Customer advisory: Security Impact of User-ID Misconfiguration
Many networking and network security devices use a Microsoft feature called WMI probing to interrogate Windows hosts and collect user information. For authentication purposes, a WMI probe contains the username and encrypted password hash of the configured service account. It has come to our attention that some Palo Alto Networks customers may have improperly configured User-ID to enable WMI probing on external/untrusted zones, which results in the User-ID agent sending these probes to external/untrusted hosts. This can lead to exposure of the service account credentials.
Customers are advised to review the Best Practices for Securing User-ID Deployments to make sure all safeguards are being followed, such as ensuring that User-ID is only enabled on internal/trust zones, and that only the minimum required privileges are enabled for the service account.
If User-ID was misconfigured to allow WMI probes to be sent to untrusted zones, customers are also advised to change the password of the service account used for WMI probing. Regular rotation of service account passwords is a recommended best practice. A helpful whitepaper on mitigating Windows service account credential theft coauthored by Rapid7, Microsoft, and Palo Alto Networks is available at: https://community.rapid7.com/docs/DOC-2881.
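As an added illustration of the configuration review recommended above (example code written for this advisory, not a Palo Alto Networks tool), the following Python audits a constructed PAN-OS-style configuration excerpt and flags zones where User-ID is enabled but which are not on an operator-supplied list of internal zones, together with whether client probing is turned on. The per-zone `enable-user-identification` setting is the real PAN-OS zone option; the overall document shape and the `user-id-collector/setting/enable-probing` path are simplified assumptions, so adjust the XPath expressions to match an actual exported running configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a simplified PAN-OS running-config excerpt.
# Only the zone-level 'enable-user-identification' element is a known PAN-OS
# setting; the probing element path is an assumption for this example.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="trust">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="dmz">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone>
    <user-id-collector><setting>
      <enable-probing>yes</enable-probing>
    </setting></user-id-collector>
  </entry></vsys></entry></devices>
</config>"""

INTERNAL_ZONES = {"trust"}  # assumed: zones the operator treats as internal


def user_id_zones(config_xml):
    """Names of zones whose 'enable-user-identification' flag is 'yes'."""
    root = ET.fromstring(config_xml)
    enabled = []
    for zone in root.iterfind(".//zone/entry"):
        flag = zone.findtext("enable-user-identification", default="no")
        if flag.strip().lower() == "yes":
            enabled.append(zone.get("name"))
    return enabled


def probing_enabled(config_xml):
    """True if client (WMI) probing is switched on in the collector settings."""
    root = ET.fromstring(config_xml)
    flag = root.findtext(".//user-id-collector/setting/enable-probing", default="no")
    return flag.strip().lower() == "yes"


def audit(config_xml, internal_zones=INTERNAL_ZONES):
    """Report User-ID zones outside the internal list; the finding matters most
    when probing is also on, since probes then carry the service account credentials."""
    exposed = sorted(z for z in user_id_zones(config_xml) if z not in internal_zones)
    probing = probing_enabled(config_xml)
    return {"exposed_zones": exposed, "probing_enabled": probing,
            "credential_exposure_risk": bool(exposed) and probing}
```

Running `audit(SAMPLE_CONFIG)` on the constructed sample reports `untrust` as an exposed zone with probing enabled, which is exactly the misconfiguration this advisory describes.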
Palo Alto Networks thanks HD Moore of Rapid7 for contacting us with information that some customers may have misconfigured User-ID as described in this advisory. The Rapid7 advisory can be found at: https://community.rapid7.com/community/infosec/blog/2014/10/14/palo-alto-networks-userid-credential-exposure.