Create User Groups for Access to Allowed Applications

Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that provide access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications closes off paths that an attacker who has compromised an ordinary user account could otherwise use to reach and control systems in your network.
To enable user-based access to applications:
  • Enable User-ID in zones from which your users initiate traffic.
  • For each application allow rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application allow rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
  • If you don’t have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.
  • It just takes one end user to click on a phishing link and supply their credentials to enable an attacker to gain access to your network. To defend against this very simple and effective attack technique, set up credential phishing protection on all of your Security policy rules that allow user access to the internet. Configure credential detection with the Windows-based User-ID agent to ensure that you can detect when your users are submitting their corporate credentials to a site in an unauthorized category.
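The following is an added example, not part of the Palo Alto Networks documentation: a small audit script that reads a security rulebase in the shape of a PAN-OS XML export (the sample below is constructed, not a real device configuration) and flags allow rules that expose sensitive applications such as remote desktop to any user instead of a named user group. The list of sensitive applications and the group DN are assumptions to be tuned for your environment.

```python
# Added example: audit a PAN-OS-style security rulebase export for allow rules
# that expose sensitive applications without restricting source-user to a group.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export
# (not taken from a real firewall; the group DN is a placeholder).
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-hr-saas">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source-user><member>known-user</member></source-user>
    <application><member>workday</member><member>servicenow</member></application>
    <action>allow</action>
  </entry>
  <entry name="allow-rdp-it">
    <from><member>trust</member></from><to><member>datacenter</member></to>
    <source-user><member>cn=it-support,ou=groups,dc=example,dc=com</member></source-user>
    <application><member>ms-rdp</member></application>
    <action>allow</action>
  </entry>
  <entry name="allow-rdp-everyone">
    <from><member>trust</member></from><to><member>datacenter</member></to>
    <source-user><member>any</member></source-user>
    <application><member>ms-rdp</member><member>ssh</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

# Applications that should only be allowed for a named group (assumption: adjust per environment).
SENSITIVE_APPS = {"ms-rdp", "ssh", "vnc", "teamviewer"}

def members(entry, tag):
    """Collect the <member> values under a given child element of a rule."""
    return [m.text for m in entry.findall(f"{tag}/member")]

def find_overexposed_rules(xml_text, sensitive=SENSITIVE_APPS):
    """Return (rule name, sensitive apps) for allow rules whose source-user is missing, 'any' or 'unknown-user'."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        if entry.findtext("action") != "allow":
            continue
        users = set(members(entry, "source-user"))
        apps = sorted(set(members(entry, "application")) & sensitive)
        if apps and (not users or users & {"any", "unknown-user"}):
            findings.append((entry.get("name"), apps))
    return findings

if __name__ == "__main__":
    for name, apps in find_overexposed_rules(SAMPLE_RULEBASE):
        print(f"{name}: allows {', '.join(apps)} without restricting source-user to a group")
```

Run against the sample, only the rule that allows RDP and SSH to any user is reported; the HR SaaS rule and the group-restricted RDP rule pass.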