
Best Practices for Securing User-ID Deployments | Palo Alto Networks Live 3/24/15, 9:41 AM


Best Practices for Securing User-ID Deployments
Version 11

created by ggarrison on Sep 16, 2014 4:21 PM, last modified by panagent on Jan 8, 2015 7:41 PM

Overview
User-ID maps IP addresses to users and, when enabled, gives network administrators granular control over what individual users are allowed to do as their traffic passes through a Palo Alto Networks Next-Generation Firewall. As with any network service, following best practices and configuration guidelines when deploying User-ID helps to reduce or eliminate exposure to potential risk. This article is intended to help network and security administrators avoid misconfiguration and safely enable User-ID in their network environments.

Details
Only enable User-ID on trusted zones
Enabling User-ID only on internal, trusted zones keeps the service from being exposed to the Internet and protects it from potential attacks. If User-ID and WMI probing are enabled on an external untrusted zone (such as the Internet), probes could be sent outside your protected network, disclosing the User-ID Agent service account name, domain name, and encrypted password hash. An attacker could potentially crack this information and exploit it to gain unauthorized access to protected resources. For this reason, User-ID should never be enabled on an untrusted zone.

Specify included and excluded networks when configuring User-ID

The include and exclude lists available on the User-ID Agent, as well as in agentless User-ID on PAN firewalls, can be used to limit the scope of User-ID. Typically, administrators are only concerned with the portion of IP address space used by their organization. By explicitly specifying the networks to be included in or excluded from User-ID, administrators can ensure that only trusted, company-owned assets are probed and that no unwanted mappings are created unexpectedly.
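As an added illustration (not code from the article or from Palo Alto Networks), the following PowerShell snippet dry-runs candidate addresses against include and exclude lists so the resulting scope can be checked before any mappings are created. The precedence it assumes, that an excluded network always wins and that any address outside a non-empty include list is out of scope, is an assumption; confirm it against the documentation for your PAN-OS or agent version.

```powershell
# Added example: dry-run addresses against User-ID include/exclude lists.
# Assumed semantics: an exclude entry always wins; once an include list exists,
# any address outside it is treated as excluded. Verify against your version's docs.
function ConvertTo-IPv4UInt32 {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($bytes)   # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # 2^32 - 2^(32-prefix) is exact in double arithmetic and yields the netmask (0 for /0)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return (((ConvertTo-IPv4UInt32 $Address) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask))
}

function Get-UserIDScopeDecision {
    param([string]$Address, [string[]]$Include, [string[]]$Exclude)
    foreach ($cidr in $Exclude) {
        if (Test-IPv4InCidr $Address $cidr) { return "excluded (matches exclude entry $cidr)" }
    }
    if (-not $Include -or $Include.Count -eq 0) {
        return "included (no include list; every non-excluded address is in scope)"
    }
    foreach ($cidr in $Include) {
        if (Test-IPv4InCidr $Address $cidr) { return "included (matches include entry $cidr)" }
    }
    return "excluded (outside every include entry)"
}

# Constructed sample lists: corporate RFC 1918 space is included, a guest Wi-Fi range is carved out.
$include = @('10.0.0.0/8', '192.168.0.0/16')
$exclude = @('10.250.0.0/16')

# Constructed sample addresses: internal host, guest Wi-Fi client, second internal range, Internet host.
foreach ($ip in '10.1.2.3', '10.250.4.5', '192.168.10.20', '203.0.113.7') {
    '{0,-15} {1}' -f $ip, (Get-UserIDScopeDecision -Address $ip -Include $include -Exclude $exclude)
}
```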

Disable WMI probing if it will not be used

WMI, or Windows Management Instrumentation, is a powerful mechanism that can be used to actively probe
systems to learn IP-user mappings. If enabled on an external untrusted interface, it is possible for WMI probes to
be sent outside of your protected network, resulting in an information disclosure of the username, domain name,
and encrypted password hash of the service account configured for use with User-ID. Consequently, this
information could potentially be cracked and exploited by an attacker. If you are only going to be using the User-
ID Agent to parse AD security event logs, syslog, or the XML API to obtain User-ID mappings, then WMI probing
can be safely disabled.

Use a dedicated service account for User-ID services with the minimal permissions necessary
User-ID deployments can be hardened by granting the service account only the minimum set of permissions necessary for the service to function properly. This includes DCOM Users, Event Log Readers, and Server Operators. If the User-ID service account were to be compromised by an attacker, having administrative and other unnecessary privileges would expose the enterprise to additional risk of destruction or theft of sensitive data. Domain Admin and Enterprise Admin rights are not required to read security event logs and consequently should not be granted.

https://live.paloaltonetworks.com/docs/DOC-7912 Page 1 of 5

Deny interactive logon for the User-ID service account

While the User-ID service account does require certain permissions in order to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. This privilege can be restricted using Group Policies, or by using a Managed Service Account with User-ID (see Microsoft TechNet for more information on configuring Group Policies and Managed Service Accounts). If the User-ID service account were to be compromised by a malicious user, the potential attack surface would be greatly reduced by denying interactive logon.

Deny remote access for the User-ID service account

Typically, service accounts should not be members of any security groups that are used to grant remote access. If
the User-ID service account credentials were to be compromised, this would prevent the attacker from using the
account to gain access to your network from the outside using a VPN.
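The three recommendations above (minimal group membership, no interactive logon, no remote access) can be checked with a script like the following PowerShell audit, added here as an example and not part of the article or of the vendor's tooling. It assumes the RSAT ActiveDirectory module is installed, that the service account is named svc-userid, and that 'VPN Users' and 'Remote Desktop Users' are the groups granting remote access in the environment; the built-in group the article calls 'DCOM Users' is 'Distributed COM Users'.

```powershell
# Added example: audit a User-ID service account against the hardening guidance above.
# Assumptions: RSAT ActiveDirectory module present; account is svc-userid; the remote-access
# group names below are placeholders for whatever grants VPN/remote access in your domain.
Import-Module ActiveDirectory

$ServiceAccount     = 'svc-userid'                                  # assumed account name
$AllowedGroups      = @('Distributed COM Users', 'DCOM Users', 'Event Log Readers', 'Server Operators')
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$RemoteAccessGroups = @('VPN Users', 'Remote Desktop Users')        # assumed names

function Get-UserIDAccountFindings {
    param([string]$SamAccountName)
    $findings = @()

    # 1) Group membership. Only direct memberships are returned here; nested membership
    #    would need Get-ADGroupMember -Recursive on each privileged group instead.
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
    foreach ($g in $groups) {
        if     ($PrivilegedGroups   -contains $g) { $findings += "HIGH:   privileged group '$g' (not needed to read event logs)" }
        elseif ($RemoteAccessGroups -contains $g) { $findings += "HIGH:   remote-access group '$g' (usable over VPN if credentials leak)" }
        elseif ($g -eq 'Domain Users')            { }               # default primary group, expected
        elseif ($AllowedGroups -notcontains $g)   { $findings += "REVIEW: unexpected group '$g'" }
    }

    # 2) Interactive logon. Export this host's effective user-rights assignment (run the script on
    #    the server hosting the agent) and confirm the account's SID appears in the deny-logon right.
    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value
    $cfg = Join-Path $env:TEMP 'userid-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $deny = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
    if (-not $deny -or $deny.Line -notlike "*$sid*") {
        # A deny applied through a group rather than the account itself is not detected by this check.
        $findings += "MEDIUM: SeDenyInteractiveLogonRight on $env:COMPUTERNAME does not list $SamAccountName directly"
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $findings
}

$result = Get-UserIDAccountFindings -SamAccountName $ServiceAccount
if ($result.Count -eq 0) { "No findings for $ServiceAccount" } else { $result }
```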

Configure egress filtering on outbound internal traffic

Prevent any unwanted traffic (including potentially unwanted User-ID Agent traffic) from leaving your protected networks for the Internet by implementing egress filtering on perimeter firewalls. In sensitive environments, whitelisting trusted and business-essential applications diminishes the possibility of allowing unwanted traffic, and also helps reduce the possible vectors that could be used to exfiltrate data.

See Also
For more information on setting up and configuring User-ID see the following:
User-ID section of the PAN-OS 6.1 Web Interface Reference
User-ID Best Practices - PAN-OS 5.0, 6.0
How to Configure Agentless User-ID


8 Comments

andrew.stanton Oct 14, 2014 1:02 PM

My only challenge to the best practice of "Only enable User-ID on trusted zones" is that it conflicts with
recommendations/requirements for GlobalProtect. See:

