01-17-2017 11:38 PM
Hi all,
Several users have internet access and this depends on their user ID. Some of them have admin accounts and can run IE as admin. The user logs into the AD as a non-privileged user and this is controlled by the WMI process of the User-ID agent. But this construct doesn't recognize when the user starts IE with "run as admin".
Is there a chance to prevent this so that the FW allows access only for the non-privileged users?
Regards,
Klaus
01-18-2017 12:27 AM
Hi Klaus!
Are these local admin accounts or domain/enterprise?
Are your User-ID agents also reading AD audit logs (login success)? A domain account login event (run as admin) should create an audit log which should switch the user/IP mapping to the admin account (until WMI re-reads the logged-in user and falls back to the non-privileged user).
For setups like this the WMI probe can be problematic, as it can only check which user is logged on to a system, not what kind of elevated access they are using to run a single process.
01-18-2017 02:30 AM
Hi Reaper,
These are domain accounts and our User-ID agent reads the audit logs. Thanks for your hint. I will check the log of the User-ID agent to see what is logged. Therefore I need the help of this specific user. I'll keep you updated.
Regards,
Klaus
01-18-2017 03:52 AM
I took a look at the User-ID agent log right after the user tried it with IE (run as admin) and I didn't see an entry with the admin account. Maybe there is no entry in the AD log and PA has no chance to get the admin account. How is it possible to catch a user like this one?
01-19-2017 06:43 AM
Hi,
This can't be solved with PAN-OS because there is no log entry in the AD log. The way I have to go is to use the GPO for these clients. That is the answer of our system house.
Regards,
Klaus
01-19-2017 07:23 AM
From configuration mode on your firewall, you could use the following command:
set user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]
This will prevent the firewall from creating mappings for users in this list. If you add "admin" or "administrator" to this list, then the users will continue to be mapped as non-privileged users from the firewall perspective and they won't get any additional access if they use "run-as".
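Added example (not from this thread and not Palo Alto's code): a small Python model of an IP-to-user mapping table fed by two sources, an AD audit-log reader and a WMI probe, with an ignore list applied the way the ignore-user setting above is described. It illustrates both Reaper's point (an audit event for the admin account would flip the mapping until the WMI probe reverts it) and the effect of ignoring the admin account (the mapping never leaves the non-privileged user). The IPs, account names and event order are constructed; whether the real ignore list matches on the bare name or the DOMAIN\name form is an assumption, so the model compares case-insensitively on whatever string it is given.

```python
from dataclasses import dataclass, field


@dataclass
class MappingTable:
    """Toy IP-to-user mapping table with an ignore list (constructed model)."""
    ignore_users: set = field(default_factory=set)
    ip_to_user: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def learn(self, source, ip, user):
        """Apply one mapping event from a source ('wmi' or 'ad-audit').

        Users on the ignore list never create or replace a mapping, so an
        existing mapping for the same IP is left untouched.
        """
        if user.lower() in self.ignore_users:
            self.history.append((source, ip, user, "ignored"))
            return self.ip_to_user.get(ip)
        self.ip_to_user[ip] = user
        self.history.append((source, ip, user, "mapped"))
        return user

    def lookup(self, ip):
        """Return the user currently mapped to ip, or None if unmapped."""
        return self.ip_to_user.get(ip)


def trace(events, ignore_users=()):
    """Replay (source, ip, user) events and return the mapped user after each one."""
    table = MappingTable(ignore_users={u.lower() for u in ignore_users})
    seen = []
    for source, ip, user in events:
        table.learn(source, ip, user)
        seen.append(table.lookup(ip))
    return seen


# Constructed sequence: the WMI probe sees the desktop login, an audit event
# for a run-as with the admin account arrives, then the WMI probe runs again.
EVENTS = [
    ("wmi", "10.0.0.5", "DOMAIN\\klaus"),
    ("ad-audit", "10.0.0.5", "DOMAIN\\klaus-adm"),
    ("wmi", "10.0.0.5", "DOMAIN\\klaus"),
]


def policy_allows(user, allowed_users):
    """Simple allow-list check standing in for a user-based firewall rule."""
    return user is not None and user.lower() in {u.lower() for u in allowed_users}


if __name__ == "__main__":
    print("no ignore list :", trace(EVENTS))
    print("admin ignored  :", trace(EVENTS, ignore_users=["DOMAIN\\klaus-adm"]))
```

With no ignore list the second event briefly maps the IP to the admin account, so a rule written for the non-privileged user would stop matching for that window; with the admin account ignored the mapping stays at the non-privileged user throughout. The model also makes the limitation visible that the later posts run into: if the run-as logon never produces an event naming the admin account in any source, the ignore list has nothing to act on and the mapping is unchanged either way.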
01-20-2017 01:12 AM
The log entry always shows the non-privileged user, even when the user starts IE with run as. So how should this work?