TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT. Windows Host Access Management with CA Access Control

Transcription

1 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT Windows Host Access Management with CA Access Control

2 Table of Contents Executive Summary SECTION 1 2 Windows Servers in Today s Security Management Environment SECTION 2 2 Fine-grained Access Control SECTION 3 5 Advanced Policy Management and Reporting SECTION 4 8 Operating System Hardening SECTION 5 9 Secure Auditing SECTION 6 11 Cross-platform Protection SECTION 7 11 CA Access Control Architecture SECTION 8 12 CA Access Control Part of a Bigger Identity and Access Management Solution SECTION 9: CONCLUSIONS 13 Copyright 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document As Is without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

3 Executive Summary Challenge Microsoft Windows is the most widely adopted server operating system on the market today. Driven by security concerns and regulatory compliance, organizations are under increasing pressure to protect the sensitive data and applications residing on their Windows servers. Using native tools like Active Directory and Group Policies, effectively combining security and IT management within a single framework, presents security concerns regarding separation of duties, as well as manageability and auditing. Additionally, many administrators share accounts, which are not managed by a central policy presenting separation of duties and audit reporting issues. This lack of a central policy also impacts the ability for administrators to manage diverse environments including Windows, LINUX and UNIX servers. Opportunity A separate, independent security system is required to protect mission-critical server resources. This solution must operate at the system level to avoid interference with IT administration groups and provide a trusted and reliable security administration system. As most organizations have deployed a variety of operating systems, this solution must enable efficient management and enforcement of these security policies across all systems including Windows, but also UNIX, Linux and virtualized environments. Benefits CA Access Control provides additional protection for server resources, which complements the native Windows operating system (OS) model and enables a strong defense-in-depth security practice while reducing the complexity and cost of managing access and reaching compliance. As a complete access management solution for mission-critical servers, CA Access Control achieves these goals through: Fine-grained access control and segregation of duties to prevent internal access abuses Advanced policy management to enable efficient centralized management of security policies across the enterprise Policy-based compliance reporting of user entitlements and policy compliance Operating system hardening to reduce external security risks and ensure operating environment reliability Granular, high-integrity auditing for compliance fulfillment TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 1

4 SECTION 1 Windows Servers in Today s Security Management Environment Servers are essential components to IT infrastructures as they support critical applications and sensitive corporate, customer and partner data. These servers must be continuously protected from a variety of threats, both external and internal. To date, many organizations have taken steps to protect their servers from external threats by deploying firewalls, anti-virus or anti-spyware solutions. However, a commonly overlooked threat is the threat from within an organi zation. This vulnerability presents itself in the form of over-privileged administrators and weak levels of accountability. Providing adequate internal controls to protect these host systems is critical to risk mitigation as well as meeting regulatory compliance. This is often a complicated issue considering the number of different kinds of administrators that are involved in keeping servers up and running on a daily basis. Technically, many of these workers have access to more resources than they require to perform their job function. This also results from shared local administrator accounts typically used for emergency situations. Unfortunately, native Windows operating systems lack the ability to appropriately segregate administrative duties or trace audit records back to the original user. This issue is further complicated when there are a variety of servers involved such as UNIX, Linux or virtualized operating systems and consistent security policies must be managed across the extended enterprise. Enterprise-wide host access management solutions are important investments to protect critical data, fulfill compliance needs and enable cost-effective administration. SECTION 2 Fine-grained Access Control In an Active Directory forest system, the domain administrator is the equivalent of a superuser. While their primary role is as owner of IT infrastructure setup and management, they also have unlimited power to create, modify, copy or disable any security resources and services within the forest, sub-domains and systems. Unfortunately, this account may not be well protected by default and login information is often informally shared amongst employees in various adminis - trative roles. This creates a security management nightmare when it comes to separation of duties and maintaining full accountability. CA Access Control is an independent security enforcement solution which does not rely on the Windows OS or Group Policy. Operation at the system level enables monitoring and regulation of any access to system resources, including those originating from domain or local system administrators. CA Access Control provides fine-grained access enforcement capabilities to regulate, delegate and contain domain administrators or any other account within the forest, domain and servers. These access rights are granted by defined roles and enforced separately from native Windows access controls. 2 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

