
AD groups as administrators instead of just users.

Has anyone thought about or asked about the idea of AD based user groups for administration access?

The idea would be to have AD groups for full Admin control and another for Read-Only admin access.

The users would be added or removed in the AD groups and an administrator configuration would be built for the AD group not the individual users.

The AD groups can be managed for who is in there and has rights. There could be risks, but it also allows flexibility in admin control.


5 Replies

Re: AD groups as administrators instead of just users.

Personally, I think that it's potentially opening up the platform and would become an additional security risk to consider. Obviously the level of risk would be dependent on how secure the Active Directory is.

Generally it would allow anybody with, say, domain administrator access to grant themselves access to firewall management, unless delegation was put in place over the AD groups. But on the other hand it would be a great way to manage access. If the Active Directory were ever to be compromised, this would then also put your firewall platform at risk.

Having the permissions controlled by the SMS rather than AD is a lot more secure and would reduce the risk.

If it was available it would be a matter of weighing up the risk with the benefit. 

Maybe if it ever does become available, then delegating access to the AD group that controls access to the firewall would become a best practice.

Those are my thoughts.

Re: AD groups as administrators instead of just users.

We use a separate AD for infrastructure management, so groups are tight and well controlled. Having to add/remove admins manually in CP is a hassle and likewise can lead to admins that are not removed after they have left the team. I vote AD groups. And direct AD integration. One point of control.

Re: AD groups as administrators instead of just users.

What about this question: Multi-domain Admin user authentication to AD?

So in short: yes, this question was asked recently.

Regards, Maarten

Re: AD groups as administrators instead of just users.

I am not talking about authentication. I know you can do RADIUS to get AD auth. I am referring to having AD groups instead of users for admin logins, then populating the AD group. The issue is more about having a more central way to control admins instead of individual accounts.


Re: AD groups as administrators instead of just users.

Login by AD groups (and not just by single users) is also part of the solution we recently developed, which Maarten referred you to.

This solution, authenticating administrators with AD, is currently in limited availability. So in order to get it, please approach the Check Point Solution Center.