This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nzmatto1
Contributor
‎2022-10-13 03:38 PM
Jump to solution

WMI Permission denied - From this months Windows Update

Hi, 

We have a number or R81.10 gateways which are still using AD lookups and we have the workaround in place to permit this to still work as per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The next Microsoft date relating to this is supposed to be March 2023, however with this months patches going in on the domain controllers we have noticed our firewalls receiving the error WMI permission Denied when attempting to authenticate against the servers. Rolling back the patches on the AD server has fixed the issue. 

Is anyone else facing this and aside from moving to AD Collector is there a fix for it?  

https://community.checkpoint.com/t5/Security-Gateways/Move-from-Identity-Awareness-AD-Query-to-ID-Co...

Thanks.

0 Kudos
33 Replies
Greg_Harbers
Collaborator
‎2022-11-01 05:23 PM
In response to nzmatto1
Jump to solution

We have made some progress with this. When we made the ldap account unit service account a member of domain admins, all gateways that were reporting wmi permissions errors are now showing connection established to the DCs and the logon events/IDs are now being received.

We have re-confirmed that all actions as in sk93938 have been applied, this does not resolve the problem. 

0 Kudos
cir007
Contributor
Contributor
‎2022-11-01 10:25 PM
In response to Greg_Harbers
Jump to solution

Hello,

JHF does not help??

To apply the Microsoft hardening and continue using AD Query and Identity Logging, you must install a hotfix.

 

The hotfix is included in Jumbo Hotfix Accumulators for these supported versions of Security Gateways / Security Management / Multi-Domain Servers:

0 Kudos
Liel_Shaish
Employee
Employee
‎2022-11-03 07:03 AM
Jump to solution

Hi,

Thanks for the sharing this experience. 
After investigating the issue together with Microsoft, its related to a security hardening Microsoft had introduced in the October 2022 update.
As part of the hardening (not the DCOM which is described in sk176148), they changed the read privileges that affect the GW query to the DC.
In case ADQuery is configured with an admin user, there is no issue. but in case ADQuery is configured with a non admin user (sk93938) the query will fail with WMI error. We are looking on a way to adjust the default query to work in all cases.

Current suggestion is to change the query to the reduced query (sk104900).
**please note the reduced query will not read security events on specific DC which are forwarded from other DCs.
Identity Collector is not affected by this update.

Thanks,
Liel Shaish
Group Manager, Identity Awareness R&D

Greg_Harbers
Collaborator
‎2022-11-03 12:50 PM
In response to Liel_Shaish
Jump to solution

Hi Liel,

Thanks for the update,

One question for you, we have some SMB devices running R80.20.x. when I try to run adlogconfig on these devices I get "adlogconfig: command not found". Is there a method to define the reduced query mode on SMB devices.

Regards

Greg

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events