Back when I was running my MSP, my team often had to enable WMI and local firewalls for the assessment tool to successfully run. I always hated doing this because I knew I would be knowingly making our prospect’s environment less secure. And I was terrified that we’d forget to enable local firewalls again.

My worst fear was to have someone on my team make a mistake that then opened our prospect up to become more vulnerable to a cyberattack.

Why worry about WMI?

WMI is involved in identifying and granting users access based on their permission level. If WMI were disabled and an attacker got onto a machine in your environment, they likely wouldn’t be able to access much else because the user level that they entered as most likely didn’t have permissions to move throughout your network.

Why should you be concerned?

After auditing a variety of businesses that have had assessments done on their networks, I’ve seen first-hand that MSPs using network assessment tools have actually made security WORSE for the prospects they were trying to help. That is because after enabling tools like WMI, they failed to put the network back to its securer state.

How would you feel if you were that prospect getting a network checkup or vulnerability assessment, later to learn that the folks performing it—even if it were a free assessment—ended up making your security stance less safe?

Today I want to walk briefly through WMI because I want everyone to understand that disabling security settings should be completely off limits when performing network assessments and audits.
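The failure described above, where settings changed for an assessment are never restored, can be checked for by recording the firewall and WMI rule state beforehand and comparing it afterwards. The PowerShell below is an added example, not part of the original post or any assessment tool; the function names and the baseline file path are hypothetical, and it assumes an English-locale Windows host with the built-in NetSecurity module.

```powershell
# Added example: record firewall/WMI exposure before an assessment and report drift afterwards.
# Assumptions: NetSecurity module present; English display-group name; hypothetical file path.

function Get-ExposureState {
    # State of the Domain, Private and Public firewall profiles
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Item = "FirewallProfile:$($_.Name)"; Value = "$($_.Enabled)" }
    }
    # State of the inbound rules that allow remote WMI through the local firewall
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
        Where-Object Direction -eq 'Inbound' |
        ForEach-Object {
            [pscustomobject]@{ Item = "WmiInboundRule:$($_.Name)"; Value = "$($_.Enabled)" }
        }
}

function Save-ExposureBaseline {
    param([string]$Path = '.\exposure-baseline.json')
    # Run this before any assessment tooling touches the machine
    Get-ExposureState | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ExposureBaseline {
    param([string]$Path = '.\exposure-baseline.json')
    # Index the saved baseline by item name
    $before = @{}
    foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $before[$entry.Item] = $entry.Value
    }
    # Emit one row per setting whose state differs from the baseline
    foreach ($now in Get-ExposureState) {
        if ($before[$now.Item] -ne $now.Value) {
            [pscustomobject]@{
                Item   = $now.Item
                Before = $before[$now.Item]
                After  = $now.Value
            }
        }
    }
}

# Usage:
#   Save-ExposureBaseline                       # before the assessment
#   $drift = @(Compare-ExposureBaseline)        # after the assessment
#   if ($drift.Count) { $drift | Format-Table } else { 'No drift from baseline' }
```

Any row in the output, such as a firewall profile that went from `True` to `False` or a WMI inbound rule that went from `False` to `True`, is a setting that was not put back.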

Your Lateral Movement Problem

Today more than ever before, we’re noticing that lateral movement is the number one way that attackers become more invasive within your systems. Network-wide attacks rely on lateral moves within your network to cause more damage and leverage bigger payouts. The more opportunities you open up for lateral moves, the worse off you or your client will be in the event of an attack.

Attackers are frequently moving laterally with tools inside Windows and we’ve been seeing WMI pop up quite often as a culprit of this movement.

When WMI is turned on or configured properly, attackers can launch processes on multiple computers across the network. Within minutes, an incident affecting one computer can grow to several hundred compromised machines. I have had the unfortunate responsibility of recovering a hospital from ransomware stemming from a situation like this.

What I want to strike home today is that creating security risks within your client or prospect environments should not happen. If your tools require you to open up WMI in order to work correctly, there is something terribly wrong.

As MSPs, we are the stewards of data. We are the ones everyone else expects to do the right thing and know how to keep information secure. If you’re reading this, I know you take security seriously and want what’s best for your clients.

What I want you to know is that if you’re currently using tools that force you to enable WMI, or disable local firewalls, or require administrator credentials just to generate reports, you’re doing it the old, insecure way.

There’s a better way

I decided to sell my MSP in January of 2020 because I knew there was a better way to help MSPs become more effective in selling. Part of this is being able to sell WITHOUT opening holes on a prospect’s network. When reading headlines back in 2018 and 2019 about MSPs being the target of ransomware attacks, I knew that something had to change.

What I came up with was a way for MSPs both to check that their systems were running as expected (or promised) and to prospect and educate prospective clients without using tools that opened them and their prospects to more security risks.

The better way than network assessments? To show your prospects how they are vulnerable to an attack through penetration testing. If you’re interested in learning more, consider testing your systems against the latest hacking techniques with a cyber stack evaluation.