Post on 30-Mar-2018

© Juniper Networks, Inc.

Setup non-admin user to query Domain Controller event log for Windows 2008 and Windows 2012

INTRODUCTION

In the Userfw AD integration solution, the SRX queries the Domain Controller event log to get the user-to-IP mapping. The easiest way to configure the SRX to query the Domain Controller is to use a user who is a member of the Domain Administrators group. This is restrictive and potentially risky for administrators, so we need to provide a way for the firewall to query the Domain Controller with a user that has non-admin privileges. The SRX uses Windows Management Instrumentation (WMI) to query Active Directory Domain Controllers for the Security event log. To handle the remote call to the DC, Distributed COM (DCOM) is used as well. To allow the SRX to use a non-admin account for DC connectivity, the account must have event log reading permission. A non-admin user needs the following permissions to query the DC:

§ DCOM permission
§ WMI permission
§ Event log reading permission

To minimize the permissions of this non-admin user, the following permission will be denied:

§ Interactive logon

Note: Using this non-admin user account to access domain devices for other purposes may fail because of the permission restriction. To allow the PC-Probe feature, use an account in the Domain Administrators group, as Windows requires administrator privileges to return the logged-on user information from a Windows client PC.

INSTRUCTIONS

Step 1: Create a domain user

§ Open up Active Directory Users and Computers

Start → Administrative Tools → Active Directory Users and Computers

§ Add new user

Right-click Users → New → User

§ Fill in the required fields to create the user

Step 2: Grant user DCOM permission

§ Start → Run, or in a command line console, input dcomcnfg

§ Click on Console Root → Component Services → Computers, right-click My Computer → select Properties. A new window opens; click on the COM Security tab.

§ In the Launch and Activation Permissions area click the Edit Limits button. In the new window, click ADD. Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.

§ Grant the user the Remote Activation permission by clicking on the user and then selecting the checkbox. Remove the Local Launch permission by clicking on the check mark to clear it. Then click OK to exit.

§ Click OK and close out of the Component Services window.
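The dcomcnfg dialog gives no summary of what an account ended up with, so the following added example (not part of the Juniper document) decodes the machine-wide "Launch and Activation Permissions" limits that Step 2 edits and reports the rights held by the query account. It assumes it runs elevated on the Domain Controller; the account name SRXTEST\non_admin is a placeholder for the user created in Step 1.

```powershell
# Added example, not from the Juniper document: decode the DCOM launch and
# activation limits edited in Step 2 and show what the query account holds.
# Assumed to run elevated on the Domain Controller.
param(
    [string]$Account = 'SRXTEST\non_admin'   # placeholder: domain\user from Step 1
)

# "Edit Limits" stores a binary security descriptor in this registry value.
# The value does not exist until the limits have been edited at least once.
$ole   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$bytes = (Get-ItemProperty -Path $ole -Name MachineLaunchRestriction -ErrorAction SilentlyContinue).MachineLaunchRestriction
if (-not $bytes) { "MachineLaunchRestriction is not set: the DCOM limits are still the defaults."; return }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

# COM access-mask bits (COM_RIGHTS_EXECUTE_LOCAL, _EXECUTE_REMOTE, _ACTIVATE_LOCAL, _ACTIVATE_REMOTE).
$ComRights = [ordered]@{
    LocalLaunch      = 0x02
    RemoteLaunch     = 0x04
    LocalActivation  = 0x08
    RemoteActivation = 0x10
}

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$found = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
    $found = $true
    $bits = $ComRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
    '{0,-13} {1}: {2}' -f $ace.AceType, $Account, ($bits -join ', ')
}
if (-not $found) { "$Account has no explicit entry in the DCOM launch and activation limits." }
# Expected after Step 2: one AccessAllowed line for the account that lists
# RemoteActivation and does not list LocalLaunch.
```

The script only reports an entry that names the user directly; rights inherited through a group (for example the built-in Distributed COM Users group) do not appear, so an empty result is not by itself proof that the account cannot activate DCOM objects remotely.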

Step 3: Grant user WMI permission

§ Open the Windows Management Instrumentation (WMI) console: Start → Run, or in a command line console, input wmimgmt.msc

§ Right-click WMI Control and select Properties.

§ Select the Security tab and expand "Root".

§ Select CIMV2 and click Security.

§ Click ADD. Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.

§ Grant the user the Remote Enable permission by clicking on the user and then selecting the checkbox. Remove the Enable Account permission by clicking on the check mark box. Then click OK to exit.

§ Click OK on the WMI Properties screen and close the wmimgmt window.

Step 4: Grant the user Event Log access permissions

§ Open up Group Policy Management: Start → Administrative Tools → Group Policy Management.

§ Expand the Forest tree to locate Default Domain Controllers Policy.

§ Right-click Default Domain Controllers Policy and select Edit to open up the Editor window.

§ Under Default Domain Controllers Policy expand the following tree: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment

§ In the right part of the window, locate and double-click Manage auditing and security log.

§ In the new window click the Add User or Group button and select Browse.

§ Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.

§ Click OK twice.

Step 5: Deny Interactive Logon ability for the user

§ Open up the Group Policy Management Editor, if it was closed after Step 4: Start → Administrative Tools → Group Policy Management. Expand the Forest tree to locate Default Domain Controllers Policy, right-click Default Domain Controllers Policy and select Edit.

§ Under Default Domain Controllers Policy expand the following tree:

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment

§ In the right part of the Group Policy Management Editor window, locate and double-click Deny log on locally.

§ In the new window click the Add User or Group button and select Browse.

§ Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.

§ Click OK twice.

§ In the right part of the Group Policy Management Editor window, locate and double-click Deny log on through Remote Desktop Services.

§ Repeat the steps to add the username from Step 1 to the list and click OK twice.

§ Close the Group Policy Management Editor window.

Step 6: Restart the WMI service

§ Open the Services console: Start → Run, or in a command line console, input services.msc

§ Locate the Windows Management Instrumentation service and restart it by right-clicking the service and clicking on the Restart option.
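Steps 3, 4 and 5 change settings in three different places (the root\cimv2 namespace security, and two user-rights assignments in the Default Domain Controllers Policy). The following added example, which is not part of the Juniper document, reads all three back on the Domain Controller so the result can be checked before the SRX is pointed at it. It assumes it runs elevated on the DC after the policy has been applied (gpupdate /force), and SRXTEST\non_admin is a placeholder for the user created in Step 1.

```powershell
# Added example, not from the Juniper document: verify on the DC what Steps 3-5
# configured. Assumed to run elevated after the GPO has been applied.
param(
    [string]$Account = 'SRXTEST\non_admin'   # placeholder: domain\user from Step 1
)

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- Step 3: namespace security on root\cimv2 -------------------------------
# The Security dialog in wmimgmt.msc edits the DACL exposed by __SystemSecurity.
$WmiRights = [ordered]@{
    EnableAccount = 0x1      # WBEM_ENABLE
    RemoteEnable  = 0x20     # WBEM_REMOTE_ACCESS
}
$sec  = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity
$dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
$aces = $dacl | Where-Object { $_.Trustee.SIDString -eq $sid }
if (-not $aces) {
    "root\cimv2: no explicit ACE for $Account"
} else {
    foreach ($ace in $aces) {
        $kind = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = allowed, 1 = denied
        $bits = $WmiRights.GetEnumerator() |
                Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
                ForEach-Object { $_.Key }
        "root\cimv2: $kind $Account -> $($bits -join ', ')"
    }
}

# --- Steps 4 and 5: user rights in effect on this DC ------------------------
# secedit exports the local security policy; each line of [Privilege Rights]
# names a right and the SIDs (prefixed with '*') or names that hold it.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$expected = [ordered]@{
    SeSecurityPrivilege               = 'Manage auditing and security log (Step 4)'
    SeDenyInteractiveLogonRight       = 'Deny log on locally (Step 5)'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services (Step 5)'
}
foreach ($right in $expected.Keys) {
    $line   = $policy | Where-Object { $_ -like "$right *" }
    $holders = if ($line) { ($line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
    $status  = if ($holders -contains $sid) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $expected[$right]
}
```

Because the two deny rights are set in the Default Domain Controllers Policy, secedit on a DC shows them as applied, but they restrict logon only on the domain controllers that receive that GPO; member servers and workstations are not covered by it, which is consistent with the Note in the introduction that the account is meant only for querying the DC.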

Step 7: Configure the non-admin user in the SRX

#set services user-identification active-directory-access domain SRXTEST user <user from step 1> (in this example "non_admin")
#set services user-identification active-directory-access domain SRXTEST user password <password entered as part of step 1>
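Before committing the SRX configuration it is worth reproducing the firewall's query from another domain machine with the same account, since an error surfaces there with a Windows message rather than through the SRX. The following added example (not part of the Juniper document) performs that check: a remote WMI read of the Security log filtered to event 4624, the successful-logon record that user-to-IP mappings are derived from. The host name dc1.srxtest.local and the account SRXTEST\non_admin are placeholders; the field positions used to print the user and source address follow the 4624 event template.

```powershell
# Added example, not from the Juniper document: read Security-log logon events
# from the DC over WMI with the non-admin account, as the SRX will do.
param(
    [string]$DomainController = 'dc1.srxtest.local',   # placeholder
    [string]$Account          = 'SRXTEST\non_admin',   # placeholder: user from Step 1
    [int]$MaxEvents           = 5
)

$cred = Get-Credential -UserName $Account -Message 'Password of the non-admin query account'

# Get-WmiObject uses DCOM/RPC, the same transport the SRX uses, so a failure
# here is the failure the firewall would see.
try {
    $events = Get-WmiObject -ComputerName $DomainController -Credential $cred `
                            -Class Win32_NTLogEvent `
                            -Filter "Logfile='Security' AND EventCode=4624" `
                            -ErrorAction Stop | Select-Object -First $MaxEvents
} catch {
    "Query failed: $($_.Exception.Message)"
    "'Access is denied' points at the DCOM limits (Step 2) or the root\cimv2 permissions (Step 3);"
    "'RPC server is unavailable' points at the WMI service (Step 6) or a host firewall."
    return
}

if (-not $events) {
    "Connected, but no 4624 events were returned: check Manage auditing and security log (Step 4)."
    return
}

$events | ForEach-Object {
    # InsertionStrings carry the event fields in template order:
    # 5 = TargetUserName, 6 = TargetDomainName, 18 = IpAddress.
    $f = $_.InsertionStrings
    [pscustomobject]@{
        Time   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        Record = $_.RecordNumber
        User   = if ($f.Count -gt 6)  { '{0}\{1}' -f $f[6], $f[5] } else { '?' }
        Source = if ($f.Count -gt 18) { $f[18] } else { '?' }
    }
} | Format-Table -AutoSize
```

Run it from a machine other than the DC so that the remote-activation and remote-enable permissions, rather than their local counterparts, are what gets exercised; a local run would not detect a missing Remote Activation or Remote Enable grant.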
