Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 5.3.2 External Systems Configuration Guide
    5.3.2
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Microsoft Windows Server

    Microsoft Windows Server

    Supported OS

    • Windows 2003
    • Windows 2008 and 2008 R2
    • Windows 2012 and 2012 R2
    • Windows 2016
    • Windows 2019

    What is Discovered and Monitored

    Metrics in bold are unique to Microsoft Windows Server monitoring.

    Installed Software Monitored via SNMP

    Although information about installed software is available via both SNMP and WMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class - see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.

    Winexe execution and its effect

    FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes

    1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
    2. HyperV Performance Monitoring
    3. Windows Custom performance monitoring – to run a command (e.g. powershell) remotely on windows systems

    Note: Running the winexe command remotely will automatically install the winexesvc command on the windows server.

    Protocol

    Information Discovered

    Metrics collected

    Used for
    SNMP Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down, Performance Monitoring
    SNMP Vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell Hardware module status - fan, power supply, thermal status, battery, disk, memory . Currently supported vendors include HP and Dell

    WMI Win32_ComputerSystem: Host name, OS Win32_WindowsProductActivation: OS Serial Number Win32_OperatingSystem: Memory, Uptime Win32_BIOS: Bios Win32_Processor: CPU Win32_LogicalDisk: Disk info Win32_NetworkAdapterConfiguration: network interface Win32_Service: Services Win32_Process: Running processes Win32_QuickFixEngineering: Installed Patches Win32_OperatingSystem: Uptime Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics Win32_LogicalDisk: Disk space utilization Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization Win32_Service: Running process uptime, start/stop status Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization Performance Monitoring
    WMI

    		Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    Snare agent Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    Correlog agent Security, Application and System Event Logs ncluding logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    FortiSIEM Agent Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring Security and Compliance

    Event Types

    In ADMIN > Device Support > Event, search for "windows server" in the Description column to see the event types associated with this application or device.

    Rules

    In RESOURCE > Rules, search for "windows server" in the Name column to see the rules associated with this application or device.

    Reports

    In RESOURCE > Reports , search for "windows server" in the Name column to see the reports associated with this application or device.

    Configuration

    WinRM Configurations

    WinRM is used for some FortiSIEM Remediation actions. If Windows Remediation actions are not used in FortiSIEM, this configuration step is not required.

    Enable WinRM and set authentication

    Use the commands below to enable WinRM and set authentication on the target Windows Servers:

    1. To configure Windows Server:

      winrm quickconfig

      winrm set winrm/config/service/auth ‘@{Basic="true"}’

      winrm set winrm/config/service ‘@{AllowUnencrypted="true"}’

      winrm enumerate winrm/config/listener

      Notes:

      • If HTTPS is not enabled, then open Windows PowerShell console as an administrator, and run the following commands.

      New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint received by New-Self Signed Certificate>"}

      winrm quickconfig -transport:https

      winrm enumerate winrm/config/listener

      • Single quotes are needed for Windows 2016 and later.

    2. To configure FortiSIEM Client (Super or Collector):

      pip install pywinrm

    SNMP Configurations
    Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019

    SNMP is typically enabled by default on Windows Server 2012R2, Server 2016, and Server 2019. But you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First, you should check that SNMP Services have been enabled for your server.

    1. Log in to the Windows 2016 Server where you want to enable SNMP as an administrator.
    2. In the Start menu, select Control Panel.
    3. Under Programs, click Turn Windows features on/off.
    4. The Add Roles and Features Wizard will open automatically.
    5. Select Role-based or feature-based installation. Click Next until the Features option appears.
    6. Under Features, see if SNMP Services is installed.

      If not, check the checkbox before the SNMP Service and click Next to install the service.

