Information
Only enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing on an untrusted interface.
Rationale:
PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in theft of the password hash for the account used in WMI probing.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Navigate to Network > Network Profiles > Interface Management.
Set User-ID to be checked only for interfaces that are both internal and trusted; uncheck it for all other interfaces.
Impact:
If WMI probing is enabled without limiting the scope, internet hosts that are sources or destinations of traffic will be probed, and the password hash of the configured Domain Admin account can be captured by an outside attacker on such a host.
Default Value:
By default WMI probing and all User-ID functions are disabled.
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT
References: 800-53|AC-2, 800-53|AC-2(12), 800-53|AU-3, 800-53|AU-12, 800-53|CM-7b., CSCv6|6.5, CSCv6|9.1, CSCv6|16, CSCv6|16.10, CSCv7|6.2, CSCv7|9.2, CSCv7|16, CSCv7|16.13
Control ID: 04d74509c430a4576dd540684de5b92a23a11dc51d0ecb60b92fddcbea0be3a0