<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Advise on using AD user-id in local PA groups? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257047#M72918</link>
    <description>&lt;P&gt;I am struggling with utilizing ActiveDirectory groups in firewall policy. My concern is that our AD administrators then have control over traversing our firewall policy. Generally speaking, say for example we have a FW policy set up where AD group ServerAdmins has &amp;lt;some type of&amp;gt; to a resource; they (the AD administrator) could very easily throw any user into that group, thus giving said person access to the resource. However, I do love the user-ID capabilities and want to leverage that, but it gets tedious having individual users defined in policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my thought/question is whether I could have a locally defined PA group (that I administer); this would allow me to add the ActiveDirectory-defined users into this group and then use this group in FW policy. Now I'm getting the benefits of user-ID and the efficiency of using groups in firewall policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Curious if this is at all possible or if anyone else has any other options/ideas?&lt;/P&gt;</description>
    <pubDate>Wed, 10 Apr 2019 18:39:38 GMT</pubDate>
    <dc:creator>zthiel</dc:creator>
    <dc:date>2019-04-10T18:39:38Z</dc:date>
    <item>
      <title>Advise on using AD user-id in local PA groups?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257047#M72918</link>
      <description>&lt;P&gt;I am struggling with utilizing ActiveDirectory groups in firewall policy. My concern is that our AD administrators then have control over traversing our firewall policy. Generally speaking, say for example we have a FW policy set up where AD group ServerAdmins has &amp;lt;some type of&amp;gt; to a resource; they (the AD administrator) could very easily throw any user into that group, thus giving said person access to the resource. However, I do love the user-ID capabilities and want to leverage that, but it gets tedious having individual users defined in policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my thought/question is whether I could have a locally defined PA group (that I administer); this would allow me to add the ActiveDirectory-defined users into this group and then use this group in FW policy. Now I'm getting the benefits of user-ID and the efficiency of using groups in firewall policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Curious if this is at all possible or if anyone else has any other options/ideas?&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2019 18:39:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257047#M72918</guid>
      <dc:creator>zthiel</dc:creator>
      <dc:date>2019-04-10T18:39:38Z</dc:date>
    </item>
    <item>
      <title>Re: Advise on using AD user-id in local PA groups?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257055#M72920</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Yes, this could be an issue. What we did was implement compensating controls. We have our security analysts review the previous day's SIEM reports for users added/removed from certain groups. If there is a change, then a support ticket needs to have been entered for the correct action, i.e. user B was added to group F for reason Y. I can also see how this could become a tedious process in a large environment, but reports can be substituted for alerts/alarms that need to be reviewed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you go with a local user/group, the end user now needs to have those credentials, and this can be tedious as well for the firewall admins.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2019 19:03:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257055#M72920</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2019-04-10T19:03:13Z</dc:date>
    </item>
    <item>
      <title>Re: Advise on using AD user-id in local PA groups?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257147#M72946</link>
      <description>&lt;P&gt;Similar issue for us; we are very restrictive on file uploading and block all webmail.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To get around the AD admin issues mentioned, we have policies that override some restrictions (where needed) and just add the users directly to that policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's no different than having local groups, but if you have many policies that are an issue then yes, groups will just save you entering individual names.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2019 05:26:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257147#M72946</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2019-04-11T05:26:34Z</dc:date>
    </item>
    <item>
      <title>Re: Advise on using AD user-id in local PA groups?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257148#M72947</link>
      <description>&lt;P&gt;Oops, sorry &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/4746"&gt;@zthiel&lt;/a&gt;, I just noticed your comments on individual users....&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2019 05:47:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/advise-on-using-ad-user-id-in-local-pa-groups/m-p/257148#M72947</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2019-04-11T05:47:55Z</dc:date>
    </item>
  </channel>
</rss>