Create a Dedicated Service Account for the User-ID Agent

To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The required permissions for the service account depend on the user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges to monitor user sessions. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges to monitor user sessions. To reduce the risk of compromising the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent.
User-ID provides many methods for safely collecting user mapping information. Some legacy features designed for environments that only required user mapping on Windows desktops attached to the local network require privileged service accounts. If the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using legacy features that require privileges that would pose a threat if compromised, such as client probing, NTLM authentication, and session monitoring.

Configure a Service Account for the Windows User-ID Agent

Create a dedicated Active Directory service account for the Windows User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the Windows User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
  1. Create an AD account for the User-ID agent.
    You must create a service account in each domain the agent will monitor.
    1. Log in to the domain controller.
    2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.
    3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
    4. Enter the First Name, Last Name, and User logon name of the user and click Next.
    5. Enter the Password and Confirm Password, then click Next and Finish.
  2. Configure either local or group policy to allow the service account to log on as a service.
    The permission to log on as a service is only needed locally on the Windows server that is the agent host.
    • To assign permissions locally:
      1. Select Control Panel > Administrative Tools > Local Security Policy.
      2. Select Local Policies > User Rights Assignment > Log on as a service.
      3. Click Add User or Group to add the service account.
      4. Enter the object names to select (the service account name) in domain\username format and click OK.
    • To configure group policy if you are installing Windows User-ID agents on multiple servers, use the Group Policy Management Editor.
      1. Select Start > Group Policy Management > <your domain> > Default Domain Policy > Action > Edit for the Windows server that is the agent host.
      2. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
      3. Right-click Log on as a service, then select Properties.
      4. Click Add User or Group to add the service account username or builtin group, then click OK twice.
        Administrators have this privilege by default.
  3. If you want to use server monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
    1. On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Add, then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.
    2. Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Add to a Group.
    3. Enter the name of the service account, then click Check Names to validate that you have the proper object name.
    4. Click OK twice to save the settings.
    5. Confirm that the builtin Event Log Readers group lists the service account as a member.
  4. Assign account permissions to the installation folder to allow the service account to access the agent’s installation folder to read the configuration and write logs.
    You only need to perform this step if the service account you configured for the User-ID agent is neither a domain administrator nor a local administrator on the User-ID agent server host.
    1. From Windows Explorer, navigate to C:\Program Files (x86)\Palo Alto Networks, right-click the folder, and select Properties.
    2. On the Security tab, click Edit.
    3. Add the User-ID agent service account, Allow the Modify, Read & execute, List folder contents, Read, and Write permissions, and then click OK to save the account settings.
      If you do not want to configure individual permissions, you can Allow the Full Control permission instead.
  5. To allow the agent to make configuration changes (for example, if you select a different logging level), give the service account permissions to the User-ID agent registry sub-tree.
    1. Select Start > Run, enter regedt32, and navigate to the Palo Alto Networks sub-tree in one of the following locations:
      • 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      • 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
    2. Right-click the Palo Alto Networks node and select Permissions.
    3. Assign the User-ID service account Full Control and then click OK to save the setting.
  6. Disable service account privileges that are not required.
    By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.
    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account.
    • Deny interactive logon for the User-ID service account—While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
      1. Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
      2. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties.
      3. Select Define these policy settings > Add User or Group, add the service account name, then click OK.
    • Deny remote access for the User-ID service account—This prevents an attacker from using the account to access your network from outside the network.
      1. Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
      2. Right-click the service account name, then select Properties.
      3. Select Dial-in, then Deny the Network Access Permission.
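The following PowerShell script is an added example, not Palo Alto Networks' own tooling, that performs steps 1, 3, 4, and 5 of the Windows agent workflow above non-interactively so the same least-privilege result is reproducible across domains. It assumes the ActiveDirectory module (RSAT) is installed, that steps 1 and 3 run on a domain controller and steps 4 and 5 on the 64-bit agent host, and that the account name svc-userid is a placeholder you replace. Marking the account as "sensitive and cannot be delegated" is an addition beyond the page's steps and is labelled as such in the code.

```powershell
# Added example (not Palo Alto Networks' code): provisions a least-privilege
# service account for the Windows User-ID agent following steps 1, 3, 4 and 5.
# Assumptions: ActiveDirectory module (RSAT) available; run as a domain admin on
# a domain controller for steps 1 and 3, and on the 64-bit agent host for steps
# 4 and 5. The account name is a placeholder; the folder and registry paths are
# the ones the page lists.
#Requires -Modules ActiveDirectory

param(
    [string]$SamAccountName = 'svc-userid',   # placeholder account name
    [string]$DisplayName    = 'User-ID Agent Service',
    [string]$InstallPath    = 'C:\Program Files (x86)\Palo Alto Networks',
    [string]$RegistryPath   = 'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks'  # 64-bit host
)

$adDomain  = Get-ADDomain
$principal = "$($adDomain.NetBIOSName)\$SamAccountName"

# Step 1: create the account. The password is read as a SecureString so it
# never appears on a command line or in a transcript.
$password = Read-Host -AsSecureString -Prompt "Password for $principal"
New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$($adDomain.DNSRoot)" `
    -AccountPassword $password -Enabled $true `
    -AccountNotDelegated $true `   # hardening beyond the page: "sensitive and cannot be delegated"
    -Description 'Dedicated User-ID agent service account (read-only log access)'

# Step 3: read access to the Security event log via the builtin group only,
# rather than any administrative group.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SamAccountName

# Step 4: folder ACL. FileSystemRights.Modify is exactly the union of the five
# rights the page lists (Modify, Read & execute, List folder contents, Read,
# Write); it is granted to subfolders and files by inheritance, not Full Control.
$acl  = Get-Acl -Path $InstallPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $InstallPath -AclObject $acl

# Step 5: registry sub-tree. The page asks for Full Control here so the agent
# can rewrite its own configuration (for example, a changed logging level).
$regAcl  = Get-Acl -Path $RegistryPath
$regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegistryPath -AclObject $regAcl
```

Step 2 (Log on as a service) and step 6 (the deny rights) are deliberately left to the Local Security Policy or GPO procedure described above, since user-rights assignments are policy-managed and a script that edits them locally would be overwritten at the next Group Policy refresh.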

Configure a Service Account for the PAN-OS Integrated User-ID Agent

Create a dedicated Active Directory service account for the PAN-OS Integrated User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
  1. Create an AD account for the User-ID agent.
    You must create a service account in each domain the agent will monitor.
    1. Log in to the domain controller.
    2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.
    3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
    4. Enter the First Name, Last Name, and User logon name of the user and click Next.
    5. Enter the Password and Confirm Password, then click Next and Finish.
  2. If you want to use server monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
    1. On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Add, then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.
    2. Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Add to a group.
    3. Enter the name of the service account, then click Check Names to validate that you have the proper object name.
    4. Click OK twice to save the settings.
    5. Confirm that the builtin Event Log Readers group lists the service account as a member.
  3. If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.
    1. Select Active Directory Users and Computers > <your domain> > Builtin > Distributed COM Users.
    2. Right-click, select Properties > Members > Add, and enter the service account name.
  4. If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed.
    Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
    Perform this task on each client system that the User-ID agent will probe for user mapping information:
    1. Right-click the Windows icon, Search for wmimgmt.msc, and launch the WMI Management Console.
    2. In the console tree, right-click WMI Control and select Properties.
    3. Select the Security tab, then select Root > CIMV2, and click the Security button.
    4. Add the name of the service account you created, click Check Names to verify your entry, and click OK.
      You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
    5. In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.
    6. Click OK twice.
    7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
  5. (Not Recommended) To allow the agent to monitor user sessions by polling Windows servers for user mapping information, assign Server Operator privileges to the service account.
    Because this group also has privileges for shutting down and restarting servers, only assign the account to this group if monitoring user sessions is very important.
    1. Select Active Directory Users and Computers > <your domain> > Builtin > Server Operators.
    2. Right-click, select Properties > Members > Add, and add the service account name.
  6. If you want to configure NTLM authentication for Captive Portal, configure the firewall to join the domain.
    If you plan to configure NTLM authentication for Captive Portal, the firewall where you’ve configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organizational unit (ou=computers).
    For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
    The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. As a best practice, configure Kerberos single sign-on (SSO) or SAML SSO authentication for Captive Portal instead of NTLM. Kerberos and SAML are stronger, more secure authentication methods and do not require the firewall to join the domain.
    1. Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
    2. Right-click the domain and select Delegate Control.
    3. Click Next, then Add the service account name and click OK.
    4. Click Next, then select Join a computer to the domain.
    5. Click Next, verify the service account information, then click Finish.
  7. Disable service account privileges that are not required.
    By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.
    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
    • Deny interactive logon for the User-ID service account—While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
      1. Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
      2. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties, then select Define these policy settings > Add User or Group, add the service account name, and click OK.
    • Deny remote access for the User-ID service account—This prevents an attacker from using the account to access your network from outside the network.
      1. Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
      2. Right-click the service account name, then select Properties.
      3. Select Dial-in, then Deny the Network Access Permission.
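The following PowerShell function is an added example, not Palo Alto Networks' own tooling, for auditing whether a User-ID service account still matches the least-privilege guidance in step 6 of the Windows agent workflow and step 7 above: member of Event Log Readers but of no administrative group (including Server Operators), Network Access Permission denied on the Dial-in tab, and the three deny-logon rights applied on the host it runs on. It assumes the ActiveDirectory module (RSAT), that it runs elevated on the agent host (secedit needs administrator rights), and that svc-userid is a placeholder account name; it checks only direct group membership.

```powershell
# Added example (not Palo Alto Networks' code): audits a User-ID service
# account against the least-privilege guidance above. Assumptions: the
# ActiveDirectory module (RSAT) is available, the script runs elevated on the
# host whose local user-rights assignments should be checked, and the account
# name passed in is a placeholder. Only direct group membership is examined.
#Requires -Modules ActiveDirectory

function Test-UserIdServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$WindowsAgent   # the Windows agent host also needs "Log on as a service"
    )

    $user   = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, MemberOf
    $sid    = $user.SID.Value
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # Groups whose membership the page warns against for this account.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators'

    $findings = [ordered]@{}
    $findings['InEventLogReaders']  = $groups -contains 'Event Log Readers'
    $findings['NoPrivilegedGroups'] = -not @($groups | Where-Object { $_ -in $privileged })
    # "Deny" on the Dial-in tab stores msNPAllowDialin = FALSE; an unset attribute
    # means "Control access through NPS Network Policy", which is not a deny.
    $findings['RemoteAccessDenied'] = ($user.msNPAllowDialin -eq $false)

    # Local user-rights assignments as currently applied on this host. secedit
    # writes a UTF-16 INF with lines such as:
    #   SeDenyInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
    $inf = Join-Path $env:TEMP 'userid-rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = $Matches[2] -split ','
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    $hasRight = { param($name) @($rights[$name]) -contains "*$sid" }
    $findings['DenyLogOnLocally']      = & $hasRight 'SeDenyInteractiveLogonRight'
    $findings['DenyLogOnAsBatchJob']   = & $hasRight 'SeDenyBatchLogonRight'
    $findings['DenyRemoteDesktopLogon'] = & $hasRight 'SeDenyRemoteInteractiveLogonRight'
    if ($WindowsAgent) {
        $findings['LogOnAsService'] = & $hasRight 'SeServiceLogonRight'
    }

    [pscustomobject]$findings
}

# Usage (placeholder account name); every property should read True.
Test-UserIdServiceAccount -SamAccountName 'svc-userid' -WindowsAgent | Format-List
```

Any False result points at the step to revisit: a False NoPrivilegedGroups after step 5 (Server Operators) is expected only if you accepted that trade-off deliberately, and a False on a deny right usually means the GPO has not yet refreshed on this host (run gpupdate /force and re-check).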
