I have been trying to get a remote list of running Windows processes, including their CommandLine / ExecutablePath properties, via WMI as a non-administrator domain user for a monitoring tool. I have successfully obtained a process list using the answer below, but the CommandLine property is always empty.
[What permissions does a user need for WMI access on a remote machine?]
Granting the "Debug programs" user right in the Local Security Policy allows access to the CommandLine / ExecutablePath information. But then the monitoring user account could intrude into processes rather than only querying information about them. Is there a lesser user right or some other way to unlock the CommandLine information? I have been testing with the wmic tool arguments shown below.
wmic /node:"servername" /user:username /password:password process get name,commandline,executablepath
Thanks in advance for any insight you can give me.
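As an added example (not part of the question above), here is a PowerShell version of the query that the wmic line runs, using Get-CimInstance against Win32_Process, plus a small summary that counts how many returned processes have an empty CommandLine. Running it as the monitoring account before and after a permission change shows whether the change actually exposes the property. $Server and $Credential are placeholders you supply; the sample array at the end is constructed so the summary function can be exercised without a remote host.

```powershell
# Added example, not code from the question: query Win32_Process remotely the way the
# wmic command does and summarize which processes come back without CommandLine /
# ExecutablePath, so the effect of a permission change can be verified.

function Get-ProcessVisibilitySummary {
    param([Parameter(Mandatory)][object[]]$Processes)
    $visible = @($Processes | Where-Object { -not [string]::IsNullOrEmpty($_.CommandLine) })
    $hidden  = @($Processes | Where-Object { [string]::IsNullOrEmpty($_.CommandLine) })
    [pscustomobject]@{
        Total              = $Processes.Count
        WithCommandLine    = $visible.Count
        WithoutCommandLine = $hidden.Count
        # Names of processes whose command line the querying account could not read.
        HiddenNames        = (($hidden | ForEach-Object { $_.Name } | Sort-Object -Unique) -join ', ')
    }
}

function Test-RemoteProcessVisibility {
    param(
        [Parameter(Mandatory)][string]$Server,          # placeholder: target host name
        [Parameter(Mandatory)][pscredential]$Credential # placeholder: the monitoring account
    )
    # Same class and properties as the wmic query, over a CIM session.
    $session = New-CimSession -ComputerName $Server -Credential $Credential
    try {
        $procs = Get-CimInstance -CimSession $session -ClassName Win32_Process `
                                 -Property Name, CommandLine, ExecutablePath
        Get-ProcessVisibilitySummary -Processes $procs
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Constructed sample resembling what a non-administrator account may get back:
# CommandLine populated only for processes it is allowed to open.
$sample = @(
    [pscustomobject]@{ Name = 'svchost.exe';     CommandLine = $null; ExecutablePath = $null },
    [pscustomobject]@{ Name = 'w3wp.exe';        CommandLine = $null; ExecutablePath = $null },
    [pscustomobject]@{ Name = 'powershell.exe';  CommandLine = 'powershell.exe -NoProfile';
                       ExecutablePath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
)
Get-ProcessVisibilitySummary -Processes $sample

# Against a real host (placeholders):
# Test-RemoteProcessVisibility -Server 'servername' -Credential (Get-Credential)
```

Compare the WithoutCommandLine count between runs as the monitoring account and as an administrator: the difference is the set of processes the account is not allowed to open, which is the gap the question is about.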
I finally managed to solve this by giving the AD group more permissions on individual services. This way the monitoring tool might be able to control the services it monitors, but at least it cannot intrude into any process running on the target machine. I have used the PowerShell script below to achieve this. You will have to enter your own AD group and modify the list of Windows services to fit your needs. This kind of script could be run via Group Policy and applied to a set of servers.
function AddSDDL() {
    Param(
        [Parameter(Mandatory=$True)] [string]$Username,
        [Parameter(Mandatory=$True)] [string]$Service
    )

    # The service must exist (scmanager is the service control manager itself, not a service).
    $servicetest = Get-Service | where {$_.name -eq "$service"}
    if (!$servicetest -and $service -ne "scmanager") {
        Write-Host "Service $service does not exist. Please supply the name and not the display name"
        return $false;
    }

    # Resolve DOMAIN\name to a SID; the SDDL ACE needs the SID, not the name.
    $domain = ($username.split("\"))[0]
    $user = ($username.split("\"))[1]
    $ntaccount = New-Object System.Security.Principal.NTAccount($domain,$user)
    $sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).value
    if (!$sid) {
        Write-Host "User $username cannot be resolved to a SID. Does the account exist?"
        return $false;
    }

    # Read the current security descriptor and refuse to touch it if the SID is already present.
    $sddl = [string](cmd /c "sc.exe sdshow $service");
    if ($sddl -match $sid) {
        Write-Host "User $username already has some sort of access in the SDDL. Remediate manually"
        return $false;
    }

    # Insert the new allow ACE at the end of the DACL (just before the SACL if there is one).
    if($sddl -match "S:\(") {
        $sddl = $sddl -replace "S:\(","(A;;CCLCLORPRC;;;$sid)S:("
    } elseif($sddl -match "D:" -and $sddl.LastIndexOf(":") -lt 3) {
        $sddl += "(A;;CCLCLORPRC;;;$sid)";
    } else {
        Write-Host "SDDL contains multiple description types like D: and A:, but not S:, remediate manually"
        return $false;
    }

    $sddlCommand = "sc.exe sdset $service $sddl";
    Write-Host($sddlCommand);
    $sddlset = cmd /c $sddlCommand
    if ($sddlset -notlike "*SUCCESS*") {
        Write-Host "Permissions did not set"
        Write-Host "Full error: $sddlset"
    } else {
        Write-Host "Permissions set successfully for $username on $service"
    }
    return $true;
}

clear;

# default 2012 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2012 R2 w32time: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
# default 2008 R2 scmanager: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
# default 2008 R2 w3svc: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# default 2008 R2 aspnet_state: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# with list content (LC), read all properties (RP) and read permissions (RC) for authenticated users: D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

# Services the monitoring group is granted access to; adjust to your environment.
$serviceNames = @("DHCPServer","TlntSvr","RpcSs","SamSs","DNS","Dnscache","LanmanWorkstation","Netlogon","Kdc","IsmServ","DFSR","W32Time","LanmanServer","WAS","aspnet_state","W3SVC","scmanager");
$serviceNames += Get-Service | Where-Object{$_.Name -like "*sql*"} | ForEach-Object{$_.Name};
$serviceNames += Get-Service | Where-Object{$_.Name -like "*ReportServer*"} | ForEach-Object{$_.Name};

foreach($serviceName in $serviceNames) {
    Write-Host("SDDL of $serviceName before update: ") -NoNewline;
    sc.exe sdshow $serviceName
    $wmiGroup = "YOUR_DOMAIN\AD_GROUP_FOR_WMI_MONITORING"
    $modified = AddSDDL -Username $wmiGroup -Service $serviceName;
    if($modified) {
        Write-Host("SDDL of $serviceName after update: ") -NoNewline;
        sc.exe sdshow $serviceName
    }
}
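As an added example that is not part of the answer above, the following PowerShell decodes a service SDDL string into the service-specific rights each ACE grants, so that an entry such as `(A;;CCLCLORPRC;;;<sid>)` can be reviewed before `sc.exe sdset` writes it. In a service security descriptor the two-letter codes denote the service access rights (CC = SERVICE_QUERY_CONFIG, LC = SERVICE_QUERY_STATUS, LO = SERVICE_INTERROGATE, RP = SERVICE_START, WP = SERVICE_STOP, DC = SERVICE_CHANGE_CONFIG, and so on), so the ACE the script adds carries the start right alongside the query rights, which is the service control the answer mentions. The default descriptor strings quoted in the answer's comments serve as sample input; $MonitorSid is a constructed placeholder.

```powershell
# Added example, not code from the answer: decode a service SDDL into per-trustee
# service rights so a proposed ACE can be reviewed before sc.exe sdset applies it.
# Sample SDDL strings are the defaults quoted in the answer; $MonitorSid is constructed.

# Service access rights keyed by their SDDL two-letter code, as documented for the
# service control manager (SD/RC/WD/WO are the standard rights).
$ServiceRights = [ordered]@{
    CC = @{ Mask = 0x00000001; Name = 'SERVICE_QUERY_CONFIG' }
    DC = @{ Mask = 0x00000002; Name = 'SERVICE_CHANGE_CONFIG' }
    LC = @{ Mask = 0x00000004; Name = 'SERVICE_QUERY_STATUS' }
    SW = @{ Mask = 0x00000008; Name = 'SERVICE_ENUMERATE_DEPENDENTS' }
    RP = @{ Mask = 0x00000010; Name = 'SERVICE_START' }
    WP = @{ Mask = 0x00000020; Name = 'SERVICE_STOP' }
    DT = @{ Mask = 0x00000040; Name = 'SERVICE_PAUSE_CONTINUE' }
    LO = @{ Mask = 0x00000080; Name = 'SERVICE_INTERROGATE' }
    CR = @{ Mask = 0x00000100; Name = 'SERVICE_USER_DEFINED_CONTROL' }
    SD = @{ Mask = 0x00010000; Name = 'DELETE' }
    RC = @{ Mask = 0x00020000; Name = 'READ_CONTROL' }
    WD = @{ Mask = 0x00040000; Name = 'WRITE_DAC' }
    WO = @{ Mask = 0x00080000; Name = 'WRITE_OWNER' }
}

# Rights that change a service's state, configuration or security rather than read it.
$ControlRights = 'DC', 'RP', 'WP', 'DT', 'CR', 'SD', 'WD', 'WO'

function Get-ServiceSddlRights {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses SDDL, including the two-letter SID aliases (AU, BA, SY, ...).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $codes = @($ServiceRights.Keys | Where-Object { ($ace.AccessMask -band $ServiceRights[$_].Mask) -ne 0 })
        [pscustomobject]@{
            Trustee    = $ace.SecurityIdentifier.Value
            AceType    = $ace.AceType
            Codes      = ($codes -join '')
            Rights     = (($codes | ForEach-Object { $ServiceRights[$_].Name }) -join ', ')
            CanControl = [bool]($codes | Where-Object { $ControlRights -contains $_ })
        }
    }
}

function Test-MonitoringAce {
    # Builds the ACE the answer's script would add for $Sid and reports whether it is query-only.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [string]$RightsCode = 'CCLCLORPRC'   # the rights string used by the answer's script
    )
    $proposed = $Sddl -replace 'S:\(', "(A;;$RightsCode;;;$Sid)S:("
    if ($proposed -eq $Sddl) { $proposed += "(A;;$RightsCode;;;$Sid)" }   # no SACL: append to DACL
    $ace = Get-ServiceSddlRights -Sddl $proposed | Where-Object { $_.Trustee -eq $Sid }
    [pscustomobject]@{
        Sid       = $Sid
        Codes     = $ace.Codes
        Rights    = $ace.Rights
        QueryOnly = -not $ace.CanControl
    }
}

# Constructed placeholder SID for the monitoring group.
$MonitorSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'

# Default 2012 R2 w32time descriptor as quoted in the answer (it has no SACL part).
$w32time = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)'

Get-ServiceSddlRights -Sddl $w32time | Format-Table -AutoSize

# The answer's ACE includes RP (SERVICE_START), so QueryOnly is False;
# CCLCLORC is the same ACE without the start right.
Test-MonitoringAce -Sddl $w32time -Sid $MonitorSid
Test-MonitoringAce -Sddl $w32time -Sid $MonitorSid -RightsCode 'CCLCLORC'
```

Whether a particular monitoring tool still works against Win32_Service with the start right removed is something to test in your environment; the decoder only makes visible what each ACE hands out.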
Here they suggest the following solution using WmiSecurity:
WmiSecurity.exe /C="%computername%" /A /N=Root/CIMV2 /M=" DOMAIN\USER:REMOTEACCESS" /R
Alternatively, you can use the built-in utility, as shown here.
But I think neither of these solutions can restrict access to process information.