
ISE-PIC domain user permissions

Hello,

We are implementing ISE PIC - Stealthwatch integration via pxGrid.
One of the requests is to create an ISE PIC user with certain permissions to use DCOM and WMI root access, as described in the great instructions at the link.
The customer wants to know which WMI root/CIMv2 commands the ISE PIC user executes while accessing the domain controllers.

Also, on Windows Server 2016 there are limitations on providing permissions for DCOM and WMI root/CIMv2 usage. When defining permissions for the ISE PIC user on the DC, it also needs to be defined what the permissions apply to: the whole domain or a certain application.
In the instructions at the link there is a registry key value for an App ID 76A64158-CB41-11D1-8B02-00600806D9B6. Do the permissions need to refer to just this App ID or to the entire DC?

Thank you,
Miroslav Vucevski

1 Accepted Solution

These are the commands we use:

SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND (TargetInstance.EventIdentifier = 4768) AND (TargetInstance.EventType = '4')

Regards,
-Tim
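
To check what the query above returns to the service account, the same subscription can be opened over DCOM from an admin workstation. This is an added example, not part of the original post and not Cisco's code; the DC name `dc01.example.test`, the source identifier and the timeout are placeholders.

```powershell
# Added example (not from the thread): open the same WMI event subscription
# with the ISE-PIC service account and show what one delivered event contains.
# Assumptions: $DomainController is a placeholder name; the credential prompt
# is answered with the ISE-PIC service account.
param(
    [string]$DomainController = 'dc01.example.test',   # placeholder
    [int]$TimeoutSeconds = 120
)

# The query exactly as given in the answer above.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.LogFile = 'Security' AND (TargetInstance.EventIdentifier = 4768) " +
         "AND (TargetInstance.EventType = '4')"

$cred    = Get-Credential -Message 'ISE-PIC service account'
$option  = New-CimSessionOption -Protocol Dcom          # DCOM, as in the setup instructions
$session = New-CimSession -ComputerName $DomainController -Credential $cred `
                          -SessionOption $option -ErrorAction Stop

$sourceId = 'IsePicQueryCheck'                          # arbitrary local identifier
try {
    Register-CimIndicationEvent -CimSession $session -Namespace 'root/cimv2' `
        -Query $query -SourceIdentifier $sourceId -ErrorAction Stop

    # Block until one matching event arrives or the timeout expires.
    $evt = Wait-Event -SourceIdentifier $sourceId -Timeout $TimeoutSeconds
    if ($null -eq $evt) {
        Write-Warning "Subscription accepted, but no event 4768 arrived within $TimeoutSeconds s."
    }
    else {
        # TargetInstance is the Win32_NTLogEvent the account was allowed to read.
        $log = $evt.SourceEventArgs.NewEvent.TargetInstance
        $log | Select-Object ComputerName, EventCode, TimeGenerated, InsertionStrings | Format-List
    }
}
catch {
    # Print the error text returned when the subscription is rejected.
    Write-Error "Subscription failed: $($_.Exception.Message)"
}
finally {
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Remove-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Remove-CimSession -CimSession $session
}
```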


4 Replies

hslai
Cisco Employee

ISE PassiveID WMI providers use WMI to query Kerberos events in the security event logs on the domain controllers. All the group membership, DCOM, WMI, and registry changes are to ensure that.

Hello hslai,

Thank you for your reply.

As our customer is security-aware and a little bit skeptical, they are interested in which commands the user executes under WMI.

Do you have that information?

Thanks!

Hello Tim,

Thanks for the answer!

Kind regards,

Miroslav
