John_Fulater
Contributor

AD groups as administrators instead of just users.

Has anyone thought about or asked about the idea of AD-based user groups for administration access?

The idea would be to have one AD group for full admin control and another for read-only admin access.

The users would be added to or removed from the AD groups, and an administrator configuration would be built for the AD group, not for the individual users.

The AD groups can be managed for who is in them and has rights. There could be risks, but it also allows flexibility in admin control.

Thoughts....

0 Kudos
10 Replies
Mark_Mitchell
Advisor

Personally, I think it potentially opens up the platform and would become an additional security risk to consider. Obviously the level of risk would be dependent on how secure the Active Directory is.

Generally it would allow anybody with, say, domain administrator access to grant themselves access to firewall management, unless delegation was put in place over the AD groups. But on the other hand it would be a great way to manage access. If the Active Directory were ever to be compromised, this would then also put your firewall platform at risk.

Having the permissions controlled by the SMS rather than AD is a lot more secure and would reduce the risk.

If it was available, it would be a matter of weighing up the risk against the benefit.

Maybe if it ever does become available, delegating access to the AD group that controls access to the firewall would become a best practice.

Those are my thoughts.

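The delegation check Mark describes, as an added example that is not part of the thread and not Check Point's or Microsoft's own code: it lists every principal whose ACE on the firewall-admin AD group lets them add or remove members, either directly (WriteProperty on the `member` attribute, or on all properties) or by taking over the object (GenericAll, WriteDacl, WriteOwner). The group name `FW-Admins` is an assumption; everything else uses the standard ActiveDirectory module and the well-known schema GUID of the `member` attribute.

```powershell
# Added example (not from the thread or from Check Point): audit who can change the
# membership of the AD group that would be mapped to a firewall admin role.
# Anyone listed here effectively controls SmartConsole admin access.
# Group name is an assumption; run as a domain user allowed to read the group's DACL.
Import-Module ActiveDirectory

$GroupName = 'FW-Admins'                               # assumed group name
$group = Get-ADGroup -Identity $GroupName
$acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

# Schema GUID of the 'member' attribute. WriteProperty scoped to it (or to all
# properties, i.e. an empty ObjectType GUID) lets a principal add or remove members.
$memberGuid = [Guid]'bf9679c0-0de6-11d1-a285-00aa003049e2'
$emptyGuid  = [Guid]::Empty

$R         = [System.DirectoryServices.ActiveDirectoryRights]
$writeProp = [int]$R::WriteProperty
$takeover  = [int]($R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner)

$controllers = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.ActiveDirectoryRights
    $canWriteMember = (($rights -band $writeProp) -ne 0) -and
                      ($ace.ObjectType -eq $memberGuid -or $ace.ObjectType -eq $emptyGuid)
    $canTakeOver    = ($rights -band $takeover) -ne 0
    if (-not ($canWriteMember -or $canTakeOver)) { continue }

    $via = if ($canTakeOver) { 'GenericAll/WriteDacl/WriteOwner' } else { 'WriteProperty(member)' }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Via       = $via
        Inherited = $ace.IsInherited   # inherited = granted at an OU or domain level, not on the group
    }
}

$controllers | Sort-Object Principal | Format-Table -AutoSize
```

Expect the usual suspects (Domain Admins, Account Operators, SYSTEM) in the output; the point of the exercise is everything else, and any `Inherited = True` row, which means the right was granted on a parent OU rather than on the group itself. This reads only the group's DACL: object ownership, rights on the OU that contains the group, GPO-driven membership (Restricted Groups) and domain-level compromise are separate paths to the same result, which is Mark's wider point about AD compromise.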
Kaspars_Zibarts
Employee

We use separate AD for infrastructure management so groups are tight and well controlled. Having to add/remove admins manually in CP is a hassle and likewise can lead to admins that are not removed after they have left the team. I vote AD groups. And direct AD integration. One point of control.

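The drift Kaspars describes (admins that are never removed after leaving the team) can be caught by reconciling the management server's administrator list against the AD group, as an added example that is not part of the thread and not Check Point's own code. It assumes the group is named `FW-Admins`, that administrator objects are named after the user's sAMAccountName, and that `admins.json` is the saved output of `mgmt_cli -r true show administrators --format json` in the shape `{"objects":[{"name":"..."},...]}`; check the JSON shape against your own management version before relying on it.

```powershell
# Added example (not from the thread or from Check Point): reconcile the configured
# SmartConsole administrators against the AD group that is meant to own admin access,
# so that accounts left behind after someone leaves the team show up.
# Assumptions: group name; admin objects are named after the sAMAccountName;
# admins.json is the saved output of
#   mgmt_cli -r true show administrators --format json
# and has the shape {"objects":[{"name":"..."},...]}.
Import-Module ActiveDirectory

$GroupName  = 'FW-Admins'
$AdminsJson = '.\admins.json'
$BuiltIns   = @('admin')   # built-in/local admin accounts to leave out of the comparison

# Who should have admin access: user members of the group, nested groups expanded.
$expected = Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SamAccountName.ToLowerInvariant() } |
            Sort-Object -Unique

# Who actually has admin access on the management server.
$configured = (Get-Content -Raw $AdminsJson | ConvertFrom-Json).objects |
              ForEach-Object { $_.name.ToLowerInvariant() } |
              Where-Object { $_ -notin $BuiltIns } |
              Sort-Object -Unique

$stale   = $configured | Where-Object { $_ -notin $expected }   # configured, but no longer in the group
$missing = $expected   | Where-Object { $_ -notin $configured } # in the group, but never provisioned

"Admin objects with no matching group member (remove or review):"
$stale   | ForEach-Object { "  $_" }
"Group members without an admin object (provision or remove from group):"
$missing | ForEach-Object { "  $_" }
```

Run it on a schedule and treat a non-empty `$stale` list as a finding; the `-Recursive` switch matters because a nested group is how a team usually ends up inside the admin group, and a one-level listing would report all of its members as stale.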
Maarten_Sjouw
Champion

What about this question: Multi-domain Admin user authentication to AD?

So, in short, yes, this question was asked recently.

Regards, Maarten
0 Kudos
John_Fulater
Contributor

I am not talking about authentication. I know you can use RADIUS to get AD auth. I am referring to having AD groups instead of users for admin logins, then populating the AD group. The issue is more to have a central way to control admins instead of individual accounts.

0 Kudos
Asif_Klar
Employee

Login by AD groups (and not just by single users) is also part of the solution we recently developed, the one Maarten referred you to.

This solution, authenticating administrators with AD, is currently in limited availability. So in order to get it, please approach the Check Point Solution Center.

Hadi
Explorer

Hi all,

Is there any update for this feature in the latest R80.30 intakes? Is there a plan to have this publicly released?

0 Kudos
S_E_
Advisor

Hi,

Is this on the roadmap or already in R80.40?

Is there any other way to use some kind of admin group instead of adding/removing every single admin for SmartConsole access?

CP_R80.40_Multi-DomainSecurityManagement_AdminGuide.pdf did not really help.

Thanks

Regards

0 Kudos
Chris_Atkinson
Employee

Have you reviewed sk145392: SmartConsole Active Directory Authentication ?

CCSM R77/R80/ELITE
0 Kudos
S_E_
Advisor

Hi, yes, very limited. Is it really supported when you need the Solution Center for it...
Thanks

Authenticating administrators using Active Directory (AD) is in limited availability.
Contact the Check Point Solution Center via your local Check Point office to enable this feature.
0 Kudos
PhoneBoy
Admin

Customer releases like this are supported, though you may be limited to specific hotfixes and the like.
It's still worth engaging with your local Check Point office around this requirement to help prioritize bringing it into maintrain.
0 Kudos
