Information
Disable WMI probing if it is not required for User-ID functionality in the environment.
Rationale:
WMI probing normally requires an account with domain administrator rights, and the firewall authenticates with that account to every client it probes. A malicious user on the probed network can capture the authentication exchange (typically an NTLM challenge-response derived from the account's password hash) for offline cracking, or relay it to another host in a relayed authentication attack. Relying on other forms of user identification, such as User-ID agents or Windows security event log monitoring, never sends these credentials to endpoints and so mitigates this risk.
In addition, it is easy to misconfigure this feature so that it probes untrusted zones. Probing is enabled globally but targets any unmapped IP address in a zone where User Identification is enabled, so enabling User Identification on an external zone such as Untrust directs authentication attempts with the domain administrator account at untrusted hosts on the internet, where malicious users can capture the challenge-response for offline cracking or relay.
Impact:
While this removes the exposure of having the WMI service account's password compromised, it also reduces the effectiveness of user identification during operation of the firewall (applying user-based rules and policies), since hosts that no other mapping method covers remain unmapped. This trade-off should be weighed carefully for all installations.
Solution
Navigate to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (the gear icon) and open the Client Probing tab.
Clear the Enable Probing check box, then commit the change.
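The check below is an added example, not part of this audit item or of Palo Alto Networks' own tooling. It parses a PAN-OS configuration export (the XML from `export configuration` or `show config running`) and reports, per vsys, whether client probing is enabled and which zones have User Identification turned on, flagging the combination the rationale warns about: probing enabled together with User-ID on an externally facing zone. The XPaths (`user-id-collector/setting/enable-probing`, `zone/entry/network/enable-user-identification`) and the sample export are assumptions about the configuration schema; confirm them against an export from your own firewall before trusting the result.

```python
"""Audit a PAN-OS configuration export for WMI client probing.

Added example, not code from the audit benchmark or from Palo Alto Networks.
The XPaths below are assumptions about the PAN-OS configuration schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (not taken from a real firewall). vsys1 has
# probing enabled with User-ID on both an internal and an untrust zone;
# vsys2 has probing disabled.
SAMPLE_CONFIG = """<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <user-id-collector>
            <setting>
              <enable-probing>yes</enable-probing>
            </setting>
          </user-id-collector>
          <zone>
            <entry name="trust">
              <network>
                <enable-user-identification>yes</enable-user-identification>
                <layer3><member>ethernet1/2</member></layer3>
              </network>
            </entry>
            <entry name="untrust">
              <network>
                <enable-user-identification>yes</enable-user-identification>
                <layer3><member>ethernet1/1</member></layer3>
              </network>
            </entry>
          </zone>
        </entry>
        <entry name="vsys2">
          <user-id-collector>
            <setting>
              <enable-probing>no</enable-probing>
            </setting>
          </user-id-collector>
          <zone>
            <entry name="dmz">
              <network>
                <enable-user-identification>yes</enable-user-identification>
              </network>
            </entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Assumed schema paths (relative to <config> and to each vsys entry).
VSYS_XPATH = "./devices/entry/vsys/entry"
PROBING_XPATH = "./user-id-collector/setting/enable-probing"
ZONE_XPATH = "./zone/entry"
USERID_XPATH = "./network/enable-user-identification"

# Zone names treated as external; adjust to the naming used in your environment.
UNTRUSTED_ZONE_NAMES = {"untrust", "outside", "internet", "wan"}


def audit_probing(config_xml):
    """Return one finding dict per vsys.

    A vsys fails when <enable-probing> is "yes". An absent element counts
    as the default ("Not configured"), which is a pass. Because probing
    only targets unmapped IPs in zones with User-ID enabled, the finding
    also lists those zones and, when probing is on, the subset whose name
    marks them as untrusted: that is where the service account's
    authentication would be sent toward hosts you do not control.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.findall(VSYS_XPATH):
        probing = vsys.find(PROBING_XPATH)
        enabled = probing is not None and (probing.text or "").strip() == "yes"
        userid_zones = [
            z.get("name")
            for z in vsys.findall(ZONE_XPATH)
            if (z.findtext(USERID_XPATH) or "").strip() == "yes"
        ]
        exposed = [z for z in userid_zones if z.lower() in UNTRUSTED_ZONE_NAMES]
        findings.append({
            "vsys": vsys.get("name"),
            "probing_enabled": enabled,
            "userid_zones": userid_zones,
            "exposed_zones": exposed if enabled else [],
            "status": "FAIL" if enabled else "PASS",
        })
    return findings


if __name__ == "__main__":
    for f in audit_probing(SAMPLE_CONFIG):
        line = f"{f['vsys']}: {f['status']} (enable-probing={'yes' if f['probing_enabled'] else 'no'})"
        if f["exposed_zones"]:
            line += f"; probing reaches untrusted zone(s): {', '.join(f['exposed_zones'])}"
        print(line)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; a vsys with no `user-id-collector` block at all reports PASS, matching the "Not configured" default noted below.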
Default Value:
Not configured
Item Details
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT
References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, CSCv7|9.2, CSCv7|16
Control ID: a4a94b94b20fa8bdc3be13af4b859cfed9fb8b7d45b48f414a0d0f65ae7b2f2d