Friday, February 22, 2013
I wanted to tie up my series of blog posts on least privilege for Windows by drilling into a bit of architectural detail on how DirectAuthorize for Windows — an integrated component of the Centrify Suite — lets IT organizations securely delegate and manage privileged access across their entire Windows infrastructure. As a reminder, Centrify DirectAuthorize for Windows eliminates the problem of too many users having broad and unmanaged administrative powers by delivering secure delegation of privileged access and granularly enforcing who can perform which administrative functions. DirectAuthorize also delivers seamless integration with Centrify DirectAudit, enabling IT to achieve stronger security and governance by enforcing least-privilege access and detailed monitoring of privileged user sessions.
DirectAuthorize for Windows is comprised of three main components that install quickly and easily with guided wizards for deployment.
These components are:
The operation of DirectAuthorize begins with defining roles and rights using the DirectManage Console. The end goal is a least-privilege environment in which users have only the specific privileges needed to perform their jobs, revert to normal user access at all other times, and always authenticate with their unique AD credentials. You can also turn on auditing to verify that users are not misusing the privileges granted to them.
For example, you can define a role called "SQL Developer" that can create and modify SQL Server-based applications, but cannot start, stop or reset the server — a different role called "SQL Server Admin" grants these privileges. Another role can be defined to manage the Active Directory group of Exchange Server administrators for the company's Exchange Servers, while only a subset of those Exchange administrators are permitted to configure the Exchange Servers of the company that was just acquired. Centrify even enforces who can elevate privilege on a Windows system across the network, which is not possible with native Windows tools.
Once roles are defined, they are assigned to Active Directory users and groups. For example, you may assign Jane the "SQL Developer" role and the "SQL Server Admin" role. Provisioning is easy — just associate each role with the relevant Active Directory groups. DirectAuthorize for Windows also supports time limiting of roles. You can easily configure time limits by hour of the day or day of the week in order to improve control and visibility of temporary workers, contractors, partners and offshore staff who require access to your company's important IT assets.
Time limiting is just one of the powerful features in DirectAuthorize for Windows that are hard to achieve with native Windows controls. Another example is DirectAuthorize's Zones capability. You can use Zones to define delegated administration for specific users and computers, assign roles and rights, and link audit triggers to users, roles, servers and privilege elevation. Zones can also be used to create consistent access and privilege management across platforms, applications and databases. For example, a "Database Admin" Zone can include Oracle Administrators responsible for databases running on Solaris and SQL Server Administrators using Windows systems — common access rules and privileges are defined and managed centrally.
Once roles and rights are defined and assigned to Active Directory users and groups, the DirectAuthorize Agent enforces these roles and rights on the managed systems. If a user is granted multiple roles on a given system or application, they can use the DirectAuthorize Elevation Tool to quickly and easily switch roles. DirectAuthorize's one-click privilege elevation and privilege desktop switching improves user productivity by eliminating the need to re-enter passwords, check out temporary passwords or submit help desk requests for access while maintaining least-access security.
Finally, you can also use DirectAuthorize to enable session auditing and replay via DirectAuthorize's seamless integration with DirectAudit. With DirectAudit, detailed sessions and events can be captured whenever users elevate privilege, access high-value IT assets or perform day-to-day tasks that require tracking for compliance and corporate governance. Triggering DirectAudit only requires adding auditing as a property to any user, role, system or privilege. This is supplemented by DirectAuthorize's own audit logging capabilities, which send privileged user events to the Windows event log. Native Windows management tools do not have user-session capture and replay to monitor user actions and meet stringent compliance requirements.
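To make the evaluation logic behind the post concrete, here is an added example of a generic model of the scheme it describes: roles that bundle rights, roles granted through Active Directory group membership, time limits by hour of day and day of week, delegation scoped to a Zone, and an audit record for every elevation decision (allowed or denied). This is illustrative code written for this page, not Centrify's implementation or API; the names `ROLES`, `Assignment`, `AuditRecord`, `authorize`, the group names and the sample timestamps are all constructed for the example and are not taken from the product.

```python
"""Toy model of delegated, time-limited role-based privilege (constructed example).

Not Centrify code: it models the concepts the post describes (roles bundling
rights, roles assigned to AD groups, hour/day windows, per-zone scope, and an
audit record per decision) so the deny-by-default evaluation logic is visible.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Rights are plain strings; a role bundles the rights one job function needs.
# Mirrors the post's "SQL Developer" vs "SQL Server Admin" split.
ROLES: Dict[str, Set[str]] = {
    "SQL Developer": {"sql:create_app", "sql:modify_app"},
    "SQL Server Admin": {"sql:start", "sql:stop", "sql:reset"},
}


@dataclass(frozen=True)
class Assignment:
    """A role granted to an AD group, inside one zone, during a time window."""
    role: str
    ad_group: str           # granted via group membership, not per user
    zone: str               # delegation scope, e.g. "Database Admin"
    days: FrozenSet[int]    # allowed weekdays, 0=Monday .. 6=Sunday
    hours: range            # allowed local hours of day, half-open

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours


@dataclass
class AuditRecord:
    """One entry per decision; denials are recorded too, for detection."""
    when: datetime
    user: str
    zone: str
    right: str
    granted: bool
    via_role: Optional[str]


def authorize(user: str, groups: Set[str], assignments: List[Assignment],
              zone: str, right: str, when: datetime,
              audit: List[AuditRecord]) -> bool:
    """Return True if `user` (member of `groups`) may exercise `right` in `zone`
    at `when`. Deny by default; every decision is appended to `audit`."""
    for a in assignments:
        if a.zone != zone or a.ad_group not in groups or not a.active(when):
            continue
        if right in ROLES.get(a.role, set()):
            audit.append(AuditRecord(when, user, zone, right, True, a.role))
            return True
    audit.append(AuditRecord(when, user, zone, right, False, None))
    return False


def build_sample() -> Tuple[List[Assignment], Set[str]]:
    """Constructed sample: Jane is in two AD groups; the admin role is limited
    to weekday business hours for the contractor group (hypothetical names)."""
    all_days = frozenset(range(7))
    weekdays = frozenset(range(5))
    assignments = [
        Assignment("SQL Developer", "DB-Developers", "Database Admin",
                   all_days, range(0, 24)),
        Assignment("SQL Server Admin", "DB-Contractors", "Database Admin",
                   weekdays, range(9, 17)),
    ]
    jane_groups = {"DB-Developers", "DB-Contractors", "Domain Users"}
    return assignments, jane_groups


def demo() -> Tuple[Dict[str, bool], List[AuditRecord]]:
    """Run four decisions and return them with the audit trail they produced."""
    assignments, groups = build_sample()
    audit: List[AuditRecord] = []
    tuesday = datetime(2013, 2, 19, 10, 0)    # inside the 09-17 weekday window
    saturday = datetime(2013, 2, 23, 10, 0)   # outside it (weekend)
    zone = "Database Admin"
    results = {
        "stop_tuesday": authorize("jane", groups, assignments, zone, "sql:stop", tuesday, audit),
        "stop_saturday": authorize("jane", groups, assignments, zone, "sql:stop", saturday, audit),
        "dev_saturday": authorize("jane", groups, assignments, zone, "sql:create_app", saturday, audit),
        "wrong_zone": authorize("jane", groups, assignments, "Exchange Admin", "sql:stop", tuesday, audit),
    }
    return results, audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, ok in decisions.items():
        print(f"{name}: {'GRANT' if ok else 'DENY'}")
    for rec in trail:
        print(rec)
```

Two design points worth noting for anyone building or reviewing such a scheme: the check is deny-by-default, so a right is only granted when a matching assignment is found in the right zone, via a group the user belongs to, inside its time window; and denied attempts are written to the audit trail alongside grants, because an out-of-hours attempt to use an admin right is exactly the kind of event a security team wants to see.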