    7. From the Start menu, select Services. Go to Services > SNMP Services.
    8. Select and open SNMP Service.
    9. Click the Security tab.
    10. Select Send authentication trap.
    11. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    12. Select Accept SNMP packets from these hosts.
    13. Click Add.
    14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    15. Click Add.
    16. Click Apply.
    17. Under SNMP Service, click Restart service.
    Enabling SNMP on Windows 7 or Windows Server 2008 R2

    SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

    1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
    2. In the Start menu, select Control Panel.
    3. Under Programs, click Turn Windows features on/off.
    4. Under Features, see if SNMP Services is installed.
      If not, click Add Feature, then select SMNP Service and click Next to install the service.
    5. In the Server Manager window, go to Services > SNMP Services.
    6. Select and open SNMP Service.
    7. Click the Security tab.
    8. Select Send authentication trap.
    9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    10. Select Accept SNMP packets from these hosts.
    11. Click Add.
    12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    13. Click Add.
    14. Click Apply.
    15. Under SNMP Service, click Restart service.
    Enabling SNMP on Windows Server 2003

    SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for your device.

    1. In the Start menu, go to Administrative Tools > Services.
    2. Go to Control Panel > Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. Select Management and Monitoring Tools and click Details.
      Make sure that Simple Network Management Tool is selected.
      If it isn't selected, select it, and then click Next to install.
    5. Go to Start > Administrative Tools > Services.
    6. Select and open SNMP Service.
    7. Click the Security tab.
    8. Select Send authentication trap.
    9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    10. Select Accept SNMP packets from these hosts.
    11. Click Add.
    12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    13. Click Add.
    14. Click Apply.
    15. Under SNMP Service, click Restart service.
    WMI Configurations
    WMI Configuration for Windows 2012, 2012R2, 2016, 2019

    To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:

    Creating a Generic User Who Does Not Belong to the Local Administrator Group

    Log in to the machine you want to monitor with an administrator account.

    Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
    2. Right-click Users and select New User.
    3. Create a user.
    4. Select this user and right-click to select Properties > Member of tab.
    5. Click Add > Advanced > Find Now.
    6. Select and add the following groups:

      Note: To select multiple groups, hold down the CTRL key and click the desired groups.

      • Distributed COM Users group.
      • Performance Monitor Users group.
      • Remote Desktop Users group.
    7. Click OK to save.
    Step 2. Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer.
    2. Right-click My Computer, and then Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    5. Click OK.
    6. Under Access Permissions, click Edit Default.
    7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    8. Click OK.
    9. Under Launch and Activation Permissions, click Edit Limits.
    10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. Click OK.
    12. Under Launch and Activation Permissions, click Edit Defaults.
    13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    14. Click OK.
    Step 3. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.
    Step 4. Configuring Log Monitoring for Non-Administrative User

    To configure the non-administrative user to monitor windows event logs, follow the steps below:

    1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
    2. Right-click the non-admin user and select Properties.
    3. Select the Member of tab.
    4. Select the group Event Log Reader and click Add.
    5. Click Apply.
    6. Click OK to complete the configuration.
    7. The following groups should be applied to the user:
      • Distributed COM Users
      • Domain Users
      • Event Log Reader
    Creating a User Who Belongs to the Domain Administrator Group

    Log in to the Domain Controller with an administrator account.

    Step 1. Enable remote WMI requests by adding a Monitoring Account to the Domain Administrators Group
    1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
    2. Right-click Users and select New > User.
    3. Create a user for the @accelops.com domain.

      For example, YJTEST@accelops.com.

    4. Right-click Domain Admins in Users and select Properties.
    5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
    6. Click Advanced > Find Now, add the Administrator and the user which you created in Step 3.
    7. Click OK to close the User select dialog
    8. Click OK to close the Domain Admins Properties dialog.
    Step 2. Enable the Monitoring Account to Access the Monitored Device

    Log in to the machine you want to monitor with an administrator account.

    Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then select Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    5. Click OK.
    6. In the COM Security tab, under Access Permissions, click Edit Defaults.
    7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    8. Click OK.
    9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
    10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    11. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
    12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    13. Click OK.
    Enable Account Privileges in WMI

    The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
    2. Select WMI Control, and then right-click and select Properties.
    3. Select the Security tab.
    4. Expand the Root directory and select CIMV2.
    5. Click Security.
    6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. If the user isn ot present, then click Add to add the user you created.
    7. Click Advanced.
    8. Select the user you created for the monitoring account, and then click Edit.
    9. In the Applies onto menu, select This namespace and subnamespaces.
    10. Click OK to close the Permission Entry for CIMV2 dialog.
    11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
    12. In the left-hand navigation, under Services and Applications, select Services.
    13. Select Windows Management Instrumentation, and then click Restart.
    Allow WMI through Windows Firewall (Windows Server 2012, 2016 and 2019)
    1. Go to Control Panel > Windows Firewall.
    2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
    3. Select Windows Management Instrumentation, and the click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
    Differences Between Administrator and Non-Administrator Account

    Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

    WMI Class Administrator Non-Administrator
    Win32_BIOS Yes No
    Win32_ComputerSystem Yes Yes
    Win32_LogicalDisk Yes No
    Win32_NetworkAdapter Yes Yes
    Win32_NetworkAdapterConfiguration Yes Yes
    Win32_NTLogEvent Yes Yes
    Win32_OperatingSystem Yes Yes
    Win32_Process Yes Yes
    Win32_Processor Yes Yes
    Win32_Product Yes Yes
    Win32_QuickFixEngineering Yes No
    Win32_Service Yes No
    Win32_UserAccount Yes No
    win32_Volume Yes Yes
    Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes
    Win32_PerfFormattedData_DNS_DNS Yes Yes
    Win32_PerfFormattedData_W3SVC_WebService Yes Yes
    Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes
    Win32_PerfRawData_NTDS_NTDS Yes Yes
    Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes
    Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes
    Win32_PerfRawData_PerfOS_Memory Yes Yes
    Win32_PerfRawData_PerfOS_PagingFile Yes Yes
    Win32_PerfRawData_PerfOS_Processor Yes Yes
    Win32_PerfRawData_PerfProc_Process Yes Yes
    Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes
    WMI Configurations for Windows 2008 and 2008R2

    To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:

    Creating a Generic User Who Does Not Belong to the Local Administrator Group

    Log in to the machine you want to monitor with an administrator account.

    Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
    2. Right-click Users and select New User.
    3. Create a user.
    4. Select this user and right-click to select Properties > Member of tab.
    5. Select Distributed COM Users and click Add.
    6. Click OK to save.
      This is the account you must use to set up the Performance Monitor Users group permissions.
    7. Repeat steps 4 through 6 for the Performance Monitor Users group.
    Step 2. Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    5. Click OK.
    6. Under Access Permissions, click EditDefault.
    7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    8. Click OK.
    9. Under Launch and Activation Permissions, click Edit Limits.
    10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. Click OK.
    12. Under Launch and Activation Permissions, click Edit Defaults.
    13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

    See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

    Configuring Log Monitoring for Non-Administrative User

    To configure the non-administrative user to monitor windows event logs, follow the steps below:

    1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
    2. Right-click the non-admin user and select Properties.
    3. Select the Member of tab.
    4. Select the group Event Log Reader and click Add.
    5. Click Apply.
    6. Click OK to complete the configuration.

    The following groups should be applied to the user:

    • Distributed COM Users
    • Domain Users
    • Event Log Reader
    Creating a User Who Belongs to the Domain Administrator Group

    Log in to the Domain Controller with an administrator account.

    Step 1. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group
    1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
    2. Right-click Users and select Add User.
    3. Create a user for the @accelops.com domain.
      For example, YJTEST@accelops.com.
    4. Go to Groups, right-click Administrators, and then click Add to Group.
    5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
    6. For Enter the object names to select, enter the user you created in step 3.
    7. Click OK to close the Domain Admins Properties dialog.
    8. Click OK.
    Step 2. Enable the Monitoring Account to Access the Monitored Device

    Log in to the machine you want to monitor with an administrator account.

    Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then select Properties.
    3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
    4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    5. Click OK.
    6. In the Com Security tab, under Access Permissions, click Edit Defaults.
    7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    8. Click OK.
    9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
    10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
    12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    Enable Account Privileges in WMI

    The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
    2. Select WMI Control, and then right-click and select Properties.
    3. Select the Security tab.
    4. Expand the Root directory and select CIMV2.
    5. Click Security.
    6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
    7. Click Advanced.
    8. Select the user you created for the monitoring account, and then click Edit.
    9. In the Apply onto menu, select This namespace and subnamespaces.
    10. Click OK to close the Permission Entry for CIMV2 dialog.
    11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
    12. In the left-hand navigation, under Services and Applications, select Services.
    13. Select Windows Management Instrumentation, and then click Restart.
    Allow WMI to Connect Through the Windows Firewall (Windows 2003)
    1. In the Start menu, select Run.
    2. Run gpedit.msc.
    3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
    4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
    5. Select Windows Firewall: Allow remote administration exception.
    6. Run cmd.exe and enter these commands:
      netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
    7. Restart the server.
    Allow WMI through Windows Firewall (Windows Server 2008, 2012)
    1. Go to Control Panel > Windows Firewall.
    2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
    3. Select Windows Management Instrumentation, and the click OK.You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
    Differences Between Administrator and Non-Administrator Account

    Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

    WMI Class Administrator Non-Administrator
    Win32_BIOS Yes No
    Win32_ComputerSystem Yes Yes
    Win32_LogicalDisk Yes No
    Win32_NetworkAdapter Yes Yes
    Win32_NetworkAdapterConfiguration Yes Yes
    Win32_NTLogEvent Yes Yes
    Win32_OperatingSystem Yes Yes
    Win32_Process Yes Yes
    Win32_Processor Yes Yes
    Win32_Product Yes Yes
    Win32_QuickFixEngineering Yes No
    Win32_Service Yes No
    Win32_UserAccount Yes No
    win32_Volume Yes Yes
    Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes
    Win32_PerfFormattedData_DNS_DNS Yes Yes
    Win32_PerfFormattedData_W3SVC_WebService Yes Yes
    Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes
    Win32_PerfRawData_NTDS_NTDS Yes Yes
    Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes
    Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes
    Win32_PerfRawData_PerfOS_Memory Yes Yes
    Win32_PerfRawData_PerfOS_PagingFile Yes Yes
    Win32_PerfRawData_PerfOS_Processor Yes Yes
    Win32_PerfRawData_PerfProc_Process Yes Yes
    Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes
    Windows Agent Configurations

    For information on configuring Windows Agent, see Windows Agent Installation Guide.

    Syslog Configurations

    See the Windows Agent Installation Guide for information on configuring the sending of syslogs from your device to FortiSIEM.

    Sample Windows Server Syslog

    <108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: weighalll-admin
    Configuring the Security Audit Logging Policy

    Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM.

    1. Log in the machine where you want to configure the policy as an administrator.
    2. Go to Programs > Administrative Tools > Local Security Policy.
    3. Expand Local Policies and select Audit Policy.
      You will see the current security audit settings.
    4. Selet a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

      5. Policy Description Settings
      Audit account logon events and Audit logon events For auditing logon activity Select Success and Failure
      Audit object access events For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy. Select Success and Failure
      Audit system events Includes system up/down messages
    Configuring the File Auditing Policy

    When you enable the policy to audit object access events, you also must specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

    1. Log in the machine where you want to set the policy with administrator privileges.
      On a domain computer, a Domain administrator account is needed
    2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
    3. In the Security tab, click Advanced.
    4. Select the Auditing tab, and then click Add.
      This button is labeled Edit in Windows 2008.
    5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
    6. Click OK when you are done adding users.
    7. In the Permissions tab, set the permissions for each user you added.

    The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.

    Setting Access Credentials

    SNMP, Telnet, and SSH Access Credentials for All Devices

    See Access Credentials.

    LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol LDAP / LDAPS / LDAP Start TLS
    Used For OpenLDAP
    Server Port 389 for LDAP, LDAP Start TLS; 636 for LDAPS
    Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
    Password Config See Password Configuration
    User Name For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
    Password Password of the user able to access this system

    LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol LDAP / LDAPS / LDAP Start TLS
    Used For Microsoft Active Directory
    Server Port 389 for LDAP, LDAP Start TLS; 636 for LDAPS
    Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
    NetBIOS/Domain The domain name or NetBIOS name attribute
    Password Config See Password Configuration
    User Name For Microsoft Active Directory, the user name can be just the login name.
    Password Password of the user able to access this system

    WMI Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol WMI
    Pull Interval 1 minute
    NetBIOS/Domain The domain name or NetBIOS name attribute
    Password Config See Password Configuration
    User Name Name of the user able to access this system
    Password Password of the user able to access this system
    Previous
    Next

    Microsoft Windows Server

    Microsoft Windows Server

    Supported OS

    • Windows 2003
    • Windows 2008 and 2008 R2
    • Windows 2012 and 2012 R2
    • Windows 2016
    • Windows 2019

    What is Discovered and Monitored

    Metrics in bold are unique to Microsoft Windows Server monitoring.

