PDQ Scan User Causing Firewall Issues

Comments

9 comments

  • Luke Nichols

    Kristopher,

    What do you mean when you say that your PDQ Scan Service Account is an AD Admin user? Do you mean it has domain admin privileges?

    Is your PDQ Inventory service account an actual AD managed service account (or group managed service account) or do you just mean it is running the service?

    What firewall are you using that is reporting PDQ as the logged on user?

    1
  • Kristopher Boddie

    We currently use Palo Alto for our firewall. The service account is a part of our Domain Admins group in AD.

    2
  • Luke Nichols

    Oof, ok. Regardless of what your issue is, I would definitely not recommend running a domain administrator as your PDQ service account. The only permissions the account needs are admin rights on the workstations and on the PDQ server, as well as read access to your package repository if you're using Deploy as well.

    Domain Administrators implicitly have a ton of rights that your account absolutely doesn't need for your use case. It sounds like your issue is with wanting to restrict rights to your service account, but that won't be easy so long as it's a domain administrator.

    I would recommend creating a new group for your PDQ service account and giving that group admin rights on your workstations (and servers, if they are in PDQ Inventory) as well as admin rights on your PDQ server. It doesn't need anything more than that if you are just doing Inventory. You could then remove the right of the service account to log into those machines and only allow them to run batch jobs or run as a service. I'm not sure if you could do the same with the account as-is because, as I said, domain admins get a ton of permissions implicitly.

    2
  • Glen Thompson

    Hi Kristopher,

    You are not alone and we have the same issue. We have PDQ deployed across 4 continents and due to this issue are starting to look at other options for deployment software unless we can get quick resolution.

    We have spent a bit of time investigating and tracked the issue to the Windows 10 build - with 1809 and before there were no issues and the Scanning user (service account) would run the scan and then the profile was unloaded. Barely there and not a problem.

    With Windows 10 version 1903 and upwards, after running a scan the user profile is still loaded and this is where the internet fabric breaks for us. You can see the issue by running the following against a 1809 and 1903 machine:

    • Get-WmiObject -Class Win32_UserProfile -Computer <insert endpoint name here> | Select LocalPath, Loaded

    On the 1809 machine the service account will briefly load during the scan to start the PDQInventory-scanner-1.exe and PDQInventoryScanner.exe processes and then unload the profile. With 1903 and beyond the profile will continue to stay loaded and therefore effectively logged on which is what the firewall picks up on. Looking in TaskManager will reveal there are no running processes for this account and no way to unload it.

    Nothing apart from a restart will resolve this, and we even have some machines (read 700+) that after a restart still have the service account profile loaded.

    This is causing us no end of issues and actually disrupted one of our countries recently for several hours.

    I've logged a support call with PDQ however am not 100% sure I'm explaining myself properly nor the impact this is causing. We could (don't want to but could) allow the service account internet access however with many internet profiles for users we are stuck either with being restrictive or not - either way we are in trouble. Add to this, an administrator ran a scan using their credentials so we now have two accounts loaded on the endpoints with no way to unload them - this could be nasty when the password expires :(

    Don't get me wrong - love PDQ and suspect this is actually a Microsoft issue; however, since a third-party application is causing the issue, I think it needs to be escalated this way.

    Would be great if others could confirm they are seeing the same behavior and validate what we think is the issue, i.e. Windows 10 v1903 has changed something.

    NOTE: In our case the service account is not in Domain Admins and agree that Domain Admins is not a great place for a service account :)

    Kind regards

    1
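    As an added example (not code from this thread, from PDQ or from Palo Alto), the PowerShell script below extends Glen's Win32_UserProfile check into a fleet report: for each endpoint it resolves every loaded, non-special profile SID to an account, matches the scan service account, and counts processes that account still owns, so a profile that is loaded with zero processes behind it (the 1903+ symptom) is flagged as Stale. The endpoint names and EXAMPLE\svc.pdq are placeholders; it assumes WinRM (CIM) access to the endpoints and that the SID resolves from the querying host.

```powershell
# Added example, not from the thread: find endpoints where the PDQ scan
# service account's profile stays loaded after a scan. Names are placeholders.
param(
    [string[]]$ComputerName = @('PC-1809-TEST', 'PC-1903-TEST'),  # placeholder endpoints
    [string]$ServiceAccount = 'EXAMPLE\svc.pdq'                    # assumed NETBIOS\sAMAccountName
)

foreach ($computer in $ComputerName) {
    try {
        # Loaded = $true means the profile hive is still mapped, which is what
        # the firewall's User-ID mapping interprets as an active logon.
        $profiles = Get-CimInstance -ClassName Win32_UserProfile -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.Loaded -and -not $_.Special }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }

    foreach ($p in $profiles) {
        # Resolve the profile SID to DOMAIN\user; fall back to the raw SID if it no longer resolves.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $account = $p.SID }

        if ($account -ne $ServiceAccount) { continue }

        # Count processes still owned by the account. Zero means a loaded profile
        # with nothing running under it: "logged on" as far as the firewall is concerned.
        $procCount = @(Get-CimInstance -ClassName Win32_Process -ComputerName $computer |
            ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName GetOwner } |
            Where-Object { "$($_.Domain)\$($_.User)" -eq $ServiceAccount }).Count

        [pscustomobject]@{
            ComputerName = $computer
            Account      = $account
            LocalPath    = $p.LocalPath
            LastUseTime  = $p.LastUseTime
            Processes    = $procCount
            Stale        = ($procCount -eq 0)
        }
    }
}
```

    Rows with Stale = True are the machines Glen describes; comparing the list before and after a scan on a 1809 and a 1903 endpoint reproduces the difference he observed.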
  • Kristopher Boddie

    Hi Glen,

    Was your team able to find a solution or work-around for this issue?

    0
  • Glen Thompson

    Hi Kristopher,

    Yes and no :)

    It appears during a scan that a temporary service is created and Windows 10 has changed the behaviour meaning the account used to run the service stays logged in even after the service is removed.

    The apparent resolution is to exclude the service account from scanning on the PA (as documented here: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/user-id-agent-setup/user-id-agent-setup-ignore-user-list.html). This is where the yes/no comes in.

    In one of our regional domains they have tried this and the inventory user is still picked up. I’m unsure if the PA is not obeying the exclusion rule or if it’s something else.

    Either way try the exclusion and if you could let me know if that works for your environment. If it does then that is the solution :)

    Cheers!

    0
  • Kristopher Boddie

    We looked into the PA exclusion, but after v7.1 of the PA, this functionality is no longer available to implement. We are on codebase 8.1.15-h3 of the PA. The latest version is currently 9.1. PDQ needs to come up with a solution to this other than adding an exception to the firewall. We weren't affected by this issue prior to Windows 10 1809 even with the PA. Businesses in certain sectors have a strict security policy which this issue violates or weakens.

    0
  • Glen Thompson

    Hi Kristopher,

    Sorry for the really slow response but better late than never I hear.

    We are running a slightly older version than you (8.1.12) and it is working for us. It was the way that we were adding the accounts to the ignore_user_list.txt file that I was trying to check. The 9.1 documents still talk about the list as well, so I'd be surprised if it's deprecated.

    For our implementation we have a user agent running on the Domain Controllers. The ignore_user_list.txt needs to be updated on all the domain controllers running the agent. To this file we added the variations of what the service account might logon with.

    As an example, let's assume that we have the following:

    • Domain with a DNS name of example.com
    • NETBIOS domain name of EXAMPLE
    • Service account SamAccountName\Username is svc.pdq

    To the text file we added the following:

    In our case, this has the service account used for scanning being ignored by the PA and internet access continues unfettered.

    Trust this helps?

    0
