topic Re: User loses privileges...UserID in General Topics

User loses privileges...UserID

soporteseguridad — Wed, 09 Oct 2013 08:23:17 GMT

In our company we have two internet browsing profiles.
Users who belong to the AD Domain users have limited access to internet and users AD group belongs to UsuariosInternet can access anywhere.

My AD user is canopr and I have internet access from my PC (10.5.1.149), when I log on to a server by remote desktop (mstsc) and I identify with the user oalgt\ explotacio, stopped internet access. The userID the user agent learns that identified on the IP 10.5.1.149 is explotacio. This performance understand that is wrong. Is there any way around it?

Thanks

Re: User loses privileges...UserID

dieter_b — Wed, 09 Oct 2013 09:44:42 GMT

If that's a terminal server where multiple users are active simultaneously, do you have the Terminal Services Agent installed and working ?

Re: User loses privileges...UserID

soporteseguridad — Wed, 09 Oct 2013 09:46:03 GMT

No. Its just a server where i can access via RDP to manage several apps.

Re: User loses privileges...UserID

dieter_b — Wed, 09 Oct 2013 10:03:39 GMT

Does UserID map the user who is connecting to RDP to an ip address ?

UserID can have the same user mapped to several ip's, but I'm not sure it can have several users mapped to one ip (except Terminal services agent). My guess is the RDP log on is captured as a logon event and the user is replaced in the ip mapping. We see this behaviour when we do administrative tasks (using a domain admin account) within a restricted user account. But that is expected behaviour for us...

In fact, I can reproduce the problem you're describing when connecting to a server using rdp. But shortly after, the normal user is mapped back to the client ip (we're using event log monitoring, session monitoring and wmi client probing; all with short intervals).

Re: User loses privileges...UserID

soporteseguridad — Wed, 09 Oct 2013 10:17:05 GMT

Yes, UserID maps the user who connects to the server via RDP. There is any way to keep the "privileges" although im working in other server via RDP?

Re: User loses privileges...UserID

dieter_b — Wed, 09 Oct 2013 10:24:38 GMT

What UserID mechanisms do you use ? At what intervals ?

Eventually, your normal user should automatically be picked up again. But that depends on the mechanisms and interval. If you want very tight correlation between actual users and ip's, you'll have to rethink your UserID setup.

Take a look at Architecting User Identification Deployments . This and the admin guide helped me a lot in getting UserID right and efficient.

Re: User loses privileges...UserID

soporteseguridad — Wed, 09 Oct 2013 15:30:43 GMT

I have read the manual it seems correctly configured. This problem also happens with the user has two diferent mail inbox.

Re: User loses privileges...UserID

soporteseguridad — Wed, 09 Oct 2013 15:33:34 GMT

What happens to me is that when I connect via terminal services to a server, my local IP address is associated with the user in which I connect.

Re: User loses privileges...UserID

dieter_b — Thu, 10 Oct 2013 06:31:23 GMT

Simply initiating a RDP session, logs some kind of logon event (checking against AD whether or not that user is allowed to make RDP connections). It doesn't even yet relate to the server you're trying to connect.

You can actually reproduce this with a similar logon event: make a connection to an administrative share (\\somepc\c$), Windows will ask for credentials. Say you log on with a domain admin account. That domain admin account will be mapped to your ip address. Until timeout OR until your normal user does some kind of logon event (accessing your home folder can be enough) OR until the WMI probe determines your user.

This is all by design.

Eventually, is your user mapped back to your ip or not ? If so, how long does it take ?

You can monitor it in the CLI using the command "show user ip-user-mapping ip [your ip]"

Re: User loses privileges...UserID

soporteseguridad — Thu, 10 Oct 2013 13:23:31 GMT

OK ill try to explain better.

I have my user oalgt/bruguepr in my local pc. I open a RDP in order to manage a server, i log in this server as oalgt/explotacion. When i log in this server via RDP my local pc (user: oalgt/bruguepr) get the same privilege like explotacio.

And if i check the UserID agent i can see that my ip has the user explotacio. If i close the rdp ill continue having the explotacio privileges......what is the correct behaviour for this???

This also happens with user who has 2 mail inbox, where they access with different users.

Re: User loses privileges...UserID

dieter_b — Thu, 10 Oct 2013 13:46:34 GMT

The problem you're having (user explotacion getting mapped to your local ip address) is perfectly clear. And like I said before: This is excpected behaviour because a logon event is logged. And no, we are not talking about the fact that user explotacio is logging on to the server, we are talking about "a" Windows logon event.

Check the security log in event viewer: you'll find thousands of logon events, that have nothing to do with a user logging on (entering username/password) to a computer.

The security log on a DC is the source PaloAlto uses to collect these events, since they contain the user and an ip....

After having logged on to the server, almost any action you do locally (like browsing in Windows Explorer, opening an application) will trigger a logon event that should eventually be picked up by UserID. On the conditions that you are in fact in a domein environment (the logon event is checked by the DC) and UserID interval is short enough.

Re: User loses privileges...UserID

soporteseguridad — Thu, 10 Oct 2013 14:45:48 GMT

I dont know why it should affect me in my local machine that I connect to other pc with other user by RDP and when i close this session i dont recuperate my privileges. In the moment that i connect to another machine via RDP with any user i get the privileges of this user in my local machine....... this is a weird behaviour....

Re: User loses privileges...UserID

dieter_b — Thu, 10 Oct 2013 14:54:49 GMT

Please understand that this actually has nothing to do with the RDP session.

This is standard Windows behaviour in a Windows domain: Your DC is the only "authority" that determines whether or not you have access to a resource. This is the logon even I'm talking about.

Nothing you do in PaloAlto config wil change that behaviour. All PA does is read that info.

Re: User loses privileges...UserID

apasupulati — Thu, 10 Oct 2013 15:56:34 GMT

Hello,

This behavior is expected, UserID does ip-user-mapping based off of the Windows Security logs and when a user RDP's to a machine, Windows logs the security event based on the IP of the PC that initiated the RDP.

The only workaround for this to add the username: oalgt\ explotacio in the ignore users list. This is not an issue with the firewall or the agent.

Refer:

https://live.paloaltonetworks.com/docs/DOC-2893

Hope that helps,

Aditi

Re: User loses privileges...UserID

soporteseguridad — Thu, 10 Oct 2013 16:21:47 GMT

And what would happen with the users whos has 2 inbox in their exchange??? it happens the same for them??

Re: User loses privileges...UserID

dieter_b — Fri, 11 Oct 2013 06:35:01 GMT

Depends on how they log on.

Does the user have full access permission to the 2nd mailbox ? If so, you can make everything work with the same credentials.

Or does the 2nd mailbox actually require logging on to it ? If so, you again have a logon event that will be picked up by UserID.

In a AD environment, using different logins to different resources, is not really best practice for me. Give a user one account and make sure he can access whatever resource he needs with that account. You shouln't bother your users with several logins.

Obviously this doesn't apply to users who do administrative tasks, where the admin account should be strictly separate from their everyday user account.

I hope you get it sorted out...