Technical Tip: Restricting FSSO service account
Products
FortiGate
Description
The Collector Agent performs most of its tasks with the privileges of its service account (the account the Fortinet Single Sign On Agent Service runs as).
It is therefore important that this service runs with properly configured permissions, and to understand the limitations that follow when the permissions are not set correctly.

FSSO supports several features and modes so that it can fit a variety of Microsoft Active Directory (AD) implementations. Each operation mode (for example DCAgent mode, WinSec polling, or polling by the FortiGate integrated poller) and each feature may require a different level of privileges.
To simplify configuration, the Fortinet Single Sign On Agent Service is suggested to run with the privileges of a domain admin account. That ensures that, whatever mode or feature is selected, the service has enough permissions to complete its task.
However, in some scenarios such access may not be allowed, or there are security concerns about using such an account.

This article explains when and which permissions are needed, permission workarounds for some modes, and which features may need to be turned off where the access level is not sufficient. In the examples below, an account called "fsso-svc" is used.


Note: In this article, the term FSAE stands for “Fortinet Server Authentication Extension” and refers to the same component as the Collector Agent or FSSO.
Scope
FortiGate with Fortinet Single Sign On Agent (also known as Collector Agent)
Solution
These tests are based on the default group privileges of AD on Windows Server 2012; other environments may differ, and additional adjustments may be required there.

1) Permissions required during installation/uninstall/upgrade:

1.1) The Collector Agent must be installed on a Windows domain member host. It does not need to be a Domain Controller (DC). For supported Windows OS versions, refer to the release notes of each release.

1.2) The Collector Agent installation needs to run with an account that is a member of the local administrators or domain administrators group. These permissions are required for creating local registry entries, libraries, local folders, logs, etc.
This is a temporary requirement, but it is needed for the installation to complete properly.

1.3) After the installation is completed, the permissions can be reduced by changing the service account to one with "Domain Users" access level.
However, the service account must have Full Control on the following registry keys and subkeys:

32bit machine:
[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent]

64bit machine:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent]

1.4) Full Control is required for the local FSAE folder and its subfolders:

\Program Files (x86)\Fortinet\FSAE
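Steps 1.3 and 1.4 as one added PowerShell example (this is not code from the Fortinet article): it grants the service account Full Control on the collectoragent registry key, choosing the 32-bit or 64-bit path, and on the FSAE folder, then lists the resulting access entries so the grant can be verified. The domain name EXAMPLE is an assumption, the account fsso-svc is the one used in this article; run it elevated on the Collector Agent host.

```powershell
# Added example, not from the Fortinet article.
# Assumptions: domain EXAMPLE, service account fsso-svc, Collector Agent installed
# under Program Files (x86) as stated in step 1.4. Run in an elevated PowerShell.
$account = 'EXAMPLE\fsso-svc'

# Step 1.3: registry key differs between 32-bit and 64-bit hosts.
$regKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent'
} else {
    'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
}

# Step 1.4: local FSAE folder.
$folder = Join-Path ${env:ProgramFiles(x86)} 'Fortinet\FSAE'

# Registry: Full Control, inherited by all subkeys (ContainerInherit).
$regAcl  = Get-Acl -Path $regKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $regKey -AclObject $regAcl

# Folder: Full Control, inherited by subfolders and files (ContainerInherit, ObjectInherit).
$fsAcl  = Get-Acl -Path $folder
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $folder -AclObject $fsAcl

# Verify: show only the entries that apply to the service account.
(Get-Acl -Path $regKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Because these are explicit entries on the key and the folder, they survive a change of the service account's group membership but not an upgrade that recreates the key or folder, which is why the note after step 1.4 says the steps must be reapplied after an upgrade.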


Note: After an upgrade of the Collector Agent, steps 1.3-1.4 have to be reapplied.

The following two steps (2 and 3) are only valid for DC Agent mode. If event log polling is used instead, they may be skipped.

2) Install/uninstall/upgrade of the DCAgent module:

2.1) The DCAgent must be installed on all DCs that are, or will be, used to pick up user logons for FSSO.

2.2) Installing the DCAgent from the Collector Agent is a feature that requires the Collector Agent service to run under an account with domain administrator permissions.
It needs to connect to the remote DCs, add/modify registry entries, and copy DLL file(s) to the Windows system directory.
This requirement can be avoided by manually installing the DCAgent application on each DC. See the next step.

2.3) Manual installation of the DCAgent can be started with a DCAgent_Setup package on the DC in question.

For example:
DCAgent_Setup_5.0.0282.exe:      executable installation file for 32-bit architecture
DCAgent_Setup_5.0.0282.msi:      MSI package for 32-bit architecture
DCAgent_Setup_5.0.0282_x64.exe:  executable installation file for 64-bit architecture
DCAgent_Setup_5.0.0282_x64.msi:  MSI package for 64-bit architecture

Note: After a Collector Agent upgrade, the DCAgent has to be upgraded manually.
An upgrade of the DCAgent requires a reboot, as the DCAgent core component is a DLL (“dcagent.dll”) hooked into the system.

See the KB article listed under "Related Articles" for more information about the upgrade instructions.

Note: The manual installation needs to run with the privileges of an account that is a member of Local Administrators or Domain Administrators.

3) Limitations when the Collector Agent uses limited access permissions in DCAgent operation mode:

3.1) The Collector Agent will not be able to check the DCAgent status, so a '?' is expected next to the DCAgent under "DC Agent Status" > "Select DC to Monitor".

3.2) All DCAgent registry changes, such as the ignore list, have to be updated manually on each DC (for example: [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list]).

3.3) This does not prevent the DCAgent from sending logon events to the Collector Agent.
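Since step 3.2 means the DCAgent ignore list is no longer pushed centrally, a way to confirm that every DC carries the same entries is useful. The following is an added PowerShell example, not part of the Fortinet article: it reads the ignore_list key named in step 3.2 on every domain controller and prints the values side by side. It assumes the RSAT ActiveDirectory module on the host you run it from, WinRM access to the DCs, and that the operator running it (not the FSSO service account) has local administrator rights on the DCs. It only reads the key; the value format written by the Collector Agent is not documented here, so edits are left to the Collector Agent UI or regedit.

```powershell
# Added example, not from the Fortinet article.
# Assumptions: ActiveDirectory module available, WinRM enabled on the DCs, and the
# operator has admin rights there. The key path is the one given in step 3.2.
Import-Module ActiveDirectory

$ignoreKey = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list'
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $ignoreKey -ScriptBlock {
    param($key)
    if (-not (Test-Path -Path $key)) {
        # DCAgent not installed here, or the key was never created: flag it.
        return [pscustomobject]@{ DC = $env:COMPUTERNAME; Entries = '<key missing>' }
    }
    # Get-ItemProperty adds PSPath/PSParentPath/... note properties; drop them
    # so only the registry values themselves are reported.
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Entries = if ($values) { $values -join '; ' } else { '<empty>' }
    }
}

$report | Sort-Object DC | Format-Table DC, Entries -AutoSize

# A quick consistency check: more than one distinct entry set means at least one DC is out of sync.
$distinct = ($report.Entries | Sort-Object -Unique).Count
if ($distinct -gt 1) { Write-Warning "ignore_list differs across DCs ($distinct variants found)" }
```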

4) A primary function, common to all operation modes, is access to AD to poll users' group membership. In the lab tests for these examples, the default "Domain Users" group has sufficient privileges for this.

5) Permission restriction for the Collector Agent in WinSec and WMI modes:

5.1) In these modes the Collector Agent needs to be able to log in to the DCs and poll the event logs. This requires the service account to be a member of "Event Log Readers".


6) "Event Log Readers" membership is also required when a FortiGate is configured in polling mode.
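Steps 4, 5.1 and 6 as one added PowerShell example (not Fortinet's own code): it adds the service account to "Event Log Readers", and then, authenticating as the service account itself rather than as the operator, performs the two operations the article says the account must be able to do: look up a user's group membership in AD (step 4) and read logon events from a DC's Security log (steps 5.1 and 6). The RSAT ActiveDirectory module, the domain EXAMPLE, the DC name dc01.example.local and the test user jdoe are assumptions; fsso-svc is the account used throughout this article.

```powershell
# Added example, not from the Fortinet article.
# Assumptions: ActiveDirectory module available, domain EXAMPLE, a DC named
# dc01.example.local, and an ordinary test user jdoe. fsso-svc is the service account.
Import-Module ActiveDirectory

$svc = 'fsso-svc'
$dc  = 'dc01.example.local'

# Steps 5.1 / 6: Event Log Readers is the built-in group that grants read access to the
# Security log on the DCs. Add the account and show the resulting membership.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $svc
Get-ADGroupMember -Identity 'Event Log Readers' | Select-Object SamAccountName, objectClass

# The checks below run with the service account's own credential, so they prove what
# the Collector Agent will be able to do, not what the operator can do.
$cred = Get-Credential -UserName "EXAMPLE\$svc" -Message 'FSSO service account password'

# Check 1 (step 4): a group-membership lookup needs only Domain Users rights.
Get-ADUser -Identity 'jdoe' -Properties MemberOf -Server $dc -Credential $cred |
    Select-Object -ExpandProperty MemberOf

# Check 2 (steps 5.1 / 6): read the five most recent logon events (event ID 4624).
# "Access is denied" here means the group change has not taken effect yet: group
# membership is evaluated at logon, so a new session for the account is needed.
Get-WinEvent -ComputerName $dc -Credential $cred `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ Name = 'TargetUser'; Expression = { $_.Properties[5].Value } }  # index 5 = TargetUserName in 4624
```

Running the checks under the service account's credential is the point of the example: a successful read by a domain admin proves nothing about the restricted account the service will actually run as.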

7) Additional restriction in the Collector Agent configuration.
It is a best practice to include the Collector Agent service account in the “Ignore User List”.
This is a domain account, but it is not expected that users will log on with it. It also does not require internet access, so its logon events can be ignored.
