# Microsoft Windows Server OS

## Prerequisites:

CloudFabrix RDA provides out of the box agent-less integration for inventory data collection from Microsoft Windows server editions using WinRM protocol. Using this integration, inventory data like Windows OS version, server make & model, running services and processes and TCP/UDP network connections will be collected.

Using RDA's integration with Windows Server OS, below are the two primary use cases that are supported and consumed within the CloudFabrix Asset Intelligence and AIOps platforms.

* Windows Server OS inventory &
* Application Dependency

Below are the prerequisites which need to be configured on the target Windows Server hosts.

* PowerShell 3.0 or above
* Operating system: Windows 2008 & R2, Windows 2012 & R2, Windows 2016 or above
* Configure WinRM for remote management (refer WinRM configuration section)
* WinRM Out of Memory hotfix is recommended - when running on PowerShell v3.0, there is a bug in the WinRM service that limits the amount of memory available to WinRM. See KB2842230 (["Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed (microsoft.com)](https://support.microsoft.com/en-us/topic/-out-of-memory-error-on-a-computer-that-has-a-customized-maxmemorypershellmb-quota-set-and-has-wmf-3-0-installed-9700d191-0033-d0c9-fb80-9761bbc1ab03)). Without this fix on the host, RDA may fail to execute certain commands on the target host.
* User Credentials (refer required user credentials section)

**WinRM configuration:**

CloudFabrix supports WinRM over both HTTP and HTTPS, with Basic or NTLM authentication.

{% hint style="info" %}
We recommend referring to the Microsoft document to configure WinRM over HTTP/HTTPS. The following configuration steps are for reference only.
{% endhint %}

**Configure WinRM over HTTP:**

* Open a command shell in Windows and run the following command to quickly enable WinRM with the default configuration:

```
winrm quickconfig
```

* Make sure to allow WinRM TCP port 5985 in Windows Firewall if it is enabled.
* The same configuration can be done from a PowerShell console with the following command:

```
Enable-PSRemoting -force
```

**Configure WinRM over HTTPS:**

{% hint style="info" %}
Microsoft has published detailed information on how to configure WinRM over HTTPS @ [How to configure WINRM for HTTPS - Windows Client | Microsoft Docs](https://docs.microsoft.com/en-US/troubleshoot/windows-client/system-management-components/configure-winrm-for-https)
{% endhint %}

* WinRM over HTTPS requires a certificate whose CN matches the hostname.
* Install/import the certificate on the Windows host under Certificate --> Personal --> Certificates.
* Open a command shell and execute the following command. It creates the WinRM configuration and the HTTPS listener:

```
winrm quickconfig -transport:https
```

* Modify the WinRM configuration

The following parameters need to be modified in addition to the default configuration.

* Add CloudFabrix RDA's IP address to the TrustedHosts parameter, or use "\*" to accept remote connections from any source. The following command sets the TrustedHosts value:

```
winrm set winrm/config/client '@{TrustedHosts="*"}'
```

* Configure WinRM for the authentication method in use. CloudFabrix supports both Basic and NTLM:

```
winrm set winrm/config/service/auth '@{Negotiate="true"}'
```

```
winrm set winrm/config/service/auth '@{Kerberos="true"}'
```

{% hint style="info" %}
Note: to use the '**Basic**' auth method, the '**AllowUnencrypted**' parameter value must be set to '**true**':
{% endhint %}

```
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
```

* The CbtHardeningLevel value should be 'Relaxed':

```
winrm set winrm/config/service/auth '@{CbtHardeningLevel="relaxed"}'
```
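The settings above are easy to set and hard to see again afterwards. The following script is an added example (not CloudFabrix's or Microsoft's code) that reads the WinRM service configuration back through the `WSMan:` provider, checks the HTTPS listener's certificate against the hostname, and reports the combinations worth reviewing, such as Basic with AllowUnencrypted on an HTTP listener. It assumes it is run elevated on the target host.

```powershell
#Requires -RunAsAdministrator
# Added example: read back the WinRM settings changed in this section and list the
# combinations a defender should review. Uses the WSMan: provider (PowerShell 3.0+).
function Get-WinRmPosture {
    $svc = 'WSMan:\localhost\Service'
    $findings = New-Object System.Collections.Generic.List[string]

    # Each listener is a container whose child items are name/value settings
    $listeners = foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $h = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $h[$_.Name] = $_.Value }
        [pscustomobject]@{ Transport = $h.Transport; Port = $h.Port; Thumbprint = $h.CertificateThumbprint }
    }
    $basic     = (Get-Item "$svc\Auth\Basic").Value -eq 'true'
    $unencrypt = (Get-Item "$svc\AllowUnencrypted").Value -eq 'true'
    $cbt       = (Get-Item "$svc\Auth\CbtHardeningLevel").Value
    $trusted   = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $http  = @($listeners | Where-Object Transport -eq 'HTTP')
    $https = @($listeners | Where-Object Transport -eq 'HTTPS')

    if ($unencrypt -and $http.Count) {
        $findings.Add('AllowUnencrypted=true with an HTTP listener: Basic credentials and payloads can cross the network in clear text; point RDA at the HTTPS listener or use NTLM/Kerberos.')
    }
    if ($basic -and -not $https.Count) { $findings.Add('Basic auth is enabled but no HTTPS listener exists.') }
    if ($trusted -eq '*')   { $findings.Add('TrustedHosts="*": the local WinRM client trusts any remote endpoint; scope it to the RDA address.') }
    if ($cbt -eq 'relaxed') { $findings.Add('CbtHardeningLevel=relaxed: channel binding is checked only when the client sends a token.') }

    # For HTTPS, confirm the bound certificate exists, matches the hostname and is not expired
    foreach ($l in $https) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $l.Thumbprint
        if (-not $cert) { $findings.Add("HTTPS listener references thumbprint $($l.Thumbprint) that is not in LocalMachine\My."); continue }
        $cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $names = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
        if ($names -notcontains $cn) { $findings.Add("HTTPS certificate CN '$cn' does not match the hostname ($($names -join ', ')).") }
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("HTTPS certificate expired on $($cert.NotAfter).") }
    }
    [pscustomobject]@{
        Listeners = $listeners; BasicAuth = $basic; AllowUnencrypted = $unencrypt
        CbtHardeningLevel = $cbt; TrustedHosts = $trusted; Findings = $findings.ToArray()
    }
}
Get-WinRmPosture | Format-List
```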

**Configuring WinRM with Group Policy:**

Please refer to the Microsoft document on how to [configure WinRM using Group Policies.](https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management)

{% hint style="info" %}
We recommend granting elevated or local administrator privileges to the user account (domain or local) created for data collection, for deep discovery. In the absence of elevated privileges, discovery requires a user account with sufficient privileges (read & execute) for WinRM remote management (WS-Man). Refer to the following Microsoft documentation for more information on user privileges @ <https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections>
{% endhint %}

The following actions grant the minimum read/execute privileges to **non-admin** users. They are for reference only; how the privileges are granted depends on the customer's infrastructure environment.

* Create a local / domain user service account
* Add the user account (which is created for data collection) to one of the following local groups:

“**WinRMRemoteWMIUsers\_\_**”   OR “**Remote Management Users**”

* Configure execute, remote enable, read security, and enable account permissions for the **Remote Management Users** group on the root WMI namespace and subnamespaces.

![](https://2978683539-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LhoMVYxiQlKXh6OxX98%2Fuploads%2FXbvK8DZk874KWDIqeyMK%2FScreen%20Shot%202022-05-10%20at%2011.57.16%20AM.png?alt=media\&token=bfe03b0a-9f6d-4eba-a08a-4ec08918d032)

![](https://2978683539-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LhoMVYxiQlKXh6OxX98%2Fuploads%2FwcWPBIP3PioZrJbVUVS6%2FScreen%20Shot%202022-05-10%20at%2011.58.51%20AM.png?alt=media\&token=538b9f11-65cd-4adc-84a3-0d210e9d7240)

![](https://2978683539-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LhoMVYxiQlKXh6OxX98%2Fuploads%2FQHP7XwQVAdWoPUosmZVi%2FScreen%20Shot%202022-05-10%20at%2012.00.43%20PM.png?alt=media\&token=1ed793a5-78fa-48b2-aeea-2245b3b13add)

* Configure execute, remote enable, read security, and enable account permissions for the **Remote Management Users** group using the **scmanager** command utility.
* Provide explicit read/execute permissions to the user in the WinRM SDDL configuration. The following command opens the privilege configuration:

```
winrm configSDDL default
```

* Provide explicit read/execute permissions to the user account (which is created for data collection) in the PowerShell session configuration. The following command opens the privilege configuration:

```
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
```

* Restart Windows Remote Management service (WS-Man)
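The steps above are clicked through in two permission dialogs. As an added example (not CloudFabrix's or Microsoft's code), the script below performs the account creation, group membership, session-configuration rights and service restart in PowerShell so the result is repeatable and reviewable; the account name is an assumed placeholder, and the `*-LocalUser`/`*-LocalGroupMember` cmdlets assume Windows Server 2016 or later (use `net user`/`net localgroup` on older hosts). WMI namespace permissions are left to the dialog shown above.

```powershell
#Requires -RunAsAdministrator
# Added example: provision a non-admin collection account with the least
# WinRM / PowerShell-remoting rights this section lists.
$AccountName = 'rda-collector'     # assumed name of the collection service account
$Password    = Read-Host -AsSecureString "Password for $AccountName"

# 1. Local service account (skip this step when a domain account is used instead)
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
                  -Description 'RDA inventory collection (non-admin)' | Out-Null
}

# 2. Membership of the built-in group that WinRM trusts for remote management
$Group = 'Remote Management Users'
if (-not (Get-LocalGroupMember -Group $Group -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $Group -Member $AccountName
}

# 3. Read (GR) + Execute (GX) on the default PowerShell session configuration: the same
#    rights the -ShowSecurityDescriptorUI dialog grants, applied as an explicit SDDL ACE
$Sid  = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$Sddl = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
if ($Sddl -notlike "*;;;$Sid)*") {
    $Ace = "(A;;GXGR;;;$Sid)"
    # Keep the ACE inside the DACL: insert it before the SACL ('S:...') when one is present
    $Sddl = if ($Sddl -match '^(?<dacl>.*?)(?<sacl>S:[A-Z]*\(.*)$') { $Matches.dacl + $Ace + $Matches.sacl } else { $Sddl + $Ace }
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $Sddl -Force
}

# 4. Restart WS-Man so the new descriptor takes effect
Restart-Service WinRM
```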

### **Windows Commands used for data collection:**

* Windows OS System Inventory

```
systeminfo /fo csv
(Get-WmiObject -Class win32_computersystemproduct).UUID
Get-WmiObject -Class Win32_Processor | Select-Object -Property Manufacturer,Name,NumberOfCores,NumberOfLogicalProcessors,SocketDesignation,CurrentClockSpeed,SystemName,Status

# BIOS details: merge the computer-system-product and BIOS properties into one object
$bios = @{};
(Get-WmiObject -Class win32_computersystemproduct |
select IdentifyingNumber, SKUNumber, UUID, Vendor).psobject.properties |
% {$bios.Add($_.Name, $_.Value)};
(Get-WmiObject -Class win32_bios |
select BIOSVersion, SerialNumber, ReleaseDate, Description, Manufacturer, Version).psobject.properties |
% {$bios.Add($_.Name, $_.Value)}; new-object psobject -Property $bios
```

* Windows Service & Process Inventory

```
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_Service
```

* Windows Application TCP/UDP Connections

```
netstat -ano
REM optional: -b adds the executable name for each connection and requires an elevated shell
netstat -anob
```

* Windows Network Configuration

```
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object -Property *
Get-WmiObject -Class Win32_NetworkAdapter | Select-Object -Property Index, NetConnectionStatus
```

* Windows installed Software Applications

```
Get-WmiObject Win32_Product |select-object Name,Version,Description,InstallDate,InstallDate2,InstallLocation,InstallSource,ProductID,RegCompany,RegOwner,Vendor
```
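The commands above are what RDA runs to build the Application Dependency view. The following script is an added example (not CloudFabrix's bot code) of how that data fits together: it runs the process and connection commands on a target over WinRM, parses the `netstat -ano` text (TCP with state, UDP without, IPv4 and bracketed IPv6), and joins each established connection to the owning process by PID. The target, credential, port and auth values are placeholders mirroring the datasource fields in the next section.

```powershell
# Added example: parse `netstat -ano` output into objects. The regex makes the
# state column optional because UDP rows have none.
function ConvertFrom-NetstatAno {
    param([string[]]$Lines)
    $rx = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$'
    foreach ($line in $Lines) {
        if (-not ($line -match $rx)) { continue }      # skips header and blank lines
        $l = $Matches[2]; $r = $Matches[3]
        [pscustomobject]@{
            Proto      = $Matches[1]
            LocalAddr  = $l.Substring(0, $l.LastIndexOf(':'))
            LocalPort  = $l.Substring($l.LastIndexOf(':') + 1)
            RemoteAddr = $r.Substring(0, $r.LastIndexOf(':'))
            RemotePort = $r.Substring($r.LastIndexOf(':') + 1)
            State      = $Matches[4]
            OwnerPid   = [int]$Matches[5]
        }
    }
}

# Run the process and connection commands on the target over WinRM and join them:
# every ESTABLISHED TCP connection becomes an edge from a named local process to a remote endpoint.
function Get-AppDependencyEdges {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 5986, [switch]$UseSSL,
        [ValidateSet('Basic','Negotiate','Kerberos')][string]$Authentication = 'Negotiate'
    )
    # Connecting by IP address with Basic/Negotiate requires the collector's own
    # WinRM client to list the target in its TrustedHosts.
    $raw = Invoke-Command -ComputerName $ComputerName -Credential $Credential -Port $Port `
                          -UseSSL:$UseSSL -Authentication $Authentication -ScriptBlock {
        @{ Netstat = @(netstat -ano)
           Procs   = @(Get-WmiObject -Class Win32_Process | Select-Object ProcessId, Name, ExecutablePath) }
    }
    $byPid = @{}
    foreach ($p in $raw.Procs) { $byPid[[int]$p.ProcessId] = $p }
    ConvertFrom-NetstatAno $raw.Netstat | Where-Object State -eq 'ESTABLISHED' | ForEach-Object {
        $proc = $byPid[$_.OwnerPid]
        [pscustomobject]@{
            Host = $ComputerName; Process = $proc.Name; Exe = $proc.ExecutablePath; OwnerPid = $_.OwnerPid
            LocalPort = $_.LocalPort; RemoteAddr = $_.RemoteAddr; RemotePort = $_.RemotePort
        }
    }
}
# Usage (placeholder target): Get-AppDependencyEdges -ComputerName 10.0.0.5 -Credential (Get-Credential) -UseSSL | Format-Table
```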

**Test WinRM Connection:**

To verify the WinRM configuration, use the `winrs.exe` command, which tests the remote connection to the target Windows server over the WinRM protocol.

Below are the sample commands to verify:

```
winrs -r:http://<Target_Win_IPaddress>:5985 -u:username -p:password hostname
winrs -r:https://<Target_Win_IPaddress>:5986 -u:username -p:password hostname
```

To verify that WinRM port 5985 or 5986 is reachable from a remote Windows system:

```
Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5985
Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5986
```
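When a connectivity check fails it helps to know which layer failed: the port, the WS-Man authentication, or command execution. The function below is an added example (not CloudFabrix's or Microsoft's code) that runs those three stages in order with the same transport and auth choices the datasource accepts and returns one result object; the target and credential are placeholders, and `Test-NetConnection` assumes Windows Server 2012 or later.

```powershell
# Added example: staged WinRM reachability check (TCP port -> WS-Man identify -> remote command).
function Test-WinRmTarget {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [ValidateSet('http','https')][string]$Transport = 'https',
        [ValidateSet('Basic','Negotiate','Kerberos')][string]$Authentication = 'Negotiate'
    )
    $useSsl = $Transport -eq 'https'
    $port   = if ($useSsl) { 5986 } else { 5985 }
    $result = [ordered]@{
        Target = "${Transport}://${ComputerName}:${port}"
        PortOpen = $false; WsManIdentify = $false; RemoteHostname = $null; Error = $null
    }
    try {
        # 1. Raw TCP reachability: firewall rule and listener present
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result.PortOpen = $tcp.TcpTestSucceeded
        if (-not $result.PortOpen) { throw "TCP port $port is not reachable" }

        # 2. WS-Man Identify with the collection credential: exercises TLS and the auth method
        $id = Test-WSMan -ComputerName $ComputerName -Port $port -UseSSL:$useSsl `
                         -Credential $Credential -Authentication $Authentication -ErrorAction Stop
        $result.WsManIdentify = [bool]$id.ProductVersion

        # 3. A real remote command, the equivalent of `winrs ... hostname`
        $result.RemoteHostname = Invoke-Command -ComputerName $ComputerName -Port $port -UseSSL:$useSsl `
                                   -Credential $Credential -Authentication $Authentication `
                                   -ScriptBlock { hostname } -ErrorAction Stop
    } catch {
        # The first failing stage leaves the later fields at their defaults
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
# Usage (placeholder target): Test-WinRmTarget -ComputerName 10.0.0.5 -Credential (Get-Credential) -Transport https
```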

## Adding Microsoft Windows OS as Datasource/Extension in '**RDA**': <a href="#adding-appdynamics-as-datasource" id="adding-appdynamics-as-datasource"></a>

Microsoft Windows OS, like any other datasource/extension, is configured in RDA's user interface. Log in to RDA's user interface using a browser:

**https\://\<rda-ip-address>:9998**

Under '**Notebook**', click on '**CFXDX Python 3**' box

![](https://2978683539-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhoMVYxiQlKXh6OxX98%2F-McvHoBvh7w9qGIU_z-A%2F-McvJao2W2zwuMV05Ek3%2FScreen%20Shot%202021-06-23%20at%205.01.23%20PM.png?alt=media\&token=1aa15ba1-6465-4c67-9cc8-ac4ed66f895f)

In the '**Notebook**' command box, type **`botadmin()`** and **`alt (or option) + Enter`** to open datasource administration menu.

Click on '**Add**' menu and under **Type** drop down, select **`windows-inventory`**

![](https://2978683539-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhoMVYxiQlKXh6OxX98%2F-Mjeogoi0w-sdaKaoHYg%2F-MjfJCmenKC2MiDK7VWi%2FScreen%20Shot%202021-09-15%20at%202.15.27%20PM.png?alt=media\&token=de390f1f-b80b-446e-bf83-cb3e1aa2bf45)

* **type**: Datasource/Extension type. In this context, it is '**windows-inventory**'
* **name**: Datasource/Extension label which should be unique within the RDA
* **Hostname:** IP Address / DNS name of Windows host
* **Username:** Windows username
* **Password:** Windows password
* **Port**: 5985 / 5986
* **Transport Protocol**: http / https
* **Auth Protocol**: basic / ntlm / kerberos
* **Provider:** wsman (default value)

{% hint style="info" %}
The **Hostname** field is only used for a quick network access and authentication check against any one valid Windows server host while adding `windows-inventory` as a datasource. For the actual data collection from Windows servers, an IP or IP subnet range is expected as input at runtime. Please refer to the following sections for an example.
{% endhint %}

Click on '**Check Connectivity**' to verify network access and credential validity. Once it is validated, click on the '**Add**' button to add `windows-inventory` as a datasource.

## Windows Server OS data exploration in '**RDA**': <a href="#adding-appdynamics-as-datasource" id="adding-appdynamics-as-datasource"></a>

Once the Windows OS integration details are configured in RDA as a datasource, it is ready to connect to the target Windows servers and explore the data for analysis.

For the details on Windows OS inventory data collection bots, refer [**CloudFabrix RDA Bot documentation.**](https://bot-docs.cloudfabrix.io/Bots/windows-inventory/)
