Comparing Centrify DirectAuthorize with Sudo

DirectAuthorize offers more security features, is easier to use, and integrates tightly with centrally managed identity information

Sudo is a UNIX program that lets users run programs with the security privileges of another user. By default sudo prompts for the invoking user's own password, but it can be configured to require the root user's password instead, or no password at all.

Many organizations have tried to use sudo to authorize users to run commands under a privileged account without knowing that account's password. IT administrators in these organizations have encountered major drawbacks with sudo that make it difficult to adopt enterprise-wide, namely:

  • Sudo requires administrators to understand the complexities of the sudoers policy language. As a result, many organizations have used sudo only lightly; for example, they may use sudo to enable a user to switch to a privileged account, but find it too difficult to limit what the user can then do, which results in relatively weak security. By contrast, Centrify DirectAuthorize provides a familiar Windows management interface that simplifies the creation of fine-grained, stringent privilege grants.
  • Sudo privileges are managed through config files on each machine where the policy must be applied, making it difficult to ensure a consistent policy is being enforced across the enterprise. With DirectAuthorize, administrators can centrally and securely apply policies from Active Directory.
  • While expert sudo scripters can create group-based policies, these management groups represent additional identity information that must be separately managed. DirectAuthorize provides easy-to-use graphical tools for modeling role-based policies that can be associated with Active Directory users and groups. Leveraging Active Directory identity information not only streamlines the management of policies but also provides unambiguous accountability and reporting for compliance purposes.
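The sudo behaviours described above (the password-prompt options, a coarse "switch to root" grant that cannot limit what the user does next, and a group-based grant written in the sudoers language) can be seen side by side in a single sudoers fragment. The fragment below is an added illustration, not part of the original page and not Centrify's or the sudo project's code; the host names, group names and command paths are constructed examples.

```sudoers
## Password behaviour (page: user's password by default, root's password, or none)
# Default: the invoking user's own password is requested.
# Uncomment to require the root password instead:
# Defaults rootpw
# Record every privileged invocation to a local log (constructed path).
Defaults logfile=/var/log/sudo.log

## Coarse grant: members of wheel may run anything as anyone.
## Once a user runs a shell this way, nothing below restricts what follows.
%wheel ALL=(ALL) ALL

## Fine-grained, group-based grant (constructed example):
## the webops group may only manage the web service, only on the web hosts.
Host_Alias  WEBHOSTS = web01, web02
Cmnd_Alias  WEB_OPS  = /bin/systemctl restart nginx, \
                       /bin/systemctl status nginx, \
                       /usr/bin/tail /var/log/nginx/*
%webops WEBHOSTS = (root) WEB_OPS

## "No password at all" variant of the same grant: the NOPASSWD tag.
# %webops WEBHOSTS = (root) NOPASSWD: WEB_OPS
```

The contrast is the page's point: the one-line wheel rule is easy to write but grants an unrestricted shell, while the webops rule needs host and command aliases plus a maintained UNIX group, and every host that should enforce it must carry a copy of this file. Edit the file only through `visudo`, which checks the syntax before installing it.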

In addition, DirectAuthorize goes well beyond the privilege management capabilities of sudo, enabling administrators to control not only how and when a user can access a computer but also what commands he or she is allowed to run.

  • DirectAuthorize lets administrators control users' access to secured systems via PAM-enabled applications and interfaces (SSH, FTP, etc.).
  • DirectAuthorize's unique Restricted Environment feature lets administrators control which commands the user is allowed to run at all, in addition to the privileged commands he or she is authorized to execute.
  • DirectAuthorize lets administrators define time-based restrictions around the privilege grant for both time of day and day of week. They can also set a start and end date for each person to whom the rights have been granted, making it easy to grant privileges on a temporary basis.
  • DirectAuthorize enables users to run commands with privilege automatically, making it easier to adopt this technology and a more stringent security policy without requiring IT to retrain staff.

Taken together, DirectAuthorize's ease of use and its advanced features make it an enterprise-ready solution for fine-grained control over user access and privileges on UNIX and Linux systems.

It is worth noting that DirectControl provides a Group Policy that administrators can use to apply a common sudoers policy file across systems within an organizational unit, or they can filter the distribution of the policy on a specific Active Directory object such as a computer or group of computers. While this is a more reliable and secure method of distributing a sudoers file than most organizations have in place, administrators will still find it far simpler and more effective to use DirectAuthorize to apply policies across systems in a DirectControl Zone, with the ability to fine-tune by defining additional policies for individual machines. Adopting DirectAuthorize also brings with it the additional benefits already discussed.