Username of Admin should be changeable
Currently, the WebAdmin Master-User is fixed as admin. It would be great if we had the possibility to change the username. This would be an improvement against brute-force attacks when the WebGUI is somehow published to the Internet.
This is being considered. The current intention is to add a superadmin role, making the default admin account just a member of that role.
This will allow you to create new superadmin accounts, capable of logging into the shell, adding ssh keys, and any other features limited currently to the named admin account.
Second, you will be able to disable or demote the named admin account.
Please implement this as soon as possible. It's part of our security audit. We may have to look elsewhere if we're not able to do this soon.
I strongly support the implementation of all of these features. As it's been 2 years now, it would be great to get an update as to where this is on the roadmap.
Parham Pour Khosravy commented
2FA for admin too please, a next-gen firewall needs 2FA guys 😉
Not being able to change the default user name is arguably a violation of PCI-DSS.
Saulius Baužinskas commented
It is hard to believe a security product does not have a rudimentary security feature like renaming the default admin user. AND, this user is not even listed in the general users list! We were ******* heads as to how to change this user after accidentally discovering it works.
@Sophos, what status is this feature request in? Please update.
I am really shocked that these do not seem to be possible currently with the XG. Please correct me if I'm wrong.
1. Super admin username cannot be changed
2. Super admin account cannot be disabled
3. 2FA cannot be enabled for the super admin account
4. Email alerts for admin logins cannot be created (I had this on my SG210 UTM)
Cameron Slade commented
I agree wholeheartedly. On every device we manage, we always change the default admin account name. This is a must have.
Martin Damgaard commented
And, also the possibility to add more admin users. AND log who has changed what setting!
All of our equipment is configured with the same non-"admin" user account.
This is annoying that we can't make it the same as our other equipment.
Access to the WebGUI and CLI using Telnet/SSH over WAN can be restricted to certain public IP addresses using a WAN-Local firewall rule under Source Networks and Services.
Also, the user used to access the CLI should be different from the one used for Web Admin.