Microsoft Windows Server OS

Prerequisites:

CloudFabrix RDA provides out-of-the-box agent-less integration for inventory data collection from Microsoft Windows Server editions using the WinRM protocol. Using this integration, inventory data such as the Windows OS version, server make & model, running services and processes, and TCP/UDP network connections is collected.
Using RDA's integration with Windows Server OS, the two primary use cases below are supported and consumed within the CloudFabrix Asset Intelligence and AIOps platforms:
    Windows Server OS inventory &
    Application Dependency
Below are the prerequisites which need to be configured on the target Windows Server hosts. Because the collector authenticates to every target with the same account, treat that account and the WinRM listener as a sensitive surface: use HTTPS where possible and restrict which source addresses can reach the listener.
WinRM configuration:
CloudFabrix RDA supports WinRM over both HTTP and HTTPS, with Basic or NTLM authentication.
We recommend referring to the Microsoft documentation to configure WinRM over HTTP/HTTPS. The following configuration steps are for reference only.
Configure WinRM over HTTP:
    Open an elevated command shell on the Windows host and run the following command to enable WinRM with its default configuration (an HTTP listener on TCP 5985):
winrm quickconfig
    Make sure to allow WinRM TCP port 5985 in Windows Firewall if it is enabled; where possible, limit the rule to the RDA address rather than any source.
    The same configuration can be done from a PowerShell console by executing the following command:
Enable-PSRemoting -Force
Configure WinRM over HTTPS:
Microsoft has published detailed information on how to configure WinRM over HTTPS: How to configure WINRM for HTTPS - Windows Client | Microsoft Docs
    WinRM over HTTPS requires a server certificate whose CN matches the hostname that RDA connects to; for the connection to validate, the certificate must be issued by a CA that the RDA host trusts.
    Install/import the certificate (with its private key) into the Local Machine store under Certificates --> Personal --> Certificates.
    Open an elevated command shell and execute the following command. It creates the WinRM configuration and an HTTPS listener on TCP 5986:
winrm quickconfig -transport:https
    Modify WinRM configuration
The following parameters need to be modified apart from the default configuration.
    Add CloudFabrix RDA's IP address to the TrustedHosts parameter. A value of "*" accepts any host and should only be used in a lab. Note that TrustedHosts is a client-side setting: it controls which remote hosts the local WinRM client will send non-Kerberos credentials to, so keep it as narrow as possible. The following command modifies the TrustedHosts value:
winrm set winrm/config/client '@{TrustedHosts="<RDA_IPaddress>"}'
    Configure WinRM according to the authentication method. CloudFabrix RDA supports both Basic and NTLM. NTLM is carried by the Negotiate provider, so enable Negotiate; Kerberos can be enabled as well for domain-joined hosts.
winrm set winrm/config/service/auth '@{Negotiate="true"}'
winrm set winrm/config/service/auth '@{Kerberos="true"}'
Note: Basic authentication is disabled by default on the WinRM service and must be enabled separately (the Basic parameter under winrm/config/service/auth). If Basic is used over HTTP, the AllowUnencrypted parameter must also be set to 'true'. This sends the credentials and all collected data in cleartext on the network, so use Basic only over HTTPS (where AllowUnencrypted is not required) or prefer NTLM, which encrypts the message payload even over HTTP.
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    The CbtHardeningLevel value must be 'Relaxed' for this integration. Channel binding tokens tie the authentication to the TLS channel; 'Relaxed' also accepts clients that do not present one, which weakens protection against relayed credentials, so compensate by restricting which sources can reach TCP 5986.
winrm set winrm/config/service/auth '@{CbtHardeningLevel="relaxed"}'
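The HTTPS listener, authentication and TrustedHosts steps above, as one PowerShell script run in an elevated session on the target host. This is an added example, not CloudFabrix's own script; it assumes a hypothetical RDA collector address (10.95.134.10), a certificate already imported into the Local Machine Personal store, and uses the WSMan: drive equivalents of the winrm set commands above.

```powershell
# Added example (not CloudFabrix's script). Run elevated on the target Windows Server.
$RdaAddress = '10.95.134.10'   # ASSUMPTION: address of the RDA collector; replace with yours
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Pick the newest certificate in LocalMachine\My whose CN matches the host FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Fqdn found in LocalMachine\My" }

# 2. Enable the WinRM service and create an HTTPS listener on TCP 5986
Enable-PSRemoting -Force -SkipNetworkProfileCheck
$hasHttps = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $hasHttps) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -HostName $Fqdn -Force | Out-Null
}

# 3. Authentication: Negotiate (carries NTLM) and Kerberos on; Basic stays off.
Set-Item WSMan:\localhost\Service\Auth\Negotiate -Value $true
Set-Item WSMan:\localhost\Service\Auth\Kerberos  -Value $true
Set-Item WSMan:\localhost\Service\Auth\Basic     -Value $false
# AllowUnencrypted stays false: unnecessary over HTTPS, and over HTTP it would
# expose Basic credentials and every collected record in cleartext.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
# The integration requires Relaxed channel-binding hardening; it weakens CBT
# protection, so step 5 limits who can reach the listener at all.
Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value 'Relaxed'

# 4. TrustedHosts is a client-side list; restrict it to the collector instead of "*".
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $RdaAddress -Force

# 5. Firewall: allow TCP 5986 inbound only from the collector address
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (RDA)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (RDA)' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress $RdaAddress -Action Allow | Out-Null
}

Restart-Service WinRM
# Show the resulting listeners and auth settings for review
Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
```

If HTTP (port 5985) is also required, keep AllowUnencrypted false and use NTLM there; the quickconfig firewall rule it creates allows any source, so narrow it with -RemoteAddress in the same way as the HTTPS rule above.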
Configuring WinRM with Group Policy:
Please refer to Microsoft's documentation to configure WinRM using Group Policy; the same listener, authentication and firewall settings described above can be applied centrally to all target hosts.
Test WinRM Connection:
To verify the WinRM configuration, use the winrs.exe command, which tests the remote connection to the target Windows server over the WinRM protocol.
Below are sample commands to verify. Omitting -p makes winrs prompt for the password; passing it on the command line leaves it in the shell history and visible to other users in the process list.
winrs -r:http://<Target_Win_IPaddress>:5985 -u:username -p:password hostname
winrs -r:https://<Target_Win_IPaddress>:5986 -u:username -p:password hostname
To verify access to the WinRM port(s) 5985 or 5986 from a remote Windows system:
Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5985
Test-NetConnection -ComputerName "<Target_Win_IPaddress>" -Port 5986
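The same verification from a remote Windows machine (an admin workstation, for example) as a single PowerShell script. This is an added example, not part of the page or of CloudFabrix's tooling; it assumes a hypothetical target address (10.95.134.72), prompts for the collection account's password instead of putting it on the command line, and prefers the HTTPS listener when it is reachable.

```powershell
# Added example (not CloudFabrix's). Run from a Windows machine that can reach the target.
$Target = '10.95.134.72'   # ASSUMPTION: a target Windows server; replace with yours
$Cred   = Get-Credential -Message "Account used for RDA data collection on $Target"

# 1. TCP reachability of both listener ports
$open = @{}
foreach ($port in 5985, 5986) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $open[$port] = $tnc.TcpTestSucceeded
    '{0}:{1} TCP {2}' -f $Target, $port, $(if ($open[$port]) { 'open' } else { 'closed/filtered' })
}
if (-not ($open[5985] -or $open[5986])) { throw "No WinRM listener reachable on $Target" }

# 2. WS-Man identify and an authenticated call, over HTTPS when 5986 is open.
#    Negotiate carries NTLM; credentials are never sent in the clear this way.
$opts = @{
    ComputerName   = $Target
    Credential     = $Cred
    Authentication = 'Negotiate'
    UseSSL         = [bool]$open[5986]
}
Test-WSMan @opts | Select-Object ProductVendor, ProductVersion, ProtocolVersion

# 3. Run the same kind of query the inventory collection relies on
Invoke-Command @opts -ScriptBlock {
    [pscustomobject]@{
        Host    = hostname
        OS      = (Get-CimInstance Win32_OperatingSystem).Caption
        Model   = (Get-CimInstance Win32_ComputerSystem).Model
        RunAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
```

If the HTTPS step fails with a certificate error, the listener's certificate is not trusted by the client: fix the trust (import the issuing CA) rather than disabling checks with New-PSSessionOption -SkipCACheck outside a lab. The RunAs field confirms which identity the remote session actually runs under, which matters when testing a non-admin collection account.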
We recommend providing elevated (local administrator) privileges to the user account created for data collection (domain or local) for deep discovery. An administrator credential used across many hosts is a high-value target, so where elevated privileges are not available or not acceptable, discovery requires a user account with sufficient privileges (read & execute) for WinRM remote management (WS-Man). Refer to the following Microsoft documentation for more information on user privileges: https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections
The following actions are required to grant the least read/execute privileges to non-admin users. These items are for reference only; the exact privileges depend on the customer infrastructure environment.
    Add the user account (which is created for data collection) to one of the following local groups (Remote Management Users exists on Windows Server 2012 and later):
"WinRMRemoteWMIUsers__" or "Remote Management Users"
    Provide explicit read/execute permissions to the user in the WinRM SDDL configuration. The following command opens the dialog for configuring the privileges:
winrm configSDDL default
    Provide explicit read/execute permissions to the user account (which is created for data collection) in the PowerShell session configuration. The following command opens the dialog for configuring the privileges:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
    Restart the Windows Remote Management service (WS-Man).
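The three permission steps above, scripted so they can be applied without the UI dialogs and reviewed before use. This is an added example, not CloudFabrix's own script; it assumes a hypothetical collection account named CORP\svc-rda-inventory, and Add-ReadExecuteAce is a helper written here that appends an allow ACE for Read (GR) and Execute (GX) only, never Write or Full Control, to a WinRM SDDL string.

```powershell
# Added example (not CloudFabrix's). Run elevated on the target Windows Server.
$Account = 'CORP\svc-rda-inventory'   # ASSUMPTION: the data-collection account; replace with yours
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Local group membership: Remote Management Users (Server 2012+),
#    otherwise the older WinRMRemoteWMIUsers__ group
$group = if (Get-LocalGroup -Name 'Remote Management Users' -ErrorAction SilentlyContinue) {
    'Remote Management Users'
} else {
    'WinRMRemoteWMIUsers__'
}
if (-not (Get-LocalGroupMember -Group $group -Member $Account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $group -Member $Account
}

# 2. Helper: add "(A;;GXGR;;;<SID>)" to the DACL of an SDDL string, i.e. Read
#    (Get/Enumerate/Subscribe) + Execute (Invoke). The ACE goes before the
#    SACL ("S:") section; nothing else in the descriptor is touched.
function Add-ReadExecuteAce([string]$Sddl, [string]$Sid) {
    if ($Sddl -like "*;;;$Sid)*") { return $Sddl }   # an ACE for this SID already exists
    $ace = "(A;;GXGR;;;$Sid)"
    $i = $Sddl.IndexOf('S:')
    if ($i -lt 0) { return $Sddl + $ace }
    return $Sddl.Insert($i, $ace)
}

# 3. WinRM root SDDL (what "winrm configSDDL default" edits interactively)
$root = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
Set-Item WSMan:\localhost\Service\RootSDDL -Value (Add-ReadExecuteAce $root $sid) -Force

# 4. PowerShell session configuration (what -ShowSecurityDescriptorUI edits)
$cfg = Get-PSSessionConfiguration -Name Microsoft.PowerShell
Set-PSSessionConfiguration -Name Microsoft.PowerShell -Force `
    -SecurityDescriptorSddl (Add-ReadExecuteAce $cfg.SecurityDescriptorSddl $sid)

# 5. Restart WS-Man and print the resulting descriptors for review
Restart-Service WinRM
(Get-Item WSMan:\localhost\Service\RootSDDL).Value
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
```

Review the two printed descriptors before handing the account to the collector: the only ACE naming the new SID should carry GXGR. If the inventory bots read services, processes and connections through WMI, a non-admin account additionally needs Remote Enable and Enable Account on the root\cimv2 WMI namespace, which these WinRM-level steps do not grant.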

Adding Microsoft Windows OS as Datasource/Extension in 'RDA':

Microsoft Windows OS, like any other datasource/extension, is configured in RDA's user interface. Log in to RDA's user interface using a browser:
https://<rda-ip-address>:9998
Under 'Notebook', click on the 'CFXDX Python 3' box.
In the 'Notebook' command box, type botadmin() and press alt (or option) + Enter to open the datasource administration menu.
Click on the 'Add' menu and, under the Type drop-down, select windows-inventory.
    type: Datasource/Extension type. In this context, it is 'windows-inventory'
    name: Datasource/Extension label, which must be unique within the RDA
    Hostname: IP address / DNS name of a Windows host
    Username: Windows username of the data-collection account
    Password: Password of that account (stored by RDA; use a dedicated collection account rather than a personal or shared administrator login)
    Port: 5985 / 5986
    Transport Protocol: http / https (https recommended)
    Auth Protocol: basic / ntlm (basic over http requires AllowUnencrypted on the target and sends the credentials in cleartext; ntlm encrypts the payload even over http)
    Provider: wsman (default value)
The Hostname field is only used for a quick network access and authentication check against any one valid Windows server host while adding windows-inventory as a datasource. For actual data collection from Windows servers, RDA expects an IP or IP subnet range as input at runtime. Please refer to the following sections for an example.
Click on 'Check Connectivity' to verify network access and credential validity. Once validated, click on the 'Add' button to add windows-inventory as a datasource.

Windows Server OS data exploration in 'RDA':

Once the Windows OS integration details are configured in RDA as a datasource, RDA is ready to connect to the target Windows servers and explore the data for analysis.
    Run the command below within the RDA CLI to list the available 'Tags' or 'Bots' for the windows-inventory extension. In this example, the Windows extension is labelled 'win-inv', which is referenced within each applicable tag name.
Each listed 'tag' starts with a special character (i.e. *, # or @) which hints at the tag's filtering capability. For more information about them, please refer to "RDA Terminology".
> tags win-inv
or
> bots win-inv
Enter the sequence of RDA bot commands below to input one or more Windows server IPs and collect system information such as CPU, memory, OS version and BIOS UUID using the system-info bot:
> bot @dm:empty
@dm:empty> data --> @dm:addrow win_ip='10.95.134.72,10.95.134.75' --> @win-inv:system-info column_name='win_ip'
Below are the supported IP range formats:
192.168.10.10,192.168.10.11 or 192.168.10.10-192.168.10.100 or 192.168.10.0/24,192.168.11.0/24 or any combination of these formats as comma-separated values.
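A small PowerShell expander for the win_ip range formats listed above, so the number of hosts a discovery run will connect to (and authenticate to with the collection account) can be checked before the run is launched. This is an added example, not RDA's own parser; it assumes IPv4 only and that CIDR ranges exclude the network and broadcast addresses, which the page does not specify. The sample specification is constructed for the example.

```powershell
# Added example (not RDA's parser). Expands a win_ip specification into addresses.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network (big-endian) order
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Ip" }
    [Array]::Reverse($bytes)                                         # to host (little-endian) order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$N) {
    $bytes = [BitConverter]::GetBytes($N)
    [Array]::Reverse($bytes)
    return ($bytes -join '.')
}

function Expand-WinIpSpec ([string]$Spec) {
    $out = New-Object System.Collections.Generic.List[string]
    $items = $Spec -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($item in $items) {
        if ($item -match '^(?<ip>[\d.]+)/(?<len>\d{1,2})$') {
            # CIDR block: ASSUMPTION - network and broadcast addresses are skipped
            $m = $Matches
            $len = [int]$m.len
            if ($len -gt 32) { throw "bad prefix length: $item" }
            $base    = [uint64](ConvertTo-UInt32 $m.ip)
            $size    = [uint64][math]::Pow(2, 32 - $len)
            $network = $base - ($base % $size)
            $first = $network; $last = $network + $size - 1
            if ($size -gt 2) { $first++; $last-- }
            for ($n = $first; $n -le $last; $n++) { $out.Add((ConvertFrom-UInt32 ([uint32]$n))) }
        } elseif ($item -match '^(?<a>[\d.]+)-(?<b>[\d.]+)$') {
            # Inclusive start-end range
            $m = $Matches
            $a = ConvertTo-UInt32 $m.a; $b = ConvertTo-UInt32 $m.b
            if ($b -lt $a) { throw "range end before start: $item" }
            for ($n = [uint64]$a; $n -le $b; $n++) { $out.Add((ConvertFrom-UInt32 ([uint32]$n))) }
        } else {
            # Single address; Parse() rejects anything that is not an IP
            $out.Add((ConvertFrom-UInt32 (ConvertTo-UInt32 $item)))
        }
    }
    return $out
}

# Constructed sample mixing all three formats, as the text allows
$spec  = '192.168.10.10,192.168.10.11,192.168.10.10-192.168.10.100,192.168.10.0/24,192.168.11.0/24'
$hosts = Expand-WinIpSpec $spec | Select-Object -Unique
$batches = [math]::Ceiling($hosts.Count / 10)   # 10 = default concurrent_discovery
"Spec expands to $($hosts.Count) distinct hosts; about $batches rounds at concurrent_discovery=10"
$hosts | Select-Object -First 5
```

Overlapping entries (the single IPs and the range above both fall inside 192.168.10.0/24) are collapsed by Select-Object -Unique, so the printed count is the number of distinct servers the collection account will log on to.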
Run the bot commands below to view the supported parameters for each available bot for Windows data collection:
> bots win-inv
> bot @win-inv:system-info
    connect_timeout: Connection timeout while making a connection to the target Windows server using the WinRM protocol. The default value is 45 seconds; it is an optional parameter.
    cli_timeout: Windows CLI timeout while executing remotely on a target Windows server. The default value is 30 seconds; it is an optional parameter.
    column_name: All supported Windows bots are data sinks, and each Windows bot expects an IP address range column as input, e.g. column_name='win_ip' where win_ip is a column holding an IP address range or list. It is a mandatory parameter.
    concurrent_discovery: Total number of parallel data collection jobs connecting to Windows servers. It is an optional parameter; its default value is 10. Each job authenticates with the collection account, so a large value against many hosts produces a burst of logons that may trip account lockout or brute-force detections.
The above parameters are common to all supported Windows Server OS bots.