This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Agent_Smith
Contributor
‎2025-01-16 01:12 PM

Password Keepers

The firewall is indicating that users are taking advantage of 1Password and Lastpass in the form of a browser plugin. How do I see if they are using them on personal sites or company urls. I want to prove if they are saving company passwords to personal password managers.

15 Replies
PhoneBoy
Admin
Admin
‎2025-01-16 01:34 PM

Not aware of a way to prove this from the network side of things. 
Having said that, controlling the browser plugins used by end users is something organizations typically do (e.g. allow only specific approved ones).

0 Kudos
the_rock
Legend
Legend
‎2025-01-16 03:13 PM

Do you have any log example you can attach? If yes, just blur out any sentisive data.

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-01-17 02:36 AM

You cannot see this with a firewall. It would require HTTPS inspection and all the plain data to be readable for you. Then somehow collect this data what is inside this extension. 

From my point of view you should either block these types of extensions (can be done via GPO) or allow them. I would allow them and provide a tool managed by the company. Reason for that is, if a user is not allowed to use a password management tool the user will most likely write down the passwords on a piece of paper or put it in a plain text file on the desktop. Also it will force the user to use more easy passwords and reuse old passwords (just change 1 number and add up every reset). Last reason is that with a password tool a user is more likely to use a different password for different websites. Instead of 1 easy to remember password for all websites. 

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2025-01-17 04:05 AM
In response to Lesley

I was thinking maybe QUIC protocol, but probably not. Cant recall now if there are any browser logins that could be blocked via ssl inspection policy, but will check in the lab later.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-17 04:14 AM

I think this is actually really good response from AI copilot, but it involves harmony endpoint.

Andy

**************************

To monitor and prevent the use of corporate passwords on personal sites, you can use the Password Reuse Protection feature in Harmony Endpoint. This feature alerts users and logs incidents when corporate passwords are used on non-corporate domains. Here’s how you can set it up:

Steps to Configure Password Reuse Protection

  1. Access the Policy Settings:

    • Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the Rule:

    • Select the rule set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.

  3. Navigate to Web & Files Protection:

    • In the Capabilities & Exclusions pane, select Web & Files Protection.

  4. Configure Credential Protection:

    • In the Web & Files Protection tab, scroll down to Credential Protection.
    • Under Password Reuse, select a mode:
      • Prevent mode: Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.
      • Detect mode: The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.
      • Off: Turns off password reuse protection.

Example Configuration

Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

Notes:

  • Detect mode: The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.
  • Off: Turns off password reuse protection.

Additional Information:

  • This feature is not supported with Safari and Internet Explorer browser extensions.
  • Ensure that the browser extension is installed and configured correctly for Chrome or Edge browsers.

By enabling and configuring the Password Reuse Protection feature, you can monitor and log incidents where corporate passwords are used on personal sites, helping you to prove if users are saving company passwords to personal password managers like 1Password and LastPass.

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.
Learn more:
  1. R81.10 Harmony Endpoint Web Management Administration Guide (English) - Client_User_Interface_Settin...
  2. Harmony Endpoint Administration Guide (English) - Client_User_Interface_Settings
  3. R81.20 Harmony Endpoint Web Management Administration Guide - Client_User_Interface_Settings
  4. R80.40 Endpoint Security Administration Guide - Phishing
  5. R81 Harmony Endpoint Server Administration Guide - Phishing
  6. R82 Harmony Endpoint Server Administration Guide - Phishing
  7. Harmony Endpoint Administration Guide (English) - Web-and-Files-Protection
  8. R82 Harmony Endpoint Web Management Administration Guide - Web-and-Files-Protection
  9. R77 Identity Awareness Administration Guide - 62007
0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-17 07:23 AM
In response to the_rock

That doesn't really tell you if you're using a password manager (the original ask), though it will tell you if you're internal credentials on an external site.

the_rock
Legend
Legend
‎2025-01-17 07:31 AM
In response to PhoneBoy

Ah, got it, makes sense.

0 Kudos
Agent_Smith
Contributor
‎2025-01-17 07:56 AM
In response to the_rock

Yes what I want to do is see which sites they are using the password keeper for. If its Facebook I don't care. If its the AWS, Azure, intranet other corporate sites I do care as these password keepers are not company sanctioned and personal. Which means they are saving company passwords to a personal site. I am sure the firewall can see the URLs accessed but how to associate the password keeper usage. We do run HTTPS inspection.

0 Kudos
the_rock
Legend
Legend
‎2025-01-17 08:19 AM
In response to Agent_Smith

I see what @PhoneBoy was saying about the answer I pasted from Copilot AI, it most likely would not be useful in your case, since it wont say if they are using pass manager or not, just if say company creds might be on external site. This is really interesting/logical ask. Personally, I would also open TAC case and reference this link, so they can see what was already discussed. I sometimes do that when opening a case, it definitely helps.

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-17 08:22 AM
In response to Agent_Smith

Your question assumes that the password manager is "queried" over the network each time it is used for a specific site.
Pretty sure none of the password managers operate on that premise.

The only possible way you can see what sites a password manager is using is on the browser itself.
That assumes the password manager is a plugin and not, say, an external application the user copy/pastes the password from.

0 Kudos
the_rock
Legend
Legend
‎2025-01-17 08:25 AM
In response to PhoneBoy

Would maybe adding below to the right rule for urlf/appc layer help or you dont think so?

Andy

 

Screenshot_1.png

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-17 08:30 AM
In response to the_rock

That might be useful in blocking access to ALL browser plugins.
Best way to do that is to use the Enterprise management features of the browser, which can restrict what plugins users are allowed to use.

Agent_Smith
Contributor
‎2025-01-17 10:21 AM
In response to the_rock

This is what I'm seeing in the logs. I don't know for sure its a browser plugin but one says.

Checkmate.jpg
Preview file
341 KB
0 Kudos
the_rock
Legend
Legend
‎2025-01-17 10:25 AM
In response to Agent_Smith

I was hoping that may give us more info, but does not look like it : - (

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-01-18 04:29 AM
In response to Agent_Smith

You will not get more info then this from a firewall. There is not a way to know what passwords are in the plugin/tool (from fw point of view)

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top