03-06-2017 07:31 AM
Hi all
I have an end-customer who is using ServerMonitoring and the User-ID agent at the same time. His AD has been audited by Microsoft, which discovered that their performance is affected by the WMI probing. My question is: if they remove all ServerMonitoring and keep only the User-ID Agent, do they need the WMI configuration in both the Firewall and AD?
best regards
ACUNTIA COS
03-07-2017 07:37 AM
It depends on your environment.
If you have a fairly static environment (typical office space) you may not need probing, as your users will stay on the same IP address for a long time. You can simply increase the 'user identification timeout' to a workday (9 hours, about the time a Kerberos ticket is valid for) and be OK (the IP-user mapping will be removed after 9 hours).
The big issue with probing comes into play in a dynamic environment with lots of roaming users that switch IP addresses without necessarily logging back in again (creating a new logon event for User-ID to pick up).
In such an environment you need to make sure user A has abandoned his or her IP and now user B has acquired it and is potentially 'overprivileged'.
03-06-2017 07:53 AM - edited 03-06-2017 07:54 AM
I know I've been advised to disable it. It's an extra layer, but it wasn't even effective in my case, as the logs were filled with messages about the WMI queue being maxed out and it not adding additional clients to probe.
No approach seems to be perfect, but for the most part you should be fine if the AD logs or what have you are providing you with the info. The worst-case scenario, since it doesn't handle logouts, is that you will have a persistent association between a user ID and a source IP after a user has logged out, but in that case your traffic sourced from that IP should be minimal and non-interactive, and it will be updated when the next user logs in.
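The two failure modes described in the replies above (the roaming user whose old IP is handed to someone else without a new logon event, and the mapping that outlives a logout until the timeout or the next logon) are easy to see in a toy model of the IP-to-user table. The following is an added example written for this page; it is not code from the thread, from the User-ID agent, or from any vendor. The addresses, user names, timestamps and the 9-hour timeout are constructed for the illustration, and the `prober` callback stands in for whatever endpoint query (WMI in the thread) reports who is actually logged on.

```python
"""Toy User-ID style IP -> user table: learned from logon events, aged out by a
timeout, optionally cross-checked by an endpoint probe. Added illustration,
not vendor code; every value below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Tuple

Prober = Callable[[str], Optional[str]]   # ip -> user currently logged on, or None


@dataclass
class Mapping:
    user: str
    learned_at: datetime


class UserIdTable:
    def __init__(self, timeout: timedelta, prober: Optional[Prober] = None):
        self.timeout = timeout
        self.prober = prober            # None models "probing disabled"
        self.table: Dict[str, Mapping] = {}

    def on_logon_event(self, ip: str, user: str, when: datetime) -> None:
        # A logon event from the security log creates or overwrites the mapping.
        # Logoff events are deliberately ignored, matching the thread's observation.
        self.table[ip] = Mapping(user, when)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """User the firewall would attribute traffic from `ip` to at `now`."""
        m = self.table.get(ip)
        if m is None:
            return None
        if now - m.learned_at >= self.timeout:
            del self.table[ip]          # aged out: traffic is unknown-user again
            return None
        if self.prober is not None:
            actual = self.prober(ip)    # ask the endpoint who is logged on right now
            if actual != m.user:        # probe disagrees with the cached mapping
                if actual is None:
                    del self.table[ip]
                else:
                    self.table[ip] = Mapping(actual, now)
                return actual
        return m.user


T0 = datetime(2017, 3, 6, 9, 0)     # constructed: userA logs on at 09:00
IP = "10.0.0.5"                     # constructed address
WORKDAY = timedelta(hours=9)        # the timeout suggested in the thread


def roaming_scenario(probing: bool) -> Optional[str]:
    """userA's logon maps IP to userA. Later DHCP hands the same IP to userB's
    machine with no new logon event. Who gets attributed at 12:00?"""
    now_logged_on = {IP: "userB"}   # constructed endpoint state at 12:00
    prober = (lambda ip: now_logged_on.get(ip)) if probing else None
    t = UserIdTable(WORKDAY, prober)
    t.on_logon_event(IP, "userA", T0)
    return t.lookup(IP, T0 + timedelta(hours=3))


def logout_scenario() -> Tuple[Optional[str], Optional[str]]:
    """userA logs off at 17:00 but no logoff is processed. Without probing the
    stale mapping persists until userB's logon event overwrites it."""
    t = UserIdTable(WORKDAY)
    t.on_logon_event(IP, "userA", T0)
    after_logoff = t.lookup(IP, T0 + timedelta(hours=8, minutes=30))      # 17:30
    t.on_logon_event(IP, "userB", T0 + timedelta(hours=8, minutes=45))     # 17:45
    after_next_logon = t.lookup(IP, T0 + timedelta(hours=8, minutes=50))  # 17:50
    return after_logoff, after_next_logon


def timeout_scenario() -> Optional[str]:
    """With no further events the mapping simply ages out after the timeout."""
    t = UserIdTable(WORKDAY)
    t.on_logon_event(IP, "userA", T0)
    return t.lookup(IP, T0 + WORKDAY)


if __name__ == "__main__":
    print("roaming, no probing :", roaming_scenario(False))   # userA (stale, overprivileged)
    print("roaming, probing    :", roaming_scenario(True))    # userB (probe corrected it)
    print("after logoff / next logon:", logout_scenario())    # ('userA', 'userB')
    print("after 9h timeout    :", timeout_scenario())        # None
```

The point the model makes: the timeout alone bounds how long a stale mapping can live (9 hours here), while only some form of probing, or a fresh logon event, corrects it earlier. Whether that window is acceptable is exactly the static-versus-roaming judgement the reply describes.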
03-06-2017 08:49 AM
We had a lot of agent stability issues when we started with firewalls ~3 years back. One of the suggestions during troubleshooting by support was to disable WMI.
03-07-2017 02:52 PM
Hello,
Also, WMI is very chatty and unencrypted. We had an internal pen test at one of my previous employers and they were able to sniff the password because their system was being interrogated via WMI.
Just another thought...
Regards,