Tips & Tricks: Considerations for TS Agent and User-ID Agent in a Mixed Environment

Created On 09/25/18 18:55 PM - Last Modified 12/12/19 19:25 PM


Resolution

In an environment where both Terminal Services (TS) Agent and User Identification (User-ID) Agent are used to ascertain which users are logged on to certain systems, some precautions need to be taken to prevent incorrect mapping of users, mainly regarding the terminal servers, where multiple users can be logged on at the same time.

Both agents achieve user mapping in their own distinct way:

  • The User-ID Agent maps a single user to a single IP address by reading logon events from Active Directory, or by determining the logged-in user through a NetBIOS or WMI probe, access to a network drive, or an API call from an integrated AP.
  • The TSAgent is only active on the system it is installed on and works by assigning source port ranges to logged-in users (it actively participates in the network stack), informing the firewall which source ports are used by each user.

If both agents are active in the same environment, and the hosts with the TSAgent installed are part of the same network as the regular clients, conflicts may occur. Most commonly, a double mapping is created in which both the TSAgent and the UIDAgent hold a user mapping for a single IP address.

[Image: 2016-07-27_10-57-57.jpg]

> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.192.16.98    vsys1  UIA     pantac\administrator             3590           3590         

> show user ip-port-user-mapping all

Global max host index 1, host hash count 1

TS-Agent 10.192.16.98
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
20000-20199: pantac\eng
20200-20399: pantac\tpiens

This overlap, in most cases, is harmless: typically the logged-in users will be assigned a source port by the TSAgent and be identified as such by the firewall, while service accounts could be triggering UIDAgent login events -- picked up from the AD security log -- generating a UID entry in the ip-user-mapping. Any outgoing connections from such service accounts would be identified by the ip-user-mapping instead of the ip-port-mapping.
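The double mapping described above can be spotted mechanically by parsing the two CLI listings and reporting any IP that appears in both. The following Python script is an added example, not part of the original article or a Palo Alto Networks tool; its sample output is constructed to mirror the listings shown above (the second UIA row is invented to show a host with no conflict), and the hosts it reports are the terminal servers to consider for the UID agent's Exclude list.

```python
import re

# Constructed sample output mirroring the article's two CLI listings (not captured
# from a real firewall); the second UIA row is added to show a non-conflicting host.
IP_USER_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.192.16.98    vsys1  UIA     pantac\\administrator             3590           3590
10.192.16.50    vsys1  UIA     pantac\\jdoe                      3590           3590
"""
IP_PORT_OUTPUT = """\
Global max host index 1, host hash count 1

TS-Agent 10.192.16.98
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
20000-20199: pantac\\eng
20200-20399: pantac\\tpiens
"""

def parse_ip_user(text):
    """Return {ip: (source, user)} from 'show user ip-user-mapping all'."""
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a dotted IPv4 address; header and separator rows do not.
        if len(parts) >= 4 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            mappings[parts[0]] = (parts[2], parts[3])
    return mappings

def parse_ip_port_user(text):
    """Return {ts_agent_ip: {port_block: user}} from 'show user ip-port-user-mapping all'."""
    agents, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"TS-Agent (\S+)", line):
            current = agents.setdefault(m.group(1), {})   # new TS Agent host section
        elif (m := re.match(r"(\d+-\d+): (\S+)", line)) and current is not None:
            current[m.group(1)] = m.group(2)              # port block -> user
    return agents

def find_double_mappings(ip_user_text, ip_port_text):
    """IPs that carry both an ip-user-mapping and a TS Agent port-block mapping.
    These are the terminal-server hosts to consider for the UID agent's Exclude list."""
    ip_user = parse_ip_user(ip_user_text)
    ts_hosts = parse_ip_port_user(ip_port_text)
    return sorted((ip, ip_user[ip][1], sorted(set(ts_hosts[ip].values())))
                  for ip in ip_user if ip in ts_hosts)
```

On the sample data this reports 10.192.16.98 with the UIA user pantac\administrator alongside the TS Agent users pantac\eng and pantac\tpiens, while 10.192.16.50 is not reported.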

In some scenarios it may be undesirable to allow ip-user-mapping to occur for a terminal server at all, as this mapping can be triggered by several processes and is hard to control (for example, mapping a drive to a server that has a UID agent installed, or performing remote tasks under different usernames), especially in a mixed environment where users with very different privilege levels access the same terminal server.

From a security best-practices perspective, it is recommended to exclude the terminal servers from the UIDAgent's discovery. This prevents any regular ip-user-mapping from occurring for the IPs associated with the terminal server farm, and so prevents a service account's activity from accidentally being attributed to a known user who happened to perform a task that elicited identification by the UIDAgent:

[Image: 2016-07-27_12-25-33.jpg]

NOTE: If you add Exclude profiles without adding any Include profiles, the User-ID agent excludes all subnetworks, not just the ones you added.

Alternatively, or in addition, users can be added to the ignore user list to prevent them from being mapped by the UIDAgent altogether:

[Image: 2016-07-27_14-36-01.jpg]

How to Add/Delete Users from Ignore User List using Agentless User-ID

How to Ignore Users in User-ID Agent