Centrify Server Suite, Standard Edition

Group Policy for Linux and UNIX

Centrify Server Suite delivers the industry's most comprehensive support for extending Group Policy to non-Windows systems. It is the only solution to provide both user and computer policies, and advanced features such as group filtering and loopback processing. Group Policy functionality is seamlessly integrated into the all-in-one Centrify UNIX Agent; there’s nothing else to buy, nothing else to install. The Server Suite provides the only solution that manages authentication, access control, and Group Policy for non-Microsoft systems through a single agent.

Benefits of Using Group Policy for non-Windows Systems

Enabling [Group Policy] support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.

Darren Ehmke & Eric B. Rux, Windows IT Pro Magazine

With Server Suite’s DirectControl feature set you can use Active Directory Group Policy to centrally enforce security and configuration policies across your Linux and UNIX systems.

  • Strengthen security with automated, consistent management of configuration files for individual computers or groups of computers. For example:
      • Centrally configure the policies that the Centrify UNIX Agent uses to enforce authentication and authorization to that system.
      • Apply consistent updates to the sudoers file, defining privileged commands that specific users can execute.
      • Efficiently control crontab files, firewall settings, screensaver password lock, and other properties.
  • Reduce IT infrastructure costs and complexity by eliminating point products used to manage diverse Linux and UNIX platforms, and streamline operations by using your current Active Directory tools and processes for enterprise-wide policy management.
  • Enable security managers to define consistent global policies for diverse systems without requiring specific information on each specific operating system and system version.
  • Server Suite provides more ready-to-use Group Policies for Linux and UNIX systems than any other solution, and you can create your own through standard administrative templates for policy definition and Perl scripts for client side processing.

Zone-Based Management

When combined with Centrify’s patented Zone technology, Group Policy gives you granular control over Zones of related Linux and UNIX systems. By adding a Zone to an Active Directory Computer Group, you can strengthen security by ensuring all computers in that Zone share a consistent configuration and that updates propagate securely to every computer in that Zone.

How It Works: Server Suite’s Group Policy Architecture

On Windows computers, Group Policy works by forcibly setting user and computer registry keys. Since almost all of a Windows system is configured through registry settings, this is a very natural and simple way to enforce almost any policy.

On Linux and UNIX systems, there is no equivalent to the Windows registry. The de facto standard for configuration is text-based configuration files. To enforce Active Directory's Group Policies on these non-Microsoft platforms, the DirectControl feature set creates a “virtual registry” to hold the Group Policy configuration settings that apply to that managed system and the users logging in to it. For each configurable application that a policy applies to, the DirectControl feature set provides a specific mapping program that translates these virtual registry settings and updates the appropriate configuration file for that application with the settings defined by the policy.

On each Server Suite-managed computer, the Centrify UNIX Agent is responsible for contacting Active Directory to determine the relevant policies and copying them down to a set of virtual registry files. These policy files are refreshed in the same way they are on Windows systems: when a user logs in, on computer restart, and at periodic intervals defined by Group Policy. Administrators can also update Group Policy on demand.
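
The mapping step described above, sketched as an added example (not Centrify's code): a mapper that turns policy settings into a managed block of a text configuration file and leaves locally maintained lines alone. The setting keys, the marker comments and the dictionary standing in for the virtual registry are assumptions made for illustration; the product's own file format is not shown on this page.

```python
import os
import tempfile

# Marker comments are hypothetical; they delimit the lines the mapper owns.
BEGIN = "# BEGIN policy-managed block"
END = "# END policy-managed block"

# Constructed sample standing in for virtual registry settings (assumed keys).
SAMPLE_POLICY = {
    "sudo.rule.1": "%dbadmins ALL=(root) /usr/bin/systemctl restart postgresql",
}

def render_block(settings):
    """Render policy values as config lines between the two markers."""
    lines = [BEGIN]
    for key in sorted(settings):
        value = settings[key]
        # An embedded line break could smuggle an extra directive into the
        # target file, so refuse the value instead of writing it.
        if "\n" in value or "\r" in value:
            raise ValueError(f"policy value for {key!r} contains a line break")
        lines.append(value)
    return lines + [END]

def apply_policy(path, settings):
    """Rewrite the managed block in path; return True if the file changed."""
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read().splitlines()
    except FileNotFoundError:
        current = []
    kept, inside = [], False
    for line in current:  # keep locally maintained lines outside the block
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif not inside:
            kept.append(line)
    updated = kept + render_block(settings)
    if updated == current:
        return False  # already compliant: a refresh is a no-op
    # Write a temp file in the same directory, then rename over the target so
    # a reader never sees a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(updated) + "\n")
    os.chmod(tmp, 0o440)  # read-only, the mode sudo expects for sudoers
    os.replace(tmp, path)
    return True
```

For a sudoers target, validate the temporary file with `visudo -c -f` before the rename so a syntax error never reaches the live file.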

Working with Policies

Server Suite's Group Policy feature has been designed so that it integrates seamlessly with existing Group Policy features in Active Directory. Your policies for Linux and UNIX systems and users will work just like Windows policies do in terms of how they are linked to targets (sites, domains, organizational units, groups and individual users or computers), how these settings are inherited, and so on within Active Directory. The Windows default administrative template even has some settings, particularly those that specify refresh intervals for policy updates, that the DirectControl component will apply to the Linux and UNIX systems it manages, for a consistent global policy.

Just like Windows policies, the DirectControl feature set’s policies are used in two ways:

  • Computer configuration policies apply to the computer regardless of the user account that logs on to it.
  • User configuration policies apply to the user account regardless of the computer he or she logs in to. These policies ensure users can move from computer to computer with a consistent profile.

Server Suite Standard Edition delivers a streamlined Group Policy Object Editor interface that makes it easy to create and edit Group Policies within the standard GPO Editor. It provides a rich editing environment for many policies where multiple lines of text need to be entered or edited after initial entry, such as the sudo or firewall policies.

  

Free-form editing, a syntax checker, and the ability to insert all standard commands and Active Directory object names make it easy to manage Sudo Group Policies for fine-grained privilege management.