user-id user on servers


L4 Transporter

How do I stop users who are working on servers from appearing in the logs as matched User-ID users?

 

Rob

12 REPLIES

L7 Applicator

The best way for me was to only allow server admin via a server admin account, then add them to the user ignore list.

 

@RobinClayton,

I didn't go quite as far as @Mick_Ball; but I did give everyone a separate 'server-admin' account so that I could ignore just those users with the user ignore list.

Ahh right, had not spotted the ignore list.

 

Guess it will be good for 99% of what we do.

 

Rob

 

 

Hello,

What we did, it was unintentional but would work in this case, was to only look at Exchange logs. Since our admin accounts don't have email accounts and we don't allow Outlook on servers, we don't see User-IDs on servers since moving away from Active Directory lookups.

 

Just a thought.

... or you simply exclude the server networks from User-ID. This way these users still show up in the logs when they work from a computer in a client network.

Hmmm, so what is the other 1%?

L4 Transporter

why wouldn't you want to see the admin accounts in the logs? Wouldn't you want to know what they're doing?

That's a valid point @ce1028 but we never allow our servers to connect to tinternet.

As soon as a valid user is associated with the server, it goes off and does all manner of things..

We could have achieved this via security policy but ignoring users works for us, not everybody's cup of tea...

 

Others may have different reasons.

We have servers that get DNS (this is required to make the world work)

We have servers that connect to SMTP (e-mail seems to be a requirement of modern living)

Servers that transfer business-related files (SFTP, FTPS, etc...)

 

All these run as service accounts; they don't generate a User-ID...

 

As soon as an admin logs in, they become the associated user of this "server" traffic. Anything they may really be initiating gets lost. So it's a bit pointless.


@RobinClayton wrote:

As soon as an admin logs in, they become the associated user of this "server" traffic. Anything they may really be initiating gets lost. So it's a bit pointless.


That's why we exclude the server networks completely. All servers have specific firewall rules for exactly what they need, without internet access. The logins on the servers are restricted to the users that really need to install/change something on the servers, so it isn't possible that an admin from team A connects to a server of team B. So at least in our case it makes more sense to exclude the networks instead of the users; just in case an admin somehow logs in on a device located in the client network, we will see this also in the firewall logs.
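The trade-off discussed above (ignore the admin accounts, or exclude the server networks from User-ID) can be checked against your own traffic logs before you change the firewall. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a handful of constructed PAN-OS-style traffic log rows (the `src`, `srcuser`, `app` and `dst` fields; the addresses, subnet and `corp\rob-admin` account are made up for illustration), flags the symptom RobinClayton describes (a user mapping attached to DNS/SMTP traffic leaving a server), and then simulates both fixes so you can see what each one hides.

```python
"""Audit user mappings attributed to server traffic, and compare the two fixes.

Added example for illustration only; not from the thread or from Palo Alto
Networks. Log rows, subnets and account names are constructed.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample: a few columns of a PAN-OS traffic log CSV export.
# Rows 2-3: an admin logged into two servers, so their service traffic
# (DNS, SMTP) now carries the admin's name. Row 6: the same admin working
# from a client PC, which we DO want to see.
SAMPLE_LOG = """\
src,srcuser,app,dst
10.10.20.15,,dns,10.10.0.53
10.10.20.15,corp\\rob-admin,dns,10.10.0.53
10.10.20.16,corp\\rob-admin,smtp,10.10.0.25
10.10.20.17,,ssl,10.10.0.40
10.20.5.101,corp\\rob,web-browsing,198.51.100.7
10.20.5.102,corp\\rob-admin,ssl,10.10.20.15
"""

SERVER_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]  # constructed server subnet
IGNORE_USERS = {"corp\\rob-admin"}                          # hypothetical ignore-list entry


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    srcuser: str   # empty string means "no User-ID mapping"
    app: str
    dst: str


def parse_log(text: str) -> list[Flow]:
    """Parse the CSV export into Flow records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Flow(ipaddress.ip_address(r["src"]), r["srcuser"], r["app"], r["dst"]) for r in reader]


def in_server_network(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in SERVER_NETWORKS)


def misattributed(flows: list[Flow]) -> list[Flow]:
    """The symptom: flows sourced from a server network that carry a user mapping.
    Service traffic gets whichever admin last logged in; that is the 'pointless'
    attribution described in the thread."""
    return [f for f in flows if f.srcuser and in_server_network(f.src)]


def apply_ignore_users(flows: list[Flow]) -> list[Flow]:
    """Fix 1 (Mick_Ball): put the admin accounts on the User-ID ignore list.
    The mapping disappears for those accounts everywhere, client networks included."""
    return [Flow(f.src, "" if f.srcuser in IGNORE_USERS else f.srcuser, f.app, f.dst) for f in flows]


def apply_exclude_networks(flows: list[Flow]) -> list[Flow]:
    """Fix 2 (Remo): exclude the server networks from User-ID.
    Only server-sourced flows lose their mapping; the same admin remains
    visible when they work from a client PC."""
    return [Flow(f.src, "" if in_server_network(f.src) else f.srcuser, f.app, f.dst) for f in flows]


def attributed_users(flows: list[Flow]) -> list[str]:
    """Distinct users that still appear in the logs after a given fix."""
    return sorted({f.srcuser for f in flows if f.srcuser})


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("misattributed server flows:", [(str(f.src), f.srcuser, f.app) for f in misattributed(flows)])
    print("users left after ignore-user list: ", attributed_users(apply_ignore_users(flows)))
    print("users left after network exclusion:", attributed_users(apply_exclude_networks(flows)))
```

Both fixes clear the misattributed server flows, but only the network exclusion keeps `corp\rob-admin` visible for the session from the client network, which is exactly the point Remo makes; the ignore list hides that account everywhere, which is the "1%" Rob was asking about. Run it against a real export (same column names) with your own subnets and account list substituted for the constructed values to see which accounts and flows each approach would make you blind to.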

@Remo unrelated to the topic I guess, but are you using virtual firewalls to control that server access?

@ce1028

In most cases physical firewalls (with vsys enabled).

Are you asking about the access from the servers or the access to the servers? The second is also restricted with groups on the servers themselves to the people that need access.