5 Role-based Access Control A major Windows security risk is the potential for an unauthorized person to gain control of a user account in the local or domain administrators groups. Should this happen, the unauthorized user can cause enormous damage by changing critical registry keys, stopping auditing services, modifying audit logs or tampering with other critical services. CA Access Control reduces Windows vulnerability risks by limiting the rights granted to administrator accounts and groups to the minimum permissions needed for each to perform their job function. FIGURE A CA Access Control enforces appropriate access to resources and granular audit of sensitive activity. SEGREGATION OF DUTIES Dynamic Control Group Policy is based on the definition of an access permission hierarchy. Permission changes are propagated to subsequent files and folders based on an inheritance mechanism. This static permission system updates all file permissions at the time of command issue time, meaning propagation of changes can take a long time, especially in a large server environment. It is also difficult to predict the impact of permission change making it very hard to control. CA Access Control employs a dynamic permission system that determines access permissions at request execution time. Protection can be defined on generic resources using wildcards (*). This provides real-time protection while simplifying policy deployment and allowing more flexible rules to be implemented. Granular Delegation Through the Windows superuser account, any permission can be delegated to any user, regardless of whether it is an IT or security function. CA Access Control regulates privileges that can be delegated to non-administrative users. In this manner, necessary access can be delegated to perform IT or application administration tasks while CA Access Control scopes security privileges for security-related staff. TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 3

6 CA Access Control also controls surrogate user delegation capabilities to reduce the exposure that Windows provides through programs like Run-As. For example, an administrator could use Run-As to surrogate to another person s profile to change a file s access control list (ACL) attributes without any accountability for their actions. CA Access Control protects on multiple levels by first limiting those who use Run-As and subsequently tracking back to the true identity of those who do. Shared Resource Access On critical Windows servers, files and resources are often defined as shared resources to provide open access to users. This makes auditing each access to these shared resources a daunting task. CA Access Control provides full shared access monitoring and control on mission-critical servers. Preservation of full user access trails makes it easy to build accurate history reports for forensic or compliance requirements. Generic Resource Protection Group Policy is a static enforcement algorithm that sets all file permissions to each specific physical file. This presents a challenge for controlling resources that do not currently exist, but may come in the future. CA Access Control allows the creation of security policies governing storage of specific types of files, such as.mp3,.jpg,.mpg or files similar to the existing files that have not yet been created. CA Access Control also provides name pattern protection for files regardless of whether they currently exist or not. Wild cards can be incorporated for resource naming patterns to create an ACL for a type of resource on a system. For example, a policy can disable read and write execution of all.bat script files for users that are not in the SysAdmin or SecAdmin groups. Suspend on Inactivity Security violations can occur from unauthorized access through accounts whose owners are away or no longer employed by the organization. CA Access Control can protect systems by proactively identifying accounts that have been inactive for a specified number of days and preventing those accounts from being used to log in. Authorization APIs CA Access Control provides APIs that can be used by user applications to check authorization permissions. It is also possible to use the authorization APIs to protect user-defined entities such as database records or fields, reports or screens. Programmers can place CA Access Control API function calls directly in programs to check authorization before performing tasks. Services Control CA Access Control can enforce policies to limit the ability of administrators to perform Windows services operations such as start, stop or modify services properties. This capability allows the enforcement of Separation of Duties at the application level and protects these services from unauthorized system administrators. 4 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

7 Warning Mode Windows lacks the ability for organizations to examine the behavior of certain resource access restrictions without actually enforcing the restriction. CA Access Control Warning Mode is commonly used by organizations to determine if proposed security policies are too strict or too lenient so they can be modified accordingly. If a restriction is suspected to have an adverse effect on the execution of a system application CA Access Control allows them to specify restrictions and substitute a warning message for the enforcement of the restrictions. Validation Mode CA Access Control provides the ability to instantly validate the effects of a security policy without enforcing the restriction. After selecting a user and resource, the validation check command determines whether or not the user has permission to access the resource given the current security policy. CA Access Control also includes a password validation function, which instantly determines if a proposed password qualifies with specified policy. These features allow effective policy validation without impacting production systems. Network Protection The openness of a TCP/IP network is one of its most appealing features. But in terms of security, this is a major deficiency. CA Access Control provides the functionality of a hostbased firewall without requiring a dedicated device for that purpose. CA Access Control can require that specific clients send specific TCP/IP services to specific hosts, while only certain hosts can send specific TCP/IP services to the local host. By limiting outgoing connections within the network based on the user s identity, CA Access Control minimizes the risk of allowing external access through a firewall. Legitimate Internet visitors can also be confined to a specific set of services and systems within the network. For example, an organization might choose to allow external contractors to access specific servers via VPN, but restrict them from propagating to additional servers on the network. SECTION 3 Advanced Policy Management and Reporting* CA Access Control s enterprise-class scalability results from a distributed model of distributing policies to all managed servers. This Advanced Policy Distribution Architecture uses a central Deployment Map Server (DMS) and Distribution Hosts (DH) to distribute policy deployments to endpoints, and send back deployment information from the endpoints to the DMS. This infrastructure is decoupled from the logical assignment of the policies and is easy to set up, extend and configure for high availability, failover and disaster recovery. CA Access Control supports running the DH in a clustered environment (server farms), which increases the number of endpoints nodes that can be supported. The policy architecture relies on the following server components: DEPLOYMENT MAP SERVER Sits at the core of advanced policy management. The purpose of the DMS is to store policy management data. You manage a single database (the DMS), which then sends events to distribution hosts. *Some features listed are only available in CA Access Control Premium Edition TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 5

