Managing Group Policies for Non-Windows Computers through Microsoft Active Directory

Transcription

1 White Paper Managing Group Policies for Non-Windows Computers through Microsoft Active Directory Abstract Administrators currently have the option either to use Open Source tools or implement professional, scalable, and supported solutions like PowerBroker Identity Services Enterprise when standardizing identity management on Windows. The present paper discusses the advantages and disadvantages of both approaches. BeyondTrust 2173 Salk Avenue Carlsbad, California Phone:

2 Contents Executive Summary... 3 Managing Group Policies... 4 Predominance of Windows Platform... 4 Group Policy Management... 4 Schema Extension... 4 Ease of Use... 5 Uniformity of Management... 5 Policy Management Features Available through Active Directory... 5 Management Complexities in the UNIX Environment... 6 Cross platform Challenges... 7 Limitations of sudo... 7 Limitations of NIS/NIS Limitations of RBAC... 7 Kerberos Authentication... 7 Limitations of File Permissions in UNIX... 8 Managing Policies Across Different Flavors of UNIX/Linux... 8 Advantages of Managing UNIX Policies with BeyondTrust... 9 Complexities of Managing Policies in Mac OS X Environment BeyondTrust Solution for Mac Desktop Policy Management Summary Contact Information Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

3 Executive Summary Currently, midsize and large enterprises have to manage identities and policies uniformly across a heterogeneous platform base. This need arises from increasing node management costs, the desire to improve security posture, and industry regulatory requirements. The most efficient way to manage policies and identities on non Windows platforms in these environments is to choose Windows as a common ground for the storage, management, and enforcement of such policies. Windows is chosen as a common ground, because it is a scalable and reliable platform with excellent, intuitive management tools. Administrators can use Open Source tools or professional, scalable, and supported solutions like PowerBroker Identity Services Enterprise when standardizing identity management on Windows. The present paper discusses the advantages and disadvantages of both approaches. This white paper discusses how PowerBroker Identity Services Enterprise enables organizations to integrate and manage their UNIX, Linux, and Mac computers using Microsoft Active Directory tools. The paper briefly describes the proliferation of Windows and then moves on to describe how Active Directory features, such as Group Policy and extensions to Active Directory schemas, enable the management of UNIX like systems. The paper then discusses why Windows well-known ease of use advantages make management of non Windows systems through Active Directory an attractive alternative. The remainder of the white paper provides a more technical discussion of UNIX management complexity and why incorporating a Windows Policy based management alternative provides organizations with a uniform use and management model for their computing environments. Finally, the paper describes how PowerBroker Identity Services Enterprise works to bring together Active Directory and UNIX management under Windows Group Policies. 3 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

4 Managing Group Policies Predominance of Windows Platform Microsoft Windows Server and Active Directory have come to dominate business computing. This has resulted in the need for non Windows devices and applications to interoperate with and even be managed within a Microsoft Windows Active Directory environment. Besides being one of (if not the) most widely deployed scalable directory solutions, Active Directory is also the widest deployed and most robust commercial implementation of Kerberos. Over the years, Microsoft has been successfully able to deliver a scalable computing solution from the server to the client, particularly because of the ease of use of its graphical user interface. Besides addressing the operating system, directory, and storage markets, Microsoft s enterprise class applications such as Exchange and SQL Server depend upon directory based authentication. In addition, many third party applications such as PeopleSoft and SAP incorporate AD authentication. Given the roadmap offered by Microsoft, this interconnection of the directory side and the application side will only increase. The following sections describe the advantages of Microsoft Windows marketplace success from a heterogeneous environment perspective. Group Policy Management Unlike the other directory vendors, Microsoft has delivered profile and desktop management on a large scale. Unlike vendors such as Novell or Sun Microsystems who only have partial solutions, Microsoft is able to automatically push policies through the domain from the server to the client. The enhanced group policy implementation in Windows Vista and Windows Server 2008 have allowed administrators to centrally manage a greater number of features and component behaviors than were possible in the previous versions. With the continuing consolidation of IT vendors, the enterprise computing landscape will be undoubtedly be geared more and more toward Windows platforms. Schema Extension Over the years, Microsoft has lessened its aggressive stance toward UNIX, starting with adding some interoperability in Microsoft Services for UNIX 3.0 (SFU 3.0), and extending that in SFU 3.5. Most recently, in Windows 2003 Server R2, Microsoft has incorporated most of the features of SFU 3.5, adding the ability to extend AD schema with UNIX compliant attributes in accordance with RFC This simplified the integration of cross platform identity management by eliminating the need to choose between the storing of UNIX object credentials in the existing classes (so called non schema mode) and the non supported extension of the AD schema. Now administrators can take advantage of RFC 2307 by using UNIX and Linux specific attributes that are built into the AD schema. 4 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

5 Ease of Use It is generally accepted that Windows management tools are easier to use that their UNIX and Linux counterparts. This is one of the major reasons that Microsoft has won the desktop client and server enterprise management battle. Administrators today very infrequently must be involved with the error prone manual editing of configuration files or rely on writing scripts and executing them from the command line. In fact, creating and pushing the enterprise policy across thousands of clients can be performed with few mouse clicks from one of the policy management plug ins for the Microsoft Management Console. Uniformity of Management The various vendors UNIX and Linux platforms are notoriously different from one another: they have different management tools and different desktop interfaces. Looking at a number of popular Linux distributions from Red Hat, SUSE, and Ubuntu, it becomes clear that Linux did not deliver the uniformity hoped for. Since it is clear that UNIX and Linux must inevitably interoperate with Windows, there is a heightened need for standardized authentication and management tools. Fortunately, Microsoft now offers such common ground: the combination of an Active Directory framework and Group Policy management. This is where UNIX administrators can take a lazy approach, since both the framework and the management tools have been already written, scaled, tested, and delivered to the enterprise. All it takes is to tap into this offered technology and use AD for uniform policy management. Policy Management Features Available through Active Directory Windows policy management allows administrators to automatically and intuitively enforce a large number of end node parameters across the domain in a hierarchical fashion. These parameters include security settings, wired and wireless settings, startup and shutdown scripts, software restrictions, QoS, IPSec, remote software installation settings, access restrictions to local hardware, and many more. Increased group policy settings appearing in Microsoft Vista and the upcoming Windows 7clearly indicates that this is the desktop management approach that Microsoft has chosen. All these policies are edited and enforced from the Microsoft Group Policy Management Console (GPMC), a comprehensive and intuitive suite of policy management tools available as a Microsoft Management Console (MMC) snap in. GPMC allows administrators to launch the Active Directory Users and Computers (ADUC) console to apply policy objects to the desired OU (Organizational Unit) level and launch Group Policy Object Editor (GPOE) to modify group policy settings within group policy objects. Overall, the above-described suite of tools allows administrators to easily create multiple group policies and enforce them at different OU levels. 5 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

6 Management Complexities in the UNIX Environment Interoperability between Windows and UNIX has always been a problem repeatedly addressed with limited success from both OSs. While porting applications across platforms is often impractical, cross platform authentication allows administrators to deliver UNIX applications (particularly Web based applications) to the Windows realm, providing a faster and more convenient solution. By the same token, allowing Windows users to authenticate and manage UNIX systems simplifies tracking identities, making the overall UNIX user experience more pleasant. Some attempts to have Windows and UNIX interoperate have met with moderate success. Microsoft Services for UNIX (most features of SFU have been incorporated into Windows Server 2003 R2 and Windows Server 2008) offers limited interoperability between AD and NIS, plus a password synchronization utility. Specifically, SFU offered a service that would synchronize UNIX UIDs/GIDs and Windows user and group identities (SID) bi-directionally in one to one and many to one mode. Additionally, SFU offered bidirectional Windows to UNIX and UNIX to Windows password synchronization that supports both local and domain account Windows password synchronization. However, these features did not support very many UNIX flavors while requiring a fair amount of manual configuration work to be implemented. Documents for UNIX and Linux platforms also offer limited interoperability at the cost of extensive manual labor associated with editing configuration files, sometimes on each participating host. This is a tedious and error prone procedure. Several how to documents of this kind have been maintained since the year 2000, particularly addressing authentication through pluggable authentication modules. Unfortunately, not all the UNIX and Linux flavors are supported and the implementation requires laborious manual configuration and extensive testing. An incorrect configuration can not only result in failed user authentication but also make the UNIX host less secure. There are similar documents for Samba, Apache, and SSH authentication. Additionally, the recommendations and implementations change from application to application, particularly in the versions of supported tools and the location and format of the configuration files. Frequently, the recommended modifications are not supported by either the UNIX or Linux vendors or Microsoft, which makes it difficult to implement these changes in a production environment. Therefore, should the particular platforms need to be supported, administrators need to have extensive knowledge of both platforms and rely on often untimely free technical advice from Internet forums. Supporting cross platform authentication in such a manner is stressful and counterproductive. 6 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

