Agentless User-ID agent permissions

cancel
Showing results for 
Search instead for 
Did you mean: 

Agentless User-ID agent permissions

L1 Bithead

We are attempting to use the agentless User-ID setup with the understanding that the service account needed to be a member of the following AD groups: Distributed COM Users, Event Log Readers, and Server Operators. However, after reading the following Palo Alto documentation on how to create the service account it seems that there is some conflicting information. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/create-.... It states that the Server Operator privilege is "Not Recommended" do to security concerns.

 

Also, for the DCOM privileges and Event Log Reader setup the document starts each piece with "If you want to". Does that mean you can setup User-ID with any of the 3 AD privileges but not necessarily all of them?

 

"If you want to use Server Monitoring to identify users, add the service account to the Event Log Reader builtin group to allow the service account to read the security log events."

"If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers."

2 REPLIES 2

L1 Bithead

For agentless User-ID setup, the service account should be a member of both

- Event logs readers: It provides permission to read the security log

- DCOM Users : It is required for WMI Authentication

 

- Agentless User-ID uses WMI transport protocol to query AD server hence DCOM privileges are a must.

- User-ID agent uses MSRPC calls instead WMI to query AD server to get IP-user mappings, hence User-ID's service account requires only Event Log Readers privilege.

 

The PaloAlto document mentioned in your post is talking about creating a service account for both agent & agentless user-id hence you are seeing multiple "If you want to" statements 🙂

 

L1 Bithead

Ajagtap, thanks for replying. That clarifies a lot.

 

How about the Server Operator permissions that show as "Not Recommended", what are the reason's to enable that? The document says "to allow the agent to monitor user sessions", however, wouldn't you be able to track log on/off with the Security Logs. If the service account is in the Event Log Readers groups than what do you get if it's also in the Server Operator group? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!