Microsoft Windows Server OS

Windows Server OS inventory

Prerequisites:

CloudFabrix RDA provides out-of-the-box agentless integration for inventory data collection from Microsoft Windows Server editions using the WinRM protocol. This integration collects inventory data such as the Windows OS version, server make and model, running services and processes, and TCP/UDP network connections.

RDA's integration with Windows Server OS supports two primary use cases, which are consumed within the CloudFabrix Asset Intelligence and AIOps platforms:

  • Windows Server OS inventory

  • Application Dependency

Below are the prerequisites which need to be configured on target Windows Server hosts.

WinRM configuration:

CloudFabrix supports WinRM over both HTTP and HTTPS, with Basic or NTLM authentication.

We recommend referring to the Microsoft document to configure WinRM over HTTP/HTTPS. The following configuration steps are for reference only.

Configure WinRM over HTTP:

  • Open a command shell in Windows and run the following command to quickly enable WinRM with the default configuration.

winrm quickconfig
  • Make sure to allow WinRM TCP port 5985 in Windows Firewall if it's enabled.

  • A similar configuration can be done from a PowerShell console by executing the following command.

Enable-PSRemoting -force

Configure WinRM over HTTPS:

Microsoft has published detailed information on how to configure WinRM over HTTPS in "How to configure WINRM for HTTPS - Windows Client | Microsoft Docs".

  • WinRM over HTTPS requires a certificate with CN matching the hostname.

  • Install/import the certificate on the Windows host under Certificate --> Personal --> Certificates.

  • Open a command shell and execute the following command. It will create the WinRM configuration and an HTTPS listener.

winrm quickconfig -transport:https
  • Modify WinRM configuration

The following parameters need to be modified in addition to the default configuration.

  • Add the CloudFabrix RDA IP address to the TrustedHosts parameter, or use “*” to accept remote connections from any source. The following command modifies the TrustedHosts value.

winrm set winrm/config/client '@{TrustedHosts="*"}'
  • Configure WinRM based on the authentication method. CloudFabrix supports both Basic and NTLM.

winrm set winrm/config/service/auth '@{Negotiate="true"}'
winrm set winrm/config/service/auth '@{Kerberos="true"}'

Note: If you want to use the ‘Basic’ auth method, the ‘AllowUnencrypted’ parameter value should be set to ‘true’.

winrm set winrm/config/service '@{AllowUnencrypted="true"}'
  • CbtHardeningLevel value should be ‘Relaxed’

winrm set winrm/config/service/auth '@{CbtHardeningLevel="relaxed"}'
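
The settings changed in the steps above can be read back on the target host before and after onboarding. The following is an added example, not CloudFabrix code: a read-only review using the built-in WSMan: provider and Get-WSManInstance. The function name Get-WinRMSettingReview and the review notes are assumptions made for this illustration.

```powershell
# Added example: read-only review of the WinRM settings changed on this page.
# Assumes an elevated PowerShell session on the target host (WSMan: drive needs admin).
function Get-WinRMSettingReview {   # hypothetical helper name
    # Setting path, the value to flag, and why it deserves a second look.
    $checks = @(
        @{ Path = 'Client\TrustedHosts'; Flag = '*'
           Note = 'no host restriction; the narrower option is the RDA IP address' },
        @{ Path = 'Service\AllowUnencrypted'; Flag = 'true'
           Note = 'service accepts unencrypted traffic; the page requires it for Basic auth' },
        @{ Path = 'Service\Auth\Basic'; Flag = 'true'
           Note = 'Basic credentials are protected only by the transport; prefer the HTTPS listener' },
        @{ Path = 'Service\Auth\CbtHardeningLevel'; Flag = 'Relaxed'
           Note = 'channel binding tokens are validated only when the client sends one' }
    )
    foreach ($c in $checks) {
        # Each leaf under WSMan:\localhost exposes its current setting as .Value
        $value  = (Get-Item -Path "WSMan:\localhost\$($c.Path)" -ErrorAction Stop).Value
        $review = if ("$value" -eq $c.Flag) { $c.Note } else { 'ok' }
        [pscustomobject]@{
            Setting = $c.Path
            Value   = $value
            Review  = $review
        }
    }
    # Listeners: report transport and port so an HTTP-only setup is visible.
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | ForEach-Object {
        $review = if ($_.Transport -eq 'HTTP') {
            'plain HTTP listener; check which auth methods are enabled on it'
        } else { 'ok' }
        [pscustomobject]@{
            Setting = "Listener $($_.Transport):$($_.Port)"
            Value   = $_.Address
            Review  = $review
        }
    }
}

Get-WinRMSettingReview | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only lists the current values so the combination of Basic, AllowUnencrypted and an HTTP listener is easy to spot.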

Configuring WinRM with Group Policy:

Please refer to the Microsoft documentation to configure WinRM using Group Policies.

For deep discovery, we recommend providing elevated or local administrator privileges to the user account (domain or local) which is created for data collection. However, in the absence of elevated privileges, discovery requires a user account which has enough privileges (read & execute) for WinRM remote management (WS-Man). Refer to the following Microsoft documentation for more information on user privileges @ https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections

The following actions are required to give the least read/execute privileges to non-admin users. These items are for reference only, and providing the privileges depends on the customer infrastructure environment.

  • Create a local / domain user service account

  • Add the user account (which is created for data collection) to the following local group.

“WinRMRemoteWMIUsers__” OR “Remote Management Users”

  • Configure execute, remote enable, read security, and enable account permissions for the Remote Management Users group on the root WMI namespace and subnamespaces.

  • Configure execute, remote enable, read security, and enable account permissions for the Remote Management Users group using scmanager command utility.

  • Provide explicit read/execute permissions to the user in the WinRM SDDL configuration. The following command helps to configure the privileges.

winrm configSDDL default
  • Provide explicit read/execute permissions to the user account (which is created for data collection) in the PowerShell session configuration. The following command helps to configure the privileges.

Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
  • Restart Windows Remote Management service (WS-Man)

Windows Commands used for data collection:

  • Windows OS System Inventory

systeminfo /fo csv
(Get-WmiObject -Class win32_computersystemproduct).UUID
Get-WmiObject -Class Win32_Processor | Select-Object -Property Manufacturer,Name,NumberOfCores,NumberOfLogicalProcessors,SocketDesignation,CurrentClockSpeed,SystemName,Status

BIOS Details:

$bios = @{}; 
(Get-WmiObject -Class win32_computersystemproduct | 
select IdentifyingNumber, SKUNumber, UUID, Vendor).psobject.properties | 
% {$bios.Add($_.Name, $_.Value)}; 
(Get-WmiObject -Class  win32_bios | 
select BIOSVersion, SerialNumber, ReleaseDate, Description, Manufacturer, Version).psobject.properties | 
% {$bios.Add($_.Name, $_.Value)}; new-object psobject -Property $bios
  • Windows Service & Process Inventory

Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_Service
  • Windows Application TCP/UDP Connections

netstat -ano
netstat -anob (Optional)
  • Windows Network Configuration

Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object -Property *
Get-WmiObject -Class Win32_NetworkAdapter | Select-Object -Property Index, NetConnectionStatus
  • Windows installed Software Applications

Get-WmiObject Win32_Product |select-object Name,Version,Description,InstallDate,InstallDate2,InstallLocation,InstallSource,ProductID,RegCompany,RegOwner,Vendor

Test WinRM Connection:

To verify the WinRM configuration, use the winrs.exe command, which tests the remote connection to the target Windows server using the WinRM protocol.

Below are sample commands to verify. If -p is omitted, winrs prompts for the password instead of taking it on the command line.

winrs -r:http://<Target_Win_IPaddress>:5985 -u:username -p:password hostname
winrs -r:https://<Target_Win_IPaddress>:5986 -u:username -p:password hostname

To verify access to WinRM port 5985 or 5986 from a remote Windows system:

Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5985
Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5986

Adding Microsoft Windows OS as Datasource/Extension in 'RDA':

The configuration of Microsoft Windows OS, or of any other datasource/extension, is done in RDA's user interface. Log in to RDA's user interface using a browser.

https://<rda-ip-address>:9998

Under 'Notebook', click on the 'CFXDX Python 3' box.

In the 'Notebook' command box, type botadmin() and press alt (or option) + Enter to open the datasource administration menu.

Click on 'Add' menu and under Type drop down, select windows-inventory

  • type: Datasource/Extension type. In this context, it is 'windows-inventory'

  • name: Datasource/Extension label which should be unique within the RDA

  • Hostname: IP Address / DNS name of Windows host

  • Username: Windows username

  • Password: Windows password

  • Port: 5985 / 5986

  • Transport Protocol: http / https

  • Auth Protocol: basic / ntlm / kerberos

  • Provider: wsman (default value)

The Hostname field is only used for a quick network access and authentication check against any one valid Windows Server host while adding windows-inventory as a datasource. For actual data collection from Windows servers, it expects an IP or IP subnet range as input at runtime. Please refer to the following sections for an example.

Click on 'Check Connectivity' to verify network access and the validity of the credentials. Once it is validated, click on the 'Add' button to add windows-inventory as a datasource.

Windows Server OS data exploration in 'RDA':

Once the Windows OS integration details are configured in RDA as a datasource, it is ready to connect to target Windows servers and explore the data for analysis.

For details on the Windows OS inventory data collection bots, refer to the CloudFabrix RDA Bot documentation.
