least privilege account for WinRM remote calls on Windows 2008 Server

Posted by aldrin on Server Fault
Published on 2010-03-18T18:04:56Z Indexed on 2010/03/18 18:11 UTC

ServerFault Windows experts: please consider the following use case:

  1. I have 2 Windows 2008 Server SP2 boxes; let's call them SOURCE and CLIENT.
  2. On SOURCE: I create a new user called 'normal'. Just a plain user - no special privileges.
  3. On CLIENT: I run the following from a command prompt:
     winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:normal -p:NormalPassword
  4. I get an output containing WSManFault: Message = Access is denied.
  5. On CLIENT: I repeat step 3 with the administrator identity, i.e.
     winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:Administrator -p:AdminPassword
  6. I get the current UTC time at SOURCE.

The question is: what are the least privileges I need to assign to the user 'normal' to ensure that Step 3 behaves like Step 5? In other words, what's the least privilege to enable WinRM access for a non-Admin account?
