
Best Practices for Securing User-ID Deployments | Palo Alto Networks Live

3/24/15, 9:41 AM

Best Practices for Securing User-ID Deployments

Version 11

created by ggarrison on Sep 16, 2014 4:21 PM, last modified by panagent on Jan 8, 2015 7:41 PM


User-ID services enable mapping of IP addresses to users, and when enabled give network administrators granular control over what various users are allowed to do when their traffic is filtered by a Palo Alto Networks Next-Generation Firewall. As with enabling any network service, following best practices and configuration guidelines when deploying User-ID helps to reduce or eliminate exposure to potential risk. This article is intended to help network and security administrators avoid misconfiguration and safely enable User-ID services in their network environments.


Only enable User-ID on trusted zones

By only enabling User-ID on internal and trusted zones, there is no exposure of these services to the Internet, which helps to keep this service protected from any potential attacks. If User-ID and WMI probing are enabled on an external untrusted zone (such as the Internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID Agent service account name, domain name, and encrypted password hash. This information has the potential to be cracked and exploited by an attacker to gain unauthorized access to protected resources. For this important reason, User-ID should never be enabled on an untrusted zone.

Specify included and excluded networks when configuring User-ID

The include and exclude lists available on the User-ID Agent as well as agentless User-ID on PAN firewalls can be used to limit the scope of User-ID. Typically, administrators are only concerned with the portion of IP address space used in their organization. By explicitly specifying networks to be included with or excluded from User-ID, we can help to ensure that only trusted and company-owned assets are probed, and that no unwanted mappings will be created unexpectedly.

Disable WMI probing if it will not be used

WMI, or Windows Management Instrumentation, is a powerful mechanism that can be used to actively probe systems to learn IP-user mappings. If enabled on an external untrusted interface, it is possible for WMI probes to be sent outside of your protected network, resulting in an information disclosure of the username, domain name, and encrypted password hash of the service account configured for use with User-ID. Consequently, this information could potentially be cracked and exploited by an attacker. If you are only going to be using the User-ID Agent to parse AD security event logs, syslog, or the XML API to obtain User-ID mappings, then WMI probing can be safely disabled.

Use a dedicated service account for User-ID services with the minimal permissions necessary

User-ID deployments can be hardened by only including the minimum set of permissions necessary for the service to function properly. This includes DCOM Users, Event Log Readers, and Server Operators. If the User-ID service account were to be compromised by an attacker, having administrative and other unnecessary privileges would expose the enterprise to additional risk of destruction or theft of sensitive data. Domain Admin and Enterprise Admin rights are not required to read security event logs and consequently should not be granted.

Deny interactive logon for the User-ID service account

While the User-ID service account does require certain permissions in order to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. This privilege can be restricted using Group Policies, or by using a Managed Service Account with User-ID (see Microsoft TechNet for more information on configuring Group Policies and Managed Service Accounts). If the User-ID service account were to be compromised by a malicious user, the potential attack surface would be greatly reduced by denying interactive logon.

Deny remote access for the User-ID service account

Typically, service accounts should not be members of any security groups that are used to grant remote access. If the User-ID service account credentials were to be compromised, this would prevent the attacker from using the account to gain access to your network from the outside using a VPN.
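One way to audit an existing service account against the three account-hardening practices above (minimal group membership, no interactive logon, no remote interactive logon) is the following PowerShell script. It is an added example, not Palo Alto Networks code; it assumes the RSAT ActiveDirectory module, an elevated session on the server that hosts the User-ID Agent (secedit exports that machine's effective user-rights policy, which is where Group Policy deny rights land), and a placeholder account name of `svc-userid`.

```powershell
# Added example (not Palo Alto Networks code): audit a User-ID service account
# against the hardening practices in this article. Account name is a placeholder.
param([string]$Account = 'svc-userid')

Import-Module ActiveDirectory
$user = Get-ADUser -Identity $Account
$findings = @()

# The minimal groups the article lists; the built-in Windows name of the
# "DCOM Users" group is 'Distributed COM Users'.
$required  = 'Event Log Readers', 'Distributed COM Users', 'Server Operators'
# Groups that grant far more than log reading; the article says they are not needed.
$forbidden = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

function Test-GroupMember([string]$Group, [string]$Sam) {
    # Recursive lookup so nested (indirect) membership is also caught.
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SamAccountName -eq $Sam })
}

foreach ($g in $forbidden) {
    if (Test-GroupMember $g $user.SamAccountName) {
        $findings += "FAIL: '$Account' is a member of '$g' (excess privilege)"
    }
}
foreach ($g in $required) {
    if (-not (Test-GroupMember $g $user.SamAccountName)) {
        $findings += "WARN: '$Account' is not a member of '$g'"
    }
}

# Deny-logon rights are set via Group Policy; export the effective local policy
# ([Privilege Rights] section lists each right followed by *SID entries).
$inf = Join-Path $env:TEMP 'userid-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
$sid = $user.SID.Value
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = $policy | Where-Object { $_ -like "$right*" }
    if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) {
        $findings += "FAIL: $right does not include '$Account'"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

if ($findings) { $findings } else { "PASS: '$Account' matches the hardening checklist" }
```

Add the groups your VPN or remote-access solution uses to `$forbidden` to cover the "deny remote access" practice as well.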

Configure egress filtering on outbound internal traffic

Prevent any unwanted traffic (including potentially unwanted User-ID Agent traffic) from leaving your protected networks out to the Internet by implementing egress filtering on perimeter firewalls. In sensitive environments, whitelisting trusted and business-essential applications diminishes the possibility of allowing unwanted traffic, and also helps reduce possible vectors that could be used to exfiltrate data.

For more information on setting up and configuring User-ID see the following:

Categories: Setup, Management & Administration, User-ID & Authentication


8 Comments

andrew.stanton Oct 14, 2014 1:02 PM

My only challenge to the best practice of "Only enable User-ID on trusted zones" is that it conflicts with recommendations/requirements for GlobalProtect. See:
