© Juniper Networks, Inc.
Setup non-admin user to query Domain Controller event log for Windows 2008 and Windows 2012

INTRODUCTION

In the UserFW AD integration solution, the SRX queries the Domain Controller event log to get the user-to-IP mapping. The easiest way to configure the SRX to query the Domain Controller is to use a user who is part of the Domain Administrators group. This is restrictive and potentially risky to administrators, and we need to provide a way for the firewall to query the Domain Controller via a user with non-admin privileges. The SRX uses Windows Management Instrumentation (WMI) to query Active Directory Domain Controllers for the Security event logs. To handle the remote call to the DC, we also use Distributed COM (DCOM) technology. To allow the SRX to use a non-admin account for DC connectivity, the account must have event log reading permission. A non-admin user needs the following permissions to query the DC:
§ DCOM Permission
§ WMI Permission
§ Event log reading permission
To minimize the permissions of this non-admin user, the following permission will be denied:
§ Interactive Logon
Note:
Using this non-admin user account to access the domain devices for other purposes may fail because of the permission restriction. To allow the PC-Probe feature, please use an account in the Domain Administrators group, as Windows requires administrator privileges to return the logged-on user's info from a Windows client PC.
INSTRUCTIONS

Step 1: Create a domain user
§ Open up Active Directory Users and Computers
Start → Administrative Tools → Active Directory Users and Computers
§ Add new user
Right-click Users → New → User
§ Fill in the required fields to create the user

Step 2: Grant the user DCOM permission
§ Start → Run, or in a command-line console, input dcomcnfg
§ Click on Console Root → Component Services → Computers, right-click My Computer → select Properties. A new window opens. Then click on the COM Security tab.
§ In the Launch and Activation Permissions area, click the Edit Limits button. In the new window, click ADD. Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.
§ Grant the user the Remote Activation permission by clicking on the user and then selecting the checkbox. Remove the Local Launch permission by clicking on its check mark to clear it. Then click OK to exit.
§ Click OK and close out of the Component Services window.
Step 3: Grant the user WMI permission
§ Open the Windows Management Instrumentation (WMI) console: Start → Run, or in a command-line console, input wmimgmt.msc
§ Right-click WMI Control and select Properties.
§ Select the Security tab and expand "Root".
§ Select CIMV2 and click Security.
§ Click ADD. Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.
§ Grant the user the Remote Enable permission by clicking on the user and then selecting the checkbox. Remove the Enable Account permission by clicking on its check mark box. Then click OK to exit.
§ Click OK in the WMI Properties screen and close the wmimgmt window.

Step 4: Grant the user Event Log access permissions
§ Open up Group Policy Management: Start → Administrative Tools → Group Policy Management.
§ Expand the Forest tree to locate Default Domain Controllers Policy
§ Right-click Default Domain Controllers Policy and select Edit to open up the Editor window.
§ Under Default Domain Controllers Policy expand the following tree: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
§ In the right part of the window, locate and double-click Manage auditing and security log.
§ In the new window click the Add User or Group button and select Browse.
§ Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.
§ Click OK twice

Step 5: Deny Interactive Logon ability for the user
§ Open up the Group Policy Management Editor, if it was closed after Step 4: Start → Administrative Tools → Group Policy Management. Expand the Forest tree to locate Default Domain Controllers Policy, right-click Default Domain Controllers Policy and select Edit
§ Under Default Domain Controllers Policy expand the following tree:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
§ In the right part of the Group Policy Management Editor window, locate and double-click Deny log on locally.
§ Enter the username created in Step 1 into the lower box and click on Check Names. Click OK.
§ Click OK twice
§ In the right part of the Group Policy Management Editor window, locate and double-click Deny log on through Remote Desktop Services.
§ Repeat the steps to add the username from Step 1 to the list and click OK twice.
§ Close the Group Policy Management Editor window

Step 6: Restart the WMI Service
§ Open the Services console: Start → Run, or in a command-line console, input services.msc
§ Locate the Windows Management Instrumentation service and restart it by right-clicking the service and clicking on the Restart option.

Step 7: Configure the non-admin user in the SRX
#set services user-identification active-directory-access domain SRXTEST user <user from step 1> (in this example "non_admin")
#set services user-identification active-directory-access domain SRXTEST user password <password entered as part of step 1>
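Before pointing the SRX at the account, it is worth confirming from a domain-joined admin workstation that Steps 2 to 4 took effect, because a missing DCOM, WMI or "Manage auditing and security log" right each fails in a different way. The PowerShell script below is an added example and not part of the Juniper document; it runs the same kind of remote WMI query against the Security log that the SRX issues, under the non-admin credential. The DC name and account name are placeholders, and filtering on logon event 4624 is my assumption about which events the user-to-IP mapping relies on.

```powershell
# Added verification script (not from the Juniper document).
# Run from a domain-joined admin workstation or on the DC itself.
# Assumptions: the DC hostname and account name below are placeholders.
param(
    [string]$DomainController = 'dc1.srxtest.local',  # placeholder DC
    [string]$User             = 'SRXTEST\non_admin'   # account from Step 1
)
$cred = Get-Credential -UserName $User -Message 'Password of the SRX non-admin account'

# Check 1 (Steps 2-3): DCOM Remote Activation + WMI Remote Enable on root\cimv2.
# Any class query succeeding proves the remote connection path works.
try {
    $null = Get-WmiObject -ComputerName $DomainController -Credential $cred `
        -Namespace 'root\cimv2' -Class Win32_OperatingSystem -ErrorAction Stop
    Write-Output "[OK]   DCOM/WMI connection to $DomainController"
} catch {
    Write-Output "[FAIL] DCOM/WMI connection: $($_.Exception.Message)"
    exit 1
}

# Check 2 (Step 4): 'Manage auditing and security log' is what lets the
# account read the Security log; without it this query is denied even
# though check 1 passed. Filter on logon events (4624, my assumption for
# what the user-to-IP mapping uses) from the last 10 minutes, because an
# unfiltered Win32_NTLogEvent query over the Security log is very slow.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-10))
$wql = "SELECT TimeGenerated, EventCode FROM Win32_NTLogEvent " +
       "WHERE Logfile='Security' AND EventCode=4624 AND TimeGenerated>='$since'"
try {
    $events = @(Get-WmiObject -ComputerName $DomainController -Credential $cred `
        -Query $wql -ErrorAction Stop)
    Write-Output "[OK]   Security log readable: $($events.Count) logon events in last 10 min"
} catch {
    Write-Output "[FAIL] Security log query: $($_.Exception.Message)"
    exit 1
}

# Check 3 (least privilege): the account must not be a Domain Admins member,
# otherwise the point of this procedure is lost. Needs the RSAT
# ActiveDirectory module on the machine running the script.
$sam = ($User -split '\\')[-1]
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Select-Object -ExpandProperty SamAccountName
if ($admins -contains $sam) {
    Write-Output "[WARN] $sam is a member of Domain Admins; use a non-admin account"
} else {
    Write-Output "[OK]   $sam is not in Domain Admins"
}
```

Get-WmiObject exists in Windows PowerShell 5.1 and earlier, which is what ships on the Windows 2008/2012 servers this document targets; it is not available in PowerShell 7.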