Identity Collector Service Account Exclusion
Overview
About Service Accounts
A Service Account is a user account that provides a security context for services that run on Windows Server operating systems. In Microsoft® Active Directory, it is a user account created explicitly for this purpose. The security context determines which local and network resources a service can use.
Identity Collector is a dedicated Check Point client agent installed on Windows Servers in your network. It collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways or to the Infinity Identity solution for identity enforcement (the Identity Collector package is available from the Support Center). Identity Collector receives login information both for user accounts and for device Service Accounts.
The Identity Collector Service Account Exclusion feature automatically detects Service Accounts to conserve resources and reduce user-management overhead on an Identity Awareness Gateway (a Security Gateway with the Identity Awareness Software Blade, acronym IDA, which enforces network access and audits data based on network location, the identity of the user, and the identity of the computer).
Example
When the Identity Collector identifies a login event, it creates a new entry in a <key>:<value> pair format, where the key is the username and the value is the IP address.
For example: user_1:192.168.1.10
The process counts each login event it identifies for the same account (the same key). The same account (username) can have more than one associated IP address. When the number of simultaneous logins for the account reaches the pre-configured threshold value during the Detection Interval, the account is classified as a Service Account.
If Service Account Exclusion is configured in Prevent Mode (Auto-Exclude), the account's sessions are revoked and the account is removed from the identity database on the Identity Awareness Gateway. All the identity information for this account is deleted.
Important - This feature is enabled by default.
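The counting and classification described above, as an added example that is not Check Point code and not part of this page: a POSIX shell stand-in for the PDP logic that reads constructed <username>:<IP> login events, counts the distinct IP addresses per account, and applies the threshold, the mode (Detect or Prevent) and the exception list. The function names, the input format and the sample events are assumptions of this example; all events are taken to fall inside one Detection Interval, and on a real gateway this runs inside the PDP, not in a shell.

```shell
# Added example, not Check Point code: a stand-in for the PDP counting logic
# described above. It reads <username>:<IP> login events (one per line) and
# classifies an account as a Service Account when the number of distinct IP
# addresses seen for it reaches the threshold. The threshold semantics (reach,
# not exceed), the two modes and the exception list follow the page; the
# function names, the input format and the sample data are assumptions here.
# All events on stdin are taken to fall inside one Detection Interval.

# Constructed sample events in the <key>:<value> form the page describes.
SAMPLE_EVENTS='svc_backup:192.168.1.10
user_1:192.168.1.10
svc_backup:192.168.1.11
svc_backup:192.168.1.12
svc_backup:192.168.1.11
user_1:192.168.1.20
svc_backup:192.168.1.13
svc_monitor:10.0.0.5
svc_monitor:10.0.0.6
svc_monitor:10.0.0.7
svc_monitor:10.0.0.8'

# Accounts an administrator put on the exception list (constructed).
EXCEPTIONS='svc_monitor'

# count_sessions: stdin = user:ip lines; stdout = "user count", sorted by user.
# A repeated user:ip pair is the same session, so it is counted once.
count_sessions() {
    sort -u | awk -F: '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# classify THRESHOLD MODE EXCEPTIONS
#   MODE is "detect" (list only) or "prevent" (revoke sessions).
#   Prints "user sessions action" for every account that reaches THRESHOLD;
#   action is "listed", "revoked" or "excepted" (on the exception list, so the
#   account is treated as a regular account and nothing is revoked).
classify() {
    threshold=$1
    mode=$2
    exceptions=$3
    count_sessions | while read -r user count; do
        [ "$count" -ge "$threshold" ] || continue
        action=listed
        case " $exceptions " in
            *" $user "*) action=excepted ;;
        esac
        if [ "$action" = listed ] && [ "$mode" = prevent ]; then
            action=revoked
        fi
        echo "$user $count $action"
    done
}

# Usage: printf '%s\n' "$SAMPLE_EVENTS" | classify 4 prevent "$EXCEPTIONS"
```

With a threshold of 4, svc_backup (four distinct IP addresses, one of them repeated) is revoked in Prevent Mode and only listed in Detect Mode, svc_monitor is left alone because it is on the exception list, and user_1 with two sessions is never touched; raising the threshold to 5 flags nothing, which mirrors the "5 sessions, threshold 6" case in the troubleshooting section.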
Terms
Term | Description
---|---
Detect Mode | The process detects Service Accounts but does not revoke sessions. It shows the list of detected Service Accounts.
Prevent Mode (Auto-Exclude Mode) | Identity Collector detects Service Accounts, revokes the account's current sessions, and blocks any future sessions.
Detection Interval | The time interval during which Identity Collector counts the number of logins to identify the account as a Service Account.
Exception | Identity Collector treats accounts on the exception list as regular accounts and does not revoke future sessions from these accounts. When Prevent Mode (Auto-Exclude) is enabled, the administrator can add Service Accounts to the exception list.
Threshold | The minimum number of simultaneous logins for the same account during the Detection Interval that identifies it as a Service Account. Example: the Detection Interval is 5 minutes and the threshold is 100 simultaneous logins. If there are 100 or more simultaneous logins during this interval, Identity Collector treats the account as a Service Account.
Service Account Database
The Identity Awareness Gateway saves the session identifier and username associated with each identified Service Account in the $FWDIR/conf/idc_servacc.db file. The Service Account information is loaded from this file after a policy installation or a reboot.
Configuration on Identity Awareness Gateway
The administrator can exclude the applicable Service Account information from the Identity Awareness process (the Policy Decision Point, PDP: the Identity Awareness Security Gateway that acquires identities from identity sources and shares them with other gateways) and from its memory, to conserve gateway resources.
Parameter | Description
---|---
Mode | By default, Prevent Mode (Auto-Exclude) is enabled. When Prevent Mode is enabled, Detect Mode is disabled. When you disable Prevent Mode, Detect Mode is enabled. See pdp idc.
Threshold | Configure the number of simultaneous logins at which the PDP classifies an account as a Service Account. See pdp idc.
Detection Interval | Configure the length of the interval. The default is 3600 seconds. See the procedure below.
- Connect to the command line on the Identity Awareness Security Gateway (the dedicated Check Point server that inspects traffic and enforces the Security Policy for connected network resources), or on each Cluster Member (each Security Gateway that is part of the cluster).
- Log in to the Expert mode.
- Back up the current $FWDIR/conf/pdp_overriding_attrs.C file, if it exists:
cp -v $FWDIR/conf/pdp_overriding_attrs.C{,_BKP}
- Edit the current $FWDIR/conf/pdp_overriding_attrs.C file:
vi $FWDIR/conf/pdp_overriding_attrs.C
- Configure the applicable value for the idc_muh_serviceaccount_interval attribute:
(
    :idc_muh_serviceaccount_interval (NUMBER OF SECONDS)
)
Default Value: 3600 seconds
Accepted Values: 1 to 86400 seconds
- Save the changes in the file and exit the editor.
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), install the Access Control policy.
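The procedure above, scripted as an added example that is not Check Point code and not part of this page, so that it can be repeated identically on every Cluster Member (the limitations below note that members do not synchronize Service Account information). It validates the value against the accepted range, takes the same backup as the manual step, and writes the attribute. The "( :attr (value) )" layout is the one shown above; how a file that already holds other attributes is edited (GNU sed, with the closing parenthesis on the last line), and the function names, are assumptions of this example. Installing the Access Control policy afterwards remains a separate step.

```shell
# Added example, not Check Point code: scripts the manual procedure above.
# Validates the value (accepted range 1 to 86400 seconds; default 3600),
# backs up the file as the manual step does, and writes the attribute.
# Assumptions of this example: GNU sed (as on Gaia), and an existing file
# whose last line is the closing parenthesis of the outer block.

ATTR=idc_muh_serviceaccount_interval

# set_idc_interval FILE SECONDS -> 0 on success, 1 on an invalid value
set_idc_interval() {
    file=$1
    seconds=$2
    case $seconds in
        ''|*[!0-9]*) echo "interval must be an integer number of seconds" >&2; return 1 ;;
    esac
    if [ "$seconds" -lt 1 ] || [ "$seconds" -gt 86400 ]; then
        echo "interval must be between 1 and 86400 seconds" >&2; return 1
    fi
    if [ -f "$file" ]; then
        cp -v "$file" "${file}_BKP"                   # same backup as the manual step
        if grep -q ":$ATTR (" "$file"; then
            # attribute already present: update its value in place
            sed -i "s/:$ATTR ([0-9]*)/:$ATTR ($seconds)/" "$file"
        else
            # other attributes present: add ours before the final ")"
            sed -i "\$s/^)/\t:$ATTR ($seconds)\n)/" "$file"
        fi
    else
        # no overriding-attributes file yet: create it in the layout shown above
        printf '(\n\t:%s (%s)\n)\n' "$ATTR" "$seconds" > "$file"
    fi
}

# get_idc_interval FILE -> prints the configured value, or nothing if unset
get_idc_interval() {
    sed -n "s/.*:$ATTR (\([0-9]*\)).*/\1/p" "$1"
}

# Usage in Expert mode on each gateway, then install the Access Control policy:
#   set_idc_interval "$FWDIR/conf/pdp_overriding_attrs.C" 7200
```

Running the function twice leaves one attribute line (the second call rewrites the value instead of appending a duplicate), and the _BKP copy always holds the previous file, so a bad change can be reverted with the same cp as in the manual procedure.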
Limitations
- In a Cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing) and in Scalable Platforms, the Cluster Members and Security Group Members do not synchronize the information about Service Accounts.
- In ClusterXL High Availability mode, Service Account detection and exclusion restarts after a cluster fail-over.
- In ClusterXL Load Sharing mode and in Scalable Platforms, each Cluster Member and Security Group Member detects its own Service Accounts.
As a workaround, we recommend that you add a filter in the Identity Collector with the known Service Accounts. See .
- If a Service Account entry already exists in the exception list, this is the only command that removes it from the exception list (see pdp idc > "service_accounts <options>"):
pdp idc service_accounts delete_exception <username_1> <username_2> ... <username_N>
After the account's session times out, the PDP removes the account from the exception list.
- An Identity Collector that identifies login events with a User Principal Name (UPN) (example: user_1@domain.com) records the account with the sAMAccountName property (example: user_1).
Troubleshooting
Step | Instructions
---|---
1 | Connect to the command line on the Identity Awareness Gateway.
2 | Log in to the Expert mode.
3 | Run:
Example Output:
Output Explanation: The account (user) auto_test_106 uses 5 different IP addresses (5 sessions). If you configure the threshold value to 6, the next login event matches the threshold value and marks the account as a Service Account.
Step | Instructions
---|---
1 | Connect to the command line on the Identity Awareness Gateway.
2 | Log in to the Expert mode.
3 | Configure the PDP debug options (see pdp debug):
4 | Start the PDP debug:
5 | Replicate the issue.
6 | Set the PDP debug options:
7 | Stop the PDP debug:
8 | Collect and examine the debug output files:
This excerpt from a debug shows a new login event record for the user account "johndoe":
An administrator configured the Prevent Mode (Auto-Exclude Mode). This excerpt from a debug shows that:
- The user account "johndoe" exceeds the configured Service Account threshold.
- The PDP increments the counter.
- The user account "johndoe" is a Service Account.
- The PDP revokes the current sessions for this user account.
An administrator configured the Detect Mode. This excerpt from a debug shows that the PDP records a user (account) login: