Solved: Re: Need to Rename or disable GAIA Admin Account

Duminda_SAT · ‎2022-02-10

Hi Please help me to Disable or Rename GAIA Admin account due to compliance requirements.

Thank you,

Duminda Lakmal.

the_rock · ‎2022-02-10

You cannot really disable or delete default admin account. As @G_W_Albrecht , you can create new admin account and then edit to give it a different name.

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

G_W_Albrecht · ‎2022-02-10

- Login to GAiA WebGUI

- on the left go to User Management > Users

- define new admin user with admin role

- select and edit the user admin to nologin role

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2022-02-10

You cannot really disable or delete default admin account. As @G_W_Albrecht , you can create new admin account and then edit to give it a different name.

Best,
Andy
"Have a great day and if its not, change it"

HeikoAnkenbrand · ‎2022-02-11

Note:
If it is an SMS and you also use the "admin" account in the SmartConsole, you must also change the account with "cpconfig".

➜ CCSM Elite, CCME, CCTE, CCVS ➜ www.checkpoint.tips

_Val_ · ‎2022-02-10

I am curious, what exact compliance issues are there with that admin account?

Bob_Zimmerman · ‎2022-02-11

A lot of assessors don't like default usernames (like 'admin' specifically on Check Point boxes), predictable usernames (like 'admin', 'root', 'Administrator', and so on), or accounts with admin privileges whose usernames identify them as admin accounts (like 'BobZAdmin').

I routinely get all three complaints from assessors for every single box I manage.

the_rock · ‎2022-02-11

I think you would have to pay someone at CP a LOT of money to change that : - )

Best,
Andy
"Have a great day and if its not, change it"

Bob_Zimmerman · ‎2022-02-11

The "BobZAdmin" example is because it's also a compliance issue if administrators don't have separate accounts for administrative actions, but the compliance assessors don't like the privileged accounts to have the substring "admin" in their usernames.

The default username 'admin' hits all three of those compliance complaints.

Setting its password hash to "*" is enough to prevent a user from logging in as 'admin', and doesn't risk breaking other stuff. Specifically, setting the shell to /sbin/nologin causes interactive sessions to fail, so if you log in as an unprivileged user (logging in as UID 0 is yet another compliance issue), you can't elevate to root privileges.

_Val_ · ‎2022-02-12

Open an RFE 🙂

PhoneBoy · ‎2022-02-11

See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

masher · ‎2022-02-15

This is also documented in sk112163.

- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Are you a member of CheckMates?

Need to Rename or disable GAIA Admin Account