Ignoring Users in Mapping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ignoring Users in Mapping

L0 Member

Howdy,

 

Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similiar.

 

We have noticed recently, that some users are logging in with a local computer account and then obviously being able to browse the internet falling into a catch all rule for 'Known Users' which is required. 

 

It was suggested, as an option that we try to not learn them as 'known Users' etc.  However, I am not sure how we would handle that in our case.

 

The problem is that the workstation name is not constant like if the user were coming in with their domain\username, so the users are appearing as below in the user mapping tables:

 

User:          mn2343234\administrator
User:          mn12345\administrator

User:          mn56789\administrator

etc etc

 

So if I am reading things correctly the only way to stop this access is that we would need to somehow make that text file the agent uses on the server dynamic and populate it with computer name/username items one per line, then restart the agent to apply the settings? Is there another easier way to ignore these users?

 

2 REPLIES 2

Cyber Elite
Cyber Elite

If the users are being learned, you have probing enabled: when an unknown IP connects to the firewall, the firewall will ask the UserID agent for information. if it does not havbe a mapping and probing is enabled, it will then probe the IP and detect the local account

 

Probing has pro's and cons: it will also periodically probe existing mappings and if a user has logged out or moved to a new ip (wifi roaming), the no-longer-active session/unused ip will be cleared from mapping. This helps prevent other iusers swooping in and abusing the previous user's mappings access

 

so the best option is to simply exclude the admin accounts from being registered, through the ignore_user_list.txt

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

Hello,

One option would be to use user-id in your allow internet browsing policy. Then anyone who is not a 'domain user' would not be able to browse the internet. In the past I used the group 'Domain User' if anything fell outside of it it would fall int oa more stringent policy.

 

Hope it helps.

  • 2101 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!