Managing User Accounts

A user account is an object that represents a user that generates traffic in a Check Point environment. The Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. administrators create, manage and monitor user accounts. The Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. lets you control access privileges for authenticated users. The administrator uses the Security Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. to restrict or give users access to specified resources. Users are unaware of the groups to which they belong. Limitation of access to sensitive information and resources only to authorized users ensures the security of the organization's network and data.

Users authenticate to Security Gateways. Check Point supports different Authentication Methods for users.

All users are configured directly in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. (in contrast to users configured on external servers, such as Active Directory), and are stored on the Management Server in the management database.

When an administrator installs a policy, the Management Server copies the applicable user data to the managed Security Gateway.

When an administrator installs a database (Menu > Install Database), the Management Server copies the applicable user data to the managed servers (for example, the Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs.).

Creating a User Account

When you create a user account through SmartConsole, you can select one of these authentication methods:

Authentication Method

Description

Check Point Password

Check Point password is a static password that is configured in SmartConsole.The local database on the Security Gateway stores the password. No additional software is required.

See Creating a User Account with Check Point Password Authentication.

OS Password

OS Password is stored on the operating system of the computer on which the Security Gateway is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.

See Creating a User Account with OS Password Authentication

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.

With RADIUS, the Security Gateway lets you control access privileges for authenticated RADIUS users, based on the administrator's assignment of users to RADIUS groups. These groups are used in the Security RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base to restrict or give users access to specified resources. Users are unaware of the groups to which they belong.

The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, does the authentication.

The RADIUS protocol uses UDP to communicate with the Security Gateway.

To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the RADIUS server. This attribute is returned to the Security Gateway and contains the group name (for example, RAD_<group to which the RADIUS users belong>) to which the users belong.

For the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.operating system, use the attribute "Vendor-Specific" (26) - refer to RFC 2865.

See Creating a User Account with RADIUS Server Authentication.

TACACS

Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.

TACACS is an external authentication method that provides verification services. With TACACS, the forwards authentication requests by remote users to the TACACS server. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards and KerberosClosed An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to make sure communication is secure.

SeeCreating a User Account with TACACS Server Authentication

SecurID

SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the AM.

The Security Gateway forwards authentication requests by remote users to the AM. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway acts as an AM agent and directs all access requests to the AM for authentication. For more information on agent configuration, refer to RSA Authentication Manager documentation. There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API.

See .Creating a User Account with SecurID Authentication

Important - If you do not select an authentication method, the user cannot log in or use network resources.

After you configure authentication with one of the Check Point authentication methods, you can, in addition, create a certificate file for the user. The user can authenticate to the Security Gateway with one of the Check Point authentication methods or with a certificate file.

You create the certificate file in SmartConsole, and the user can log in to the Security Gateway with the certificate file in two ways:

  • Log in to Security Gateway with the Certificate File option. The user must provide the password to use the certificate file.

  • You can import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The user can use this stored certificate to log in to the Security Gateway with the CAPI Certificate option. The user does not need to provide a password to log in.

Changing an Existing User

  1. In the Object Explorer, click User/Identity > Users.

  2. Double-click a user.

    The User window opens.

  3. Change the properties as necessary.

  4. Click OK.

Deleting a User

  1. n the Object Explorer, click User/Identity > Users.

  2. Right-click the account and select Delete.

    The confirmation window opens.

  3. Click Yes.

Managing User Groups

User groups are collections of user accounts. Add the user group to the Source or Destination of a rule. You cannot add individual users to a rule.

You can also edit user groups, and delete user groups that are not used in the Rule Base.

  1. In the Object Explorer (F11), click New > More > User/Identity > User Group.

    The New User Group window opens.

  2. Enter a name for the new group.

  3. For each user or a group of users, click the [+] sign and select the object from the list.

  4. Configure the optional settings:

    • Mailing List Address

    • Comment

    • Tag

    • Color

  5. Click OK.

  1. In the Object Explorer (F11), select Object Categories > Users/Identities > User Groups

  2. Right-click the user group and click Edit.

    The User Group window opens.

  3. Click +

  4. Select users or user groups.

  5. Click OK.

Configuring Default Expiration Settings for Users

If a user account is about to expire, notifications show when you open the properties of the user in SmartConsole.

  1. From the main Menu, select Global Properties.

    The Global Properties window opens.

  2. Click User Accounts.

  3. Select Expire at or Expire after.

    • Expire at - Select the expiration date from the calendar control.

    • Expire after - Enter the number of days (from the day the account is made) before user accounts expire.

  4. Select Show accounts expiration indication, and enter the number of days.

    Expiration warnings in the SmartConsole user object show this number of days before an account expires. During this time, if the user account is to be active for longer, you can edit the user account expiration configuration. This prevents loss of working time.