User-ID: gained access with run as admin

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID: gained access with run as admin

L4 Transporter

Hi all,

 

several user have internet access and this depends on their user-id. some of them have admin-accounts and can run the ie as admin. the user logged into the AD as non-privileged user and this is controlled by the WMI-Process of the USER-Agent. But this construct didn't recognize when the user starts the IE with run as admin.

is there a chance to prevent this so that the FW allow only the access for the non privileged users.

 

Regards,

Klaus

1 accepted solution

Accepted Solutions

L4 Transporter

Hi,

 

this can't be solved with PAN-OS because there no log-entry at the AD-log. The way i have to go is to use the GPO for these Clients. That is the answer of our systemhouse.

 

Regards,

Klaus

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

hi Klaus!

 

Are these local admin accounts or domain/enterprise ?

Are your UserID agents also reading AD audit logs (login success)? As a domain acount login event (run as admin) should create an audit log which should switch the user/IP mapping to the admin account (until WMI re-reads the logged in user and falls back to the non-privileged user)

 

for setups like this the WMI probe can be problematic as it can only check which user is logged on to a system, not what kind of elevated access they are using to run a single process

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

Hi Reaper,

 

these are domain-accounts and our User-IDAgent  reads the audit-logs. Thx for your hint. I will check the log of the User-ID Agent to see what is logged. Therefor i need the help of this specific user. I keep you updated.

Regards,

Klaus

 

 

L4 Transporter

i took a look at the User-Id Agent log right after the user tried it with IE (run as admin) and i didn't see an entry with the admin account. Maybe there is no entry at the AD-log and PA has no chance to get the admin account. How is it possible to catch a user like this one?

L4 Transporter
 

L4 Transporter

Hi,

 

this can't be solved with PAN-OS because there no log-entry at the AD-log. The way i have to go is to use the GPO for these Clients. That is the answer of our systemhouse.

 

Regards,

Klaus

L7 Applicator

From configuration mode on your firewall, you could use the following command:  

 

set user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]

 

This will prevent the firewall from creating mappings for users in this list.  If you add "admin" or "administrator" to this list, then the users will continue to be mapped as non-privileged users from the firewall perspective and they won't get any additional access if they use "run-as".  

the log-entry is showing always the non-privileged user even the user starts the IE with run as. So how should this work?

  • 1 accepted solution
  • 6483 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!