Configuring the Integrated User-ID dedicated service account with minimal permissions for server monitoring

Created On 06/13/24 17:43 PM - Last Modified 08/29/25 20:15 PM


Objective


  • Use a dedicated service account for User-ID services with only the permissions needed to perform server monitoring.
  • Following the principle of least privilege, user accounts should hold only the minimum necessary permissions. If an attacker compromises a User-ID service account that has Domain Admin rights, the organization is at far greater risk than if the service account had been granted only the minimum rights.


Environment


  • PAN-OS 10.0 or above
  • Windows Server 2019 Active Directory
  • User-ID Agent


Procedure


On the domain controller:

  1. Navigate to Active Directory Users and Computers.
  2. Create the dedicated service account under "Managed Service Accounts", e.g. palo-svc.
  3. Open mmc.msc and configure the service account for the PAN-OS integrated User-ID agent so that it is a member only of:
    • Event Log Readers
    • Distributed COM Users
    • Domain Users
  4. For the Windows User-ID agent, the service account should be a member only of:
    • Event Log Readers
    • Server Operators
    • Domain Users

For detailed information, refer to the documentation: Create a Dedicated Service Account for the User-ID Agent.
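The following PowerShell script is an added example, not part of this article or of any Palo Alto Networks tool: it creates the account with the group memberships listed above for the integrated agent and then checks that the account holds no group beyond that set (for instance Domain Admins). It assumes the ActiveDirectory RSAT module, rights to create users in the domain, and the account name palo-svc from step 2; the container path and description text are assumptions.

```powershell
# Added example (not from the KB article): create the User-ID service account and
# verify it is a member of only the groups the article lists.
# Assumes the ActiveDirectory module (RSAT) and permission to create domain users.
Import-Module ActiveDirectory

$AccountName = 'palo-svc'                         # name used in the article (step 2)
$Domain      = Get-ADDomain
$Container   = "CN=Managed Service Accounts,$($Domain.DistinguishedName)"   # assumed path

# Groups for the PAN-OS integrated User-ID agent (step 3).
# For the Windows User-ID agent (step 4) replace 'Distributed COM Users' with 'Server Operators'.
$AllowedGroups = @('Event Log Readers', 'Distributed COM Users', 'Domain Users')

if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
    New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $Container `
        -AccountPassword $Password -Enabled $true -CannotChangePassword $true `
        -Description 'User-ID server monitoring service account (least privilege)'
}

# Add only the required groups; 'Domain Users' is the default primary group, so skip it.
foreach ($Group in ($AllowedGroups | Where-Object { $_ -ne 'Domain Users' })) {
    Add-ADGroupMember -Identity $Group -Members $AccountName
}

# Least-privilege check: enumerate the account's direct group memberships and flag any
# group outside the allowed set (e.g. Domain Admins, or a custom group added by mistake).
$User   = Get-ADUser -Identity $AccountName
$Actual = Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty Name
$Extra  = @($Actual | Where-Object { $AllowedGroups -notcontains $_ })

if ($Extra.Count -gt 0) {
    Write-Warning "$AccountName has unexpected group memberships: $($Extra -join ', ')"
} else {
    Write-Host "$AccountName is limited to: $($Actual -join ', ')"
}
```

Re-running only the check portion on a schedule is a cheap way to detect privilege creep on the service account after it has been deployed.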



Additional Information


In some cases, when the service account was created under a custom security group instead of the groups listed above, User-ID communication with the server broke and the agent reported an "access denied" error.
