2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones

Information

Create security policies to deny Palo Alto User-ID traffic originating from the interface configured for the UID Agent service that are destined to any untrusted zone.

Rationale:

If User-ID and WMI probes are sent to untrusted zones, the risk of privileged information disclosure exists. The information disclosed can include the User-ID Agent service account name, domain name, and encrypted password hashes sent in User-ID and WMI probes. To prevent this exposure, msrpc traffic originating from the firewall to untrusted networks should be explicitly denied. This security policy should be in effect even for environments not currently using WMI probing to help guard against possible probe misconfigurations in the future.

This setting is a 'fail safe' to prevent exposure of this information if any of the other WMI User control settings are misconfigured.

Solution

Navigate to Device > Setup > Services > Services Features > Service Route Configuration > Customize.
Click on the protocol in use (IPv4 and/or IPv6).
Click UID Agent.
Click on the address object for the UID Agent's IP address.
Set SOURCE/NAME to 'Deny msrpc to untrusted'.
Set SOURCE/ZONE to 'INSIDE'.
Set SOURCE/Address to the Address object for the UID Agent.
Set DESTINATION/ZONE to 'GUEST' and 'OUTSIDE'.
Set DESTINATION/Address to 'any'.
Set DESTINATION/Application to 'msrpc'.
Set DESTINATION/Service to 'application-default'.
Set DESTINATION/Action to 'Block' (red circle with diagonal line).

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|9.2

Plugin: Palo_Alto

Control ID: 3cea9d45f927a1d78c114f1ca80209f584c858425665a10cc03ca85a89889457