Hi Tony,

You're right, it's not used a lot I think right now.

Would that impact older Windows versions when this change is made?
Because of course that would present a problem...

Thanks,
Tom

On 2022-04-11 22:34, Tony Guadagno via observium wrote:

Hi, I am guessing that WMI polling is not used very much, but I do use it and find it handy. If you do use it, you are probably aware that your event logs are filling up with this error:

The server-side authentication level policy does not allow the user domain\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

I am getting 4 event log errors every polling interval (5 minutes) on every Windows server. This is due to Microsoft enhancing security on WMI. (KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com))

There is a solution to this: you need to call WMI with pkt integrity enabled (wmic RPC_C_AUTHN_LEVEL_PKT_INTEGRITY support · Issue #41 · greenbone/openvas-smb (github.com)).

So, for example:

wmic --user=domain.local\\user --password= //server.domain.local "select * from Win32_ComputerSystem"

throws the error in the target server's event log. Also, this will start failing next year.

However:

wmic --user=domain.local\\user --password= //ncacn_ip_tcp:server.domain.local[sign] "select * from Win32_ComputerSystem"

will not throw the error.

Wrapping the target server in ncacn_ip_tcp: and [sign] fixes the issue.

So, would it be possible for you to enhance Observium to make the wmi calls this way?

Thanks,

Tony
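
As an added example (not part of Tony's or Tom's messages, and not Observium code): a small Python helper that builds the wmic invocation with the ncacn_ip_tcp:host[sign] binding described above, and a detection routine that scans exported Windows System log text for the DCOM authentication-level error so an administrator can see which pollers still connect without packet integrity. The second log entry, its SID and both poller addresses are constructed sample data; the match is on the message text quoted in the thread, not on an event ID.

```python
import re
import shlex

# Pattern built from the event text quoted in the thread (constructed regex).
DCOM_AUTHN_RE = re.compile(
    r"server-side authentication level policy does not allow the user "
    r"(?P<user>\S+) SID \((?P<sid>S-1-5-[\d-]+)\) from address (?P<addr>\S+) "
    r"to activate DCOM server"
)


def wmic_target(host: str, sign: bool = True) -> str:
    """Return the wmic target: plain //host, or the TCP binding with [sign]
    so DCOM activation uses at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY."""
    return f"//ncacn_ip_tcp:{host}[sign]" if sign else f"//{host}"


def wmic_argv(host: str, user: str, password: str, query: str, sign: bool = True) -> list:
    """Build the argv list for wmic; hand it to subprocess.run without a shell
    so the backslash in DOMAIN\\user and the [sign] brackets are not reinterpreted."""
    return ["wmic", f"--user={user}", f"--password={password}", wmic_target(host, sign), query]


def find_dcom_authn_errors(log_text: str) -> list:
    """Return (user, sid, addr) for every DCOM hardening error found in the log text."""
    return [(m["user"], m["sid"], m["addr"]) for m in DCOM_AUTHN_RE.finditer(log_text)]


# Constructed sample log: the event from the thread, an unrelated line, and a second
# constructed event from another poller address.
SAMPLE_LOG = """
The server-side authentication level policy does not allow the user domain\\wmiuser SID (S-1-5-21-99999-3660327915-2769000259-31856) from address 1.1.1.1 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
The Windows Update service entered the running state.
The server-side authentication level policy does not allow the user domain\\svc-monitor SID (S-1-5-21-99999-3660327915-2769000259-1105) from address 10.0.0.5 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
"""

if __name__ == "__main__":
    # Show the hardened command line from the thread, quoted for copy and paste.
    print(shlex.join(wmic_argv("server.domain.local", "domain.local\\user", "",
                               "select * from Win32_ComputerSystem")))
    for user, sid, addr in find_dcom_authn_errors(SAMPLE_LOG):
        print(f"poller {addr} still activates DCOM without packet integrity: {user} ({sid})")
```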


_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium