04-23-2019 12:16 AM - edited 02-21-2020 11:04 AM
Hello,
We are implementing ISE PIC - Stealthwatch integration via pxGrid.
One of the requests is to create an ISE PIC user with certain permissions to use DCOM and WMI root access, as depicted in the great instructions at the link.
The customer wants to know which WMI root/CIMv2 commands the ISE PIC user executes while accessing the domain controllers.
Also, on Windows Server 2016 there are limitations on providing permissions for DCOM and WMI root/CIMv2 usage. While defining permissions for the ISE PIC user on the DC, it also needs to be defined what the permissions refer to: the whole domain or a certain application.
In the linked instructions there is a registry key value for App ID 76A64158-CB41-11D1-8B02-00600806D9B6. Do the permissions need to refer just to this App ID or to the entire DC?
Thank you,
Miroslav Vucevski
04-28-2019 05:59 PM - edited 04-28-2019 05:59 PM
ISE PassiveID WMI providers use WMI to query Kerberos events in the security event logs on the domain controllers. All the group membership, DCOM, WMI, and registry changes are to ensure that.
04-30-2019 06:23 AM
Hello hslai,
Thank you for your reply.
As our customer is security-aware and a little bit skeptical, they are interested in which commands the user executes under WMI.
Do you have that information?
Thanks!
04-30-2019 08:02 AM
05-01-2019 05:26 AM
Hello Tim,
Thanks for the answer!
Kind regards,
Miroslav