topic Re: user-id user on servers in General Topics

user-id user on servers

RobinClayton — Wed, 29 Aug 2018 16:15:24 GMT

How do I stop users who are working on servers from apearing in the logs as matched user-id users?

Rob

Re: user-id user on servers

Mick_Ball — Wed, 29 Aug 2018 20:03:59 GMT

Best way for me was to only allow server admin via a server admin account. Then add them to the user ignore list.

Re: user-id user on servers

BPry — Wed, 29 Aug 2018 20:40:01 GMT

@RobinClayton,

I didn't go quite as far as @Mick_Ball; but I did give everyone a seperate 'server-admin' account so that I could ignore just those users with the user ignore list.

Re: user-id user on servers

RobinClayton — Fri, 31 Aug 2018 10:52:26 GMT

Ahh right, had not spotted the ignore list.

Guess it will be good for 99% of what we do.

Rob

Re: user-id user on servers

OtakarKlier — Fri, 31 Aug 2018 16:39:35 GMT

Hello,

What we did, it was unintentional but would work in this case, was to only look at Exchange logs. Since our admin accounts dont have email accounts and we dont allow outlook on servers, we dont see user-id's on servers since moving away from active-directory lookups.

Just a thought.

Re: user-id user on servers

Remo — Sat, 01 Sep 2018 12:10:38 GMT

... or you simply exclude the servernetworks from user-id. This way these users still show up in the logs when they work from a computer in a clientnetwork.

Re: user-id user on servers

Mick_Ball — Sat, 01 Sep 2018 17:59:10 GMT

Hmmm so what is the other 1%......

Re: user-id user on servers

ce1028 — Sat, 01 Sep 2018 18:24:50 GMT

why wouldn't you want to see the admin accounts in the logs? Wouldn't you want to know what they're doing?

Re: user-id user on servers

Mick_Ball — Sun, 02 Sep 2018 18:35:44 GMT

Thats a valid point @ce1028 but we never allow our servers to connect to tinternet.

as soon as a valid user is associated with the server it goes off and does all manner of things..

We could have achieved this via security policy but ignoring users works for us, not everybodys cup of tea...

others may haVe different reasons.

Re: user-id user on servers

RobinClayton — Mon, 03 Sep 2018 07:56:41 GMT

We have servers that get DNS (this is required to make the world work)

We have servers that connect to SMTP ( e-mail seems to be a requirement of modern living)

Servers that transfer business related files ( SFTP, FTPS, ETC...)

All these run as service accounts, they don't generate a USER-ID...

As soon as an admin logs in, they become the associated user of this "server" traffic. Anythign they may really be initiatin gets lost. So it's a bit pointless.

Re: user-id user on servers

Remo — Mon, 03 Sep 2018 08:32:10 GMT

@RobinClayton wrote:
As soon as an admin logs in, they become the associated user of this "server" traffic. Anythign they may really be initiatin gets lost. So it's a bit pointless.

Thats why we exclude the servernetworks completely. All servers have specific firewallrules for exactly what they need without internet access. The logins on the servers are restricted to the users that really need to install/change something on the servers, so it isn't possible that an admin from team A connects to a server of team B. So at least in our case it makes more sense to exclude the networks instead of the users, just in case an admin somehow logs in on a device located in the clientnetwork we will see this also in the firewalllogs.

Re: user-id user on servers

ce1028 — Mon, 03 Sep 2018 21:44:42 GMT

@Remo unrelated to the topic I guess, but are you using virtual firewalls to control that server access?

Re: user-id user on servers

Remo — Tue, 04 Sep 2018 16:10:55 GMT

@ce1028

In most cases physical firewalls (with vsys enabled).

Are you asking about the access frol the servers or the access to the servers? The second is also restricted with groups on the servers itself to the people that need access.