InformationOnly enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing (or any user-id identification) on an untrusted interface. The exception to this is identification of remote-access VPN users, who are identified as they connect.
PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in theft of the password hash for the account used in WMI probing.
If WMI probing is enabled without limiting the scope, internet hosts that are sources or destinations of traffic will be probed, and the password hash of the configured Domain Admin account can be captured by an outside attacker on such a host.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
SolutionNavigate to Network > Network Profiles > Interface Management.
Set User-ID to be checked only for interfaces that are both internal and trusted; uncheck it for all other interfaces.
By default WMI probing and all User-ID functions are disabled.
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT
References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, CSCv7|6.2, CSCv7|9.2, CSCv7|16, CSCv7|16.13
Control ID: 3b9059e8a2e888de5f8761a1152961cbd0cf11ce3716ffb0da10d222cac04948