topic Re: User-ID Agent Ignore a group of users in General Topics

User-ID Agent Ignore a group of users

Clermont — Fri, 23 Feb 2018 09:36:02 GMT

Hello together,

Is it possible to ignore a group of users with the User-ID Agent, and also on the firewall without the agent?

I tryed to add a group ( example\Ignore User-ID ) to the ignore_user_list.txt for the Agent. But it seemed not to work.

I also tryed:

example\Ignore User-ID

Ignore User-ID

"example\Ignore User-ID"

"Ignore User-ID"

'example\Ignore User-ID'

'Ignore User-ID'

Maybe it is only prossible for singe user accounts and not for groups? But I think this would be a really good feature.

It would be nice if anyone can give me a hint on this

Best Regards

Marco

Re: User-ID Agent Ignore a group of users

Mick_Ball — Fri, 23 Feb 2018 10:03:57 GMT

i cant see how this would be possible as user-ip mappings are per user not group.

I can't see why you would want to ignore a group of users... if its for a security policy then just use the group information in the policy and deny it...

Re: User-ID Agent Ignore a group of users

reaper — Fri, 23 Feb 2018 10:49:04 GMT

You can't ignore a user group

The user-id agent records user ID's as they come in through events and then simply matches the user ID to the ignore list to see if it needs to be ignored, there is no group membership lookup

There is a feature request, however. So you can reach out to your local sales team and have them add your vote to FR ID: 1172

Re: User-ID Agent Ignore a group of users

Clermont — Fri, 23 Feb 2018 12:25:18 GMT

Thank you vermy much for your replay.

I want to ignore a group of users to prevent the "normal" accounts of the administrators to be overwritten by the administrative account of that user.

For example there is a rule for Internet traffic with User-ID. Traffic is allowed for all normal users. Not for administrative accounts.

I'm working on my computer with my normal account "marco". Then I connect to a Server via RDP using my administrative account "marco-admin". Sometimes User-ID then thinks my computer is assigned to "marco-admin" and i can not access the internet.

Re: User-ID Agent Ignore a group of users

reaper — Fri, 23 Feb 2018 12:29:25 GMT

hi @Clermont

This is very unfortunate!

Do you have a lot of admins? You can use wildcards in usernames in the ignore list, but only as the last character

so if you could change your usernames, you would be able to ignore all admin-*

Re: User-ID Agent Ignore a group of users

Mick_Ball — Fri, 23 Feb 2018 12:40:10 GMT

wow... how odd... i can understand the "server ip" to marco-admin but was not aware that the "clent device ip" could also be associated to the username used to logon to the server...

is this because of some network level authentication?

I'll need to watch out for that.....

cheers for the info.

Re: User-ID Agent Ignore a group of users

Mick_Ball — Fri, 23 Feb 2018 12:55:47 GMT

ok just rdp'd with my test account and client ip mapping also changed to test account.

I can now see how this could be useful...

thanks again for the info/explanation.

Re: User-ID Agent Ignore a group of users

Clermont — Fri, 23 Feb 2018 13:07:25 GMT

Thanks for your fast reply.

Unfortunatelly our admins end with "*adm" 😕

I have about 30 accounts. I think I will add them manuelly.

Just to make sure: Do I have to add them with the domain prefix "domain\marco-admin" or is the username "marco-admin" enough?

Have a nice weekend

Re: User-ID Agent Ignore a group of users

TerjeLundbo — Fri, 23 Feb 2018 13:12:42 GMT

Is this a bug or a feature? We are just getting started with user-ID, and I can see this being an issue for us working in the IT dept. We use RDP a lot.

Re: User-ID Agent Ignore a group of users

Clermont — Fri, 23 Feb 2018 13:27:44 GMT

Maybe something of both, because the RDP-Logon on a Server is linked for your local machine in User-ID. So we decided to ignore the administrative accounts for User-ID. Which would be much easier with a group.

Re: User-ID Agent Ignore a group of users

Mick_Ball — Fri, 23 Feb 2018 13:37:56 GMT

@TerjeLundbo, not sure if I would class this as a bug, more of a feature with some annoying aspects.

I have used user-id for some time now and have never had this issue, but only because my user logon also has server admin rights.

I have only become aware of this via this post, love this site....

if you use a different account for RDP then it will/could be an issue.

Re: User-ID Agent Ignore a group of users

reaper — Fri, 23 Feb 2018 13:41:38 GMT

@Clermont I'd recommend adding the domain while you're at it (not sure if mandatory but have always done it that way)

@TerjeLundbo which part are you referring to exactly? 🙂 the rdp anamoly is kinda how microsoft handles authentications (it passes along your source IP with the auth so the user-id agent gets the log and sees your admin pc's ip even though you're logging in remotely)

The ignore user list is there to help prevent this issue, and also in case there are automated scripts running on a workstation that could trigger after a user has logged on and cause a new authentication log for the workstation's ip, with a service account

Re: User-ID Agent Ignore a group of users

TerjeLundbo — Fri, 23 Feb 2018 13:56:44 GMT

If we want to have user-ID based rules also for admin accounts, to grant access to management systems etc, that won't work of course if we filter out those accounts in user-ID agents.

Re: User-ID Agent Ignore a group of users

reaper — Fri, 23 Feb 2018 14:04:19 GMT

that's correct, depending on the scenario:

when RDPing into a remote system, the ip mapping of the source will be affected, to which the admin is already logged in

If the admin then starts performing locat tasks "as administrator" there'll be a secondary authetication that affects the remoted system

You can also enable probes (netbios or WMI) which will periodically poll workstations for their actually 'logged in' user, so if the ip is hijacked by an admin or service account, the probe will correct that mapping also

Re: User-ID Agent Ignore a group of users

OtakarKlier — Fri, 23 Feb 2018 17:32:17 GMT

Hello,

So I ran into a similar situation and found that using exchange logs instead of a domain controllers security logs refreshed faster since outlook is constantly authenticating to exchange. Not sure if that will work in you environment.

Regards,