
5 security, Security concerns, Implementation – HP Insight Management WBEM Providers User Manual


5 Security

Security concerns

Users can increase security by switching from SNMP Agent-based server management to Insight
Provider-based server management. The HP Insight Management WBEM Providers for Windows®
use Windows-based authentication for local and remote access to server management data.

Implementation

The Insight Providers for Windows® are implemented as a set of WMI providers. The access control
is in the form of standard Windows® account level access restrictions.

An administrator account has sufficient rights and security group memberships to access the Insight
Providers management information for both local and remote access.

For a standard user account, there are two considerations for configuring security in order to access
WMI information from the Insight Providers:

WMI namespace security

Distributed COM Users group membership

A standard user account needs security configurations to remotely access the Insight Provider
management information on a remote server.

WMI namespace security settings govern access to WMI information. Windows user accounts can
be allowed or denied specific privileges per WMI namespace.

For more information on namespace security, see Access to WMI Namespaces (http://msdn2.microsoft.com/en-us/library/aa822575.aspx).

Only standard users who belong to the Distributed COM Users group can remotely connect to
WMI and access management information. Administrators are in this group by default.
Non-administrator users must be added to the Distributed COM Users group for remote WMI
connectivity.

For more information, see Connecting to WMI on a Remote Computer (http://msdn2.microsoft.com/en-us/library/aa389290.aspx).
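The two prerequisites described above can be checked for one account with a read-only audit. This is an added example, not taken from the HP manual; it assumes Windows PowerShell 5.1 run elevated on the managed server, and both the account name and the `$Namespace` value are supplied by the operator, because this page does not name the Insight Providers' namespace.

```powershell
# Added example (not from the HP manual): audit one account against the two
# prerequisites for remote WMI access, plus the non-administrator best practice.
param(
    [Parameter(Mandatory)] [string] $Account,    # e.g. 'EXAMPLE\svc-monitor' (constructed name)
    [Parameter(Mandatory)] [string] $Namespace   # provider namespace; assumption, not stated on the page
)

# WMI namespace access-mask bits: WBEM_ENABLE and WBEM_REMOTE_ACCESS
$EnableAccount = 0x1
$RemoteEnable  = 0x20

# Resolve the account name to a SID so comparisons do not depend on name format
$sid = ([Security.Principal.NTAccount]$Account).Translate(
        [Security.Principal.SecurityIdentifier]).Value

# Direct membership only; membership through a nested domain group is not resolved
function Test-LocalGroupMember([string] $GroupSid, [string] $MemberSid) {
    [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $MemberSid })
}

# Read the namespace security descriptor through the __SystemSecurity singleton
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}

# Combine the ACEs that name this account directly (AceType 0 = allow, 1 = deny);
# rights granted through a group the account belongs to are not evaluated here
[int64] $allow = 0
[int64] $deny  = 0
foreach ($ace in @($result.Descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $sid })) {
    if     ($ace.AceType -eq 0) { $allow = $allow -bor [int64]$ace.AccessMask }
    elseif ($ace.AceType -eq 1) { $deny  = $deny  -bor [int64]$ace.AccessMask }
}
$effective = $allow -band (-bnot $deny)

[pscustomobject]@{
    Account               = $Account
    InDistributedComUsers = Test-LocalGroupMember 'S-1-5-32-562' $sid   # BUILTIN\Distributed COM Users
    InAdministrators      = Test-LocalGroupMember 'S-1-5-32-544' $sid   # BUILTIN\Administrators
    NamespaceEnable       = [bool]($effective -band $EnableAccount)
    NamespaceRemoteEnable = [bool]($effective -band $RemoteEnable)
}
```

A monitoring account that follows the recommendations on this page shows `InDistributedComUsers` as true and `InAdministrators` as false; the two namespace flags are true only when the rights are granted to the account directly rather than through a group.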

Best practices

HP recommends using a low-privilege (non-administrator) user account to perform most read-only
management tasks. Certain Insight Provider functionality, such as rebooting the system,
requires an administrator-level account. For read-only tasks, the account does not need to be an
administrator of the managed system and does not need logon rights. HP recommends that the
domain administrator create a special-purpose domain account.

Configuring Insight Provider Security for a User Account using HP SIM Configure and Repair Agents

NOTE: When you must configure a non-administrator account on an x64 target server, verify
that the system is identified to HP SIM as a server and that it has the system subtype. For more
information, see the HP SIM help file.

The following procedure provides access rights to allow a standard user account to view most
management information. However, you must use an administrator account to perform some
management tasks such as rebooting a server.

To configure a domain or local user (non-administrator) account for remote management:
