FAC Agent for Windows... seems any crafty user could add their own account as exempt. How to prevent changes once the approved config is in place?
Tried that, and when I'm logged in as a regular domain user, opening FAC Agent Configuration asks for an admin account to permit changes. I tried to work around this authorization with a local admin account, but with no luck.
However, if your agent has "Permit Built-In Password Providers" enabled, then you can log out and log in as 'Other user', then use a local admin account.
And this way you can reconfigure the Agent completely, not just the Exemption list. And as you are a local admin, you have free hands to do whatever you want, even uninstall the agent.
You can disable those built-in providers to prevent that, however read note there carefully, as it might have consequences.
So, do you have any details on how "crafty" I would have to be?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi
We have the following environment:
- Windows Domain
- AWS Workspace
- Users are local Admin
To block local administrators' access to FortiAuth Agent settings, we did the following:
- Limited access to registry editing tools, using Group Policies
- Defined Software Restriction Policies for the FAC configuration executable, using Group Policies
- Limited NTFS access to the FAC installation directory, restricting Modify access to Domain Administrators or another management AD group.
So far, it is working well for us.
Cheers
Kev
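An audit script for the three controls Kev lists above, added here as an example and not something from the thread or from Fortinet. The install directory, configuration executable name and the allowed-modifier group are placeholders to replace with your own values; the registry locations are the standard ones written by the "Prevent access to registry editing tools" policy and by Software Restriction Policies path rules at the Disallowed level.

```powershell
# Added audit example (not from the thread). Replace the placeholder values
# with the real FAC install directory, config executable and admin group.
param(
    [string]$FacInstallDir = 'C:\PLACEHOLDER\FortiAuthenticator Agent',
    [string]$FacConfigExe  = 'PLACEHOLDER_FacConfig.exe',
    [string[]]$AllowedModifiers = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\Domain Admins')
)

# Any of these rights lets a principal alter or replace files in the install directory.
$writeMask = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Get-UnexpectedWriters {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        # Any Allow ACE with write-class rights for a non-listed identity is a finding
        [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
    }
}

function Test-RegistryToolsDisabled {
    # Per-user value set by "Prevent access to registry editing tools"; 1 or 2 = blocked
    $v = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                          -Name DisableRegistryTools -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRegistryTools -ge 1)
}

function Test-SrpDisallowRule {
    param([string]$ExeName)
    # SRP path rules at the Disallowed level (0) live under CodeIdentifiers\0\Paths\<guid>;
    # the ItemData value holds the path or file name the rule matches.
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    $rules = Get-ChildItem -Path $base -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $data = (Get-ItemProperty -Path $r.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
        if ($data -and $data -like "*$ExeName*") { return $true }
    }
    return $false
}

$report = [pscustomobject]@{
    UnexpectedWriters     = @(Get-UnexpectedWriters -Path $FacInstallDir -Allowed $AllowedModifiers)
    RegistryToolsDisabled = Test-RegistryToolsDisabled
    SrpBlocksConfigExe    = Test-SrpDisallowRule -ExeName $FacConfigExe
}
$report | Format-List
```

Run it in the context of a regular user to see the effective state for that account; the registry-tools policy is per-user, so checking it from an admin session reports the admin's own policy, not the user's.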