Description
This article explains how to restrict the Fortinet Single Sign On Agent Service account, as part of security hardening best practices.
Note:
The term FSAE used here stands for 'Fortinet Server Authentication Extension' and refers to the same component as the Collector Agent or FSSO.
Scope
FortiGate with the Fortinet Single Sign On Agent (also known as the 'Collector Agent').
Solution
The Collector Agent uses the privileges of its service account, the Fortinet Single Sign On Agent Service (FSSO Agent Service), for most of its tasks.
It is therefore important that the service runs with the least privilege that still gives it correctly configured permissions, or at least that the limitations which follow from an incomplete permission set are understood.
FSSO supports several features and modes in order to fit a variety of Microsoft Active Directory (AD) implementations. Each operating mode (for example DCAgent mode, WinSec polling, or polling by the FortiGate's integrated poller) and each feature may require a different privilege level.
To simplify configuration, Fortinet suggests running the Fortinet Single Sign On Agent Service with the privileges of a domain admin account. This ensures that whichever mode or feature is selected, the service has enough permissions to complete its tasks.
However, in some cases and scenarios such access may not be allowed, or there are security concerns about using such a highly privileged account.
This article explains when and which permissions are needed, permission workarounds for some modes, and which features may need to be turned off where the access level is insufficient.
In the examples below, an account called 'fsso-svc' is used.
These tests are based on the default group privileges of AD on Windows Server 2012. Other environments may differ and may require additional adjustments.
Permission required during installation/uninstall/upgrade:
The Collector Agent must be installed on a domain member host running Windows. It does not need to be a Domain Controller (DC). For the supported Windows OS versions, refer to the release notes of each release; FSSO Agent notes are included in the FortiOS release notes.
The Collector Agent installation must run under an account that is a member of the local Administrators or Domain Admins group. These permissions are needed to create local registry entries, libraries, local folders, logs, etc.
This is a temporary requirement, but it is needed for the installation to complete properly.
After the installation of the agent is completed, the service account can be changed to an account with 'Domain Users' access level. However, the service account must have full access to the following registry key and its subkeys:
32bit machine:
[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent]
64bit machine:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent]
The same full access is needed on the installation folder, for example:
C:\Program Files (x86)\Fortinet\FSAE
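The following PowerShell script is an added example and is not part of the Fortinet article or the Collector Agent package. It grants the service account full control on the collectoragent registry key (choosing the 32-bit or Wow6432Node key for the host) and on the installation folder, then lists the resulting access entries so the change can be verified. The domain name in 'DOMAIN\fsso-svc' is an assumption; 'fsso-svc' is the article's example account. Run it elevated on the Collector Agent host.

```powershell
# Added example (not Fortinet code): grant the FSSO service account full control on the
# collectoragent registry key (and subkeys) and on the installation folder, then verify.
$Account = 'DOMAIN\fsso-svc'   # assumed domain; 'fsso-svc' is the account name used in the article

# 32-bit hosts use the plain key, 64-bit hosts the Wow6432Node key (both paths from the article)
$RegPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent'
} else {
    'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
}
$InstallDir = 'C:\Program Files (x86)\Fortinet\FSAE'   # default installation folder from the article

function Grant-RegistryFullControl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Identity, rights, inheritance (subkeys), propagation, type
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList @($Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)      # SetAccessRule replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-FolderFullControl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit so subfolders and files (logs, DLLs) are covered too
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-RegistryFullControl -Path $RegPath    -Identity $Account
Grant-FolderFullControl   -Path $InstallDir -Identity $Account

# Verification: show only the ACEs that apply to the service account on both objects
foreach ($p in @($RegPath, $InstallDir)) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Object'; e = { $p } }, IdentityReference, AccessControlType,
                      @{ n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } },
                      IsInherited
}
```

Because the article notes that these permissions have to be reapplied after every Collector Agent upgrade, keeping this script with the change record for the host makes the reapplication repeatable; the verification loop at the end is also a quick way to confirm, after an upgrade, that the entries survived.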
Note:
After upgrading the Collector Agent, the permission changes above (step 1) have to be reapplied. The following steps 2 and 3 (installing the DCAgent) are only valid for DC Agent mode.
If event log polling is used instead, they may be skipped.
DCAgent mode may be beneficial when the user count is high, for example several thousand users. Note that installing or upgrading the DCAgent requires a reboot of the DC. It may therefore be worth using the regular polling mode and not installing the DCAgents. The functionality is the same, but the DCAgents are more efficient at the 'cost' of maintenance. If a reboot of the DC is not possible, the DCAgent should not be considered.
If the DCAgent is required for the use case, the DCAgent module must be installed on all DCs that are, or will be, used to pick up user logons for FSSO.
Installing the DCAgent from or via the Collector Agent is an optional feature, and it requires the Collector Agent service to run under an account with domain administrator permissions: it needs to connect to the remote DCs to add/modify registry entries and copy DLL file(s) into the Windows system directory.
This requirement can be avoided by installing the DCAgent manually on each DC. See the next step.
Manual installation of the DCAgent is started by running DCAgent_Setup on the DC in question.
For example:
DCAgent_Setup_5.0.0314.exe // executable installation file for 32-bit architecture.
DCAgent_Setup_5.0.0314.msi // MSI package for 32-bit architecture.
DCAgent_Setup_5.0.0314_x64.exe // executable installation file for 64-bit architecture.
DCAgent_Setup_5.0.0314_x64.msi // MSI package for 64-bit architecture.
Note:
After the Collector Agent upgrade, the DCAgent has to be upgraded manually.
An upgrade of the DCAgent requires a reboot, because the DCAgent core component is a DLL ('dcagent.dll') hooked into the system from the system32 directory.
For more information about upgrade instructions:
Technical Tip: Upgrading FSSO Agents
Note:
The manual installation needs to run with the privileges of an account that is a member of Local Administrators or Domain Admins.
Running the Collector Agent service under a restricted account does not prevent the DCAgent from sending logon events to the Collector Agent.
In the event log polling modes (WinSec polling), the Collector Agent must be able to log on to the DC and poll its event logs. This requires the service account to be a member of the 'Event Log Readers' group.
Without that membership, the Collector Agent log reports that the event log cannot be opened; Windows error 1314 is ERROR_PRIVILEGE_NOT_HELD ('A required privilege is not held by the client'). For example:
02/21/2024 12:48:48 [ 6576] [E][EPPoller]Could not open the event log on:DCserver.domain.local (e=1314)
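The script below is an added example, not Fortinet code, for preparing and checking the polling permission described above. On domain controllers the Builtin 'Event Log Readers' group is a domain group, so one AD membership change covers every DC; the second half then reproduces the Collector Agent's own operation by opening the Security log on each DC as the service account, which is the call that fails with e=1314 when the membership is missing. The domain name 'domain.local' is taken from the log line in the article and the account name 'fsso-svc' from the article's example; both are assumptions for your environment. The ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not Fortinet code): make the FSSO service account an Event Log Reader
# and prove, as that account, that the Security log of every DC can be opened.
Import-Module ActiveDirectory

$ServiceAccount = 'fsso-svc'        # the article's example account name
$Domain         = 'domain.local'    # assumed, matches the DC name in the article's log line

function Ensure-EventLogReader {
    param([string]$SamAccountName)
    # Builtin\Event Log Readers on a DC is the domain's built-in group, so this applies to all DCs
    $group   = Get-ADGroup -Identity 'Event Log Readers'
    $already = Get-ADGroupMember -Identity $group | Where-Object { $_.SamAccountName -eq $SamAccountName }
    if (-not $already) {
        Add-ADGroupMember -Identity $group -Members $SamAccountName
        return 'added'
    }
    return 'already a member'
}

function Test-SecurityLogRead {
    param([string[]]$DomainControllers, [pscredential]$Credential)
    foreach ($dc in $DomainControllers) {
        try {
            # One record is enough: the failure mode is opening the log, not reading it
            $null = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 `
                                 -Credential $Credential -ErrorAction Stop
            [pscustomobject]@{ DC = $dc; SecurityLogReadable = $true;  Error = $null }
        } catch {
            # Typical cause without the group: privilege/access error, which the Collector
            # Agent logs as 'Could not open the event log on:<dc> (e=1314)'
            [pscustomobject]@{ DC = $dc; SecurityLogReadable = $false; Error = $_.Exception.Message }
        }
    }
}

$membership = Ensure-EventLogReader -SamAccountName $ServiceAccount
Write-Host "Event Log Readers membership for ${ServiceAccount}: $membership"

# The group shows up in the account's token only on a fresh logon, so prompt for the
# service account's credential rather than relying on the current session.
$cred = Get-Credential -UserName "$Domain\$ServiceAccount" -Message 'FSSO service account'
$dcs  = (Get-ADDomainController -Filter *).HostName

Test-SecurityLogRead -DomainControllers $dcs -Credential $cred | Format-Table -AutoSize
```

Two practical points follow from how the check works: the Collector Agent service must be restarted after the membership is added, because the running service still holds a token built before the change, and the remote read relies on the 'Remote Event Log Management' firewall rules being enabled on the DCs, so a failure in the test is not necessarily a permission problem.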
It is a best practice to add the Collector Agent service account to the 'Ignore User List'. It is a domain account, but users are not expected to log on with it.
It also does not require internet access, so its logon events can be ignored.
The Collector Agent service account can additionally be restricted by assigning it the 'Deny log on locally' user right.
It is a service account and is not expected to be used for interactive logon; it still needs the 'Log on as a service' right in order to run the service.
Additional information about these Microsoft user rights is available in the Microsoft documentation:
Microsoft documentation: Log on as a service
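As an added example (not part of the Fortinet article), the following script checks the two user rights that matter for the hardened service account on the Collector Agent host: it must hold 'Log on as a service' (SeServiceLogonRight) and, once hardened as described above, should appear in 'Deny log on locally' (SeDenyInteractiveLogonRight). It goes slightly beyond the article by also reporting 'Deny log on through Remote Desktop Services', which is the companion setting for an account that should never log on interactively. The policy is read with secedit, which Windows provides; the account name 'DOMAIN\fsso-svc' is an assumption. Run elevated.

```powershell
# Added example (not Fortinet code): read the effective local security policy with
# secedit and verify the user rights assigned to the FSSO service account.
$Account = 'DOMAIN\fsso-svc'   # assumed domain; 'fsso-svc' is the article's example account

function Get-UserRightsAssignment {
    # Returns a hashtable: right name -> array of assigned principals (SIDs without the '*' prefix, or names)
    $inf = Join-Path $env:TEMP 'fsso-secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            # Example line: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-AccountHasRight {
    param([hashtable]$Rights, [string]$RightName, [string]$AccountName)
    # Exported entries may be SIDs or names, so resolve the account's SID and compare against both
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $assigned = @($Rights[$RightName])
    return [bool](($assigned -contains $sid) -or ($assigned -contains $AccountName))
}

$rights = Get-UserRightsAssignment
[pscustomobject]@{
    Account           = $Account
    LogOnAsService    = Test-AccountHasRight $rights 'SeServiceLogonRight'               $Account  # required
    DenyLogOnLocally  = Test-AccountHasRight $rights 'SeDenyInteractiveLogonRight'       $Account  # hardened state
    DenyRemoteDesktop = Test-AccountHasRight $rights 'SeDenyRemoteInteractiveLogonRight' $Account  # companion setting
}
```

The check only sees rights assigned directly to the account or to an exact name; if the deny right is granted through a group the account belongs to (the common way to do it with a GPO), the result is a false negative for that row, so compare against the group as well in that case. Assigning 'Deny log on locally' via the Services console or secedit on a single host is fine for a lab; in production the user right is normally delivered by Group Policy to the Collector Agent host.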
For the workstation verification feature, the service account also needs to be a member of the appropriate local group on each remote workstation it checks, as explained below.
See the following Microsoft article for more information about WMI on a remote computer:
Microsoft documentation: Connecting to WMI on a Remote Computer
The Microsoft article makes clear what is necessary for remote access through WMI: an administrative account is required. Because of User Account Control, the account on the remote system must be a domain account that is a member of the local Administrators group. For more information, see 'User Account Control and WMI'.
If WMI access is not set up properly, the Collector Agent will not be able to verify workstations.
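The script below is an added example and not Fortinet code. It tests the workstation verification prerequisite from the Collector Agent host: for each workstation it connects over WMI as the service account, queries Win32_ComputerSystem (whose UserName property is the logged-on interactive user), and reports whether the connection was refused. An access denied result is exactly the condition the Microsoft text above describes, the account not being in the remote machine's Administrators group. The hostnames and the domain in 'DOMAIN\fsso-svc' are assumptions; 'fsso-svc' is the article's example account.

```powershell
# Added example (not Fortinet code): check, as the FSSO service account, that remote WMI
# access to each workstation works, so the Collector Agent's workstation check can succeed.
$cred         = Get-Credential -UserName 'DOMAIN\fsso-svc' -Message 'FSSO service account'
$Workstations = @('ws01.domain.local', 'ws02.domain.local')   # assumed workstation names

function Test-FssoWmiAccess {
    param([string]$Computer, [pscredential]$Credential)
    try {
        # Same kind of remote WMI query a logged-on-user check performs
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer `
                            -Credential $Credential -ErrorAction Stop
        [pscustomobject]@{
            Computer     = $Computer
            WmiAccess    = $true
            LoggedOnUser = $cs.UserName     # null when nobody is logged on interactively
            Error        = $null
        }
    } catch {
        # E_ACCESSDENIED surfaces as UnauthorizedAccessException: the account reached the host
        # but is not in its local Administrators group (UAC requirement for remote WMI)
        $denied = $_.Exception -is [System.UnauthorizedAccessException]
        [pscustomobject]@{
            Computer     = $Computer
            WmiAccess    = $false
            LoggedOnUser = $null
            Error        = if ($denied) { 'Access denied: not a member of the remote Administrators group' }
                           else         { $_.Exception.Message }   # e.g. RPC unavailable = firewall/DCOM
        }
    }
}

$Workstations | ForEach-Object { Test-FssoWmiAccess -Computer $_ -Credential $cred } | Format-Table -AutoSize
```

The caveat worth stating plainly: satisfying this check means the FSSO service account is a local administrator on every workstation it verifies, which is a large footprint for a single account. If the workstation check is not needed in the deployment, turning the feature off (as the article's introduction allows for) removes the requirement entirely; if it is needed, deliver the group membership with a Group Policy restricted group so it is visible and auditable rather than set by hand.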
Note:
During troubleshooting of FSSO issues, a TAC support engineer may ask to temporarily try a domain admin/system account instead of the restricted account in use.
This is an expected step, used to test whether the issue is related to the granted permission level.
Troubleshooting notes
If the service account is restricted too much, certain behaviors may be observed. For example, the FortiGate fails to authenticate to the Collector Agent, as seen in the FortiGate authd debug output:
Server challenge:
7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06
MD5 response:
1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f
_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting
Related articles:
Technical Tip: Upgrading FSSO Agents
Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
Technical Note: How to enable audit of logon events on Windows Server for FSSO
Copyright 2024 Fortinet, Inc. All Rights Reserved.