This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Agentless User-ID agent permissions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Agentless User-ID agent permissions

Stormblessed
L1 Bithead

‎08-17-2021 12:14 PM

We are attempting to use the agentless User-ID setup with the understanding that the service account needed to be a member of the following AD groups: Distributed COM Users, Event Log Readers, and Server Operators. However, after reading the following Palo Alto documentation on how to create the service account it seems that there is some conflicting information. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/create-.... It states that the Server Operator privilege is "Not Recommended" do to security concerns.

 

Also, for the DCOM privileges and Event Log Reader setup the document starts each piece with "If you want to". Does that mean you can setup User-ID with any of the 3 AD privileges but not necessarily all of them?

 

"If you want to use Server Monitoring to identify users, add the service account to the Event Log Reader builtin group to allow the service account to read the security log events."

"If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers."

1 person had this problem.
0 Likes Likes
2 REPLIES 2

ajagtap
L1 Bithead

‎08-19-2021 01:16 AM

For agentless User-ID setup, the service account should be a member of both

- Event logs readers: It provides permission to read the security log

- DCOM Users : It is required for WMI Authentication

 

- Agentless User-ID uses WMI transport protocol to query AD server hence DCOM privileges are a must.

- User-ID agent uses MSRPC calls instead WMI to query AD server to get IP-user mappings, hence User-ID's service account requires only Event Log Readers privilege.

 

The PaloAlto document mentioned in your post is talking about creating a service account for both agent & agentless user-id hence you are seeing multiple "If you want to" statements 🙂

 

0 Likes Likes

Stormblessed
L1 Bithead

‎08-23-2021 10:14 AM - edited ‎08-23-2021 10:16 AM

Ajagtap, thanks for replying. That clarifies a lot.

 

How about the Server Operator permissions that show as "Not Recommended", what are the reason's to enable that? The document says "to allow the agent to monitor user sessions", however, wouldn't you be able to track log on/off with the Security Logs. If the service account is in the Event Log Readers groups than what do you get if it's also in the Server Operator group? 

  • 2515 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks