Forum Discussion

Lewis_Beard
2 months ago

Windows Least Privilege and polling (WinServer)

Regarding the Dec 31 Windows Least Privilege nightmare fuel (I know the page claims it won't be strictly enforced), I started testing the script. I've just run it on one collector right now, and it seemed to work for me. I had to wait overnight instead of just 10 minutes, but it did switch accounts, and that account does seem to be able to allow the collector service to do what it needs to do.

HOWEVER. We also use that same account for the WMI user. So for the subset of Windows VMs that run LM Collector software, the collector runs as DOM\user1 (redacted example). We ALSO use DOM\user1 as the WMI polling account for ALL VMs including the collector ones.

We make our collectors all monitor themselves, and so it's monitoring itself using that same account. I've discovered that MOST LogicModules continued polling normally after I ran the script, but ONE of them does not: File Server (WinServer).

Whatever permissions the LM script (Windows_NonAdmin_Config.ps1) gives to that user, it looks like they overlooked something. Most LogicModules such as CPU, Cores, File Systems, Memory, everything ... the user can poll it. But File Server (WinServer) fails (error message: No data collected from sbproxy).

So my final TL;DR question is: has anyone else discovered any limitations in this scenario?

Not all Windows LogicModules get applied to every server, so I'm wondering if others have had this experience, and if there might be other LogicModules that suddenly can't be collected when polling with the same user that the collector runs as (after running their script).

Thanks!
