Identity Collector - Service Account Exclusion

Overview

About Service Accounts

A Service Account is a user account that provides a security context for services that run on Windows Server operating systems. The security context determines which local and network resources a service can use.

Identity Collector gets information for usernames and for device Service Accounts. Identity Collector is a dedicated Check Point client agent installed on Windows Servers in your network; it collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement (for more information, see sk108235; the Identity Collector package is available from sk134312).

The Identity Collector Service Account Exclusion feature automatically detects Service Accounts to conserve resources and lessen user management overhead on an Identity Awareness Gateway (Identity Awareness, acronym IDA, is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer).

Example

When the Identity Collector identifies a login event, it creates a new entry in a <key>:<value> pair format.

For example: user_1:192.168.1.10

The process counts each time it identifies a login event for the same <key>:<value> pair. When the number of simultaneous logins exceeds a pre-configured threshold value, the account is defined as a Service Account. The same account (username) can have more than one associated IP address.

If Service Account Exclusion is configured, the session is revoked and the account is removed from the database on the Identity Awareness Gateway. All the information for this account is deleted.

Availability

The feature is available starting from these Security Gateway versions:

Version   Availability
R81.20    Check Point R81.20
R81.10    R81.10 Jumbo Hotfix Accumulator - from Take 14
R81       R81 Jumbo Hotfix Accumulator - from Take 51
R80.40    R80.40 Jumbo Hotfix Accumulator - from Take 131

Important - In Security Gateway versions for which the feature is available, it is enabled by default.

Terms

Term

Description

Detect Mode

The process detects Service Accounts and does not revoke sessions. The process shows the list of detected Service Accounts.

Prevent Mode (Auto-Exclude Mode)

Identity Collector detects Service Accounts, revokes the account's current sessions, and blocks any future sessions.

Detection Interval

The time interval during which Identity Collector counts the number of logins to identify the account as a Service Account.

Exception

Identity Collector treats accounts on the exception list as regular accounts, and does not revoke future sessions from these accounts. When Prevent Mode (Auto Exclude) is enabled, the administrator can add Service Accounts to the exception list.

Threshold

The minimum number of simultaneous logins for the same account during the Detection Interval that identifies it as a Service Account.

Example:

The Detection Interval is 5 minutes and the threshold is 100 simultaneous logins.

If there are 100 or more simultaneous logins during this interval, Identity Collector treats the account as a Service Account.

Database

Identity Awareness Gateway saves the session identifier and username associated with an identified Service Account in the $FWDIR/conf/idc_servacc.db file. The information loads from the file after a policy installation or reboot.
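The following is an added example, not Check Point's code, that models the counting described in the Example section and the Threshold, Detection Interval, Exception and Prevent Mode terms above (5-minute interval, threshold of 100 simultaneous logins). It also applies the UPN to SAMAccountName mapping noted under Limitations; the class, function names and sample accounts are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sam_account_name(login_name):
    """Record a UPN login (user_1@domain.com) under its SAMAccountName (user_1)."""
    return login_name.split("@", 1)[0].lower()

class ServiceAccountDetector:
    # Hypothetical model of the page's login counter, not Check Point's implementation.
    def __init__(self, threshold=100, interval=timedelta(minutes=5),
                 prevent_mode=True, exceptions=()):
        self.threshold = threshold          # minimum simultaneous logins per account
        self.interval = interval            # Detection Interval (sliding window)
        self.prevent_mode = prevent_mode    # True: Prevent (Auto-Exclude); False: Detect
        self.exceptions = {sam_account_name(e) for e in exceptions}
        self._logins = defaultdict(deque)   # account -> (timestamp, ip) pairs in the window
        self.detected = {}                  # account -> IPs seen when it crossed the threshold
        self.blocked = set()                # accounts whose future sessions are refused

    def on_login(self, login_name, ip, when):
        """Return 'allow', 'detect' or 'revoke' for one <user>:<ip> login event."""
        account = sam_account_name(login_name)
        if account in self.blocked:
            return "revoke"                 # Prevent Mode blocks any future session
        window = self._logins[account]
        window.append((when, ip))
        while when - window[0][0] > self.interval:
            window.popleft()                # forget logins outside the Detection Interval
        if len(window) < self.threshold or account in self.exceptions:
            return "allow"                  # regular account, or on the exception list
        self.detected[account] = {addr for _, addr in window}
        if not self.prevent_mode:
            return "detect"                 # Detect Mode only lists the account
        self.blocked.add(account)
        del self._logins[account]           # all information for the account is deleted
        return "revoke"

def demo():
    """Constructed sample: 5-minute interval, threshold 100, svc_monitor on the exception list."""
    det = ServiceAccountDetector(threshold=100, exceptions=["svc_monitor"])
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    backup = [det.on_login("svc_backup@corp.example", f"10.0.0.{i}",
                           t0 + timedelta(seconds=i)) for i in range(101)]
    regular = det.on_login("user_1", "192.168.1.10", t0)
    monitor = [det.on_login("svc_monitor", f"10.0.1.{i}",
                            t0 + timedelta(seconds=i)) for i in range(150)]
    return backup, regular, monitor, sorted(det.detected)
```

In the constructed run, the 100th login of svc_backup within the interval is revoked and every later one is refused, while svc_monitor stays a regular account because it is on the exception list.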

Configuration on Identity Awareness Gateway

The administrator can exclude the applicable information from the Identity Awareness process (Policy Decision Point, PDP: the Check Point Identity Awareness Security Gateway that acquires identities from identity sources and shares them with other gateways) and its memory to conserve the gateway resources.

See the table below for a description of the relevant parameters. For more information, see the CLI Reference Guide for your Security Gateway version > "pdp idc" section > "service_accounts <options>":

Parameter

Description

Mode

By default, the Prevent Mode (Auto-Exclude) is enabled. When Prevent Mode is enabled, Detect Mode is disabled. When you disable Prevent Mode, Detect Mode is enabled.

Note - When you change from Detect Mode to Prevent Mode, the PDP revokes all sessions that are marked as a Service Account.

Threshold

Configure the number of simultaneous logins after which the PDP detects usernames as Service Accounts.

Detection Interval

Configure the length of the interval.

Note - A change in the interval length also affects the detection interval for the Identity Agent for a Terminal Server feature (Identity Agent is the dedicated Check Point client agent installed on Windows-based user endpoint computers; it acquires and reports identities to the Check Point Identity Awareness Security Gateway, is configured by the administrator rather than the end users, and comes in two types, Full and Light, available from the Captive Portal at 'https://<Gateway_IP_Address>/connect' or from sk134312). For more information about this feature, see Identity Agent for a Terminal Server.

Limitations

  • In a Cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) and in Scalable Platforms, the Cluster Members and Security Group Members do not synchronize the information about Service Accounts.

    • In ClusterXL High Availability mode, detection and exclusion restart after a cluster fail-over.

    • In ClusterXL Load Sharing mode and Scalable Platforms, each Cluster Member and Security Group Member detects its own Service Accounts.

      As a workaround, we recommend that you add a filter in the Identity Collector with the known Service Accounts. See Identity Collector - Filters for Login Events.

  • If a Service Account entry already exists in the exception list, this is the only command that removes it from the exception list:

    pdp idc service_accounts delete_exception <username_1> <username_2> ... <username_N>

    After the account's session times out, the PDP removes the account from the exception list.

  • An Identity Collector that identifies login events with User Principal Name (UPN) (example: user_1@domain.com) records the account with the SAMAccountName property (example: user_1).

Troubleshooting