End-of-Life (EoL)

Create a Dedicated Service Account for the User-ID Agent

If you plan to use either the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The required permissions for the service account depend on what user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges. To reduce the risk associated with compromise of the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent to function properly.
User-ID provides many methods for safely collecting user mapping information. Some of the legacy features, which were designed for environments that only required mapping of users on Windows desktops attached to the local network, require privileged service accounts. In the event that the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using these legacy features—such as client probing, NTLM authentication, and session monitoring—that require privileges that would pose a threat if compromised. The following workflow details all privileges required and provide guidance as to which User-ID features require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
  1. Create an AD account for the User-ID agent.
    You must create a service account in each domain the agent will monitor.
    1. Log in to the domain controller.
    2. Right-click the Windows icon ( ),
      Active Directory Users and Computers
      , and launch the application.
    3. In the navigation pane, open the domain tree, right-click
      Managed Service Accounts
      and select
    4. Enter the
      First Name
      Last Name
      , and
      User logon name
      of the user and click
    5. Enter the
      Confirm Password
      , and then click
  2. Add the account to the Builtin groups that have privileges for accessing the services and hosts the User-ID agent will monitor.
    1. Right-click the service account you just added and
      Add to a group
    2. Enter the object names to select
      as follows to assign the account to groups. Separate each entry with a semicolon.
      • Event Log Readers
        or a custom group that has privileges for reading Security log events. These privileges are required if the User-ID agent will collect mapping information by monitoring Security logs.
      • (
        PAN-OS integrated agent only
        Distributed COM Users
        group, which has privileges for launching, activating, and using Distributed Component Object Model (DCOM) objects.
      • (
        PAN-OS integrated agent only - Not recommended
        Server Operators
        group, which has privileges for opening sessions. The agent only requires these privileges if you plan to configure it to refresh existing mapping information by monitoring user sessions.
        Because this group also has privileges for shutting down and restarting servers, assign the account to it only if monitoring user sessions is very important.
      • (
        PAN-OS integrated agent only
        ) If you plan to configure NTLM authentication for Captive Portal, the firewall where you’ve configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the
        organization unit (ou=computers).
        The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. Consider configuring Kerberos authentication for Captive Portal instead of NTLM. Kerberos is a stronger, more secure authentication method and it does not require the firewall to join the domain.
        For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
    3. Check Names
      to validate your entries and click
  3. If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed.
    By default, accounts in the Server Operators group have this permission.
    Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
    Perform this task on each client system that the User-ID agent will probe for user mapping information:
    1. Right-click the Windows icon ( ),
      , and launch the WMI Management Console.
    2. In the console tree, right-click
      WMI Control
      and select
    3. Select
      , select
      , and click
    4. Add
      the name of the service account you created,
      Check Names
      to verify your entry, and click
      You might have to change the
      or click
      to query for account names. See the dialog help for details.
    5. In the Permissions for <Username> section,
      Enable Account
      Remote Enable
    6. Click
    7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
  4. Turn off account privileges that are not necessary.
    By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.
    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
    • Deny interactive logon for the User-ID service account
      —While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to logon to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information).
    • Deny remote access for the User-ID service account
      —This prevents an attacker from using the account to access your network from the outside the network.

Recommended For You