FortiGate
Article Id 198065

Description

 

This article explains how to restrict the account used by the Fortinet Single Sign On Agent Service. This falls under best practices for security hardening.

 

Note:

The term FSAE used here stands for 'Fortinet Server Authentication Extension' and refers to the same component as the Collector Agent or FSSO Agent.

 

Scope

 

FortiGate with the Fortinet Single Sign On Agent (also known as the 'Collector Agent'). 


Solution

 

The Collector Agent performs most of its tasks with the privileges of the account that its service, the Fortinet Single Sign On Agent Service (FSSO Agent Service), runs as.

 

That is why the service should run with the least privileges that are still sufficient for the configured features, and why it is important to understand the limitations that follow when the account is more restricted than the configuration requires.

 

FSSO supports several features and operation modes so that it can fit a variety of Microsoft Active Directory (AD) implementations. Each operation mode (for example DCAgent mode, WinSec polling, or polling by the FortiGate's integrated poller) and each feature may require a different level of privilege.

 

To simplify configuration, Fortinet suggests running the Fortinet Single Sign On Agent Service with the privileges of a domain admin account. This guarantees that whichever mode or feature is selected, the service has enough permissions to complete its tasks.

 

However, in some environments such access is not allowed, or there are security concerns about using an account with that much privilege.

 

This article explains when and what permissions are needed, permission workarounds for some modes, and which features may need to be turned off where the required access level is not available.
In the examples below, an account called 'fsso-svc' is used.

 


 

These tests are based on the default group privileges of an AD domain on Windows Server 2012; other environments may differ and require additional adjustments.

Permission required during installation/uninstall/upgrade:

The Collector Agent must be installed on a domain member host running Windows. The host is not required to be a Domain Controller (DC). For the supported Windows versions, refer to the release notes of each release; FSSO Agent notes are included in the FortiOS release notes.

The Collector Agent installation must run under an account that is a member of the local Administrators group or of Domain Admins. These permissions are needed to create local registry keys, libraries, local folders, logs, etc.


This is a temporary requirement, but it must be met for the installation to complete properly.

After the installation completes, the service can be switched to a less privileged account, for example one that is only a member of 'Domain Users'. That service account must, however, have Full Control on the following registry key and its subkeys:


32bit machine:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent]

 

64bit machine:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent]

 

  1. Full Control is also required on the local FSAE folder and its subfolders:


C:\Program Files (x86)\Fortinet\FSAE

 

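The registry key and folder permissions above can be granted and verified with the following PowerShell, added here as an example and not taken from the Fortinet article or the Collector Agent itself. It assumes the service account is EXAMPLE\fsso-svc (replace EXAMPLE with the NetBIOS domain name), the default installation path, and an elevated PowerShell on the Collector Agent host.

```powershell
# Added example (not from the Fortinet article): grant the Collector Agent
# service account Full Control on the FSAE registry key and program folder.
# Assumptions: account EXAMPLE\fsso-svc, default installation path.
# Run in an elevated PowerShell on the Collector Agent host.

$Account = 'EXAMPLE\fsso-svc'

# 64-bit hosts keep the 32-bit agent's settings under Wow6432Node,
# 32-bit hosts directly under SOFTWARE; pick whichever exists here.
$RegCandidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent',
    'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
)
$RegKey = $RegCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $RegKey) { throw 'FSAE collectoragent registry key not found; is the Collector Agent installed?' }

$Folder = Join-Path ${env:ProgramFiles(x86)} 'Fortinet\FSAE'
if (-not (Test-Path $Folder)) { $Folder = Join-Path $env:ProgramFiles 'Fortinet\FSAE' }

# Registry: Full Control on the key, inherited by existing and future subkeys.
$acl  = Get-Acl -Path $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# Folder: Full Control on the folder, its subfolders and files.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: show the ACEs that now apply to the service account on both objects.
foreach ($path in $RegKey, $Folder) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $path } },
                      IdentityReference,
                      @{ n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } },
                      InheritanceFlags, AccessControlType
}
```

Because the service keeps its handles open, restart the Fortinet Single Sign On Agent Service (or reboot the host, as the note below describes) after changing the ACLs so that the new permissions apply to the running process.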

Note:

The error NT_STATUS_ACCESS_DENIED (0x80041003) may still appear in the event viewer after Full Control on the registry keys above has been granted to the FSSO service account. This happens because the change only takes effect after a reboot of the host running the Collector Agent (the Domain Controller in this example).

 

Note:

After upgrading the Collector Agent, step 1 has to be reapplied. Steps 2 and 3 below apply only to DCAgent mode; if event log polling is used instead, they may be skipped.

 

  2. Install/uninstall/upgrade the DCAgent module (optional):

The DCAgent may be beneficial when the user count is high, for example several thousand users. Note that installing and upgrading the DCAgent requires a reboot of the DC, so it may be preferable to use the regular polling mode and not install DCAgents at all.

The functionality is the same, but DCAgents are more efficient at the cost of more maintenance. If a reboot of the DC is not possible, the DCAgent should not be considered.

 

If the DCAgent is required for the use case, the DCAgent module must be installed on every DC that is, or will be, used to pick up user logons for FSSO.

 

Installing the DCAgent from the Collector Agent is an optional feature and requires the Collector Agent service to run under an account with domain administrator permissions, because it must connect to the remote DCs to add/modify registry entries and copy DLL file(s) into the Windows system directory.

This requirement can be avoided by manually installing the DCAgent on each DC, as described next.

A manual installation is started by running the DCAgent_Setup package on the DC in question.

 

For example:

DCAgent_Setup_5.0.0314.exe      // executable installer for 32-bit architecture
DCAgent_Setup_5.0.0314.msi      // MSI package for 32-bit architecture
DCAgent_Setup_5.0.0314_x64.exe  // executable installer for 64-bit architecture
DCAgent_Setup_5.0.0314_x64.msi  // MSI package for 64-bit architecture

 

Note:

After a Collector Agent upgrade, the DCAgent has to be upgraded manually.
A DCAgent upgrade requires a reboot, because the DCAgent core component is a DLL ('dcagent.dll') installed in the System32 directory and loaded by the system.

 

For more information about upgrade instructions:

Technical Tip: Upgrading FSSO Agents


Note:

The manual installation must run with the privileges of an account that is a member of the local Administrators group or of Domain Admins.

 

  3. Limitations when the Collector Agent runs with limited permissions in DCAgent operation mode:
  • The Collector Agent cannot check the DCAgent status, so a '?' is shown next to the DCAgent under 'DC Agent Status' -> 'Select DC to Monitor'.
  • All DCAgent registry changes, such as the ignore list, have to be applied manually on each DC (for example: [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list]).

This does not prevent the DCAgent from sending logon events to the Collector Agent.

 

  4. A primary function, common to all operation modes, is access to AD to poll users' group memberships. In these lab tests the default 'Domain Users' group already has the privileges required for this.
  5. Permission restriction for the Collector Agent in WinSec and WMI modes:

In these modes the Collector Agent must log on to the DC and poll its event logs. This requires the service account to be a member of the built-in 'Event Log Readers' group.

 

  6. Membership of 'Event Log Readers' is also required when the FortiGate itself is configured in polling mode. If the account is not a member of that group, error messages such as the following may appear (e=1314 is the Win32 error ERROR_PRIVILEGE_NOT_HELD, 'A required privilege is not held by the client'):

 

02/21/2024 12:48:48 [ 6576] [E][EPPoller]Could not open the event log on:DCserver.domain.local (e=1314)
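The following PowerShell, added as an example and not part of the Fortinet article, adds the service account to 'Event Log Readers' and then reproduces the check that fails with e=1314: opening a DC's Security log as that account. It assumes the account EXAMPLE\fsso-svc, a DC named dc01.example.local, the ActiveDirectory module (RSAT) on the host it runs on, and domain admin rights for the group change.

```powershell
# Added example (not from the Fortinet article): grant Security log read access
# for WinSec/WMI polling and verify it from the Collector Agent host.
# Assumptions: account EXAMPLE\fsso-svc, DC dc01.example.local, RSAT installed.

Import-Module ActiveDirectory

$Domain = 'EXAMPLE'
$Sam    = 'fsso-svc'
$Dc     = 'dc01.example.local'

# Built-in domain group. The new membership is only in tokens created after the
# change, so restart the FSSO service once the account has been added.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Sam

# Confirm the membership (the group lives in the Builtin container).
Get-ADGroupMember -Identity 'Event Log Readers' |
    Where-Object { $_.SamAccountName -eq $Sam } |
    Select-Object SamAccountName, distinguishedName

# Read the most recent logon event (4624) from the DC's Security log as the
# service account. Without 'Event Log Readers' this throws an unauthorized
# operation error, the same condition the agent logs as e=1314.
$cred = Get-Credential -UserName "$Domain\$Sam" -Message 'FSSO service account password'
try {
    $ev = Get-WinEvent -ComputerName $Dc -Credential $cred -MaxEvents 1 `
              -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop
    'OK: read event {0} from {1} at {2}' -f $ev.Id, $Dc, $ev.TimeCreated
} catch {
    'FAILED to read the Security log on {0}: {1}' -f $Dc, $_.Exception.Message
}
```

If the read succeeds here but the agent still logs e=1314, the service process is most likely still running with a token created before the group change; restart the Fortinet Single Sign On Agent Service.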

 

  7. Additional restriction in the Collector Agent configuration.

 

It is a best practice to add the Collector Agent service account to the 'Ignore User List'. It is a domain account, but no person is expected to log on with it, and it needs no internet access through the FortiGate, so its logon events can safely be ignored.



  8. Additional AD restrictions on the Collector Agent service account.


The Collector Agent service account can be restricted further by adding it to the 'Deny log on locally' user right.

It is a service account and is not expected to be used for interactive logon. Make sure it keeps the 'Log on as a service' right, otherwise the FSSO service can no longer start under it.



More information about this Microsoft option is available in the Microsoft documentation:

Microsoft documentation: Log on as a service
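Windows has no cmdlet for user rights assignments, so the restriction above is applied here with secedit. The script is an added example, not from the Fortinet article; it assumes the account EXAMPLE\fsso-svc and an elevated PowerShell on the Collector Agent host. On a domain-joined host, a GPO that defines the same right overrides the local setting, so in that case put the same entries into the applicable GPO instead.

```powershell
# Added example (not from the Fortinet article): deny the service account
# interactive logon while keeping 'Log on as a service', via secedit.
# Assumptions: account EXAMPLE\fsso-svc, elevated PowerShell on the agent host,
# no GPO overriding these two rights on this host.

$Account = 'EXAMPLE\fsso-svc'
$Sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$Work = Join-Path $env:TEMP 'fsso-rights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Cfg  = Join-Path $Work 'secpol.inf'
$Db   = Join-Path $Work 'secpol.sdb'

# Export only the user rights area of the local security policy.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $Cfg

function Add-ToRight([string[]]$Lines, [string]$Right, [string]$Sid) {
    # Rights are stored as 'SeRight = *S-1-...,*S-1-...'; SIDs carry a '*' prefix.
    $found = $false
    $out = foreach ($l in $Lines) {
        if ($l -match "^$Right\s*=") {
            $found = $true
            if ($l -notmatch [regex]::Escape("*$Sid")) { $l = $l.TrimEnd() + ",*$Sid" }
        }
        $l
    }
    if (-not $found) {
        # Right not defined locally yet: add it under the [Privilege Rights] section.
        $out = $out -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`n$Right = *$Sid"
    }
    $out
}

$lines = Add-ToRight $lines 'SeDenyInteractiveLogonRight' $Sid   # Deny log on locally
$lines = Add-ToRight $lines 'SeServiceLogonRight'         $Sid   # Log on as a service
Set-Content -Path $Cfg -Value $lines -Encoding Unicode

# Apply the edited template to the local policy.
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS | Out-Null

# Verify by exporting again and showing the two rights.
secedit /export /cfg "$Work\verify.inf" /areas USER_RIGHTS | Out-Null
Get-Content "$Work\verify.inf" | Select-String 'SeDenyInteractiveLogonRight|SeServiceLogonRight'
```

The 'Log on as a service' right is normally granted automatically when the account is set on the service's Log On tab, but it is lost if a policy later redefines the right without the account, which is why the script adds it explicitly.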

 

  9. The WMI workstation check does not work unless the service account is an administrator on every workstation the Collector Agent checks. By default that is the case for a domain admin account. If a domain admin account cannot be used, the account must be a local administrator on all of those workstations.

 

The account also needs to be a member of the following local groups on the remote machine:

  • Performance Log Users -> without this membership, the Collector Agent cannot read the IP address of the machine.

  • Remote Desktop Users -> without this membership, the user is wrongly reported as no longer logged on. This membership is also required for RDP sessions.

 

View the following Microsoft article for more information about WMI on a remote computer:

Microsoft documentation: Connecting to WMI on a Remote Computer

 

That article spells out what is necessary for remote access through WMI: an administrator account is required, and because of User Account Control the account on the remote system must be a domain account in the local Administrators group. For more information, see 'User Account Control and WMI' in the Microsoft documentation.

If WMI access is not set properly, workstations in the Collector Agent will not be verified.
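The following PowerShell, added as an example and not part of the Fortinet article, does two things: on a workstation it puts the service account into the three local groups listed above, and from the Collector Agent host it probes the workstation over classic WMI (DCOM) as that account, reading the logged-on user and the IPv4 address the way the check needs them. It assumes the account EXAMPLE\fsso-svc and a workstation ws01.example.local.

```powershell
# Added example (not from the Fortinet article): prepare a workstation for the
# WMI check and verify it from the Collector Agent host.
# Assumptions: account EXAMPLE\fsso-svc, workstation ws01.example.local.

$Account = 'EXAMPLE\fsso-svc'

# --- run on each workstation (elevated), or push the same via GPO Restricted Groups ---
foreach ($grp in 'Administrators', 'Performance Log Users', 'Remote Desktop Users') {
    if (-not (Get-LocalGroupMember -Group $grp -Member $Account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $grp -Member $Account
    }
    '{0,-22} contains {1}' -f $grp, $Account
}

# --- run on the Collector Agent host: does WMI answer for the service account? ---
function Test-FssoWorkstation {
    param([string]$Computer, [pscredential]$Credential)
    $opt = New-CimSessionOption -Protocol Dcom   # classic WMI over DCOM/RPC, not WinRM
    $s = $null
    try {
        $s  = New-CimSession -ComputerName $Computer -Credential $Credential -SessionOption $opt -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem -ErrorAction Stop
        $ip = Get-CimInstance -CimSession $s -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                  ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
        [pscustomobject]@{ Computer = $Computer; Reachable = $true;  LoggedOnUser = $cs.UserName; IPv4 = ($ip -join ','); Error = $null }
    } catch {
        # Access denied here means the account is not a local admin on the target.
        [pscustomobject]@{ Computer = $Computer; Reachable = $false; LoggedOnUser = $null; IPv4 = $null; Error = $_.Exception.Message }
    } finally {
        if ($s) { Remove-CimSession $s }
    }
}

$cred = Get-Credential -UserName $Account -Message 'FSSO service account password'
Test-FssoWorkstation -Computer 'ws01.example.local' -Credential $cred
```

A result with Reachable = $true but an empty LoggedOnUser means WMI is permitted but nobody is interactively logged on to that workstation; Reachable = $false with an access denied error points at the missing local Administrators membership.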

 

Note:

Some settings require a restart of the Collector Agent service (for example editing the thread count under Collector Agent -> Advanced Settings; the Collector Agent auto-restarts the service after selecting OK). Such changes require an administrator account. It is therefore advisable to finish editing the settings with an administrator account first and restrict the privileges afterwards.

 

Note:
During troubleshooting of FSSO issues, a TAC support engineer may ask to try a domain admin or SYSTEM account instead of the currently used limited account.

This is an expected step to test whether the issue is related to the granted permission level.

 

Troubleshooting notes

If a service account is restricted too much, certain behaviors might be observed:

 

  • The Collector Agent log (in the installation directory of the Collector Agent) is no longer updated or is not created at all.

  • Various registry error messages.

  • Severe functional limitations on the Collector Agent side.

  • Running diagnose debug application authd -1 on the FortiGate may return messages such as the following:


Server challenge:

7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06

MD5 response:

1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f

_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting

  • Connectivity from the FortiGate side is limited: a telnet to the Collector Agent on port 8000 still works (FSAE connected), but the FortiGate fails to authenticate and shows the connector icon as red. This normally indicates a wrong password, but it can also be resolved by changing the service account.
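The symptoms above can be checked quickly on the Collector Agent host with the following PowerShell, added as an example and not part of the Fortinet article. It assumes the service display name 'Fortinet Single Sign On Agent Service', the default installation folder, that the FortiGate connects on TCP 8000, and that the service runs under a DOMAIN\user style account; the log file name is matched with a wildcard because it is not fixed here.

```powershell
# Added example (not from the Fortinet article): first checks on the Collector
# Agent host when a too restrictive service account is suspected.
# Assumptions: default install folder, service display name as below, TCP 8000,
# service account in DOMAIN\user form.

$Folder = Join-Path ${env:ProgramFiles(x86)} 'Fortinet\FSAE'
if (-not (Test-Path $Folder)) { $Folder = Join-Path $env:ProgramFiles 'Fortinet\FSAE' }

# 1. Which account does the service actually run as, and is it running?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Fortinet Single Sign On Agent Service'"
if (-not $svc) { throw 'FSSO Agent service not found on this host' }
$svc | Select-Object Name, State, StartName

# 2. Does that account hold an Allow/FullControl ACE on the agent key and folder?
$RegKey = 'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent'
if (-not (Test-Path $RegKey)) { $RegKey = 'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent' }
foreach ($p in $RegKey, $Folder) {
    $full = (Get-Acl -Path $p).Access | Where-Object {
        $_.IdentityReference -eq $svc.StartName -and
        $_.AccessControlType -eq 'Allow' -and
        ("$($_.RegistryRights)$($_.FileSystemRights)" -match 'FullControl')
    }
    '{0,-66} FullControl for {1}: {2}' -f $p, $svc.StartName, [bool]$full
}

# 3. Is the log still being written? A stale or missing log means the account
#    can no longer write into the installation folder.
$log = Get-ChildItem -Path $Folder -Filter '*.log' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) { '{0} last written {1}' -f $log.Name, $log.LastWriteTime }
else      { 'no .log file found in ' + $Folder }

# 4. Is TCP 8000 accepting connections for the FortiGate? (The FortiGate side
#    must still authenticate; a successful TCP test alone does not prove that.)
Test-NetConnection -ComputerName localhost -Port 8000 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If check 4 succeeds while the FortiGate still shows the connector red, the failure is in the password or in the permissions of the account reported by check 1, not in network reachability.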

 

Related articles:

Technical Tip: Upgrading FSSO Agents

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode

Technical Note: How to enable audit of logon events on Windows Server for FSSO