How to create a dedicated user with the least privileges for the SSO agent

Description

The SSO agent can identify users through NetAPI, WMI, or the DC/Exchange Security log. NetAPI and WMI each work on their own; the DC/Exchange Security log method additionally depends on WMI. If you choose the DC/Exchange Security log as the identification mechanism, you must therefore also enable WMI access on the DC or Exchange server, so that the SSO agent can retrieve the information it needs from that server through WMI.

Resolution

1.    Create a dedicated domain user for the SSO agent

On the DC, open "Active Directory Users and Computers" and add a domain user. The steps below use SSODC1\sso_test as an example. Leave the account as an ordinary domain user; it does not need Domain Admins or Administrators membership.

2.    Grant "Log on as a service"

Open Group Policy Management, right-click the GPO node (highlighted in the original screenshot; it must be a GPO that applies to the host on which the SSO agent service runs, because that is where the right is checked) and select "Edit" to open the "Group Policy Management Editor".

In the "Group Policy Management Editor", go to "User Rights Assignment" (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies), double-click "Log on as a service" and add "SSODC1\sso_test" to it.

3.    DC/Exchange Security log support

Add the user "SSODC1\sso_test" to the "Event Log Readers" group. This grants read access to the event logs without any administrative rights.

In the Windows Defender Firewall settings, select "Allow an app or feature through Windows Defender Firewall" and allow "Remote Event Log Management".
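The DC-side part of the procedure (steps 1 to 3) as a script. This is an added example, not code from the SonicWall article; it assumes the SSODC1 domain and sso_test account name used above, and the OU path and UPN suffix are assumptions to adjust. It runs in an elevated Windows PowerShell on the DC with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not code from the SonicWall article: provision the dedicated account with
# only what steps 1-3 require. Run in an elevated Windows PowerShell on the DC (needs the
# ActiveDirectory RSAT module). The OU path and UPN suffix are assumptions.
Import-Module ActiveDirectory

$Sam = 'sso_test'
$Ou  = 'OU=ServiceAccounts,DC=SSODC1,DC=local'     # assumed OU
$Pwd = Read-Host -AsSecureString "Password for $Sam"

# Step 1: an ordinary domain user. No Domain Admins or Administrators membership.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@ssodc1.local" `
        -Path $Ou -AccountPassword $Pwd -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'SonicWall SSO agent service account'
}
$Sid = (Get-ADUser -Identity $Sam).SID.Value

# Step 3: read-only access to the DC Security log. Event Log Readers is the built-in group
# for exactly this, so no administrative membership is needed for the log method.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Sam

# Step 2: "Log on as a service" (SeServiceLogonRight). The article grants it through a GPO;
# this grants it in the local security policy of the host that runs the SSO agent service,
# which is where the right is checked at service start. On a domain controller the
# Default Domain Controllers Policy overrides local policy, so there use the GPO as the article does.
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
$Db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = [string[]](Get-Content -Path $Cfg)
$Idx = -1
for ($i = 0; $i -lt $Lines.Count; $i++) {
    if ($Lines[$i] -like 'SeServiceLogonRight*') { $Idx = $i }
}
if ($Idx -ge 0) {
    # Append our SID to the existing holders (NT SERVICE\ALL SERVICES etc.) instead of replacing them.
    if ($Lines[$Idx] -notlike "*$Sid*") {
        $Sep = if ($Lines[$Idx].TrimEnd().EndsWith('=')) { ' ' } else { ',' }
        $Lines[$Idx] = $Lines[$Idx].TrimEnd() + "$Sep*$Sid"
    }
} else {
    $Sec = [array]::IndexOf($Lines, '[Privilege Rights]')
    if ($Sec -lt 0) { $Lines += '[Privilege Rights]'; $Sec = $Lines.Count - 1 }
    $Tail = if ($Sec + 1 -lt $Lines.Count) { $Lines[($Sec + 1)..($Lines.Count - 1)] } else { @() }
    $Lines = $Lines[0..$Sec] + "SeServiceLogonRight = *$Sid" + $Tail
}
Set-Content -Path $Cfg -Value $Lines -Encoding Unicode      # secedit templates must be Unicode
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $Cfg, $Db -ErrorAction SilentlyContinue

# Step 3 (firewall): open only the Event Log RPC endpoint on the DC, not the whole DCOM surface.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
```

The secedit merge matters: writing a template that contains only `SeServiceLogonRight = *<SID>` would strip the right from every account that currently holds it, including the virtual service accounts Windows relies on, so the script exports the current assignment and appends the new SID to it.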

4.    WMI support

To let the SSO agent query information through WMI from client machines, make the following changes on each client machine.

NOTE: To support reading the Security log from the DC/Exchange server, the same changes below are also needed on the DC/Exchange server, except for the lusrmgr.msc step.

Search for and open lusrmgr.msc from the Start menu and add the user "SSODC1\sso_test" to the "Distributed COM Users" group (required for remote DCOM/WMI activation) and, as the original procedure does, to the "Remote Desktop Users" group. Note that Remote Desktop Users membership also permits interactive RDP logon to the machine, which WMI queries do not need.

Search for and open "dcomcnfg" from the Start menu, right-click the "My Computer" node and select "Properties" to open the "My Computer Properties" dialog.

In the "My Computer Properties" dialog, click the "COM Security" tab and then click "Edit Limits" under "Launch and Activation Permissions".

In the "Launch and Activation Permission" dialog, select "Distributed COM Users" and allow all four permissions (Local Launch, Remote Launch, Local Activation, Remote Activation).

Search for and open "wmimgmt.msc" from the Start menu. Right-click "WMI Control (Local)" and select "Properties". In the dialog, select the "Security" tab, select the "Root" node, then click the "Security" button.

In the dialog that opens, add "SSODC1\sso_test", select it, and allow the "Execute Methods", "Enable Account", "Remote Enable", and "Read Security" permissions. Leave the write permissions (Full Write, Partial Write, Provider Write, Edit Security) unchecked; the agent only needs to read.

Click the "Advanced" button, select the sso_test entry, click "Edit", and change "Apply to" to "This namespace and subnamespaces" so the permissions are inherited by root\cimv2 and the other namespaces under Root.

In the Windows Defender Firewall settings, allow "Windows Management Instrumentation (WMI)".

5.    NetAPI support

To support NetAPI, SSODC1\sso_test must be a member of the local "Server Operators" or "Print Operators" group on the client machine. If neither group exists on that machine, SSODC1\sso_test must be added to the local "Administrators" group instead. Note that this gives the agent account full administrative control of that client, so weigh it against using WMI, which works without it. In addition, in the Windows Defender Firewall settings, allow "File and Printer Sharing".
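The per-client part of the procedure (steps 4 and 5) as a script, written here as an added example rather than taken from the SonicWall article. It assumes the SSODC1\sso_test account from the article and Windows PowerShell 5.1 (the WMI cmdlets and the [wmiclass] accelerator it uses are not in PowerShell 7). Run it elevated on each client; set $ServerRole to $true on the DC or Exchange server, where the article skips the lusrmgr.msc step and NetAPI is not used. The "Edit Limits" step is verified rather than rewritten, because the machine-wide DCOM limits are a binary security descriptor in the registry and a mistake there can lock DCOM for every account.

```powershell
# Added example, not code from the SonicWall article. Windows PowerShell 5.1, elevated.
$Account     = 'SSODC1\sso_test'
$ServerRole  = $false   # $true on the DC/Exchange server: no local group changes, no NetAPI
$AddRdpUsers = $false   # the article also adds Remote Desktop Users; that permits RDP logon, so opt in
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 4 (lusrmgr.msc): Distributed COM Users is what remote DCOM activation needs.
if (-not $ServerRole) {
    Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Account -ErrorAction SilentlyContinue
    if ($AddRdpUsers) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account -ErrorAction SilentlyContinue
    }
}

# Step 4 (dcomcnfg, "Edit Limits"): check the machine-wide launch/activation limits.
# S-1-5-32-562 is the well-known SID of Distributed COM Users; in the COM access mask
# 0x4 = Remote Launch and 0x10 = Remote Activation, the two bits remote queries need.
$Raw = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).MachineLaunchRestriction
if ($Raw) {
    $Limits = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$Raw, 0)
    $Have = 0
    foreach ($Ace in $Limits.DiscretionaryAcl) {
        if ($Ace.AceType -eq 'AccessAllowed' -and $Ace.SecurityIdentifier.Value -eq 'S-1-5-32-562') {
            $Have = $Have -bor $Ace.AccessMask
        }
    }
    if (($Have -band 0x14) -ne 0x14) {
        Write-Warning 'Distributed COM Users lacks Remote Launch/Activation in Edit Limits; set it in dcomcnfg.'
    }
} else {
    Write-Host 'MachineLaunchRestriction is not set; confirm the Edit Limits entries in dcomcnfg.'
}

# Step 4 (wmimgmt.msc): Enable Account (0x1), Execute Methods (0x2), Remote Enable (0x20)
# and Read Security (0x20000) on root, inherited by subnamespaces (AceFlags 0x2 = CONTAINER_INHERIT).
# No write bits: the agent only reads.
$Mask = 0x1 -bor 0x2 -bor 0x20 -bor 0x20000
$Wmi  = @{ Namespace = 'root'; Path = '__systemsecurity=@' }
$Sd   = (Invoke-WmiMethod @Wmi -Name GetSecurityDescriptor).Descriptor
$Trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$Trustee.SidString = $Sid
$Ace = ([wmiclass]'Win32_Ace').CreateInstance()
$Ace.AccessMask = $Mask
$Ace.AceFlags   = 0x2
$Ace.AceType    = 0            # ACCESS_ALLOWED
$Ace.Trustee    = $Trustee
$Sd.DACL += $Ace.PSObject.ImmediateBaseObject
$Result = Invoke-WmiMethod @Wmi -Name SetSecurityDescriptor -ArgumentList $Sd.PSObject.ImmediateBaseObject
if ($Result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($Result.ReturnValue)" }

# Step 4 (firewall): the WMI/DCOM rule group only.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# Step 5 (NetAPI): an operators group where one exists; local Administrators only as a last resort.
if (-not $ServerRole) {
    $Group = @('Server Operators', 'Print Operators') |
        Where-Object { Get-LocalGroup -Name $_ -ErrorAction SilentlyContinue } |
        Select-Object -First 1
    if (-not $Group) {
        Write-Warning 'No operators group on this machine; falling back to Administrators (full control).'
        $Group = 'Administrators'
    }
    Add-LocalGroupMember -Group $Group -Member $Account -ErrorAction SilentlyContinue
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}
```

The namespace ACE is appended to the existing DACL rather than replacing it, so the default entries for Administrators and Authenticated Users stay intact; running the script twice adds a second, identical ACE, which is harmless but worth removing in wmimgmt.msc.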

6.    SSO agent configuration

In "Service Management", enter "SSODC1\sso_test" and its password, then restart the service.

Grant sso_test Full Control on the "C:\ProgramData\SonicWall\SSOAgent" folder.

7.    Changes for the Windows DCOM Server Security Feature

To improve DCOM security, Microsoft released hardening changes for DCOM (KB5004442, addressing CVE-2021-26414). They raise the authentication level a DCOM server requires for activation requests, so a patched server rejects requests from an unpatched client that still uses a lower level.

Install the security update on all servers and clients. If a machine with the SSO agent installed has not been patched and tries to query users via WMI or the DC log on a patched machine, the query will fail.

More information is on this page:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Do not try to work around this by editing the registry. Disabling the hardening changes through the registry no longer has any effect once a machine has installed the update Microsoft released in March 2023, which made the hardening mandatory.

For all servers and clients, install the update released on November 8, 2022, or a later cumulative update.

Possible issues and troubleshooting steps

  1. If the target address is a server, querying the user through WMI might fail or return the wrong user. WMI can only reliably report the console (interactive) logon, and a server typically has no console session or several remote sessions, so there is no single answer.
  2. If a client machine cannot be reached through WMI after applying the settings above, rebooting the client machine might resolve the issue.
  3. The dedicated user you entered in "Service Management" may itself be identified and shown on the "Users and Hosts" page, even though you never logged on to that IP address with this user. This is typically a side effect of the agent connecting to that host as the service account, not a sign that the credentials are in use elsewhere.
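A verification pass to run from the SSO agent host before pointing the agent at a machine, which exercises each access path the procedure above grants and maps the failures to the settings they indicate. This is an added example, not code from the SonicWall article; WS01 and SSODC1 are assumed host names and it prompts for the sso_test password.

```powershell
# Added example, not code from the SonicWall article: verify from the SSO agent host that
# SSODC1\sso_test has exactly the access the agent needs. WS01 and SSODC1 are assumed names.
$Cred   = Get-Credential -UserName 'SSODC1\sso_test' -Message 'SSO agent account'
$Client = 'WS01'      # assumed client machine
$Dc     = 'SSODC1'    # assumed domain controller

# 1. WMI over DCOM, the path the agent uses. "Access is denied" points at the namespace ACL,
#    the DCOM limits or Distributed COM Users membership; an RPC error points at the firewall group.
$Opt = New-CimSessionOption -Protocol Dcom
try {
    $S  = New-CimSession -ComputerName $Client -Credential $Cred -SessionOption $Opt -ErrorAction Stop
    $Cs = Get-CimInstance -CimSession $S -ClassName Win32_ComputerSystem -ErrorAction Stop
    # UserName is the console logon; empty on a server with no console session (troubleshooting item 1).
    "WMI OK on $Client, console user: '$($Cs.UserName)'"
    Remove-CimSession -CimSession $S
} catch {
    Write-Warning "WMI to $Client failed: $($_.Exception.Message)"
}

# 2. DC Security log as the agent reads it (Event Log Readers + Remote Event Log Management).
#    Property indexes of event 4624: 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType.
try {
    Get-WinEvent -ComputerName $Dc -Credential $Cred -MaxEvents 5 -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object {
            '{0} {1}\{2} logon type {3}' -f $_.TimeCreated, $_.Properties[6].Value,
                $_.Properties[5].Value, $_.Properties[8].Value
        }
} catch {
    Write-Warning "Security log read on $Dc failed: $($_.Exception.Message)"
}

# 3. DCOM hardening (KB5004442): a patched target logs DistributedCOM event 10036 in its System
#    log when it rejects an activation at too low an authentication level, which is what an
#    unpatched SSO agent host produces. Runs as the current (administrative) user, because
#    sso_test is deliberately not an Event Log Reader on client machines.
Get-WinEvent -ComputerName $Client -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036 } |
    ForEach-Object { "$($_.TimeCreated) $($_.Message)" }
```

If check 1 succeeds with the account but the agent still reports nothing for the host, the remaining difference is the "Log on as a service" right on the agent host itself, which this script does not exercise because it runs in an interactive session.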
