
External Systems Configuration Guide

Microsoft Windows Server via OMI/SNMP/WMI

Support Added: FortiSIEM 1.1

Last Modification: FortiSIEM 7.0.0

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/windows-server

Supported OS Versions

  • Windows 2008 and 2008 R2
  • Windows 2012 and 2012 R2
  • Windows 2016
  • Windows 2019
  • Windows 2022
  • Windows 10
  • Windows 11

    Note: Starting with FortiSIEM 6.3.3, you can use Open Management Initiative (OMI) to discover, monitor, and collect logs from Windows Servers. OMI collects data from the same WMI classes as WMI, through a different API, so no changes are required on the Windows Server side to accommodate OMI-based communication. In other words, Windows Servers are configured identically for WMI and OMI, and the same restrictions apply to both.

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, generic hardware (CPU, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
Metrics collected: Uptime, overall CPU/memory/network interface/disk space utilization, network interface errors, running process count, installed software change, running process CPU/memory utilization, running process start/stop, TCP/UDP port up/down
Used for: Performance Monitoring

Protocol: SNMP
Information Discovered: Vendor-specific server hardware (hardware model, hardware serial number, fans, power supply, disk, RAID battery). Currently supported vendors include HP and Dell.
Metrics collected: Hardware module status (fan, power supply, thermal status, battery, disk, memory). Currently supported vendors include HP and Dell.
Used for: Availability Monitoring

Protocol: WMI or OMI
Information Discovered: Host name, OS (Win32_ComputerSystem), OS serial number (Win32_WindowsProductActivation), memory, uptime (Win32_OperatingSystem), BIOS (Win32_BIOS), CPU (Win32_Processor), disk info (Win32_LogicalDisk), network interface (Win32_NetworkAdapterConfiguration), services (Win32_Service), running processes (Win32_Process), installed patches (Win32_QuickFixEngineering)
Metrics collected: Uptime (Win32_OperatingSystem), CPU utilization (Win32_PerfRawData_PerfOS_Processor), memory utilization and paging/swapping metrics (Win32_PerfRawData_PerfOS_Memory), disk space utilization (Win32_LogicalDisk), paging file utilization (Win32_PerfRawData_PerfOS_PagingFile), disk I/O metrics (Win32_PerfRawData_PerfDisk_LogicalDisk), network interface utilization (Win32_PerfRawData_Tcpip_NetworkInterface), running process metrics (Win32_Process, Win32_Service, Win32_PerfRawData_PerfProc_Process)
Used for: Performance Monitoring

Protocol: WMI or OMI
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: Snare agent
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: Correlog agent
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: FortiSIEM Agent
Metrics collected: Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and PowerShell output monitoring, Sysmon, User Entity Behavior Analysis (UEBA)
Used for: Security and Compliance

Protocol: FortiSIEM Agent 5.0.0 and later
Metrics collected: Uptime, CPU (total, individual), memory (total, virtual, page file), disk (total, individual), network (total, individual), application (total, running process resources); application metrics (IIS, ASPNET, DNS, DHCP, NTDS)
Used for: Performance Monitoring

Installed software is monitored via SNMP; see note 1 under Notes below.

Recommendations:

Use Windows Agent 5.0.0 or later for all log collection, discovery and performance monitoring.

Notes:

  1. Installed Software Monitored via SNMP - Although information about installed software is available via both SNMP and WMI/OMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class - see Microsoft KB 974524 article for more information. Because of this bug, WMI/OMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.
  2. Winexe execution and its effect - FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes.
    1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
    2. HyperV Performance Monitoring
    3. Windows Custom performance monitoring – to run a command (e.g. powershell) remotely on windows systems


    Note: When using the winexe command, you must make sure that winexesvc is installed on the Windows Server.

    1. If the Windows Server has SMBv1 enabled, running the winexe command remotely will automatically install the winexesvc service on the Windows Server.

    2. If the Windows Server has only SMBv2 enabled, you must take the following steps.

      1. Run the following command in Windows PowerShell to check whether winexesvc is installed.

        Get-Service -Name winexesvc

        If it is installed, you are done. If it is not installed, proceed to the next step.

      2. On the FortiSIEM instance, download winexe-static-2 from the following link.

        https://github.com/Opmantek/open-audit/blob/master/other/winexe-static-2

      3. Run the following command.

        ./winexe-static-2 -U '<Account Name>%<Account Password>' //<Windows Device IP> 'cmd.exe'

        The winexe-static-2 command will install winexesvc on the target Windows device automatically.

Data Collection Comparison - Agentless (WMI/OMI) versus FortiSIEM Windows Agent

In the tables below, WMI/OMI stands for the agentless Windows Mgmt Instrumentation path.

Data Collection Features                                            WMI/OMI      FortiSIEM Windows Agent
Security, Application, System Event Logs                            Yes          Yes
File/Folder Edits                                                   Yes          Yes
File Integrity Monitoring (FIM)                                     No           Yes
IIS Audit Logs                                                      No           Yes
DNS Analytical Logs                                                 No           Yes
Detailed DHCP Audit Logging                                         No           Yes
Support for all Windows Log Channels                                No           Yes
Custom Log Sources                                                  No           Yes
Windows Event Collector (WEC) and Windows Event Forwarding Support  No           Yes
Sysmon Support                                                      No           Yes
Registry Change Monitoring                                          No           Yes
Installed Software Change Monitoring                                No           Yes
WMI and PowerShell Output Monitoring                                No           Yes
Supports UEBA Telemetry Data                                        Limited*     Yes

*For more detailed information on supported UEBA event sources, see the latest Online Help Appendix - Comparing UEBA Sources.

Performance Features                                                WMI/OMI      FortiSIEM Windows Agent
Scalable for Large Environments                                     No           Yes
EPS Performance                                                     100 EPS max  5K EPS
Performance Monitoring                                              Yes          Yes, with Windows Agent 5.0.0 and later

Administrative Features                                             WMI/OMI                            FortiSIEM Windows Agent
Simplified Network Policies                                         No (TCP 135, 1024-65535 inbound)   Yes (443 outbound)
Requires Domain or Local Service Account                            No                                 No
Requires Install on Server or Workstation                           No                                 Yes
FIPS Compliant Capable                                              No                                 Yes
Log Buffering Upon Connectivity Loss                                No                                 Yes
Supports On and Off Network Monitoring                              No                                 Yes
Secure Log Transmission                                             Yes                                Yes

Event Types

In ADMIN > Device Support > Event Types, search for "windows server" to see the event types associated with this application or device.

Rules

In RESOURCES > Rules, search for "windows server" in the main content panel Search... field to see the rules associated with this application or device.

Reports

In RESOURCES > Reports, search for "windows server" in the main content panel Search... field to see the reports associated with this application or device.

Windows Server Configuration for Data Collection

WinRM Configuration

WinRM is needed for WMI/OMI monitoring and also for some FortiSIEM Remediation actions. It is enabled by default.

For WMI/OMI monitoring, WinRM service needs to be running. For FortiSIEM Remediation actions, the following additional steps are needed.

Enable WinRM and Set Authentication

Use the commands below to enable WinRM and set authentication on the target Windows Servers:

  1. To configure Windows Server, run the following commands:

    winrm quickconfig

    winrm set winrm/config/service/auth '@{Basic="true"}'

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    winrm enumerate winrm/config/listener

    Notes:

    • If HTTPS is not enabled, open a Windows PowerShell console as an administrator and run the following command:

      New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

    • Windows 2012 requires a CA certificate that includes the Server Authentication EKU OID 1.3.6.1.5.5.7.3.1. Do not use the PowerShell command above to create a self-signed certificate on Windows 2012.

Next, follow the instructions for your version of Microsoft Windows Server.

Microsoft Windows Server 2012

Windows 2012 requires a CA certificate that includes the Server Authentication EKU OID 1.3.6.1.5.5.7.3.1. Do NOT use the PowerShell command to create a self-signed certificate.

If HTTPS is not enabled, then open a Windows PowerShell console as an administrator, and run the following commands.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint of the CA-issued certificate>"}'

winrm quickconfig -transport:https

winrm enumerate winrm/config/listener

Proceed to Configure FortiSIEM Client.

Microsoft Windows Server 2012 R2

For Microsoft Windows Server 2012 R2, take the following steps.

  1. Configure a Certificate Signing Request (CSR) from your Windows 2012 R2 server.

  2. Obtain a CA SSL Certificate with a Server side authentication EKU OID.

  3. In PowerShell, run the following command:

    Import-Certificate -FilePath <path of ca certificate> -CertStoreLocation Cert:\LocalMachine\My

  4. From the output, record the thumbprint, for use in the next step. (Example output shown; the thumbprint is the first column of the last line.)

    PS C:\Users\Administrator> Import-Certificate -FilePath C:\thisserver2.cer -CertStoreLocation Cert:\LocalMachine\My

       Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

    Thumbprint                                Subject
    ----------                                -------
    32525BCAC07E59E5321D297F96A94608421EDA71  CN=thisserver, OU=it, O=fortinet, L=sunnyvale, S=california, C=US

  5. Run the following commands:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint recorded in step 4>"}'

    winrm quickconfig -transport:https

    winrm enumerate winrm/config/listener

  6. To configure FortiSIEM Client (Supervisor or Collector), run the following command.

    pip3 install pywinrm

Microsoft Windows Server Earlier than 2012, or 2016 and Later

If HTTPS is not enabled, then open Windows PowerShell console as an administrator, and run the following commands:

Note: Single quotes are needed for Windows 2016 and later.

New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint returned by New-SelfSignedCertificate>"}'

winrm quickconfig -transport:https

winrm enumerate winrm/config/listener

Next, proceed to Configure FortiSIEM Client.

Configure FortiSIEM Client

To configure FortiSIEM Client (Supervisor or Collector), run the following command.

pip install pywinrm
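As an added verification script (not part of the Fortinet guide), the following Windows PowerShell, run as an administrator on the monitored server, confirms that the HTTPS listener created above is bound to a certificate carrying the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and reports the AllowUnencrypted and Basic settings that the winrm set commands turn on, since AllowUnencrypted also permits unencrypted exchanges over the HTTP listener and Basic sends the password merely base64-encoded. The helper Get-WSManValue is the example's own.

```powershell
# Added example, not from the Fortinet guide. Run in an elevated Windows PowerShell
# console on the monitored server after the winrm commands above.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU the guide requires

# Helper: read one named setting (Name/Value item) from a WSMan: provider path
function Get-WSManValue([string]$Path, [string]$Name) {
    (Get-ChildItem -Path $Path | Where-Object { $_.Name -eq $Name }).Value
}

# The WSMan: drive exposes what 'winrm enumerate winrm/config/listener' prints
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener
$https = @($listeners | Where-Object { (Get-WSManValue $_.PSPath 'Transport') -eq 'HTTPS' })

if ($https.Count -eq 0) {
    Write-Warning 'No HTTPS listener is configured; WinRM is reachable over HTTP only.'
}

$listenerReport = foreach ($l in $https) {
    $thumb = (Get-WSManValue $l.PSPath 'CertificateThumbprint') -replace '\s', ''
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Listener certificate $thumb is not present in Cert:\LocalMachine\My."
        continue
    }
    # Pull the EKU OIDs (extension 2.5.29.37) straight from the certificate
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekus = @()
    if ($ekuExt) {
        $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        Hostname      = Get-WSManValue $l.PSPath 'Hostname'
        Port          = Get-WSManValue $l.PSPath 'Port'
        Thumbprint    = $thumb
        NotAfter      = $cert.NotAfter
        ServerAuthEKU = ($ekus -contains $serverAuthEku)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # Windows 2012 needs a CA-issued cert
    }
}
$listenerReport | Format-Table -AutoSize

# Service-side settings changed by 'winrm set' above. AllowUnencrypted lets clients talk to
# the HTTP listener without message-level encryption; Basic carries the password base64
# encoded, so it is only as safe as the transport underneath it.
[pscustomobject]@{
    AllowUnencrypted = Get-WSManValue 'WSMan:\localhost\Service' 'AllowUnencrypted'
    BasicAuth        = Get-WSManValue 'WSMan:\localhost\Service\Auth' 'Basic'
} | Format-List
```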

WMI/OMI Configuration

These configurations are needed if you are using either WMI or OMI to monitor Windows Servers.

WMI/OMI Configuration for Windows 2012, 2012 R2, 2016, 2019, 2022, Windows 10, 11

You must create a user with sufficient permissions to access WMI objects. This user account will be used by FortiSIEM. There are two cases:

  1. Create a User Belonging to the Domain or Local Administrator Group
  2. Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Note the difference in capabilities between these two users; see Capability Difference between Domain/Local Administrator Users and Generic Users below.

Create a User Belonging to the Domain or Local Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Create a User Belonging to Domain or Local Administrator Group
  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select New > User.
  3. Create a new user.
  4. Right-click Domain Admins in Users and select Properties.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. Click Advanced > Find Now, add the Administrator and the user which you created during step 3.
  7. Click OK to close the User select dialog.
  8. Click OK to close the Domain Admins Properties dialog.
Step 2: Enable DCOM Permissions for the New User

Log in to the machine you want to monitor with an administrator account.

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1 of Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group).
  13. Click OK.
Step 3: Enable Account Privileges in WMI for the New User

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. If the user is not present, then click Add to add the user you created.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Applies onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.
Step 4: Allow WMI through Windows Firewall
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 5: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration. Note that in Windows 10 and Windows 11, it may be disabled by default and you need to enable it.

Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Log in to the machine you want to monitor with an administrator account.

Step 1. Create a New User Belonging to Distributed COM Users, Remote Management Users and Performance Monitor Users Groups
  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Select this user and right-click to select Properties > Member of tab.
  5. Click Add > Advanced > Find Now.
  6. Select and add the following groups:
    • Distributed COM Users group.
    • Performance Monitor Users group.
    • Remote Management Users group.

      Note: To select multiple groups, hold down the CTRL key and click the desired groups.

  7. Click OK to save.
Step 2: Add the User to Log Reader Group

To configure the non-administrative user to monitor Windows event logs, follow the steps below:

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
  2. Right-click the non-admin user and select Properties.
  3. Select the Member of tab.
  4. Select the group Event Log Reader and click Add.
  5. Click Apply.
  6. Click OK to complete the configuration.
Step 3. Enable DCOM Permissions for the New User
  1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer.
  2. Right-click My Computer, and then Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  14. Click OK.
Step 4: Enable Access to Win32_Service Class

To gain access to Win32_Service, run the following command (with admin privileges) on the Windows host from a cmd.exe or PowerShell prompt:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

See Reference: https://stackoverflow.com/questions/3917477/granting-remote-user-non-admin-the-ability-to-enumerate-services-in-win32-serv/4432737#4432737
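As an added review aid (not part of the Fortinet guide and not a Microsoft tool), this Windows PowerShell snippet decodes each ACE of the SCMANAGER security descriptor above into its Service Control Manager meaning, so the effect of the sc sdset command can be checked before it is applied and compared with the current descriptor printed by sc.exe sdshow scmanager; it shows that Authenticated Users receive only connect, enumerate, query-lock-status and read-control rights. The function ConvertFrom-ScmSddl and the lookup tables are the example's own.

```powershell
# Added example, not from the Fortinet guide. Decodes the SCMANAGER descriptor used in the
# 'sc sdset' command above so each ACE can be reviewed before it is applied.
# Compare with the live descriptor:  sc.exe sdshow scmanager
$proposedSddl = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# SDDL two-letter access codes as they apply to the Service Control Manager object
$scmRights = @{
    CC = 'SC_MANAGER_CONNECT';           DC = 'SC_MANAGER_CREATE_SERVICE'
    LC = 'SC_MANAGER_ENUMERATE_SERVICE'; SW = 'SC_MANAGER_LOCK'
    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'; WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    KA = 'FULL_CONTROL'; GA = 'GENERIC_ALL'
}
$aceFlags = @{
    OI = 'OBJECT_INHERIT'; CI = 'CONTAINER_INHERIT'; NP = 'NO_PROPAGATE'; IO = 'INHERIT_ONLY'
    ID = 'INHERITED'; SA = 'AUDIT_SUCCESS'; FA = 'AUDIT_FAILURE'
}
$aceTypes = @{ A = 'Allow'; D = 'Deny'; AU = 'Audit' }
# Well-known SID abbreviations that appear in this descriptor (and in the default one)
$trustees = @{
    AU = 'Authenticated Users'; SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'
    WD = 'Everyone'; IU = 'Interactive Users'; SU = 'Service Logon Users'
}

function ConvertFrom-ScmSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -lt 0) { $saclStart = $Sddl.Length }

    # Expands a run of two-letter codes through a lookup table
    $decode = {
        param($codes, $table)
        [regex]::Matches($codes, '..') | ForEach-Object {
            if ($table.ContainsKey($_.Value)) { $table[$_.Value] } else { "UNKNOWN($($_.Value))" }
        }
    }

    # Each ACE is "(type;flags;rights;object_guid;inherit_guid;sid)"
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        [pscustomobject]@{
            Section = if ($m.Index -lt $saclStart) { 'DACL' } else { 'SACL' }
            Type    = $aceTypes[$f[0]]
            Flags   = (& $decode $f[1] $aceFlags) -join ','
            Trustee = if ($trustees.ContainsKey($f[5])) { $trustees[$f[5]] } else { $f[5] }
            Rights  = (& $decode $f[2] $scmRights) -join ', '
        }
    }
}

ConvertFrom-ScmSddl -Sddl $proposedSddl | Format-Table -AutoSize
```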

Step 5. Enable WMI Account Privileges for the New User

See the Enable Account Privileges in WMI for the New User section in Create a User Belonging to the Domain or Local Administrator Group for set up instructions to configure WMI.

Step 6: Allow WMI through Windows Firewall
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow apps to communicate through Windows Defender Firewall.
  3. Click Change settings.
  4. Locate Windows Management Instrumentation (WMI), and click the checkbox to enable your connected networks.
  5. Locate Windows Remote Management, and click the checkbox to enable your connected networks.
  6. Locate Windows Remote Management (Compatibility), and click the checkbox to enable your connected networks.
  7. Click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 7: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration. Note that in Windows 10 and Windows 11, it may be disabled by default and you need to enable it.

Capability Difference between Domain/Local Administrator Users and Generic Users

Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

WMI Class                                               Administrator  Non-Administrator
Win32_BIOS                                              Yes            No
Win32_ComputerSystem                                    Yes            Yes
Win32_LogicalDisk                                       Yes            No
Win32_NetworkAdapter                                    Yes            Yes
Win32_NetworkAdapterConfiguration                       Yes            Yes
Win32_NTLogEvent                                        Yes            Yes
Win32_OperatingSystem                                   Yes            Yes
Win32_Process                                           Yes            Yes
Win32_Processor                                         Yes            Yes
Win32_Product                                           Yes            Yes
Win32_QuickFixEngineering                               Yes            No
Win32_Service                                           Yes            Yes
Win32_UserAccount                                       Yes            No
Win32_Volume                                            Yes            Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer           Yes            Yes
Win32_PerfFormattedData_DNS_DNS                         Yes            Yes
Win32_PerfFormattedData_W3SVC_WebService                Yes            Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices   Yes            Yes
Win32_PerfRawData_NTDS_NTDS                             Yes            Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                  Yes            Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                 Yes            Yes
Win32_PerfRawData_PerfOS_Memory                         Yes            Yes
Win32_PerfRawData_PerfOS_PagingFile                     Yes            Yes
Win32_PerfRawData_PerfOS_Processor                      Yes            Yes
Win32_PerfRawData_PerfProc_Process                      Yes            Yes
Win32_PerfRawData_Tcpip_NetworkInterface                Yes            Yes
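As an added check (not part of the Fortinet guide), the following Windows PowerShell script, run from an administrator's workstation, opens a DCOM CIM session to the monitored server as the monitoring account and queries each class from the table above that exists on every Windows host, reporting which ones that account can actually read after the DCOM and CIMV2 permission steps. $Target is a placeholder and Test-WmiClassAccess is the example's own function.

```powershell
# Added example, not from the Fortinet guide. Run from a Windows host that can reach the
# monitored server; $Target and the credential prompt are placeholders you fill in.
$Target = '<Windows Device IP or FQDN>'                                    # placeholder
$cred   = Get-Credential -Message 'FortiSIEM monitoring account (DOMAIN\user or .\user)'

# DCOM is the channel that the COM Security and WMI Control steps above authorize, so the
# test deliberately uses DCOM rather than WinRM to exercise exactly those permissions.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt

# Classes from the capability table that exist on every Windows host. Role-specific classes
# (DNS, DHCP, IIS, NTDS) exist only on servers holding that role and are left out;
# Win32_NTLogEvent is left out because enumerating it reads the entire event logs.
$classes = @(
    'Win32_BIOS', 'Win32_ComputerSystem', 'Win32_LogicalDisk', 'Win32_NetworkAdapter',
    'Win32_NetworkAdapterConfiguration', 'Win32_OperatingSystem', 'Win32_Process',
    'Win32_Processor', 'Win32_QuickFixEngineering', 'Win32_Service', 'Win32_UserAccount',
    'Win32_Volume', 'Win32_PerfRawData_PerfOS_Processor', 'Win32_PerfRawData_PerfOS_Memory',
    'Win32_PerfRawData_PerfOS_PagingFile', 'Win32_PerfRawData_PerfDisk_LogicalDisk',
    'Win32_PerfRawData_PerfDisk_PhysicalDisk', 'Win32_PerfRawData_Tcpip_NetworkInterface',
    'Win32_PerfRawData_PerfProc_Process'
)

function Test-WmiClassAccess {
    param($Session, [string[]]$ClassNames)
    foreach ($c in $ClassNames) {
        try {
            # One instance is enough to prove read access; stop enumerating after it
            $first = Get-CimInstance -CimSession $Session -ClassName $c -ErrorAction Stop |
                Select-Object -First 1
            [pscustomobject]@{
                Class    = $c
                Readable = $true
                Detail   = if ($first) { 'instance returned' } else { 'no instances' }
            }
        } catch {
            # Access denied lands here when the DCOM or CIMV2 namespace ACLs are missing
            [pscustomobject]@{ Class = $c; Readable = $false; Detail = $_.Exception.Message }
        }
    }
}

Test-WmiClassAccess -Session $session -ClassNames $classes | Format-Table -AutoSize -Wrap
Remove-CimSession -CimSession $session
```

Rows marked Readable = False for classes the table lists as Non-Administrator Yes point at a permission step that was skipped; a False on Win32_Service means the sc sdset change in Step 4 has not taken effect.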

WMI/OMI Configuration for Windows 2008 and 2008 R2

You must create a user with sufficient permissions to access WMI objects. There are two cases.

  1. Create a New User Belonging to Domain or Local Administrator Group
  2. Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Note the difference in capabilities between these two users; see Capability Difference between Domain/Local Administrator Users and Generic Users below.

Create a New User Belonging to Domain or Local Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Create a New User and Add the User to Domain or Local Administrator Group
  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you just created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.
Step 2: Enable DCOM Permissions for the New User

Log in to the machine you want to monitor with an administrator account.

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Step 3: Enable WMI Account Privileges for the New User

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.
Step 4: Allow WMI to Connect Through the Windows Firewall

Follow the appropriate instructions per your software.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

  7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 5: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration.

Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Log in to the machine you want to monitor with an administrator account.

Step 1. Create a New User Belonging to Distributed COM Users and Performance Monitor Users Groups
  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Select this user and right-click to select Properties > Member of tab.
  5. Select Distributed COM Users and click Add.
  6. Click OK to save.
    This is the account you must use to set up the Performance Monitor Users group permissions.
  7. Repeat steps 4 through 6 for the Performance Monitor Users group.
Step 2: Add the User to Log Reader Group

To configure the non-administrative user to monitor Windows event logs, follow the steps below:

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
  2. Right-click the non-admin user and select Properties.
  3. Select the Member of tab.
  4. Select the group Event Log Reader and click Add.
  5. Click Apply.
  6. Click OK to complete the configuration.
Step 3. Enable DCOM Permissions for the New User
  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Step 4: Enable WMI Account Privileges for the New User

See the Enable WMI Account Privileges for the New User section in the Create a New User Belonging to Domain or Local Administrator Group instructions to configure WMI.

Step 5: Allow WMI through Windows Firewall (Windows 2003 or Windows Server 2008, 2012)
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

  7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 6: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration.

Capability Difference between Domain/Local Administrator Users and Generic Users

Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

WMI Class Administrator Non-Administrator
Win32_BIOS Yes No
Win32_ComputerSystem Yes Yes
Win32_LogicalDisk Yes No
Win32_NetworkAdapter Yes Yes
Win32_NetworkAdapterConfiguration Yes Yes
Win32_NTLogEvent Yes Yes
Win32_OperatingSystem Yes Yes
Win32_Process Yes Yes
Win32_Processor Yes Yes
Win32_Product Yes Yes
Win32_QuickFixEngineering Yes No
Win32_Service Yes No
Win32_UserAccount Yes No
win32_Volume Yes Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes
Win32_PerfFormattedData_DNS_DNS Yes Yes
Win32_PerfFormattedData_W3SVC_WebService Yes Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes
Win32_PerfRawData_NTDS_NTDS Yes Yes
Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes
Win32_PerfRawData_PerfOS_Memory Yes Yes
Win32_PerfRawData_PerfOS_PagingFile Yes Yes
Win32_PerfRawData_PerfOS_Processor Yes Yes
Win32_PerfRawData_PerfProc_Process Yes Yes
Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes
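
The table above is easy to verify before discovery fails. The following script is an added example, not part of the FortiSIEM guide: from any Windows host it opens a DCOM CIM session to the target server as the monitoring account (the transport and permissions the FortiSIEM collector relies on) and reports, class by class, whether the account can read it. The target host name, the account name and the class list are assumptions; the classes are taken from the table.

```powershell
# Added example, not from the FortiSIEM guide. Checks which WMI classes a
# monitoring account can actually read on a target server over DCOM.
# Assumptions: target host and account are placeholders.
$Target = 'srv01.corp.example.com'                                   # assumption
$Cred   = Get-Credential -UserName 'CORP\fsm-monitor' -Message 'Monitoring account'

$Classes = @(
    'Win32_OperatingSystem', 'Win32_ComputerSystem', 'Win32_Process', 'Win32_Processor',
    'Win32_PerfRawData_PerfOS_Processor', 'Win32_PerfRawData_PerfOS_Memory', 'Win32_NTLogEvent',
    # Administrator-only in the capability table; a generic user should fail on these.
    'Win32_BIOS', 'Win32_LogicalDisk', 'Win32_Service', 'Win32_QuickFixEngineering', 'Win32_UserAccount'
)

# DCOM rather than WS-Man, so the COM Security and root\cimv2 namespace
# permissions configured in this guide are what gets exercised.
$Session = New-CimSession -ComputerName $Target -Credential $Cred `
    -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop

$Report = foreach ($Class in $Classes) {
    # Win32_NTLogEvent is the entire event log; restrict it to one log file.
    $Query = if ($Class -eq 'Win32_NTLogEvent') {
        "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'System'"
    } else {
        "SELECT * FROM $Class"
    }
    try {
        $First  = Get-CimInstance -CimSession $Session -Query $Query -ErrorAction Stop |
                  Select-Object -First 1
        $Detail = if ($First) { '' } else { 'no instances returned' }
        [pscustomobject]@{ Class = $Class; Readable = [bool]$First; Detail = $Detail }
    } catch {
        # WBEM_E_ACCESS_DENIED (0x80041003) and similar errors land here.
        [pscustomobject]@{ Class = $Class; Readable = $false; Detail = $_.Exception.Message }
    }
}
Remove-CimSession -CimSession $Session

$Report | Format-Table -AutoSize
```

A class that the table marks Administrator-only and that comes back with Readable = False for the account means that data will only be collected if you use the administrator path for that host.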

Kerberos Configuration for OMI

If the Windows Server to be monitored using OMI is part of a Windows Domain that uses Kerberos authentication, then you need to take 2 steps:

  1. Add IP to Windows Server name mapping (PTR record) to Windows DNS Server.
  2. Add Windows DNS Server name to the list of resolvers in FortiSIEM Collector.

These steps are needed because FortiSIEM uses IP to communicate while OMI/Kerberos needs host name (FQDN).

Windows DNS Server Configuration
  1. Log into your Windows DNS server with an admin account.
  2. Find Windows Server DNS Manager.
  3. Navigate to Forward Lookup under DNS Zones, and locate your DNS domain.
  4. Under your DNS domain, locate the host name (A records) for each server you are monitoring via OMI and make sure the IP address is correct.
  5. Under Reverse Lookup Zones, look up the zone corresponding to your subnet. Add a PTR record for each server you are monitoring via OMI.
FortiSIEM Collector Configuration
  1. Open the file /etc/resolv.conf.
  2. Add the Windows DNS Server IP address to the list of resolvers.

    [admin@FSM-User]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    ...
    nameserver <Windows DNS Server IP> 
    ...
  3. Save.
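
The DNS side of this can be scripted and checked from the DNS server. The following script is an added example and is not part of the FortiSIEM guide: it confirms the A record matches the IP FortiSIEM will use, creates the reverse zone and PTR record if they are missing, and then performs the reverse lookup the collector will perform. The DNS server name, zone names, host name and IP address are assumptions; run it as a DNS administrator on the Windows DNS server or a host with the DnsServer RSAT module.

```powershell
# Added example, not from the FortiSIEM guide. Creates the PTR record that
# OMI/Kerberos needs and verifies forward and reverse lookups agree.
# Assumptions: all names and addresses below are placeholders.
Import-Module DnsServer

$DnsServer   = 'dc01.corp.example.com'     # assumption: Windows DNS server
$ForwardZone = 'corp.example.com'          # assumption: AD DNS domain
$Network     = '192.168.1.0/24'            # assumption: subnet of the monitored servers
$ReverseZone = '1.168.192.in-addr.arpa'    # assumption: reverse zone for that subnet
$HostName    = 'srv01'                     # assumption: server monitored via OMI
$HostIp      = '192.168.1.10'              # assumption: its address as entered in FortiSIEM
$Fqdn        = "$HostName.$ForwardZone"

# 1. The A record must point at the IP FortiSIEM discovers the host with.
$Ips = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ForwardZone `
        -Name $HostName -RRType A -ErrorAction Stop).RecordData.IPv4Address.IPAddressToString
if ($Ips -notcontains $HostIp) { throw "A record for $Fqdn resolves to $($Ips -join ',') not $HostIp" }

# 2. Create the reverse zone if it does not exist yet.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId $Network -ReplicationScope Domain
}

# 3. Add the PTR record; in a /24 reverse zone the record name is the last octet.
$Octet = ($HostIp -split '\.')[-1]
if (-not (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone `
          -Name $Octet -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ComputerName $DnsServer -ZoneName $ReverseZone `
        -Name $Octet -PtrDomainName "$Fqdn."
}

# 4. What the collector will see: the reverse lookup must return the FQDN that
#    appears in the host's Kerberos service principal name.
Resolve-DnsName -Server $DnsServer -Name $HostIp -Type PTR | Select-Object Name, NameHost
```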

SNMP Configuration

Enabling SNMP on Windows Server 2012 R2, Server 2016, Server 2019, Server 2022

The SNMP Service is an optional Windows feature and is not installed by default, so first check whether it is installed on your server. You must also add FortiSIEM to the hosts that are authorized to send SNMP requests to the server.

  1. Log in as an administrator to the Windows Server where you want to enable SNMP.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. The Add Roles and Features Wizard will open automatically.
  5. Select Role-based or feature-based installation. Click Next until the Features option appears.
  6. Under Features, see if SNMP Services is installed.

    If not, check the checkbox before the SNMP Service and click Next to install the service.

  7. From the Start menu, select Services. Go to Services > SNMP Services.
  8. Select and open SNMP Service.
  9. Click the Security tab.
  10. Select Send authentication trap.
  11. Under Accepted communities, make sure there is a READ ONLY entry for the community string you will configure in the FortiSIEM SNMP credential. The guide uses public as the example; because public is the well-known default, a unique community string is preferable, and the entry must never be READ WRITE.
  12. Select Accept SNMP packets from these hosts.
  13. Click Add.
  14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  15. Click Add.
  16. Click Apply.
  17. Under SNMP Service, click Restart service.
  18. Go to Control Panel > Windows Firewall.
  19. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  20. Select SNMP Service, and then click OK.
Enabling SNMP on Windows 7 or Windows Server 2008 R2

The SNMP Service is an optional Windows feature and is not installed by default on Windows Server 2008 either, so first check whether it is installed. You must also add FortiSIEM to the hosts that are authorized to send SNMP requests to the server.

  1. Log in as an administrator to the Windows 2008 Server where you want to enable SNMP.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.
    If not, click Add Feature, then select SNMP Service and click Next to install the service.
  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.
  16. Go to Control Panel > Windows Firewall.
  17. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  18. Select SNMP Service, and then click OK.
Enabling SNMP on Windows Server 2003

The SNMP Service is an optional component on Windows Server 2003 and is not installed by default, so first check whether the Simple Network Management Protocol component is installed. You must also add FortiSIEM to the hosts that are authorized to send SNMP requests to the server.

  1. Go to Control Panel > Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Select Management and Monitoring Tools and click Details.
    Make sure that Simple Network Management Protocol is selected.
    If it isn't selected, select it, and then click Next to install.
  4. Go to Start > Administrative Tools > Services.
  5. Select and open SNMP Service.
  6. Click the Security tab.
  7. Select Send authentication trap.
  8. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  9. Select Accept SNMP packets from these hosts.
  10. Click Add.
  11. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  12. Click Add.
  13. Click Apply.
  14. Under SNMP Service, click Restart service.
  15. Go to Control Panel > Windows Firewall.
  16. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  17. Select SNMP Service, and then click OK.
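
The same configuration can be applied without the GUI. The script below is an added example, not part of the FortiSIEM guide: on Windows Server 2012 R2 and later it installs the SNMP Service feature if needed, writes the same settings the Security tab exposes (authentication traps, accepted communities, permitted managers) to the registry keys the service reads, restarts the service and restricts the firewall rule to the collector. The community string, collector address and firewall display-group name are assumptions.

```powershell
# Added example, not from the FortiSIEM guide. Scripted equivalent of the SNMP
# Service Security tab for Windows Server 2012 R2 and later. Run elevated.
# Assumptions: community string, collector IP and firewall group name are placeholders.
$Community   = 'fsm-ro-7Hq2'      # assumption: do NOT reuse the well-known "public"
$CollectorIp = '10.10.20.5'       # assumption: FortiSIEM collector that polls this host

# 1. Install the optional feature if it is missing (Server SKUs only).
if ((Get-WindowsFeature -Name SNMP-Service).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
}

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# 2. "Send authentication trap": trap on requests that use an unknown community.
Set-ItemProperty -Path $Params -Name EnableAuthenticationTraps -Value 1 -Type DWord

# 3. "Accepted community names": value name = community, DWORD = right
#    (4 = READ ONLY, 8 = READ WRITE). Drop "public" if it was ever added.
$Comm = Join-Path $Params 'ValidCommunities'
if (-not (Test-Path $Comm)) { New-Item -Path $Comm | Out-Null }
Remove-ItemProperty -Path $Comm -Name 'public' -ErrorAction SilentlyContinue
Set-ItemProperty -Path $Comm -Name $Community -Value 4 -Type DWord

# 4. "Accept SNMP packets from these hosts": numbered string values. Recreating
#    the key removes the default "localhost" entry, leaving only the collector.
$Mgrs = Join-Path $Params 'PermittedManagers'
if (Test-Path $Mgrs) { Remove-Item -Path $Mgrs -Recurse }
New-Item -Path $Mgrs | Out-Null
Set-ItemProperty -Path $Mgrs -Name '1' -Value $CollectorIp -Type String

# 5. Restart the service and open UDP/161 to the collector only.
Restart-Service -Name SNMP
# Assumption: the built-in rules are grouped as "SNMP Service"; adjust if your build differs.
Get-NetFirewallRule -DisplayGroup 'SNMP Service' | Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $CollectorIp -Enabled True

# 6. Verify what the service will load on its next start.
Get-Service -Name SNMP | Select-Object Status, StartType
Get-ItemProperty -Path $Comm
Get-ItemProperty -Path $Mgrs
```

Restricting PermittedManagers and the firewall rule to the collector means a stolen community string is useless from any other address, which matters because SNMP v1/v2c sends the community in clear text.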
Security Audit Policy Configuration

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM.

  1. Log in the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.
    You will see the current security audit settings.
  4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

    Policy Description Settings
    Audit account logon events and Audit logon events For auditing logon activity Select Success and Failure
    Audit object access events For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, File Auditing Policy Configuration. Select Success and Failure
    Audit system events Includes system up/down messages

File Auditing Policy Configuration

When you enable the policy to audit object access events, you also must specify which files, folders, users, and user actions will be logged. Be very specific with these settings and keep their scope as narrow as possible to avoid excessive logging; for the same reason, do not place audit entries on system-level folders such as the Windows directory, which would generate a very large volume of events.

  1. Log in the machine where you want to set the policy with administrator privileges.
    On a domain computer, a Domain administrator account is needed
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
  3. In the Security tab, click Advanced.
  4. Select the Auditing tab, and then click Add.
    This button is labeled Edit in Windows 2008.
  5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
  6. Click OK when you are done adding users.
  7. For each user you added, select the access types to record (for example Write or Delete, rather than every permission) and whether Success, Failure, or both should be audited.

The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.
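
The same audit entry can be set with PowerShell, which makes it easier to keep the scope narrow and repeatable across servers. The script below is an added example, not part of the FortiSIEM guide: it adds one SACL entry to one folder for one group, limited to modifying actions, and then lists the entries in effect. The folder path and group name are assumptions; the script must run elevated (writing a SACL needs SeSecurityPrivilege) and the Audit object access policy from the previous section must already be enabled for events to appear.

```powershell
# Added example, not from the FortiSIEM guide. Puts a narrowly scoped audit
# entry (SACL) on a folder and verifies it. Run elevated.
# Assumptions: folder and principal are placeholders.
$Folder    = 'D:\Finance\Payroll'      # assumption: the sensitive folder to watch
$Principal = 'CORP\Payroll-Users'      # assumption: the users whose access to record

# Record writes, deletes and permission/ownership changes. Plain reads are left
# out on purpose: on a busy share they would swamp the Security log.
$Rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propag  = [System.Security.AccessControl.PropagationFlags]::None
$Flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $Rights, $Inherit, $Propag, $Flags)

# -Audit is required so the security descriptor carries the SACL; without it
# Set-Acl would write the DACL only.
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Verify the audit entries now in effect on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Matching access then produces Security log events 4656 (handle requested) and 4663 (object accessed), which FortiSIEM reads from the Security log like any other event.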

Disabling Audit Token Right Adjusted Success Events

As per Microsoft, it is recommended to Disable "Success" auditing for "Audit Token Right Adjusted".

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

With Success auditing enabled for Audit Token Right Adjusted (Detailed Tracking), more than 800 event 4703 records can be generated per second; this volume affects both the monitored system and the collection pipeline.

Complete these steps to disable "Success" for "Audit Token Right Adjusted".

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
  4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
  5. Double click Audit Token Right Adjusted, select the Configure the following audit events: checkbox.
  6. Clear the Success checkbox to disable Success auditing; leave Failure as it is.
  7. Click Apply.
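
The audit settings from Security Audit Policy Configuration and the Token Right Adjusted change above can be applied together with auditpol, which also lets you choose subcategories instead of whole categories. The script below is an added example, not part of the FortiSIEM guide; the subcategory names are the English names that auditpol /list /subcategory:* prints, which is an assumption about your locale. Run it elevated.

```powershell
# Added example, not from the FortiSIEM guide. Applies the recommended audit
# settings with auditpol and disables Success for Token Right Adjusted.
# Assumption: English subcategory names as shown by "auditpol /list /subcategory:*".

$Enable = @(
    # Audit account logon events / Audit logon events
    'Credential Validation', 'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    # Audit object access: only File System. Enabling the whole Object Access
    # category would also switch on Filtering Platform Connection / Packet Drop,
    # which produce thousands of events per minute on a normal server.
    'File System',
    # Audit system events (system up/down and security subsystem changes)
    'Security State Change', 'Security System Extension', 'System Integrity', 'Other System Events'
)
foreach ($Sub in $Enable) {
    auditpol /set /subcategory:"$Sub" /success:enable /failure:enable | Out-Null
}

# Event 4703 is emitted at a very high rate on Success; keep Failure only.
auditpol /set /subcategory:"Token Right Adjusted Events" /success:disable /failure:enable | Out-Null

# Once subcategories are set, make Windows honour them over the legacy nine
# categories so a later category-level GPO cannot silently revert them. This is
# the "Audit: Force audit policy subcategory settings ... to override" option.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# Show what is actually in effect.
auditpol /get /subcategory:"Credential Validation","Logon","File System","Token Right Adjusted Events"
```

If the host receives audit settings from a domain GPO, set the same subcategories there instead; local auditpol changes are overwritten at the next policy refresh.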

Syslog Configuration

See the Windows Agent Installation Guide for information on configuring the sending of syslog from your device to FortiSIEM.

Sample Windows Server Syslog

<108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: example-admin

Print Log Configuration

FortiSIEM can collect the Windows print log through the FortiSIEM Windows Agent. To configure this, take the following steps.

Enabling Logging Print Log after WMI Configuration

After WMI Configuration is completed, enable logging print log by taking the following steps.

  1. Open the Event Viewer window and navigate to Applications and Services Logs > Microsoft > Windows > PrintService.
  2. Click Operational.
  3. Right click, and select Properties.
  4. Add a checkmark to the Enable logging checkbox.
  5. Click Apply.
  6. Click OK.

    Print activity is now recorded in the PrintService Operational channel, which can be viewed under Applications and Services Logs > Microsoft > Windows > PrintService > Operational.
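
The channel can also be enabled from the command line, which is handy when several print servers must be set up, and the same commands yield the exact channel name that the FortiSIEM monitor template needs in the next section. This is an added example, not part of the FortiSIEM guide; it assumes nothing beyond the channel's standard name.

```powershell
# Added example, not from the FortiSIEM guide. Enables the PrintService
# Operational channel and prints the full channel name used in FortiSIEM.
$Channel = 'Microsoft-Windows-PrintService/Operational'

# Same effect as ticking "Enable logging" in the channel's Properties dialog.
wevtutil set-log $Channel /enabled:true

# LogName is the "full name" shown in Event Viewer > Properties.
Get-WinEvent -ListLog $Channel |
    Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes, RecordCount

# Confirm print events are landing: show the most recent ones, if any.
Get-WinEvent -LogName $Channel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```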
Setup in FortiSIEM

Take the following steps to access print logs in FortiSIEM.

  1. Log on to your Windows Server, open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > PrintService, right-click Operational and select Properties.
  2. Copy the full name from log properties.
  3. Log in to FortiSIEM at the Super/Global organization level.
  4. Navigate to ADMIN > Setup > Windows Agent.
  5. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  6. In the Name field, enter a name for the template.
  7. Click the Event tab.
  8. In the Event Log row, click on New.
  9. In the Type drop-down list, select Other.
  10. In the Event Name field, enter/paste the full name from step 2.
  11. Click < Save.
  12. Click Save.
  13. Under Host to Template Associations, create a host to template association by clicking New.
  14. In the Name field, enter a name.
  15. Choose an organization.
  16. Select the monitor template you created through steps 5-12.
  17. Select a collector.
  18. Click Save.
  19. Click Apply.

FortiSIEM now automatically parses events received via WMI or FortiSIEM Windows Agent.

Setting Access Credentials on FortiSIEM

Navigate to ADMIN > Setup > Credentials, and in Step 1: Enter Credentials, click New to create a new Access Credential.

After the credential has been created, navigate to Step 2: Enter IP Range to Credential Associations, click New to create a mapping for the newly created Access Credential.

For general information on setting credentials see Setting Credentials. Specific Access Credentials settings are available here.

SNMP, Telnet and SSH Access Credentials

See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol LDAP / LDAPS / LDAP Start TLS
Used For OpenLDAP
Server Port Default: 3268 (Global Catalog port) for LDAP and LDAP Start TLS, 3269 (Global Catalog port) for LDAPS; or 389 for LDAP and LDAP Start TLS, 636 for LDAPS. Note: the Global Catalog ports are considerably more performant than the standard LDAP ports, but not all LDAP attributes are present in the Global Catalog by default. Plain LDAP on 389 or 3268 sends the bind password in clear text unless Start TLS is negotiated, so prefer LDAPS or LDAP Start TLS.

Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
Password Config See Password Configuration in Access Credentials.
User Name For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
Password Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol LDAP / LDAPS / LDAP Start TLS
Used For Microsoft Active Directory
Server Port Default: 3268 (Global Catalog port) for LDAP and LDAP Start TLS, 3269 (Global Catalog port) for LDAPS; or 389 for LDAP and LDAP Start TLS, 636 for LDAPS. Note: the Global Catalog ports are considerably more performant than the standard LDAP ports, but not all LDAP attributes are present in the Global Catalog by default. Plain LDAP on 389 or 3268 sends the bind password in clear text unless Start TLS is negotiated, so prefer LDAPS or LDAP Start TLS.

Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name For Microsoft Active Directory, the user name can be just the login name.
Password Password of the user able to access this system

WMI Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol WMI
Pull Interval 1 minute
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name Name of the user able to access this system
Password Password of the user able to access this system

OMI Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol OMI

Authentication

Select "ntlm auth" or "kerberos auth". If FIPS mode is enabled on FortiSIEM, kerberos auth is required, because NTLM depends on MD4/MD5-based algorithms that are not FIPS-approved. Kerberos authentication requires the following fields to be entered:

  • kerberos-AD-Server: Enter the fully qualified domain name or IP Address of the kerberos active directory server. See Kerberos Configuration for more information.

  • kerberos-domain: Enter the full Kerberos domain name.

Pull Interval 1 minute
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name Name of the user able to access this system
Password Password of the user able to access this system

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down Performance Monitoring
SNMP Vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell Hardware module status - fan, power supply, thermal status, battery, disk, memory Availability Monitoring
WMI or OMI Host name, OS (Win32_ComputerSystem), OS Serial Number (Win32_WindowsProductActivation), Memory, Uptime (Win32_OperatingSystem), Bios (Win32_BIOS), CPU (Win32_Processor), Disk info (Win32_LogicalDisk), Network interface (Win32_NetworkAdapterConfiguration), Services (Win32_Service), Running processes (Win32_Process), Installed Patches (Win32_QuickFixEngineering) Uptime (Win32_OperatingSystem), CPU utilization (Win32_PerfRawData_PerfOS_Processor), Memory utilization, paging/swapping metrics (Win32_PerfRawData_PerfOS_Memory), Disk space utilization (Win32_LogicalDisk), Paging file utilization (Win32_PerfRawData_PerfOS_PagingFile), Disk I/O metrics (Win32_PerfRawData_PerfDisk_LogicalDisk), Network Interface utilization (Win32_PerfRawData_Tcpip_NetworkInterface), Running process metrics (Win32_Process, Win32_Service, Win32_PerfRawData_PerfProc_Process) Performance Monitoring
WMI or OMI Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
Snare agent Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
Correlog agent Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Security and Compliance
FortiSIEM Agent Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring, sysmon, User Entity Behavior Analysis (UEBA) Security and Compliance
FortiSIEM Agent 5.0.0 and later Uptime, CPU (total, individual), Memory (Total, Virtual, PageFile), Disk (Total, Individual), Network (Total, Individual), Application (Total, Running process resources). Application metrics (IIS, ASPNET, DNS, DHCP, NTDS) Performance Monitoring

Recommendations:

Use Windows Agent 5.0.0 or later for all log collection, discovery and performance monitoring.

Notes:

  1. Installed Software Monitored via SNMP - Although information about installed software is available via both SNMP and WMI/OMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class - see Microsoft KB 974524 article for more information. Because of this bug, WMI/OMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.
  2. Winexe execution and its effect - FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes.
    1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
    2. HyperV Performance Monitoring
    3. Windows Custom performance monitoring – to run a command (e.g. powershell) remotely on windows systems


    Note: When using the winexe command, you must make sure the Windows Server has the winexesvc service installed.

    1. If the Windows Server has SMBv1 enabled, running the winexe command remotely installs winexesvc on the Windows Server automatically. SMBv1 is deprecated and should stay disabled; use the SMBv2 procedure below instead.

    2. If the Windows Server only has SMBv2 enabled, you must take the following steps.

      1. Run the following command on Windows Powershell to check whether winexesvc is installed.

        Get-Service -Name winexesvc

        If it is installed, you are done. If it not installed, proceed to the next step.

      2. On the FortiSIEM instance, download winexe-static-2 from the following link.

        https://github.com/Opmantek/open-audit/blob/master/other/winexe-static-2

      3. Run the following command.

        ./winexe-static-2 -U '<Account Name>%<Account Password>' //<Windows Device IP> 'cmd.exe'

        The winexe-static-2 command installs winexesvc on the target Windows device automatically. Note that a password given with -U is visible in the shell history and in the process list while the command runs; clear the history afterwards, or pass the credentials through winexe's authentication-file option if your build supports it.

Data Collection Comparison - Agentless (WMI/OMI) versus FortiSIEM Windows Agent

Data Collection Features WMI/OMI (Windows Mgmt Instrumentation) FortiSIEM Windows Agent
Security, Application, System Event Logs Yes Yes
File/Folder Edits Yes Yes
File Integrity Monitoring (FIM) No Yes
IIS Audit Logs No Yes
DNS Analytical Logs No Yes
Detailed DHCP Audit Logging No Yes
Support for all Windows Log Channels No Yes
Custom Log Sources No Yes
Windows Event Collector (WEC) and Windows Event Forwarding Support No Yes
Sysmon Support No Yes
Registry Change Monitoring No Yes
Installed Software Change Monitoring No Yes
WMI and Powershell Output Monitoring No Yes
Supports UEBA Telemetry Data Limited* Yes

*For more detailed information on supported UEBA event sources, see the latest Online Help Appendix - Comparing UEBA Sources.

Performance Features WMI/OMI (Windows Mgmt Instrumentation) FortiSIEM Windows Agent
Scalable for Large Environments No Yes
EPS Performance 100 EPS max 5K EPS
Performance Monitoring Yes Yes, with Windows Agent 5.0.0 and later.

Administrative Features WMI/OMI (Windows Mgmt Instrumentation) FortiSIEM Windows Agent
Simplified Network Policies No (TCP 135, 1024-65535 inbound) Yes (443 outbound)
Requires Domain or Local Service Account Yes (the WMI/OMI credential is a user account on the monitored host or domain) No
Requires Install on Server or Workstation No Yes
FIPS Compliant Capable No Yes
Log Buffering Upon Connectivity Loss No Yes
Supports On and Off Network Monitoring No Yes
Secure Log Transmission Yes Yes

Event Types

In ADMIN > Device Support > Event Types, search for "windows server" to see the event types associated with this application or device.

Rules

In RESOURCES > Rules, search for "windows server" in the main content panel Search... field to see the rules associated with this application or device.

Reports

In RESOURCES > Reports, search for "windows server" in the main content panel Search... field to see the reports associated with this application or device.

Windows Server Configuration for Data Collection

WinRM Configuration

WinRM is needed for WMI/OMI monitoring and also for some FortiSIEM Remediation actions. It is enabled by default.

For WMI/OMI monitoring, WinRM service needs to be running. For FortiSIEM Remediation actions, the following additional steps are needed.

Enable WinRM and Set Authentication

Use the commands below to enable WinRM and set authentication on the target Windows Servers:

  1. To configure Windows Server, run the following commands:

    winrm quickconfig

    winrm set winrm/config/service/auth '@{Basic="true"}'

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    winrm enumerate winrm/config/listener

    Notes:

    • If HTTPS is not enabled, open a Windows PowerShell console as an administrator and run the following command to create the certificate for the HTTPS listener:

      New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

    • Windows 2012 requires a CA-issued certificate that includes the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). Do not use the PowerShell command above to create a self-signed certificate on Windows 2012.

    • AllowUnencrypted="true" permits Basic credentials and command payloads to be sent over plain HTTP (TCP 5985). Set it only if you will not create the HTTPS listener described in the next steps; with an HTTPS listener it can stay at its default of false.

Next, follow the instructions for your version of Microsoft Windows Server.

Microsoft Windows Server 2012

Windows 2012 requires CA cert with EKU 1.3.6.1.5.5.7.3.1, Server Side authentication, OID to be included. Do NOT use the PowerShell command to create a self signed certificate.

If HTTPS is not enabled, then open Windows PowerShell console as an administrator, and run the following commands.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint of the CA-issued certificate>"}'

winrm quickconfig -transport:https

winrm enumerate winrm/config/listener

Proceed to Configure FortiSIEM Client.

Microsoft Windows Server 2012 R2

For Microsoft Windows Server 2012 R2, take the following steps.

  1. Configure a Certificate Signing Request (CSR) from your Windows 2012 R2 server.

  2. Obtain a CA SSL Certificate with a Server side authentication EKU OID.

  3. In PowerShell, run the following command:

    Import-Certificate -FilePath <path of ca certificate> -CertStoreLocation Cert:\LocalMachine\My

  4. From the output, record the thumbprint, for use in the next step. (Example output shown, with thumbprint in bold.)

    PS C:\Users\Administrator> Import-Certificate -FilePath C:\thisserver2.cer -CertStoreLocation Cert:\LocalMachine\My

       Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

    Thumbprint                                Subject
    ----------                                -------
    32525BCAC07E59E5321D297F96A94608421EDA71  CN=thisserver, OU=it, O=fortinet, L=sunnyvale, S=california, C=US

    The thumbprint is the 40-character hexadecimal string in the first column.
    
  5. Run the following commands:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint recorded from Import-Certificate in step 4>"}'

    winrm quickconfig -transport:https

    winrm enumerate winrm/config/listener

  6. To configure FortiSIEM Client (Supervisor or Collector), run the following command.

    pip3 install pywinrm

Microsoft Windows Server Earlier than 2012, or 2016 and Later

If HTTPS is not enabled, then open Windows PowerShell console as an administrator, and run the following commands:

Note: Single quotes are needed for Windows 2016 and later.

New-SelfSignedCertificate -Subject 'CN=<windows host name>' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<windows host name>"; CertificateThumbprint="<thumbprint returned by New-SelfSignedCertificate>"}'

winrm quickconfig -transport:https

winrm enumerate winrm/config/listener

Next, proceed to Configure FortiSIEM Client.

Configure FortiSIEM Client

To configure FortiSIEM Client (Supervisor or Collector), run the following command.

pip install pywinrm
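
Put together, the server-side steps above amount to the following script, which is an added example and not part of the FortiSIEM guide. It differs from the step list in one deliberate way: it keeps AllowUnencrypted at false and opens only TCP 5986 to the collector, so Basic authentication is only ever offered inside TLS. The host name and collector address are assumptions; the certificate is self-signed (Server 2012 needs a CA-issued one, as noted above), and the local trust-store import at the end exists only so the verification on the same host succeeds. Whatever trusts the certificate on the FortiSIEM side must be configured there as well.

```powershell
# Added example, not from the FortiSIEM guide. Builds an HTTPS-only WinRM
# listener for Windows Server 2016 and later and verifies it. Run elevated.
# Assumptions: host FQDN and collector IP are placeholders.
$HostFqdn    = 'srv01.corp.example.com'   # assumption
$CollectorIp = '10.10.20.5'               # assumption: FortiSIEM supervisor/collector

# 1. Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1) in the machine store.
$Cert = New-SelfSignedCertificate -Subject "CN=$HostFqdn" -DnsName $HostFqdn `
    -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1' -CertStoreLocation Cert:\LocalMachine\My

# 2. Base WinRM setup, then replace any existing HTTPS listener with one bound to the new certificate.
winrm quickconfig -quiet
Get-ChildItem WSMan:\localhost\Listener | Where-Object Keys -contains 'Transport=HTTPS' | Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -HostName $HostFqdn `
    -CertificateThumbprint $Cert.Thumbprint -Force | Out-Null

# 3. pywinrm uses Basic by default; allow it, but only inside TLS.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 4. Open 5986 to the collector only; the HTTP port 5985 stays closed.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (FortiSIEM)' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $CollectorIp -Action Allow | Out-Null

# 5. Trust the self-signed certificate locally so the check below can validate it.
$Tmp = Join-Path $env:TEMP 'winrm-https.cer'
Export-Certificate -Cert $Cert -FilePath $Tmp | Out-Null
Import-Certificate -FilePath $Tmp -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $Tmp

# 6. Verify: listener present, service answers over TLS, HTTP not allowed unencrypted.
winrm enumerate winrm/config/listener
Test-WSMan -ComputerName $HostFqdn -UseSSL -Port 5986
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
```

From the FortiSIEM side, pywinrm must then be pointed at https://<host>:5986 with certificate validation configured to trust this certificate; disabling validation would reintroduce the credential-exposure risk that the HTTPS listener was created to remove.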

WMI/OMI Configuration

These configurations are needed if you are using either WMI or OMI to monitor Windows Servers.

WMI/OMI Configuration for Windows 2012, 2012 R2, 2016, 2019, 2022, Windows 10, 11

You must create a user with sufficient permissions to access WMI objects. FortiSIEM uses this account for discovery and monitoring. There are two cases: a user in the Domain or Local Administrators group, or a generic user with only the group memberships listed below.

The two accounts differ in which WMI classes they can read (see Capability Difference between Domain/Local Administrator Users and Generic Users). Because the credential is stored on FortiSIEM and used against every monitored host, prefer the generic user wherever the classes it can read are sufficient; a Domain Admins account used for monitoring is a high-value target if the collector or its credential store is compromised.

Create a User Belonging to the Domain or Local Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Create a User Belonging to Domain or Local Administrator Group
  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select New > User.
  3. Create a new user.
  4. Right-click Domain Admins in Users and select Properties.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. Click Advanced > Find Now, and add the user you created in step 3.
  7. Click OK to close the User select dialog.
  8. Click OK to close the Domain Admins Properties dialog.
Step 2: Enable DCOM Permissions for the New User

Log in to the machine you want to monitor with an administrator account.

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups (see Step 1 of Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)).
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1 of Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group).
  13. Click OK.
Step 3: Enable Account Privileges in WMI for the New User

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. If the user is not present, then click Add to add the user you created.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Applies onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.
Step 4: Allow WMI through Windows Firewall
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 5: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration. Note that in Windows 10 and Windows 11, it may be disabled by default and you need to enable it.

Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Log in to the machine you want to monitor with an administrator account.

Step 1. Create a New User Belonging to Distributed COM Users, Remote Management Users and Performance Monitor Users Groups
  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Select this user and right-click to select Properties > Member of tab.
  5. Click Add > Advanced > Find Now.
  6. Select and add the following groups:
    • Distributed COM Users group.
    • Performance Monitor Users group.
    • Remote Management Users group.

      Note: To select multiple groups, hold down the CTRL key and click the desired groups.

  7. Click OK to save.
Step 2: Add the User to Log Reader Group

To configure the non-administrative user to monitor windows event logs, follow the steps below:

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
  2. Right-click the non-admin user and select Properties.
  3. Select the Member of tab.
  4. Select the group Event Log Reader and click Add.
  5. Click Apply.
  6. Click OK to complete the configuration.
Step 3. Enable DCOM Permissions for the New User
  1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer.
  2. Right-click My Computer, and then Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1.
  14. Click OK.
Step 4: Enable Access to Win32_Service Class

To give this user read access to Win32_Service, run the following command with administrator privileges on the Windows host from a cmd.exe prompt:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

From a PowerShell prompt, call sc.exe explicitly (in Windows PowerShell, sc is an alias for Set-Content) and enclose the security descriptor in double quotes so that the parentheses and semicolons are passed through unchanged.

See Reference: https://stackoverflow.com/questions/3917477/granting-remote-user-non-admin-the-ability-to-enumerate-services-in-win32-serv/4432737#4432737
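The security descriptor in the command above is easier to review when decoded. The following PowerShell script is an added example, not part of this guide or of FortiSIEM: it saves the SCMANAGER descriptor currently in force so it can be restored, then decodes both that descriptor and the one above into per-principal rights using the SC_MANAGER_* meaning of the SDDL right codes. It assumes an elevated PowerShell prompt on the monitored host; the backup file path is an arbitrary choice.

```powershell
# Added example (not from the FortiSIEM guide). Run in an elevated PowerShell prompt on the host.

# SDDL right codes as they apply to the Service Control Manager object. The two-letter codes are
# the same ones SDDL uses for files and registry keys; only the object-specific meaning differs.
$ScmRights = @{
    CC = 'SC_MANAGER_CONNECT'
    DC = 'SC_MANAGER_CREATE_SERVICE'
    LC = 'SC_MANAGER_ENUMERATE_SERVICE'
    SW = 'SC_MANAGER_LOCK'
    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'
    WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    RC = 'READ_CONTROL'
    WD = 'WRITE_DAC'
    WO = 'WRITE_OWNER'
    SD = 'DELETE'
    KA = 'SC_MANAGER_ALL_ACCESS (full control)'
    GA = 'GENERIC_ALL'
}
# Well-known SID abbreviations seen in SCM descriptors; anything else is printed as the raw SID
$Trustees = @{
    AU = 'Authenticated Users'; IU = 'Interactive Users'; SU = 'Service logon accounts'
    SY = 'LOCAL SYSTEM'; BA = 'BUILTIN\Administrators'; WD = 'Everyone'; AC = 'All application packages'
}
$AceTypes = @{ A = 'Allow'; D = 'Deny'; AU = 'Audit' }
$AceFlags = @{ OI = 'ObjectInherit'; CI = 'ContainerInherit'; IO = 'InheritOnly'; SA = 'AuditSuccess'; FA = 'AuditFailure' }

function Expand-Codes {
    # Split a run of two-letter codes such as 'CCLCRPRC' and translate each one through a lookup
    # table, keeping the raw code when it is unknown so that nothing is silently dropped.
    param([string] $Run, [hashtable] $Map)
    foreach ($m in [regex]::Matches($Run, '..')) {
        if ($Map.ContainsKey($m.Value)) { $Map[$m.Value] } else { $m.Value }
    }
}

function ConvertFrom-ScmSddl {
    # Decode 'D:(...)(...)S:(...)' into one record per ACE.
    # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
    param([Parameter(Mandatory)] [string] $Sddl)
    foreach ($section in [regex]::Matches($Sddl, '(?<kind>[DS]):(?<aces>(?:\([^)]*\))+)')) {
        $acl = if ($section.Groups['kind'].Value -eq 'D') { 'DACL' } else { 'SACL' }
        foreach ($ace in [regex]::Matches($section.Groups['aces'].Value, '\(([^)]*)\)')) {
            $f = $ace.Groups[1].Value -split ';'
            $type    = if ($AceTypes.ContainsKey($f[0])) { $AceTypes[$f[0]] } else { $f[0] }
            $trustee = if ($Trustees.ContainsKey($f[5])) { $Trustees[$f[5]] } else { $f[5] }
            [pscustomobject]@{
                Acl     = $acl
                Type    = $type
                Flags   = (Expand-Codes -Run $f[1] -Map $AceFlags) -join ','
                Trustee = $trustee
                Rights  = (Expand-Codes -Run $f[2] -Map $ScmRights) -join ', '
            }
        }
    }
}

# The descriptor that the sc sdset command on this page applies
$ProposedSddl = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# 1. Keep the descriptor currently in force; sc.exe sdset SCMANAGER "<saved string>" restores it
$line = sc.exe sdshow SCMANAGER | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
if (-not $line) { throw 'sc.exe sdshow returned no descriptor; run from an elevated prompt' }
$CurrentSddl = $line.Trim()
Set-Content -Path "$env:TEMP\scmanager-sddl.bak" -Value $CurrentSddl   # backup location is arbitrary

# 2. Decode both. In the proposed DACL, Authenticated Users receive CONNECT, ENUMERATE_SERVICE,
#    QUERY_LOCK_STATUS and READ_CONTROL (read-only, which is what listing services through
#    Win32_Service needs); LOCAL SYSTEM additionally gets MODIFY_BOOT_CONFIG; Administrators keep
#    full control; the SACL audits failed full-control attempts by Everyone. Compare with the
#    current entries before applying, so that nothing the host relies on disappears.
'--- current SCMANAGER descriptor ---'
ConvertFrom-ScmSddl -Sddl $CurrentSddl | Format-Table -AutoSize
'--- proposed descriptor from this page ---'
ConvertFrom-ScmSddl -Sddl $ProposedSddl | Format-Table -AutoSize
```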

Step 5. Enable WMI Account Privileges for the New User

See the Enable Account Privileges in WMI for the New User section in Create a User Belonging to the Domain or Local Administrator Group for setup instructions to configure WMI.

Step 6: Allow WMI through Windows Firewall
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow apps to communicate through Windows Defender Firewall.
  3. Click Change settings.
  4. Locate Windows Management Instrumentation (WMI), and click the checkbox to enable your connected networks.
  5. Locate Windows Remote Management, and click the checkbox to enable your connected networks.
  6. Locate Windows Remote Management (Compatibility), and click the checkbox to enable your connected networks.
  7. Click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 7: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration. Note that in Windows 10 and Windows 11, it may be disabled by default and you need to enable it.

Capability Difference between Domain/Local Administrator Users and Generic Users

Windows allows certain WMI classes to be queried only by an Administrator account. The following table shows which classes each type of account can access.

WMI Class                                               Administrator   Non-Administrator
Win32_BIOS                                              Yes             No
Win32_ComputerSystem                                    Yes             Yes
Win32_LogicalDisk                                       Yes             No
Win32_NetworkAdapter                                    Yes             Yes
Win32_NetworkAdapterConfiguration                       Yes             Yes
Win32_NTLogEvent                                        Yes             Yes
Win32_OperatingSystem                                   Yes             Yes
Win32_Process                                           Yes             Yes
Win32_Processor                                         Yes             Yes
Win32_Product                                           Yes             Yes
Win32_QuickFixEngineering                               Yes             No
Win32_Service                                           Yes             Yes
Win32_UserAccount                                       Yes             No
Win32_Volume                                            Yes             Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer           Yes             Yes
Win32_PerfFormattedData_DNS_DNS                         Yes             Yes
Win32_PerfFormattedData_W3SVC_WebService                Yes             Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices   Yes             Yes
Win32_PerfRawData_NTDS_NTDS                             Yes             Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                  Yes             Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                 Yes             Yes
Win32_PerfRawData_PerfOS_Memory                         Yes             Yes
Win32_PerfRawData_PerfOS_PagingFile                     Yes             Yes
Win32_PerfRawData_PerfOS_Processor                      Yes             Yes
Win32_PerfRawData_PerfProc_Process                      Yes             Yes
Win32_PerfRawData_Tcpip_NetworkInterface                Yes             Yes
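To confirm what a specific monitoring account can actually read on a given host, the following PowerShell function is an added example (not FortiSIEM's code) that applies to this table and to the corresponding table for Windows 2008 later on this page. It opens a CIM session as that account and queries each class listed; the host name and account in the example call are constructed placeholders, and the function is run from an administrative workstation, not from FortiSIEM.

```powershell
function Test-MonitoringWmiAccess {
    # Query each class from the capability table on this page through a CIM session opened
    # as the monitoring account, and report what that account can read on the target host.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,                 # monitored host (FQDN or IP)
        [Parameter(Mandatory)] [pscredential] $Credential,             # the generic monitoring account under test
        [ValidateSet('Dcom', 'Wsman')] [string] $Protocol = 'Dcom'    # Dcom = classic WMI path (TCP 135 + RPC)
    )

    # The classes from the capability table
    $classes = @(
        'Win32_BIOS', 'Win32_ComputerSystem', 'Win32_LogicalDisk', 'Win32_NetworkAdapter',
        'Win32_NetworkAdapterConfiguration', 'Win32_NTLogEvent', 'Win32_OperatingSystem',
        'Win32_Process', 'Win32_Processor', 'Win32_Product', 'Win32_QuickFixEngineering',
        'Win32_Service', 'Win32_UserAccount', 'Win32_Volume',
        'Win32_PerfFormattedData_DHCPServer_DHCPServer', 'Win32_PerfFormattedData_DNS_DNS',
        'Win32_PerfFormattedData_W3SVC_WebService',
        'Win32_PerfRawData_DirectoryServices_DirectoryServices', 'Win32_PerfRawData_NTDS_NTDS',
        'Win32_PerfRawData_PerfDisk_LogicalDisk', 'Win32_PerfRawData_PerfDisk_PhysicalDisk',
        'Win32_PerfRawData_PerfOS_Memory', 'Win32_PerfRawData_PerfOS_PagingFile',
        'Win32_PerfRawData_PerfOS_Processor', 'Win32_PerfRawData_PerfProc_Process',
        'Win32_PerfRawData_Tcpip_NetworkInterface'
    )

    $option  = New-CimSessionOption -Protocol $Protocol
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                              -SessionOption $option -ErrorAction Stop
    try {
        foreach ($class in $classes) {
            $status = ''; $detail = ''
            try {
                # Ask for one instance only (Win32_Product and Win32_NTLogEvent are slow to enumerate
                # fully). Some providers answer a non-admin with an empty result instead of an error,
                # so an empty answer is reported separately from an explicit denial.
                $first = @(Get-CimInstance -CimSession $session -ClassName $class -ErrorAction Stop |
                           Select-Object -First 1)
                if ($first.Count -gt 0) { $status = 'Yes' }
                else { $status = 'Empty'; $detail = 'no instances returned (provider denied the account, or nothing to report)' }
            } catch {
                # Distinguish a permission problem from a class that is simply not installed:
                # the DHCP, DNS, IIS and AD counter classes exist only when that role is present
                switch ("$($_.Exception.NativeErrorCode)") {
                    'AccessDenied' { $status = 'No';    $detail = 'access denied' }
                    'InvalidClass' { $status = 'n/a';   $detail = 'class not present (role not installed)' }
                    default        { $status = 'Error'; $detail = $_.Exception.Message }
                }
            }
            [pscustomobject]@{ Class = $class; Readable = $status; Detail = $detail }
        }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Constructed example values; compare the Readable column with the Non-Administrator column above.
# Test-MonitoringWmiAccess -ComputerName 'winsrv01.example.local' `
#     -Credential (Get-Credential -UserName 'EXAMPLE\fsm-monitor' -Message 'monitoring account') |
#     Format-Table -AutoSize
```

A class that reads Yes here but No in the table (or the reverse) usually points at the DCOM or CIMV2 namespace permissions from the preceding steps rather than at the class itself.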

WMI/OMI Configuration for Windows 2008 and 2008 R2

You must create a user with sufficient permissions to access WMI objects. There are two cases.

  1. Create a New User Belonging to Domain or Local Administrator Group
  2. Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Note the difference in capabilities between these two users, described in the section:

Capability Difference between Domain/Local Administrator Users and Generic Users

Create a New User Belonging to Domain or Local Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Create a New User and Add the User to Domain or Local Administrator Group
  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you just created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.
Step 2: Enable DCOM Permissions for the New User

Log in to the machine you want to monitor with an administrator account.

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Step 3: Enable WMI Account Privileges for the New User

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.
Step 4: Allow WMI to Connect Through the Windows Firewall

Follow the appropriate instructions per your software.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
  7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 5: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration.

Create a Generic User (Not Belonging to Highly Privileged Domain Administrator Group)

Log in to the machine you want to monitor with an administrator account.

Step 1. Create a New User Belonging to Distributed COM Users and Performance Monitor Users Groups
  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Select this user and right-click to select Properties > Member of tab.
  5. Select Distributed COM Users and click Add.
  6. Click OK to save.
    This is the account you must use to set up the Performance Monitor Users group permissions.
  7. Repeat steps 4 through 6 for the Performance Monitor Users group.
Step 2: Add the User to Log Reader Group

To configure the non-administrative user to monitor windows event logs, follow the steps below:

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
  2. Right-click the non-admin user and select Properties.
  3. Select the Member of tab.
  4. Select the group Event Log Reader and click Add.
  5. Click Apply.
  6. Click OK to complete the configuration.
Step 3. Enable DCOM Permissions for the New User
  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Step 4: Enable WMI Account Privileges for the New User

See the Enable WMI Account Privileges for the New User section in the Create a New User Belonging to Domain or Local Administrator Group instructions to configure WMI.

Step 5: Allow WMI through Windows Firewall (Windows 2003 or Windows Server 2008, 2012)
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
  7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Step 6: Make sure WinRM Service is Running

For information on configuring WinRM, see WinRM Configuration.

Capability Difference between Domain/Local Administrator Users and Generic Users

Windows allows certain WMI classes to be queried only by an Administrator account. The following table shows which classes each type of account can access.

WMI Class                                               Administrator   Non-Administrator
Win32_BIOS                                              Yes             No
Win32_ComputerSystem                                    Yes             Yes
Win32_LogicalDisk                                       Yes             No
Win32_NetworkAdapter                                    Yes             Yes
Win32_NetworkAdapterConfiguration                       Yes             Yes
Win32_NTLogEvent                                        Yes             Yes
Win32_OperatingSystem                                   Yes             Yes
Win32_Process                                           Yes             Yes
Win32_Processor                                         Yes             Yes
Win32_Product                                           Yes             Yes
Win32_QuickFixEngineering                               Yes             No
Win32_Service                                           Yes             No
Win32_UserAccount                                       Yes             No
Win32_Volume                                            Yes             Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer           Yes             Yes
Win32_PerfFormattedData_DNS_DNS                         Yes             Yes
Win32_PerfFormattedData_W3SVC_WebService                Yes             Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices   Yes             Yes
Win32_PerfRawData_NTDS_NTDS                             Yes             Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                  Yes             Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                 Yes             Yes
Win32_PerfRawData_PerfOS_Memory                         Yes             Yes
Win32_PerfRawData_PerfOS_PagingFile                     Yes             Yes
Win32_PerfRawData_PerfOS_Processor                      Yes             Yes
Win32_PerfRawData_PerfProc_Process                      Yes             Yes
Win32_PerfRawData_Tcpip_NetworkInterface                Yes             Yes

Kerberos Configuration for OMI

If the Windows Server to be monitored using OMI is part of a Windows domain that uses Kerberos authentication, then you need to take two steps:

  1. Add IP to Windows Server name mapping (PTR record) to Windows DNS Server.
  2. Add Windows DNS Server name to the list of resolvers in FortiSIEM Collector.

These steps are needed because FortiSIEM communicates with the server by IP address, while OMI with Kerberos needs the host name (FQDN).

Windows DNS Server Configuration
  1. Log into your Windows DNS server with an admin account.
  2. Find Windows Server DNS Manager.
  3. Navigate to Forward Lookup under DNS Zones, and locate your DNS domain.
  4. Under your DNS domain, locate the host name (A records) for each server you are monitoring via OMI and make sure the IP address is correct.
  5. Under Reverse Lookup Zones, look up the zone corresponding to your subnet. Add a PTR record for each server you are monitoring via OMI.
FortiSIEM Collector Configuration
  1. Open the file /etc/resolv.conf.
  2. Add Windows DNS Server name to the list of resolvers.

    [admin@FSM-User]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    ...
    nameserver <Windows DNS Server IP> 
    ...
  3. Save.
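The PTR requirement can be verified before the first OMI discovery is attempted. The following PowerShell function is an added example, not part of this guide: for each monitored IP it asks the Windows DNS server for the PTR record and then checks that the returned FQDN resolves back to the same IP, which is the round trip the Kerberos path depends on. The addresses in the example call are constructed placeholders; run it from any Windows host that has the DnsClient module (Resolve-DnsName).

```powershell
function Test-OmiKerberosNaming {
    # For every monitored IP: PTR lookup on the Windows DNS server, then an A lookup of the name
    # the PTR returned, and a check that the forward answer contains the original IP. Kerberos
    # builds the service principal name from the host name, so an IP without a PTR, or a PTR whose
    # name resolves elsewhere, is exactly the condition that makes OMI authentication fail.
    param(
        [Parameter(Mandatory)] [string[]] $MonitoredIp,   # addresses FortiSIEM uses to reach the Windows hosts
        [Parameter(Mandatory)] [string]   $DnsServer      # the Windows DNS server added to /etc/resolv.conf
    )
    foreach ($ip in $MonitoredIp) {
        $fqdn = $null; $forward = @()
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer is the server's own
            $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
            $fqdn = ($ptr | Where-Object NameHost | Select-Object -First 1).NameHost
            if (-not $fqdn) { throw 'PTR query returned no host name' }
            $forward = @(Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
                         Where-Object IPAddress | ForEach-Object IPAddress)
            $status = if ($forward -contains $ip) { 'OK' } else { 'forward A record does not point back to this IP' }
        } catch {
            $status = if (-not $fqdn) { 'no PTR record: add one in the Reverse Lookup Zone' } else { "forward lookup of $fqdn failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ IP = $ip; FQDN = $fqdn; ForwardIPs = ($forward -join ', '); Status = $status }
    }
}

# Constructed example values
# Test-OmiKerberosNaming -MonitoredIp '10.0.10.21', '10.0.10.22' -DnsServer '10.0.0.5' | Format-Table -AutoSize
```

On the Collector itself the same two lookups can be repeated with dig or nslookup against the nameserver entry added above.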

SNMP Configuration

Enabling SNMP on Windows Server 2012 R2, Server 2016, Server 2019, Server 2022

SNMP is typically enabled by default on Windows Server 2012 R2, Server 2016, and Server 2019. But you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First, you should check that SNMP Services have been enabled for your server.

  1. Log in as an administrator to the Windows 2016 Server where you want to enable SNMP.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. The Add Roles and Features Wizard will open automatically.
  5. Select Role-based or feature-based installation. Click Next until the Features option appears.
  6. Under Features, see if SNMP Services is installed.

    If not, check the checkbox before the SNMP Service and click Next to install the service.

  7. From the Start menu, select Services. Go to Services > SNMP Services.
  8. Select and open SNMP Service.
  9. Click the Security tab.
  10. Select Send authentication trap.
  11. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  12. Select Accept SNMP packets from these hosts.
  13. Click Add.
  14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  15. Click Add.
  16. Click Apply.
  17. Under SNMP Service, click Restart service.
  18. Go to Control Panel > Windows Firewall.
  19. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  20. Select SNMP Service, and then click OK.
Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.
    If not, click Add Feature, then select SNMP Service and click Next to install the service.
  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.
  16. Go to Control Panel > Windows Firewall.
  17. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  18. Select SNMP Service, and then click OK.
Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.
    Make sure that Simple Network Management Tool is selected.
    If it isn't selected, select it, and then click Next to install.
  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.
  16. Go to Control Panel > Windows Firewall.
  17. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  18. Select SNMP Service, and then click OK.
Security Audit Policy Configuration

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM.

  1. Log in to the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.
    You will see the current security audit settings.
  4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:
    • Audit account logon events and Audit logon events: for auditing logon activity. Setting: Select Success and Failure.
    • Audit object access events: for auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, File Auditing Policy Configuration. Setting: Select Success and Failure.
    • Audit system events: includes system up/down messages.

File Auditing Policy Configuration

When you enable the policy to audit object access events, you also must specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

  1. Log in to the machine where you want to set the policy with administrator privileges.
    On a domain computer, a Domain administrator account is needed.
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
  3. In the Security tab, click Advanced.
  4. Select the Auditing tab, and then click Add.
    This button is labeled Edit in Windows 2008.
  5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
  6. Click OK when you are done adding users.
  7. In the Permissions tab, set the permissions for each user you added.

The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.

Disabling Audit Token Right Adjusted Success Events

Microsoft recommends disabling "Success" auditing for "Audit Token Right Adjusted".

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

With "Success" auditing enabled for Audit Token Right Adjusted (under Detailed Tracking), more than 800 events (Event ID 4703) can be generated per second, and this event volume impacts system performance.

Complete these steps to disable "Success" for "Audit Token Right Adjusted".

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
  4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
  5. Double-click Audit Token Right Adjusted, and select the Configure the following audit events checkbox.
  6. Clear the Success checkbox to disable Success auditing.
  7. Click Apply.
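The audit settings recommended in this section and in Security Audit Policy Configuration can be checked from the command line. The following PowerShell script is an added example, not from this guide: it reads the effective policy with auditpol /get /r and reports, per subcategory, whether the Account Logon, Logon/Logoff and Object Access categories audit Success and Failure and whether Token Right Adjusted Events has Success auditing turned off; the remediation function is the auditpol /set equivalent of the seven steps above. Run it from an elevated PowerShell prompt on the host you configured.

```powershell
# Added example (not from the FortiSIEM guide). Run from an elevated PowerShell prompt.

# The legacy policy names used on this page correspond to these auditpol categories. Setting a
# legacy category to Success and Failure sets every subcategory beneath it, so the check is made
# per subcategory; a subcategory that was deliberately narrowed in Advanced Audit Policy shows
# up here as non-compliant and can be reviewed individually.
$Expected = @(
    [pscustomobject]@{ Kind = 'Category';    Name = 'Account Logon';               Want = 'Success and Failure' }  # Audit account logon events
    [pscustomobject]@{ Kind = 'Category';    Name = 'Logon/Logoff';                Want = 'Success and Failure' }  # Audit logon events
    [pscustomobject]@{ Kind = 'Category';    Name = 'Object Access';               Want = 'Success and Failure' }  # Audit object access events
    [pscustomobject]@{ Kind = 'Subcategory'; Name = 'Token Right Adjusted Events'; Want = 'Success disabled' }     # Event ID 4703 volume
)

function Get-AuditSetting {
    # 'auditpol /get ... /r' prints CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    param([string] $Kind, [string] $Name)
    $selector = if ($Kind -eq 'Category') { "/category:$Name" } else { "/subcategory:$Name" }
    auditpol.exe /get $selector /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Test-RecommendedAuditPolicy {
    foreach ($e in $Expected) {
        foreach ($row in Get-AuditSetting -Kind $e.Kind -Name $e.Name) {
            $have = $row.'Inclusion Setting'   # 'No Auditing', 'Success', 'Failure' or 'Success and Failure'
            $ok = if ($e.Want -eq 'Success disabled') { $have -notmatch 'Success' } else { $have -eq $e.Want }
            [pscustomobject]@{
                Category    = $e.Name
                Subcategory = $row.Subcategory
                Configured  = $have
                Recommended = $e.Want
                Compliant   = $ok
            }
        }
    }
}

function Disable-TokenRightAdjustedSuccess {
    # Command-line equivalent of steps 1 to 7 above; run only after reviewing the report
    auditpol.exe /set "/subcategory:Token Right Adjusted Events" /success:disable
}

Test-RecommendedAuditPolicy | Format-Table -AutoSize
```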

Syslog Configuration

See the Windows Agent Installation Guide for information on configuring the sending of syslog from your device to FortiSIEM.

Sample Windows Server Syslog

<108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: example-admin

Print Log Configuration

FortiSIEM supports pulling Windows print logs through the Windows Agent. To configure this, take the following steps.

Enabling Print Logging after WMI Configuration

After the WMI configuration is complete, enable print logging by taking the following steps.

  1. Open the Event Viewer window and navigate to Applications and Services Logs > Microsoft > Windows > PrintService.
  2. Click Operational.
  3. Right click, and select Properties.
  4. Add a checkmark to the Enable logging checkbox.
  5. Click Apply.
  6. Click OK.

    All print activity will now be logged and can be collected through WMI. The events can be viewed in Event Viewer under Applications and Services Logs > Microsoft > Windows > PrintService > Operational.
Setup in FortiSIEM

Take the following steps to access print logs in FortiSIEM.

  1. Log on to your Windows Server and navigate to Event Viewer > Applications and Services Logs > Microsoft > Windows > PrintService, then open Properties.
  2. Copy the full name from log properties.
  3. Log on to FortiSIEM in the Super/Global organization.
  4. Navigate to ADMIN > Setup > Windows Agent.
  5. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  6. In the Name field, enter a name for the template.
  7. Click the Event tab.
  8. In the Event Log row, click on New.
  9. In the Type drop-down list, select Other.
  10. In the Event Name field, enter/paste the full name from step 2.
  11. Click < Save.
  12. Click Save.
  13. Under Host to Template Associations, create a host to template association by clicking New.
  14. In the Name field, enter a name.
  15. Choose an organization.
  16. Select the monitor template you created through steps 5-12.
  17. Select a collector.
  18. Click Save.
  19. Click Apply.

FortiSIEM now automatically parses events received via WMI or FortiSIEM Windows Agent.

Setting Access Credentials on FortiSIEM

Navigate to ADMIN > Setup > Credentials, and in Step 1: Enter Credentials, click New to create a new Access Credential.

After the credential has been created, navigate to Step 2: Enter IP Range to Credential Associations, and click New to create a mapping for the newly created Access Credential.

For general information on setting credentials see Setting Credentials. Specific Access Credentials settings are available here.

SNMP, Telnet and SSH Access Credentials

See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol LDAP / LDAPS / LDAP Start TLS
Used For OpenLDAP
Server Port

Default - 3268 (Global Catalog port) for LDAP, LDAP Start TLS; 3269 (Global Catalog port) for LDAPS.

or

389 for LDAP, LDAP Start TLS; 636 for LDAPS.

Note: The Global Catalog ports, when used, perform much better than the standard LDAP ports, but not all LDAP attributes may be present by default in the Global Catalog service.

Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
Password Config See Password Configuration in Access Credentials.
User Name For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
Password Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol LDAP / LDAPS / LDAP Start TLS
Used For Microsoft Active Directory
Server Port

Default - 3268 (Global Catalog port) for LDAP, LDAP Start TLS; 3269 (Global Catalog port) for LDAPS.

or

389 for LDAP, LDAP Start TLS; 636 for LDAPS.

Note: The Global Catalog ports, when used, perform much better than the standard LDAP ports, but not all LDAP attributes may be present by default in the Global Catalog service.

Base DN Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name For Microsoft Active Directory, the user name can be just the login name.
Password Password of the user able to access this system

WMI Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol WMI
Pull Interval 1 minute
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name Name of the user able to access this system
Password Password of the user able to access this system

OMI Access Credentials
Settings Value
Name <set name>
Device Type Microsoft Windows Server *
Access Protocol OMI

Authentication

Select "ntlm auth" or "kerberos auth". If FIPS is enabled, kerberos auth is required for FIPS to work. Kerberos authentication requires the following fields to be entered:

  • kerberos-AD-Server: Enter the fully qualified domain name or IP address of the Kerberos Active Directory server. See Kerberos Configuration for more information.

  • kerberos-domain: Enter the full Kerberos domain name.

Pull Interval 1 minute
NetBIOS/Domain The domain name or NetBIOS name attribute
Password Config See Password Configuration in Access Credentials.
User Name Name of the user able to access this system
Password Password of the user able to access this system