Tip of the Week - Using Identity Awareness AD Query without Administrator Privileges

_Val_
Admin

The Identity Awareness AD Query is designed to work when provided an Active Directory domain administrator user. However, you can also set it up with a Non-Admin user, given specific permissions.

Read this SecureKnowledge article for more information.

5 Comments
Vladimir
Champion

@_Val_ , I am repeatedly running into situations where clients are not happy about either option.

Obviously, the non-AD Administrator option is preferable, but it is still described as requiring full Server Operator privileges.

I doubt that all of the privileges in that group are necessary, but CP documentation does not address specific rights that could be removed from this account.

The Identity Collector is not always an option, depending on the structure of organizations.

You can see, for instance, how the competition is addressing this here:

Configure a Service Account for the PAN-OS Integrated User-ID Agent

_Val_
Admin

It would help if you can say which particular privileges are excessive, in your opinion.

Vladimir
Champion

To begin with, the Domain Administrator requirement goes completely against Microsoft's own recommendations.

Microsoft recommends that NO Domain Administrators should be present in that group at all.

Instead, there is a role that changes group memberships and, at a time when administrative action is needed, administrators are added to that group, perform necessary functions and subsequently removed from it.

This significantly reduces privilege escalation attacks success rate.

The second issue is the Server Operator in the "Non AD Administrator" sk.

Does this user have to have the ability to shut down or reboot servers, have RDP capabilities, etc.? Because Server Operators do have these rights by default.

One more issue that is a thorn in my side is the absence of clarification of LDAP Account Unit user rights and its correlation with the user and credentials required when enabling IA:

There are NO specific requirements for the LDAP Account Unit user's group membership and rights anywhere in the documentation.

Even when it is defined with whatever rights, the IA wizard still prompts you for a new user and credentials.

It explicitly states on the prompt window that it should be a Domain Administrator, which is pretty bad, since there is no mention of the alternative sk (btw, please suggest including sk references in the UI prompt).

Clients are asking to specifically describe what actions the said user as well as the LDAP Account Unit are performing that warrant the rights assigned to them, and are EXPLICITLY asking for Check Point documentation they can refer to when requesting this from their IT counterparts.

As I was writing this, another such inquiry just landed in my inbox.

If you or someone in an official position at CP can reply with a detailed explanation for the above questions, I'd be much obliged, as it may tide me over until the documentation is amended.

Thank you.

Vladimir
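As an added example for the least-privilege concern raised above (this is not code from the thread or from Check Point), a PowerShell audit that reports which built-in high-privilege groups an Identity Awareness service account is a standing member of, nested groups included. It assumes the RSAT ActiveDirectory module; the account name is a placeholder.

```powershell
<#
  Added example, not from this thread or from Check Point. Reports the standing
  membership of an Identity Awareness service account in the built-in AD groups
  that grant broad rights on domain controllers, resolving nested groups.
  Assumes the RSAT ActiveDirectory module; the account name is a placeholder.
#>
param(
    [string]$SamAccountName = 'svc-ia-adquery'   # placeholder, not a real account
)

Import-Module ActiveDirectory

# Built-in groups whose membership goes well beyond reading DC security logs.
$HighPrivilegeGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators',
    'Server Operators', 'Account Operators', 'Backup Operators'
)

$Account = Get-ADUser -Identity $SamAccountName

# Escape the DN for use inside an LDAP filter (backslash first, then parentheses).
$Dn = $Account.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

# LDAP_MATCHING_RULE_IN_CHAIN walks nested membership in one query, so an account
# placed in Server Operators via an intermediate group is found as well.
$AllGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$Dn)" |
    Select-Object -ExpandProperty Name

$Findings = foreach ($Group in $HighPrivilegeGroups) {
    if ($AllGroups -contains $Group) {
        $Note = switch ($Group) {
            'Server Operators' { 'Default DC user rights include shut down/force shutdown, backup/restore, local logon' }
            'Domain Admins'    { 'Standing DA membership; Microsoft recommends temporary membership instead' }
            default            { 'Standing high-privilege membership; confirm it is actually required' }
        }
        [pscustomobject]@{ Account = $Account.SamAccountName; Group = $Group; Note = $Note }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    "$SamAccountName holds no standing membership in: $($HighPrivilegeGroups -join ', ')"
}

# Full resolved list, so the path into any privileged group is visible.
"All resolved group memberships: $($AllGroups -join ', ')"
```

Run it against the account configured in the IA wizard and in the LDAP Account Unit; any row in the findings table is a membership to justify or remove.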

E_AGH107
Participant

@Vladimir did you receive answer about this?

@_Val_ @Vladimir Is there any CP documentation where the relationship between the permissions needed and the reason for them can be found?

Thank you in advance!

_Val_
Admin

Hi @E_AGH107, this discussion is more than 2 years old.

There is plenty of documentation, for example, the Identity Awareness Admin Guides (available here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&product=436), the best practices SK, the ATRG SK, etc.

For a while now, we have been recommending Identity Collectors as the best option.