Tom Kemp's Centrify Blog

Managing VMware Roles and Privileges with DirectAuthorize

Wednesday, June 24, 2009

Recently I discussed the richness of our enhanced support for securing heterogeneous virtualization platforms, and in my last blog post I discussed how DirectControl provides significantly greater Active Directory integration capability than what comes out-of-the-box from VMware. In this blog post I am going to discuss how the second product in our suite, DirectAuthorize, complements vCenter Server by providing additional ways to manage roles and privileges in a VMware ESX environment. Big-time kudos go out to David McNeely, our Director of Product Management, for helping me out on this series of blog posts on securing VMware environments and authoring the majority of this blog post.

Before I drill into this topic, a quick reminder regarding a few great resources we have on securing VMware environments, including:

Now on to the topic!

Managing Privileges with DirectAuthorize's Role-Based Authorization Rights

VMware provides an authorization environment that relies on roles which are defined within VMware vCenter Server. These roles are also defined within the ESX server to manage users who access the server using the Virtual Infrastructure Client. The role that a user or administrator is assigned determines what operations that user is allowed to execute.

However, when administrators access the Service Console - either directly on the ESX server or via the Virtual Infrastructure Management Assistant (VIMA) - their rights can be assigned only by the underlying operating system. Managing rights is important in this case because several ESX command-line utilities require privilege within the Linux environment in order to operate properly. Many times administrators will either

  1. use the root account to log in to the service console of the ESX server or to the VIMA, or
  2. use their own account to log in and then switch to the root user with the su command in order to execute these commands.

Unfortunately, both methods of running commands with privilege require the administrators to know the root account password, which is one of the first things that security best practices would prohibit.

The challenge is to grant administrators the right to execute the privileged commands required to perform their duties, but to do so without knowledge of the root account's password. The following sections discuss two ways to centrally manage privileges by either leveraging

  1. Group Policy to centrally manage the Linux sudo command, or
  2. Centrify's centralized privilege management solution called DirectAuthorize

Centrally Managing Sudo Using Group Policy

The first method of centrally managing privileges involves using the Linux operating system's sudo command. After logging in with their own account, administrators can run privileged commands by using the command sudo in front of the privileged command. Sudo looks up the current user's Linux identity or local group in the sudoers configuration file to see if the user has been granted rights to execute the command and, if so, executes the command as if root had requested its execution. This command is supported in most UNIX and Linux operating systems as well as ESX systems, making it a common way to address the need to lock down privileged accounts such as root.


Caption: Example of a local sudo policy configuration file

One of the primary challenges to deploying sudo broadly throughout an enterprise is managing and maintaining a consistent configuration file across a large population of systems, such as ESX servers, VIMA systems and UNIX/Linux guest VMs. The example in the figure above shows a typical ESX server's default sudoers configuration file, which simply grants the root account the ability to run any command as root. To deploy sudo to manage privileges, IT security managers need to add, for each administrator or group of administrators, an entry that grants them specific rights.

In this example

%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info

the group esxadmin has been granted the rights to execute three commands - esxtop, vdf and esxcfg-info - as the root account without being challenged for their own password.
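To make the "narrowly restricted rights" idea concrete, here is an added example (written for this page; it is not code from the post or from Centrify) that parses the common one-line form of sudoers user specifications and flags the entries that undo a tight policy: rules that grant ALL commands, rules that grant an interactive shell, and command names that are not absolute paths. The sample file embeds the stock root rule and the esxadmin rule quoted above; the %helpdesk and jdoe entries and the finding wording are constructed for the example.

```python
"""Added example (not from the original post): audit a sudoers file for overly broad rules."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the stock root rule and the esxadmin rule from the post,
# plus two deliberately broad rules so the audit has something to flag.
SAMPLE_SUDOERS = """\
# constructed sample sudoers file
Defaults    requiretty
root        ALL=(ALL)       ALL
%esxadmin   ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info
%helpdesk   ALL=(ALL) NOPASSWD: ALL
jdoe        ALL=(root) /bin/bash, esxtop
"""


@dataclass
class SudoRule:
    who: str             # user, %group, or User_Alias name
    hosts: str
    runas: str           # contents of the (...) part, "" if absent
    tags: List[str]      # NOPASSWD, NOEXEC, ...
    commands: List[str]


# who  host(s) = (runas)  [TAG:] cmd, cmd, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user-specification lines. Comments, Defaults and *_Alias lines are skipped;
    this handles the usual one-line form, not the full sudoers grammar."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while True:  # peel off any leading tags such as "NOPASSWD: NOEXEC:"
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append(SudoRule(m.group("who"), m.group("hosts"), m.group("runas") or "", tags, commands))
    return rules


SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}


def audit_rule(rule: SudoRule) -> List[str]:
    """Flag the patterns that defeat the point of a narrow sudo policy."""
    findings = []
    nopasswd = " without a password" if "NOPASSWD" in rule.tags else ""
    for cmd in rule.commands:
        prog = cmd.split()[0]
        if prog == "ALL":
            findings.append(f"{rule.who}: may run ALL commands as ({rule.runas or 'root'}){nopasswd}")
        elif prog.isupper():
            continue  # Cmnd_Alias reference: resolve the alias before judging it
        elif not prog.startswith("/"):
            findings.append(f"{rule.who}: '{prog}' is not an absolute path; sudoers requires fully qualified commands")
        elif prog in SHELLS:
            findings.append(f"{rule.who}: grants an interactive shell via {prog}{nopasswd}")
    return findings


def audit_sudoers(text: str) -> List[str]:
    """Audit every non-root rule; root ALL=(ALL) ALL is the stock default the post shows."""
    return [f for r in parse_sudoers(text) if r.who != "root" for f in audit_rule(r)]


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against the sample, the esxadmin rule produces no findings, while the %helpdesk rule (ALL commands, no password) and the jdoe rule (a root shell plus an unqualified command name) produce three. The same check is what a Group Policy-distributed sudoers file should pass before it is pushed to every ESX server.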

With DirectControl, we can use Windows Group Policy tools to centrally and securely distribute this sudoers file to ESX servers. There are several advantages to leveraging Group Policy to centrally enforce policies on UNIX and Linux systems, including ESX servers. First, we can use Active Directory group management to control UNIX/Linux group membership; in this example, individual Active Directory accounts can be added to or removed from the esxadmin group in Active Directory without having to redistribute the sudoers file. The Group Policy Object Editor, which is a familiar interface for Windows admins, can be used to control the contents of the sudoers config file and to define distribution settings. A single, consistent sudoers file can be pushed to every DirectControl-managed ESX server over an authenticated and encrypted connection. Or, different policies can be defined for different groups or Zones of ESX systems based on your needs.

Group Policy for UNIX/Linux can also be used to manage many common configuration files in UNIX, including the sudoers file, crontab file, SSHD settings, IP tables, firewall settings and screen lock settings. Group Policies are also available to set DirectControl configuration options on the managed systems.

The following figure shows the interface in Group Policy Object Editor to enable setting the sudo file for the ESX servers.


Caption: The sudo rights property page within the Group Policy Object Editor

While using Group Policy to manage sudo rights will work much better than any manual method, it can still be difficult to define a policy file that grants narrowly restricted rights to meet stringent security needs. Additionally, distributing static policy files is inadequate as a security model due to the very dynamic nature of day-to-day IT challenges, which may require privileges on a specific system to be disabled on short notice or to be extended for a short amount of time in order to address an issue. To meet these challenges and to simplify the adoption of a higher security model, Centrify set out to deliver a product that would make it easier to define and enforce a more stringent security policy: Centrify DirectAuthorize.

Centralized Management of User Privileges with DirectAuthorize

Centrify DirectAuthorize provides an alternative method of controlling user privileges by leveraging Active Directory to centrally manage and enforce role-based entitlements. DirectAuthorize provides fine-grained control over user access and privileges on UNIX and Linux systems, including ESX. By controlling which methods users may use to access systems and what they can do once logged in, DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.

DirectAuthorize simplifies privilege management by enabling administrators to define privileged commands and then grant the right to use those commands to specific roles. Using a Windows MMC console, administrators define each command along with the available options. This eliminates the need for administrators to have detailed knowledge of sudoers file syntax. The data is stored centrally in Active Directory and retrieved upon login when needed by the dzdo policy enforcer, DirectAuthorize's equivalent for sudo.


Caption: Privileged command definition in DirectAuthorize

This model for defining privileged commands has its advantages beyond the simplicity of the policy definition. DirectAuthorize always reads the policy at user login from Active Directory, ensuring that the most accurate policy is properly enforced. Obviously there will be situations where the user may need to log in while disconnected from the network or while offline, and in these situations the policy is retrieved from a local cache.

DirectAuthorize also simplifies the user's experience by making it easier to execute an explicit list of commands with the appropriate privileges for each. In many environments, administrators log in to a system, switch to the root or other superuser account, and then execute various commands as that privileged user. With DirectAuthorize, once they log in using their own account, they can simply precede commands with dzdo, and those commands are executed with the correct privileges.

To further control exactly which commands a user can run, DirectAuthorize provides a Restricted Environment. A Restricted Environment restricts a user in a role to a specific "whitelist" of commands. Users only need to learn the exact commands they need to execute.

A Restricted Environment can be defined for ESX administrators or help desk personnel so that they can easily log in to perform specific sets of tasks, such as running vdf or esxtop, as if they were root. They can simply log in using their own account and run these commands without having to know the root password. The benefit is that IT can now grant the appropriate permissions to enable lower-level administrators to perform their duties without exposing the password of privileged accounts.
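As an added illustration of the model described in this section (written for this page; it is not DirectAuthorize code and does not reproduce its data format), the following Python models the pieces together: commands defined once with the argument patterns they may be run with, rights granted to roles, roles held by directory groups (optionally only for a limited time window, the "extended for a short amount of time" case from earlier), a Restricted Environment that lets a user run only the granted commands, and a policy that is read from the directory at login with a local-cache fallback for offline logins. Role names, group names, the /sbin/service right and the dates are constructed for the example.

```python
"""Added example: role-based model of privileged-command rights (not Centrify's code)."""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class CommandRight:
    path: str                 # absolute program path the right covers
    args: str = r".*"         # regex the whole argument string must fully match
    run_as: str = "root"


@dataclass(frozen=True)
class Role:
    name: str
    rights: Tuple[CommandRight, ...]
    restricted: bool = False  # Restricted Environment: members may run only these commands


@dataclass(frozen=True)
class Assignment:
    role: str
    group: str                # directory group that holds the role
    start: Optional[datetime] = None
    end: Optional[datetime] = None


@dataclass(frozen=True)
class Policy:
    roles: Tuple[Role, ...]
    assignments: Tuple[Assignment, ...]


# Constructed sample policy: names, groups, the service right and dates are illustrative.
READ_ONLY = (
    CommandRight("/usr/bin/esxtop"),
    CommandRight("/usr/sbin/vdf"),
    CommandRight("/usr/sbin/esxcfg-info"),
)
SAMPLE_POLICY = Policy(
    roles=(
        Role("esx-operator", READ_ONLY, restricted=True),
        Role("esx-admin", READ_ONLY + (CommandRight("/sbin/service", r"vmware-\S+ (restart|status)"),)),
    ),
    assignments=(
        Assignment("esx-operator", "HELPDESK"),
        Assignment("esx-admin", "ESXADMINS"),
        # time-boxed grant: a contractor holds esx-admin for two days only
        Assignment("esx-admin", "CONTRACTORS", datetime(2009, 6, 24), datetime(2009, 6, 26)),
    ),
)


def active_roles(policy: Policy, groups: Set[str], now: datetime) -> List[Role]:
    """Roles the user holds right now, via group membership and any validity window."""
    by_name = {r.name: r for r in policy.roles}
    out = []
    for a in policy.assignments:
        if a.group not in groups:
            continue
        if (a.start and now < a.start) or (a.end and now >= a.end):
            continue
        out.append(by_name[a.role])
    return out


def authorize(policy: Policy, groups: Set[str], cmdline: str, now: datetime) -> Optional[CommandRight]:
    """dzdo/sudo-style check: the right that covers this exact program and arguments, or None."""
    argv = shlex.split(cmdline)
    if not argv:
        return None
    arg_str = " ".join(argv[1:])
    for role in active_roles(policy, groups, now):
        for right in role.rights:
            if argv[0] == right.path and re.fullmatch(right.args, arg_str):
                return right
    return None


def restricted_shell_allows(policy: Policy, groups: Set[str], cmdline: str, now: datetime) -> bool:
    """Restricted Environment: if every active role is restricted, only granted commands run at all."""
    roles = active_roles(policy, groups, now)
    if roles and all(r.restricted for r in roles):
        return authorize(policy, groups, cmdline, now) is not None
    return True  # unrestricted users may run anything, unprivileged, as on a normal login


class PolicyStore:
    """Read-at-login model: fetch from the directory when reachable, else use the last cached copy."""

    def __init__(self, directory_policy: Policy):
        self._directory = directory_policy
        self._cache: Optional[Policy] = None

    def load(self, online: bool) -> Tuple[Policy, str]:
        if online:
            self._cache = self._directory
            return self._directory, "directory"
        if self._cache is None:
            raise RuntimeError("offline with no cached policy: deny by default")
        return self._cache, "cache"
```

A help desk member (HELPDESK group) can run esxtop with root privileges but not restart a service, and in the Restricted Environment cannot run anything outside the granted list; an ESXADMINS member can restart or query vmware-* services but not stop them; a CONTRACTORS member has the admin role only inside the two-day window. The store raises on a first-ever offline login because there is nothing safe to fall back to.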


Caption: Restricted Environment definition in DirectAuthorize

As you can see, DirectAuthorize adds significant value to an ESX environment when customers use the Service Console or VIMA to directly access ESX, and it is a great complement to the roles management capability found within VMware vCenter Server. In my next blog post I am going to discuss auditing interactive administrative access using DirectAudit.
