2.2 Ensure that WMI probing is disabled

Information

Disable WMI probing if it is not required for User-ID functionality in the environment.
Rationale:
WMI probing normally requires a domain administrator account. A malicious user could capture the encrypted password hash for offline cracking or relayed authentication attacks. Relying on other forms of user identification, such as security log monitoring, mitigates this risk.

Solution

Navigate to Device > User Identification > User Mapping > Palo Alto Networks User ID Agent Setup.
Set Enable Probing so it is unchecked.
Impact:
While this removes the exposure of having the WMI user account password being compromised, it also reduces the effectiveness of user identification during operation of the firewall (applying rules and policies). This trade-off should be weighed carefully for all installations.
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

References: 800-53|AC-2, 800-53|AC-11, 800-53|AU-3, 800-53|AU-12, 800-53|CM-7b., CSCv6|6.5, CSCv6|9.1, CSCv6|16, CSCv6|16.5, CSCv7|6.2, CSCv7|9.2, CSCv7|16, CSCv7|16.11

Plugin: Palo_Alto

Control ID: 1a1c33cd787fd3117e966d675240a9c668691980e02c1fb1a5e30b0d0f07a6e1