Creating and Changing an Administrator Account
To successfully manage security for a large network, we recommend that you first set up your administrative team, and delegate tasks.
We recommend that you create administrator accounts in SmartConsole, with the procedure below or with the First Time Configuration Wizard.
If you create an administrator account in SmartConsole, you can choose one of these authentication methods:
- Check Point Password
  Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Management Server. For users, it is stored in the local database on the Security Gateway. No additional software is required.
- OS Password
  OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or the Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
- RADIUS
  Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
  Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.
  The RADIUS protocol uses UDP to communicate with the Security Gateway or the Security Management Server.
  RADIUS servers and RADIUS server group objects are defined in SmartConsole.
- SecurID
  SecurID requires users both to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the Authentication Manager.
  Using SecurID, the Security Gateway forwards authentication requests by remote users to the Authentication Manager. For administrators, it is the Security Management Server that forwards the requests. The Authentication Manager manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway or the Security Management Server acts as an Authentication Manager agent and directs all access requests to the RSA Authentication Manager for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation.
  There are no specific parameters required for the SecurID authentication method.
- TACACS
  Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
  TACACS is an external authentication method that provides verification services. Using TACACS, the Security Gateway forwards authentication requests by remote users to the TACACS server. For administrators, it is the Security Management Server that forwards the requests. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards, and Kerberos secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to ensure secure communication.
If you create an administrator through mdsconfig, the Check Point configuration tool, the Check Point Password authentication method is configured automatically.
To create an administrator account using SmartConsole:
- Click Manage & Settings > Permissions & Administrators.
  The Administrators pane shows by default.
- Click New Administrator.
  The New Administrators window opens.
- Enter a unique name for the administrator account.
  Note - This parameter is case-sensitive.
- Set the Authentication Method, or create a certificate, or both.
  Note - If you do not do this, the administrator will not be able to log in to SmartConsole.
  To define an Authentication Method:
  In the Authentication Method section, select a method and follow the instructions in Configuring Authentication Methods for Administrators.
  To create a Certificate - If you want to use a certificate to log in:
  In the Certificate Information section, click Create, and follow the instructions in Creating a Certificate for Logging in to SmartConsole.
- Select a Permissions profile for this administrator, or create a new one.
- Set the account Expiration date:
  - For a permanent administrator - select Never
  - For a temporary administrator - select an Expire At date from the calendar
  The default expiration date is shown, as defined in the Default Expiration Settings. After the expiration date, the account is no longer authorized to access network resources and applications.
- Optional: Configure Additional Info - Contact Details, Email and Phone Number of the administrator.
- Click OK.
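As an added example (not Check Point's own code or API), here is a small audit over an exported list of administrator accounts that checks the conditions the procedure above sets: an account with neither an authentication method nor a certificate cannot log in to SmartConsole, an account past its Expire At date is no longer authorized, and names are case-sensitive. The record field names and the sample data are constructed for illustration and do not correspond to a Check Point export format.

```python
from datetime import date

# Constructed sample records; the field names are an assumption for this
# example, not a Check Point export format. expire_at of None means "Never".
ADMINS = [
    {"name": "alice", "auth_method": "RADIUS", "certificate": False,
     "expire_at": None},                       # permanent, external auth
    {"name": "Bob", "auth_method": None, "certificate": False,
     "expire_at": None},                       # cannot log in at all
    {"name": "bob", "auth_method": "Check Point Password", "certificate": True,
     "expire_at": "2024-01-31"},               # temporary, already expired
    {"name": "carol", "auth_method": None, "certificate": True,
     "expire_at": "2030-06-30"},               # certificate-only login, valid
]


def is_expired(record, today):
    """Never (None) does not expire; otherwise compare the calendar date."""
    if record["expire_at"] is None:
        return False
    return date.fromisoformat(record["expire_at"]) < today


def audit(records, today_iso=None):
    """Return {name: [findings]} for every record that needs attention."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    findings = {}
    names_seen = {}   # lower-cased name -> first spelling encountered
    for rec in records:
        issues = []
        # Without a method or a certificate the administrator cannot log in.
        if rec["auth_method"] is None and not rec["certificate"]:
            issues.append("no authentication method and no certificate")
        if is_expired(rec, today):
            issues.append("account expired on " + rec["expire_at"])
        # Names are case-sensitive, so 'Bob' and 'bob' are distinct accounts;
        # flag the near-duplicate for manual review.
        key = rec["name"].lower()
        if key in names_seen and names_seen[key] != rec["name"]:
            issues.append("name differs only by case from " + names_seen[key])
        names_seen.setdefault(key, rec["name"])
        if issues:
            findings[rec["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ADMINS, "2025-01-01").items():
        print(name, "->", "; ".join(issues))
```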
To change an existing administrator account:
- Click Manage & Settings > Permissions & Administrators.
- Double-click an administrator account.
  The Administrators properties window opens.