This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
phlrnnr
Advisor
‎2019-03-21 10:57 AM

Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

A feature request for ID Awareness - to simplify password rotations on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts).  These handle the password rotation automatically, and securely.

Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?

0 Kudos
4 Replies
phlrnnr
Advisor
‎2019-10-04 08:30 AM

Does anyone have any thoughts around password rotation of the LDAP Account Unit service accounts in a way that minimizes impact to an Identity Collector setup?  I'm guessing anyone that logs in during the password change process will not get any group information tied to their authentications, and policy will not work well with them.

Even worse, would be what happened here...

Any ideas to minimize the impact, other than setting the password to never expire?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-04 09:41 PM
In response to phlrnnr

This gets into the whole "should we change passwords at all" debate.
Assuming the password is complex and long enough, I would personally say...no.
I assume the "safest" way to change the password would be to do it during an outage window.
0 Kudos
phlrnnr
Advisor
‎2019-10-07 07:06 AM
In response to PhoneBoy

While I understand where you are coming from, and mostly agree in this instance, we live in a world where Security policy often requires fairly frequent password rotations of service accounts.  Therefore, anything Checkpoint can do to minimize the impact of those rotations would be helpful.

I can avoid an outage on the Identity Collector side by using 2 IDC servers and 2 different accounts that rotate separately.  However, the LDAP account unit is the bigger pain point as changing it will cause an outage for some users.  Anything Checkpoint can do to eliminate that would be helpful.

As to your suggestion to do it safely in an "outage window" the whole point of having redundancy in clusters, multiple identity collector servers, etc is to avoid an outage completely.  Now I have to try to sell to management an outage every X number of months based on the Security policy currently in effect.  That is a tough sell to a 24x7 operation.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-07 11:09 AM
In response to phlrnnr

The LDAP lookup actually happens on the gateway to change passwords.
To change that requires a Security Policy push, which may create its own service impact.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events