User-ID: gained access with run as admin

kdd
L4 Transporter

User-ID: gained access with run as admin

Hi all,

Several users have internet access, and this depends on their user ID. Some of them have admin accounts and can run IE as admin. The user logs into AD as a non-privileged user, and this is controlled by the WMI process of the User-ID agent. But this construct didn't recognize when the user starts IE with "run as admin".

Is there a chance to prevent this, so that the FW allows access only for the non-privileged users?

 

Regards,

Klaus

Community Manager

Re: User-ID: gained access with run as admin

Hi Klaus!

Are these local admin accounts or domain/enterprise ones?

Are your User-ID agents also reading AD audit logs (login success)? A domain account login event (run as admin) should create an audit log entry, which should switch the user/IP mapping to the admin account (until WMI re-reads the logged-in user and falls back to the non-privileged user).

For setups like this the WMI probe can be problematic, as it can only check which user is logged on to a system, not what kind of elevated access they are using to run a single process.

 


Help the community: Like helpful comments and mark solutions
Reaper out
kdd
L4 Transporter

Re: User-ID: gained access with run as admin

Hi Reaper,

These are domain accounts, and our User-ID Agent reads the audit logs. Thanks for your hint. I will check the log of the User-ID Agent to see what is logged. For that I need the help of this specific user. I'll keep you updated.

Regards,

Klaus


kdd
L4 Transporter

Re: User-ID: gained access with run as admin

I took a look at the User-ID Agent log right after the user tried it with IE (run as admin), and I didn't see an entry with the admin account. Maybe there is no entry in the AD log, and then PA has no chance to get the admin account. How is it possible to catch a user like this one?

kdd
L4 Transporter

Re: User-ID: gained access with run as admin

Hi,

This can't be solved with PAN-OS because there is no log entry in the AD log. The way I have to go is to use a GPO for these clients. That is the answer from our system house.

 

Regards,

Klaus

L7 Applicator

Re: User-ID: gained access with run as admin

From configuration mode on your firewall, you could use the following command:

set user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]

This will prevent the firewall from creating mappings for users in this list. If you add "admin" or "administrator" to this list, then the users will continue to be mapped as non-privileged users from the firewall's perspective, and they won't get any additional access if they use "run as".
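The mapping behaviour Reaper describes above (an AD audit-log logon event switches the IP-to-user mapping to the account that logged on, and a later WMI probe switches it back to the interactively logged-on user) together with the ignore-user list from the reply above, as an added Python model. This is not code from this thread or from PAN-OS: the event lines are constructed, and the UserIdTable class and run_scenario function are hypothetical stand-ins for the firewall's mapping table. It shows why a listed admin account never becomes the mapped user for the host, so the host keeps the non-privileged user's policy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what the two mapping sources might report for one host.
# These are made-up lines, not real User-ID agent or Windows event-log output.
SAMPLE_EVENTS = [
    "ad-audit-log 10.0.0.5 klaus",      # normal domain logon by the non-privileged user
    "ad-audit-log 10.0.0.5 adm-klaus",  # run-as logon with the admin account (if AD audits it)
    "wmi-probe    10.0.0.5 klaus",      # WMI re-reads the interactively logged-on user
]

EVENT_RE = re.compile(
    r"^(?P<source>ad-audit-log|wmi-probe)\s+(?P<ip>[\d.]+)\s+(?P<user>\S+)$"
)


@dataclass
class UserIdTable:
    """Minimal model of the firewall's IP-to-user table (hypothetical, not PAN-OS code)."""
    ignore_users: set = field(default_factory=set)  # models `set user-id-collector ignore-user`
    mappings: dict = field(default_factory=dict)     # ip -> username currently mapped
    dropped: list = field(default_factory=list)      # (ip, user, source) that were never mapped

    def apply(self, line: str):
        """Feed one event line into the table and return the mapped user for that IP."""
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event: {line!r}")
        ip, user, source = m["ip"], m["user"].lower(), m["source"]
        if user in self.ignore_users:
            # Ignored accounts never create or replace a mapping; the host keeps
            # whatever user it was mapped to before (here: the non-privileged one).
            self.dropped.append((ip, user, source))
        else:
            self.mappings[ip] = user
        return self.mappings.get(ip)

    def replay(self, lines):
        """Apply events in order and return the mapped user after each one."""
        return [self.apply(line) for line in lines]


def run_scenario(ignore_users=()):
    """Replay the constructed events with a given ignore list.

    Returns (history, dropped): the mapped user after each event, and the
    mappings the ignore list suppressed.
    """
    table = UserIdTable(ignore_users={u.lower() for u in ignore_users})
    history = table.replay(SAMPLE_EVENTS)
    return history, table.dropped


if __name__ == "__main__":
    print("no ignore list:   ", run_scenario()[0])
    print("ignore adm-klaus: ", run_scenario(["adm-klaus"])[0])
```

Without an ignore list the host briefly maps to the admin account between the audit-log event and the next WMI probe; with the admin account on the ignore list the mapping stays on the non-privileged user throughout. Note that this only helps if the run-as logon produces an audit-log event in the first place, which is exactly what Klaus reports not seeing.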

kdd
L4 Transporter

Re: User-ID: gained access with run as admin

The log entry always shows the non-privileged user, even when the user starts IE with "run as". So how should this work?
