{"id":3832,"date":"2018-12-21T10:33:41","date_gmt":"2018-12-21T10:33:41","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=3832"},"modified":"2018-12-21T10:33:41","modified_gmt":"2018-12-21T10:33:41","slug":"meraki-vpn-ad-auth-query-the-domain-controller-via-wmi","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/meraki-vpn-ad-auth-query-the-domain-controller-via-wmi","title":{"rendered":"Meraki VPN AD Auth : &#8220;Query the domain controller via WMI&#8221;"},"content":{"rendered":"<p>Meraki&#8217;s advice for enabling AD authentication for VPN is to create the service account as &#8230; Domain Administrator.<\/p><p><a href=\"https:\/\/documentation.meraki.com\/MX\/Content_Filtering_and_Threat_Protection\/Active_Directory_Integration\">https:\/\/documentation.meraki.com\/MX\/Content_Filtering_and_Threat_Protection\/Active_Directory_Integration<\/a><\/p><p>This is a big security no-no (if that account is compromised, the whole domain is compromised).<\/p><p>You can instead make this account a plain Domain User, which is enough for:<\/p><ul><li>Query the user database via LDAP<\/li><li>Query group membership via LDAP<\/li><\/ul><p>You can then grant the service account only the WMI permissions needed for &#8220;Query the domain controller via WMI&#8221; by doing the following on the domain controller.<\/p><h2 id=\"SettingWMIuseraccesspermissionsusingtheWMIControlPanel-TosettheWMIuseraccesspermissions\">To set the WMI user access permissions<\/h2><ol><li>Select <strong>Start &gt; Run<\/strong>.<\/li><li>In the Run dialog, type <strong>wmimgmt.msc<\/strong> in the <strong>Open<\/strong> field.<\/li><li>Click <strong>OK<\/strong> to display the Windows Management Infrastructure (WMI) Control Panel.<\/li><li>In the left pane of the WMI Control Panel, highlight the <strong>WMI Control (local)<\/strong> entry, right-click, and select the <strong>Properties<\/strong> menu option. 
This displays the WMI Control (Local) Properties dialog box.<\/li><li>Select the <strong>Security<\/strong> tab in the WMI Control (Local) Properties dialog box.<\/li><li>In the namespace tree within the Security tab, expand the <strong>Root<\/strong> folder. This lists the available WMI namespaces.<\/li><li>Click the <strong>CIMV2<\/strong> namespace to highlight it.<\/li><li>Click <strong>Security<\/strong> to display the Security for ROOT\\CIMV2 dialog box.<\/li><li>Click <strong>Add<\/strong> in the Security for ROOT\\CIMV2 dialog box to display the Select Users or Groups dialog box.<\/li><li>Add the domain user account that will be used as your proxy data collection user account (here, the Meraki service account). This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.<\/li><li>Click <strong>OK<\/strong> to close the Select Users or Groups dialog box and return to the Security for ROOT\\CIMV2 dialog box. The user account you selected should now be listed in the <strong>Name<\/strong> list at the top of the dialog box.<\/li><li>Select the newly added user (if it is not already selected) and enable the following permissions:<ul><li>Enable Account<\/li><li>Remote Enable<\/li><\/ul>Enable each permission by ticking its <strong>Allow<\/strong> box if it is not already checked. The <strong>Enable Account<\/strong> permission should already be selected, but the <strong>Remote Enable<\/strong> permission will need to be selected.<\/li><li>Click <strong>OK<\/strong> to close the Security for ROOT\\CIMV2 dialog box.<br \/>The permissions should now be properly set for the proxy data collection user account.<\/li><\/ol>","protected":false},"excerpt":{"rendered":"<p>Meraki&#8217;s advice for enabling AD authentication for VPN is to create the service account as &#8230; 
Domain Administrator. https:\/\/documentation.meraki.com\/MX\/Content_Filtering_and_Threat_Protection\/Active_Directory_Integration This is a big security no-no (if that account [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[2780,2783,1677,2460,1351,2784],"class_list":["post-3832","post","type-post","status-publish","format-standard","hentry","category-research","tag-auth","tag-domain-admin","tag-domain-controller","tag-meraki","tag-vpn","tag-wmi"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=3832"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3832\/revisions"}],"predecessor-version":[{"id":3833,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3832\/revisions\/3833"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=3832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=3832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=3832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}