ISE-PIC domain user permissions

Hello,

We are implementing ISE PIC - Stealthwatch integration via pxGrid.
One of the requirements is to create an ISE PIC user with certain permissions for DCOM and WMI root access, as described in the great instructions at the link.
The customer wants to know which WMI root/CIMv2 commands the ISE PIC user executes while accessing the domain controllers.

Also, on Windows Server 2016 there are limitations on granting permissions for DCOM and WMI root/CIMv2 usage. While defining permissions for the ISE PIC user on the DC, it also needs to be defined which scope the permissions refer to: the whole domain or a certain application.
In the linked instructions there is a registry key value for the AppID 76A64158-CB41-11D1-8B02-00600806D9B6. Do the permissions need to refer just to this AppID or to the entire DC?

Thank you,
Miroslav Vucevski

hslai
Cisco Employee

ISE PassiveID WMI providers use WMI to query Kerberos events in the security event logs on the domain controllers. All the group membership, DCOM, WMI, and registry changes are to ensure that.

Hello hslai,

Thank you for your reply.

As our customer is security-aware and a little bit skeptical, they are interested in which commands the user executes under WMI.

Do you have that information?

Thanks!

These are the commands we use:

SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND (TargetInstance.EventIdentifier = 4768) AND (TargetInstance.EventType = '4')

Regards,
-Tim

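Added here as an example, not part of the thread or of Cisco's documentation: a Windows PowerShell 5.1 script that runs the exact WQL subscription Tim quoted against a domain controller as the ISE PIC service account, so the DCOM, root\cimv2 and Security-log permissions can be validated before ISE PIC is pointed at the DC. $Dc and $Credential are assumed inputs, and the permission names in the comments come from general WMI administration, not from this thread.

```powershell
# Added example (not ISE PIC code): run ISE PIC's WQL subscription as the ISE PIC
# service account against one DC and report whether a 4768 event is delivered.
param(
    [Parameter(Mandatory)] [string] $Dc,               # placeholder, e.g. dc01.example.local
    [Parameter(Mandatory)] [pscredential] $Credential, # the ISE PIC service account
    [int] $TimeoutSeconds = 120
)

# Exactly the query from the accepted answer.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.LogFile = 'Security' AND (TargetInstance.EventIdentifier = 4768) " +
         "AND (TargetInstance.EventType = '4')"

# Step 1: a plain synchronous DCOM/WMI call. If this fails, the problem is namespace
# access (root\cimv2 Remote Enable / Enable Account, DCOM launch and activation rights).
try {
    $os = Get-WmiObject -ComputerName $Dc -Credential $Credential -Namespace 'root\cimv2' `
                        -Class Win32_OperatingSystem -ErrorAction Stop
    Write-Host "root\cimv2 reachable on $Dc as $($Credential.UserName) ($($os.Caption))"
} catch {
    Write-Error "root\cimv2 access to $Dc failed for $($Credential.UserName): $($_.Exception.Message)"
    return
}

# Step 2: the temporary event subscription itself. Register-WmiEvent uses the same DCOM
# transport, so it exercises the same rights ISE PIC needs.
$id = 'IsePicKerberosTest'
Register-WmiEvent -ComputerName $Dc -Credential $Credential -Namespace 'root\cimv2' `
                  -Query $query -SourceIdentifier $id | Out-Null
try {
    Write-Host "Waiting up to $TimeoutSeconds s for a Kerberos TGT request (4768) on $Dc ..."
    $evt = Wait-Event -SourceIdentifier $id -Timeout $TimeoutSeconds
    if ($null -eq $evt) {
        Write-Warning "No 4768 event arrived: no logon in the window, or the account cannot read the Security log."
    } else {
        # TargetInstance is the Win32_NTLogEvent instance that matched the filter.
        $log = $evt.SourceEventArgs.NewEvent.TargetInstance
        [pscustomobject]@{
            TimeGenerated = [System.Management.ManagementDateTimeConverter]::ToDateTime($log.TimeGenerated)
            EventCode     = $log.EventCode   # 4768
            EventType     = $log.EventType   # 4 = Audit Success
            Source        = $log.SourceName
        }
        Remove-Event -SourceIdentifier $id
    }
} finally {
    Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
}
```

Register-WmiEvent and Get-WmiObject exist only in Windows PowerShell (5.1 and earlier), which is the right tool here because they use the same DCOM path ISE PIC relies on.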

Hello Tim,

Thanks for the answer!

Kind regards,

Miroslav