Remote Performance Monitor Access Without Administrator Credentials

[Editor's Note: Email your Windows 2000 or Windows NT security tips or solutions (400 words or less) to Reader to Reader at secadmin@win2000mag.com. We edit submissions for style, grammar, and length. If we print your contribution, you receive $100.]

Sometimes, users need remote Microsoft Performance Monitor capability on a server. For example, when you separate application and OS support, both support groups need performance-monitoring capability, but only one group needs administrative access to the OS.

By default, when nonadministrative users attempt to read remote server performance data, they receive the message "Computer name not found," which often results in "system broken" trouble tickets and unnecessary calls to the Help desk. To use Performance Monitor, users need registry access; for remote access, the system checks an ACL on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg subkey. If users don't have Read capability on this subkey, the system returns "Insufficient privilege," which results in the message "Computer name not found." (For more information about the Winreg registry subkey, see the Microsoft article "Clarification of the Winreg Operation in Windows NT" at http://support.microsoft.com/support/kb/articles/q186/4/33.asp.)

By default, administrators and backup operators have access to this registry subkey. If you need to grant other people remote Performance Monitor access, don't grant Read access to the Everyone group because this change can introduce security problems; users with this access can remotely access the entire registry based on individual key permissions. Instead, add a read entry to the ACL for a group (I use a local group called PerfMonAccess), then add trusted people to the group.

You can add entries to registry ACLs in many ways. Three common methods are

  • Through the Security, Permissions menu in regedt32.exe
  • With a Microsoft Windows NT Server 4.0 Resource Kit and Microsoft Windows 2000 Resource Kit tool called regini.exe (This tool lets you add entries only for built-in groups, such as Administrators and Everyone.)
  • With an NT Server 4.0 Resource Kit and Win2K Resource Kit tool called secadd.exe (Note that Microsoft replaced secadd.exe with subinacl.exe in the Win2K Resource Kit.)

Secadd.exe and subinacl.exe are handy because you can script the process and make the ACL permission change part of a server build. If you don't have the resource kits or want an easier method for setting the ACL on the Winreg registry subkey, I've written a command-line freeware utility called winregread.exe. You can download winregread.exe from the Code Library on the Security Administrator Web site (http://www.secadministrator.com). I designed the tool for use during the server-build process, so it works only on the local system on which it's running.

On my software depot server, I have an installation share with a folder called \perfmonaccess. That folder contains winregread.exe and a script that creates the PerfMonAccess local group and calls winregread.exe to apply Read permissions. I run this script on every system I build, so if I want to grant users Performance Monitor access, I just add their ID from any trusted domain to the PerfMonAccess group.
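
The build-time step described above, sketched in PowerShell as an added example; it is not the author's script and does not use winregread.exe. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets, which the Windows 2000 and NT systems in this article do not have) and an elevated session on the server being built. The group description text and the list of "broad" principals it warns about are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: create the PerfMonAccess local group and give it Read access
# on the Winreg subkey, warning if a broad group already has access there.

$GroupName = 'PerfMonAccess'   # group name used in the article
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# 1. Create the local group if this server does not have it yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName `
        -Description 'Read access to Winreg for remote Performance Monitor' | Out-Null
}

# 2. Read the current ACL and flag Allow entries for broad principals.
#    The article's warning: such an entry opens remote access to the whole
#    registry, limited only by individual key permissions.
$acl   = Get-Acl -Path $KeyPath
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'   # example list
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("{0} already has {1} on the Winreg subkey; review this entry." -f
            $_.IdentityReference.Value, $_.RegistryRights)
    }

# 3. Add a Read entry for the local group on this key only (no inheritance).
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    "$env:COMPUTERNAME\$GroupName",
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 4. Print the resulting ACL so the build log records who can read the key.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Granting a user remote Performance Monitor access then means adding the account to PerfMonAccess, and the table printed in step 4 gives a per-server record to compare against during later ACL reviews.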
