Advise on using AD user-id in local PA groups?

Reply
L2 Linker

Advise on using AD user-id in local PA groups?

I am struggling with utilizing ActiveDirectory groups in firewall policy. My concern is then our AD administrators have control over transversing our firewall policy. Generally speaking say for example we have a FW policy setup where AD group ServerAdmins has <some type of> to a resource, they (the AD administrator) could very easily throw any user into that group thus giving sed person access to the resource. However I do love the user-ID capabilities and want to leverage that but it gets tideous having individiaul users defined in policy.

 

So my thought\question is if I could have a locally defined PA group (that I administrator) this would allow me to add the ActiveDirectory defined users into this group and then use this group in FW policy. Now I'm getting the benefits of user-ID and efficiency of using groups in firewall policy.

 

Curious if this is at all possible or if anyone else has any other options\ideas?

L7 Applicator

Re: Advise on using AD user-id in local PA groups?

Hello,

Yes this could be an issue. What we did was implement compensating controls. We have our security analysts review the revious days SIEM reports for users added/removed from certain groups. If there is a change, then a support ticket needs to have been entered for the correct action, i.e. user B was added to group F for reason Y. I can also see how this could become a tedious process in a large environment but reports can be substituted for alerts/alarms that need to be reviewed.

 

If you go with a local user/group the end user now needs to have those credentials and this can be tedious as well for the firewall admins. 

 

Hope that helps.

L6 Presenter

Re: Advise on using AD user-id in local PA groups?

Similar issue for us, we are very restrictive on file uploading and block all webmail.

 

to get around the AD admin issues mentioned we have policies that overide some restrictions (where needed) and just add the users direct to that policy.

 

its no different than having local groups but if you have many policies that are an issue then yes groups will just save you entering individual names.

 

 

L6 Presenter

Re: Advise on using AD user-id in local PA groups?

Oops sorry @zthiel , i just noticed your comments on individual users....

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!