Create a Dedicated Service Account for the User-ID Agent
PAN-OS 9.1 (EoL)
To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The User-ID agent maps users based on logs for security events. To ensure that the User-ID agent can successfully map users, verify that the source for your mappings generates logs for Audit Logon, Audit Kerberos Authentication Service, and Audit Kerberos Service Ticket Operations events. At a minimum, the source must generate logs for the following events:
- Logon Success (4624)
- Authentication Ticket Granted (4768)
- Service Ticket Granted (4769)
- Ticket Granted Renewed (4770)
The required permissions for the service account depend on the user mapping methods and settings you plan to use. For example, the PAN-OS integrated User-ID agent requires Server Operator privileges for the service account to monitor user sessions, whereas the Windows-based User-ID agent does not. To reduce the risk of compromising the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent.
- If you are installing the Windows-based User-ID agent on a supported Windows server, Configure a Service Account for the Windows User-ID Agent.
- If you are using the PAN-OS integrated User-ID agent on the firewall, Configure a Service Account for the PAN-OS Integrated User-ID Agent.
User-ID provides many methods for safely collecting user mapping information. Some legacy features, designed for environments that only required user mapping for Windows desktops attached to the local network, require privileged service accounts. If a privileged service account is compromised, it opens your network to attack. As a best practice, avoid legacy features that require privileges which would pose a threat if compromised, such as client probing, NTLM authentication, and session monitoring.
Configure a Service Account for the Windows User-ID Agent
Create a dedicated Active Directory (AD) service account for the Windows User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the Windows User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat, so that you can decide how best to identify users without compromising your overall security posture.
- Create an AD service account for the User-ID agent. You must create a service account in each domain the agent will monitor.
- Log in to the domain controller.
- Right-click the Windows icon (
- In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
- Enter the First Name, Last Name, and User logon name of the user and click Next.
- Enter the Password and Confirm Password, then click Next and Finish.
- Configure either local or group policy to allow the service account to log on as a service. The permission to log on as a service is only needed locally on the Windows server that is the agent host.
- To assign permissions locally:
- Select Control Panel > Administrative Tools > Local Security Policy.
- Select Local Policies > User Rights Assignment > Log on as a service.
- Add User or Group to add the service account.
- Enter the object names to select (the service account name) in domain\username format and click OK.
- To configure group policy if you are installing Windows User-ID agents on multiple servers, use the Group Policy Management Editor.
- Select Start > Group Policy Management > <your domain> > Default Domain Policy > Action > Edit for the Windows server that is the agent host.
- Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Right-click Log on as a service, then select Properties.
- Add User or Group to add the service account username or builtin group, then click OK twice. Administrators have this privilege by default.
- If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.
- Select Active Directory Users and Computers > <your domain> > Builtin > Distributed COM Users.
- Right-click and select Properties > Members > Add, then enter the service account name.
- If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed. Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients. Perform this task on each client system that the User-ID agent will probe for user mapping information:
- Right-click the Windows icon (
- In the console tree, right-click WMI Control and select Properties.
- Select the Security tab, then select Root > CIMV2, and click the Security button.
- Add the name of the service account you created, Check Names to verify your entry, and click OK. You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
- In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.
- Click OK twice.
- Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
- If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
- On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run, enter MMC.
- Select File > Add/Remove Snap-in > Active Directory Users and Computers > Add, then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.
- Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Properties > Members.
- Add the service account, then click Check Names to validate that you have the proper object name.
- Click OK twice to save the settings.
- Confirm that the builtin Event Log Readers group lists the service account as a member (Event Log Readers > Properties > Members).
- Assign account permissions to the installation folder to allow the service account to access the agent's installation folder to read the configuration and write logs. You only need to perform this step if the service account you configured for the User-ID agent is not either a domain administrator or a local administrator on the User-ID agent server host.
- From Windows Explorer, navigate to C:\Program Files (x86)\Palo Alto Networks, right-click the folder, and select Properties.
- On the Security tab, click Edit.
- Add the User-ID agent service account and Allow the Modify, Read & execute, List folder contents, Read, and Write permissions, then click OK to save the account settings. If you do not want to configure individual permissions, you can Allow the Full Control permission instead.
- To allow the agent to make configuration changes (for example, if you select a different logging level), give the service account permissions to the User-ID agent registry sub-tree.
- Select Start > Run, enter regedt32, and navigate to the Palo Alto Networks sub-tree in one of the following locations:
- 32-bit systems—HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
- 64-bit systems—HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
- Right-click the Palo Alto Networks node and select Permissions.
- Assign the User-ID service account Full Control and then click OK to save the setting.
- Disable service account privileges that are not required. By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised. To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account.
- Deny interactive logon for the User-ID service account—While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
- Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
- For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties.
- Select Define these policy settings > Add User or Group and add the service account name, then click OK.
- Deny remote access for the User-ID service account—This prevents an attacker from using the account to access your network from outside the network.
- Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
- Right-click the service account name, then select Properties.
- Select Dial-in, then Deny the Network Access Permission.
- As a next step, Configure User Mapping Using the Windows User-ID Agent.
Configure a Service Account for the PAN-OS Integrated User-ID Agent
Create a dedicated Active Directory (AD) service account for the PAN-OS integrated User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat, so that you can decide how best to identify users without compromising your overall security posture.
- Create an AD service account for the User-ID agent. You must create a service account in each domain the agent will monitor.
- Log in to the domain controller.
- Right-click the Windows icon (
- In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
- Enter the First Name, Last Name, and User logon name of the user and click Next.
- Enter the Password and Confirm Password, then click Next and Finish.
- If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
- On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run, enter MMC.
- Select File > Add/Remove Snap-in > Active Directory Users and Computers > Add, then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.
- Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Properties > Members.
- Add the service account, then click Check Names to validate that you have the proper object name.
- Click OK twice to save the settings.
- Confirm that the builtin Event Log Readers group lists the service account as a member (Event Log Readers > Properties > Members).
- If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.
- Select Active Directory Users and Computers > <your domain> > Builtin > Distributed COM Users.
- Right-click and select Properties > Members > Add, then enter the service account name.
- Enable the service account to read the CIMV2 namespace on the domain controllers you want to monitor and assign the required permissions on the client systems to be probed. Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients. Perform this task on each client system that the User-ID agent will probe for user mapping information:
- Right-click the Windows icon (
- In the console tree, right-click WMI Control and select Properties.
- Select the Security tab, then select Root > CIMV2, and click the Security button.
- Add the name of the service account you created, Check Names to verify your entry, and click OK. You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
- In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.
- Click OK twice.
- Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
- (Not Recommended) To allow the agent to monitor user sessions to poll Windows servers for user mapping information, assign Server Operator privileges to the service account. Because this group also has privileges for shutting down and restarting servers, only assign the account to this group if monitoring user sessions is very important.
- Select Active Directory Users and Computers > <your domain> > Builtin > Server Operators group.
- Right-click and select Properties > Members > Add, then add the service account name.
- If you want to configure NTLM authentication for Captive Portal, configure the firewall to join the domain. If you plan to configure NTLM authentication for Captive Portal, the firewall where you've configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organizational unit (ou=computers). For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host. The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. As a best practice, configure Kerberos single sign-on (SSO) or SAML SSO authentication for Captive Portal instead of NTLM. Kerberos and SAML are stronger, more secure authentication methods and do not require the firewall to join the domain.
- Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
- Right-click the domain and select Delegate Control.
- Click Next, then Add the service account name and click OK.
- Click Next, then Join a computer to the domain.
- Click Next, verify the service account information, then Finish.
- Disable service account privileges that are not required. By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised. To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
- Deny interactive logon for the User-ID service account—While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
- Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
- For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties, then select Define these policy settings > Add User or Group, add the service account name, and click OK.
- Deny remote access for the User-ID service account—This prevents an attacker from using the account to access your network from outside the network.
- Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
- Right-click the service account name, then select Properties.
- Select Dial-in, then Deny the Network Access Permission.
- As a next step, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
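The account creation, Event Log Readers membership, optional DCOM membership, and Dial-in deny steps are the same for both agents above, and the audit-event prerequisite at the top of this page can be checked from the same place. The following PowerShell is an added example, not a Palo Alto Networks script: it assumes the ActiveDirectory module (RSAT) on a domain controller, run as a domain administrator, and uses the constructed placeholder account name svc-userid.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Palo Alto Networks' own script. Provisions a least-privilege
# User-ID service account as described on this page and verifies the result.
# Assumes: run as a domain administrator on a domain controller with RSAT.
# 'svc-userid' is a constructed placeholder; the -UseWmi switch is only for
# deployments that rely on WMI, which this page discourages.
param(
    [string]$SamAccountName = 'svc-userid',
    [switch]$UseWmi
)

Import-Module ActiveDirectory

# 1. Prerequisite check: the mapping source must log 4624/4768/4769/4770.
#    auditpol lists each subcategory as "  <name>   <setting>"; "No Auditing"
#    means the Security log will not receive those events.
$subcategories = 'Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'
foreach ($sub in $subcategories) {
    $pattern = '^\s+' + [regex]::Escape($sub) + '\s'
    $line = auditpol /get /subcategory:"$sub" | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $line -or $line.Line -match 'No Auditing') {
        Write-Warning "Audit subcategory '$sub' is not enabled: $($line.Line)"
    } else {
        Write-Host "OK: $($line.Line.Trim())"
    }
}
foreach ($id in 4624, 4768, 4769, 4770) {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { Write-Host "OK: event $id last seen $($ev.TimeCreated)" }
    else     { Write-Warning "No event $id found in the Security log" }
}

# 2. Create the dedicated service account (one per monitored domain).
#    The password is prompted so it never lands in a script or history file.
$password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$((Get-ADDomain).DNSRoot)" `
        -AccountPassword $password -Enabled $true `
        -Description 'User-ID agent service account (least privilege)'
}

# 3. Server Monitoring only needs membership in the builtin Event Log Readers group.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SamAccountName

# 4. WMI queries additionally need DCOM rights; skipped unless explicitly requested.
if ($UseWmi) { Add-ADGroupMember -Identity 'Distributed COM Users' -Members $SamAccountName }

# 5. "Deny" for the Dial-in tab's Network Access Permission is the msNPAllowDialin
#    attribute set to FALSE, which removes the account's remote-access use.
Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false }

# The "Log on as a service" grant and the three "Deny log on ..." rights are
# user-rights assignments and stay in Local Security Policy / Group Policy,
# exactly as the steps on this page describe.

# 6. Verify least privilege: required group present, privileged groups absent.
#    Server Operators is only used by the Not Recommended session-monitoring step.
function Test-UserIdServiceAccount {
    param([string]$Sam)
    $groups = (Get-ADPrincipalGroupMembership -Identity $Sam).Name
    $user   = Get-ADUser -Identity $Sam -Properties msNPAllowDialin
    [pscustomobject]@{
        Account             = $Sam
        EventLogReaders     = $groups -contains 'Event Log Readers'
        DistributedCOMUsers = $groups -contains 'Distributed COM Users'
        ServerOperators     = $groups -contains 'Server Operators'   # expect False
        DomainAdmins        = $groups -contains 'Domain Admins'      # expect False
        DialInDenied        = $user.msNPAllowDialin -eq $false
    }
}
Test-UserIdServiceAccount -Sam $SamAccountName | Format-List
```

Run it once per domain the agent will monitor; any True under ServerOperators or DomainAdmins, or False under DialInDenied, means the account carries more privilege than this page calls for.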