Hardening WMI: Any security benefit to changing Impersonation level?

  • Question

  • Does changing the Default Impersonation Level in WMI to "anonymous" or "identify" help mitigate against WMI exploitation, implants, and persistent threats? If so, please explain why... and also potential unintended problems that could arise with those settings, if any at all, thanks.

    This is changed at the registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\Scripting]
    "Default Impersonation Level"=dword:00000001

    These are the different wbem impersonation levels:

    wbemImpersonationLevelAnonymous (1), moniker: Anonymous
        Hides the credentials of the caller. Calls to WMI may fail with this impersonation level.

    wbemImpersonationLevelIdentify (2), moniker: Identify
        Allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level.

    wbemImpersonationLevelImpersonate (3), moniker: Impersonate
        Allows objects to use the credentials of the caller. This is the recommended impersonation level for Scripting API for WMI calls.

    wbemImpersonationLevelDelegate (4), moniker: Delegate
        Allows objects to permit other objects to use the credentials of the caller. This impersonation will work with Scripting API for WMI calls but may constitute an unnecessary security risk.

    If you find this interesting, this is closely related to, but not a duplicate of, this thread: https://social.technet.microsoft.com/Forums/en-US/ae8a570e-3ba0-4527-88a1-e50fcaf31a47/hardening-wmi-any-security-beneifit-to-winmgmt-standalonehost?forum=win10itprosecurity

    • Edited by tutudids Wednesday, July 22, 2020 2:16 PM
    Wednesday, July 22, 2020 1:21 PM
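As an added example (not part of this thread or of any reply to it), the PowerShell script below reads the registry value the question refers to and then runs the same local WMI query through the Scripting API at each of the four impersonation levels listed above, so the "calls to WMI may fail" behaviour can be observed on a given host rather than guessed. The function names are mine; the script assumes a Windows host with the WMI scripting library (`WbemScripting.SWbemLocator`) present and only ever queries the local `root\cimv2` namespace.

```powershell
# Added example, not code from the thread. Audits the Scripting API default
# impersonation level and exercises a local WMI query at each level.
# Assumes: Windows host, WbemScripting.SWbemLocator available, local root\cimv2.

# Names taken from the WbemImpersonationLevelEnum values quoted in the question.
$script:LevelNames = @{
    1 = 'Anonymous'
    2 = 'Identify'
    3 = 'Impersonate'
    4 = 'Delegate'
}

function Get-WmiScriptingDefaultImpersonation {
    # Reads HKLM\SOFTWARE\Microsoft\Wbem\Scripting\"Default Impersonation Level".
    # Returns $null when the value is absent (the scripting library then uses
    # its built-in default, Impersonate).
    $key = 'HKLM:\SOFTWARE\Microsoft\Wbem\Scripting'
    $item = Get-ItemProperty -Path $key -Name 'Default Impersonation Level' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Default Impersonation Level'
}

function Test-WmiImpersonationLevel {
    param([Parameter(Mandatory)][ValidateRange(1, 4)][int]$Level)

    # Set the level explicitly on the locator; the SWbemServices object that
    # ConnectServer returns inherits the locator's Security_ settings.
    $locator = New-Object -ComObject 'WbemScripting.SWbemLocator'
    $locator.Security_.ImpersonationLevel = $Level

    try {
        $services = $locator.ConnectServer('.', 'root\cimv2')
        $resultSet = $services.ExecQuery('SELECT Caption FROM Win32_OperatingSystem')

        # ExecQuery is lazy; the provider is actually called during enumeration,
        # so the foreach has to stay inside the try block to catch a failure.
        $caption = $null
        foreach ($obj in $resultSet) { $caption = $obj.Caption }

        [pscustomobject]@{
            Level     = $Level
            Name      = $script:LevelNames[$Level]
            Succeeded = $true
            Detail    = $caption
        }
    }
    catch {
        [pscustomobject]@{
            Level     = $Level
            Name      = $script:LevelNames[$Level]
            Succeeded = $false
            Detail    = $_.Exception.Message
        }
    }
}

function Invoke-WmiImpersonationAudit {
    # Reports the configured default, then the outcome of a local query at each level.
    $default = Get-WmiScriptingDefaultImpersonation
    if ($null -eq $default) {
        Write-Host 'Default Impersonation Level: not set (library default = 3 / Impersonate)'
    }
    else {
        Write-Host ("Default Impersonation Level: {0} ({1})" -f $default, $script:LevelNames[$default])
    }

    1..4 | ForEach-Object { Test-WmiImpersonationLevel -Level $_ }
}

Invoke-WmiImpersonationAudit | Format-Table -AutoSize
```

Two points worth keeping in mind when reading the results. The registry value only supplies the default for the WMI Scripting API (`SWbemLocator` and `winmgmts:` monikers) when a script does not state a level itself; a caller can still override it per connection, exactly as the script above does with `Security_.ImpersonationLevel`. Other WMI client paths (the CIM and WMI cmdlets, .NET `System.Management`, the native COM interface) carry their own impersonation setting and do not consult this key, which is the practical limit on how much hardening a change here can deliver.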

All replies