Permissions of user-ID service account for wmi and netbios probing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Permissions of user-ID service account for wmi and netbios probing

L3 Networker

Hi All

 

As I know to read the logs from DC, "Event Log Readers" permission is required for service account. 

For WMI probing to clients, I need all below (please correct me if I am wrong)

 

1- Service account permission should be "Server Operators" in AD to read the CIMV2 namespace on the client systems

2- Give proper permission to the service account for WMI CIMv2 on each client system by using wmimgmt.msc

3- Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client

 

Questions:

- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network

- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?

- For netbios probing, what permissions are required for service account?

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @faizankhurshid

 


@faizankhurshidwrote:

 

- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network


Unfortunately no, it is not possible with GPOs, but you can do it with admin logon or startup scripts (like in the example here: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)

 


@faizankhurshidwrote:

- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?


It depends. To avoid these probes to servers you need to carefully set all the user-ID settings. For example if you have a zone enabled for user identification. In this zone you have 2 networks: 192.168.0.0/24 for clients and 192.168.1.0/24 for servers. By default, if you do not set the User-ID include or exclude networks in the zone configuration, and there is a connection from a server without existing user-ip mapping, then the firewall will probe that IP to try to get a user-ip mapping. So you need to make sure, that you set all the IP ranges where you expect users to avoid probes to be sent to servers.

 


@faizankhurshidwrote:

 

- For netbios probing, what permissions are required for service account?


A quote from (a quite old) user-id best practice document: "NetBIOS probes have no authentication and do not require any specific group membership of the Agent account." Source: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/1348/1/Use...

 

Regards,

Remo

 

 







View solution in original post

3 REPLIES 3

L7 Applicator

Hi @faizankhurshid

 


@faizankhurshidwrote:

 

- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network


Unfortunately no, it is not possible with GPOs, but you can do it with admin logon or startup scripts (like in the example here: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)

 


@faizankhurshidwrote:

- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?


It depends. To avoid these probes to servers you need to carefully set all the user-ID settings. For example if you have a zone enabled for user identification. In this zone you have 2 networks: 192.168.0.0/24 for clients and 192.168.1.0/24 for servers. By default, if you do not set the User-ID include or exclude networks in the zone configuration, and there is a connection from a server without existing user-ip mapping, then the firewall will probe that IP to try to get a user-ip mapping. So you need to make sure, that you set all the IP ranges where you expect users to avoid probes to be sent to servers.

 


@faizankhurshidwrote:

 

- For netbios probing, what permissions are required for service account?


A quote from (a quite old) user-id best practice document: "NetBIOS probes have no authentication and do not require any specific group membership of the Agent account." Source: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/1348/1/Use...

 

Regards,

Remo

 

 







@Remo thanks. Last question, for netbios probing is also done against clients ? I need to know how netbios probing works for getting the user-ip mapping.

 

Thanks

Hi @faizankhurshid

 

Netbios probing is primarily for probing clients, as you probably don't have that much users on servers. How it actually works is magic by microsoft ... a better explenation you can finde for example here: http://techgenix.com/nbtstatrevealswhoisloggedon/

  • 1 accepted solution
  • 3264 Views
  • 3 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!