Credential Auditor is a built-in security feature that helps organizations reduce credential-based risks. It validates user passwords against industry-recognized lists of compromised credentials and provides actionable insights for administrators.
Key Capabilities
Automated Credential Checks: Compares user passwords against known compromised credential databases.
Risk Identification: Flags accounts with exposed or weak credentials for immediate attention.
Administrative Actions: Enables administrators to enforce security measures, such as issuing warnings to affected users and requiring password changes.
Key Features
Provides proactive protection against leaked credentials, securing both local and externally authenticated accounts.
Improves password hygiene across the network.
Reduces the risk of credential-based attacks.
Simplifies compliance with security best practices.
Applies To
GEN 7 Firewalls with Firmware 7.3.1 and above.
Note: NSM 3.3 supports management of devices running SonicOS 7.3.1. Credential Auditor support is planned for NSM 3.4, scheduled for release in December.
Workaround: Log in to the local UI to configure the Credential Auditor feature.
Configuring Credential Auditor
The Credential Auditor feature is disabled by default and must be manually enabled through the appliance interface.
Functionality When Enabled
Validates user passwords against known compromised credential databases during authentication.
If a compromised password is detected, the default action is to allow the password but issue a warning to the admin in the system logs.
Performs periodic credential checks once per day to proactively identify compromised credentials.
Up2Date Server Interaction
The firewall periodically contacts SonicWall Up2Date servers to check for updated compromised credential files.
Default Interval: Once every 24 hours. Administrators can change the interval for periodic checks and enforce stricter actions.
To configure the Credential Auditor:
1. Navigate to Device | Users | Settings | Credential Auditor.
2. Turn on the Enable Credential Auditor toggle button.
3. In the Periodic Checking section, set the Periodic Check Frequency.
You can set the periodic check frequency in minutes, hours, or days. For example, if you set the periodic check frequency as 5 minutes, the system checks for compromised passwords every 5 minutes.
NOTE: During periodic checks, if a compromised password is detected, the access to the appliance is restricted for local users and the built-in administrator. This restriction applies to web login, VPN client login, and CLI access via SSH. However, it does not block administrator access through the console port, nor does it block users who are authenticated via Single Sign-On (SSO).
4. To restrict access to the appliance when a compromised password is detected during periodic checks, select an action from the drop-down menus.
For local users and for the built-in Admin, select one of the following actions from the drop-down menu:
Block remote access: The user is only allowed to log in from the trusted locations. A user can restore remote access by resetting their password, but only if they can access the appliance from within the LAN network. Otherwise, the user must contact a firewall administrator.
NOTE: The trusted locations include the LAN zone, the MGMT zone, any other zones with security type 'Trusted', and remote locations connected through a site-to-site VPN tunnel, including GMS.
Block remote access except GMS/NSM: The user is not allowed to log in from any location except GMS/NSM. To restore remote access, the user must contact a firewall administrator.
Block all but console access: The user is not allowed to log in from any location; only administrators on the console port can still log in. To restore remote access, the user must contact a firewall administrator.
Block all but console and GMS/NSM: The user is not allowed to log in from any location except the console port (administrators) and GMS/NSM. To restore remote access, the user must contact a firewall administrator.
For an LDAP bind password, select one of the following actions from the drop-down menu:
Only issue a warning: The Admin is notified about the compromised password in the system logs, and no change is enforced.
Disable LDAP Server: All LDAP servers bound to the compromised account are disabled.
5. In the Setting New Passwords section, to restrict the use of compromised passwords while setting new passwords, turn on the toggle button.
For local users
For the built-in Admin
For an LDAP bind password
6. In the During Login section, to block externally authenticated users from signing in with a compromised password, turn on the Block login of externally authenticated users with a compromised password toggle button.
NOTE: This setting applies only to externally authenticated users such as those authenticated via RADIUS, LDAP, and so on. To block a local user from signing in with a compromised password, you must enable periodic checking and select an action from the drop-down.
7. Click Accept to save the settings.
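To make the three enforcement points described above concrete (the periodic check with its per-account-type actions, the new-password restriction, and the login-time block for externally authenticated users), here is an added Python model of the policy. It is illustrative code written for this article, not SonicOS code, and it does not describe how the firewall stores or compares credentials internally. The SHA-1 keying of the compromised list, the field names in AuditorConfig, and the sample accounts are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha1_hex(password: str) -> str:
    """Key a password the way many published compromised-credential lists are keyed.
    That the firewall's downloaded file uses SHA-1 is an assumption, not stated on the page."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the compromised-credential file fetched from Up2Date servers.
COMPROMISED_SHA1 = {sha1_hex(p) for p in ("password", "123456", "qwerty")}


def is_compromised(password: str, blocklist: set[str] = COMPROMISED_SHA1) -> bool:
    """Compare only the hash; the plaintext never touches the list."""
    return sha1_hex(password) in blocklist


@dataclass
class Account:
    name: str
    kind: str       # "local", "admin" (built-in), "ldap_bind", "external" (RADIUS/LDAP user) or "sso"
    password: str   # plaintext only because this is a constructed demo


LOCAL_ACTIONS = {
    "warn",                              # page default: allow, warn in system logs
    "block_remote",                      # Block remote access
    "block_remote_except_gms_nsm",       # Block remote access except GMS/NSM
    "block_all_but_console",             # Block all but console access
    "block_all_but_console_and_gms_nsm", # Block all but console and GMS/NSM
}
LDAP_ACTIONS = {"warn", "disable_ldap_server"}  # Only issue a warning / Disable LDAP Server


@dataclass
class AuditorConfig:
    """Mirrors the toggles in Device | Users | Settings | Credential Auditor (names are assumptions)."""
    enabled: bool = False                 # feature is disabled by default
    local_action: str = "warn"            # periodic-check action for local users and built-in Admin
    ldap_action: str = "warn"             # periodic-check action for the LDAP bind password
    reject_new_compromised: dict[str, bool] = field(
        default_factory=lambda: {"local": False, "admin": False, "ldap_bind": False}
    )
    block_external_login: bool = False    # "Block login of externally authenticated users ..."

    def __post_init__(self) -> None:
        if self.local_action not in LOCAL_ACTIONS:
            raise ValueError(f"unknown local action {self.local_action!r}")
        if self.ldap_action not in LDAP_ACTIONS:
            raise ValueError(f"unknown LDAP action {self.ldap_action!r}")


def check_login(account: Account, cfg: AuditorConfig) -> str:
    """Login-time decision: external users can be blocked by the toggle; everyone else is
    allowed with a warning, which matches the page's stated default behaviour."""
    if not cfg.enabled or not is_compromised(account.password):
        return "allow"
    if account.kind == "external" and cfg.block_external_login:
        return "block"
    return "allow_with_warning"


def check_new_password(account: Account, new_password: str, cfg: AuditorConfig) -> str:
    """'Setting New Passwords' toggles: reject a compromised value for the enabled account types."""
    if cfg.enabled and is_compromised(new_password) and cfg.reject_new_compromised.get(account.kind, False):
        return "reject"
    return "accept"


def periodic_check(accounts: list[Account], cfg: AuditorConfig) -> list[tuple[str, str]]:
    """Daily (or more frequent) sweep. Returns (account, action) for each compromised credential.
    Externally authenticated and SSO users are not affected by periodic checks, per the page notes."""
    findings: list[tuple[str, str]] = []
    if not cfg.enabled:
        return findings
    for acct in accounts:
        if acct.kind not in ("local", "admin", "ldap_bind"):
            continue
        if not is_compromised(acct.password):
            continue
        action = cfg.local_action if acct.kind in ("local", "admin") else cfg.ldap_action
        findings.append((acct.name, action))
    return findings


if __name__ == "__main__":
    cfg = AuditorConfig(enabled=True, local_action="block_remote", block_external_login=True)
    sample = [  # constructed accounts
        Account("alice", "local", "password"),
        Account("admin", "admin", "Long-Unique-Passphrase-77"),
        Account("svc-ldap", "ldap_bind", "qwerty"),
        Account("bob", "external", "123456"),
        Account("carol", "sso", "password"),
    ]
    for name, action in periodic_check(sample, cfg):
        print(f"periodic check: {name} -> {action}")
    print("bob login:", check_login(sample[3], cfg))
```

The point the model makes visible is that the periodic sweep and the login-time check are separate controls with separate scopes: turning on only the login toggle leaves local accounts unaffected, and turning on only periodic checking leaves externally authenticated users unaffected, exactly as the NOTE under step 6 says.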