7 Cross platform Challenges The following sections describe the cross platform challenges administrators must face. Limitations of sudo sudo is used as an alternative to the extensive use of the root account for management purposes. sudo allows non privileged accounts to execute privileged commands. While a great idea, as typically implemented sudo has a number of drawbacks. Among these are the need to manually apply and maintain the sudoers file across all the managed systems, test each configuration change, and make modifications to each node when a new administrator joins or leaves the company. Limitations of NIS/NIS+ While NIS is still widely used for domain authentication, the technology has known security limitations (a client can retrieve the entire NIS password database for offline inspection), is not very scalable, and has inefficient replication processes. While NIS+ has fixed a number of NIS drawbacks, by being hierarchical, requiring server authentication, and allowing permissions on operations, NIS+ is difficult to administer, requires special backup procedures, and has limited scalability particularly with multiple domains and over 1,000 clients. In this regard, the scalability and robustness of Active Directory offers a far better alternative. Limitations of RBAC Role based access control (RBAC) is another approach at restricting system access to authorized users. RBAC is based on roles that are created for various job functions. The operations permissions are assigned to roles rather than users. Rights management is simplified by assigning a user to a particular role, simplifying operations. However, in large heterogeneous environments management of RBAC memberships becomes extremely complex as it lacks hierarchical creation of roles and privilege assignments. Additionally, not all the users have the same role on different systems, which further complicates the administration process. Kerberos Authentication Kerberos configuration requires running a daemon, synchronizing time between the server and the client via NTP, installation of the pam_krb5 module, and making applicable changes to the sample configuration files provided with the distribution. Administrators, therefore, have to rely on an extensive knowledge of both platforms and on the not always timely third party help from the Internet forums to get Kerberos implemented within a UNIX or Linux environment. Obviously, handling domain authentication in such a manner is time consuming and prone to error. 7 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

8 Limitations of File Permissions in UNIX In UNIX, a file has three classes of permissions: the owner, the group, and everyone. Each class has three levels of access rights: read, write, and execute. This offers far less flexibility than a Windows environment, where multiple local and domain based file permissions can be granted for users and groups. Linux Security Modules (LSM), which are included with the SELinux 2 security framework, offer more granular file access but at the cost of CPU overhead. Managing Policies Across Different Flavors of UNIX/Linux In heterogeneous environments, administrators have to enforce standard policy settings across multiple flavors of UNIX, each often using different desktop environments (GNOME, KDE, Sun Java Desktop System, etc). These desktop environments differ in the parameters that can be modified and in the format and location of the configuration files. Thus, when pushing policies, administrators have to manually filter the enforced settings on a per target platform basis requiring either polling the system OS or maintaining lists containing the systems and corresponding OSs. This is another timeconsuming and error prone process. 8 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

9 Advantages of Managing UNIX Policies with BeyondTrust PowerBroker Identity Services Enterprise is capable of solving all the above problems in a simple and intuitive fashion. The technology offers seamless integration of over a hundred different UNIX/Linux operating systems with Active Directory for both authentication and policy management needs. PowerBroker Identity Services Enterprise offers centralized management of identities, desktop environments (including 2500 plus Gnome policy parameters), credential caching for off line connection, OS based client policy filtering, NIS and user migration tools, as well as auditing and reporting functionality. With PowerBroker Identity Services Enterprise technology, administrators can easily deliver Kerberos based single sign on for such applications as telnet, FTP, SSH, rlogin, rsh, LDAP queries against AD, and Apache HTTP server. BeyondTrust simplifies account management by assigning each user a unique ID, which is provisioned and centrally managed through Active Directory. BeyondTrust s unique cell technology can map users to different UIDs and GIDs for different computers, eliminating the need for multiple local user accounts. The BeyondTrust extension to the Microsoft Active Directory User and Computers MMC snap in allows administrators to create an associated cell for an OU and then use the cell to manage UID GID numbers. This allows AD user to access non Windows node in selected BeyondTrust cells: 9 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

