
PIC identity mapping question about DCOM and WMI Registry key

csco11552159
Level 5

I'm following the PIC document:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html#task_784A7…

When we talk to our Corp Sec and ID team about changing the registry key to allow our account full control of the DCOM/WMI key, they want to know the reason for the change. If we have a Domain Admin account with read-only access, will this do the work?

Can anyone explain why we need full control?

This would be really helpful.

Thank you.

6 Replies

csco11552159
Level 5

These 2 keys:

HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

hslai
Cisco Employee

In my earlier tests, it's to facilitate adding registry keys and values; that is, we won't be able to add the two registry keys (shown below) unless the administrators have the ownership and full control to "HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}".

  • reg add HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} /v AppID /t REG_SZ /d "{76A64158-CB41-11D1-8B02-00600806D9B6}"
  • reg add HKCR\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6} /v DllSurrogate /t REG_SZ /d "  "

IIRC, we need not touch the other key, the one under HKLM\Software, as it gets it from the first one.

Thank you. So if we manually created these keys, we can try to avoid "Full control", right?

Regarding the key being added, for 64-bit it is located here, right?

HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
AppID = {76A64158-CB41-11D1-8B02-00600806D9B6}

I can't think of a way for us to avoid changing owner to "Administrators" with "Full Control" in order to perform the "reg add" operations successfully.

We might be able to revert the ownership change afterwards but I've never tried it myself.
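
A read-only check of the keys discussed above, as an added example that is not part of the original thread or of Cisco's documentation: it records each key's owner, whether BUILTIN\Administrators has a Full Control allow entry, and the AppID and DllSurrogate values, so the state can be documented before and after the change. The variable names and report layout are assumptions of this example.

```powershell
# Added example: read-only audit, makes no changes to the registry.
$guid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$guid",
    "Registry::HKEY_CLASSES_ROOT\AppID\$guid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\$guid"
)
# Well-known SID of BUILTIN\Administrators (independent of OS language)
$adminSid    = 'S-1-5-32-544'
$fullControl = [int][System.Security.AccessControl.RegistryRights]::FullControl

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        [pscustomobject]@{ Key = $key; Exists = $false }
        continue
    }
    $acl = Get-Acl -LiteralPath $key
    # Explicit and inherited ACEs, with identities returned as SIDs
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $adminFull = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $adminSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $fullControl) -eq $fullControl
    }).Count -gt 0
    $values = Get-ItemProperty -LiteralPath $key
    [pscustomobject]@{
        Key               = $key
        Exists            = $true
        Owner             = $acl.Owner
        AdminsFullControl = $adminFull
        AppID             = $values.AppID          # empty if the value is absent
        DllSurrogate      = $values.DllSurrogate   # empty if the value is absent
    }
}
$report | Format-List
```

Run it in an elevated session on the domain controller; saving the output before and after the ownership change gives the security team a record of exactly what was altered.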

So we have to change the registry on all our DCs to make it work, right?

Will the same setup be required for Server 16?

Thank you.

Yes, if WMI providers are to be used directly, on all domain controllers to be monitored, including Windows 2016 servers. If not using Easy Connect, you might want to consider installing PIC agents.
