WMI filters in Group Policy gives me errors

When I started working with WMI filters to use in Group Policy, I was struck down by an error “Either the namespace entered is not a valid namespace on the local computer or you do not have access to this namespace on this computer”, the namespace being root\CIMv2.

After researching this issue on the Internet, I realised that I was not alone by any means; it seemed like a great deal of people had these problems. They felt their WMI queries were correct, but Windows told them differently every time they saved the query. So, what to do about this?

First of all, make sure that you can list the root\CIMv2 namespace. You can do this in PowerShell with the following command:

PS1> (gwmi -namespace "root" -class "__Namespace" | Select Name)

You should see CIMv2 listed; otherwise you have bigger problems. Then you have to head into troubleshooting WMI and perhaps even repairing your WMI repository. You can read more about this at lansweeper.com. Microsoft also has a guide for WMI troubleshooting as well as a specific tool called the WMI Diagnosis Utility.

If you do see it, chances are that the error produced in GPMC (Group Policy Management Console) is actually just an irritating bug. I found two tools that can actually help you in building your queries: the PowerShell “gwmi” command and WMI Code Creator from Microsoft. The latter tool can produce code for querying WMI, but the reason I employ it is that it easily allows me to find all classes and parameters as well as query the properties on the machine I run it on. It can also query a remote machine. This allows me to check my WMI filters to see that they target the right type of computers, or whatever the case may be.

The “gwmi” command is quite useful as it has a query flag which can be used like this:

PS1> gwmi -Query 'Select * from Win32_OperatingSystem where Version like "6.1%"'

This allows you to run your WMI query and check the output. The example above should produce output if you are running Windows 7. A very neat resource of WMI queries for different operating systems can be found on nogeekleftbehind.com.

WMI filters can be very powerful when employed in Group Policy. Instead of having to target every organisational unit that contains workstations running Windows 7, one WMI filter targeting all Windows 7 machines can be used instead. However, a word of caution: it is easy to make a mistake in your WMI filter, and you can end up targeting other machines than the ones intended. This can produce some strange problems, so do test your WMI queries once or twice before deploying them.
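The namespace check, the gwmi query and the "test before you deploy" advice above can be combined into one script. The following is an added example, not code from the original post; it assumes Windows PowerShell with Get-WmiObject available, and the computer names 'WS01' and 'WS02' are placeholders for your own hosts.

```powershell
# Added example (not from the original post): validate a WMI filter's namespace,
# then run its WQL query against one or more machines to see which ones it matches.
# Assumes Windows PowerShell with Get-WmiObject; computer names are placeholders.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string]   $Query,
        [string]   $Namespace    = 'root\CIMv2',
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    # Split "root\CIMv2" into parent ("root") and leaf ("CIMv2") so the leaf can be
    # checked against the parent's __Namespace class, as in the post's first command.
    $parent = Split-Path -Path $Namespace -Parent
    $leaf   = Split-Path -Path $Namespace -Leaf

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            NamespaceOK  = $false
            MatchCount   = 0
            Matches      = $false
            Error        = $null
        }
        try {
            $names = Get-WmiObject -ComputerName $computer -Namespace $parent `
                                   -Class '__Namespace' -ErrorAction Stop |
                     Select-Object -ExpandProperty Name
            $result.NamespaceOK = ($names -contains $leaf)
            if (-not $result.NamespaceOK) {
                throw "Namespace '$Namespace' was not found on $computer"
            }
            # Group Policy treats a WMI filter as matching a machine when the query
            # returns at least one instance, so report the instance count explicitly.
            $hits = @(Get-WmiObject -ComputerName $computer -Namespace $Namespace `
                                    -Query $Query -ErrorAction Stop)
            $result.MatchCount = $hits.Count
            $result.Matches    = ($hits.Count -gt 0)
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# The Windows 7 filter from the post, run against two placeholder hosts.
Test-WmiFilterQuery -Query 'Select * from Win32_OperatingSystem where Version like "6.1%"' `
                    -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

A row with Matches set to True is a machine the filter would apply to; a row with an Error but NamespaceOK False reproduces the namespace problem the post opens with on that host.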

I still get the same error as I started this post with when I try to save a WMI filter in GPMC, but it works nevertheless. The domain controller is fully patched, but it has not resolved the issue. For the time being, it seems that I have to live with this, but as long as it still works, I can deal with it.

EC-Council certification – Never again

A lot of websites and blogs out there use WordPress as their platform, including mine. It has tons of features, is quite easy to use, and the security is not bad either as long as it is properly maintained. As for EC-Council, they must have missed something when it comes to security for their CMS, which also uses WordPress.

As I have written before, anyone can get hacked; usually it is just a matter of time. It occurred to me today, actually, that I should tighten my own security measures a bit. The reason for this is that I get regular reports of script kiddies trying to brute force my username and password for this blog. Nothing new, it probably happens to most of us. My password is not found in any dictionary out there as far as I know, but anyway, given enough time, even a script kiddie can get lucky. So, by adding multi-factor authentication as a requirement for logging in to my blog, I have made it a lot harder to gain unauthorized access. It was simple to do, took less than 10 minutes, and there was no cost except for the 10 minutes spent setting it up. Also, thanks to my hosting provider, I enabled SSL for this site, which means my username and password are not submitted in clear text anymore. Yes, of course, I changed the password for this blog over SSL to make sure I am the only one with knowledge of my password.

Being hacked is one thing; being hacked and having your website infect visitors with one of the worst pieces of malware out there is even more troublesome. The thing that makes it beyond bad is the fact that EC-Council certifies people for having skills in IT security, myself included. Teaching people and not living as you teach and preach is perhaps the best way of losing everyone's respect. In an industry that needs more skilled professionals, actions like those taken by EC-Council are not what we want to see. Several people have argued that once EC-Council knew about the exploit kit, their site should have been removed from the network and reinstated once it was cleaned. Instead it remained on the network for several days, and by doing so, they might have helped spread the exploit kit to unsuspecting visitors. To me, this behaviour is not OK, it simply is not. I can appreciate the shame and guilt that comes with being hacked, but acting responsibly could have at least restored some credibility on their behalf; instead they did the opposite.

Honestly, the CEH certification that I have is not worth much, as it does not really prove much. However, the training I took was great. The material was OK, the teacher was excellent, an older British gentleman with a background from GCHQ. He knew his stuff very well, so I learned a lot that week, no doubt about that.

EC-Council has cleaned their website as of March 26th according to their announcement, but I find it quite interesting that they made the announcement on Facebook and Twitter. Should they not at least acknowledge the fact on their website and, even more, inform visitors of what could have infected them and give them guidelines on how to check whether they became victims of this attack? Instead, they go with the silent treatment in the hope that this incident will pass and fade over time.

I just wonder, does EC-Council really have a future after this and their DNS compromise in 2014? I do not know, but I will not keep my CEH certification once it expires. It did not stand for much before all this and now I feel it does not stand for anything good at all. So long EC-Council.

The blog post about EC-Council serving an exploit kit can be found at http://blog.fox-it.com/2016/03/24/website-of-security-certification-provider-spreading-ransomware/