Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite


WHITE PAPER, CENTRIFY CORP., MARCH 2009

Securing and auditing administrative access to the Virtual Infrastructure leveraging Active Directory

ABSTRACT

The VMware ESX Server system has become a popular solution for running multiple virtual operating systems on a single physical server platform. To set up and manage virtual systems on an ESX host machine, an administrator needs to log in to one of the VMware administrative interfaces, which include both traditional command-line and interactive GUI tools. Administrators require superuser privileges for command-line access, while VMware provides a way to define role-based privileges for administrators using the GUI tools. Many organizations use both methods, which means they lack a single, centralized view of all administrative access to their VMware environment and the activity of administrators on those systems. In cases where VMware is used to host business-critical systems, this could represent an increased security risk and a greater likelihood of failed regulatory compliance audits. Productivity goes down and support costs go up when there is no consolidated way to control system access and privileges.

This white paper provides an overview of the features and benefits of using the Centrify Suite to centralize and automate the management of ESX Server systems in order to strengthen security and streamline IT operations and management. It provides an overview of VMware administration and then addresses Centrify's approach to securing administrative access to these systems, controlling the privileges of administrators, and auditing their activity.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Centrify Corporation. All rights reserved.

Centrify and DirectControl are registered trademarks and DirectAudit and DirectAuthorize are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

CENTRIFY CORPORATION. ALL RIGHTS RESERVED.

Contents

- Introduction
- Account Management Challenges in VMware
- Administrative Access to VMware Virtual Infrastructure Servers
- Centralizing Identity and Access Management with Centrify Suite
- Controlling Administrator Access to the Virtual Infrastructure
- Centralized Account Administration via Active Directory
- Centralized Access Control Management within Active Directory
- Installing and Setting Up DirectControl on ESX Server
- Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration
- Addressing the Authentication Challenges with Centrify DirectControl
- Managing Privileges with DirectAuthorize's Role-Based Authorization Rights
- Centrally Managing Sudo Using Group Policy
- Centralized Management of User Privileges with DirectAuthorize
- Benefits of Centralized Role-Based Authorization through DirectAuthorize
- Auditing Interactive Administrative Access Using DirectAudit
- Integrating DirectAudit into the Virtual Infrastructure
- Hardening the VMware Infrastructure with Centrify Suite
- Security Hardening of the Service Console and VIMA
- Benefits of the Centrify Suite for Virtualized Environments
- Summary
- How to Contact Centrify

1 Introduction

Computer operating system virtualization has become a popular way for customers to address their needs for server workload management. Virtualization allows a customer to use a single host computer to run multiple operating systems, each in its own protected virtual machine environment.

There are two major approaches to running operating system virtualization software. The first allows a user with an existing operating system platform (such as Windows, Linux or Mac) to install the virtualization software as a standard application that runs side by side with other applications on that system. For example, a Windows desktop user could run a virtualization product with a Linux virtual machine enabled and thereby gain the ability to access both Windows and Linux applications from a single Windows-based computer. The second approach is to dedicate a single physical computer to host only virtual machines and no other applications. This approach could be used, for example, by an Internet Service Provider to allow a single large computer to run isolated web sites for multiple customers.

VMware is one of the leading providers of virtualization software. They offer solutions for both desktops and servers, and support a wide range of operating systems used as hosts and as virtual machines. One of their popular products is VMware ESX Server, which runs on Intel x86-based systems. ESX Server uses the second approach referred to above. It has a Linux kernel as the host operating system and is tuned to run only other independently managed virtualized operating systems. This Linux kernel provides service console access to the ESX host for machine-level software and hardware maintenance.

1.1 Account Management Challenges in VMware

To set up and manage each of the virtual systems on an ESX host machine, an administrator needs to log in to one of the VMware administrative interfaces. Since the ESX Server runs on a version of Linux, the standard method for logging in to the host system via the Service Console is very similar to logging in to a Linux system: there is a root user, and additional users and groups can be configured and stored on the local host system using the same /etc/passwd and /etc/group method that standard Linux uses.

Administrators with the appropriate set of privileges, called roles in VMware Infrastructure, can create or delete virtual machines, control various functions associated with each machine, dynamically provision and manage the computing capacity available to each machine, and monitor each machine's performance. Additionally, to perform system-level operations, an administrator needs root-level privileges within the Linux kernel operating environment in order to carry out several operational commands via the Service Console.

VMware provides other administrative interfaces, including the Virtual Infrastructure Client, the Web Management User Interface, and the VMware Infrastructure Management Agent; all these interfaces require the user to log in with a credential that is recognized by the ESX host and authorized to perform the actions being requested.

Although ESX by default uses a local store of users and passwords for authentication, it is also possible to use other methods to validate user logins, since its authentication framework is PAM (Pluggable Authentication Modules). PAM can be configured to support other authentication mechanisms and to use a central directory service for authentication and user information storage. Centralized directory services offer numerous benefits to the administrator, including:

- User accounts can be stored in a single, secure database available to many different systems, as opposed to being stored and managed on each system.
- Managing permissions and policies can be centralized, resulting in better security for each system.
- Password management can be centralized and consistent user names applied.
- Provisioning and de-provisioning user accounts can be done very quickly from a single administrative system.

Since most enterprise organizations use Active Directory, have existing processes, and have trained staff for the administration of accounts and security policies, Centrify has developed an identity and access management solution, the Centrify Suite, to integrate non-Windows systems into Active Directory. Centrify Suite provides an agent which enables ESX systems to leverage Active Directory for centralized directory services, authentication, role-based privilege management, and policy controls.

Given the benefits of virtualized computing as well as the distributed and ubiquitous nature of Active Directory as a centralized directory service, the question emerges: can these technologies be combined to secure and simplify the administration of a virtual machine environment with central control over user access? The simple answer is yes. This paper focuses on the easiest method of accomplishing this task using the Centrify Suite.

1.2 Administrative Access to VMware Virtual Infrastructure Servers

There are many different ways for administrators to log in and manage the VMware Virtual Infrastructure, which increases the value of a solution that centralizes identity management and access controls for administrators.

Figure 1. VMware management interfaces

The interfaces provided by VMware include the following:

- SSH to the Service Console. The most basic form of administrative access is via the command line on the ESX server directly, which can be accessed via SSH.
- VMware Infrastructure Management Assistant. An ESXi system does not provide a service console for normal access except when directed by a VMware Support Engineer. For this reason, VMware provides a specially configured virtual machine, called the VMware Infrastructure Management Assistant (VIMA), which hosts remote management functions. This host allows administrators or developers who have logged into the system to run commands and scripts to remotely perform many of the administrative tasks that would normally have been done directly on the service console of individual ESX hosts. VIMA is capable of managing multiple ESX or ESXi hosts.
- VMware vCenter Server. vCenter Server can centrally manage hundreds of ESX hosts with thousands of virtual machine guests. This server can be accessed either by VMware's Virtual Infrastructure Client or the Virtual Infrastructure Web Access interface.
- VMware Virtual Infrastructure Client. The Virtual Infrastructure Client provides administrators with a native Windows graphical administrative interface for managing multiple ESX or ESXi hosts, either directly or via the VMware vCenter Server (previously known as VMware VirtualCenter).
- VMware Virtual Infrastructure Web Access. From any client system, administrators can use this web interface to access either the vCenter Server or a given ESX host directly.

All of these interfaces require the administrator to log in. The Virtual Infrastructure Client and web interfaces grant the user rights to perform tasks based on the user's role as defined in either vCenter or locally on the ESX host; however, administrative access to the command line requires that the user be granted root permissions to carry out typical administrative tasks. To simplify the management of administrators' access and their associated rights, Centrify leverages Active Directory to control access and permissions with the Centrify Suite.

1.3 Centralizing Identity and Access Management with Centrify Suite

The Centrify Suite is an integrated family of Active Directory-based auditing, access control and identity management solutions that provide the security required to ensure that only authorized admins can access and manage your Virtual Infrastructure, satisfying auditors working on regulatory compliance initiatives.

- DirectControl secures UNIX, Linux and Mac platforms using the same authentication and Group Policy services deployed in Windows environments.
- DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.
- DirectAudit audits user activity in near real-time, providing a centralized and correlated view of all activity on UNIX/Linux systems based on users or machines.

These products are all built on a common architecture to help you centrally secure your Virtual Infrastructure. The Centrify Suite provides many of the controls for both access and privilege management that are typically required by auditors. The solution enables you to:

- Centrally manage access controls to ensure that the appropriate administrators have access only to the Virtual Infrastructure Servers needed to fulfill their job role. Centrify supports further segregation between administrative staff based on access controls managed within Active Directory.
- Centrally control the privileges of administrators when they access the service console. You can grant privileges where needed and lock down the root account, preventing login with this privileged account.
- Provide administrators with single sign-on for access to the service console through an Active Directory-integrated terminal.
- Enforce centrally defined security policies on ESX hosts, such as sudo permissions and SSH settings.
- Audit administrative activity on the ESX hosts to ensure that security policies are being properly enforced.
- Oversee administrative access and activity on all audited systems, enabling faster root cause analysis.

Once the ESX and VIMA servers are integrated into Active Directory, administrators can use their existing Active Directory user ID and password to log in to any of the management interfaces for the Virtual Infrastructure. This gives the security officer and IT manager the peace of mind that all access and privileges can be controlled from a single place, Active Directory, enabling an account to be disabled centrally for all systems if an administrator were to leave the organization.

Figure 2. Active Directory-integrated login with the Centrify Suite

2 Controlling Administrator Access to the Virtual Infrastructure

Centrify DirectControl supports the most complex of environments and at the same time can be deployed quickly without requiring costly or intrusive changes to existing systems. It was designed to uniquely support multiple administrative and security boundaries once a system has been integrated into Active Directory, as required in order to support delegated administration. By using DirectControl, administrators no longer need to manage accounts on each individual system, but instead can use Active Directory for identity, access and policy management.

For administration, DirectControl provides a Microsoft Management Console (MMC) application that allows administrators to manage UNIX-specific data for user, group and computer objects in Active Directory, as well as to perform tasks such as centralized reporting and license management. These DirectControl attributes are also integrated into the Active Directory Users and Computers (ADUC) MMC through property page extensions. There is also a web-based console that provides cross-platform access to essential administrative operations.

DirectControl integrates into the Linux OS of the ESX host through a daemon service that controls login authentication and directory lookup services, vectoring those calls back to the Active Directory system, thus effectively turning the host system into an Active Directory client. Additionally, command-line utilities are included to join the UNIX system to the Active Directory domain and perform various administrative and diagnostic tasks such as managing users and groups. The Centrify Suite is also supported on most of the popular UNIX, Linux and Mac platforms in use today in addition to VMware's ESX Server, which can be valuable in managing other virtual machine guests.

Controlling administrator access involves both a) controlling which administrators can manage the account management system (in this case, Active Directory) and b) controlling which users or administrators are authorized to log in to specific ESX hosts. The first issue to deal with is how to effectively manage administration in a centralized directory while controlling which administrators (Active Directory admins or various groups of UNIX admins) can perform these account management functions. The second issue deals with actually enabling specific Active Directory users to log in to a given host or set of host systems. Let's first take a look at the centralized account administration system that Active Directory provides and how it can be used to manage administrative access to ESX hosts.

2.1 Centralized Account Administration via Active Directory

DirectControl enables ESX servers to join an Active Directory domain, thus becoming managed computer objects within the directory. These computer objects can be pre-created before the host is joined to the domain, depending on the desired computer management process within the organization. By default, once a computer has joined Active Directory, any user with a valid Active Directory account can potentially log in to that host, which is not what is desired for access controls to ESX or UNIX hosts. For this reason, Centrify developed its unique Zone technology, which enables logically grouping hosts along geographic, departmental or functional boundaries. The hosts within a Zone share common UNIX/Linux identity attributes such as UNIX user IDs or group memberships.

Figure 3. Delegated administration through Centrify Zones

Additionally, since users must be granted permissions to log in to hosts within a Zone, account administrators must be granted permissions to manage UNIX user profiles within these Zones in order to control which Active Directory users have permission to log in to an ESX host within a given Zone. Zones are created within Active Directory as a container or organizational unit (OU) in order to support native Active Directory ACL-based enforcement for administrative delegation. The result is an environment where UNIX account administrators for a given Zone can be defined independently for each Zone, thus segregating administrative duties on a Zone-by-Zone basis.

Another benefit is that the UNIX account administrator does not need to be granted Active Directory administrator privileges, since he only needs to manage the UNIX user profiles for an Active Directory user and not the user object itself. This preserves the segregation of duties typically required in an Active Directory environment. It also means that a UNIX profile admin for a given Zone can grant user access permissions to his Zone only and will not require permissions that would enable him to define new user accounts within Active Directory, a privilege that is typically highly protected. As shown in Figure 3 above, the VMware administrator has permissions to manage the access controls to the ESX systems within the HR and VM Server Zones, but does not have rights to create or manage Active Directory users.

Figure 4. Zone-based user access controls

Zones can be a powerful way to separate account administrative duties both between various departments and between administrators serving different roles. As shown in Figure 4 above, a Zone can be defined for a department such as HR to manage all their own servers, including both ESX servers and any Linux guest VMs. However, the administrator for the VM Server Zone can only manage access to the ESX hosts, while different administrators have the appropriate rights to manage access to the Dev and Finance Zones. Since a Zone is simply a logical collection of systems based on either administrative or access control boundaries, it provides a very flexible mechanism to control user access or, in the case of ESX servers, admin access to the virtualized environment.

2.2 Centralized Access Control Management within Active Directory

Using DirectControl and Active Directory, account administrators can identify users (ESX admins) who need to have access to the virtual machine management consoles on ESX servers and then easily enable access for those users with their Active Directory-managed credentials. The whole process of setting up a new user and establishing their credentials and access rights for the ESX server is very straightforward with DirectControl. Active Directory users who need access to the ESX server are simply added as members of a Centrify Zone of ESX servers, each with his or her own profile of settings for login shell, primary group and home directory. This is done from one of the DirectControl management tools such as the MMC-based DirectControl Administrator Console.

Once users have been added to the ESX Server Zone, they simply log in to the ESX server using their Active Directory username and password. If this is the first time that a user has logged in, DirectControl automatically provisions their default shell and home directory. Individual accounts no longer need to be created and managed on each ESX server. Not only are ESX Service Console logins enabled with DirectControl, the Active Directory identity is also leveraged across other VMware management interface options, including the Virtual Infrastructure Client (VI Client) and Virtual Infrastructure Web Access (VI Web Access).

By centralizing user and computer access rights in Active Directory, administrators now have much tighter control over who uses their ESX Server systems. With Centrify DirectControl, numerous options exist for securing access, including:

- Restricted user entry based on membership in an ESX Server Zone. The Zone thus defines the security boundary that controls access to the systems contained in it.
- Ability to centrally manage group memberships based on users' roles.
- Ability to leverage Active Directory account controls for password strength and aging, computer access hours, and disabling as well as terminating accounts.
- Ability to leverage Group Policy to further control system and application configuration such as SSHD and sudoers.
- Ability to map root user accounts on ESX servers to an Active Directory user account leveraging an Active Directory-managed password, instead of managing root access on each individual server, as shown in Figure 5 below.

Figure 5. Mapping the ESX root account on two hosts within a Zone to an Active Directory account

DirectControl provides the infrastructure on the ESX server to control which users can log in to specific systems or Zones of systems. The rights a user has upon login can also be centrally controlled through Centrify DirectAuthorize, which is described further in the next section. But first let's see how easy it is to install and set up DirectControl on ESX servers.

2.3 Installing and Setting Up DirectControl on ESX Server

Complete instructions on installing and configuring DirectControl can be found in the documentation that comes with DirectControl, but essentially the installation and configuration process consists of three high-level tasks.

First, the DirectControl Administrator Console needs to be installed on a Windows system that is joined to the domain you wish to use. This can be Windows XP, Vista, or Windows Server 2000 or 2003. Active Directory administrator permission is required in order to install DirectControl. Once the Administrator Console is installed on Windows, you need to set up a Centrify Zone that can be used while joining the ESX server to the domain. Zones are collections of systems, users and groups that share similar access profiles, functions, or common attributes. The ESX server can join the default Zone that gets set up when you install DirectControl, or you can set up a new Zone.

Next, install the DirectControl Agent on the ESX server you wish to use and join it to the Active Directory domain and the appropriate Zone using the adjoin command.

Once the ESX server has been joined to the Active Directory domain, use any one of the DirectControl management tools to grant access to the ESX server for the appropriate Active Directory users. The ESX root user ID can be mapped to an Active Directory user account if you choose. Keep in mind that it is necessary to enable only the users who actually need access to the ESX Service Console for the purpose of administering the ESX server. DirectControl can restrict access to the users defined in the Zone, as opposed to granting access to all Active Directory users (which of course would not be desirable).

That's it. The whole installation process takes a matter of minutes. Once this has been completed, the ESX server can be used in exactly the same way as before for all functions, but now user and authentication credentials are stored in Active Directory instead of local system files. It is important to note that authentication through Active Directory and DirectControl is supported for all VMware Infrastructure administrative modes, including:

- Local Service Console logins
- Remote console sessions, such as via the SSH protocol
- Remote command line on a VIMA system
- VI Client
- VI Web Access

DirectControl becomes even more useful as the number of ESX servers increases, since account control for all these platforms can be done from a single DirectControl console tied into Active Directory. Centralizing account administration enables rapid deployment and de-commissioning of users and administrators from your virtual infrastructure.

2.4 Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration

VMware published a technical note titled "Enabling Active Directory Authentication with ESX Server". This paper discusses using the esxcfg-auth tool to set up Kerberos authentication through Active Directory. The command syntax of this tool is as follows:

    esxcfg-auth --enablead --addomain=<domain name> --addc=<domain controller name>

This tool configures PAM and modifies the ESX server configuration to perform login authentication against the specified Active Directory domain controller. After executing the preceding command, you then create a local account for each user who requires access to the ESX server, making sure that the user ID is exactly the same as his Active Directory user name. This process would then need to be repeated for every ESX server in your environment.

While these steps do enable authentication from an Active Directory system for an ESX Server, they do not leverage Active Directory for authorization, centralized directory services or policy management. Specifically, the methods outlined in this paper have the following serious shortcomings (most of which are discussed in the paper):

- This is not a truly integrated solution, as it does not offer a single source for defining, managing and authenticating user accounts. While the esxcfg-auth tool allows you to use Active Directory to authenticate users, you cannot use Active Directory to define and manage user accounts for ESX. User accounts are still created and maintained on each ESX server.
- The process to enable Active Directory authentication for every user who requires access to the ESX server is clumsy. For each individual user, you must also create a corresponding user account on the ESX host server.
- Authorized users can log in under two scenarios: (a) if they have a valid Active Directory password associated with the user name they provided and if they have a local account in /etc/passwd that also matches this user name, or (b) if they have a local user name and password on the system. This means that the administrator must manually synchronize the user account information between authorized Active Directory users and each ESX server, and carefully map intended user access to actual possibilities for user access.

- If the network goes down or the Active Directory system is unavailable, users who use Active Directory for authentication will not be able to log in to the ESX server. Credentials are not cached, and there is no provision for the underlying Kerberos authentication session to fail over to a backup system.
- Given the issues with the previous point, the paper recommends not using Active Directory authentication for the root account. This means that there are few controls over who has access to the superuser account on each ESX server, and also that the root user password needs to be set manually for every ESX server.
- There is also more network traffic with each Kerberos transaction, since this method does not support any type of caching.
- The machine name for the Active Directory / Kerberos server is hard-coded in the system files for each ESX server. If the name of the closest domain controller changes, the administrator needs to manually update this information in each system file on each ESX server.
- The ESX server is not joined to the domain, so Active Directory has no knowledge of the system or any control over the ESX server. This means that if the administrator wanted to temporarily restrict access to an ESX server or a whole set of ESX servers, he or she would have no way to accomplish this from Active Directory.
- The paper does not provide guidance on how to set up FTP or SSH for accessing the ESX server. Typically, having access to these services is essential for system administrators. Also, there is no guidance on setting up this new authentication method for all management session types (Remote Console, VMware Management Interface, etc.).
- The paper acknowledges that this method for authentication will fail if the user is a member of more than 15 Active Directory groups, which in a large enterprise is quite common.
- There is no guidance on how to track access to the ESX server using this implementation.
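The account-synchronization gap in the esxcfg-auth approach (a local entry per user on every host, local passwords that bypass Active Directory, and a hand-set root password on each server) is something a defender can check for across a fleet. The following audit is an added example, not code from the Centrify paper or from VMware; the host names, user names, authorized-admin lists, skip list and password hashes are all constructed:

```python
"""Account-drift audit for ESX hosts managed the esxcfg-auth way.

Added example, not code from the Centrify paper or from VMware. It checks the
gaps the paper attributes to esxcfg-auth: an authorized AD user still needs a
matching local /etc/passwd entry on each host, a local account with a usable
password hash logs in without Active Directory (the paper's scenario b), and
root is set by hand per server. All hosts, users and hashes are constructed.
"""

# Accounts the host itself relies on; vpxuser is the root-privileged account
# VirtualCenter creates when a host is added to it (hypothetical skip list).
SYSTEM_ACCOUNTS = {"root", "vpxuser"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}

# Hypothetical Active Directory group membership: who may administer each host.
AUTHORIZED_ADMINS = {
    "esx01": {"alice", "bob", "dave"},
    "esx02": {"alice", "dave"},
}

# Constructed /etc/passwd and /etc/shadow contents per host (not real data).
FLEET = {
    "esx01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "vpxuser:x:500:500:VMware VirtualCenter account:/home/vpxuser:/bin/bash\n"
        "alice:x:501:501:Alice Admin:/home/alice:/bin/bash\n"
        "bob:x:502:502:Bob Builder:/home/bob:/bin/bash\n"
        "carol:x:503:503:Carol Contractor:/home/carol:/bin/bash\n",
        "root:$1$constru$ctedRootHashAAAAAAAAAAA:14000:0:99999:7:::\n"
        "vpxuser:!!:14000:0:99999:7:::\n"
        "alice:!!:14000:0:99999:7:::\n"
        "bob:$1$constru$ctedBobHashBBBBBBBBBBBB:14000:0:99999:7:::\n"
        "carol:!!:14000:0:99999:7:::\n",
    ),
    "esx02": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:501:501:Alice Admin:/home/alice:/bin/bash\n"
        "dave:x:502:502:Dave Ops:/home/dave:/bin/bash\n",
        "root:$1$constru$ctedRootHashAAAAAAAAAAA:14000:0:99999:7:::\n"
        "alice:!!:14000:0:99999:7:::\n"
        "dave:!!:14000:0:99999:7:::\n",
    ),
}


def field_map(text, index):
    """Map the first field of each colon-separated line to field `index`."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > index:
            result[fields[0]] = fields[index]
    return result


def password_usable(field):
    """True when the shadow field holds a hash rather than a lock marker."""
    # '!', '!!' and '*' mean no local password; an empty field is treated as
    # unusable too, since pam_unix rejects it unless nullok is configured.
    return bool(field) and field[0] not in "!*"


def audit_host(host, passwd_text, shadow_text, authorized):
    """Compare one host's local accounts with its authorized AD admin set."""
    findings = []
    shells = field_map(passwd_text, 6)   # passwd: name is field 0, shell is 6
    hashes = field_map(shadow_text, 1)   # shadow: name is field 0, hash is 1
    for name, shell in sorted(shells.items()):
        if name in SYSTEM_ACCOUNTS or shell in NOLOGIN_SHELLS:
            continue
        if name not in authorized:
            # Scenario (a): an AD password plus this stale local entry still logs in.
            findings.append((host, name, "LOCAL_NOT_AUTHORIZED"))
        if password_usable(hashes.get(name, "")):
            # Scenario (b): the local password bypasses Active Directory entirely.
            findings.append((host, name, "LOCAL_PASSWORD_SET"))
    for name in sorted(authorized - set(shells)):
        # The admin exists in AD, but esxcfg-auth needs a matching local entry.
        findings.append((host, name, "AUTHORIZED_NO_LOCAL"))
    return findings


def audit_fleet(fleet, authorized_by_host):
    """Audit every host, then flag root hashes that repeat across hosts."""
    # Hashes carry a random salt, so an identical root field on two hosts
    # means a cloned image or copied shadow file, not merely a reused password.
    findings = []
    hosts_by_root_hash = {}
    for host in sorted(fleet):
        passwd_text, shadow_text = fleet[host]
        findings.extend(audit_host(host, passwd_text, shadow_text,
                                   authorized_by_host.get(host, set())))
        root_field = field_map(shadow_text, 1).get("root", "")
        if password_usable(root_field):
            hosts_by_root_hash.setdefault(root_field, []).append(host)
    for hosts in hosts_by_root_hash.values():
        if len(hosts) > 1:
            findings.extend((host, "root", "ROOT_HASH_SHARED") for host in hosts)
    return findings


if __name__ == "__main__":
    for host, user, finding in audit_fleet(FLEET, AUTHORIZED_ADMINS):
        print(f"{host}\t{user}\t{finding}")
```

Against real hosts, the passwd and shadow text would be collected from each Service Console and the authorized sets pulled from the Active Directory group that is meant to govern that host.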
Given all of these challenges, the solution proposed in the VMware paper is untenable for many organizations.

VMware offers another product, VirtualCenter, which provides centralized administration and management for ESX servers connected on a network. It acts as a control node for configuring, provisioning and managing a virtualized IT environment made up of ESX servers. For a VI Client connected to a VirtualCenter server, authentication and authorization are performed through Active Directory. Authorized VirtualCenter users are selected from the Windows domain referenced by VirtualCenter, or are local Windows users on the VirtualCenter host. Similarly, VirtualCenter groups are derived from Active Directory in the connected Windows domain. Both Active Directory-based users and groups are then granted permissions ("roles") within VirtualCenter.

On the back end, however, VirtualCenter still uses the standard Linux authentication mechanism. Whenever an ESX server host is added to it, VirtualCenter creates a Linux user account (vpxuser) with root privileges on that host. This account is used only to authenticate the connection between the host and VirtualCenter. Although VirtualCenter resolves the separate password and account management problem of the esxcfg-auth tool, its integration with Active Directory has a number of shortcomings:

- VirtualCenter is designed as a central point for managing many virtual machines and resources distributed over many ESX server hosts, so it is not cost-effective for small deployments.
- It is still not a seamlessly integrated solution. You cannot use VirtualCenter to create and remove ESX users or groups, or to view and modify their properties such as passwords; you have to use the Microsoft tools for user account and password management.
- There are still occasions when you need to reach an ESX server host through other mechanisms, for example when VirtualCenter is unavailable or has lost its connection to the domain controller. A few administrative tasks must also be performed directly on the ESX host rather than through VirtualCenter.

Can Centrify DirectControl provide a better integration with Active Directory? Yes it can, as described in the next section.

2.5 Addressing the Authentication Challenges with Centrify DirectControl

Centrify DirectControl is engineered not only to be easy to use but also to be a completely integrated authentication, authorization, directory and policy solution. As a result, the issues highlighted above are fully resolved with DirectControl. Specifically:

- Unlike the esxcfg-auth tool, DirectControl provides unified account and password management.
- There is no need to create a local user and map it to an Active Directory account for every user you want to grant access to the ESX Server host.
- The DirectControl integration with Active Directory is seamless from a user-interface perspective. You cannot create or manage Active Directory users and groups from VirtualCenter, but Centrify extends the native Active Directory Users and Computers (ADUC) MMC snap-in with UNIX properties for user, group and computer objects, so the same tool manages both the ESX users and groups and the Active Directory account information associated with them. In addition, Centrify provides the DirectControl Administrator Console, from which you can view and modify all the attributes of Active Directory user, group and computer objects, including the DirectControl ones.
- With the Centrify solution, authorization is handled from one central place, the DirectControl Administrator Console. The administrator can create an explicit access list of users for each ESX server. Through Centrify Zones, ESX administrators can be members of their own Zone of ESX servers, which further simplifies access control for those systems. Users can be restricted further by policies such as authorized access times. Authorized users can also be placed in Active Directory groups that are visible from ESX as though they were local groups. This gives fine-grained access control for each ESX server, and any change is made from a single point of administration, the DirectControl Administrator Console.
- DirectControl fully supports caching of login credentials. A user who has logged in to the ESX server at least once can continue to log in to that system even while the network is down. Alternatively, the administrator can configure users or groups for pre-validation so that they can access offline machines with their Active Directory credentials without having logged in previously. When a user logs in for the first time, DirectControl also creates a home directory for the user if one does not already exist.
- DirectControl automatically finds the closest available Active Directory domain controller, so if one domain controller is taken offline another is used automatically, without reconfiguring the ESX server.
- Because login credentials are cached, network traffic is reduced. This matters where multiple virtual machines share a network interface with the host ESX server.
- Login credentials can also be pre-cached for administrators who must always be able to log in regardless of network connectivity, for example at a remote location with a down WAN link where the ESX system needs administrative access for maintenance.
- DirectControl includes root user mapping: the root account on every machine can be mapped to an Active Directory user, so password control stays in one central place. With offline caching, root can still log in to the ESX server even when Active Directory is unavailable.
- As noted above, DirectControl manages the interaction with the Active Directory domain controller and automatically finds the closest controller for each request.
- With DirectControl, the ESX server is joined to the Active Directory domain. As with other systems in the domain, the administrator has full control over access to the ESX server, including temporarily disabling logins, for example during a maintenance period.

- DirectControl automatically configures access to popular services such as FTP, Telnet and SSH to use secured Kerberos authentication against Active Directory. For example, Centrify provides a compiled version of the latest OpenSSH distribution, linked against the DirectControl Kerberos libraries, that supports PAM and Kerberos for single sign-on access.
- DirectControl ensures that a single authentication method is used across all supported VMware management session types, including the local Service Console, the VMware Management Interface (VI Client and VI Web Access), and Remote Console sessions such as those over SSH.
- DirectControl imposes no limit on group membership.
- DirectControl's integration with Active Directory has proven to work in complex environments, for example a topology with multiple forests that requires one- or two-way trusts.

In addition, Centrify DirectControl has other advantages beyond identity management:

- DirectControl fully supports Microsoft Group Policy and ships with an extensive set of policies for security and configuration management. You can use DirectControl's built-in Group Policy engine to distribute computer and user policies to a set of ESX servers. Such policies can copy configuration files to target systems, manage configuration parameters such as login settings, password prompts, password caching and Kerberos settings, and define sudo permissions. For added flexibility, you can create your own custom policies tailored to your virtualized infrastructure. Deploying policies to your ESX servers ensures consistent machine configuration and further controls ESX session behavior, which streamlines IT operations and reduces administrative cost.
- Since ESX administration can be performed over a remote SSH connection, you can also use the Centrify SSH Group Policies to configure who may connect to the host over SSH, for example only members of a specific group, and to prevent root login over SSH.
- DirectControl is supported on most of the UNIX and Linux platforms available today, plus Mac OS X, so customers get a consistent Active Directory integration solution across their non-Microsoft platforms. This integration also extends to the Linux and UNIX virtual machines running inside ESX Server. Each virtual machine, or group of machines, can be managed within a dedicated Zone, which is particularly useful when ESX Server is used in outsourcing environments where identity groups from different organizations must be managed individually and isolated from each other.
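A pushed SSH policy is only as good as the sshd_config it leaves behind, and sshd has a rule that catches people out: for each keyword, the first value in the file wins, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. The following Python script is an added example, not code from Centrify or VMware: it parses the global section of an sshd_config the way sshd does and reports whether root login over SSH is still permitted and whether an AllowGroups/AllowUsers restriction is present, the two settings the SSH Group Policies above control. The three configuration samples are constructed for the example, not taken from a real ESX host.

```python
"""Audit an sshd_config for root login and group restriction settings.

Added example, not Centrify's or VMware's code. Keywords are matched
case-insensitively and, as in sshd, the first occurrence of a keyword is
the effective one. Parsing stops at the first 'Match' line because
anything after it is conditional. The configs below are constructed samples.
"""
from typing import Dict, List, Optional


def parse_sshd_global(text: str) -> Dict[str, str]:
    """Return {keyword (lowercased): first value seen} for the global section."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                       # conditional block: not a global setting
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def effective_setting(text: str, keyword: str) -> Optional[str]:
    """The value sshd would actually use for keyword, or None if unset."""
    return parse_sshd_global(text).get(keyword.lower())


def audit_sshd_config(text: str) -> List[str]:
    """Return findings; an empty list means both checks passed."""
    cfg = parse_sshd_global(text)
    findings: List[str] = []
    # OpenSSH releases of the ESX 3.x era defaulted PermitRootLogin to yes
    root_login = cfg.get("permitrootlogin", "yes")
    if root_login.lower() != "no":
        findings.append(
            f"PermitRootLogin is '{root_login}' (first occurrence is the effective one); "
            "set 'PermitRootLogin no'")
    if "allowgroups" not in cfg and "allowusers" not in cfg:
        findings.append(
            "no AllowGroups/AllowUsers directive; any account with a shell may attempt SSH login")
    return findings


WEAK_SSHD_CONFIG = """\
# constructed sample: root may log in directly and nobody is excluded
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

APPENDED_SSHD_CONFIG = """\
# constructed sample: 'PermitRootLogin no' was appended instead of replacing
# the existing line, so sshd still honours the first one
Protocol 2
PermitRootLogin yes
AllowGroups esxadmin
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: what the SSH Group Policies should produce
Protocol 2
PermitRootLogin no
AllowGroups esxadmin
"""

if __name__ == "__main__":
    for name, cfg_text in [("weak", WEAK_SSHD_CONFIG), ("appended", APPENDED_SSHD_CONFIG),
                           ("hardened", HARDENED_SSHD_CONFIG)]:
        print(name, "->", audit_sshd_config(cfg_text) or "OK")
```

Run it against /etc/ssh/sshd_config after a policy refresh; if the "appended" pattern shows up, the policy is replacing the wrong line rather than the effective one.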

The DirectControl identity management solution extends beyond validating login sessions. DirectControl also supports applications that use the LDAP, Kerberos, GSSAPI or SPNEGO APIs for directory services and authentication. This means customers can build custom applications for ESX (such as a billback system for virtual machine usage) on validated identities stored in Active Directory.

3 Managing Privileges with DirectAuthorize's Role-Based Authorization Rights

VMware provides an authorization environment that relies on roles defined within VMware vCenter Server. These roles are also defined within the ESX server to manage users who access the server through the Virtual Infrastructure Client. The role assigned to a user or administrator determines which operations that user may execute. However, when administrators access the Service Console, either directly on the ESX server or through the Virtual Infrastructure Management Assistant (VIMA), their rights can be assigned only by the underlying operating system. Managing those rights matters because several ESX command-line utilities require privilege within the Linux environment to operate properly.

Administrators commonly either (a) use the root account to log in to the Service Console of the ESX server or to the VIMA, or (b) log in with their own account and then switch to root with the su command before running these commands. Both methods require the administrator to know the root password, which is one of the first things security best practice prohibits. The challenge is to grant administrators the right to execute the privileged commands their duties require without giving them knowledge of the root account's password.
The following sections discuss two ways to centrally manage privileges: (a) using Group Policy to centrally manage the Linux sudo command, and (b) using Centrify's centralized privilege management solution, DirectAuthorize.

3.1 Centrally Managing Sudo Using Group Policy

The first method uses the Linux sudo command. After logging in with their own account, administrators run privileged commands by prefixing them with sudo. Sudo looks up the current user's Linux identity, or a local group the user belongs to, in the sudoers configuration file to see whether the user has been granted the right to execute the command and, if so, executes it as though root had requested it. Sudo is available on most UNIX and Linux operating systems as well as ESX, which makes it a common way to lock down privileged accounts such as root.

Figure 6. Example of a local sudo policy configuration file

One of the primary challenges in deploying sudo broadly across an enterprise is maintaining a consistent configuration file across a large population of systems, such as ESX servers, VIMA systems and UNIX/Linux guest VMs. The example in Figure 6 shows a typical ESX server's default sudoers file, which simply grants the root account the ability to run any command as root. To manage privileges with sudo, IT security managers need to add, for each administrator or group of administrators, an entry that grants them specific rights. In the following example, the group esxadmin has been granted the right to execute three commands, esxtop, vdf and esxcfg-info, as the root account without being challenged for their own password. With DirectControl, Windows Group Policy tools can centrally and securely distribute this sudoers file to ESX servers.

%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info

Figure 7. Example ESX admin rights grant in the /etc/sudoers file

There are several advantages to using Group Policy to centrally enforce policies on UNIX and Linux systems, including ESX servers. First, Active Directory group management controls UNIX/Linux group membership; in this example, individual Active Directory accounts can be added to or removed from the esxadmin group in Active Directory without redistributing the sudoers file. The Group Policy Object Editor, a familiar interface for Windows administrators, controls the contents of the sudoers file and its distribution settings. A single, consistent sudoers file can be pushed to every DirectControl-managed ESX server over an authenticated and encrypted connection, or different policies can be defined for different groups or Zones of ESX systems as needed.
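Before pushing a sudoers file to every ESX host it is worth being precise about what an entry such as the one in Figure 7 actually grants: which principals match, whether a password is demanded, and how command arguments are matched (a bare path permits any arguments, a path with arguments demands exactly those). The Python script below is an added example, not Centrify's code and not part of the sudo project; it parses the subset of sudoers syntax used in Figures 6 and 7 and evaluates a user, group set and command line against it with sudo's last-match-wins rule. Group membership is passed in by the caller, since on a DirectControl-managed host it comes from Active Directory through NSS. The sudoers text, user names and groups are constructed samples. One practical check it makes easy: NOPASSWD entries should list only commands that cannot drop the caller into a shell, since the grant is to the command, not to its behaviour.

```python
"""Evaluate a sudoers grant like the one in Figure 7 the way sudo would.

Added example, not Centrify's code and not part of the sudo project. It
parses the subset of sudoers syntax used in Figures 6 and 7 (a user or
%group, a host, an optional (runas) list, an optional NOPASSWD:/PASSWD: tag
and comma-separated commands). Defaults lines are skipped; aliases, hosts
other than ALL, wildcards and negations are not modelled. The sudoers
text, users and groups below are constructed samples.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SudoRule:
    principal: str              # "root" or "%esxadmin"
    runas: str                  # "ALL" or a user name
    nopasswd: bool
    commands: Tuple[str, ...]   # "ALL" or command specs such as "/usr/sbin/vdf -h"


# who  host = (runas) [TAG:] cmd, cmd, ...
_LINE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")


def parse_sudoers(text: str) -> List[SudoRule]:
    rules: List[SudoRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        spec = match.group("spec").strip()
        nopasswd = False
        tag, _, rest = spec.partition(":")
        if tag.strip().upper() in ("NOPASSWD", "PASSWD") and rest.strip():
            nopasswd = tag.strip().upper() == "NOPASSWD"
            spec = rest.strip()
        commands = tuple(c.strip() for c in spec.split(",") if c.strip())
        runas = (match.group("runas") or "root").strip()
        rules.append(SudoRule(match.group("who"), runas, nopasswd, commands))
    return rules


def _command_matches(spec: str, argv: List[str]) -> bool:
    """ALL matches anything; a bare path matches that executable with any
    arguments; a path followed by arguments requires exactly those arguments."""
    if spec == "ALL":
        return True
    spec_argv = shlex.split(spec)
    if argv[0] != spec_argv[0]:
        return False
    return len(spec_argv) == 1 or spec_argv[1:] == argv[1:]


def check(rules: Iterable[SudoRule], user: str, groups: Iterable[str],
          command_line: str, runas: str = "root") -> str:
    """Return 'deny', 'allow' (password prompt) or 'allow-nopasswd'.
    As with sudo, the last matching entry wins and the command must be
    given by absolute path (no PATH lookup is done here)."""
    argv = shlex.split(command_line)
    if not argv or not argv[0].startswith("/"):
        return "deny"
    group_set = set(groups)
    verdict = "deny"
    for rule in rules:
        if rule.principal.startswith("%"):
            if rule.principal[1:] not in group_set:
                continue
        elif rule.principal != user:
            continue
        if rule.runas not in ("ALL", runas):
            continue
        if any(_command_matches(c, argv) for c in rule.commands):
            verdict = "allow-nopasswd" if rule.nopasswd else "allow"
    return verdict


SAMPLE_SUDOERS = """\
# constructed sample: the Figure 6 default, the Figure 7 grant, and one
# argument-restricted entry to show exact-argument matching
Defaults    requiretty
root        ALL=(ALL) ALL
%esxadmin   ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info
%helpdesk   ALL=(root) /usr/sbin/vdf -h
"""

if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for who, grp, cmd in [("alice", {"esxadmin"}, "/usr/sbin/vdf -h"),
                          ("alice", {"esxadmin"}, "/bin/bash"),
                          ("carol", {"helpdesk"}, "/usr/sbin/vdf")]:
        print(who, cmd, "->", check(rules, who, grp, cmd))
```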

Group Policy for UNIX/Linux can also manage many common UNIX configuration files, including the sudoers file, crontab, sshd settings, iptables and firewall settings, and screen-lock settings. Group Policies are also available to set DirectControl configuration options on the managed systems. The following figure shows the Group Policy Object Editor page for setting the sudo file on the ESX servers.

Figure 8. The sudo rights property page within the Group Policy Object Editor

While managing sudo rights with Group Policy works much better than any manual method, it can still be difficult to write a policy file that grants rights narrow enough to meet stringent security needs. Distributing static policy files is also an inadequate security model given the dynamic nature of day-to-day IT work, which may require privileges on a specific system to be disabled on short notice or extended for a short time to address an issue. To meet these challenges and simplify the adoption of a stronger security model, Centrify set out to deliver a product that makes it easier to define and enforce a more stringent security policy: Centrify DirectAuthorize.

3.2 Centralized Management of User Privileges with DirectAuthorize

Centrify DirectAuthorize provides an alternative way to control user privileges, using Active Directory to centrally manage and enforce role-based entitlements. DirectAuthorize provides fine-grained control over user access and privileges on UNIX and Linux systems, including ESX. By controlling how users access systems and what they can do once logged in, DirectAuthorize lets organizations lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.

DirectAuthorize simplifies privilege management by letting administrators define privileged commands and then grant the right to use those commands to specific roles. Using a Windows MMC console, administrators define each command along with its permitted options, which removes the need for detailed knowledge of sudoers file syntax. The data is stored centrally in Active Directory and retrieved at login, when needed, by dzdo, the DirectAuthorize policy enforcer and equivalent of sudo.

Figure 9. Privileged command definition in DirectAuthorize

This model for defining privileged commands has advantages beyond the simplicity of policy definition. DirectAuthorize always reads the policy from Active Directory at user login, so the most current policy is enforced. There will of course be situations where a user needs to log in while disconnected from the network or otherwise offline; in those cases the policy is retrieved from a local cache.

DirectAuthorize also simplifies the user's experience by making it easier to execute an explicit list of commands with the appropriate privileges for each. In many environments, administrators log in to a system, switch to root or another superuser account, and then execute various commands as that privileged user. With DirectAuthorize, once they log in with their own account they simply precede commands with dzdo, and those commands run with the correct privileges.

To control exactly which commands a user can run, DirectAuthorize provides a Restricted Environment, which confines a user in a role to a specific whitelist of commands. Users need to learn only the exact commands they are permitted to execute. A Restricted Environment can be defined for ESX administrators or help desk personnel so that they can log in to perform specific tasks, such as running vdf or esxtop, as if they were root. They log in with their own account and run these commands without knowing the root password. IT can thus grant lower-level administrators the permissions they need to do their jobs without exposing the passwords of privileged accounts.

Figure 10. Restricted Environment definition in DirectAuthorize

3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize

DirectAuthorize is a core component of the Centrify Suite, which provides a single, unified architecture for access control, authentication, authorization and auditing. In working with customers to understand their IT security and compliance challenges, we focused on delivering the following benefits:
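The two behaviours that distinguish this model from a distributed sudoers file are that the role-to-command policy is resolved from the directory at each login and that a local cache is used only when the directory cannot be reached. The Python model below is an added illustration of that flow, written for this page and not Centrify's code: the class and method names, the Active Directory groups, the roles, the users and the command lists are all invented, and the directory is an in-memory stand-in so the script runs offline. It also covers two cases the text implies but does not spell out: a user who has never logged in on a host has nothing to fall back on when the directory is down, and revoking a user's role while online must purge that host's cache, or the revoked user could still log in during the next outage.

```python
"""Model of login-time, role-based command whitelisting with an offline cache.

Added illustration of the DirectAuthorize behaviour described above. Not
Centrify's code: names, groups, roles, users and command lists are
invented, and the directory is an in-memory stand-in.
"""
import shlex
from typing import Dict, FrozenSet


class DirectoryUnavailable(Exception):
    """The central directory could not be reached (WAN down, DC offline)."""


class Directory:
    """Stand-in for Active Directory holding constructed sample data."""

    def __init__(self) -> None:
        self.available = True
        self.groups: Dict[str, FrozenSet[str]] = {            # user -> AD groups
            "alice": frozenset({"esx-operators", "domain users"}),
            "bob": frozenset({"helpdesk", "domain users"}),
        }
        self.role_of_group: Dict[str, str] = {                # AD group -> role
            "esx-operators": "esx-admin",
            "helpdesk": "esx-readonly",
        }
        self.role_commands: Dict[str, FrozenSet[str]] = {     # role -> commands run as root
            "esx-admin": frozenset({"/usr/bin/esxtop", "/usr/sbin/vdf", "/usr/sbin/esxcfg-info"}),
            "esx-readonly": frozenset({"/usr/sbin/vdf"}),
        }

    def whitelist_for(self, user: str) -> FrozenSet[str]:
        """Resolve user -> groups -> roles -> commands; fails when offline."""
        if not self.available:
            raise DirectoryUnavailable("domain controller unreachable")
        roles = {self.role_of_group[g]
                 for g in self.groups.get(user, frozenset()) if g in self.role_of_group}
        allowed = set()
        for role in roles:
            allowed |= self.role_commands.get(role, frozenset())
        return frozenset(allowed)


class RestrictedHost:
    """One ESX host enforcing a per-user command whitelist."""

    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.cache: Dict[str, FrozenSet[str]] = {}   # user -> whitelist from last online login

    def login(self, user: str) -> FrozenSet[str]:
        """Return the user's whitelist, preferring the live directory.

        The cache is consulted only when the directory is unreachable, and a
        live answer of 'no role' also purges the cache, so revoking a role
        revokes offline access as well.
        """
        try:
            whitelist = self.directory.whitelist_for(user)
        except DirectoryUnavailable:
            if user not in self.cache:
                raise PermissionError(
                    f"{user}: directory unreachable and no cached policy on this host") from None
            return self.cache[user]
        if not whitelist:
            self.cache.pop(user, None)
            raise PermissionError(f"{user}: no role grants access to this host")
        self.cache[user] = whitelist
        return whitelist

    @staticmethod
    def decide(whitelist: FrozenSet[str], command_line: str) -> str:
        """'run-as-root' for a whitelisted executable, 'refused' for anything
        else; a Restricted Environment has no general shell to fall back to."""
        argv = shlex.split(command_line)
        if not argv or argv[0] not in whitelist:
            return "refused"
        return "run-as-root"


if __name__ == "__main__":
    directory = Directory()
    host = RestrictedHost(directory)
    allowed = host.login("alice")
    print("alice /usr/sbin/vdf -h ->", RestrictedHost.decide(allowed, "/usr/sbin/vdf -h"))
    directory.available = False                      # WAN link down
    print("alice offline ->", sorted(host.login("alice")))
```

The cache here is a plain dictionary; on a real host the equivalent file holds the same authority as the directory while the link is down, so it needs the same file permissions and integrity protection as any other local authorization database.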


More information

Red Hat Enterprise ipa

Red Hat Enterprise ipa Red Hat Enterprise ipa Introduction Red Hat Enterprise IPA enables your organization to comply with regulations, reduce risk, and become more efficient. Simply and centrally manage your Linux/Unix users

More information

Active Directory and Linux Identity Management

Active Directory and Linux Identity Management Active Directory and Linux Identity Management Published by the Open Source Software Lab at Microsoft. December 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab.

More information

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.

More information

Macintosh Printer Management using Centrify DirectControl Group Policies

Macintosh Printer Management using Centrify DirectControl Group Policies WHITE PAPER CENTRIFY CORP. MARCH 2010 Macintosh Printer Management using Centrify DirectControl Group Policies ABSTRACT This white paper examines various approaches to managing printer configuration files

More information

Privileged Account Management Mar3n Cannard, Security Solu3ons Architect

Privileged Account Management Mar3n Cannard, Security Solu3ons Architect Privileged Account Management Mar3n Cannard, Security Solu3ons Architect Customer Use Cases - Introduc3on A US-based Natural Gas and Electric company serving multiple states Project Requirements Only grant

More information

ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains

ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains Microsoft Corporation Published: July 2008 Authors: Moon Majumdar, Brad Mahugh Editors: Jim Becker, Fran Tooke Abstract This guide

More information

Centrify Server Suite Management Tools

Centrify Server Suite Management Tools SERVER SUITE TECHNICAL BRIEF Centrify Server Suite Management Tools Centrify Server Suite includes - at no extra charge - a powerful set of management tools in all editions: Centrify Identity Risk Assessor

More information

Active Directory Compatibility with ExtremeZ-IP

Active Directory Compatibility with ExtremeZ-IP Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP

More information

Using Microsoft Active Directory to Address Payment Card Industry (PCI) Data Security Standard Requirements in Heterogeneous Environments

Using Microsoft Active Directory to Address Payment Card Industry (PCI) Data Security Standard Requirements in Heterogeneous Environments WHITE PAPER CENTRIFY CORP. Using Microsoft Active Directory to Address Payment Card Industry (PCI) Data Security Standard Requirements in Heterogeneous Environments With Microsoft Active Directory and

More information

Quick Start Guide for Parallels Virtuozzo

Quick Start Guide for Parallels Virtuozzo PROPALMS VDI Version 2.1 Quick Start Guide for Parallels Virtuozzo Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Centralizing Mac Home. Live Webinar David McNeely Centrify Geordie Korper Group Logic

Centralizing Mac Home. Live Webinar David McNeely Centrify Geordie Korper Group Logic Centralizing Mac Home Directories on Windows Servers Live Webinar David McNeely Centrify Geordie Korper Group Logic Agenda EDA Overview Centrify DirectControl Group Logic ExtremeZ-IP Centralizing Home

More information

Windows Azure Pack Installation and Initial Configuration

Windows Azure Pack Installation and Initial Configuration Windows Azure Pack Installation and Initial Configuration Windows Server 2012 R2 Hands-on lab In this lab, you will learn how to install and configure the components of the Windows Azure Pack. To complete

More information

Stop Password Sprawl with SaaS Single Sign-On via Active Directory

Stop Password Sprawl with SaaS Single Sign-On via Active Directory CENTRIFY WHITE PAPER Stop Password Sprawl with SaaS Single Sign-On via Active Directory Abstract Organizations are rushing to SaaS in an effort to move business initiatives along faster than the traditional

More information

Administration Guide NetIQ Privileged Account Manager 3.0.1

Administration Guide NetIQ Privileged Account Manager 3.0.1 Administration Guide NetIQ Privileged Account Manager 3.0.1 December 2015 www.netiq.com/documentation Legal Notice For information about NetIQ legal notices, disclaimers, warranties, export and other use

More information

Becoming PCI DSS Compliant

Becoming PCI DSS Compliant WHITE PAPER Becoming PCI DSS Compliant 10 Key Security Requirements WWW.CENTRIFY.COM Becoming PCI DSS Compliant - 10 Key Security Requirements Contents Abstract 3 PCI Requirements Applicability Summary

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

Redeploying Microsoft CRM 3.0

Redeploying Microsoft CRM 3.0 Redeploying Microsoft CRM 3.0 2005 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies,

More information

Module 3: Implementing an Organizational Unit Structure

Module 3: Implementing an Organizational Unit Structure Module 3: Implementing an Organizational Unit Structure Contents Overview 1 Lesson: Creating and Managing Organizational Units 2 Lesson: Delegating Administrative Control of Organizational Units 13 Lesson

More information

Microsoft and Citrix: Joint Virtual Desktop Infrastructure (VDI) Offering

Microsoft and Citrix: Joint Virtual Desktop Infrastructure (VDI) Offering Microsoft and Citrix: Joint Virtual Desktop Infrastructure (VDI) Offering Architectural Guidance July 2009 The information contained in this document represents the current view of Microsoft Corporation

More information

VMware ESX Server 3 Configuration Guide

VMware ESX Server 3 Configuration Guide Date: 03/03/08 VMware ESX Server 3 Configuration Guide Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate National Security Agency 9800

More information

P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc.

P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. Product Category: Password Management/Provisioning Validation Date: TBD Product Abstract M-Tech software streamlines

More information

Centrify Identity Service and Mac - Online Training

Centrify Identity Service and Mac - Online Training C E N T R I F Y D A T A S H E E T M A R C H 2015 Centrify Identity Service and Mac - Online Training Overview This course is designed for administrators of the Centrify User Suite and mobile devices. At

More information

Configuration Management in the Data Center

Configuration Management in the Data Center Configuration Management in the Data Center Using Microsoft System Center Published: May 2008 For the latest information, please see http://www.microsoft.com/systemcenter Contents Executive Summary...1

More information

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

CONFIGURING ACTIVE DIRECTORY IN LIFELINE White Paper CONFIGURING ACTIVE DIRECTORY IN LIFELINE CONTENTS Introduction 1 Audience 1 Terminology 1 Test Environment 2 Joining a Lenovo network storage device to an AD domain 3 Importing Domain Users

More information

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines Introduction........................................................................................ 2 ESX Server Architecture and the design of Virtual Machines........................................

More information

How To Manage A Privileged Account Management

How To Manage A Privileged Account Management Four Best Practices for Passing Privileged Account Audits October 2014 1 Table of Contents... 4 1. Discover All Privileged Accounts in Your Environment... 4 2. Remove Privileged Access / Implement Least

More information

ADC9521: Surviving Regulatory Compliance in the Virtual Infrastructure

ADC9521: Surviving Regulatory Compliance in the Virtual Infrastructure ADC9521: Surviving Regulatory Compliance in the Virtual Infrastructure Patrick Daigle, VCP, VMware Operations Team Lead, CGI/ITM John Y. Arrasjid, VCP, Sr. Consulting Architect, VMware Agenda Compliance

More information

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server Getting Started Guide Parallels Small Business Panel for your Linux or Windows Server Getting Started Guide Page 1 Getting Started Guide: Parallels Small Business Panel, Linux & Windows Server Version

More information

RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware

RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware Contact Information Go to the RSA corporate website for regional Customer Support telephone

More information

ADMT v3 Migration Guide

ADMT v3 Migration Guide ADMT v3 Migration Guide Microsoft Corporation Published: November 2006 Abstract This guide explains how to use the Active Directory Migration Tool version 3 (ADMT v3) to restructure your operating environment.

More information

Best Practices for Adding Macs to Microsoft Networks

Best Practices for Adding Macs to Microsoft Networks WHITE PAPER Best Practices for Adding Macs to Microsoft Networks WWW.CENTRIFY.COM Best Practices for Adding Macs to Microsoft Networks Contents Abstract 3 Introduction 4 Requirements for Solving the Challenge

More information

Module 1: Introduction to Active Directory Infrastructure

Module 1: Introduction to Active Directory Infrastructure Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19

More information

Centrify DirectAudit Jump Start Service

Centrify DirectAudit Jump Start Service CENTRIFY DATASHEET Centrify DirectAudit Jump Start Service What is the Centrify DirectAudit Jump Start Service? The Centrify DirectAudit Jump Start Basic Service is designed to give customers a quick start

More information

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007 Best Practices: with Active Directory Technical White Paper September 2007 Contents Page 3 Page 4 Page 8 Page 10 Page 11 Page 13 Apple s Built-In Solution How to Integrate Mac OS X with Active Directory

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Centrify Mobile Authentication Services for Samsung KNOX

Centrify Mobile Authentication Services for Samsung KNOX Centrify Mobile Authentication Services for Samsung KNOX SDK Quick Start Guide 3 October 2013 Centrify Corporation Legal notice This document and the software described in this document are furnished under

More information

Managing Linux Servers with System Center 2012 R2

Managing Linux Servers with System Center 2012 R2 Managing Linux Servers with System Center 2012 R2 System Center 2012 R2 Hands-on lab In this lab, you will use System Center 2012 R2 Operations Manager and System Center 2012 R2 Configuration Manager to

More information

Using Emergency Restore to recover the vcenter Server has the following benefits as compared to the above methods:

Using Emergency Restore to recover the vcenter Server has the following benefits as compared to the above methods: Executive Summary This document provides certain best practices with regards to the Emergency Restore feature in vsphere Data Protection 5.5 release. It also describes the methods and processes to be used

More information

File Services. File Services at a Glance

File Services. File Services at a Glance File Services High-performance workgroup and Internet file sharing for Mac, Windows, and Linux clients. Features Native file services for Mac, Windows, and Linux clients Comprehensive file services using

More information

Microsoft Hyper-V Server 2008 R2 Getting Started Guide

Microsoft Hyper-V Server 2008 R2 Getting Started Guide Microsoft Hyper-V Server 2008 R2 Getting Started Guide Microsoft Corporation Published: July 2009 Abstract This guide helps you get started with Microsoft Hyper-V Server 2008 R2 by providing information

More information

Unicenter Remote Control r11

Unicenter Remote Control r11 Data Sheet Unicenter Remote Control r11 Unicenter Remote Control TM is a highly reliable and secure application for controlling and supporting remote Windows and Linux systems. It delivers all of the features

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

DIGIPASS Authentication for GajShield GS Series

DIGIPASS Authentication for GajShield GS Series DIGIPASS Authentication for GajShield GS Series With Vasco VACMAN Middleware 3.0 2008 VASCO Data Security. All rights reserved. Page 1 of 1 Integration Guideline Disclaimer Disclaimer of Warranties and

More information

Centrify Express72 Jump Start Upgrade Service

Centrify Express72 Jump Start Upgrade Service CENTRIFY DATASHEET JUNE 2015 Centrify Express72 Jump Start Upgrade Service Summary This Jump Start package streamlines the migration from Centrify Express Edition for UNIX and Linux to Centrify Server

More information

AD RMS Step-by-Step Guide

AD RMS Step-by-Step Guide AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to

More information

Simplifying. Single view, single tool virtual machine mobility management in an application fluent data center network

Simplifying. Single view, single tool virtual machine mobility management in an application fluent data center network Simplifying Network Administration in an Alcatel- Lucent VMware Virtual Environment Single view, single tool virtual machine mobility management in an application fluent data center network Strategic White

More information

How To Set Up Egnyte For Netapp Sync For Netapp

How To Set Up Egnyte For Netapp Sync For Netapp Egnyte Storage Sync For NetApp Installation Guide Introduction... 2 Architecture... 2 Key Features... 3 Access Files From Anywhere With Any Device... 3 Easily Share Files Between Offices and Business Partners...

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Centrify Server Suite, Standard Edition Design Service

Centrify Server Suite, Standard Edition Design Service Centrify Server Suite, Standard Edition Design Service What is the Centrify Server Suite, Standard Edition Design Service? This package creates a design document consistent with Centrify s best practices

More information

Technical Overview of Terminal Services

Technical Overview of Terminal Services Technical Overview of Terminal Services Microsoft Corporation Updated: January 2005 Abstract Windows Server 2003 includes the Terminal Services features of Windows 2000, the client and protocol enhancements

More information