windows_exporter
Document needed user permissions
Due to my company's security policies we're supposed to start the windows_exporter service using a "service account" with reduced permissions. I cannot find documentation on which permissions a user would minimally need to run the exporter properly.
As an admin I'd like to know the proper permissions so we can set up a user correspondingly.
Hi @Knuspel, To the best of our knowledge, there isn't a permission set exposed by Windows which allows querying the APIs we use (primarily WMI and perflib). Perhaps your security team has some deeper knowledge about how to accomplish this, and if so we'd be very happy to have it added to the documentation!
For what it's worth, I am running the exporter as a Windows service account (e.g. NT Service\windows_exporter) that has been added to the local "Performance Monitor Users" group (found in Computer Management > Users and Groups > Groups).
I use a different name for the service (PrometheusWMIExporter), so it's a little different, but here's the PowerShell script I use to set this up.
$serviceName = "PrometheusWMIExporter"
$exeLocation = "E:\windows_exporter\windows_exporter.exe"
$collectorsEnabled = @(
    "system",
    "cpu",
    "memory",
    "os",
    "cs",
    "logical_disk",
    "mssql",
    "process"
)
# Create the service (the doubled quotes put a quoted exe path inside the binary path string)
New-Service -Name $serviceName `
    -Description "Prometheus Exporter for WMI" `
    -BinaryPathName """$exeLocation"" --log.format logger:eventlog?name=windows_exporter --telemetry.addr :9182 --collectors.enabled $($collectorsEnabled -join ',')"
# Run as a virtual service account (NT Service\<name>) instead of LocalSystem
C:\Windows\System32\sc.exe config $serviceName obj= "NT Service\$serviceName"
# Add the service account to the Performance Monitor Users group so it can read perflib counters
Add-LocalGroupMember -Group (Get-LocalGroup -Name "Performance Monitor Users") -Member "NT Service\$serviceName"
Start-Service $serviceName
So far, it works like a charm. :)
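As an added example (not from this thread or from the windows_exporter project), here is a PowerShell audit script that checks a deployed service against the least-privilege setup above: the service does not run as LocalSystem, its account is in "Performance Monitor Users" and not in "Administrators", and every enabled collector reports success on the metrics endpoint (a collector failing under a restricted account shows up there). The service name and port default to the values used in the script above; the metric name windows_exporter_collector_success is assumed.

```powershell
# Added example: audit a windows_exporter service for least-privilege setup.
# Assumptions: defaults below match the thread; metric name is assumed.
param(
    [string]$ServiceName = "PrometheusWMIExporter",
    [int]$MetricsPort = 9182
)

$findings = @()

# 1. The service must exist and must not run as the built-in SYSTEM account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
if ($account -in @("LocalSystem", "NT AUTHORITY\SYSTEM")) {
    $findings += "Service runs as LocalSystem; expected a virtual service account or gMSA"
}

# 2. The account must be in Performance Monitor Users and must not be a local admin.
#    String comparisons are case-insensitive, so "NT SERVICE\x" matches "NT Service\x".
$perfMembers  = (Get-LocalGroupMember -Group "Performance Monitor Users").Name
$adminMembers = (Get-LocalGroupMember -Group "Administrators").Name
if ($perfMembers -notcontains $account) { $findings += "$account is not in Performance Monitor Users" }
if ($adminMembers -contains $account)   { $findings += "$account is a member of Administrators" }

# 3. The metrics endpoint must answer and every enabled collector must succeed.
#    A line like windows_exporter_collector_success{collector="mssql"} 0 usually
#    means the restricted account lacks a right that collector needs.
try {
    $resp = Invoke-WebRequest -Uri "http://localhost:$MetricsPort/metrics" -UseBasicParsing -TimeoutSec 5
    $failed = $resp.Content -split "`n" |
        Where-Object { $_ -match '^windows_exporter_collector_success\{collector="([^"]+)"\}\s+0' } |
        ForEach-Object { $Matches[1] }
    foreach ($c in $failed) { $findings += "Collector '$c' reports failure under account $account" }
} catch {
    $findings += "Metrics endpoint http://localhost:$MetricsPort/metrics not reachable: $_"
}

# Report: empty findings means the deployment matches the least-privilege setup.
if ($findings.Count -eq 0) {
    Write-Output "OK: $ServiceName runs as $account with the expected restricted rights"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```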
That sounds like something we should try. I’ll see if it works for our setup.
Is there any difference if we are running windows_exporter as admin vs. a service account as mentioned above? And if there are no differences, how can we conclude that?
So after testing with the other rights it appears to work with the user rights.
Our security likes to have non system users running services so the rights are as restricted as possible.
Definitely good information to add to documentation.
Also, the account needs only "Log on as a service", and the following policies can be applied to the user: "Deny log on locally", "Deny log on as a batch job", "Deny log on through Remote Desktop Services" https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services
Would there be a way to use managed service account for exporter user? https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.