<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User-ID. Is WMI really needed? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146167#M49148</link>
    <description>&lt;P&gt;I know I've been advised to disable it. It's an extra layer, but it wasn't even effective in my case as the logs were filled with messages about the WMI queue being maxed out and it not adding additional clients to probe.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No approach seems to be perfect, but for the most part, you should be fine if the AD logs or what have you are providing you with the info. The worst-case scenario is that, since it doesn't handle logouts, you will have a persistent association between a user ID and a source IP if a user is logged out, but in that case, your traffic sourced from that IP should be minimal and non-interactive and it will be updated when the next user logs in.&lt;/P&gt;</description>
    <pubDate>Mon, 06 Mar 2017 15:54:01 GMT</pubDate>
    <dc:creator>bradk14</dc:creator>
    <dc:date>2017-03-06T15:54:01Z</dc:date>
    <item>
      <title>User-ID. Is WMI really needed?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146158#M49147</link>
      <description>&lt;P&gt;Hi all&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have an end-customer who is using ServerMonitoring and the User-Id agent at the same time. His AD has been audited by Microsoft, and it was discovered that their performance is affected by the WMI probing. My question is: if they remove all ServerMonitoring and keep only the User-Id Agent, do they need the WMI configuration in both the Firewall and AD?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;best regards&amp;nbsp;&lt;/P&gt;&lt;P&gt;ACUNTIA COS&lt;/P&gt;</description>
      <pubDate>Mon, 06 Mar 2017 15:31:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146158#M49147</guid>
      <dc:creator>SOC_CSG</dc:creator>
      <dc:date>2017-03-06T15:31:02Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID. Is WMI really needed?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146167#M49148</link>
      <description>&lt;P&gt;I know I've been advised to disable it. It's an extra layer, but it wasn't even effective in my case as the logs were filled with messages about the WMI queue being maxed out and it not adding additional clients to probe.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No approach seems to be perfect, but for the most part, you should be fine if the AD logs or what have you are providing you with the info. The worst-case scenario is that, since it doesn't handle logouts, you will have a persistent association between a user ID and a source IP if a user is logged out, but in that case, your traffic sourced from that IP should be minimal and non-interactive and it will be updated when the next user logs in.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Mar 2017 15:54:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146167#M49148</guid>
      <dc:creator>bradk14</dc:creator>
      <dc:date>2017-03-06T15:54:01Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID. Is WMI really needed?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146185#M49152</link>
      <description>&lt;P&gt;We had a lot of agent stability issues when we started with firewalls ~3 years back. One of the suggestions during troubleshooting by support was to disable WMI.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Mar 2017 16:49:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146185#M49152</guid>
      <dc:creator>Sly_Cooper</dc:creator>
      <dc:date>2017-03-06T16:49:12Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID. Is WMI really needed?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146417#M49188</link>
      <description>&lt;P&gt;It depends on your environment&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you have a fairly static environment (typical office space) you may not need probing as your users will stay on the same IP address for a long time. You can simply increase the 'user identification timeout' to a workday (9 hours, about the time a Kerberos ticket is valid for) and be OK (IP-user mapping will be removed after 9 hours).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The big issue with probing comes into play in a dynamic environment with lots of roaming users that switch IP addresses without necessarily logging back in again (creating a new logon event for the UserID to pick up).&lt;/P&gt;
&lt;P&gt;In such an environment you need to make sure user A has abandoned his or her IP and now user B has acquired it and is potentially 'overprivileged'.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Mar 2017 15:37:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146417#M49188</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2017-03-07T15:37:06Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID. Is WMI really needed?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146556#M49226</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Also, WMI is very chatty and unencrypted. We had an internal pen test at one of my previous employers and they were able to sniff the password because their system was being interrogated via WMI.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just another thought...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Tue, 07 Mar 2017 22:52:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-is-wmi-really-needed/m-p/146556#M49226</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2017-03-07T22:52:14Z</dc:date>
    </item>
  </channel>
</rss>

