User-ID. Is WMI really needed?


L4 Transporter

Hi all

I have an end-customer who is using ServerMonitoring and the User-ID agent at the same time. His AD has been audited by Microsoft, and they discovered that their performance is affected by the WMI probing. My question is: if they remove all ServerMonitoring and keep only the User-ID Agent, do they need the WMI configuration in both the firewall and AD?

Best regards,

ACUNTIA COS

1 accepted solution

Accepted Solutions

Cyber Elite

It depends on your environment

If you have a fairly static environment (typical office space) you may not need probing, as your users will stay on the same IP address for a long time; you can simply increase the 'user identification timeout' to a workday (9 hours, about the time a Kerberos ticket is valid for) and be OK (the IP-user mapping will be removed after 9 hours).

The big issue with probing comes into play in a dynamic environment with lots of roaming users that switch IP addresses without necessarily logging back in again (creating a new logon event for User-ID to pick up).

In such an environment you need to make sure user A has abandoned his or her IP and now user B has acquired it and is potentially 'overprivileged'.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

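The accepted answer's point that the timeout bounds how long a stale mapping can survive, as an added example (not code from the thread or from Palo Alto Networks): a toy IP-to-user table fed only by constructed logon events, where `misattributed_seconds` counts how long traffic from user B's device on a reused IP still carries user A's identity. The address, user names, timings and the 60-second step are assumptions.

```python
"""IP-to-user mapping table modelled the way User-ID behaves without WMI probing.

Added example, not code from the thread or Palo Alto Networks. Mappings come only
from constructed AD logon events and age out after the 'user identification
timeout'; nothing observes logoffs or IP changes, the gap probing would fill.
"""

IP = "10.0.0.5"   # constructed address reused by two devices during the day
HOUR = 3600


class MappingTable:
    """IP -> (user, time learned). Entries are refreshed only by logon events."""

    def __init__(self, timeout_s):
        self.timeout_s = timeout_s
        self.entries = {}

    def logon_event(self, ip, user, t):
        # A new logon event overwrites whatever user was mapped to that IP.
        self.entries[ip] = (user, t)

    def user_for(self, ip, t):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, learned_at = entry
        if t - learned_at >= self.timeout_s:
            del self.entries[ip]   # timeout reached: mapping is removed
            return None
        return user


def misattributed_seconds(timeout_s, b_logon_at=None, step=60):
    """Seconds for which user B's traffic is still attributed to user A.

    Constructed scenario: A logs on at t=0 and leaves at t=1h with no logoff
    seen; B's device takes the same IP 100 s later and, unless b_logon_at is
    given, never produces a new logon event for User-ID to pick up.
    """
    table = MappingTable(timeout_s)
    table.logon_event(IP, "userA", 0)
    stale, b_logged_on = 0, False
    for t in range(HOUR + 100, timeout_s + step, step):
        if b_logon_at is not None and not b_logged_on and t >= b_logon_at:
            table.logon_event(IP, "userB", t)
            b_logged_on = True
        if table.user_for(IP, t) == "userA":
            stale += step   # B is 'overprivileged' with A's policy this step
    return stale
```

With a 9-hour timeout and no new logon from B the misattribution lasts almost the whole workday; a shorter timeout or a fresh logon event from B ends it much sooner.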

4 REPLIES

L3 Networker

I know I've been advised to disable it. It's an extra layer, but it wasn't even effective in my case, as the logs were filled with messages about the WMI queue being maxed out and it not adding additional clients to probe.

No approach seems to be perfect, but for the most part you should be fine if the AD logs or what have you are providing you with the info. The worst-case scenario is that, since it doesn't handle logouts, you will have a persistent association between a user ID and a source IP if a user is logged out; but in that case, your traffic sourced from that IP should be minimal and non-interactive, and it will be updated when the next user logs in.

L4 Transporter

We had a lot of agent stability issues when we started with firewalls ~3 years back. One of the suggestions during troubleshooting by support was to disable WMI.


Hello,

Also, WMI is very chatty and unencrypted. We had an internal pen test at one of my previous employers, and they were able to sniff the password because their system was being interrogated via WMI.

Just another thought...

Regards,
