topic User-ID based policies exclusion in General Topics

User-ID based policies exclusion

faizankhurshid — Thu, 17 May 2018 10:06:59 GMT

I want to enable user-id features in all security policies. But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller?

Also on which security rules, I should not enable user-ID?

Re: User-ID based policies exclusion

Brandon_Wertz — Thu, 17 May 2018 15:32:19 GMT

@faizankhurshid wrote:
...But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller?

Can you clarify this?

For this:

"Also on which security rules, I should not enable user-ID?"

There's really no scenario where you wouldn't want it. It's always good to have that additional bit of granularity of access control.

That said there might be scenarios where process are executing the network access and thus no "logged in" user is actually executing the traffic. This would be a scenario where user-id controls will not work.

Re: User-ID based policies exclusion

faizankhurshid — Thu, 17 May 2018 15:51:55 GMT

@Brandon_Wertz Thanks

For This "But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller?"

What I mean is, lets say users are in trust zone and domain controller are in server zone. I need to make policy to allow users to communicate with DC then this policy I should not use user-ID?

Re: User-ID based policies exclusion

BPry — Thu, 17 May 2018 16:43:28 GMT

@faizankhurshid,

That would be one example; as if the machine has reached user-id age-out and you are restricting access to the domain controllers as 'known-users' for example, this would start denying the traffic.

Re: User-ID based policies exclusion

faizankhurshid — Thu, 17 May 2018 18:35:29 GMT

@BPry So users to DC policies, I should not enable user-id?

Re: User-ID based policies exclusion

Remo — Thu, 17 May 2018 19:30:05 GMT

@faizankhurshid exactly, towards your domain controllers you shouldn't enforce User-ID. In addition printservers, profileshares and other mapped network drives are also critical connections. It is possible to enable user-ID there but you have to make sure that the User-IDs are almost instantly present on the firewalls because otherwise it takes a lot longer for the users to log in as windows receives the information on what to do with the group policies and then it tries to to this. And if the connection is not possible pretty fast then windows tries again and again and again - so in this case it could take a lot longer for the users to log in. So to enable there make sure that the log-read frequency of the domain conteoller logs is set to 1 second (the lowest possible value).