2 security, Implementation, Best practices – HP Integrity rx3600 Server User Manual


2 Security

Security is a major concern and one of the primary reasons to switch from SNMP Agent-based
server management to Insight Provider-based server management. The HP Insight Management
WBEM Providers for Windows use Windows-based authentication for local and remote access to
server management data.

Implementation

The Insight Providers for Windows are implemented as a set of Windows Management
Instrumentation (WMI) providers. The access control is in the form of standard Windows account
level access restrictions.

An administrator account has sufficient rights and security group memberships to access the Insight
Provider management information for both local and remote access.

For a standard user account, there are two considerations for configuring security in order to access
WMI information from the Insight Providers:

• WMI namespace security
• Distributed COM user group membership

A standard user account needs security configurations to remotely access the Insight Provider
management information on a remote server. For more information, see the Windows Server™
2008 R2 on HP Integrity Servers Installation Guide and Windows Server™ 2008 SP2 on HP
Integrity Servers Installation Guide.

WMI namespace security settings govern access to WMI information. Windows user accounts can
be allowed or denied specific privileges per WMI namespace.

For more information on namespace security, see Access to WMI Namespaces
(http://msdn2.microsoft.com/en-us/library/aa822575.aspx).

Only standard users who belong to the Distributed COM Users group can remotely connect to
WMI and access management information. Administrators are in this group by default.
Non-administrator users must be added to the Distributed COM Users group for remote WMI
connectivity. For more information on this topic, see Connecting to WMI on a Remote Computer
(http://msdn2.microsoft.com/en-us/library/aa389290.aspx).

Best Practices

Following the principle of least privilege, HP recommends that you use a low-rights
(non-administrator) user account to perform most read-only management tasks. This user does not
need to be an administrator of the managed system and does not need logon rights. HP recommends
that the domain administrator create a special-purpose domain account for this purpose. Certain
Insight Provider functionality, such as a method to reboot the system, always requires an
administrator-level account.
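A read-only audit of both settings for the low-rights account described above, as an added PowerShell example that is not part of the HP manual or HP's tooling. The namespace default is a placeholder (this page does not name the Insight Provider namespace), and treating Enable Account plus Remote Enable as the read-only baseline is an assumption.

```powershell
param(
    # Account to audit; defaults to the current user so the script runs as-is.
    [string]$Account   = "$env:USERDOMAIN\$env:USERNAME",
    # Placeholder: substitute the namespace the Insight Providers register.
    [string]$Namespace = 'root\cimv2'
)

# WMI namespace access-mask bits and their names in the WMI Control security dialog.
$Rights = @{ 0x1 = 'Enable Account'; 0x2 = 'Execute Methods'; 0x4 = 'Full Write'
             0x8 = 'Partial Write';  0x10 = 'Provider Write'; 0x20 = 'Remote Enable'
             0x20000 = 'Read Security'; 0x40000 = 'Edit Security' }
$Baseline = 0x1 -bor 0x20   # assumed minimum for remote read-only queries

$acctSid = (New-Object Security.Principal.NTAccount $Account).Translate(
    [Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership of Distributed COM Users (well-known SID S-1-5-32-562).
#    Membership inherited through nested domain groups is not resolved.
$dcomName = (New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-562').Translate(
    [Security.Principal.NTAccount]).Value.Split('\')[-1]
$inDcom = $false
foreach ($m in @(([ADSI]"WinNT://$env:COMPUTERNAME/$dcomName,group").psbase.Invoke('Members'))) {
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    if ((New-Object Security.Principal.SecurityIdentifier $bytes, 0).Value -eq $acctSid) { $inDcom = $true }
}

# 2. Namespace DACL: collect ACEs that name the account itself.
#    Rights reaching the account through group ACEs are not evaluated.
$sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
[long]$allow = 0; [long]$deny = 0
foreach ($ace in $sd.DACL) {
    if ($ace.Trustee.SIDString -ne $acctSid) { continue }
    if ($ace.AceType -eq 0) { $allow = $allow -bor $ace.AccessMask }      # access allowed
    elseif ($ace.AceType -eq 1) { $deny = $deny -bor $ace.AccessMask }    # access denied
}
$effective = $allow -band (-bnot $deny)

function Get-RightNames([long]$Mask) {   # mask -> comma-separated right names
    ($Rights.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $Rights[$_] }) -join ', '
}
New-Object PSObject -Property @{
    Account               = $Account
    Namespace             = $Namespace
    InDistributedComUsers = $inDcom
    GrantedToAccount      = Get-RightNames $effective
    MissingFromBaseline   = Get-RightNames ($Baseline -band (-bnot $effective))
    BeyondBaseline        = Get-RightNames ($effective -band (-bnot $Baseline))
}
```

Run it from an elevated session on the managed server, since reading the namespace security descriptor requires the Read Security right. A non-empty BeyondBaseline value for a monitoring account is the result to review against the least-privilege recommendation.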

Configuring Insight Provider Security for a User Account via the Windows® Command Line

The following procedure provides access rights to allow a standard user account to view most
management information. However, you must use an administrator account to perform some
management tasks, such as rebooting a server.

To configure a domain user or local user (non-administrator) account for remote management:

1. Open a Command Prompt window.

2. Change to the \Program Files\HPWBEM\Tools folder of the system drive.
