Agentless Windows monitors

Andreas Ericsson ae at op5.se
Thu Mar 24 10:05:54 CET 2005


Glenn Meisenheimer wrote:
> Hi Andreas
> 
> I can tell you that when you use these scripts you don't need to
>  install ANYTHING on the remote hosts - providing that you are using
>  Win2k or something more recent.

The OS provides the communications interface, I'm with you. More down 
below for my concerns.

>  This is because WMI is an integral
>  part of Windows these days, and these scripts query WMI for the
>  same classes of information that are used to populate perfmon.
> 
> Authentication?  We don't need no stinking authentication as long
>  as the proxy server (the server running nrpe-nt and hosting these
>  scripts)

So you need to set up a windows proxy that hosts nrpe-nt and handles all 
checks for all windows servers? Will it work with 200 servers? 2000?

> has the same Administrator login as the remote hosts.

Repeated admin logins over the network. Yay...
Same admin username/password for all hosts. Yay...
Please tell me the protocol at least uses strong encryption (like 
blowfish, rijndael or dsa) so that culprits can't pick the credentials 
off the wire with zero effort.

>   If that isn't the case, you need to call the scripts using the
>  -user and -pass command line options in order to authenticate on
>  the remote machine.  These can be handled the same as any other
>  password in nagios - using resources.cfg and the $USERn$ macros.
> 

Authentication credentials stored on a single machine, doing intense 
networking. Yay...

> 
> Also, it is possible to set up a user account on a remote machine
>  which permits nagios to access WMI but does not permit an actual
>  login to the remote windows server.
> 

This is good news. So what can be done with the WMI? Anything, but only 
one command at a time? Getting performance counters? A quick search for 
WMI (Windows Management Instrumentation, the name alone is horrifying in 
a wide setup) classes at msdn shows the following classes and their 
alarming descriptions (non-alarming descriptions cut out):

* WMI registry classes - Classes that *manipulate* registry keys and values.

* WMI system classes - Predefined classes based on the Common 
Information Model (CIM) and included in every namespace in the WMI core. 
(this is alarming because CIM is decidedly broken in several places. See 
bugtraq archives for in-depth analysis).

* MSFT classes - Classes that offer a means to *manipulate* and describe 
a system event. These classes are included in the operating system.

* Consumer classes - A set of WMI event consumers which *trigger an 
action* upon receipt of an arbitrary event.

I don't know much about them, but it sounds pretty much like I'd be able 
to do whatever I want (or enable myself to do whatever I want) given a 5 
minute google and the authentication credentials.

> 
> Andreas, I don't expect these scripts to be the be-all and end-all,
>  but they do demonstrate a method for using scripts to perform agentless
>  monitoring of one's Windows infrastructure.

Not counting the proxy server running nrpe-nt, of course.

>  I am hoping that they
>  will serve as a starting place for further script development.
>   I already have need for more of these, and the fact that they
>  are scripted makes it easy to roll your own.
> 

Naturally. Sorry for my acrimonious response, but this has the distinct 
smell of the 1984 rsh/rexec/rlogin vuln. When it comes to microsoft and 
networking security, I trust them about as far as I can spit up-wind.

> 
> Now to proceed?  Here is documentation on the WMI classes available:
> 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_reference.asp
> 
> And here is a primer on WMI scripting:
> 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/anch_wmi.asp
> 


The About WMI page sports the following disturbing text.

Windows Management Instrumentation (WMI) is a component of the Windows 
operating system that provides management information and control in an 
enterprise environment. By using industry standards, managers can use 
WMI to query and set information on desktop systems, applications, 
networks, and other enterprise components. Developers can use WMI to 
create event monitoring applications that alert users when important 
incidents occur.


Note "management information and control", "query and set [everywhere]".
It's rsh re-invented (with root-access to boot *shudder*). Those who 
know a damn have moved to ssh using pre-shared keys, strict host key 
checking and pseudo-users for doing actual work.

> 
> And, of course... You could always contact Pham Van Hung in Vietnam
>  who wrote these.  He is credited in the header, and is an affordable
>  resource, and great guy.
> 

Considering the poorly researched but highly possible security 
implications, I'm not surprised I haven't heard the name.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
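As an added example (not one of the scripts discussed in this thread, and not code from Pham Van Hung or the Nagios project), here is what an agentless WMI check run from the nrpe-nt proxy host can look like when it takes the two concerns raised above into account: the remote query is made with a dedicated, non-interactive monitoring account passed in through the same -user/-pass style arguments the thread describes (so the secret can live in resources.cfg and be handed over as a $USERn$ macro rather than being hard-coded), and the DCOM/RPC session is requested at the PacketPrivacy authentication level, which signs and encrypts every packet instead of relying on whatever the default negotiates. The host name, account name, drive letter and thresholds are hypothetical parameters the caller supplies; the script reads Win32_LogicalDisk and reports free space in the usual Nagios plugin format with perfdata and exit codes.

```powershell
# check_wmi_disk.ps1 -- added example, not one of the scripts from the thread.
# Agentless free-disk-space check over WMI (DCOM/RPC) from the Nagios proxy.
# All names below (host, account, drive, thresholds) are hypothetical inputs.
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,   # remote Windows host
    [string] $Drive = 'C:',
    [int]    $Warn  = 20,     # percent free below which the check WARNs
    [int]    $Crit  = 10,     # percent free below which the check goes CRITICAL
    [string] $User,           # e.g. 'DOMAIN\nagios-wmi': remote-enable on WMI only, no logon right
    [string] $Pass            # supplied via a $USERn$ macro from resources.cfg
)

# Nagios plugin exit codes
$OK = 0; $WARNING = 1; $CRITICAL = 2; $UNKNOWN = 3

$wmiArgs = @{
    ComputerName   = $ComputerName
    Namespace      = 'root\cimv2'
    Class          = 'Win32_LogicalDisk'
    Filter         = "DeviceID='$Drive'"       # WQL filter, one logical disk
    # PacketPrivacy makes DCOM sign and encrypt every RPC packet, so neither
    # the credential exchange nor the returned data is readable off the wire.
    Authentication = 'PacketPrivacy'
    Impersonation  = 'Impersonate'
    ErrorAction    = 'Stop'
}

if ($User) {
    # Explicit credential for the dedicated monitoring account; when omitted,
    # the proxy's own (nrpe-nt service) account is used instead.
    $secure = ConvertTo-SecureString -String $Pass -AsPlainText -Force
    $wmiArgs['Credential'] = New-Object System.Management.Automation.PSCredential($User, $secure)
}

try {
    $disk = Get-WmiObject @wmiArgs
} catch {
    # Covers DCOM access denied, firewall/RPC failures and unknown hosts alike.
    Write-Output "DISK UNKNOWN - WMI query to $ComputerName failed: $($_.Exception.Message)"
    exit $UNKNOWN
}

if (-not $disk) {
    Write-Output "DISK UNKNOWN - drive $Drive not found on $ComputerName"
    exit $UNKNOWN
}

$freeGB  = [math]::Round($disk.FreeSpace / 1GB, 2)
$sizeGB  = [math]::Round($disk.Size / 1GB, 2)
$pctFree = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
$perf    = "'$Drive free'=${pctFree}%;$Warn;$Crit;0;100"   # Nagios perfdata

if ($pctFree -lt $Crit) {
    Write-Output "DISK CRITICAL - $Drive ${pctFree}% free ($freeGB of $sizeGB GB) | $perf"
    exit $CRITICAL
} elseif ($pctFree -lt $Warn) {
    Write-Output "DISK WARNING - $Drive ${pctFree}% free ($freeGB of $sizeGB GB) | $perf"
    exit $WARNING
} else {
    Write-Output "DISK OK - $Drive ${pctFree}% free ($freeGB of $sizeGB GB) | $perf"
    exit $OK
}
```

Two things to check before relying on this in the setup described above. First, the monitoring account should be a plain user that is denied interactive and network logon on the targets and granted only Remote Enable on root\cimv2 (WMI Control snap-in, namespace security) plus DCOM remote launch/activation (on Server 2003 SP1 and later, membership in Distributed COM Users is one way to get that); a WMI-only account limits what a stolen credential buys, but anyone who can reach the registry, process or event-consumer classes with it still has far more than read access, so grant namespaces, not Administrator. Second, PacketPrivacy only protects the proxy-to-target hop; the credential still has to reach the proxy, so resources.cfg on the Nagios host must be readable by the nagios user alone, and if nrpe-nt receives the password as a command argument it should do so over an encrypted NRPE link, never in a plain-text command line that shows up in process listings.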


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users