    Installed Software Monitored via SNMP

    Although information about installed software is available via both SNMP and WMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class - see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.

    Winexe execution and its effect

    FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes

    1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
    2. HyperV Performance Monitoring
    3. Windows Custom performance monitoring – to run a command (e.g. powershell) remotely on windows systems

    Note: Running the winexe command remotely will automatically install the winexesvc command on the windows server.

    Protocol

    Information Discovered

    Metrics collected

    Used for
    SNMP Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down, Performance Monitoring
    SNMP Vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell Hardware module status - fan, power supply, thermal status, battery, disk, memory . Currently supported vendors include HP and Dell

    WMI Win32_ComputerSystem: Host name, OS Win32_WindowsProductActivation: OS Serial Number Win32_OperatingSystem: Memory, Uptime Win32_BIOS: Bios Win32_Processor: CPU Win32_LogicalDisk: Disk info Win32_NetworkAdapterConfiguration: network interface Win32_Service: Services Win32_Process: Running processes Win32_QuickFixEngineering: Installed Patches Win32_OperatingSystem: Uptime Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics Win32_LogicalDisk: Disk space utilization Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization Win32_Service: Running process uptime, start/stop status Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization Performance Monitoring
    WMI

    		Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    Snare agent Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    Correlog agent Security, Application and System Event Logs ncluding logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
    FortiSIEM Agent Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring Security and Compliance

    Event Types

    In ADMIN > Device Support > Event, search for "windows server" in the Description column to see the event types associated with this application or device.

    Rules

    In RESOURCE > Rules, search for "windows server" in the Name column to see the rules associated with this application or device.

    Reports

    In RESOURCE > Reports , search for "windows server" in the Name column to see the reports associated with this application or device.

    Configuration

    WinRM Configurations

    WinRM is used for some FortiSIEM Remediation actions. If Windows Remediation actions are not used in FortiSIEM, this configuration step is not required.

    Enable WinRM and set authentication

    Use the commands below to enable WinRM and set authentication on the target Windows Servers:

    1. To configure Windows Server:

      winrm quickconfig

      winrm set winrm/config/service/auth ‘@{Basic="true"}’

      winrm set winrm/config/service ‘@{AllowUnencrypted="true"}’

      winrm enumerate winrm/config/listener

      Notes:

      • If HTTPS is not enabled, then open Windows PowerShell console as an administrator, and run the following commands.

      New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint received by New-Self Signed Certificate>"}

      winrm quickconfig -transport:https

      winrm enumerate winrm/config/listener

      • Single quotes are needed for Windows 2016 and later.

    2. To configure FortiSIEM Client (Super or Collector):

      pip install pywinrm

    SNMP Configurations
    Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019

    SNMP is typically enabled by default on Windows Server 2012R2, Server 2016, and Server 2019. But you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First, you should check that SNMP Services have been enabled for your server.

    1. Log in to the Windows 2016 Server where you want to enable SNMP as an administrator.
    2. In the Start menu, select Control Panel.
    3. Under Programs, click Turn Windows features on/off.
    4. The Add Roles and Features Wizard will open automatically.
    5. Select Role-based or feature-based installation. Click Next until the Features option appears.
    6. Under Features, see if SNMP Services is installed.

      If not, check the checkbox before the SNMP Service and click Next to install the service.

    7. From the Start menu, select Services. Go to Services > SNMP Services.
    8. Select and open SNMP Service.
    9. Click the Security tab.
    10. Select Send authentication trap.
    11. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    12. Select Accept SNMP packets from these hosts.
    13. Click Add.
    14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    15. Click Add.
    16. Click Apply.
    17. Under SNMP Service, click Restart service.
    Enabling SNMP on Windows 7 or Windows Server 2008 R2

    SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

    1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
    2. In the Start menu, select Control Panel.
    3. Under Programs, click Turn Windows features on/off.
    4. Under Features, see if SNMP Services is installed.
      If not, click Add Feature, then select SMNP Service and click Next to install the service.
    5. In the Server Manager window, go to Services > SNMP Services.
    6. Select and open SNMP Service.
    7. Click the Security tab.
    8. Select Send authentication trap.
    9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    10. Select Accept SNMP packets from these hosts.
    11. Click Add.
    12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    13. Click Add.
    14. Click Apply.
    15. Under SNMP Service, click Restart service.
    Enabling SNMP on Windows Server 2003

    SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for your device.

