<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identity Collector and multiple accounts with different privileges on same machine in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199787#M37470</link>
    <description>&lt;P&gt;What version/JHF?&lt;BR /&gt;The log card for the drop should show the groups that were identified for that user.&lt;BR /&gt;Does the user show up in pdp monitor output?&lt;/P&gt;</description>
    <pubDate>Tue, 05 Dec 2023 18:49:37 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2023-12-05T18:49:37Z</dc:date>
    <item>
      <title>Identity Collector and multiple accounts with different privileges on same machine</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199475#M37395</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;I'm experiencing some issues with the Identity Collector and firewall rules that are dependent on that service.&lt;/P&gt;&lt;P&gt;I will try to explain the issues in the following:&lt;/P&gt;&lt;P&gt;I log on to ip 1.2.3.4 with my account Y and Identity Collector tells that to the firewall (user Y is logged on to 1.2.3.4).&lt;/P&gt;&lt;P&gt;I have a rule that says if you're a member of AD group X, it can download executables etc. My account Y is a member of that group, and can download.&lt;/P&gt;&lt;P&gt;So far so good.&lt;/P&gt;&lt;P&gt;Now I open a command prompt with my administrator account Z on the same machine with ip 1.2.3.4. The Identity Collector registers that account Z is now logged on to 1.2.3.4. If I now go and try to download an executable (e.g. a patch from somewhere) I can't because account Z is not a member of the AD group that allows download.&lt;/P&gt;&lt;P&gt;So, it seems like the Identity Collector gets confused when I use different accounts on the same ip: I have logged on to Windows on the machine with ip 1.2.3.4 and account Y, but I need to use my administrator account Z on occasion and now the Identity Collector tells the firewall that Z is logged on to 1.2.3.4.&lt;/P&gt;&lt;P&gt;I don't know if that is by design, however, it is causing some issues for me and my team.&lt;/P&gt;&lt;P&gt;Have any of you experienced something similar and have you got an idea how to fix it so to say? Is there a way to get around this issue?&lt;/P&gt;&lt;P&gt;I hope it makes sense and I'm sorry if it all sounds a bit confusing. Please ask me to elaborate if necessary.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Dec 2023 14:50:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199475#M37395</guid>
      <dc:creator>JPR</dc:creator>
      <dc:date>2023-12-01T14:50:46Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and multiple accounts with different privileges on same machine</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199480#M37398</link>
      <description>&lt;P&gt;The only way you can differentiate multiple users with different levels of access on the same IP is to deploy MUH on the relevant workstation.&lt;BR /&gt;It is otherwise not possible for the gateway to determine which user at that IP is making the connection.&lt;BR /&gt;Therefore, this is expected behavior.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Dec 2023 14:57:29 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199480#M37398</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-12-01T14:57:29Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and multiple accounts with different privileges on same machine</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199714#M37453</link>
      <description>&lt;P&gt;Okay, thanks. That's what I thought as well.&lt;/P&gt;&lt;P&gt;So, I tried marking my own computer as MUH, but now it doesn't recognize my account as being part of the allow download group.&lt;/P&gt;&lt;P&gt;The download rule is an inline rule that looks like this:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ruledl.png" style="width: 999px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23544iED2C5447BC44B92D/image-size/large?v=v2&amp;amp;px=999" role="button" title="ruledl.png" alt="ruledl.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;But now when I try to download an executable I hit the above rule (as I should), however, it gets blocked by the clean up rule (209.4) and not accepted by the 209.1 (I am a member of the AD group that allows download). Do you have any idea why that is and if I can do anything about that?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 05 Dec 2023 09:10:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199714#M37453</guid>
      <dc:creator>JPR</dc:creator>
      <dc:date>2023-12-05T09:10:26Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and multiple accounts with different privileges on same machine</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199787#M37470</link>
      <description>&lt;P&gt;What version/JHF?&lt;BR /&gt;The log card for the drop should show the groups that were identified for that user.&lt;BR /&gt;Does the user show up in pdp monitor output?&lt;/P&gt;</description>
      <pubDate>Tue, 05 Dec 2023 18:49:37 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-multiple-accounts-with-different/m-p/199787#M37470</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-12-05T18:49:37Z</dc:date>
    </item>
  </channel>
</rss>

