https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102946#M10221 <P>Hi,</P><P>The admins are elevating privileges when they install a new application, for example. It's not a full desktop login.</P> Mon, 23 Nov 2020 08:40:48 GMT Cesar_Santos 2020-11-23T08:40:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102364#M10217 <P>Hi Checkmates,</P><P>Let me share a quick question with you. So, what's the behaviour of the Identity Agent if a Domain Admin runs an Application as Administrator in a Windows session of a normal user? It will send an update to the Gateway with a new mapping of the IP and the user admin? In that case, the rules applied on the gateway will be far more distinct that if the user mapping remains with the normal user. Is there a way to exclude the Administrator user from the events of the Identity Agent logs and updates? I've searched the documentation, but I've found nothing about this. Can anyone share knowledge on this?</P><P>Thanks in advance.</P> Tue, 17 Nov 2020 17:16:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102364#M10217 Cesar_Santos 2020-11-17T17:16:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102669#M10218 <P>Hi Cesar,</P> <P>Are you asking about the Identity Agent or the Terminal Service (AKA MUH Agent)?</P> <P>In Identity Agent, a user must authenticate with Username/Password or via Kerberos ticket. Even if the&nbsp;<SPAN>Administrator will run an app in a Windows session of a normal user, no update will be sent to the Security Gateway,&nbsp;because the authentication was done with the normal user credentials.&nbsp;</SPAN></P> <P><SPAN>Please let me know if you have additional questions,</SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Elad Shoval </STRONG>| Team Leader, Identity Awareness, Identity Clients, R&amp;D</SPAN></P> Thu, 19 Nov 2020 14:46:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102669#M10218 Elad_Shoval 2020-11-19T14:46:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102677#M10219 <P>Hi Elad,</P><P>This is about the Identity Agent, not the MUH.</P><P>Are you sure that if I run an application in windows as administrator, the Identity Agent will just ignore that? Because we have a customer exactly wit this problem. So, basically the the end users are working properly, with the correct rules being applied, all normal. But, if a guy of the IT team run a software as administrator and uses his admin credentials, the Identity Agent running on background will pass a new IP/user mapping to the Gateway and the applied rules will be totally different. The only workaround that we know that works is to logoff and then logon again on the windows machine, which is not practical for our end users.&nbsp; &nbsp;</P><P>Any suggestion,</P><P>César Santos</P> Thu, 19 Nov 2020 15:28:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102677#M10219 Cesar_Santos 2020-11-19T15:28:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102858#M10220 <P>Are the admins elevating privileges when they run, say, the installer or are they doing a full desktop login to the same system?</P> Sun, 22 Nov 2020 01:36:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102858#M10220 PhoneBoy 2020-11-22T01:36:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102946#M10221 <P>Hi,</P><P>The admins are elevating privileges when they install a new application, for example. It's not a full desktop login.</P> Mon, 23 Nov 2020 08:40:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Agent-Run-App-as-admin/m-p/102946#M10221 Cesar_Santos 2020-11-23T08:40:48Z