least privilege account for WinRM remote calls on Windows 2008 Server
Posted
by aldrin
on Server Fault
See other posts from Server Fault
or by aldrin
Published on 2010-03-18T18:04:56Z
Indexed on
2010/03/18
18:11 UTC
Read the original article
Hit count: 1353
ServerFault Windows experts: please consider the following use case:
- I have 2 Windows 2008 Server SP2 boxes let’s call them – SOURCE, CLIENT.
- On SOURCE: I create a new user called 'normal'. Just a plain user - no special privileges.
- On CLIENT: I run the following from a command prompt
winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:normal -p:NormalPassword
- I get an output containing
WSManFault: Message = Access is denied.
- On CLIENT: I repeat step 3 with the administrator identity, i.e.
winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:Administrator -p:AdminPassword
- I get the current UTC time at SOURCE.
The question is, what are the least privileges I need to assign to the user 'normal' to ensure that Step 3 behaves like Step 5. In other words, what's the least privilege to enable WinRM access for a non-Admin account?
© Server Fault or respective owner