Ensure that WMI probing is disabled

Details

Disable WMI probing if it is not required for User-ID functionality in the environment.

Rationale:

WMI probing normally requires a domain administrator account. A malicious user could capture the encrypted password hash for offline cracking or relayed authentication attacks. Relying on other forms of user identification, such as security log monitoring, mitigates this risk.

Solution

Navigate to Device > User Identification > User Mapping > Palo Alto Networks User ID Agent Setup.
Set Enable Probing so it is unchecked.

Impact:

While this removes the risk of the WMI user account password being compromised, it also reduces the effectiveness of user identification during operation of the firewall (applying rules and policies). This trade-off should be weighed carefully for all installations.

Default Value:

Not configured

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Audit and Accountability, System and Information Integrity. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022