PANW-AG-000035 - The Palo Alto Networks security platform must only enable User-ID on trusted zones.
User-ID can use Windows Management Instrumentation (WMI) probing as a method of mapping users to IP addresses. If this is used, the User-ID Agent will send a probe to each learned IP address in its list to verify that the same user is still logged in. The results of the probe will be used to update the record on the agent and then be passed on to the firewall. WMI probing is a Microsoft feature that collects user information from Windows hosts and contains a username and encrypted password hash of a Domain Administrator account. If User-ID and WMI probing are enabled on an external untrusted zone (such as the Internet), probes could be sent outside the protected network, resulting in an information disclosure of the User-ID Agent service account name, domain name, and encrypted password hash. This information has the potential to be cracked and exploited by an attacker to gain unauthorized access to protected resources. For this important reason, User-ID should never be enabled on an untrusted zone. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
To deny User-ID on untrusted zones: Go to Network >> Zones, select the name of the zone. If the Zone is untrusted, In the Zone window, deselect (uncheck) the Enable User Identification check box. Select 'OK'. Go to Network >> Network Profiles >> Interface Mgmt Select 'Add' to create a new profile or select the name of a profile to edit it. In the 'Interface Management Profile' window, deselect the 'User-ID' check box if it is selected. Select 'OK'. Note: This action precludes that particular Interface Management Profile from supporting User-ID. An interface does not need an Interface Management Profile to operate; only to be managed on that interface. Go Network >> Interfaces Each interface is listed; note that there are four tabs - Ethernet, VLAN, Loopback, and Tunnel. Each type can have an Interface Management Profile applied to it. View each interface that is in an untrusted security zone; if it has an Interface Management Profile applied to it, the Interface Management Profile must be one that does not have User-ID enabled.