Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
nzmatto1
Contributor
Jump to solution

WMI Permission denied - From this months Windows Update

Hi, 

We have a number or R81.10 gateways which are still using AD lookups and we have the workaround in place to permit this to still work as per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The next Microsoft date relating to this is supposed to be March 2023, however with this months patches going in on the domain controllers we have noticed our firewalls receiving the error WMI permission Denied when attempting to authenticate against the servers. Rolling back the patches on the AD server has fixed the issue. 

Is anyone else facing this and aside from moving to AD Collector is there a fix for it?  

https://community.checkpoint.com/t5/Security-Gateways/Move-from-Identity-Awareness-AD-Query-to-ID-Co...

Thanks.

0 Kudos
33 Replies
Greg_Harbers
Collaborator

We have made some progress with this. When we made the ldap account unit service account a member of domain admins, all gateways that were reporting wmi permissions errors are now showing connection established to the DCs and the logon events/IDs are now being received.

We have re-confirmed that all actions as in sk93938 have been applied, this does not resolve the problem. 

0 Kudos
jb1
Contributor
Contributor

Hello,

JHF does not help??

To apply the Microsoft hardening and continue using AD Query and Identity Logging, you must install a hotfix.

 

The hotfix is included in Jumbo Hotfix Accumulators for these supported versions of Security Gateways / Security Management / Multi-Domain Servers:

0 Kudos
Liel_Shaish
Employee
Employee

Hi,

Thanks for the sharing this experience. 
After investigating the issue together with Microsoft, its related to a security hardening Microsoft had introduced in the October 2022 update.
As part of the hardening (not the DCOM which is described in sk176148), they changed the read privileges that affect the GW query to the DC.
In case ADQuery is configured with an admin user, there is no issue. but in case ADQuery is configured with a non admin user (sk93938) the query will fail with WMI error. We are looking on a way to adjust the default query to work in all cases.

Current suggestion is to change the query to the reduced query (sk104900).
**please note the reduced query will not read security events on specific DC which are forwarded from other DCs.
Identity Collector is not affected by this update.

Thanks,
Liel Shaish
Group Manager, Identity Awareness R&D

Greg_Harbers
Collaborator

Hi Liel,

Thanks for the update,

One question for you, we have some SMB devices running R80.20.x. when I try to run adlogconfig on these devices I get "adlogconfig: command not found". Is there a method to define the reduced query mode on SMB devices.

Regards

Greg

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events