topic Re: User-ID: gained access with run as admin in General Topics

User-ID: gained access with run as admin

kdd — Wed, 18 Jan 2017 07:38:40 GMT

Hi all,

several user have internet access and this depends on their user-id. some of them have admin-accounts and can run the ie as admin. the user logged into the AD as non-privileged user and this is controlled by the WMI-Process of the USER-Agent. But this construct didn't recognize when the user starts the IE with run as admin.

is there a chance to prevent this so that the FW allow only the access for the non privileged users.

Regards,

Klaus

Re: User-ID: gained access with run as admin

reaper — Wed, 18 Jan 2017 08:27:13 GMT

hi Klaus!

Are these local admin accounts or domain/enterprise ?

Are your UserID agents also reading AD audit logs (login success)? As a domain acount login event (run as admin) should create an audit log which should switch the user/IP mapping to the admin account (until WMI re-reads the logged in user and falls back to the non-privileged user)

for setups like this the WMI probe can be problematic as it can only check which user is logged on to a system, not what kind of elevated access they are using to run a single process

Re: User-ID: gained access with run as admin

kdd — Wed, 18 Jan 2017 10:30:21 GMT

Hi Reaper,

these are domain-accounts and our User-IDAgent reads the audit-logs. Thx for your hint. I will check the log of the User-ID Agent to see what is logged. Therefor i need the help of this specific user. I keep you updated.

Regards,

Klaus

Re: User-ID: gained access with run as admin

kdd — Wed, 18 Jan 2017 11:52:19 GMT

i took a look at the User-Id Agent log right after the user tried it with IE (run as admin) and i didn't see an entry with the admin account. Maybe there is no entry at the AD-log and PA has no chance to get the admin account. How is it possible to catch a user like this one?

Re: User-ID: gained access with run as admin

kdd — Thu, 19 Jan 2017 13:40:16 GMT

Re: User-ID: gained access with run as admin

kdd — Thu, 19 Jan 2017 14:43:40 GMT

Hi,

this can't be solved with PAN-OS because there no log-entry at the AD-log. The way i have to go is to use the GPO for these Clients. That is the answer of our systemhouse.

Regards,

Klaus

Re: User-ID: gained access with run as admin

jvalentine — Thu, 19 Jan 2017 15:23:17 GMT

From configuration mode on your firewall, you could use the following command:

set user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]

This will prevent the firewall from creating mappings for users in this list. If you add "admin" or "administrator" to this list, then the users will continue to be mapped as non-privileged users from the firewall perspective and they won't get any additional access if they use "run-as".

Re: User-ID: gained access with run as admin

kdd — Fri, 20 Jan 2017 09:12:20 GMT

the log-entry is showing always the non-privileged user even the user starts the IE with run as. So how should this work?