Tom, there are a couple of moving parts here. First, if you have a system that is still patchable, then this applies because this is pushed in patches. Now, if you are still using WinXP or Server 2003, then probably not. Whether the fix will break WMI monitoring on these old systems, I cannot say.
This is my feeling: should we let newer systems break with WMI monitoring, or older (unsupported) systems break? I think it does not make sense to break new systems in favor of old.
I guess another option would be to make a config param (WMI-signing?); if true, the new call is used?
But to be clear, right now the WMI hardening results in error messages in the event log but the command succeeds. However, as of 2023, the command will fail and no info will be returned, so doing nothing will break WMI.
Thanks for your time on this
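As an added illustration of the config-switch idea above (this is example code, not Observium's own poller code), the following POSIX shell builds the wmic target argument either in the plain form or in the packet-integrity form the thread describes. The `WMI_SIGN` variable is a hypothetical switch, not an existing Observium setting; the function also accepts a target that is already in the signed form so that it can be applied safely to existing host entries.

```shell
#!/bin/sh
# Added example (not Observium's code): build the wmic target spec for a
# host. WMI_SIGN is a hypothetical config switch (1 = use the signed
# ncacn_ip_tcp form from the thread, 0 = the old //host form).

# wmi_target HOST [SIGN]
# HOST may be a bare hostname, //host, or an ncacn_ip_tcp:host[sign] spec.
# The function is idempotent: an already-signed spec is returned unchanged.
wmi_target() {
    host="$1"
    sign="${2:-${WMI_SIGN:-1}}"
    host="${host#//}"                      # drop a leading // if present
    case "$host" in
        ncacn_ip_tcp:*"[sign]")            # already hardened, keep as-is
            printf '//%s\n' "$host"; return 0 ;;
        ncacn_ip_tcp:*)                    # transport given without [sign]
            host="${host#ncacn_ip_tcp:}" ;;
    esac
    if [ "$sign" = "1" ]; then
        printf '//ncacn_ip_tcp:%s[sign]\n' "$host"
    else
        printf '//%s\n' "$host"
    fi
}

# wmi_command USER HOST QUERY
# Assemble the full command line for logging or a dry run; the password
# is masked so the string is safe to write to a log.
wmi_command() {
    user="$1"; host="$2"; query="$3"
    printf 'wmic --user=%s --password=****** %s "%s"\n' \
        "$user" "$(wmi_target "$host")" "$query"
}

# Usage (dry run, matching the query from the thread):
wmi_command 'domain.local\\user' server.domain.local 'select * from Win32_ComputerSystem'
```

With `WMI_SIGN=0` exported (or passed as the second argument) the old `//host` form is produced, which is the switch the reply above suggests for environments where unpatched hosts still have to be polled.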
From: observium <observium-bounces@observium.org>
On Behalf Of Tom Laermans via observium
Sent: Wednesday, April 13, 2022 7:26 AM
To: observium@observium.org
Cc: Tom Laermans <tom.laermans@powersource.cx>
Subject: Re: [Observium] wmi issues, need a syntax change
Hi Tony,
You're right, it's not used a lot I think right now.
Would that impact older Windows versions when this change is made?
Because of course that would present a problem...
Thanks,
Tom
On 2022-04-11 22:34, Tony Guadagno via observium wrote:
Hi, I am guessing that wmi polling is not used very much but I do use it and find it handy. If you do use it, you are probably aware that your event logs are filling up with this error:
The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
I am getting 4 eventlog errors every polling interval (5 minutes) on every windows server. This is due to Microsoft enhancing security on wmi. (KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com))
There is a solution to this, you need to call wmi with pkt integrity enabled (wmic RPC_C_AUTHN_LEVEL_PKT_INTEGRITY support · Issue #41 · greenbone/openvas-smb (github.com)).
So, for example
wmic --user=domain.local\\user --password= //server.domain.local "select * from Win32_ComputerSystem" - throws the error in the target server's event log. Also, this will start failing next year.
However
wmic --user=domain.local\\user --password= //ncacn_ip_tcp:server.domain.local[sign] "select * from Win32_ComputerSystem" will not throw the error
wrapping the target server in ncacn_ip_tcp: and [sign] fixes the issue.
So, would it be possible for you to enhance Observium to make the wmi calls this way?
Thanks
Tony
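To show how the event-log noise described in the post above can be measured on the server side, here is an added example (not part of the thread and not Observium code) that scans an exported event-log text file for the DCOM activation-policy message and summarises which client addresses are still polling without packet integrity. The export format (one event per line, date, level, source, then message text) and the events themselves are constructed sample data; the message text is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or Observium: find the DCOM
# activation-policy errors caused by pollers that do not use
# RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and count them per client address.

# Constructed sample export: two pollers, one unrelated event.
SAMPLE_EVENTS='2022-04-11 22:30:01 Error DCOM The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
2022-04-11 22:30:01 Error DCOM The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
2022-04-11 22:31:07 Information Service Control Manager The Windows Update service entered the running state.
2022-04-11 22:35:02 Error DCOM The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 10.0.0.7 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'

# count_dcom_auth_events [FILE]
# Number of events carrying the hardening message (stdin if no FILE).
count_dcom_auth_events() {
    grep -c 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' "${1:--}"
}

# dcom_auth_sources [FILE]
# Print "address count" per client address that triggered the message,
# sorted by address, so the pollers still needing the [sign] form stand out.
dcom_auth_sources() {
    grep 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' "${1:--}" \
        | sed -n 's/.*from address \([^ ]*\) to activate.*/\1/p' \
        | sort | uniq -c \
        | awk '{print $2, $1}'
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_EVENTS" | count_dcom_auth_events   # 3
printf '%s\n' "$SAMPLE_EVENTS" | dcom_auth_sources         # 1.1.1.1 2 / 10.0.0.7 1
```

Run against a real export (for example a text dump of the System log), the per-address table tells you which pollers still use the plain `//host` call and should be switched to `//ncacn_ip_tcp:host[sign]` before the enforcement date mentioned in the thread.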
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium