Create User Groups for Access to Allowed Applications

Safely enabling applications means defining the list of applications you want to allow and enabling access only for users who have a legitimate business need. For example, some applications, such as SaaS applications that provide access to Human Resources services (Workday or Service Now, for instance), must be available to any known user on your network. However, for more sensitive applications, reduce your attack surface by enabling access only for users who need the applications for business purposes. For example, IT support personnel might legitimately need access to remote desktop applications, but most users do not. Limiting user access to applications closes potential security gaps that an attacker might otherwise use to gain access to, and control over, systems in your network.
To enable user-based access to applications:
  • Enable User-ID in zones from which your users initiate traffic.
  • For each application allow rule you define, identify the user groups that have a legitimate business need to access the applications. Mapping application allow rules to business goals (which includes considering which users have a business need for a particular type of application) results in a smaller number of rules to manage compared to mapping port-based rules to users.
  • If you don’t have suitable existing user groups on your Active Directory (AD) server, create custom LDAP groups that correspond to the sets of users who need access to a particular application.
  • It takes just one end user to click on a phishing link and enter credentials to enable an attacker to gain access to your network. To defend against this simple and effective attack technique, set up credential phishing protection on all of your Security policy rules that allow user access to the internet. Configure credential detection with the Windows-based User-ID agent to ensure that you can detect when your users are submitting their corporate credentials to a site in an unauthorized category.
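To make the evaluation logic in the steps above concrete, here is a small model of user-based application rules (added example; it is not PAN-OS code and the zones, IP-to-user mappings, group names and rule names are constructed). It shows that a user in a zone without User-ID stays unknown and matches no known-user rule, that any known user reaches the HR SaaS rule, and that only members of the IT support group reach the remote-desktop rule.

```python
from dataclasses import dataclass

# Constructed sample data standing in for User-ID and directory groups.
USERID_ENABLED_ZONES = {"trust-users"}            # zones where User-ID is enabled
IP_TO_USER = {"10.1.1.10": "alice", "10.1.1.11": "bob"}  # User-ID IP-to-user mapping
GROUP_MEMBERS = {                                  # AD/LDAP group membership
    "it-support": {"alice"},
    "all-employees": {"alice", "bob"},
}


@dataclass
class Rule:
    name: str
    from_zone: str
    applications: set
    source_user: str   # "any", "known-user", or a group name
    action: str = "allow"


# Allow rules mapped to business need rather than to ports.
RULES = [
    Rule("hr-saas", "trust-users", {"workday", "servicenow"}, "known-user"),
    Rule("remote-admin", "trust-users", {"ms-rdp", "ssh"}, "it-support"),
]


def resolve_user(src_ip: str, src_zone: str):
    """Return the mapped user, or None if the zone has no User-ID or no mapping exists."""
    if src_zone not in USERID_ENABLED_ZONES:
        return None
    return IP_TO_USER.get(src_ip)


def user_matches(rule: Rule, user) -> bool:
    """Apply the rule's source-user condition to the resolved user."""
    if rule.source_user == "any":
        return True
    if rule.source_user == "known-user":
        return user is not None
    return user is not None and user in GROUP_MEMBERS.get(rule.source_user, set())


def evaluate(src_ip: str, src_zone: str, application: str):
    """First-match evaluation; anything not explicitly allowed is denied."""
    user = resolve_user(src_ip, src_zone)
    for rule in RULES:
        if (rule.from_zone == src_zone and application in rule.applications
                and user_matches(rule, user)):
            return rule.action, rule.name
    return "deny", "default-deny"
```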