topic Re: User identification and WinRM on HTTP in General Topics

User identification and WinRM on HTTP

ConfindustriaBG — Thu, 21 Apr 2022 14:19:08 GMT

Hi to all, before to write i red some post here on the community and i just configured my NGFW and windows domain controllers.

Becuase i have every 3 sec an alert about "The server-side authentication level policy does not allow the user AAA\BBB SID (XXX) from address Y.Y.Y.Y activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." i modified the server monitoring setting changing from WMI to WinRM-HTTP.

On the firewall interface i have all the domain controllers in connected status and, looking on monitor logs, i can see users id.

The problem is that on Event Viewer of domain controllers keep to see the error.

Please someone can help me?

Thank you

Re: User identification and WinRM on HTTP

reaper — Fri, 22 Apr 2022 12:41:05 GMT

are you able to try WinRM-HTTPS ?

Re: User identification and WinRM on HTTP

ConfindustriaBG — Fri, 22 Apr 2022 13:43:29 GMT

Hi Reaper, thank you for your reply.

I have to understand how to manage certs on domain controllers.

PAN-OS Administrator’s Guide explain how to obtain cert thumb but using only one server.

Another thing is that the guide say

"WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor."

Reading on internet, is not suggested to disable RC4 for Kerberos because could be some problems with clients.

However NGFW is working fine. The problem is only the event viewer of domain controllers.

I'll try to understand how to manage the certs.

Thank you

Re: User identification and WinRM on HTTP

TomYoung — Tue, 16 Aug 2022 18:25:53 GMT

Hi @ConfindustriaBG ,

It appears that you are running into this problem -> https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-forcing-new.html. Notice that this thread said that the registry changes specified here -> https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c do not work. The security feature seems to have been implemented prematurely before the fix.

I had 1 client face this issue, and I recommended the Windows agent instead of agentless User-ID. We have not tested it yet, but it makes sense it will fix the annoying logs.

Thanks,

Tom

Edit: So you are getting the same error with WinRM? I guess changing the protocol is not a fix.

Edit 2: Backing out update KB5005568 could also be a fix if allowed by the security team.

Edit 3: The registry change works after June 14, 2022 as specified in the KB. This feature will be removed at March 14, 2023. So will be the ability to back out the update.

Re: User identification and WinRM on HTTP

ConfindustriaBG — Tue, 26 Apr 2022 08:45:50 GMT

Hi @TomYoung , thank you for your reply.

I'll try to install the agent on one of the Domain Controller and I'll let you know.

Ciao,

Marco

Re: User identification and WinRM on HTTP

ConfindustriaBG — Wed, 27 Apr 2022 06:54:13 GMT

Hello @TomYoung, just installed ID Agent. Now the log of domain controllers is clean!.

Thanks and have a nice day!

Ciao