10 The above features let administrators integrate non Widows nodes into a Windows AD authentication and management framework with adequate policy management, user provisioning, and reporting tools. Complexities of Managing Policies in Mac OS X Environment Over the years, the Apple Macintosh computer has maintained a small but stable share of the computing environment. While being used primarily for audio, video, and graphics editing, the Macintosh offers extreme ease of use compared to Windows (not to mention UNIX) coupled with a plethora of high end graphics applications designed and compiled for the Macintosh platform. Apple s marketing effort is maintaining and somewhat expanding the OS X market share, which has now surpassed 8 percent. Part of this success can be attributed to the use of a stable UNIX kernel in OS X and more standard PC components, such as Intel microprocessors, PCI E slots, and DDR memory. This introduced Apple to a pool of hardware that is more reliable, less expensive, and comes in wider variety than the components in older RISC processor based Macintoshes. Unfortunately, from an enterprise computing perspective, Apple does not have robust enterprise management tools. There are a number of reasons for this. First, the Macintosh has never been a widespread enterprise class platform, so Apple never needed to address the issues of scalable directory service, terabytes of storage, or centralized computational facilities. Thus enterprise messaging and data management applications such as Microsoft Exchange, Lotus Notes, SQL Server, and so forth have never been ported to Apple s Macintosh servers. Even now few enterprise class products are available for the OS X platform. Secondly, the primary use of Macintoshes is in the graphics departments, a technologically and organizationally secluded group that requires sharing among Macintosh users only and interoperating with the rest of the IT infrastructure via sharing printers, storage, and Internet access. This situation certainly did not call for provisioning and identity solutions to the depth and scalability of its Windows counterparts. On the bright side, since Apple did not excel in enterprise management tools, others such as Microsoft, Novel, and Sun have created the infrastructure allowing Macintosh users to tap into a reliable framework of user and desktop provisioning. The Macintosh platform uses a recently added Workgroup Manager (WGM) to manage users, groups, shares (with access permissions), and client preferences. The application allows administrators to modify accounts (including users, groups, and computer lists), assign privileges, manage share points, and modify desktop preferences that define the user experience for clients bound to Apple s Open Directory domain. WGM requires an OS X Server as a centralized repository of user information. While being a big step for Macintosh management, the product pales in comparison with widely recognized enterprise user provisioning solutions. 10 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

11 BeyondTrust Solution for Mac Desktop Policy Management The BeyondTrust solution for managing Macintosh desktops allows administrators to store settings in Active Directory rather than on a Macintosh OS X Server. Besides decreasing the cost of the solution and offloading AD maintenance to Window administrators, Macintosh user settings are now stored in a more robust and scalable directory. Since storing third party data in Active Directory requires either irreversible schema changes (which may not be agreeable with Windows administrators) or using non standard fields (which is cumbersome); initially non Windows vendors were reluctant to store user credentials in AD. This is where BeyondTrust comes to the rescue. By taking advantage of RFC 2307, PowerBroker Identity Services Enterprise integrates user authentication with Active Directory (in the same way as Macintosh Active Directory Plug In allows Macs to authenticate to Macintosh OS X Open Directory) offering a mechanism that allows Workgroup Manager settings to be stored in Active Directory Group Policy Objects. PowerBroker Identity Services Enterprise contains a utility to join Macs to Active Directory, letting them participate in AD based user authentication and in group policy processing. From that point on, administrators can connect to Active Directory from the Workgroup Manager interface and store settings in the GPO. From the Windows side, administrators can use GPMC to store and manage Mac policy settings. 11 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.

12 As a result, PowerBroker Identity Services Enterprise brings together the advantages of the Macintosh Workgroup Manager with the robustness and uniform policy management tools of Active Directory in a seamless and intuitive fashion. Summary PowerBroker Identity Services Enterprise allows for seamless enforcement of group policies from Windows Active Directory Group Policy Manager across UNIX, Linux, and Macintosh platforms. It does this with Windows GUI based policy management interfaces for authentication of non Windows users and applications against Microsoft Active Directory. Additionally, PowerBroker Identity Services Enterprise offers adequate reporting and troubleshooting tools. All the above, along with a very affordable per seat cost, make PowerBroker Identity Services Enterprise indispensible for heterogeneous enterprises that require tight user and policy management. Contact Information For more information about this report or if you have any questions, please contact: BeyondTrust Corporate Headquarters 2173 Salk Avenue Carlsbad, CA (tel) info@beyondtrust.com 12 Managing Group Policies for Non-Windows Computers through AD BeyondTrust Software, Inc.