Securing WMI Monitoring with UPN User Format and Kerberos Authentication
Effective WMI monitoring requires a secure authentication approach to protect against known weaknesses and ensure long-term compatibility. Learn why you need to plan the transition from the outdated NTLM protocol to the more secure Kerberos authentication.
Windows Management Instrumentation (WMI) monitoring is essential for tracking the health and performance of your Windows infrastructure. WMI provides a powerful interface for collecting real-time metrics on critical Windows system resources like CPU, memory, and network utilization. This data is key for identifying and resolving performance bottlenecks.
The Security Risks of NTLM
NTLM (NT LAN Manager) has been the traditional authentication method used for WMI connections. However, it comes with significant security weaknesses that attackers can exploit: NTLM is susceptible to attacks such as NTLM relay and pass-the-hash, which can lead to credential theft and unauthorized access to your systems.
Recognizing these risks, Microsoft is actively working to phase out NTLM in favor of the more secure Kerberos authentication protocol. Microsoft plans to disable NTLM by default in Windows 11.
How the username format affects the authentication method used
NetCrunch accepts two Windows username formats, although Kerberos is the preferred protocol. You must be aware of the consequences of each format.
Here's a breakdown:
Domain\user:
This format is known as the NetBIOS domain name format or "down-level logon name." The Domain part refers to the pre-Windows 2000 domain name, a shorter, NetBIOS version of the full domain name. The user part is the username of the account within that domain.
This format is often associated with older, legacy systems that use NetBIOS, a networking protocol implemented by systems to communicate over a LAN.
Logging on with the Domain\user format in a domain environment can trigger the NTLM authentication protocol, especially when Kerberos authentication fails or is not possible for some reason.
user@adcontainer:
This is known as the User Principal Name (UPN) format. The user part is still the username, but the @adcontainer part refers to the DNS (Domain Name System) domain name. This is more aligned with Internet standards. This format is more flexible and scalable, especially in complex network environments with multiple domains and subdomains.
Entering a username in this format means that NetCrunch uses Kerberos for WMI authentication for this user.

Comparing NTLM and Kerberos security
NTLM is considered less secure than Kerberos for several reasons:
- Encryption and Security: NTLM uses weaker encryption methods than Kerberos. Kerberos uses stronger encryption techniques and mutual authentication between the client and server, thus enhancing security.
- Vulnerability to Attacks: NTLM is more susceptible to various types of attacks, such as pass-the-hash attacks, where attackers can authenticate to remote services using the hashed values of a user's password, without needing the plain text password.
- No Delegation of Authentication: Unlike Kerberos, NTLM does not support delegation of authentication, where a server can act on behalf of the user to access resources on another server. This limits the protocol's flexibility and security in distributed systems.
- Reliance on the Domain Controller: NTLM authentication involves more direct communication with the domain controller to validate the user's credentials, which can increase the load on the domain controller and potentially affect network performance.

Reasons for Migrating to UPN and Kerberos
You should consider transitioning your WMI monitoring to use the UPN (User Principal Name) user format and Kerberos authentication to ensure:
- Modernization and Standardization: The UPN format (user@adcontainer) is more aligned with Internet standards, which makes it more compatible with modern network environments and cloud services.
- Flexibility: UPN allows for more flexible username policies. For instance, it can easily accommodate email addresses as usernames, which can be more intuitive for users.
- Scalability: UPN format provides a clearer and more manageable way to handle user identities in environments with multiple domains and subdomains. It's easier to manage and less ambiguous than the NetBIOS format, which can be limited in complex network architectures.
- Security: Moving away from older protocols and formats like NetBIOS can also have security benefits, as newer protocols and naming conventions often come with improved security features and are better supported with updates and patches.
- Cloud Compatibility: As organizations move more services to the cloud, the UPN format is more compatible with cloud services, including Microsoft's Azure AD. Many cloud services use email-like formats for usernames, making the UPN format a better fit for cloud integration.
Summary
While the Domain\user format is still functional and supported in many environments, transitioning to the user@adcontainer format is generally recommended for modern, scalable, and secure network environments, especially those that leverage cloud services and follow Internet naming conventions.
Due to its limitations and security concerns, Microsoft recommends moving away from NTLM when possible and using more secure authentication protocols like Kerberos. The user@adcontainer format (or UPN format) is more aligned with the Kerberos authentication protocol, making it a more secure and modern standard for network authentication in Windows environments.
How NetCrunch supports your transition to Kerberos authentication
In NetCrunch, the username format you use determines the authentication method applied for WMI connections. Using the UPN user format automatically enables Kerberos authentication, providing an additional layer of security compared to the NTLM protocol. This integration ensures that your WMI monitoring is aligned with Microsoft's security best practices and the evolving authentication landscape.
This approach will not only enhance the security of your remote management capabilities but also ensure long-term compatibility as Microsoft continues to deprecate NTLM. By staying ahead of this transition, you can proactively protect your network and maintain the reliability of your performance monitoring solutions.
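After switching credentials to the UPN format, a practitioner will want to confirm on the monitored hosts that the WMI sessions really arrive over Kerberos. The Windows Security log records each remote WMI/DCOM connection as a logon event 4624 with LogonType 3 (network logon), and its AuthenticationPackageName field says whether NTLM or Kerberos was used. The Python script below is an added example, not NetCrunch code: it parses event XML of the shape produced by Get-WinEvent's ToXml() method, counts network logons from the monitoring server per host and authentication package, and lists the hosts where NTLM is still in use. The host names, account names and addresses are constructed sample data, the monitoring server address is an assumption, and the small _evt builder only exists to generate that sample data inline.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of Windows event XML, as emitted by (Get-WinEvent ...).ToXml().
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _evt(event_id, computer, **data):
    """Build a constructed event record in Windows event-XML shape (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


MONITORING_SERVER = "10.10.1.20"  # assumed address of the NetCrunch server

# Constructed samples; hosts, accounts and addresses are invented.
SAMPLE_EVENTS = [
    # Down-level credential (CORP\svc-monitor): the WMI session used NTLM.
    _evt(4624, "fs01.corp.example.com", TargetUserName="svc-monitor", TargetDomainName="CORP",
         LogonType=3, AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
         IpAddress=MONITORING_SERVER, WorkstationName="NETCRUNCH01"),
    # UPN credential (svc-monitor@corp.example.com): same source, now Kerberos.
    _evt(4624, "app02.corp.example.com", TargetUserName="svc-monitor", TargetDomainName="CORP",
         LogonType=3, AuthenticationPackageName="Kerberos", LmPackageName="-",
         IpAddress=MONITORING_SERVER, WorkstationName="-"),
    # Console logon on the host itself (LogonType 2): not a remote WMI session.
    _evt(4624, "fs01.corp.example.com", TargetUserName="admin", TargetDomainName="CORP",
         LogonType=2, AuthenticationPackageName="Kerberos", LmPackageName="-",
         IpAddress="127.0.0.1", WorkstationName="FS01"),
    # NTLM logon from another client: not the monitoring server, out of scope here.
    _evt(4624, "fs01.corp.example.com", TargetUserName="backup", TargetDomainName="CORP",
         LogonType=3, AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
         IpAddress="10.10.5.7", WorkstationName="BACKUP01"),
    # Logoff event (4634): a different id, skipped by the parser.
    _evt(4634, "fs01.corp.example.com", TargetUserName="svc-monitor",
         TargetDomainName="CORP", LogonType=3),
]


def parse_logon_event(xml_text):
    """Return the 4624 fields relevant to this audit, or None for any other event id."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "account": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": int(data.get("LogonType", "0")),
        "package": data.get("AuthenticationPackageName", ""),
        "lm_package": data.get("LmPackageName", "-"),
        "source_ip": data.get("IpAddress", "-"),
        "workstation": data.get("WorkstationName", "-"),
    }


def wmi_logons_by_package(events, source_ip):
    """Count network (type 3) logons from the monitoring server, per host and auth package."""
    counts = Counter()
    for rec in map(parse_logon_event, events):
        if rec and rec["logon_type"] == 3 and rec["source_ip"] == source_ip:
            counts[(rec["computer"], rec["package"])] += 1
    return counts


def hosts_still_on_ntlm(events, source_ip):
    """Hosts the monitoring server still reaches with NTLM: their credentials need the UPN form."""
    return sorted({host for (host, pkg) in wmi_logons_by_package(events, source_ip)
                   if pkg.upper() == "NTLM"})


if __name__ == "__main__":
    for (host, pkg), n in sorted(wmi_logons_by_package(SAMPLE_EVENTS, MONITORING_SERVER).items()):
        print(f"{host:28} {pkg:10} {n}")
    print("still NTLM:", hosts_still_on_ntlm(SAMPLE_EVENTS, MONITORING_SERVER))
```

On a real host, feed the script the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} piped through ForEach-Object { $_.ToXml() }, collected from each monitored machine; any host that still shows NTLM logons from the monitoring server's address has a credential that was not yet converted.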