Eu finalmente consegui contornar esse problema dando a um grupo do AD mais permissões sobre os serviços individuais. Dessa forma, a ferramenta de monitoramento pode controlar os serviços a serem monitorados, mas pelo menos não consegue interferir em nenhum outro processo em execução nas máquinas de destino. Eu usei o script PowerShell abaixo para realizar isso. Você teria que inserir seu próprio grupo do AD e modificar a lista de serviços do Windows para atender às suas necessidades. É possível executar esse tipo de script por meio da política de grupo e aplicá-lo a um grupo de servidores.
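function AddSDDL() {
    <#
    .SYNOPSIS
    Adds an allow ACE for one account to a service's security descriptor via sc.exe sdset.

    .DESCRIPTION
    Reads the current SDDL with "sc.exe sdshow", inserts "(A;;<mask>;;;<sid>)" at the end of
    the DACL (before the "S:" SACL section, or at the end when the descriptor has only a
    "D:" section) and writes it back with "sc.exe sdset". Descriptors that cannot be parsed
    safely, or in which the account already appears, are left untouched and reported so
    nothing is silently downgraded.

    .PARAMETER Username
    Account in DOMAIN\name form (a group works too). Resolved to a SID through NTAccount.

    .PARAMETER Service
    Service short name (not the display name), or "scmanager" for the Service Control
    Manager's own descriptor.

    .PARAMETER AccessMask
    SDDL rights string granted by the new ACE. The default "CCLCLORPRC" is the mask the
    script has always used: SERVICE_QUERY_CONFIG (CC), SERVICE_QUERY_STATUS (LC),
    SERVICE_INTERROGATE (LO), SERVICE_START (RP) and READ_CONTROL (RC). Note that RP is the
    start right; pass "CCLCLORC" if the account only needs to read service state.

    .OUTPUTS
    [bool] $true when sc.exe reported SUCCESS for the new descriptor, otherwise $false.
    #>
    Param(
        [Parameter(Mandatory=$True)]
        [string]$Username,
        [Parameter(Mandatory=$True)]
        [string]$Service,
        [string]$AccessMask = "CCLCLORPRC"
    )

    # "scmanager" is the SCM's own descriptor and is not listed by Get-Service.
    if ($Service -ne "scmanager") {
        $servicetest = Get-Service | Where-Object { $_.Name -eq $Service }
        if (!$servicetest) {
            Write-Host "Service $Service does not exist. Please supply the name and not the display name"
            return $false;
        }
    }

    # Resolve DOMAIN\name to a SID. Translate() throws on an unknown account instead of
    # returning $null, so the failure has to be caught rather than tested afterwards.
    $parts = $Username.Split("\")
    if ($parts.Count -ne 2) {
        Write-Host "User $Username must be given as DOMAIN\name"
        return $false;
    }
    $sid = $null
    try {
        $ntaccount = New-Object System.Security.Principal.NTAccount($parts[0], $parts[1])
        $sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).Value
    } catch {
        $sid = $null
    }
    if (!$sid) {
        Write-Host "User $Username cannot be resolved to a SID. Does the account exist?"
        return $false;
    }

    # Call sc.exe directly (no cmd /c layer) and collapse its output, which surrounds the
    # descriptor with blank lines, into one trimmed string.
    $sddl = ((& sc.exe sdshow $Service) -join "").Trim()
    if ($LASTEXITCODE -ne 0 -or !$sddl) {
        Write-Host "Could not read the SDDL of $Service (sc.exe returned $LASTEXITCODE): $sddl"
        return $false;
    }

    # Match the SID only as a complete trustee ("...;;;S-1-5-...)") so that a SID which
    # merely shares a prefix with the new one does not trigger the refusal.
    if ($sddl -match ([regex]::Escape($sid) + "\)")) {
        Write-Host "User $Username already has some sort of access in the SDDL. Remediate manually"
        return $false;
    }

    $ace = "(A;;$AccessMask;;;$sid)"
    if ($sddl -match "S:\(") {
        # DACL followed by a SACL: the new ACE goes at the end of the DACL.
        $sddl = $sddl -replace "S:\(", "${ace}S:("
    } elseif ($sddl.StartsWith("D:") -and $sddl.IndexOf(":", 2) -lt 0) {
        # Only a D: section: the DACL runs to the end of the string.
        $sddl += $ace
    } else {
        Write-Host "SDDL contains multiple description types like D: and A:, but not S:, remediate manually"
        return $false;
    }

    Write-Host "sc.exe sdset $Service $sddl"
    $sddlset = (& sc.exe sdset $Service $sddl) -join " "
    # sdset output is joined into a scalar first; -notlike on an array would filter instead of test.
    if ($LASTEXITCODE -ne 0 -or $sddlset -notlike "*SUCCESS*") {
        Write-Host "Permissions did not set"
        Write-Host "Full error: $sddlset"
        # A failed sdset must not be reported as a modification to the caller.
        return $false;
    }
    Write-Host "Permissions set successfully for $Username on $Service"
    return $true;
}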
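Clear-Host;

# Reference descriptors, for comparison with what "sc.exe sdshow" prints on your hosts:
# default 2012 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2012 R2 w32time: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
# default 2008 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2008 R2 w3svc: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# default 2008 R2 aspnet_state: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# with list content (LC), read all properties (RP) and read permissions (RC) for authenticated users: D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

# Group the monitoring tool authenticates as. Replace the placeholder with your own
# DOMAIN\group before running; as written it does not resolve to a SID and AddSDDL refuses it.
# Hoisted out of the loop: it is the same for every service.
$wmiGroup = "YOUR_DOMAN\AD_GROUP_FOR_WMI_MONITORING"

# Explicit list of services to expose, plus every installed service whose name contains
# "sql" or "ReportServer". The "*sql*" wildcard is broad and also picks up non-database
# services with "sql" in the name, so review the resulting list before applying.
$serviceNames = @("DHCPServer","TlntSvr","RpcSs","SamSs","DNS","Dnscache","LanmanWorkstation","Netlogon","Kdc","IsmServ","DFSR","W32Time","LanmanServer","WAS","aspnet_state","W3SVC","scmanager");
$serviceNames += Get-Service | Where-Object { $_.Name -like "*sql*" } | ForEach-Object { $_.Name };
$serviceNames += Get-Service | Where-Object { $_.Name -like "*ReportServer*" } | ForEach-Object { $_.Name };
# A service listed twice would make the second AddSDDL call refuse with "already has access".
$serviceNames = @($serviceNames | Select-Object -Unique);

foreach ($serviceName in $serviceNames) {
    Write-Host "SDDL of $serviceName before update: " -NoNewline;
    sc.exe sdshow $serviceName
    # AddSDDL only returns $true when sc.exe sdset reported SUCCESS.
    $modified = AddSDDL -Username $wmiGroup -Service $serviceName;
    if ($modified) {
        Write-Host "SDDL of $serviceName after update: " -NoNewline;
        sc.exe sdshow $serviceName
    }
}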