Microsoft Windows Server OS
Windows Server OS inventory

Prerequisites:

CloudFabrix RDA provides out of the box agent-less integration for inventory data collection from Microsoft Windows server editions using WinRM protocol. Using this integration, inventory data like Windows OS version, server make & model, running services and processes and TCP/UDP network connections will be collected.
Using RDA's integration with Windows Server OS, below are the two primary use cases that are supported and consumed within the CloudFabrix Asset Intelligence and AIOps platforms.
  • Windows Server OS inventory &
  • Application Dependency
Below are prerequites which need to be configured on target Windows Server hosts.
WinRM configuration:
CloudFabrix supports both WinRM configuration over HTTP/HTTPS and authentication protocols using Basic/NTLM .
We recommend referring to the Microsoft document to configure WinRM over HTTP/HTTPS. The following configuration steps are for reference only.
Configure WinRM over HTTP:
  • Open command shell in windows and run the following command to quickly enable the WinRM with default configuration
winrm quickconfig
  • Make sure to allow WinRM TCP port 5985 in Windows Firewall if it's enabled.
  • Similar configuration can be done from PowerShell console by executing following command.
Enable-PSRemoting -force
Configure WinRM over HTTPS:
Microsoft has published detailed information on how to configure WinRM over HTTPS @ How to configure WINRM for HTTPS - Windows Client | Microsoft Docs
  • WinRM over HTTPS requires a certificate with CN matching the hostname.
  • Install/import the certificate on Windows Host Certificate --> Personal --> Certificates
  • Open command shell and execute the following command. It will create WinRM configuration and HTTPS listener
winrm quickconfig -transport:https
  • Modify WinRM configuration
The following parameters are required to modify apart from the default configuration.
  • Add CloudFabrix RDA’s IP address to TrustedHosts parameter or use “*” to accept remote connections from any source. Following command helps to modify the TrustedHosts value.
winrm set winrm/config/client '@{TrustedHosts="*"}'
  • Configure WinRM based on authentication method. CloudFabrix support both Basic/NTLM
winrm set winrm/config/service/auth '@{Negotiate="true"}'
winrm set winrm/config/service/auth '@{Kerberos="true"}'
Note: If you wanted to use ‘Basic’ auth method then ‘AllowUnencrypted’ parameter value should be set to ‘true
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
  • CbtHardeningLevel value should be ‘Relaxed’
winrm set winrm/config/service/auth '@{CbtHardeningLevel="relaxed"}'
Configuring WinRM with Group Policy:
Please refer the document from Microsoft to configure WinRM using Group Policies.
We recommend to provide the elevated or local administrator privileges for the user account which is created for data collection (domain or local) for deep discovery. However, In the absence of elevated privileges, discovery requires an user account which has enough privileges (read & execute) for WinRM remote management (WS-Man). Refer the following Microsoft documentation for more information on user privileges @ https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections
The following actions are required to get least read/execute privileges to non-admin users. These items are for reference only and providing the privileges depends on the customer infrastructure environment.
  • Create a local / domain user sevice account
  • Add the user acount (which is created for data collection) to the following local group.
WinRMRemoteWMIUsers__” OR “Remote Management Users
  • Configure execute, remote enable, read security, and enable account permissions for the Remote Management Users group on the root WMI namespace and subnamespaces.
  • Configure execute, remote enable, read security, and enable account permissions for the Remote Management Users group using scmanager command utility.
  • Provide explicit read/execute permissions to the user in WinRM SDDL configuration. Following command helps to configure the privileges.
winrm configSDDL default
  • Provide explicit read/execute permissions to the user account (which is created for data collection)
    in powershell session configuration. Following command helps to configure the privileges.
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
  • Restart Windows Remote Management service (WS-Man)

Windows Commands used for data collection:

  • Windows OS System Inventory
systeminfo /fo csv
(Get-WmiObject -Class win32_computersystemproduct).UUID
Get-WmiObject -Class Win32_Processor | Select-Object -Property Manufacturer,Name, NumberOfCores,NumberOfLogicalProcessors,SocketDesignation,CurrentClockSpeed,SystemName,Status"
BIOS Details:
$bios = @{};
(Get-WmiObject -Class win32_computersystemproduct |
select IdentifyingNumber, SKUNumber, UUID, Vendor).psobject.properties |
% {$bios.Add($_.Name, $_.Value)};
(Get-WmiObject -Class win32_bios |
select BIOSVersion, SerialNumber, ReleaseDate, Description, Manufacturer, Version).psobject.properties |
% {$bios.Add($_.Name, $_.Value)}; new-object psobject -Property $bios
  • Windows Service & Process Inventory
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_Service
  • Windows Application TCP/UDP Connections
nestat -ano
nestat -anob (Optional)
  • Windows Network Configuration
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object -Property *
Get-WmiObject -Class Win32_NetworkAdapter | Select-Object -Property Index, NetConnectionStatus
  • Windows installed Software Applications
Get-WmiObject Win32_Product |select-object Name,Version,Description,InstallDate,InstallDate2,InstallLocation,InstallSource,ProductID,RegCompany,RegOwner,Vendor
Test WinRM Connection:
To verify the WinRM configuration, use winrs.exe command which helps to test the remote connection to target Windows server using WinRM protocol.
Below are the sample commands to verify:
winrs -r:http://<Target_Win_IPaddress>:5985 -u:username -p:password hostname
winrs -r:https://<Target_Win_IPaddress>:5986 -u:username -p:password hostname
To verify WinRM port(s) 5985 or 5986 access check from a remote Windows system:
Test-NetConnection -computername "<Target_Win_IPaddress>" -P "5985"
Test-NetConnection -computername "<Target_Win_IPaddress>" -P "5986"

Adding Microsoft Windows OS as Datasource/Extension in 'RDA':

Microsoft Windows OS or any other datasource/extension's configuration is configured in RDA's user interface. Login into RDA's user interface using a browser.
https://<rda-ip-address>:9998
Under 'Notebook', click on 'CFXDX Python 3' box
In the 'Notebook' command box, type botadmin() and alt (or option) + Enter to open datasource administration menu.
Click on 'Add' menu and under Type drop down, select windows-inventory
  • type: Datasource/Extension type. In this context, it is 'windows-inventory'
  • name: Datasource/Extension label which should be unique within the RDA
  • Hostname: IP Address / DNS name of Windows host
  • Username: Windows username
  • Password: Windows password
  • Port: 5985 / 5986
  • Transport Protocol: http / https
  • Auth Protocol: basic / ntlm / kerberos
  • Provider: wsman (default value)
Hostname field is only used for a quick network access and authention access check against any one of the valid Window server host while adding the windows-inventory as a datasource. For actual data collection from Windows servers, it expects IP or IP subnet range as an input during runtime. Please refer the following sections for an example.
Click on 'Check Connectivity' to verify the network access and credentials validity. Once it is validated, click on 'Add' button to add the windows-inventory as a datasource.

Windows Server OS data exploration in 'RDA':

Once Windows OS integration details are configured in RDA as a datasource, it will be ready to connect to targe Windows servers and explore the data for the analysis.
For the details on Windows OS inventory data collection bots, refer CloudFabrix RDA Bot documentation.
Last modified 2mo ago