    1. In the Start menu, go to Administrative Tools > Services.
    2. Go to Control Panel > Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. Select Management and Monitoring Tools and click Details.
      Make sure that Simple Network Management Tool is selected.
      If it isn't selected, select it, and then click Next to install.
    5. Go to Start > Administrative Tools > Services.
    6. Select and open SNMP Service.
    7. Click the Security tab.
    8. Select Send authentication trap.
    9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
    10. Select Accept SNMP packets from these hosts.
    11. Click Add.
    12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
    13. Click Add.
    14. Click Apply.
    15. Under SNMP Service, click Restart service.
    WMI Configurations
    WMI Configuration for Windows 2012, 2012R2, 2016, 2019

    To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:

    Creating a Generic User Who Does Not Belong to the Local Administrator Group

    Log in to the machine you want to monitor with an administrator account.

    Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
    2. Right-click Users and select New User.
    3. Create a user.
    4. Select this user and right-click to select Properties > Member of tab.
    5. Click Add > Advanced > Find Now.
    6. Select and add the following groups:

      Note: To select multiple groups, hold down the CTRL key and click the desired groups.

      • Distributed COM Users group.
      • Performance Monitor Users group.
      • Remote Desktop Users group.
    7. Click OK to save.
    Step 2. Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer.
    2. Right-click My Computer, and then Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    5. Click OK.
    6. Under Access Permissions, click Edit Default.
    7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    8. Click OK.
    9. Under Launch and Activation Permissions, click Edit Limits.
    10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. Click OK.
    12. Under Launch and Activation Permissions, click Edit Defaults.
    13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    14. Click OK.
    Step 3. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.
    Step 4. Configuring Log Monitoring for Non-Administrative User

    To configure the non-administrative user to monitor windows event logs, follow the steps below:

    1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
    2. Right-click the non-admin user and select Properties.
    3. Select the Member of tab.
    4. Select the group Event Log Reader and click Add.
    5. Click Apply.
    6. Click OK to complete the configuration.
    7. The following groups should be applied to the user:
      • Distributed COM Users
      • Domain Users
      • Event Log Reader
    Creating a User Who Belongs to the Domain Administrator Group

    Log in to the Domain Controller with an administrator account.

    Step 1. Enable remote WMI requests by adding a Monitoring Account to the Domain Administrators Group
    1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
    2. Right-click Users and select New > User.
    3. Create a user for the @accelops.com domain.

      For example, YJTEST@accelops.com.

    4. Right-click Domain Admins in Users and select Properties.
    5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
    6. Click Advanced > Find Now, add the Administrator and the user which you created in Step 3.
    7. Click OK to close the User select dialog
    8. Click OK to close the Domain Admins Properties dialog.
    Step 2. Enable the Monitoring Account to Access the Monitored Device

    Log in to the machine you want to monitor with an administrator account.

    Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then select Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    5. Click OK.
    6. In the COM Security tab, under Access Permissions, click Edit Defaults.
    7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    8. Click OK.
    9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
    10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    11. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
    12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
    13. Click OK.
    Enable Account Privileges in WMI

    The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
    2. Select WMI Control, and then right-click and select Properties.
    3. Select the Security tab.
    4. Expand the Root directory and select CIMV2.
    5. Click Security.
    6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. If the user isn ot present, then click Add to add the user you created.
    7. Click Advanced.
    8. Select the user you created for the monitoring account, and then click Edit.
    9. In the Applies onto menu, select This namespace and subnamespaces.
    10. Click OK to close the Permission Entry for CIMV2 dialog.
    11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
    12. In the left-hand navigation, under Services and Applications, select Services.
    13. Select Windows Management Instrumentation, and then click Restart.
    Allow WMI through Windows Firewall (Windows Server 2012, 2016 and 2019)
    1. Go to Control Panel > Windows Firewall.
    2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
    3. Select Windows Management Instrumentation, and the click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
    Differences Between Administrator and Non-Administrator Account

    Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

    WMI Class Administrator Non-Administrator
    Win32_BIOS Yes No
    Win32_ComputerSystem Yes Yes
    Win32_LogicalDisk Yes No
    Win32_NetworkAdapter Yes Yes
    Win32_NetworkAdapterConfiguration Yes Yes
    Win32_NTLogEvent Yes Yes
    Win32_OperatingSystem Yes Yes
    Win32_Process Yes Yes
    Win32_Processor Yes Yes
    Win32_Product Yes Yes
    Win32_QuickFixEngineering Yes No
    Win32_Service Yes No
    Win32_UserAccount Yes No
    win32_Volume Yes Yes
    Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes
    Win32_PerfFormattedData_DNS_DNS Yes Yes
    Win32_PerfFormattedData_W3SVC_WebService Yes Yes
    Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes
    Win32_PerfRawData_NTDS_NTDS Yes Yes
    Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes
    Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes
    Win32_PerfRawData_PerfOS_Memory Yes Yes
    Win32_PerfRawData_PerfOS_PagingFile Yes Yes
    Win32_PerfRawData_PerfOS_Processor Yes Yes
    Win32_PerfRawData_PerfProc_Process Yes Yes
    Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes
    WMI Configurations for Windows 2008 and 2008R2

    To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:

    Creating a Generic User Who Does Not Belong to the Local Administrator Group

    Log in to the machine you want to monitor with an administrator account.

    Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
    2. Right-click Users and select New User.
    3. Create a user.
    4. Select this user and right-click to select Properties > Member of tab.
    5. Select Distributed COM Users and click Add.
    6. Click OK to save.
      This is the account you must use to set up the Performance Monitor Users group permissions.
    7. Repeat steps 4 through 6 for the Performance Monitor Users group.
    Step 2. Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then Properties.
    3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
    4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    5. Click OK.
    6. Under Access Permissions, click EditDefault.
    7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
    8. Click OK.
    9. Under Launch and Activation Permissions, click Edit Limits.
    10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. Click OK.
    12. Under Launch and Activation Permissions, click Edit Defaults.
    13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

    See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

    Configuring Log Monitoring for Non-Administrative User

    To configure the non-administrative user to monitor windows event logs, follow the steps below:

    1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
    2. Right-click the non-admin user and select Properties.
    3. Select the Member of tab.
    4. Select the group Event Log Reader and click Add.
    5. Click Apply.
    6. Click OK to complete the configuration.

    The following groups should be applied to the user:

    • Distributed COM Users
    • Domain Users
    • Event Log Reader
    Creating a User Who Belongs to the Domain Administrator Group

    Log in to the Domain Controller with an administrator account.

    Step 1. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group
    1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
    2. Right-click Users and select Add User.
    3. Create a user for the @accelops.com domain.
      For example, YJTEST@accelops.com.
    4. Go to Groups, right-click Administrators, and then click Add to Group.
    5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
    6. For Enter the object names to select, enter the user you created in step 3.
    7. Click OK to close the Domain Admins Properties dialog.
    8. Click OK.
    Step 2. Enable the Monitoring Account to Access the Monitored Device

    Log in to the machine you want to monitor with an administrator account.

    Enable DCOM Permissions for the Monitoring Account
    1. Go to Start > Control Panel > Administrative Tools > Component Services.
    2. Right-click My Computer, and then select Properties.
    3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
    4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    5. Click OK.
    6. In the Com Security tab, under Access Permissions, click Edit Defaults.
    7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
    8. Click OK.
    9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
    10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
    12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    Enable Account Privileges in WMI

    The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

    1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
    2. Select WMI Control, and then right-click and select Properties.
    3. Select the Security tab.
    4. Expand the Root directory and select CIMV2.
    5. Click Security.
    6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
    7. Click Advanced.
    8. Select the user you created for the monitoring account, and then click Edit.
    9. In the Apply onto menu, select This namespace and subnamespaces.
    10. Click OK to close the Permission Entry for CIMV2 dialog.
    11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
    12. In the left-hand navigation, under Services and Applications, select Services.
    13. Select Windows Management Instrumentation, and then click Restart.
    Allow WMI to Connect Through the Windows Firewall (Windows 2003)
    1. In the Start menu, select Run.
    2. Run gpedit.msc.
    3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
    4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
    5. Select Windows Firewall: Allow remote administration exception.
    6. Run cmd.exe and enter these commands:
      netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
    7. Restart the server.
    Allow WMI through Windows Firewall (Windows Server 2008, 2012)
    1. Go to Control Panel > Windows Firewall.
    2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
    3. Select Windows Management Instrumentation, and the click OK.You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
    Differences Between Administrator and Non-Administrator Account

    Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

    WMI Class Administrator Non-Administrator
    Win32_BIOS Yes No
    Win32_ComputerSystem Yes Yes
    Win32_LogicalDisk Yes No
    Win32_NetworkAdapter Yes Yes
    Win32_NetworkAdapterConfiguration Yes Yes
    Win32_NTLogEvent Yes Yes
    Win32_OperatingSystem Yes Yes
    Win32_Process Yes Yes
    Win32_Processor Yes Yes
    Win32_Product Yes Yes
    Win32_QuickFixEngineering Yes No
    Win32_Service Yes No
    Win32_UserAccount Yes No
    win32_Volume Yes Yes
    Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes
    Win32_PerfFormattedData_DNS_DNS Yes Yes
    Win32_PerfFormattedData_W3SVC_WebService Yes Yes
    Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes
    Win32_PerfRawData_NTDS_NTDS Yes Yes
    Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes
    Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes
    Win32_PerfRawData_PerfOS_Memory Yes Yes
    Win32_PerfRawData_PerfOS_PagingFile Yes Yes
    Win32_PerfRawData_PerfOS_Processor Yes Yes
    Win32_PerfRawData_PerfProc_Process Yes Yes
    Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes
    Windows Agent Configurations

    For information on configuring Windows Agent, see Windows Agent Installation Guide.

    Syslog Configurations

    See the Windows Agent Installation Guide for information on configuring the sending of syslogs from your device to FortiSIEM.

    Sample Windows Server Syslog

    <108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: weighalll-admin
    Configuring the Security Audit Logging Policy

    Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM.

    1. Log in the machine where you want to configure the policy as an administrator.
    2. Go to Programs > Administrative Tools > Local Security Policy.
    3. Expand Local Policies and select Audit Policy.
      You will see the current security audit settings.
    4. Selet a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

      5. Policy Description Settings
      Audit account logon events and Audit logon events For auditing logon activity Select Success and Failure
      Audit object access events For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy. Select Success and Failure
      Audit system events Includes system up/down messages
    Configuring the File Auditing Policy

    When you enable the policy to audit object access events, you also must specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

    1. Log in the machine where you want to set the policy with administrator privileges.
      On a domain computer, a Domain administrator account is needed
    2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
    3. In the Security tab, click Advanced.
    4. Select the Auditing tab, and then click Add.
      This button is labeled Edit in Windows 2008.
    5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
    6. Click OK when you are done adding users.
    7. In the Permissions tab, set the permissions for each user you added.

    The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.

    Setting Access Credentials

    SNMP, Telnet, and SSH Access Credentials for All Devices

    See Access Credentials.

    LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol LDAP / LDAPS / LDAP Start TLS
    Used For OpenLDAP
    Server Port 389 for LDAP, LDAP Start TLS; 636 for LDAPS
    Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
    Password Config See Password Configuration
    User Name For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
    Password Password of the user able to access this system

    LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol LDAP / LDAPS / LDAP Start TLS
    Used For Microsoft Active Directory
    Server Port 389 for LDAP, LDAP Start TLS; 636 for LDAPS
    Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
    NetBIOS/Domain The domain name or NetBIOS name attribute
    Password Config See Password Configuration
    User Name For Microsoft Active Directory, the user name can be just the login name.
    Password Password of the user able to access this system

    WMI Access Credentials for All Devices

    Settings Value
    Name <set name>
    Device Type Microsoft Windows Server *
    Access Protocol WMI
    Pull Interval 1 minute
    NetBIOS/Domain The domain name or NetBIOS name attribute
    Password Config See Password Configuration
    User Name Name of the user able to access this system
    Password Password of the user able to access this system
    Previous
    Next