A feature request for ID Awareness - to simplify password rotations on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts). These handle the password rotation automatically, and securely.
Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?
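For context on what the requested feature would rely on, here is how a gMSA is provisioned on the Active Directory side so that the KDS, rather than an administrator, rotates the password. This is an added example, not code from the thread or from Check Point, and the thread itself states that Identity Collector does not yet consume gMSAs; the account name `idc-gmsa`, host `IDC01`, domain `corp.example.com` and the 30-day interval are assumed values.

```powershell
# Added example (not from the CheckMates thread): provisioning a gMSA in AD.
# Assumed names: gMSA "idc-gmsa", collector host "IDC01", domain "corp.example.com".

Import-Module ActiveDirectory

# One-time prerequisite per forest: a KDS root key. Even with -EffectiveImmediately,
# allow roughly 10 hours for replication before the key is usable on every DC.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only the listed computer account(s) may retrieve the managed password; keep this
# list to the hosts that actually run the service (least privilege).
New-ADServiceAccount -Name 'idc-gmsa' `
    -DNSHostName 'idc-gmsa.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'IDC01$' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256

# Run on IDC01: installs the account locally and confirms the host can fetch
# the managed password from AD.
Install-ADServiceAccount -Identity 'idc-gmsa'
Test-ADServiceAccount -Identity 'idc-gmsa'

# Verification: the rotation interval and the retrieval principals should match
# what was configured above; any other principal here is a finding to investigate.
Get-ADServiceAccount -Identity 'idc-gmsa' `
    -Properties 'msDS-ManagedPasswordInterval', 'PrincipalsAllowedToRetrieveManagedPassword'
```

The rotation happens without an operator touching the password, which is the property the feature request is asking for: nothing has to be re-entered in the LDAP account unit or the collector, so there is no window in which authentications lose their group information.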
Does anyone have any thoughts around password rotation of the LDAP Account Unit service accounts in a way that minimizes impact to an Identity Collector setup? I'm guessing anyone that logs in during the password change process will not get any group information tied to their authentications, and policy will not work well with them.
Even worse would be what happened here...
Any ideas to minimize the impact, other than setting the password to never expire?
While I understand where you are coming from, and mostly agree in this instance, we live in a world where security policy often requires fairly frequent password rotations of service accounts. Therefore, anything Check Point can do to minimize the impact of those rotations would be helpful.
I can avoid an outage on the Identity Collector side by using 2 IDC servers and 2 different accounts that rotate separately. However, the LDAP account unit is the bigger pain point, as changing it will cause an outage for some users. Anything Check Point can do to eliminate that would be helpful.
As to your suggestion to do it safely in an "outage window": the whole point of having redundancy in clusters, multiple Identity Collector servers, etc. is to avoid an outage completely. Now I have to try to sell to management an outage every X number of months based on the security policy currently in effect. That is a tough sell to a 24x7 operation.