-1

Microsoft's instructions for configuring Windows Event Forwarding from event source computers to an event collector server that isn't in the same domain with the sources seems wildly problematic from a security standpoint (https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription#setting-up-a-source-initiated-subscription-where-the-event-sources-are-not-in-the-same-domain-as-the-event-collector-computer). The instructions walk you through enabling certificate-based authentication for WinRM (Windows Remote Management) on the event collector server, then mapping the client certificates presented by the event source computer to a "local administrator account" on the event collector server. This strikes me as ridiculously insecure and unwise, especially when what I'm trying to do is get non-domain hosts in a DMZ to send events to a domain server on an internal network. I saw someone else describe this as "handing out a root login on a syslog server to a syslog source."

Is there a less irresponsible way to set this up?

George Glynn
  • 1
  • I do not see this requirement in the page you refer to. It can be that it has been removed, but right now I am sending logs between non domain joined hosts using certificates and no local administrative account as the mapped account. I have even disabled the account after mapping the certificate, and it still works after a reboot of the WEC. – natxo asenjo Mar 11 '23 at 14:17

1 Answers1

0

I also saw this requirement and it looked to me absolutely ridiculous from the security point of view, as there is no reason that the administrator account get such privileged access.

To mitigate this, and instead of granting read access permissions to the "Administrator" account on the concerned certificate private key, I simply granted this access to the "Network system" account. And it worked!

However I found quiet complex to apply such a change on a large organization and you may need to script it to make it happening. Hope it helped...

Michel de Crevoisier
  • 571
  • 4
  • 9
  • I have recently setup this as well, and no administrative access was required on the WEC host. In fact I have disabled the user account and it still working (after rebooting the WEC, logs still come from WEFs authenticating with the certificate mapping). This in in windows 2022. – natxo asenjo Mar 11 '23 at 14:12