Elevated Privileges and User ID in Active Directory Environments




Nick Piagentini, Palo Alto Networks, 3300 Olcott Street, Santa Clara, CA 95054, www.paloaltonetworks.com

Table of Contents
Background
Objections
Solution

2011 Palo Alto Networks

Background

The most common scenario in which we encounter issues with User Identification (User-ID) and elevated privileges is that of network administrators who have multiple accounts within the same directory. One account is most commonly a regular user account that provides access to traditional network services such as file shares and email. The other is an account with administrative rights on the network, used to perform specific tasks on demand through either an RDP session to a network server or the Windows Run As command from the desktop.

There are additional examples of this in the form of cloud-based SaaS solutions where network users have separate credentials for access to the cloud service than for local network access. Examples include Salesforce.com as well as Google Apps.

In these cases, the current Palo Alto Networks User-ID solution will associate only one network identity with the user's IP address (or IP/port combination in the case of Terminal Services). For example, if a network administrator has been identified based on their user-level account, and the administrative-level account was used in firewall policy to allow access to a resource, they would be unable to accomplish their required administrative task. The inverse is also a problem: if they are mapped with their administrative-level account, they may lose access to email or user drives which are provisioned based on their user-level account. In theory this issue extends to any other set of credentials the user possesses, although credentials outside the scope of the enterprise network are probably not required in firewall policy. The problem becomes which account should be used for any given firewall policy.

Objections

Most commonly administrators will wish to use admin-level accounts in firewall policy for administrative traffic, and user-level accounts for base traffic. The screen shot below captures a common initial configuration.
The following assumptions are made regarding the user's Active Directory design:

- Administrators have 2 AD accounts.
- One account is a member of Corporate Employees.
- One account is a member of IT Admins.
- The IT Admins account is not a member of Corporate Employees; IT Admins is a group that only has access to higher administrative functions. In most cases members of this group will not have been provisioned for email or other basic user services. The accounts are solely used for high-level administrative tasks.

The user will most likely log into their workstation as a member of the Corp Employees group and then launch RDP to access the domain controller, where they would need to provide IT Admin permissions. Since User-ID would have them mapped to their general-purpose user account, they would not be able to initiate the RDP session in the first place. Even if they launched the RDP client using Run As, it would not work, since the Run As command does not generate the proper events in the Windows security log. Without a full understanding of how User-ID on a network firewall should be deployed, this issue can be perceived as a significant shortcoming.

Solution

The key concept in addressing this issue is to define network security policy around who the user is, rather than the level of access they are currently exercising. In the scenario where entities in the customer environment have multiple user identities for access to different resources, the firewall rules should be defined on the base user group. In the above example the firewall rules would be defined around Joe Doe's JDoe user account. This account would be allowed to run RDP to the domain controllers as well as to access the Exchange server. When connecting to the domain controller, Joe will need to provide his JD-Admin account credentials to successfully connect. This maintains the two discrete levels of access for administrative functions.
Along the same lines, if Joe needs to run a SQL Server client on his workstation as the JD-Admin user to manage a database, his JDoe account would be provisioned on the firewall to allow SQL access, while the SQL server would still require the elevated credentials provided when Joe ran the client using Run As.

The base account will usually be a member of groups based on general job function. So while JDoe is not a member of the IT Admins group that would provide access to domain controllers, he is most certainly a member of a group such as Network Services. These organizational groups can be used to identify the users that will most likely have secondary elevated accounts. By provisioning applications based on this account, and then securing the endpoints based on the elevated account, we can achieve both a clean and logical firewall policy set and the enhanced security of the dual user role.
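The design above rests on two things an administrator can check before writing policy: that elevated accounts really are kept out of the base user groups (the assumption listed earlier), and which job-function groups such as Network Services hold the base accounts the firewall rules should reference. The following audit script is an added example, not code from the whitepaper or from Palo Alto Networks. The group membership is constructed for illustration; a real run would populate GROUPS from a directory query (for example the Get-ADGroupMember cmdlet or an LDAP search), and the nested-group resolution is included because AD groups routinely contain other groups.

```python
"""Audit an AD group export for the two-account model (base account for user
services, separate elevated account for admin tasks).  Constructed example:
GROUPS is illustrative data, not an export from any real directory."""

# Constructed export: group name -> direct members (accounts or nested groups).
GROUPS = {
    "Corporate Employees": ["Network Services", "Finance", "BLee"],
    "Network Services": ["JDoe", "ASmith"],
    "Finance": ["CKim"],
    "IT Admins": ["JD-Admin", "AS-Admin", "BLee"],   # BLee deliberately violates the model
}

BASE_GROUPS = {"Corporate Employees"}   # general user provisioning (mail, file shares)
ADMIN_GROUPS = {"IT Admins"}            # elevated access only
ORG_GROUPS = {"Network Services"}       # job-function groups to reference in firewall policy


def effective_members(group, groups=GROUPS, _seen=None):
    """Resolve nested group membership to the flat set of accounts (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    accounts = set()
    for member in groups.get(group, []):
        if member in groups:          # nested group: recurse into it
            accounts |= effective_members(member, groups, _seen)
        else:
            accounts.add(member)
    return accounts


def _resolve_all(group_names, groups):
    return set().union(*(effective_members(g, groups) for g in group_names))


def separation_violations(groups=GROUPS):
    """Accounts holding both base and elevated membership.  Such an account can do
    admin work without ever presenting a second credential, which is exactly what
    the two-account model is meant to prevent."""
    base = _resolve_all(BASE_GROUPS, groups)
    admin = _resolve_all(ADMIN_GROUPS, groups)
    return sorted(base & admin)


def policy_subjects(groups=GROUPS):
    """Base accounts in each organizational group: the identities the firewall rules
    should be written against, and the users most likely to hold an elevated account."""
    admin = _resolve_all(ADMIN_GROUPS, groups)
    return {org: sorted(effective_members(org, groups) - admin) for org in ORG_GROUPS}


def unprovisioned_admins(groups=GROUPS):
    """Elevated accounts with no base-group membership.  This is the expected state:
    they are not provisioned for mail or other basic user services."""
    base = _resolve_all(BASE_GROUPS, groups)
    admin = _resolve_all(ADMIN_GROUPS, groups)
    return sorted(admin - base)


if __name__ == "__main__":
    print("Corporate Employees resolves to:", sorted(effective_members("Corporate Employees")))
    print("Separation violations:", separation_violations())
    print("Firewall policy subjects:", policy_subjects())
    print("Admin accounts with no base provisioning:", unprovisioned_admins())
```

With the constructed data, the audit flags BLee (a member of both Corporate Employees and IT Admins) as a violation, lists JDoe and ASmith as the Network Services identities to use in policy, and confirms that JD-Admin and AS-Admin carry no base provisioning.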

It is critical to note that the use of the base account groups for policy does not represent a loss of security. Nor should firewall rules be seen as a replacement for the granular security provided by endpoints such as file servers, terminal servers and database systems.
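To make the two points concrete, the following simulation (an added example, not code or configuration from the whitepaper or from Palo Alto Networks) chains the three decisions involved: a User-ID style mapping table that holds one identity per source IP, or per IP/port for a terminal server, and which gets no entry from Run As; first-match firewall rules written either the "initial" way (IT Admins for admin traffic) or the recommended way (the base Network Services group); and the endpoint's own check of the credential actually presented. Group data, rule names and application labels are constructed for illustration and are not PAN-OS objects or App-ID names.

```python
"""Constructed simulation: User-ID style mapping -> firewall policy -> endpoint check."""
from dataclasses import dataclass

# Constructed directory data (flat membership, already resolved).
GROUPS = {
    "Corporate Employees": {"JDoe", "ASmith", "BLee"},
    "Network Services": {"JDoe", "ASmith"},
    "IT Admins": {"JD-Admin", "AS-Admin"},
}


def groups_of(account):
    """Set of groups the account belongs to."""
    return {g for g, members in GROUPS.items() if account in members}


class UserIdMap:
    """One identity per source: keyed by IP, or by (IP, port) for terminal-server hosts."""
    def __init__(self):
        self._map = {}

    def learn(self, ip, user, port=None):
        # A later logon from the same source simply overwrites the earlier identity.
        self._map[(ip, port)] = user

    def lookup(self, ip, port=None):
        # Terminal-server sources resolve per port; everything else resolves per IP.
        return self._map.get((ip, port)) or self._map.get((ip, None))


@dataclass
class Rule:
    name: str
    source_groups: set
    destination: str
    application: str
    action: str            # "allow" or "deny"


# The "common initial configuration": admin-level group for admin traffic.
INITIAL_POLICY = [
    Rule("Admin RDP to DCs", {"IT Admins"}, "dc-servers", "rdp", "allow"),
    Rule("Mail", {"Corporate Employees"}, "exchange", "mail", "allow"),
]
# Recommended: rules keyed on the base account's job-function group.
RECOMMENDED_POLICY = [
    Rule("Network Services RDP to DCs", {"Network Services"}, "dc-servers", "rdp", "allow"),
    Rule("Mail", {"Corporate Employees"}, "exchange", "mail", "allow"),
]

# What group the credential presented to each server must hold (constructed).
ENDPOINT_REQUIREMENT = {"dc-servers": "IT Admins", "exchange": "Corporate Employees"}


def firewall_decision(policy, mapping, src_ip, dst, app, src_port=None):
    """First-match evaluation with default deny. Returns (action, rule_name, mapped_user)."""
    user = mapping.lookup(src_ip, src_port)
    user_groups = groups_of(user) if user else set()
    for rule in policy:
        if rule.destination == dst and rule.application == app and rule.source_groups & user_groups:
            return rule.action, rule.name, user
    return "deny", "default-deny", user


def endpoint_decision(dst, presented_account):
    """The server checks the credential actually presented, independent of the firewall."""
    return presented_account in GROUPS[ENDPOINT_REQUIREMENT[dst]]


def attempt(policy, mapping, src_ip, dst, app, presented_account, src_port=None):
    """Outcome of one connection attempt after both the firewall and the endpoint decide."""
    action, rule, _ = firewall_decision(policy, mapping, src_ip, dst, app, src_port)
    if action != "allow":
        return f"denied by firewall ({rule})"
    if not endpoint_decision(dst, presented_account):
        return f"rejected by {dst} (credential {presented_account} lacks {ENDPOINT_REQUIREMENT[dst]})"
    return "allowed"


def build_mapping():
    """Constructed logon events. Run As produces no usable security-log event, so the
    elevated JD-Admin account never appears in the table."""
    m = UserIdMap()
    m.learn("10.1.1.50", "JDoe")                    # Joe's workstation logon
    m.learn("10.1.1.200", "ASmith", port=49152)     # one terminal-server session
    m.learn("10.1.1.200", "BLee", port=49153)       # another session on the same host
    return m


if __name__ == "__main__":
    m = build_mapping()
    print(attempt(INITIAL_POLICY, m, "10.1.1.50", "dc-servers", "rdp", "JD-Admin"))
    print(attempt(RECOMMENDED_POLICY, m, "10.1.1.50", "dc-servers", "rdp", "JDoe"))
    print(attempt(RECOMMENDED_POLICY, m, "10.1.1.50", "dc-servers", "rdp", "JD-Admin"))
    print(attempt(RECOMMENDED_POLICY, m, "10.1.1.200", "dc-servers", "rdp", "AS-Admin", src_port=49152))
    print(attempt(RECOMMENDED_POLICY, m, "10.1.1.200", "dc-servers", "rdp", "BLee", src_port=49153))
```

Under the initial policy, Joe's RDP session to a domain controller is dropped by the firewall because the mapping only knows him as JDoe. Under the recommended policy the firewall lets the Network Services account through, and the domain controller then rejects JDoe's own credential and accepts only JD-Admin, which is the separation the whitepaper relies on. The terminal-server cases show the per-port mapping keeping ASmith's and BLee's sessions apart on a shared IP.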