phlrnnr
Advisor

Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

A feature request for ID Awareness - to simplify password rotations on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts).  These handle the password rotation automatically, and securely.

Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?

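For readers unfamiliar with what the feature request above is asking for, here is an added example (not from the original poster, and not a Check Point procedure, since the thread says Identity Collector does not yet support gMSAs) of the Active Directory side of a gMSA: the domain generates and rotates the password itself, and only the authorised collector hosts can retrieve it. Host names, group and account names are constructed placeholders.

```powershell
# Added example: provisioning a Group Managed Service Account (gMSA) so that the domain,
# not an administrator, rotates the service account password on a fixed schedule.
# All names below (IDC-Collectors, IDC01, IDC02, svc-idc-gmsa, corp.example) are placeholders.

Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# Even with -EffectiveImmediately the key becomes usable only after ~10 hours of replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only member computers of this group may retrieve the managed password.
$hostGroup = New-ADGroup -Name 'IDC-Collectors' -GroupScope Global `
    -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'IDC01'), (Get-ADComputer 'IDC02')

# Create the gMSA. The password is 240 random characters, never shown to a human,
# and is regenerated every 30 days without any service restart or outage window.
New-ADServiceAccount -Name 'svc-idc-gmsa' `
    -DNSHostName 'svc-idc-gmsa.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# On each collector host (after a reboot so its Kerberos ticket carries the new group
# membership): bind the account locally and verify the host can fetch the password.
# The service is then configured to run as CORP\svc-idc-gmsa$ with an empty password field.
Install-ADServiceAccount -Identity 'svc-idc-gmsa'
Test-ADServiceAccount -Identity 'svc-idc-gmsa'    # True when retrieval works from this host

# Audit view: confirm the rotation interval and when the password was last regenerated.
Get-ADServiceAccount -Identity 'svc-idc-gmsa' `
    -Properties msDS-ManagedPasswordInterval, PasswordLastSet |
    Select-Object Name, msDS-ManagedPasswordInterval, PasswordLastSet
```

The contrast with the thread's problem is that no password value ever exists outside the domain controllers and the permitted hosts, so there is nothing to paste into an LDAP Account Unit and nothing to push in a policy install when it rotates.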
phlrnnr
Advisor

Does anyone have any thoughts around password rotation of the LDAP Account Unit service accounts in a way that minimizes impact to an Identity Collector setup?  I'm guessing anyone that logs in during the password change process will not get any group information tied to their authentications, and policy will not work well with them.

Even worse would be what happened here...

Any ideas to minimize the impact, other than setting the password to never expire?

PhoneBoy
Admin

This gets into the whole "should we change passwords at all" debate.
Assuming the password is complex and long enough, I would personally say...no.
I assume the "safest" way to change the password would be to do it during an outage window.
phlrnnr
Advisor

While I understand where you are coming from, and mostly agree in this instance, we live in a world where Security policy often requires fairly frequent password rotations of service accounts.  Therefore, anything Check Point can do to minimize the impact of those rotations would be helpful.

I can avoid an outage on the Identity Collector side by using 2 IDC servers and 2 different accounts that rotate separately.  However, the LDAP account unit is the bigger pain point, as changing it will cause an outage for some users.  Anything Check Point can do to eliminate that would be helpful.

As to your suggestion to do it safely in an "outage window": the whole point of having redundancy in clusters, multiple identity collector servers, etc. is to avoid an outage completely.  Now I have to try to sell to management an outage every X number of months based on the Security policy currently in effect.  That is a tough sell to a 24x7 operation.

PhoneBoy
Admin

The LDAP lookup actually happens on the gateway to change passwords.
To change that requires a Security Policy push, which may create its own service impact.