Sergio is partially correct. In NGx, while it is true that you can only create
a single admin user from the CLI (cpconfig), Checkpoint has an SK that is
documented to allow you to create multiple admin users from the CLI. I can't
think of it at the moment. Basically, you use dbedit or gui-dbedit to edit a
parameter "managed_administrator" or something like that and set it to "false"
I think. After that, it will allow you to create multiple users from the CLI.
I've raised this issue with CP not so long ago because if you have a
standalone CLM and this CLM does not integrate with Provider-1 and CP gave me
this tip. Unfortunately, it does not work very well in my environment because
I have Provider-1. But it is definitely doable if I am not mistaken.
Sergio Alvarez <seralvar AT GMAIL DOT COM> wrote:
Critics used to bang Check Point with the fact that anybody with physical
access to the SmartCenter server could do whatever they wanted to the
administrator users of the firewall and considered this a major
vulnerability, therefore starting from NGX, you create a single admin user
from the CLI (cpconfig) and all the rest of administrators and their
permissions are created in the Administrators section of the Users tab on
the GUI.
So you are right.
Consider it a security improvement.
Regards
On 1/25/07, Crist Clark wrote:
>
> We need to change passwords of administrators defined using
> the 'cpconfig' command line interface. In R55, when given
> the choice, you ask to add a new administrator, but choose
> the name of an existing one. You then can change the password
> and other characteristics.
>
> In R60, the only option given by cpconfig is to delete
> administrators. Are they hinting to us that this method of
> maintaining administrators is no longer supported? Do I
> need to move all administrators into the GUI administration
> to change passwords? Anyone have pointers to Check Point
> docs about this?
> --
>
> Crist J. Clark crist.clark AT globalstar DOT com
> Globalstar Communications (408) 933-4387
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
--
Sergio Alvarez
(506)8301342