Identity Collector Service Account Exclusion

Overview

About Service Accounts

A is a user account that provides a security context for services that run on Windows Server operating systems. The security context determines which local and network resources a service can use.

Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways or Infinity Identity solution for identity enforcement, you can download the Identity Collector package from the Support Center. gets information for usernames and for device Service Accounts.

The Identity Collector Service Account Exclusion feature automatically detects Service Accounts to conserve resources and lessen user management overhead on an Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway.

Example

When the Identity Collector identifies a login event, it creates a new entry in a <key>:<value> pair format.

For example: user_1:192.168.1.10

The process counts each time it identifies a login event for the same <key>:<value pair. When the number of simultaneous logins exceeds a pre-configured threshold value, the account is defined as a . The same account (username) can have more than one associated IP address.

If Service Account Exclusion is configured, the session is revoked and the account is removed from the database on the Identity Awareness Gateway. All the information for this account is deleted.

Important - This feature is enabled by default.

Terms

Term

Description

Detect Mode

The process detects Service Accounts and does not revoke sessions. The process shows the list of detected Service Accounts.

Prevent Mode (Auto-Exclude Mode)

Identity Collector detects Service Accounts, revokes the account's current sessions, and blocks any future sessions.

Detection Interval

The time interval, during which Identity Collector counts the number of logins to identify the account as a . When Prevent Mode (Auto Exclude) is enabled, the administrator can add Service Accounts to the exception list.

Exception

Identity Collector treats accounts on the exception list as regular accounts, and does not revoke future sessions from these accounts. When Prevent Mode (Auto Exclude) is enabled, the administrator can add Service Accounts to the exception list.

Threshold

The minimum number of simultaneous logins for the same account during the Detection Interval that identifies it as a .

Example:

The Detection Interval is 5 minutes and the threshold is 100 simultaneous logins.

If there are 100 or more simultaneous logins during this interval, Identity Collector treats the account as a .

Database

Identity Awareness Gateway saves the session identifier and username c associated with an identified in the $FWDIR/conf/idc_servacc.db file. The information loads from the file after a policy installation or reboot.

Configuration on Identity Awareness Gateway

The administrator can exclude the applicable information from the Identity Awareness process (Policy Decision Point / PDPClosed Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.) and its memory to conserve the gateway resources.

Parameter

Description

Mode

By default, the Prevent Mode (Auto-Exclude) is enabled. When Prevent Mode is enabled, Detect Mode is disabled. When you disable Prevent Mode, Detect Mode is enabled.

Note - When you change from Detect Mode to Prevent Mode, the PDP revokes all sessions that are marked as a .

See pdp idc > "service_accounts <options>".

Threshold

Configure the number of simultaneous logins, after which the PDP detects all usernames as Service Accounts.

The default detection interval is 100 login events from the same account.

See pdp idc > "service_accounts <options>"

Detection Interval

Configure the length of the interval.

The default is 1 hour.

Note - A change in the interval length affects the detection interval for the Multi-User Host (MUH) feature. For more information, see Identity Awareness Clients Administration Guide.

Limitations

  • In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. and in Scalable Platforms, the Cluster Members and Security Group Members do not synchronize the information about Service Accounts.

    • In ClusterXL High Availability mode, detection and exclusion restarts after a cluster fail-over.

    • In ClusterXL Load Sharing mode and Scalable Platforms, each Cluster Member and Security Group Member detects its own Service Accounts.

      As a workaround, we recommend that you add a filter in the Identity Collector with the known Service Accounts. See .

  • If a entry already exists in the exception list, this is the only command that removes it from the exception list (see pdp idc > "service_accounts <options>"):

    pdp idc service_accounts delete_exception <username_1> <username_2> ... <username_N>

    After the account's session times out, the PDP removes the account from the exception list.

  • An Identity Collector that identifies login events with User Principal Name (UPN) (example: user_1@domain.com) records the account with the SAMAccountName property (example: user_1).

Troubleshooting