If you plan to use either the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The required permissions for the service account depend on what user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges. To reduce the risk associated with compromise of the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent to function properly.
User-ID provides many methods for safely collecting user mapping information. Some of the legacy features, which were designed for environments that only required mapping of users on Windows desktops attached to the local network, require privileged service accounts. In the event that the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using these legacy features—such as client probing, NTLM authentication, and session monitoring—that require privileges that would pose a threat if compromised. The following workflow details all privileges required and provide guidance as to which User-ID features require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
Configure an Active Directory account for the User-ID Agent
Create an AD account for the User-ID agent. You must create a service account in each domain the agent will monitor. Log in to the domain controller. Right-click the Windows icon ( ), Search for Active Directory Users and Computers , and launch the application. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User. Enter the First Name, Last Name, and User logon name of the user and click Next. Enter the Password and Confirm Password, and then click Next and Finish.
Add the account to the Builtin groups that have privileges for accessing the services and hosts the User-ID agent will monitor. Right-click the service account you just added and Add to a group. Enter the object names to select as follows to assign the account to groups. Separate each entry with a semicolon. Event Log Readers or a custom group that has privileges for reading Security log events. These privileges are required if the User-ID agent will collect mapping information by monitoring Security logs. ( PAN-OS integrated agent only ) Distributed COM Users group, which has privileges for launching, activating, and using Distributed Component Object Model (DCOM) objects. ( PAN-OS integrated agent only - Not recommended ) Server Operators group, which has privileges for opening sessions. The agent only requires these privileges if you plan to configure it to refresh existing mapping information by monitoring user sessions. Because this group also has privileges for shutting down and restarting servers, assign the account to it only if monitoring user sessions is very important. ( PAN-OS integrated agent only ) If you plan to configure NTLM authentication for Captive Portal, the firewall where you’ve configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organization unit (ou=computers). The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. Consider configuring Kerberos authentication for Captive Portal instead of NTLM. Kerberos is a stronger, more secure authentication method and it does not require the firewall to join the domain. For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host. Check Names to validate your entries and click OK twice.
If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed. By default, accounts in the Server Operators group have this permission. Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients. Perform this task on each client system that the User-ID agent will probe for user mapping information: Right-click the Windows icon ( ), Search for wmimgmt.msc , and launch the WMI Management Console. In the console tree, right-click WMI Control and select Properties. Select Security, select Root > CIMV2, and click Security. Add the name of the service account you created, Check Names to verify your entry, and click OK. You might have to change the Locations or click Advanced to query for account names. See the dialog help for details. In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions. Click OK twice. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
Turn off account privileges that are not necessary. By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised. To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account: Deny interactive logon for the User-ID service account —While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to logon to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information). Deny remote access for the User-ID service account —This prevents an attacker from using the account to access your network from the outside the network.
Next steps... You are now ready to: Configure User Mapping Using the Windows User-ID Agent. Configure User Mapping Using the PAN-OS Integrated User-ID Agent.

Related Documentation