BMC Atrium Discovery Community Forum

About WMI Encryption over the network
Posted: 02 February 2012 04:17 AM
Contributor
Total Posts:  39
Joined:  2009-11-17

Hi Forum,

Based on the fact that WMI sends data over the network in clear text, there are some methods to enhance security by modifying the authentication level, according to this link from MS.

The question here is: is ADDM capable of handling the authentication level (tweak) required to encrypt the connection?

There are some concerns (from my security team) about the details of the user being exposed to the network without security.

I know there are some entries (in the Forum) related to this issue, but they were addressed by the usage of PSTOOLS. Now that slaves have been updated and renamed to Windows Proxies, it would be nice to know if this matter was also covered and solved.

Thanks.

Eulise

Posted: 02 February 2012 07:19 AM   [ # 1 ]
BMC ADDM Staff
Administrator
Total Posts:  876
Joined:  2008-02-12

I am not sure I understand your question.

Your link just talks about limiting access to WMI namespaces.

The Windows proxy requests packet privacy when talking to WMI on hosts. See here and here.

So you can set WMI to require packet privacy and it will continue to work.

Posted: 02 February 2012 07:57 AM   [ # 2 ]
Guru
Total Posts:  121
Joined:  2011-04-19

Eulise Silvera - 02 February 2012 04:17 AM
Hi Forum,

Based on the fact that WMI sends data over the network in clear text, there are some methods to enhance security by modifying the authentication level, according to this link from MS.

The question here is: is ADDM capable of handling the authentication level (tweak) required to encrypt the connection?

There are some concerns (from my security team) about the details of the user being exposed to the network without security.

I know there are some entries (in the Forum) related to this issue, but they were addressed by the usage of PSTOOLS. Now that slaves have been updated and renamed to Windows Proxies, it would be nice to know if this matter was also covered and solved.

Thanks.

Eulise

Yes, according to BMC support (which actually checked the code), ADDM explicitly uses the switches for enhanced security for WMI. Also, as this whitepaper states (see page 48), both data encryption and Kerberos authentication are the default on later versions of Windows.

Posted: 02 February 2012 10:54 PM   [ # 3 ]
Contributor
Total Posts:  39
Joined:  2009-11-17

Andrew Waters - 02 February 2012 07:19 AM
I am not sure I understand your question.

Your link just talks about limiting access to WMI namespaces.

The Windows proxy requests packet privacy when talking to WMI on hosts. See here and here.

So you can set WMI to require packet privacy and it will continue to work.

Thanks Andrew, but the links didn’t work…

Posted: 02 February 2012 11:13 PM   [ # 4 ]
Contributor
Total Posts:  39
Joined:  2009-11-17

Thanks Anders,

Very good reading…

I actually found this in the documentation after posting in the forum. I think I didn’t search properly before… Apologies…

All WMI communication from BMC Atrium Discovery is sent with Packet Privacy enabled. If the host being discovered does not support Packet Privacy, for example if running a version older than Windows Server 2003 with Service Pack 1 (SP1), the flag is ignored and WMI returns the requested information.

I think, though, the whitepaper will make my life easier in dealing with the security people.

Thanks again.

Eulise

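As an added example (not from this thread or from BMC), the following PowerShell shows what Andrew's answer and the quoted documentation describe: a DCOM-based WMI session that explicitly requests Packet Privacy, plus a read of the host's machine-wide DCOM authentication level so a security reviewer can confirm that the host side also defaults to encryption rather than relying on the client asking for it. The host name is a placeholder and the account is assumed to have WMI access to the host.

```powershell
# Added example, not BMC's or the thread's code. Checks a Windows host's machine-wide
# DCOM authentication level and then runs a WMI query over a DCOM session that
# explicitly requests Packet Privacy, the level the ADDM Windows proxy asks for.
# $ComputerName is a placeholder; run with an account that may query the host.
param(
    [string]$ComputerName = 'WIN-HOST-PLACEHOLDER',
    [pscredential]$Credential = (Get-Credential -Message "Account for $ComputerName")
)

# RPC_C_AUTHN_LEVEL_* values as stored in the DCOM registry settings
$authLevelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
    5 = 'PacketIntegrity'; 6 = 'PacketPrivacy'
}

# DCOM (not WinRM) session, requesting encryption for every WMI call it carries
$opt = New-CimSessionOption -Protocol Dcom -PacketPrivacy -Impersonation Impersonate
$session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt

try {
    # Read HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel through the same
    # encrypted channel using the StdRegProv class (2147483650 = HKEY_LOCAL_MACHINE).
    $reg = Invoke-CimMethod -CimSession $session -Namespace 'root\default' `
        -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
            hDefKey     = [uint32]2147483650
            sSubKeyName = 'SOFTWARE\Microsoft\Ole'
            sValueName  = 'LegacyAuthenticationLevel'
        }
    # ReturnValue 0 = value present; otherwise the value is absent and dcomcnfg's
    # default level (Connect, 2) applies unless the client raises it itself.
    $level = if ($reg.ReturnValue -eq 0) { [int]$reg.uValue } else { 2 }

    # A real inventory-style query, carried with the Packet Privacy request.
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName          = $ComputerName
        OSVersion             = $os.Version
        DcomDefaultLevel      = "$level ($($authLevelNames[$level]))"
        # Hosts older than Windows Server 2003 SP1 ignore the Packet Privacy flag
        # and answer anyway, so the machine-wide level is what a reviewer should
        # verify rather than the mere fact that the query succeeded.
        DefaultLevelIsPrivacy = ($level -ge 6)
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

A host that reports a default below PacketPrivacy still encrypts the ADDM proxy's traffic (the higher of the two sides' levels wins), but other WMI clients that do not ask for it will talk in clear text, which is the exposure the security team is asking about.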