Identity Agent | Run App as admin
Hi Checkmates,
Let me share a quick question with you. So, what's the behaviour of the Identity Agent if a Domain Admin runs an application as Administrator in a Windows session of a normal user? Will it send an update to the Gateway with a new mapping of the IP and the admin user? In that case, the rules applied on the gateway will be far more distinct than if the user mapping remains with the normal user. Is there a way to exclude the Administrator user from the events of the Identity Agent logs and updates? I've searched the documentation, but I've found nothing about this. Can anyone share knowledge on this?
Thanks in advance.
Hi Cesar,
Are you asking about the Identity Agent or the Terminal Service (AKA MUH Agent)?
In Identity Agent, a user must authenticate with Username/Password or via a Kerberos ticket. Even if the Administrator runs an app in a Windows session of a normal user, no update will be sent to the Security Gateway, because the authentication was done with the normal user credentials.
Please let me know if you have additional questions,
Elad Shoval | Team Leader, Identity Awareness, Identity Clients, R&D
Hi Elad,
This is about the Identity Agent, not the MUH.
Are you sure that if I run an application in Windows as administrator, the Identity Agent will just ignore that? Because we have a customer with exactly this problem. So, basically the end users are working properly, with the correct rules being applied, all normal. But if a guy from the IT team runs a piece of software as administrator and uses his admin credentials, the Identity Agent running in the background will pass a new IP/user mapping to the Gateway and the applied rules will be totally different. The only workaround that we know works is to log off and then log on again on the Windows machine, which is not practical for our end users.
Any suggestions?
César Santos
Are the admins elevating privileges when they run, say, the installer or are they doing a full desktop login to the same system?
Hi,
The admins are elevating privileges when they install a new application, for example. It's not a full desktop login.
