HP Integrity rx8620 HP Insight Management WBEM Providers on Integrity Servers - Page 17

Security

5 Security

Security is a major concern and one of the primary reasons to switch from SNMP Agent-based server management to Insight Provider-based server management. The HP Insight Management WBEM Providers for Windows use Windows-based authentication for local and remote access to server management data.

Implementation

The Insight Providers for Windows are implemented as a set of Windows Management Instrumentation (WMI) providers. The access control is in the form of standard Windows account level access restrictions.

An administrator account has sufficient rights and security group memberships to access the Insight Provider management information for both local and remote access.

For a standard user account, there are two considerations for configuring security in order to access WMI information from the Insight Providers:
• WMI namespace security
• Distributed COM user group membership

A standard user account needs security configurations to remotely access the Insight Provider management information on a remote server. For more information, see "Security requirements for the Insight Providers" (page 11).

WMI namespace security settings govern access to WMI information. Windows user accounts can be allowed or denied specific privileges per WMI namespace. For more information on namespace security, see Access to WMI Namespaces (http://msdn2.microsoft.com/en-us/library/aa822575.aspx).

Only standard users who belong to the Distributed COM Users group can remotely connect to WMI and access management information. Administrators are in this group by default. Non-administrator users must be added to the Distributed COM Users group for remote WMI connectivity. For more information on this topic, see Connecting to WMI on a Remote Computer (http://msdn2.microsoft.com/en-us/library/aa389290.aspx).

Best Practices

According to the principle of least privilege, HP recommends you use a low rights user account (nonadministrator) to perform most read-only management tasks. Use of certain Insight Provider functionality always requires an administrator level account. An example of this is a method to reboot the system. This user does not need to be an administrator of the managed system and does not need logon rights. HP recommends that the domain administrator creates a special purpose domain account.

Configuring Insight Provider Security for a User Account via the Windows® Command Line

The following procedure provides access rights to allow a standard user account to view most management information. However, you must use an administrator account to perform some management tasks, such as rebooting a server.

To configure a domain user or local user (non-administrator) account for remote management:
1. Open a Command Prompt window.
2. Change to the \Program Files\HPWBEM\Tools folder of the system drive.
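
A way to audit a monitoring account against the two requirements and the least-privilege recommendation above, using standard Windows PowerShell cmdlets. This is an added example, not HP's tool or code from this guide. The account name and the WMI namespace are operator-supplied placeholders; this page does not name the namespace the Insight Providers use.

```powershell
# Added example (not from the HP guide). Run elevated on the managed server,
# in Windows PowerShell 5.1. Both parameters are supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Account,    # e.g. 'EXAMPLE\svc-monitor' (constructed name)
    [Parameter(Mandatory)] [string] $Namespace   # WMI namespace hosting the providers (placeholder)
)

# WMI namespace access-right bits (WBEM_* constants from the WMI SDK).
$Rights = [ordered]@{
    EnableAccount = 0x1;     ExecuteMethods = 0x2;  FullWrite    = 0x4
    PartialWrite  = 0x8;     ProviderWrite  = 0x10; RemoteEnable = 0x20
    ReadSecurity  = 0x20000; EditSecurity   = 0x40000
}
$ReadOnly   = $Rights.EnableAccount -bor $Rights.RemoteEnable -bor $Rights.ReadSecurity
$RemoteRead = $Rights.EnableAccount -bor $Rights.RemoteEnable

function Test-LocalGroupMember([string]$Group, [string]$Name) {
    # Direct members only; membership through a nested domain group is not resolved.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction Stop |
           Where-Object { $_.Name -ieq $Name })
}

# Consideration 1: Distributed COM Users membership (and no local admin rights).
$inDcom  = Test-LocalGroupMember 'Distributed COM Users' $Account
$inAdmin = Test-LocalGroupMember 'Administrators' $Account

# Consideration 2: rights granted to the account on the namespace security descriptor.
$sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }

$allow = 0; $deny = 0
foreach ($ace in $sd.Descriptor.DACL) {
    # Only ACEs naming the account itself; rights inherited from groups are not evaluated.
    if (('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name) -ine $Account) { continue }
    if ($ace.AceType -eq 0) { $allow = $allow -bor $ace.AccessMask }   # access allowed
    if ($ace.AceType -eq 1) { $deny  = $deny  -bor $ace.AccessMask }   # access denied
}
$effective = $allow -band (-bnot $deny)

[pscustomobject]@{
    Account                   = $Account
    DistributedComUser        = $inDcom
    LocalAdministrator        = $inAdmin
    DirectNamespaceRights     = ($Rights.Keys | Where-Object { $effective -band $Rights[$_] }) -join ', '
    DirectAceAllowsRemoteRead = ($effective -band $RemoteRead) -eq $RemoteRead
    ExceedsReadOnly           = $inAdmin -or (($effective -band (-bnot $ReadOnly)) -ne 0)
}
```

An account that matches the Best Practices recommendation reports DistributedComUser as True, LocalAdministrator as False and ExceedsReadOnly as False.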

