Hardening WMI: Any security benefit to “winmgmt /standalonehost”?

  • Question

  • Any security benefit to winmgmt operating outside of shared svchost processes via the command

    winmgmt /standalonehost ?

    As for security, yes, it is useful for changing wbem Authentication levels, which is changed by the command winmgmt /standalonehost [#], but does setting winmgmt as a standalone host have any security benefit on its own, e.g. winmgmt /standalonehost? For example, does a standalone host mitigate against attacks upon shared processes in svchost?

    Group policy Svchost.exe mitigations add ACG-CIG exploit-protection enforcement and other process mitigation code integrity policies to svchost processes. Does running WMI as a standalone or shared host result in any security impact with this policy enabled?

    Just for reference, I will include Wbem Authentication levels

    WbemAuthenticationLevelDefault
        Value: 0, Moniker: Default
        WMI uses the default Windows authentication setting. This is the recommended setting that allows WMI to negotiate to the level required by the server returning data. However, if the namespace requires encryption, use WbemAuthenticationLevelPktPrivacy.

    WbemAuthenticationLevelNone
        Value: 1, Moniker: None
        Uses no authentication.

    WbemAuthenticationLevelConnect
        Value: 2, Moniker: Connect
        Authenticates the credentials of the client only when the client establishes a relationship with the server.

    WbemAuthenticationLevelCall
        Value: 3, Moniker: Call
        Authenticates only at the beginning of each call when the server receives the request.

    WbemAuthenticationLevelPkt
        Value: 4, Moniker: Pkt
        Authenticates that all data received is from the expected client.

    WbemAuthenticationLevelPktIntegrity
        Value: 5, Moniker: PktIntegrity
        Authenticates and verifies that none of the data transferred between client and server has been modified.

    WbemAuthenticationLevelPktPrivacy
        Value: 6, Moniker: PktPrivacy
        Authenticates all previous impersonation levels and encrypts the argument value of each remote procedure call. Use this setting if the namespace to which you are connecting requires an encrypted connection.

    If you find this interesting, this is closely related to, but not a duplicate of this https://social.technet.microsoft.com/Forums/en-US/bf1382e9-6bf2-420e-a759-20a9df1589fe/hardening-wmi-any-security-benefit-to-changing-impersonation-level?forum=win10itprosecurity






    • Edited by tutudids Wednesday, July 22, 2020 2:16 PM
    Wednesday, July 22, 2020 1:20 PM

Answers

  • Hi,

    The official documentation doesn't give much information about security benefits of the command "winmgmt /standalone". It just enables users to configure the WMI service on Windows hosts to utilize a single port and won't impact the WMI configuration and functionality.

    https://docs.microsoft.com/en-us/windows/win32/wmisdk/winmgmt#switches

     

    The level argument mentioned is the authentication level for the Svchost process. You can run the WMI process with a different level of authentication than default by choosing the value of your expected security level.

     


    Thanks,

    Jenny



    Thursday, July 23, 2020 9:47 AM
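
Before weighing `winmgmt /standalonehost` against the shared-host default, it helps to see how the WMI service is actually hosted on a given machine and which other services, if any, live in the same process. The following read-only check is an added example, not part of the original thread; the function name `Get-WinmgmtHosting` is hypothetical, and it relies only on the standard `Win32_Service` class.

```powershell
# Added example: report how the WMI service (Winmgmt) is hosted locally.
# Read-only; makes no configuration changes.

function Get-WinmgmtHosting {
    # Win32_Service exposes the configured service type and the PID of the
    # process currently hosting the service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Winmgmt'"
    if (-not $svc) { throw 'Winmgmt service not found.' }

    # Other services running inside the same process as Winmgmt.
    # ProcessId is 0 when the service is not running.
    $coHosted = @()
    if ($svc.ProcessId -ne 0) {
        $coHosted = @(
            Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
                Where-Object { $_.Name -ne 'Winmgmt' } |
                Select-Object -ExpandProperty Name
        )
    }

    [pscustomobject]@{
        ServiceType      = $svc.ServiceType   # 'Share Process' or 'Own Process'
        State            = $svc.State
        ProcessId        = $svc.ProcessId
        PathName         = $svc.PathName      # command line of the hosting process
        CoHostedServices = $coHosted
        SharesProcess    = ($coHosted.Count -gt 0)
    }
}

Get-WinmgmtHosting | Format-List
```

`ServiceType` shows the configured hosting mode, while `CoHostedServices` shows whether any other service is really running in the same process right now; comparing the output before and after switching modes confirms the change took effect.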

All replies

  • Hello,

    Hope you are all well. I am checking to see how things are going with this post.

     

    You can click “Mark as answer” if any of the above replies is helpful. It would move this reply to the top and make it easier to find for other people who have a similar problem.

     

    Thanks,

    Jenny


    Wednesday, July 29, 2020 2:21 AM
  • Thanks for your help! You guys are the best on here.
    Saturday, August 1, 2020 3:13 AM