Credential Phishing with credential submission method as Use Domain Credential Filter

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Credential Phishing with credential submission method as Use Domain Credential Filter

L1 Bithead

Hello team,

 

Customer has configured Credential Phishing with credential submission method as Use Domain Credential Filter and it does not work
The user id agent is configured on the writeable domain controller
But according to the below document to enable credential detection, must install the Windows-based User-ID agent on an RODC
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credenti...

Wanted to verify if RODC is mandatory to enable credential detection or will it work on writeable domain controller

The output of show user user-id-agent state SVR-DC2 is attached

 

Kindly verify regarding the same 

 

output.PNG

Regards

Banu Priya

7 REPLIES 7

L6 Presenter

When you asked the question, I was thinking the RODC was just a suggestion for security reasons, and the link you tagged actually states as such:

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credenti...

 

"Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller."

L2 Linker

Did you get your issue resolved?

I'd like to know the same, for I'd like to implement but I don't want to set up an RODC for the sole purpose of supporting this.

L1 Bithead

Have you got answer for this ?

 

Unfortunately for this feature to work an RODC is required. Starting from windows server 2012 (or maybe even 2008) the password hashes are not readable from an AD joined server and not even on the domaincontroller itself - even obviously the password hashes are available there. The only way to read these hashes is on an RODC.

(I received this answer from PaloAlto Support)

Yes, I tested the same configuring RODC when it was not working on AD. It worked on RODC only.

 

this is exactly what we needed to know.

  • 5223 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!