Create a Dedicated Service Account for the User-ID Agent
To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The User-ID agent maps users based on logs for security events. To ensure that the User-ID agent can successfully map users, verify that the source for your mappings generates logs for Audit Logon, Audit Kerberos Authentication Service, and Audit Kerberos Service Ticket Operations events. At a minimum, the source must generate logs for the following events:
- Logon Success (4624)
- Authentication Ticket Granted (4768)
- Service Ticket Granted (4769)
- Ticket Granted Renewed (4770)
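The following PowerShell check is an added example, not part of the Palo Alto Networks page: run from an elevated prompt on the domain controller (or other monitored source) it reports whether the three audit subcategories named above are set to record successes and how many of the four minimum event IDs the Security log actually received in the last 24 hours. The subcategory names are the standard `auditpol` names; the 4768/4769/4770 events are only written by domain controllers, so a zero count for those on a member server is expected.

```powershell
# Added example: confirm the audit policy and event flow that User-ID server
# monitoring depends on. Run elevated on the log source. Nothing here is
# specific to the User-ID agent; it only inspects Windows auditing.

$Subcategories = @(
    'Logon',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations'
)
$RequiredEventIds = @{
    4624 = 'Logon Success'
    4768 = 'Authentication Ticket Granted'
    4769 = 'Service Ticket Granted'
    4770 = 'Ticket Granted Renewed'
}

Write-Host '== Effective audit policy =='
foreach ($sub in $Subcategories) {
    # 'auditpol /r' prints CSV; 'Inclusion Setting' is one of
    # 'Success', 'Failure', 'Success and Failure' or 'No Auditing'.
    $row     = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $status  = if ($setting -match 'Success') { 'OK' } else { 'MISSING Success auditing' }
    '{0,-36} {1,-20} {2}' -f $sub, $setting, $status
}

Write-Host "`n== Events written in the last 24 hours =="
$since = (Get-Date).AddHours(-24)
foreach ($id in ($RequiredEventIds.Keys | Sort-Object)) {
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $since } -ErrorAction Stop
        $count  = ($events | Measure-Object).Count
    } catch {
        # Get-WinEvent raises an error when no event matches the filter
        $count = 0
    }
    '{0} {1,-32} {2,6} event(s)' -f $id, $RequiredEventIds[$id], $count
}
```

A subcategory reporting "No Auditing" or "Failure" only, or an event ID with a zero count on a busy domain controller, means the agent will have nothing to map from that source; fix the audit policy (locally or through the GPO that applies to the DC) before troubleshooting the agent itself.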
The required permissions for the service account depend on the user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges to monitor user sessions. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges to monitor user sessions. To reduce the risk of compromising the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent.
- If you are installing the Windows-based User-ID agent on a supported Windows server, Configure a Service Account for the Windows User-ID Agent.
- If you are using the PAN-OS integrated User-ID agent on the firewall, Configure a Service Account for the PAN-OS Integrated User-ID Agent.
User-ID provides many methods for safely collecting user mapping information. Some legacy features designed for environments that only required user mapping on Windows desktops attached to the local network require privileged service accounts. If the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using legacy features that require privileges that would pose a threat if compromised, such as client probing, NTLM authentication, and session monitoring.
Configure a Service Account for the Windows User-ID Agent
Create a dedicated Active Directory (AD) service account for the Windows User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the Windows User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
- Create an AD service account for the User-ID agent. You must create a service account in each domain the agent will monitor.
  - Log in to the domain controller.
  - Right-click the Windows icon, search for Active Directory Users and Computers, and launch the application.
  - In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
  - Enter the First Name, Last Name, and User logon name of the user and click Next.
  - Enter the Password and Confirm Password, then click Next and Finish.
- Configure either local or group policy to allow the service account to log on as a service. The permission to log on as a service is only needed locally on the Windows server that is the agent host.
  - To assign permissions locally:
    - Select Control Panel > Administrative Tools > Local Security Policy.
    - Select Local Policies > User Rights Assignment > Log on as a service.
    - Click Add User or Group to add the service account.
    - Enter the object names to select (the service account name) in domain\username format and click OK.
  - To configure group policy if you are installing Windows User-ID agents on multiple servers, use the Group Policy Management Editor.
    - Select Start > Group Policy Management > <your domain> > Default Domain Policy > Action > Edit for the Windows server that is the agent host.
    - Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    - Right-click Log on as a service, then select Properties.
    - Click Add User or Group to add the service account username or builtin group, then click OK twice. Administrators have this privilege by default.
- If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.
  - Select Active Directory Users and Computers > <your domain> > Builtin > Distributed COM Users.
  - Right-click the group, select Properties > Members > Add, and enter the service account name.
- If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed.
  Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
  Perform this task on each client system that the User-ID agent will probe for user mapping information:
  - Right-click the Windows icon, search for wmimgmt.msc, and launch the WMI Management Console.
  - In the console tree, right-click WMI Control and select Properties.
  - Select the Security tab, then select Root > CIMV2, and click the Security button.
  - Add the name of the service account you created, click Check Names to verify your entry, and click OK. You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
  - In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.
  - Click OK twice.
  - Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
- If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
  - On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run and enter MMC.
  - Select File > Add/Remove Snap-in > Active Directory Users and Computers, then click Add > OK to run the MMC and launch the Active Directory Users and Computers snap-in.
  - Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Properties > Members.
  - Add the service account, then click Check Names to validate that you have the proper object name.
  - Click OK twice to save the settings.
  - Confirm that the builtin Event Log Readers group lists the service account as a member (Event Log Readers > Properties > Members).
- Assign account permissions to the installation folder to allow the service account to access the agent's installation folder to read the configuration and write logs. You only need to perform this step if the service account you configured for the User-ID agent is not either a domain administrator or a local administrator on the User-ID agent server host.
  - From Windows Explorer, navigate to C:\Program Files (x86)\Palo Alto Networks, right-click the folder, and select Properties.
  - On the Security tab, click Edit.
  - Add the User-ID agent service account and Allow permissions to Modify, Read & execute, List folder contents, Read, and Write, and then click OK to save the account settings. If you do not want to configure individual permissions, you can Allow the Full Control permission instead.
- To allow the agent to make configuration changes (for example, if you select a different logging level), give the service account permissions to the User-ID agent registry sub-tree.
  - Select Start > Run, enter regedt32, and navigate to the Palo Alto Networks sub-tree in one of the following locations:
    - 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
    - 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
  - Right-click the Palo Alto Networks node and select Permissions.
  - Assign the User-ID service account Full Control and then click OK to save the setting.
- Disable service account privileges that are not required. By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised. To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account.
  - Deny interactive logon for the User-ID service account. While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
    - Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
    - For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties.
    - Select Define these policy settings, click Add User or Group and add the service account name, then click OK.
  - Deny remote access for the User-ID service account. This prevents an attacker from using the account to access your network from outside the network.
    - Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
    - Right-click the service account name, then select Properties.
    - Select Dial-in, then Deny the Network Access Permission.
- As a next step, Configure User Mapping Using the Windows User-ID Agent.
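The workflow above can be scripted so that every agent host gets the same least-privilege account. The PowerShell below is an added example written for this page, not a Palo Alto Networks tool: it creates the AD account, grants only Event Log Readers membership, sets the installation-folder and registry ACLs on the agent host, and denies dial-in access. It assumes the ActiveDirectory module on a domain controller, PowerShell remoting to the agent host, and the default 64-bit installation path and registry sub-tree quoted above; `svc-userid` and `USERID-AGENT01` are placeholder names. The "Log on as a service" and "Deny log on" user rights are left to the local or Group Policy steps described above, and the DCOM membership for WMI is shown commented out because the page recommends against probing.

```powershell
# Added example: provision a least-privilege Windows User-ID agent service
# account. Run as a domain administrator on a DC. All names are placeholders.
Import-Module ActiveDirectory

$SamAccountName = 'svc-userid'                                      # placeholder
$AgentHost      = 'USERID-AGENT01'                                  # placeholder
$Domain         = (Get-ADDomain).NetBIOSName
$InstallDir     = 'C:\Program Files (x86)\Palo Alto Networks'       # default path from the page
$RegKey         = 'HKLM:\Software\WOW6432Node\Palo Alto Networks'   # 64-bit agent host
$Password       = Read-Host -AsSecureString 'Service account password'

# Step 1: dedicated AD account. It never logs on interactively, so a
# non-expiring password is acceptable; interactive logon is denied by GPO.
New-ADUser -Name 'User-ID Agent' -SamAccountName $SamAccountName `
    -GivenName 'User-ID' -Surname 'Agent' -AccountPassword $Password `
    -Enabled $true -PasswordNeverExpires $true `
    -Description 'Palo Alto Networks User-ID agent service account'

# Step 2: Server Monitoring only needs to read the Security log, which the
# builtin Event Log Readers group grants. No administrator group is required.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SamAccountName

# Optional and not recommended on high-security networks: DCOM rights for WMI.
# Add-ADGroupMember -Identity 'Distributed COM Users' -Members $SamAccountName

# Step 3: on the agent host, grant the folder and registry permissions the
# page lists (Modify already implies Read & execute, List, Read and Write).
$Account = "$Domain\$SamAccountName"
Invoke-Command -ComputerName $AgentHost -ArgumentList $Account, $InstallDir, $RegKey -ScriptBlock {
    param($Account, $InstallDir, $RegKey)

    $fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $InstallDir
    $acl.AddAccessRule($fsRule)
    Set-Acl -Path $InstallDir -AclObject $acl

    # Full Control on the agent's own registry sub-tree so it can save
    # configuration changes such as a new logging level.
    $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $racl = Get-Acl -Path $RegKey
    $racl.AddAccessRule($regRule)
    Set-Acl -Path $RegKey -AclObject $racl
}

# Step 4: deny remote access. msNPAllowDialin = $false is the "Deny access"
# setting on the account's Dial-in tab.
Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false }

Get-ADUser -Identity $SamAccountName -Properties MemberOf, msNPAllowDialin |
    Select-Object SamAccountName, Enabled, msNPAllowDialin, MemberOf
```

Granting Modify rather than Full Control on the installation folder keeps the account from changing the folder's own permissions, which matches the page's preference for individual permissions over Full Control.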
Configure a Service Account for the PAN-OS Integrated User-ID Agent
Create a dedicated Active Directory (AD) service account for the PAN-OS Integrated User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat so that you can decide how to best identify users without compromising your overall security posture.
- Create an AD service account for the User-ID agent. You must create a service account in each domain the agent will monitor.
  - Log in to the domain controller.
  - Right-click the Windows icon, search for Active Directory Users and Computers, and launch the application.
  - In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
  - Enter the First Name, Last Name, and User logon name of the user and click Next.
  - Enter the Password and Confirm Password, then click Next and Finish.
- If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.
  - On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select Start > Run and enter MMC.
  - Select File > Add/Remove Snap-in > Active Directory Users and Computers, then click Add > OK to run the MMC and launch the Active Directory Users and Computers snap-in.
  - Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select Properties > Members.
  - Add the service account, then click Check Names to validate that you have the proper object name.
  - Click OK twice to save the settings.
  - Confirm that the builtin Event Log Readers group lists the service account as a member (Event Log Readers > Properties > Members).
- If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.
  - Select Active Directory Users and Computers > <your domain> > Builtin > Distributed COM Users.
  - Right-click the group, select Properties > Members > Add, and enter the service account name.
- Enable the service account to read the CIMV2 namespace on the domain controllers you want to monitor and assign the required permissions on the client systems to be probed.
  Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
  Perform this task on each client system that the User-ID agent will probe for user mapping information:
  - Right-click the Windows icon, search for wmimgmt.msc, and launch the WMI Management Console.
  - In the console tree, right-click WMI Control and select Properties.
  - Select the Security tab, then select Root > CIMV2, and click the Security button.
  - Add the name of the service account you created, click Check Names to verify your entry, and click OK. You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
  - In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.
  - Click OK twice.
  - Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.
- (Not Recommended) To allow the agent to monitor user sessions to poll Windows servers for user mapping information, assign Server Operator privileges to the service account. Because this group also has privileges for shutting down and restarting servers, only assign the account to this group if monitoring user sessions is very important.
  - Select Active Directory Users and Computers > <your domain> > Builtin > Server Operators.
  - Right-click the group, select Properties > Members > Add, and add the service account name.
- If you want to configure NTLM authentication for Captive Portal, configure the firewall to join the domain.
  For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
  If you plan to configure NTLM authentication for Captive Portal, the firewall where you've configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organizational unit (ou=computers).
  The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. As a best practice, configure Kerberos single sign-on (SSO) or SAML SSO authentication for Captive Portal instead of NTLM. Kerberos and SAML are stronger, more secure authentication methods and do not require the firewall to join the domain.
  - Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
  - Right-click the domain and select Delegate Control.
  - Click Next, then Add the service account name and click OK.
  - Click Next, then select Join a computer to the domain.
  - Click Next, verify the service account information, then click Finish.
- Disable service account privileges that are not required. By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised. To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
  - Deny interactive logon for the User-ID service account. While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
    - Select Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
    - For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click and select Properties, then select Define these policy settings, click Add User or Group and add the service account name, then click OK.
  - Deny remote access for the User-ID service account. This prevents an attacker from using the account to access your network from outside the network.
    - Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Active Directory Users and Computers > Users.
    - Right-click the service account name, then select Properties.
    - Select Dial-in, then Deny the Network Access Permission.
- As a next step, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
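Because both workflows above end with "disable privileges that are not required", it is worth checking an existing User-ID service account against that guidance on a schedule. The PowerShell below is an added example for this page, not a Palo Alto Networks tool: it resolves the account's effective (nested) group membership, flags membership in Server Operators or any administrative group, checks that dial-in access is denied, and lists any access control entries the account holds on the domain object (which is where the "Join a computer to the domain" delegation for NTLM Captive Portal lands). It assumes the ActiveDirectory module on a domain-joined host; `svc-userid` is a placeholder. The "Deny log on" user rights live in Group Policy and are not inspected here.

```powershell
# Added example: audit a User-ID service account for least privilege.
# Run on a domain-joined host with the ActiveDirectory module. Placeholder name below.
Import-Module ActiveDirectory

$SamAccountName = 'svc-userid'                                      # placeholder
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$user    = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, LastLogonDate

# Effective membership including nested groups, via the LDAP_MATCHING_RULE_IN_CHAIN
# (1.2.840.113556.1.4.1941) matching rule on the member attribute.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty Name

$findings = New-Object System.Collections.Generic.List[string]

# Groups the page says a log-based or WMI-based agent may need.
$expected = @('Domain Users', 'Event Log Readers', 'Distributed COM Users')
# Groups the page marks "Not Recommended" or that are never needed to read logs.
$highRisk = @('Server Operators', 'Account Operators', 'Administrators',
              'Domain Admins', 'Enterprise Admins', 'Schema Admins')

foreach ($g in $groups) {
    if ($highRisk -contains $g) {
        $findings.Add("HIGH: member of '$g'; not required for log-based user mapping")
    } elseif ($expected -notcontains $g) {
        $findings.Add("INFO: member of '$g'; confirm the agent needs it")
    }
}

# Dial-in tab: $false = Deny access, $true = Allow access, unset = NPS policy decides.
if ($user.msNPAllowDialin -ne $false) {
    $findings.Add('MEDIUM: Network Access Permission is not set to Deny (msNPAllowDialin)')
}

# ACEs on the domain object itself only appear if control was delegated to the
# account, e.g. for "Join a computer to the domain" (NTLM Captive Portal).
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$delegated = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "$netbios\$SamAccountName" })
if ($delegated.Count -gt 0) {
    $findings.Add("MEDIUM: $($delegated.Count) ACE(s) for the account on the domain object; review delegated control")
}

if ($findings.Count -eq 0) {
    "No least-privilege findings for $netbios\$SamAccountName (last logon $($user.LastLogonDate))"
} else {
    "Findings for ${netbios}\${SamAccountName}:"
    $findings
}
```

A HIGH finding on Server Operators is the condition the PAN-OS integrated workflow labels "Not Recommended"; if session monitoring is not in use, removing the membership is the fix, and if it is, the page's advice is to move to a log, Syslog, or XML API based source instead.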