03-17-2018 01:44 AM
Hi All
As I know to read the logs from DC, "Event Log Readers" permission is required for service account.
For WMI probing to clients, I need all below (please correct me if I am wrong)
1- Service account permission should be "Server Operators" in AD to read the CIMV2 namespace on the client systems
2- Give proper permission to the service account for WMI CIMv2 on each client system by using wmimgmt.msc
3- Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client
Questions:
- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network
- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?
- For netbios probing, what permissions are required for service account?
03-17-2018 11:33 AM
@faizankhurshidwrote:
- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network
Unfortunately no, it is not possible with GPOs, but you can do it with admin logon or startup scripts (like in the example here: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)
@faizankhurshidwrote:- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?
It depends. To avoid these probes to servers you need to carefully set all the user-ID settings. For example if you have a zone enabled for user identification. In this zone you have 2 networks: 192.168.0.0/24 for clients and 192.168.1.0/24 for servers. By default, if you do not set the User-ID include or exclude networks in the zone configuration, and there is a connection from a server without existing user-ip mapping, then the firewall will probe that IP to try to get a user-ip mapping. So you need to make sure, that you set all the IP ranges where you expect users to avoid probes to be sent to servers.
@faizankhurshidwrote:
- For netbios probing, what permissions are required for service account?
A quote from (a quite old) user-id best practice document: "NetBIOS probes have no authentication and do not require any specific group membership of the Agent account." Source: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/1348/1/Use...
Regards,
Remo
03-17-2018 11:33 AM
@faizankhurshidwrote:
- For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network
Unfortunately no, it is not possible with GPOs, but you can do it with admin logon or startup scripts (like in the example here: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)
@faizankhurshidwrote:- By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers?
It depends. To avoid these probes to servers you need to carefully set all the user-ID settings. For example if you have a zone enabled for user identification. In this zone you have 2 networks: 192.168.0.0/24 for clients and 192.168.1.0/24 for servers. By default, if you do not set the User-ID include or exclude networks in the zone configuration, and there is a connection from a server without existing user-ip mapping, then the firewall will probe that IP to try to get a user-ip mapping. So you need to make sure, that you set all the IP ranges where you expect users to avoid probes to be sent to servers.
@faizankhurshidwrote:
- For netbios probing, what permissions are required for service account?
A quote from (a quite old) user-id best practice document: "NetBIOS probes have no authentication and do not require any specific group membership of the Agent account." Source: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/1348/1/Use...
Regards,
Remo
03-26-2018 12:59 AM
@Remo thanks. Last question, for netbios probing is also done against clients ? I need to know how netbios probing works for getting the user-ip mapping.
Thanks
03-26-2018 09:01 AM
Netbios probing is primarily for probing clients, as you probably don't have that much users on servers. How it actually works is magic by microsoft ... a better explenation you can finde for example here: http://techgenix.com/nbtstatrevealswhoisloggedon/
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
