The Palo Alto Networks security platform must disable WMI probing if it is not used.

Overview

Finding ID: V-228838
Version: PANW-AG-000036
Rule ID: SV-228838r557387_rule
IA Controls: CCI-000381
Severity: medium
Description
User-ID can use Windows Management Instrumentation (WMI) probing as a method of mapping users to IP addresses. If this is used, the User-ID Agent will send a probe to each learned IP address in its list to verify that the same user is still logged in. The results of the probe will be used to update the record on the agent and then be passed on to the firewall. WMI probing is a Microsoft feature that collects user information from Windows hosts, and contains a username and encrypted password hash of a Domain Administrator account. WMI probing on external/untrusted zones can result in the User-ID agent sending WMI probes to external/untrusted hosts. An attacker can capture these probes and obtain the username, domain name and encrypted password hash associated with the User-ID account. If WMI probing is not used as a method of user to IP address mapping, it must be disabled.
STIG: Palo Alto Networks ALG Security Technical Implementation Guide
Date: 2025-03-12

Related Frameworks

3 paths across 3 frameworks
NIST 800-53: 1 mapping
CM-7
1.00
  • DISA · V3R4 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171: 1 mapping
3.4.6
1.00
  • DISA · V3R4 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI: 1 mapping
CCI-000381
1.00
  • DISA · V3R4 · disa_xccdf · related

Details

Check Text (C-228838r557387_chk)

Ask the Administrator if User-ID uses WMI Probing; if it does, this is not a finding.

Go to Device >> User Identification.
On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box.
If it is selected, this is a finding.
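An automated version of this check, as an added example (not part of the STIG or of Palo Alto Networks tooling): it reads an exported configuration XML and applies the check text per virtual system. The XML element path, the sample configuration and the function names are assumptions; a missing setting is reported for manual review rather than guessed.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element names below are an assumption about
# the exported XML layout; verify them against your own configuration file.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1"><user-id-collector><setting>
    <enable-probing>yes</enable-probing>
  </setting></user-id-collector></entry>
  <entry name="vsys2"><user-id-collector><setting>
    <enable-probing>no</enable-probing>
  </setting></user-id-collector></entry>
  <entry name="vsys3"/>
</vsys></entry></devices></config>"""

PROBING_PATH = "./user-id-collector/setting/enable-probing"  # assumed path


def probing_state(config_xml):
    """Map each vsys name to True/False, or None when the setting is absent."""
    root = ET.fromstring(config_xml)
    state = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        node = vsys.find(PROBING_PATH)
        if node is None:
            state[vsys.get("name")] = None
        else:
            state[vsys.get("name")] = (node.text or "").strip().lower() == "yes"
    return state


def evaluate(config_xml, wmi_probing_in_use):
    """Apply the check text. wmi_probing_in_use records the Administrator's
    answer per vsys (True = WMI probing is a mapping method in use)."""
    results = {}
    for name, enabled in probing_state(config_xml).items():
        if enabled is None:
            results[name] = "manual review: setting not present in export"
        elif not enabled:
            results[name] = "not a finding"
        elif wmi_probing_in_use.get(name, False):
            results[name] = "not a finding (probing is in use)"
        else:
            results[name] = "finding"
    return results


if __name__ == "__main__":
    for vsys, verdict in evaluate(SAMPLE_CONFIG, {"vsys2": True}).items():
        print(f"{vsys}: {verdict}")
```
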

Fix Text (F-31050r513810_fix)

To disable WMI probing if it is not used:

Go to Device >> User Identification.
On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box.
If it is selected, select the "Edit" icon in the upper-right corner of the pane.
In the "Palo Alto Networks User ID Agent Setup" window, in the "Client Probing" tab, deselect the "Enable Probing" check box.