Agentless Windows monitors

Anthony Montibello amontibello at gmail.com
Thu Mar 24 14:01:32 CET 2005


Hi,

Andreas' message hits some key dangers of accessing WMI.

With access to WMI one can literally do anything to a system,
including rebooting it.

A second problem with WMI is that a user would still have to create
their own performance counters for checking things like CPU load over
time.  For instance, just checking the counter for CPU % is an
instantaneous result of the current load at that test instant.  The only
way to check the average load over time is to collect these test
values, store them in some structure, then calculate the average.
This is one of the reasons to use an agent; NC_Net polls the CPU
usage ~12 times a minute. Using WMI one can set up a counter that saves
samples and then crunches the numbers, but I think it is easier to just
run an agent or accept just the instantaneous time without the agent.

NOTE: NC_Net also has access to WMI; however, NC_Net parses the commands
sent to it and will only allow a select query to be passed
directly to WMI.

Several months ago there was a plug-in called "genma" that supposedly
can also run without an agent, loaded via ASP ???
However, I never tried this plugin because it requires Dot Net V2 (this
is still in beta).

Once again, thanks Andreas for a nice summary overview of what this WMI
stuff is, as well as some of its advantages/disadvantages.

Thanks
Tony
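As an added illustration (not NC_Net's code, nor anything posted in this thread), here is a Python sketch of the two defensive points above: a proxy that forwards only read-only SELECT queries against an allow-list of WMI classes (the class names and the query grammar are my assumptions), and a fixed-size sample window that turns the instantaneous CPU % counter into an average over ~12 readings.

```python
import re
from collections import deque

# Constructed allow-list of read-only WMI classes the proxy may be asked about.
# The names are an assumption for this example, not NC_Net's real configuration.
ALLOWED_CLASSES = {
    "Win32_PerfFormattedData_PerfOS_Processor",
    "Win32_LogicalDisk",
    "Win32_Service",
}

# Shape of a WQL data query that only reads: SELECT <fields> FROM <class> [WHERE <clause>].
# Anything else (ASSOCIATORS OF, event queries using WITHIN, stacked text) fails to match.
_SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>\*|[\w\s,]+?)\s+FROM\s+(?P<cls>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE,
)


def is_safe_wql(query: str) -> bool:
    """Return True only for a plain SELECT against an allow-listed class."""
    m = _SELECT_RE.match(query)
    if m is None:
        return False
    if m.group("cls") not in ALLOWED_CLASSES:
        return False
    where = m.group("where") or ""
    # Keep the WHERE clause to simple comparisons: no parentheses, no statement separators.
    return re.fullmatch(r"[\w\s='\".<>!%-]*", where) is not None


class CpuLoadWindow:
    """Holds the last N instantaneous CPU % readings and reports their mean (N=12, 5 s apart = 1 min)."""

    def __init__(self, samples_per_window: int = 12) -> None:
        self._samples = deque(maxlen=samples_per_window)

    def add_sample(self, percent: float) -> None:
        # A raw PercentProcessorTime reading is a point sample; reject impossible values early.
        if not 0.0 <= percent <= 100.0:
            raise ValueError(f"CPU percent out of range: {percent}")
        self._samples.append(percent)

    def average(self) -> float:
        if not self._samples:
            raise ValueError("no samples collected yet")
        return sum(self._samples) / len(self._samples)
```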

On Thu, 24 Mar 2005 10:05:54 +0100, Andreas Ericsson <ae at op5.se> wrote:
> Glenn Meisenheimer wrote:
> > Hi Andreas
> >
> > I can tell you that when you use these scripts you don't need to
> >  install ANYTHING on the remote hosts - providing that you are using
> >  Win2k or something more recent.
> 
> The OS provides the communications interface, I'm with you. More down
> below for my concerns.
> 
> >  This is because WMI is an integral
> >  part of Windows these days, and these scripts query WMI for the
> >  same classes of information that are used to populate perfmon.
> >
> > Authentication?  We don't need no stinking authentication as long
> >  as the proxy server (the server running nrpe-nt and hosting these
> >  scripts)
> 
> So you need to set up a windows proxy that hosts nrpe-nt and handles all
> checks for all windows servers? Will it work with 200 servers? 2000?
> 
> > has the same Administrator login as the remote hosts.
> 
> Repeated admin logins over the network. Yay...
> Same admin username/password for all hosts. Yay...
> Please tell me the protocol at least uses strong encryption (like
> blowfish, rijndael or dsa) so that culprits can't pick the credentials
> off the wire with zero effort.
> 
> >   If that isn't the case, you need to call the scripts using the
> >  -user and -pass command line options in order to authenticate on
> >  the remote machine.  These can be handled the same as any other
> >  password in nagios - using resources.cfg and the $USERn$ macros.
> >
> 
> Authentication credentials stored on a single machine, doing intense
> networking. Yay...
> 
> >
> > Also, it is possible to set up a user account on a remote machine
> >  which permits nagios to access WMI but does not permit an actual
> >  login to the remote windows server.
> >
> 
> This is good news. So what can be done with the WMI? Anything, but only
> one command at a time? Getting performance counters? A quick search for
> WMI (Windows Management Instrumentation, the name alone is horrifying in
> a wide setup) classes at msdn shows the following classes and their
> alarming descriptions (non-alarming descriptions cut out):
> 
> * WMI registry classes - Classes that *manipulate* registry keys and values.
> 
> * WMI system classes - Predefined classes based on the Common
> Information Model (CIM) and included in every namespace in the WMI core.
> (this is alarming because CIM is decidedly broken in several places. See
> bugtraq archives for in-depth analysis).
> 
> * MSFT classes - Classes that offer a means to *manipulate* and describe
> a system event. These classes are included in the operating system.
> 
> * Consumer classes - A set of WMI event consumers which *trigger an
> action* upon receipt of an arbitrary event.
> 
> I don't know much about them, but it sounds pretty much like I'd be able
> to do whatever I want (or enable myself to do whatever I want) given a 5
> minute google and the authentication credentials.
> 
> >
> > Andreas, I don't expect these scripts to be the be-all and end-all,
> >  but they do demonstrate a method for using scripts to perform agentless
> >  monitoring of one's Windows infrastructure.
> 
> Not counting the proxy server running nrpe-nt, of course.
> 
> >  I am hoping that they
> >  will serve as a starting place for further script development.
> >   I already have need for more of these, and the fact that they
> >  are scripted makes it easy to roll your own.
> >
> 
> Naturally. Sorry for my acrimonious response, but this has the distinct
> smell of the 1984 rsh/rexec/rlogin vuln. When it comes to microsoft and
> networking security, I trust them about as far as I can spit up-wind.
> 
> >
> > Now to proceed?  Here is documentation on the WMI classes available:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_reference.asp
> >
> > And here is a primer on WMI scripting:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/anch_wmi.asp
> >
> 
> The "About WMI" page sports the following disturbing text:
> 
> Windows Management Instrumentation (WMI) is a component of the Windows
> operating system that provides management information and control in an
> enterprise environment. By using industry standards, managers can use
> WMI to query and set information on desktop systems, applications,
> networks, and other enterprise components. Developers can use WMI to
> create event monitoring applications that alert users when important
> incidents occur.
> 
> Note "management information and control", "query and set [everywhere]".
> It's rsh re-invented (with root-access to boot *shudder*). Those who
> know a damn have moved to ssh using pre-shared keys, strict host key
> checking and pseudo-users for doing actual work.
> 
> >
> > And, of course... You could always contact Pham Van Hung in Vietnam
> >  who wrote these.  He is credited in the header, and is an affordable
> >  resource, and great guy.
> >
> 
> Considering the poorly researched but highly possible security
> implications, I'm not surprised I haven't heard the name.
> 
> --
> Andreas Ericsson                   andreas.ericsson at op5.se
> OP5 AB                             www.op5.se
> Lead Developer
> 


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null