User loses privileges...UserID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User loses privileges...UserID

L4 Transporter

In our company we have two internet browsing profiles.
Users who belong to the AD Domain users have limited access to internet and users AD group belongs to UsuariosInternet can access anywhere.


My AD user is canopr and I have internet access from my PC (10.5.1.149), when I log on to a server by remote desktop (mstsc) and I identify with the user oalgt\ explotacio, stopped internet access. The userID the user agent learns that identified on the IP 10.5.1.149 is explotacio. This performance understand that is wrong. Is there any way around it?



Thanks

15 REPLIES 15

L4 Transporter

If that's a terminal server where multiple users are active simultaneously, do you have the Terminal Services Agent installed and working ?

No. Its just a server where i can access via RDP to manage several apps.

Does UserID map the user who is connecting to RDP to an ip address ?

UserID can have the same user mapped to several ip's, but I'm not sure it can have several users mapped to one ip (except Terminal services agent). My guess is the RDP log on is captured as a logon event and the user is replaced in the ip mapping. We see this behaviour when we do administrative tasks (using a domain admin account) within a restricted user account. But that is expected behaviour for us...

In fact, I can reproduce the problem you're describing when connecting to a server using rdp. But shortly after, the normal user is mapped back to the client ip (we're using event log monitoring, session monitoring and wmi client probing; all with short intervals).

L4 Transporter

Yes, UserID maps the user who connects to the server via RDP. There is any way to keep the "privileges" although im working in other server via RDP?

What UserID mechanisms do you use ? At what intervals ?

Eventually, your normal user should automatically be picked up again. But that depends on the mechanisms and interval. If you want very tight correlation between actual users and ip's, you'll have to rethink your UserID setup.

Take a look at Architecting User Identification Deployments . This and the admin guide helped me a lot in getting UserID right and efficient.

L4 Transporter

I have read the manual it seems correctly configured. This problem also happens with the user has two diferent mail inbox.

What happens to me is that when I connect via terminal services to a server, my local IP address is associated with the user in which I connect.

Simply initiating a RDP session, logs some kind of logon event (checking against AD whether or not that user is allowed to make RDP connections). It doesn't even yet relate to the server you're trying to connect.

You can actually reproduce this with a similar logon event: make a connection to an administrative share (\\somepc\c$), Windows will ask for credentials. Say you log on with a domain admin account. That domain admin account will be mapped to your ip address. Until timeout OR until your normal user does some kind of logon event (accessing your home folder can be enough) OR until the WMI probe determines your user.

This is all by design.

Eventually, is your user mapped back to your ip or not ? If so, how long does it take ?

You can monitor it in the CLI using the command "show user ip-user-mapping ip [your ip]"

L4 Transporter

OK ill try to explain better.

I have my user oalgt/bruguepr  in my local pc. I open a RDP in order to manage a server, i log in this server as oalgt/explotacion. When i log in this server via RDP my local pc (user: oalgt/bruguepr) get the same privilege like explotacio.

And if i check the UserID agent i can see that my ip has the user explotacio. If i close the rdp ill continue having the explotacio privileges......what is the correct behaviour for this???

This also happens with user who has 2 mail inbox, where they access with different users.

The problem you're having (user explotacion getting mapped to your local ip address) is perfectly clear. And like I said before: This is excpected behaviour because a logon event is logged. And no, we are not talking about the fact that user explotacio is logging on to the server, we are talking about "a" Windows logon event.

Check the security log in event viewer: you'll find thousands of logon events, that have nothing to do with a user logging on (entering username/password) to a computer.

The security log on a DC is the source PaloAlto uses to collect these events, since they contain the user and an ip....

After having logged on to the server, almost any action you do locally (like browsing in Windows Explorer, opening an application) will trigger a logon event that should eventually be picked up by UserID. On the conditions that you are in fact in a domein environment (the logon event is checked by the DC) and UserID interval is short enough.

I dont know why it should affect me in my local machine that I connect to other pc with other user by RDP and when i close this session i dont recuperate my privileges. In the moment that i connect to another machine via RDP with any user i get the privileges of this user in my local machine....... this is a weird behaviour....

Please understand that this actually has nothing to do with the RDP session.

This is standard Windows behaviour in a Windows domain: Your DC is the only "authority" that determines whether or not you have access to a resource. This is the logon even I'm talking about.

Nothing you do in PaloAlto config wil change that behaviour. All PA does is read that info.

L4 Transporter

Hello,

This behavior is expected, UserID does ip-user-mapping based off of the Windows Security logs and when a user RDP's to a machine, Windows logs the security event based on the IP of the PC that initiated the RDP.

The only workaround for this to add the username: oalgt\ explotacio in the ignore users list. This is not an issue with the firewall or the agent.

Refer:

https://live.paloaltonetworks.com/docs/DOC-2893

Hope that helps,

Aditi

L4 Transporter

And what would happen with the users whos has 2 inbox in their exchange??? it happens the same for them??

  • 4561 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!