Environment: local 1703 / remote 1709, both Win10 Pro 64bit
Preparation:
1. Start the WS-Man service (WinRM) on both local and remote. On local, run winrm quickconfig and add all machines (i.e. *) to TrustedHosts. On remote, only run quickconfig.
Ref: http://labs.supinfochina.com/en/powershell-configure-winrm-and-enable-psremoting/#_Toc429317714
2. Make sure the WMI service is running on both local and remote.
3. Make sure local can access root\cimv2 (check with wbemtest.exe).
4. Turn off the remote firewall (entirely).
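As an added example (not from the original notes), the four preparation steps above can be verified from the local side with one script. It assumes a placeholder remote host name; the TrustedHosts check flags the wildcard "*" so a specific host can be used instead, and the comment at the end shows the remote-side rule groups to enable rather than switching the whole firewall off as in step 4.

```powershell
# Added example: local-side preparation checks for WS-Man/WMI remote access in a workgroup.
$RemoteHost = 'remote-host'   # placeholder, not a value from the notes

function Test-RemoteWmiPrep {
    param([string]$ComputerName)
    $result = [ordered]@{}

    # Step 1/2: WinRM (WS-Man) and WMI (Winmgmt) services must be running locally.
    foreach ($svc in 'WinRM', 'Winmgmt') {
        $result["Service:$svc"] = (Get-Service -Name $svc).Status -eq 'Running'
    }

    # Step 1: TrustedHosts is a comma-separated list; '*' trusts every host, so flag it.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = $trusted -split ',' | ForEach-Object { $_.Trim() }
    $result['TrustedHostsIsWildcard']     = ($trusted -eq '*')
    $result['TrustedHostsContainsRemote'] = ($entries -contains $ComputerName)

    # Step 3: local access to root\cimv2 (what wbemtest.exe checks interactively).
    try {
        $null = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result['LocalCimv2Access'] = $true
    } catch { $result['LocalCimv2Access'] = $false }

    # Step 4: WS-Man listener reachable on the remote (an identify probe needs no credentials).
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $result['RemoteWSManReachable'] = $true
    } catch { $result['RemoteWSManReachable'] = $false }

    [pscustomobject]$result
}

Test-RemoteWmiPrep -ComputerName $RemoteHost | Format-List

# On the remote host, instead of disabling the firewall entirely (step 4):
#   Enable-PSRemoting -Force          # WinRM listener plus its firewall rule for WS-Man
#   Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
#                                     # only needed if legacy DCOM/WMI (wbemtest.exe) must work
```

If TrustedHostsIsWildcard is true, replace it with the single host: Set-Item WSMan:\localhost\Client\TrustedHosts -Value $RemoteHost -Force (run elevated).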
Problems:
1. Originally I wanted to play with WMI's built-in tool, C:\windows\system32\wbem\Wbemtest.exe, but using it to connect to another machine on the same network and same workgroup was refused (I used the remote's admin account), with error 0x80070005!!
2. Since MI has replaced WMI, WS-Man should work too. On remote, run Enable-PSRemoting in PowerShell. On local, in PowerShell run Get-WSManInstance -ResourceURI wmicimv2/win32_service -SelectorSet @{name="winrm"} -ComputerName "Server01" -credential admin (I used the remote's admin account), and the result is still an error: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="xxx"><f:Message>拒绝访问。 </f:Message>
3. Using C# code over the WS-Man protocol, IEnumerable<CimInstance> enumeratedInstances = cimSession.EnumerateInstances(cimNamespace, cimClassName);
also gives the same error.
Option A:
Ref: https://blog.techygeekshome.info/2014/02/remote-uac-access-denied-errors-local-account-token-filter-policy-remote-uac-fix/
Pros: convenient and fast. wbemtest.exe / PowerShell / C# all work without obstruction.
Cons: this method actually disables remote UAC!!! Convenient for learning or for being lazy, since logging in with an administrator account gives full administrator rights, but security drops considerably.
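The fix in the Ref above works by setting the LocalAccountTokenFilterPolicy registry value, which stops UAC from filtering the token of remote logons with local accounts. As an added example (not from the original notes), the following script audits that value on a machine so the weakened state is visible, and offers a function that restores the default filtering.

```powershell
# Added example: audit and restore the remote-UAC token filter (option A's switch).
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # 'Filtered'   = default; remote local-account admins get a filtered (standard-user) token.
    # 'Unfiltered' = value set to 1; remote local-account admins get a full admin token.
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($value -eq 1) { 'Unfiltered' } else { 'Filtered' }
}

function Restore-RemoteUacFilter {
    # Removes the override so the default filtered-token behaviour applies again (run elevated).
    if (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
    Get-RemoteUacState
}

# Audit this host and make the weakened state obvious in the output.
$state = Get-RemoteUacState
Write-Output "$env:COMPUTERNAME LocalAccountTokenFilterPolicy state: $state"
if ($state -eq 'Unfiltered') {
    Write-Warning 'Remote UAC filtering is off: every member of the local Administrators group gets a full admin token over the network. Restore-RemoteUacFilter re-enables filtering.'
}
```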
Reason: "WMI tasks remotely accessing WMI information on this computer and requiring Administrative privileges MUST use a DOMAIN account part of the Local Administrators group of this computer to ensure that administrative privileges are granted. If a Local User account is used for remote accesses, it will be reduced to a plain user (filtered token), even if it is part of the Local Administrators group."
Ref : https://serverfault.com/questions/713643/windows-10-wmi-and-event-viewer-access-denied
MSDN description --- In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user.
Even if you connect with a remote account that has administrator rights, UAC downgrades it to a standard user, so most accesses from the local end are denied.
Ref: https://msdn.microsoft.com/en-us/library/aa826699(v=vs.85).aspx#handling_remote_connections_under_uac
Option B: Following the MSDN description, create a user and user group used only for remote access, then in WMI Control (Computer Management) specify which namespaces that user (group) may access. For example, I created an onlyRemote user that belongs only to Remote Management Users and not to Administrators.
Pros: secure!!
Cons: it takes time to configure the namespace scope. Many security objects require administrator rights; accessing Win32_Service from PowerShell or C# with my onlyRemote (which is also in the Administrators group) gives Access Denied, while accessing Win32_process does not. And my wbemtest.exe connection to the remote as the onlyRemote user was refused entirely.
Ref: https://social.technet.microsoft.com/Forums/lync/en-US/4f33837b-1cb1-4648-85b1-3ba87cbfe93e/wmi-remote-access-denied?forum=winserverManagement
DCOM should be what restricts legacy WMI: if you do not go through WS-Man, you also have to grant remote permissions in DCOM. Modify DCOM security with dcomcnfg.exe.
PS: While diagnosing the Access Denied problem I also used WMIDiag, which helps identify potential WMI problems; this time the problem was found through its hints.
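To check an option-B configuration without clicking through WMI Control, the following added example (not from the original notes) does two things over WS-Man: it dumps the DACL of a namespace using the __SystemSecurity singleton so you can see which principals hold Remote Enable, and it connects as the restricted account and reports which classes it can enumerate and which are refused (the Win32_Process / Win32_Service split described above). Host name, namespace and account names are placeholders.

```powershell
# Added example: audit WMI namespace rights and test a restricted remote-only account.
$RemoteHost = 'remote-host'      # placeholder
$Namespace  = 'root/cimv2'
$AdminCred  = Get-Credential -UserName "$RemoteHost\admin"      -Message 'Admin account (reads the namespace DACL)'
$RemoteCred = Get-Credential -UserName "$RemoteHost\onlyRemote" -Message 'Restricted remote-only account'

# WMI namespace access-mask bits (WBEM security constants), so a raw AccessMask reads as names.
$WbemRights = [ordered]@{
    Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteEnable = 0x20; ReadSecurity = 0x20000; EditSecurity = 0x40000
}

function Get-WmiNamespaceAcl {
    param([string]$ComputerName, [string]$Namespace, [pscredential]$Credential)
    # __SystemSecurity is a singleton; GetSecurityDescriptor returns a Win32_SecurityDescriptor.
    $ss = Get-CimInstance -ComputerName $ComputerName -Credential $Credential -Namespace $Namespace -ClassName __SystemSecurity
    $sd = (Invoke-CimMethod -InputObject $ss -MethodName GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        $names = $WbemRights.GetEnumerator() | Where-Object { $ace.AccessMask -band $_.Value } | ForEach-Object { $_.Key }
        [pscustomobject]@{
            Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = access allowed, 1 = denied
            Rights  = $names -join ','
        }
    }
}

function Test-RestrictedWmiAccess {
    param([string]$ComputerName, [string]$Namespace, [pscredential]$Credential, [string[]]$ClassNames)
    # Force WS-Man so the result reflects WinRM, not DCOM, permissions.
    $opt = New-CimSessionOption -Protocol Wsman
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
    try {
        foreach ($class in $ClassNames) {
            try {
                $n = @(Get-CimInstance -CimSession $session -Namespace $Namespace -ClassName $class -ErrorAction Stop).Count
                [pscustomobject]@{ Class = $class; Result = "OK ($n instances)" }
            } catch {
                # Access denied surfaces as WS-Man fault code 5 (0x80070005), as in the notes above.
                [pscustomobject]@{ Class = $class; Result = "DENIED: $($_.Exception.Message)" }
            }
        }
    } finally { Remove-CimSession -CimSession $session }
}

Get-WmiNamespaceAcl -ComputerName $RemoteHost -Namespace $Namespace -Credential $AdminCred | Format-Table -AutoSize
Test-RestrictedWmiAccess -ComputerName $RemoteHost -Namespace $Namespace -Credential $RemoteCred `
    -ClassNames 'Win32_Process', 'Win32_Service' | Format-Table -AutoSize
```

An entry for the restricted group with Enable and RemoteEnable (and nothing more) on root/cimv2 is the least-privilege shape option B aims for; a class that is still DENIED after that is one whose provider enforces its own administrator requirement, not a namespace permission you can grant.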