created by ggarrison on Sep 16, 2014 4:21 PM, last modified by panagent on Jan 8, 2015 7:41 PM
Overview
User-ID maps IP addresses to user names and, when enabled, gives network administrators granular control over what individual users are allowed to do when their traffic is filtered by a Palo Alto Networks Next-Generation Firewall. As with enabling any network service, following best practices and configuration guidelines when deploying User-ID helps reduce or eliminate exposure to potential risk. This article is intended to help network and security administrators avoid misconfiguration and enable User-ID safely in their network environments.
Details
Only enable User-ID on trusted zones
By enabling User-ID only on internal, trusted zones, the service is never exposed to the Internet, which keeps it protected from potential attacks. If User-ID and WMI probing are enabled on an external, untrusted zone (such as the Internet), probes can be sent outside your protected network, disclosing the User-ID Agent service account name, domain name, and encrypted password hash. An attacker could crack this information and use it to gain unauthorized access to protected resources. For this reason, User-ID should never be enabled on an untrusted zone.
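The zone check above can be verified against an exported firewall configuration rather than by eye. The following is an added example, not code from the Palo Alto Networks article: it parses the zone entries of a PAN-OS XML configuration (the `devices/entry/vsys/entry/zone/entry` layout with an `enable-user-identification` element) and reports every zone that has User-ID enabled while being on the caller's list of untrusted zones. The sample configuration and the set of untrusted zone names are constructed for the example; a zone with no `enable-user-identification` element is treated as disabled.

```python
# Added example (not from the article): audit an exported PAN-OS configuration
# for zones that have User-ID enabled on zones the operator treats as untrusted.
import xml.etree.ElementTree as ET

# Constructed sample of a running-config excerpt: "trust" and "untrust" both
# have User-ID enabled, "dmz" has no enable-user-identification element.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="trust">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="dmz">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone>
  </entry></vsys></entry></devices>
</config>"""


def user_id_enabled_zones(config_xml):
    """Return the names of all zones whose enable-user-identification is 'yes'.

    A zone without the element is treated as disabled (assumption of this example).
    """
    root = ET.fromstring(config_xml)
    enabled = []
    for zone in root.iterfind("./devices/entry/vsys/entry/zone/entry"):
        flag = zone.findtext("enable-user-identification", default="no")
        if flag.strip().lower() == "yes":
            enabled.append(zone.get("name"))
    return enabled


def find_user_id_on_untrusted(config_xml, untrusted_zones):
    """Return, sorted, the zones that both have User-ID enabled and are untrusted.

    untrusted_zones is the operator's own list (e.g. the Internet-facing zones);
    an empty result means the configuration follows the trusted-zones-only rule.
    """
    enabled = set(user_id_enabled_zones(config_xml))
    return sorted(enabled & set(untrusted_zones))


if __name__ == "__main__":
    # Usage: run against a saved config and the zone names you consider external.
    violations = find_user_id_on_untrusted(SAMPLE_CONFIG, {"untrust"})
    for name in violations:
        print(f"User-ID is enabled on untrusted zone '{name}'")
```

In practice the input is the XML saved from the firewall (for example a `running-config.xml` export) and the untrusted set is every zone whose interfaces face the Internet or another network you do not control; any zone the script reports should have User-ID turned off in the zone settings.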
Use a dedicated service account for User-ID services with the minimal permissions necessary
User-ID deployments can be hardened by granting the service account only the minimum set of permissions necessary for the service to function properly. This includes DCOM Users, Event Log Readers, and Server Operators. If the User-ID service account were to be compromised by an attacker, having administrative and other unnecessary privileges would expose the enterprise to additional risk of destruction or theft of sensitive data. Domain Admin and Enterprise Admin rights are not required to read security event logs and consequently should not be granted.
https://live.paloaltonetworks.com/docs/DOC-7912 Page 1 of 5
Best Practices for Securing User-ID Deployments | Palo Alto Networks Live 3/24/15, 9:41 AM
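The least-privilege rule above can be checked against the service account's actual group memberships. The following is an added example, not code from the article: given the list of Active Directory groups a User-ID service account belongs to (for instance the names returned by a directory query), it reports the privileged groups the article says are not needed, any group outside the minimal set, and any required group that is missing. The sample membership list is constructed; "DCOM Users" in the article corresponds to the Windows built-in group "Distributed COM Users", and "Domain Users" is accepted as the default primary group of any domain account.

```python
# Added example (not from the article): compare a User-ID service account's
# group memberships with the minimal set the article recommends.

# Minimal set named in the article ("DCOM Users" is the built-in group
# "Distributed COM Users" on Windows).
REQUIRED_GROUPS = {"Distributed COM Users", "Event Log Readers", "Server Operators"}

# Rights the article says are not required to read security event logs.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Every domain account has a primary group; "Domain Users" is not a finding.
BASELINE_GROUPS = {"Domain Users"}

# Constructed sample: memberships for a hypothetical account "svc-userid".
SAMPLE_MEMBERSHIPS = [
    "CORP\\Domain Users",
    "CORP\\Distributed COM Users",
    "CORP\\Event Log Readers",
    "CORP\\Domain Admins",
]


def normalize_group(name):
    """Strip a 'DOMAIN\\' prefix and surrounding whitespace from a group name."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name


def audit_service_account(memberships):
    """Classify an account's groups against the minimal set.

    Returns a dict with three sorted lists:
      privileged - groups the article says must not be granted
      unexpected - other groups outside the minimal and baseline sets
      missing    - required groups the account does not have
    """
    have = {normalize_group(g) for g in memberships}
    return {
        "privileged": sorted(have & PRIVILEGED_GROUPS),
        "unexpected": sorted(have - REQUIRED_GROUPS - PRIVILEGED_GROUPS - BASELINE_GROUPS),
        "missing": sorted(REQUIRED_GROUPS - have),
    }


def is_least_privilege(memberships):
    """True only when no privileged or unexpected groups are present and none are missing."""
    result = audit_service_account(memberships)
    return not (result["privileged"] or result["unexpected"] or result["missing"])


if __name__ == "__main__":
    # Usage: feed the group names for the service account and review the findings.
    for category, groups in audit_service_account(SAMPLE_MEMBERSHIPS).items():
        print(f"{category}: {', '.join(groups) or '-'}")
```

The "unexpected" list is where rights that are not outright administrative but still unnecessary (such as membership in local Administrators on log-source servers) show up, so review it alongside the privileged findings rather than treating only the latter as actionable.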
See Also
For more information on setting up and configuring User-ID see the following:
User-ID section of the PAN-OS 6.1 Web Interface Reference
User-ID Best Practices - PAN-OS 5.0, 6.0
How to Configure Agentless User-ID
owner: ggarrison
Categories: Setup, Management & Administration, User-ID & Authentication
Tags: user-id, best_practice, userid
8 Comments
My only challenge to the best practice of "Only enable User-ID on trusted zones" is that it conflicts with
recommendations/requirements for GlobalProtect. See: