How To Create Service Account Windows Server

Create a Dedicated Service Account for the User-ID Agent

To use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor. Server monitoring maps users from the following Windows security log events on the monitored servers:

  • Logon Success (4624)

  • Authentication Ticket Granted (4768)

  • Service Ticket Granted (4769)

  • Ticket Granted Renewed (4770)

The required permissions for the service account depend on the user mapping methods and settings you plan to use. For example, if you are using the PAN-OS integrated User-ID agent, the service account requires Server Operator privileges to monitor user sessions. If you are using the Windows-based User-ID agent, the service account does not require Server Operator privileges to monitor user sessions. To reduce the risk of compromising the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent.

  • If you are installing the Windows-based User-ID agent on a supported Windows server, Configure a Service Account for the Windows User-ID Agent.

  • If you are using the PAN-OS integrated User-ID agent on the firewall, Configure a Service Account for the PAN-OS Integrated User-ID Agent.

User-ID provides many methods for safely collecting user mapping information. Some legacy features designed for environments that only required user mapping on Windows desktops attached to the local network require privileged service accounts. If the privileged service account is compromised, this would open up your network to attack. As a best practice, avoid using legacy features that require privileges that would pose a threat if compromised, such as client probing, NTLM authentication, and session monitoring.

Configure a Service Account for the Windows User-ID Agent

Create a dedicated Active Directory (AD) service account for the Windows User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the Windows User-ID Agent.

The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat, so that you can determine how best to identify users without compromising your overall security posture.

  1. Create an AD service account for the User-ID agent.

    You must create a service account in each domain the agent will monitor.

    1. Log in to the domain controller.

    2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.

    3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select .

    4. Enter the First Name, Last Name, and User logon name of the user and click Next.

    5. Enter the Password and Confirm Password, then click Next and Finish.
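    The same account creation done with the ActiveDirectory PowerShell module, as an added example that is not part of the Palo Alto Networks documentation. The domain example.com, the account name svc-userid and the domain controller dc01 are assumed values.

```powershell
# Added example: create the User-ID service account from PowerShell instead of
# the Active Directory Users and Computers wizard.
# Assumed values: domain example.com, account svc-userid, domain controller dc01.
Import-Module ActiveDirectory

$Domain    = 'example.com'                                    # assumed domain
$SamName   = 'svc-userid'                                     # assumed account name
$Container = 'CN=Managed Service Accounts,DC=example,DC=com'  # container used in the GUI steps
$Server    = 'dc01.example.com'                               # assumed domain controller

# Prompt for the password so it never lands in a script file or shell history.
$Password = Read-Host -Prompt "Password for $SamName" -AsSecureString

$params = @{
    Name                 = $SamName
    GivenName            = 'User-ID'              # "First Name" in the wizard
    Surname              = 'Agent'                # "Last Name" in the wizard
    SamAccountName       = $SamName               # "User logon name" in the wizard
    UserPrincipalName    = "$SamName@$Domain"
    Path                 = $Container
    AccountPassword      = $Password
    Enabled              = $true
    PasswordNeverExpires = $false                 # rotate it like any other credential
    Description          = 'Service account for the User-ID agent'
    Server               = $Server
}
New-ADUser @params

# Confirm the object exists where expected and is enabled before assigning rights.
Get-ADUser -Identity $SamName -Server $Server -Properties Description |
    Select-Object Name, SamAccountName, Enabled, DistinguishedName
```

    The "Log on as a service" right from step 2 is assigned through local or group policy and is not covered by this script.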

  2. Configure either local or group policy to allow the service account to log on as a service.

    The permission to log on as a service is only needed locally on the Windows server that is the agent host.

    • To assign permissions locally:

      1. Add User or Group to add the service account.

      2. Enter the object names to select (the service account name) in domain\username format and click OK.

    • To configure group policy if you are installing Windows User-ID agents on multiple servers, use the Group Policy Management Editor.

      1. Select for the Windows server that is the agent host.

      2. Right-click Log on as a service, then select Properties.

      3. Add User or Group to add the service account username or builtin group, then click OK twice.

        Administrators have this privilege by default.

  3. If you want to use WMI to collect user information, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.

    1. Select .

    2. Right-click and enter the service account name.

  4. If you plan to use WMI probing, enable the account to read the CIMV2 namespace and assign the required permissions on the client systems to be probed.

    Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping data from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of only Windows clients.

    Perform this task on each client system that the User-ID agent will probe for user mapping information:

    1. Right-click the Windows icon, Search for wmimgmt.msc, and launch the WMI Management Console.

    2. In the console tree, right-click WMI Control and select Properties.

    3. Select the Security tab, then select , and click the Security button.

    4. Add the name of the service account you created, Check Names to verify your entry, and click OK.

      You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.

    5. In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.

    6. Click OK twice.

    7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.

  5. If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.

    1. On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select , enter MMC.

    2. Select , then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.

    3. Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select .

    4. Add the service account, then click Check Names to validate that you have the proper object name.

    5. Click OK twice to save the settings.

    6. Confirm that the builtin Event Log Readers group lists the service account as a member.
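    The group membership from this step, followed by a check that the account can read exactly the logon events listed at the top of this page and nothing more privileged, as an added example that is not part of the Palo Alto Networks documentation. The account svc-userid in the domain example and the domain controller dc01 are assumed values.

```powershell
# Added example: add the service account to Event Log Readers, then verify as
# that account that the Security log events User-ID needs are readable.
# Assumed values: account example\svc-userid, domain controller dc01.
Import-Module ActiveDirectory

$SamName = 'svc-userid'          # assumed account name
$Server  = 'dc01.example.com'    # assumed DC whose Security log the agent reads

# Step 5 equivalent: membership in the domain's Builtin Event Log Readers group.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SamName -Server $Server

$members = Get-ADGroupMember -Identity 'Event Log Readers' -Server $Server
if ($members.SamAccountName -notcontains $SamName) {
    throw "$SamName is not a member of Event Log Readers"
}

# Verification: read the Security log over the network with the service
# account's own credentials (prompted, never hard-coded) and filter on the
# event IDs the agent uses. Remote reads need the "Remote Event Log Management"
# firewall rule enabled on the DC.
$cred   = Get-Credential -UserName "example\$SamName" -Message 'User-ID service account'
$filter = @{ LogName = 'Security'; Id = @(4624, 4768, 4769, 4770) }

try {
    $events = Get-WinEvent -ComputerName $Server -Credential $cred `
                           -FilterHashtable $filter -MaxEvents 20 -ErrorAction Stop
    # One row per event ID shows which logon event types are actually visible.
    $events | Group-Object Id | Select-Object Name, Count
}
catch {
    # "Attempted to perform an unauthorized operation" means the membership is
    # not effective yet or the account lacks read access to the Security log.
    Write-Warning "Could not read the Security log on ${Server}: $($_.Exception.Message)"
}
```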

  6. Assign account permissions to the installation folder to allow the service account to access the agent's installation folder to read the configuration and write logs.

    You only need to perform this step if the service account you configured for the User-ID agent is not either a domain administrator or a local administrator on the User-ID agent server host.

    1. From Windows Explorer, navigate to C:\Program Files (x86)\Palo Alto Networks, right-click the folder, and select Properties.

    2. On the Security tab, click Edit.

    3. Add the User-ID agent service account and Allow the Modify, Read & execute, List folder contents, Read, and Write permissions, and then click OK to save the account settings.

      If you do not want to configure individual permissions, you can Allow the Full Control permission instead.

  7. To allow the agent to make configuration changes (for example, if you select a different logging level), give the service account permissions to the User-ID agent registry sub-tree.

    1. Select and enter regedt32 and navigate to the Palo Alto Networks sub-tree in one of the following locations:

      • 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks

      • 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks

    2. Right-click the Palo Alto Networks node and select Permissions.

    3. Assign the User-ID service account Full Control and then click OK to save the setting.
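    The folder permissions from step 6 and the registry permissions from step 7 applied with the PowerShell ACL cmdlets, as an added example that is not part of the Palo Alto Networks documentation. The account example\svc-userid is an assumed value; run it elevated on the agent host.

```powershell
# Added example: grant the service account the step 6 folder rights and the
# step 7 registry rights, then list the resulting entries for review.
# Assumed value: account example\svc-userid. Run elevated on the agent host.
$Account    = 'example\svc-userid'                           # assumed domain\username
$FolderPath = 'C:\Program Files (x86)\Palo Alto Networks'    # installation folder from step 6

# Step 6: "Modify" covers Read & execute, List folder contents, Read and Write,
# which is the individual-permission set the step lists (no Full Control).
$folderAcl  = Get-Acl -Path $FolderPath
$folderRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    'Modify',
    'ContainerInherit, ObjectInherit',   # apply to the folder, subfolders and files
    'None',
    'Allow')
$folderAcl.AddAccessRule($folderRule)
Set-Acl -Path $FolderPath -AclObject $folderAcl

# Step 7: choose the sub-tree for this platform (WOW6432Node on 64-bit systems).
$RegPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks'
} else {
    'HKLM:\SOFTWARE\Palo Alto Networks'
}
$regAcl  = Get-Acl -Path $RegPath
$regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Account,
    'FullControl',
    'ContainerInherit',                  # registry keys are containers; subkeys inherit
    'None',
    'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegPath -AclObject $regAcl

# Show only the entries for the service account so the result can be reviewed;
# any other principal with new rights here would be a sign of a typo above.
foreach ($p in $FolderPath, $RegPath) {
    "== $p"
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-List IdentityReference, AccessControlType, InheritanceFlags, *Rights
}
```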

  8. Disable service account privileges that are not required.

    By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.

    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account.

    • Deny interactive logon for the User-ID service account: While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information).

      1. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click Properties.

      2. Select and add the service account name, and then click OK.

    • Deny remote access for the User-ID service account: This prevents an attacker from using the account to access your network from outside the network.

      1. Select , enter MMC, and select .

      2. Right-click the service account name, then select Properties.

      3. Select Dial-in, then Deny the Network Access Permission.
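    An audit of the least-privilege state this step describes, as an added example that is not part of the Palo Alto Networks documentation: it reads the local user-rights assignment with secedit to confirm the three deny rights, checks that the account sits in no privileged group but is in Event Log Readers, and sets the Dial-in Network Access Permission to Deny through the msNPAllowDialin attribute. The account svc-userid is an assumed value; run it elevated on the agent host.

```powershell
# Added example: audit the User-ID service account against the step 8 checks.
# Assumed value: account svc-userid. Run elevated on the agent host so that
# secedit can export the local policy.
Import-Module ActiveDirectory

$SamName  = 'svc-userid'   # assumed account name
$user     = Get-ADUser -Identity $SamName -Properties msNPAllowDialin
$sid      = $user.SID.Value
$findings = @()

# 1. Deny interactive/batch/RDP logon: export the local user-rights assignment
#    and look for the account's SID in each deny right (entries are "*<SID>").
$cfg = Join-Path $env:TEMP 'userid-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content -Path $cfg
Remove-Item -Path $cfg
$denyRights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}
foreach ($r in $denyRights.Keys) {
    $line = $rights | Where-Object { $_ -like "$r*" }
    if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) {
        $findings += "Missing: $($denyRights[$r]) for $SamName"
    }
}

# 2. No privileged group memberships; Server Operators is not needed by the
#    Windows agent, and Event Log Readers is the one membership it does need.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Server Operators', 'Account Operators', 'Backup Operators'
$groups = (Get-ADPrincipalGroupMembership -Identity $SamName).Name
foreach ($g in ($groups | Where-Object { $privileged -contains $_ })) {
    $findings += "Privileged group membership: $g"
}
if ($groups -notcontains 'Event Log Readers') {
    $findings += 'Missing required membership: Event Log Readers'
}

# 3. Deny remote access: msNPAllowDialin = $false is the Dial-in tab's
#    "Deny access" setting; an unset attribute means "control through policy".
if ($user.msNPAllowDialin -ne $false) {
    Set-ADUser -Identity $SamName -Replace @{ msNPAllowDialin = $false }
    $findings += 'Fixed: Network Access Permission set to Deny'
}

if ($findings) { $findings } else { "$SamName passes the least-privilege checks" }
```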

Configure a Service Account for the PAN-OS Integrated User-ID Agent

Create a dedicated Active Directory (AD) service account for the PAN-OS Integrated User-ID agent to access the services and hosts it will monitor to collect user mappings. You must create a service account in each domain the agent will monitor. After you enable the required permissions for the service account, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.

The following workflow details all required privileges and provides guidance for the User-ID features which require privileges that could pose a threat, so that you can determine how best to identify users without compromising your overall security posture.

  1. Create an AD service account for the User-ID agent.

    You must create a service account in each domain the agent will monitor.

    1. Log in to the domain controller.

    2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.

    3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select .

    4. Enter the First Name, Last Name, and User logon name of the user and click Next.

    5. Enter the Password and Confirm Password, then click Next and Finish.

  2. If you want to use Server Monitoring to identify users, add the service account to the Event Log Readers builtin group to allow the service account to read the security log events.

    1. On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, select , enter MMC.

    2. Select , then click OK to run the MMC and launch the Active Directory Users and Computers snap-in.

    3. Navigate to the Builtin folder for the domain, right-click the Event Log Readers group, and select .

    4. Add the service account, then click Check Names to validate that you have the proper object name.

    5. Click OK twice to save the settings.

    6. Confirm that the builtin Event Log Readers group lists the service account as a member.

  3. If you want to use WMI to collect user information, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers.

    1. Select .

    2. Right-click and enter the service account name.

  4. Enable the service account to read the CIMV2 namespace on the domain controllers you want to monitor and assign the required permissions on the client systems to be probed.

    Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of only Windows clients.

    Perform this task on each client system that the User-ID agent will probe for user mapping information:

    1. Right-click the Windows icon, Search for wmimgmt.msc, and launch the WMI Management Console.

    2. In the console tree, right-click WMI Control and select Properties.

    3. Select the Security tab, then select , and click the Security button.

    4. Add the name of the service account you created, Check Names to verify your entry, and click OK.

      You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.

    5. In the Permissions for <Username> section, Allow the Enable Account and Remote Enable permissions.

    6. Click OK twice.

    7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.

  5. (Not Recommended) To allow the agent to monitor user sessions to poll Windows servers for user mapping information, assign Server Operator privileges to the service account.

    Because this group also has privileges for shutting down and restarting servers, only assign the account to this group if monitoring user sessions is very important.

    1. Select .

    2. Right-click and add the service account name.

  6. If you want to configure NTLM authentication for Captive Portal, configure the firewall to join the domain.

    If you plan to configure NTLM authentication for Captive Portal, the firewall where you've configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object inside the computers organizational unit (ou=computers).

    For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.

    The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. As a best practice, configure Kerberos single sign-on (SSO) or SAML SSO authentication for Captive Portal instead of NTLM. Kerberos and SAML are stronger, more secure authentication methods and do not require the firewall to join the domain.

    1. Select , enter MMC, and select .

    2. Right-click the domain and select Delegate Control.

    3. Click Next, and then Add the service account name and click OK.

    4. Click Next, then Join a computer to the domain.

    5. Click Next, verify the service account information, then Finish.

  7. Disable service account privileges that are not required.

    By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.

    To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:

    • Deny interactive logon for the User-ID service account: While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information).

      1. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote Desktop Services, right-click Properties, and then select and add the service account name, then click OK.

    • Deny remote access for the User-ID service account: This prevents an attacker from using the account to access your network from outside the network.

      1. Select , enter MMC, and select .

      2. Right-click the service account name, then select Properties.

      3. Select Dial-in, then Deny the Network Access Permission.

Source: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent

Posted by: ponderinateptind.blogspot.com
