I have been trying to grasp the whole User-ID concept specifically with WMI and the more I read, the more I am confused.
I have a simple setup. I want to be able to use agentless configuration and have it read info from my Domain Controllers. I understand that I need an account with permissions for various groups (event log Readers, Distributed COM, Server Operators). Is this truly all that is needed to be setup? I only ask because I see references to WMIMGMT.MSC and the CIMV2 instance. Do I need to configure this on each domain controller that will be queried by the firewall? I see references to performing these steps if you want to use WMI client probing (which I don't need). My environment is pretty simple.
I also have a question about the service account. Some documentation (and videos) show creating a user account that is used for the specific purpose of querying the DC. It resides in an OU and is similar to other user accounts with the exception that it is designed for one purpose, the password never expires, and it is not allowed to logon interactively or remotely. . Other documentations says is should be a Managed Service Account? I used the former method sometime ago, and it works, however, if it's more secure to place it in the Managed Service Accounts container, I will.
Lastly do most people use the same service account for both user-id and LDAP? Should they be separate and do they require different permissions?
I apologize for all of the questions. Just as I think I have things figured out, I read (or watch) something that discusses completing the steps in another way. Not sure it matters, but my environment is PANOS 8.0.17 and I have Server 2008R2 (eliminating this soon) as well as 2012R2 Domain Controllers.
Thanks so much.
Probing really isn't recommended anymore except in certain situations.
MSAs are usually utilized when you want them to follow the computer password policies instead of user policies, but the big advantage is that they are tied to a specific computer so you don't have to really restrict their access because they are automatically locked down. Either method works, but I think MSAs are still the prefered method in most environments.
Service accounts really should only be utilized for one purpose, but you could also simply create one dedicated service account for your firewalls and give them access to read from the Domain Controllers for user-id and then LDAP access as well. Really just depends on how you want to do it in your org.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!