Credential Phishing with credential submission method as Use Domain Credential Filter

L1 Bithead


Hello team,

 

Customer has configured Credential Phishing with credential submission method as Use Domain Credential Filter and it does not work.
The User-ID agent is configured on the writeable domain controller.
But according to the below document, to enable credential detection, one must install the Windows-based User-ID agent on an RODC:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credenti...

Wanted to verify whether an RODC is mandatory to enable credential detection or whether it will work on a writeable domain controller.

The output of show user user-id-agent state SVR-DC2 is attached.

Kindly verify regarding the same.


Regards

Banu Priya

Cyber Elite

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

When you asked the question, I was thinking the RODC was just a suggestion for security reasons, and the link you tagged actually states as such:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credenti...

"Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller."

L2 Linker

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

Did you get your issue resolved?

L3 Networker

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

I'd like to know the same, for I'd like to implement but I don't want to set up an RODC for the sole purpose of supporting this.

L1 Bithead

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

Have you got an answer for this?

Cyber Elite

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

Unfortunately, for this feature to work an RODC is required. Starting from Windows Server 2012 (or maybe even 2008) the password hashes are not readable from an AD-joined server and not even on the domain controller itself, even though obviously the password hashes are available there. The only way to read these hashes is on an RODC.

(I received this answer from Palo Alto Support)

L1 Bithead

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

Yes, I tested the same by configuring an RODC when it was not working on AD. It worked on the RODC only.

L4 Transporter

Re: Credential Phishing with credential submission method as Use Domain Cre

This is exactly what we needed to know.
