beautypg.com

Security, Security concerns, Implementation – HP Insight Management WBEM Providers User Manual

Page 18: Best practices, Security concerns implementation best practices

background image

Security 18

Security

Security concerns

Users can increase security by switching from SNMP Agent-based server management to Insight Provider-
based server management. The HP Insight Management WBEM Providers for Windows® use Windows-
based authentication for local and remote access to server management data.

Implementation

The Insight Providers for Windows® are implemented as a set of WMI providers. The access control is in
the form of standard Windows® account level access restrictions.
An administrator account has sufficient rights and security group memberships to access the Insight
Providers management information for both local and remote access.
For a standard user account, there are two considerations for configuring security in order to access WMI
information from the Insight Providers:

WMI namespace security

Distributed COM Users group membership

A standard user account needs security configurations to remotely access the Insight Provider
management information on a remote server. For more information, see Security Requirements for the
Insight Providers (on page

10

).

WMI namespace security settings govern access to WMI information. Windows user accounts can be
allowed or denied specific privileges per WMI namespace.
For more information on namespace security, see Access to WMI Namespaces
(

http://msdn2.microsoft.com/en-us/library/aa822575.aspx

).

Only standard users who belong to the Distributed COM Users group can remotely connect to WMI and
access management information. Administrators are in this group by default. Non-administrator users must
be added to the Distributed COM Users group for remote WMI connectivity.
For more information, see Connecting to WMI on a Remote Computer (

http://msdn2.microsoft.com/en-

us/library/aa389290.aspx

).

Best practices

HP recommends using a low-level rights user account (non-administrator) to perform most read-only
management tasks. Use of certain Insight Provider functionality, such as rebooting the system, requires an
administrator-level account. The user does not need to be an administrator of the managed system and
does not need logon rights. HP recommends that the domain administrator creates a special purpose
domain account.

See also other documents in the category HP Software: