Hi Tony,
You're right, it's not used a lot I think right now.
Would that impact older Windows versions when this change is made? Because of course that would present a problem...
Thanks, Tom
On 2022-04-11 22:34, Tony Guadagno via observium wrote:
Hi, I am guessing that wmi polling is not used very much but I do use it and find it handy. If you do use it, you are probably aware that your event logs are filling up with this error:
The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
I am getting 4 eventlog errors every polling interval (5 minutes) on every windows server. This is due to Microsoft enhancing security on wmi. (KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com) https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c)
There is a solution to this, you need to call wmi with pkt integrity enabled (wmic RPC_C_AUTHN_LEVEL_PKT_INTEGRITY support · Issue #41 · greenbone/openvas-smb (github.com) https://github.com/greenbone/openvas-smb/issues/41).
So, for example
wmic --user=domain.local\user --password= //server.domain.local "select * from Win32_ComputerSystem" - throws the error in the target servers event log…also, this will start failing next year.
However
wmic --user=domain.local\user --password= //ncacn_ip_tcp:server.domain.local[sign] "select * from Win32_ComputerSystem" will not throw the error
wrapping the target server in ncacn_ip_tcp: and [sign] fixes the issue.
So, would it be possible for you to enhance Observium to make the wmi calls this way?
Thanks
Tony
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium