FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bmeta
Staff
Staff
Article Id 198065

Description

 

This article explains how to restrict a Fortinet Single Sign On Agent Service account. That would go into best practices for security hardening.

 

Note:

The term FSAE that is listed here which stands for 'Fortinet Server Authentication Extension' and is the same as the Collector Agent or FSSO.

 

Scope

 

FortiGate with the Fortinet Single Sign On Agent (also known as the 'Collector Agent'). 


Solution

 

The Collector Agent uses its service Fortinet Single Sign On Agent Service (FSSO Agent Service) account privileges for most of its tasks.

 

That is why it is important that these services run with least priviliges, but still properly configured permissions, or to understand the limitations it may bring when it is not set properly.

 

FSSO itself supports several features and modes in order to be flexible to a variety of Microsoft Active Directory (AD) implementations. Each of its operations modes (for example: DCAgent mode, WinSec polling, even polling by the FortiGate integrated poller, etc.) and/or features may require different levels of privileges.

 

In order to simplify configuration, Fortinet Single Sign On Agent Service is suggested to run with privileges of a domain admin account. It will assure that whatever mode or feature is selected it will have enough permissions to complete its own task.

 

However, in some cases and scenario such access may not be allowed or there are security concerns about using this account.

 

This article explains when and what permissions are needed, permission workarounds for some modes and which feature may need to be turned off, where there is not enough access level.
In the examples below, an account called 'fsso-svc' is used.

 

Stephen_G_0-1681313936119.png

 

These tests are based on default group privileges for AD based on Windows Server 2012, which could vary from other environments, where additional adjustments may be required.

Permission required during installation/uninstall/upgrade:

Collector Agent is required to be installed on a domain member host with a Windows OS. It is not required to be a Domain Controller (DC). For the supported Windows OS version please refer to the release notes of each release. FSSO Agent notes are included in the FortiOS release notes section.

Collector agent installation needs to run with an account that is a member of the local administrators or domain administrators. The permissions are required for creating local registries, libraries, local folders, logs, etc.


It is a temporary requirement, however it is needed in order for the installation to complete properly.

After installation is completed the permissions could be reduced or changed with an account with a 'Domain Users' access level. However, the services account should have full access to the following registry keys and subkeys:


32bit machine:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent]

 

64bit machine:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent]

 

For example:

 

 
 

1) 4 Full Control access level is required for local FSAE folder and subfolders:


C:\Program Files (x86)\Fortinet\FSAE

 

For example:

 
 

Note:

After upgrading the Collector Agent, steps 1.3-1.4 have to be reapplied. The following steps 2 and 3 are only valid for the DC Agent mode.
If event log polling is being used instead, these may be skipped.

 

2) Install/uninstall/upgrade DCAgent module:

 

It is necessary to install the DCAgent module on all DCs that are in use or will be used for picking up user logons for use with FSSO.

 

DCAgent installation from or via the Collector Agent is an optional feature, and it requires Collector Agent services to run with an account with domain administrator's permissions. It needs to connect to remote DCs to add/modify registry entries and copy DLL file(s) to the Windows system directory.

This requirement could be avoided by manually installing DCAgent application on each of DCs. See next step.

Manual installation of DCAgent can be started with the DCAgent_Setup at the DC in question.

 

For example:

DCAgent_Setup_5.0.0295.exe // executable installation file for 32bit architecture
DCAgent_Setup_5.0.0295.msi // MSI package for 32bit architecture
DCAgent_Setup_5.0.0295_x64.exe // executable installation file for 64bit architecture
DCAgent_Setup_5.0.0295_x64.msi // MSI package for 64bit architecture

 

Note:

After the collector agent upgrade, the DCAgent has to be manually upgraded.
An upgrade of the DCAgent will require a reboot as the DCAgent core component is a DLL (“dcagent.dll”) hooked into the system32.

 

For more information about upgrade instructions:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Upgrading-FSSO-Agents/ta-p/191906


Note:

The manual installation needs to run with privileges of an account member of Local Administrators or Domain Administrators.


3) Limitations when the Collector Agent using limited access permissions in DCAgent operation mode:

- Collector Agent will not able to check the DCAgent status, thus it is expected to show a '?' next to DCAgent under 'DC Agent Status"\Select DC to Monitor'.

- All DCAgent registry changes like the ignore list have to be updated manually on each DC (for example: [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list]).

This will not prevent DCAgent from sending login events to the Collector Agent.

 

4) A primary function (common for all operation modes) is the access to the AD and to poll users' group membership. In these example lab tests the default 'Domain Users' group has such privileges.

 

5) Permission restriction in Collector agent with WinSec and WMI modes:

 

In these modes, Collector Agent needs to be able to log in to the DC and poll event logs. It requires the services account to be a member of 'Event Log Reader'.

 

For example:

 
 

6) 'Event Log Reader' is also required when a FortiGate is configured in polling mode.


7) Additional restriction in Collector agent configuration.

 

It is a best practice to include the Collector Agent service account under the 'Ignore User List'. This is a domain account, but it is not expected that users will use this account.
It also does not require internet access and login events could be ignored.



For example:

 

 

8) Additional AD restrictions to collector service agent account.


The collector agent service account could also additionally be restricted by adding it to Deny Logon Locally.

This is a services account, and it is not expected to be used by users for login.


For example:

 

 

Additional info about this Microsoft option is available on MSDN:


https://learn.microsoft.com/en-us/previous-versions/ms813948(v=msdn.10)

https://learn.microsoft.com/en-us/previous-versions/ms813948(v=msdn.10)

 

9) WMI workstation test will not work without a domain admin account, or will not work if the account is not an admin on all workstations.

 

For workstation checking, the user account must be an admin on all workstations the Collector Agent is checking. By default, this will be the domain admin. If the domain admin account cannot be used, the account used must be a local admin on all workstations.

 

The account also needs to be part of the local groups on the remote machine:

- Performance Log Users -> without this group the Collector agent can't read the IP address of the machine.

- Remote Desktop Users --> without this group, the user will erroneously show as no longer being logged on. This is also required for an RDP session.

 

View the following Microsoft article for more information about WMI on a remote computer:

 

https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-on-a-remote-computer

 

By the end of this article, it will be clear what is necessary for remote access through WMI. An admin account is required. Due to User Account Control, the account on the remote system must be a domain account in the Administrators group. For more information, see User Account Control and WMI.

If WMI access is not set properly, workstations in the Collector Agent will not be verified.

 

Note:

During the troubleshooting of FSSO issues, a TAC support engineer may ask to try a domain admin/system account instead of the currently used limited access account.

This is an expected step in order to test if the issue is related to the granted permission level.

 

Troubleshooting notes

 

If a service account is restricted too much, certain behaviors might be observed:

 

- Collector Agent log does not update anymore or isn't even created.

- Various registry error message.

- Severe limitation on the Collector Agent side.

- Running the command diag debug app auth -1 may return messages such as the following:


Server challenge:

7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06

MD5 response:

1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f

_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting

- Connectivity on the FortiGate side is limited. While this is working and a telnet to the Collector Agent to port 8000 may work (FSAE connected), the FortiGate fails to connect and displays the icon as red.

While this normally indicates a problem with the password, but may also be resolved by changing the service account.

 

Related articles:

- Technical Tip: Upgrading FSSO Agents

- Technical Tip: Windows event IDs used by FSSO in WinSec polling mode

- Technical Note: How to enable audit of logon events on Windows Server for FSSO