several user have internet access and this depends on their user-id. some of them have admin-accounts and can run the ie as admin. the user logged into the AD as non-privileged user and this is controlled by the WMI-Process of the USER-Agent. But this construct didn't recognize when the user starts the IE with run as admin.
is there a chance to prevent this so that the FW allow only the access for the non privileged users.
Are these local admin accounts or domain/enterprise ?
Are your UserID agents also reading AD audit logs (login success)? As a domain acount login event (run as admin) should create an audit log which should switch the user/IP mapping to the admin account (until WMI re-reads the logged in user and falls back to the non-privileged user)
for setups like this the WMI probe can be problematic as it can only check which user is logged on to a system, not what kind of elevated access they are using to run a single process
From configuration mode on your firewall, you could use the following command:
set user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]
This will prevent the firewall from creating mappings for users in this list. If you add "admin" or "administrator" to this list, then the users will continue to be mapped as non-privileged users from the firewall perspective and they won't get any additional access if they use "run-as".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!