Details
Only enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing on an untrusted interface.
Rationale:
PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in theft of the password hash for the account used in WMI probing.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Navigate to Network > Network Profiles > Interface Management.
Set User-ID to be checked only for interfaces that are both internal and trusted; uncheck it for all other interfaces.
Impact:
If WMI probing is enabled without limiting the scope, internet hosts that are sources or destinations of traffic will be probed, and the password hash of the configured Domain Admin account can be captured by an outside attacker on such a host.
Default Value:
By default WMI probing and all User-ID functions are disabled.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Audit and Accountability, System and Information Integrity.This control applies to the following type of system Palo_Alto.
References
- 800-53|AC-2(12)
- 800-53|AU-3
- 800-53|AU-12
- 800-53|SI-4
- CSCv6|6.5
- CSCv6|9.1
- CSCv6|16
- CSCv6|16.10
- CSCv7|6.2
- CSCv7|9.2
- CSCv7|16
- CSCv7|16.13