topic Re: Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts) in Firewall and Security Management

Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

phlrnnr — Thu, 21 Mar 2019 17:57:49 GMT

A feature request for ID Awareness - to simplify password rotations on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts). These handle the password rotation automatically, and securely.

Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?

Re: Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

phlrnnr — Fri, 04 Oct 2019 15:30:19 GMT

Does anyone have any thoughts around password rotation of the LDAP Account Unit service accounts in a way that minimizes impact to an Identity Collector setup? I'm guessing anyone that logs in during the password change process will not get any group information tied to their authentications, and policy will not work well with them.

Even worse, would be what happened here...

Any ideas to minimize the impact, other than setting the password to never expire?

Re: Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

PhoneBoy — Sat, 05 Oct 2019 04:41:42 GMT

This gets into the whole "should we change passwords at all" debate.
Assuming the password is complex and long enough, I would personally say...no.
I assume the "safest" way to change the password would be to do it during an outage window.

Re: Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

phlrnnr — Mon, 07 Oct 2019 14:06:22 GMT

While I understand where you are coming from, and mostly agree in this instance, we live in a world where Security policy often requires fairly frequent password rotations of service accounts. Therefore, anything Checkpoint can do to minimize the impact of those rotations would be helpful.

I can avoid an outage on the Identity Collector side by using 2 IDC servers and 2 different accounts that rotate separately. However, the LDAP account unit is the bigger pain point as changing it will cause an outage for some users. Anything Checkpoint can do to eliminate that would be helpful.

As to your suggestion to do it safely in an "outage window" the whole point of having redundancy in clusters, multiple identity collector servers, etc is to avoid an outage completely. Now I have to try to sell to management an outage every X number of months based on the Security policy currently in effect. That is a tough sell to a 24x7 operation.

Re: Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

PhoneBoy — Mon, 07 Oct 2019 18:09:46 GMT

The LDAP lookup actually happens on the gateway to change passwords.
To change that requires a Security Policy push, which may create its own service impact.