Hi, I am guessing that wmi polling is not used very much but I do use it and find it handy. If you do use it, you are probably aware that your event logs are filling up with this error:
The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
I am getting 4 event log errors every polling interval (5 minutes) on every Windows server. This is due to Microsoft enhancing security on WMI (KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com)).
There is a solution to this: you need to call WMI with PKT integrity enabled (wmic RPC_C_AUTHN_LEVEL_PKT_INTEGRITY support · Issue #41 · greenbone/openvas-smb (github.com)).
So, for example
wmic --user=domain.local\\user --password= //server.domain.local "select * from Win32_ComputerSystem" - throws the error in the target server's event log…also, this will start failing next year.
However
wmic --user=domain.local\\user --password= //ncacn_ip_tcp:server.domain.local[sign] "select * from Win32_ComputerSystem" will not throw the error.
Wrapping the target server in ncacn_ip_tcp: and [sign] fixes the issue.
So, would it be possible for you to enhance Observium to make the WMI calls this way?
Thanks
Tony
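Before and after switching a poller to the [sign] form, an administrator usually wants to know which client addresses and accounts are still triggering the DCOM hardening event, so the change can be verified server by server. The following is an added example, not code from the post, from Observium or from openvas-smb: it parses the message text exactly as quoted above and counts events per (client address, user). The sample event lines are constructed for the example (the first two reuse the user, SID and address from the post; the third, with address 10.0.0.5 and user domain\svc-monitor, is invented), and the regex assumes the message wording shown in the post.

```python
import re
from collections import Counter

# Message format as quoted in the post: user, SID in parentheses, client address.
# Assumption: the wording is stable across servers, so one regex covers them all.
DCOM_MSG_RE = re.compile(
    r"does not allow the user (?P<user>\S+) "
    r"SID \((?P<sid>S-1-5-[\d-]+)\) "
    r"from address (?P<addr>[0-9a-fA-F.:]+) "
    r"to activate DCOM server"
)


def parse_dcom_event(message):
    """Extract user, SID and client address from one hardening event message.

    Returns a dict with keys user, sid, addr, or None when the line is not
    one of these events (so unrelated log lines are simply skipped).
    """
    m = DCOM_MSG_RE.search(message)
    return m.groupdict() if m else None


def summarize(messages):
    """Count hardening events per (client address, user).

    A poller that has been switched to ncacn_ip_tcp:host[sign] should drop
    out of this table entirely; any address still listed has a client that
    activates DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
    """
    counts = Counter()
    for msg in messages:
        rec = parse_dcom_event(msg)
        if rec:
            counts[(rec["addr"], rec["user"])] += 1
    return counts


# Constructed sample log lines for the example (not real event log exports).
SAMPLE_EVENTS = [
    r"The server-side authentication level policy does not allow the user "
    r"domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) "
    r"from address 1.1.1.1 to activate DCOM server. Please raise the "
    r"activation authentication level at least to "
    r"RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.",
    r"The server-side authentication level policy does not allow the user "
    r"domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) "
    r"from address 1.1.1.1 to activate DCOM server. Please raise the "
    r"activation authentication level at least to "
    r"RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.",
    # Constructed second poller, to show the grouping.
    r"The server-side authentication level policy does not allow the user "
    r"domain\svc-monitor SID (S-1-5-21-99999-3660327915-2769000259-41000) "
    r"from address 10.0.0.5 to activate DCOM server. Please raise the "
    r"activation authentication level at least to "
    r"RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.",
    # Unrelated line, must be ignored.
    "The Windows Time service entered the running state.",
]


if __name__ == "__main__":
    for (addr, user), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{addr:<16} {user:<24} {n} event(s)")
```

Feed it the rendered message text of the exported events (one message per list element) and rerun after the poller change; the address of the Observium host should no longer appear.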