
7. Allowing access to the WMI namespace cannot be done using a GPO alone. It has to be done via a logon script. The easiest way to accomplish this is via the PowerShell script found here: Creating a limited service account: PowerShell script.
THIS SCRIPT SHOULD BE DEPLOYED IN THE MANNER IN WHICH YOUR ORGANIZATION IS MOST COMFORTABLE. THE BELOW STEPS ARE JUST AN EXAMPLE OF HOW ONE CAN ADD A POWERSHELL STARTUP SCRIPT (AS OPPOSED TO A USER LOGON SCRIPT).
a) The attached PowerShell script should be saved to a shared folder accessible from the network, such as the Netlogon share (\\<DomainController>\Netlogon) or a similar shared script folder.
   From the script folder's Properties window go to the Security tab and click Edit. In the Permissions window click Add, add the Domain Computers group and grant it Read & execute, List folder contents and Read.
b) The logon script should be added in the GPO under Computer Configuration > Policies > Windows Settings > Scripts using the PowerShell scripts tab and with the following Script Parameters:
root add "<domain>\<security group>" Enable,MethodExecute,RemoteAccess,ReadSecurity
HINT: In Step 2 we created the "Blockbox Accounts" security group, in that case the parameter would read:
root add "COMPANY\Blockbox Accounts" Enable,MethodExecute,RemoteAccess,ReadSecurity
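As an added example (not the script attached to this guide), the following PowerShell does what step 7 describes: it grants the service group the Enable, MethodExecute, RemoteAccess and ReadSecurity rights on the root WMI namespace and its sub-namespaces. The group name COMPANY\Blockbox Accounts is the assumed value from step 2, and the access-mask constants are the documented __SystemSecurity namespace rights.

```powershell
# Added example: grant a group read-only WMI namespace rights via __SystemSecurity.
# Run elevated on the endpoint (e.g. as a GPO computer startup script).
param(
    [string]$Namespace     = 'root',
    [string]$Account       = 'COMPANY\Blockbox Accounts',   # assumed group name from step 2
    [string[]]$Permissions = @('Enable','MethodExecute','RemoteAccess','ReadSecurity')
)

# Access-mask bits for WMI namespace rights (values documented for __SystemSecurity).
$maskByName = @{
    Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteAccess = 0x20; ReadSecurity = 0x20000; WriteSecurity = 0x40000
}
$accessMask = 0
foreach ($p in $Permissions) {
    if (-not $maskByName.ContainsKey($p)) { throw "Unknown permission '$p'" }
    $accessMask = $accessMask -bor $maskByName[$p]
}

# Resolve DOMAIN\Group to a SID so the ACE is tied to the group, not its display name.
$domain, $name = $Account -split '\\', 2
$acct = Get-WmiObject -Class Win32_Account -Filter "Domain='$domain' AND Name='$name'"
if (-not $acct) { throw "Account '$Account' not found" }

# Read the namespace's current security descriptor.
$wmi = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$out = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($out.ReturnValue)" }
$acl = $out.Descriptor

# Idempotency: leave the DACL alone if an allow ACE with this SID and mask already exists.
$existing = $acl.DACL | Where-Object {
    $_.Trustee.SidString -eq $acct.SID -and $_.AceType -eq 0 -and $_.AccessMask -eq $accessMask
}
if ($existing) { Write-Verbose "ACE for $Account already present on $Namespace"; return }

# Build the allow ACE; CONTAINER_INHERIT_ACE (0x2) propagates it to sub-namespaces.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $acct.SID
$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $accessMask
$ace.AceFlags   = 0x2
$ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the ACE and write the descriptor back.
$acl.DACL += $ace.PSObject.ImmediateBaseObject
$res = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $acl.PSObject.ImmediateBaseObject
if ($res.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($res.ReturnValue)" }
```

Run it once by hand on a test endpoint before deploying it as the startup script; re-running it is safe because a matching ACE is detected and left untouched.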
ADD SERVICE GROUP TO REMOTE MANAGEMENT USERS GROUP
8. Add the service group Blockbox Accounts to the built-in group Remote Management Users in Active Directory Users and Computers so that the change propagates to all endpoints in the AD environment. This step enables the service group to call WinRM on all endpoints.
ATTACH POLICY TO ORGANIZATIONAL UNIT
9. Now that we’ve got our Blockbox settings GPO (with all the appropriate security settings, firewall settings and/or logon script(s)), we will want to assign it to the appropriate computer Organizational Unit in AD (or user OU if a logon script was created in steps 7 or 8 above).
In the Group Policy Management console, click the "Blockbox policy" and in the Security Filtering section add the Domain Computers group.
This policy can be assigned to the organization’s OUs as desired – with or without user or WMI filters.
Once applied, the endpoints naturally either need to reboot, run gpupdate /force, or simply wait until the GPO is reapplied at its next refresh interval.