8 DISTRIBUTION HOST Is responsible for distributing policy deployments, made on the DMS, to endpoints, and for receiving deployment status from endpoints to send to the DMS. Modeled after the time-tested method of distributing anti-virus definitions, CA Access Control endpoint agents check regularly for new deployments on the DH, and download and apply these as necessary. Execution results are then sent back to the DH, which sends them to the DMS for centralized auditing. Also, a heartbeat lets the DMS (through a DH) know that the endpoint agent is operational and the host is running. FIGURE B The architecture distributes policies to all managed services via a distributed advanced policy management architecture. CA ACCESS CONTROL POLICY MANAGEMENT ARCHITECTURE Centralized Administration Managing security across Windows servers typically involves using the same tools that IT administrators use. This proximity of functions for system and security administrators often presents security control and authorization delegation complications and ambiguity. CA Access Control s centralized Web-based interface is simple, intuitive and lets you perform advanced policy management and also provide a worldview that lets you view and manage your entire CA Access Control environment of servers. The Web-based interface also allows you to manage individual endpoints or Policy Models. CA Access Control can also manage native Windows resources including shares, files, disks, COM ports, registry keys and values, domains, users, groups, printers, processes, services, devices, user sessions, Windows password policy and Windows audit policy settings. Additionally, the user interface is consistent across all CA IAM offerings (CA SiteMinder, CA Identity Manager and CA Access Control) utilizing the common CA framework for look and feel and administrative scoping and task delegation, further reducing the time to value for administrators already familiar with CA s management tools. 6 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

9 Logical Host Grouping CA Access Control allows you to group endpoints into logical host groups and then assign policies based on this host group membership, regardless of how your endpoints are organized in the Policy Model hierarchy. Hosts can be members of a number of logical host groups depending on their properties and policy demands. For example, if you have hosts running Windows Server 2008 and Oracle, these can be members of a Windows Server logical host group to get the baseline Windows access control policy, and also members of the Oracle logical host group to get the Oracle access control policy. Logical host groups decouple policy assignment from policy distribution. This simplifies policy management as it does not require you to change your hierarchy to fit policy assignment requirements and lets you manage smaller, more specific policies, and more focused host groups Policy Deviation Reports It is naïve to think that monolithic policies can be deployed across a large server environment without allowing exceptions. These exceptions might be imposed due to legitimate business or legacy requirements but they must be managed properly and done with accountability. CA Access Control provides a reporting feature to let you measure the compliance of your entire environment to specified policies and allows you to compare policies that should be active on a particular machine to policies actually deployed. This ability to quickly identify policy gaps supports your efforts to continuously meet compliance standards. Policy and Entitlements Reports CA Access Control simplifies security assessment tasks through reports about compliance exposures associated with operating systems, databases and applications. This report data is stored in a standard RDBMS and can also be leveraged by other data analysis tools. CA Access Control host reports present system-centric information such as configuration, security and policy status. Policy-based reports are based on the effective policy being enforced and provide proactive views of who has access to what resources across your distributed and virtual server environ - ment. These reports allow you to generate reports required by your auditors, such as User and Group Entitlement Reports, Policy Compliance Reports, Orphan Account Reports, among others. These proactive reports complement existing event-based auditing by allowing you to monitor compliance requirements and highlight existing discrepancies before incidents occur. CA Access Control comes with over 30 sample reports for common compliance needs such as user and group entitlements, inactive accounts, password aging, policy compliance etc. Event-based reports are also supported through integration with the CA Audit product. TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 7

10 SECTION 4 Operating System Hardening A critical layer to the defense-in-depth strategy is protecting the OS against unauthorized external access or penetration. CA Access Control offers several external security measures including stack overflow protection, firewall network control and Trojan Horse defense. This additional layer of security allows organizations to buffer the time requirements on OS patch deployment when new attacks are discovered. Reducing the number of emergency patch operations reduces server downtime and saves production costs. Stack Overflow Protection Stack Overflow Protection is a CA Access Control technology that prevents hackers from exploiting an application's specific memory space to inject malicious code inside the system. CA Access Control carefully monitors and protects applications, such as mail servers, by guarding memory space and program tracking information, so that even in the event of memory overflow, the malicious code cannot be activated by the system. In this manner, hackers have no way to target application memory stack vulnerabilities. CA Access Control records all malicious actions in both the standard audit log and in-memory overflow log, with detailed code descriptions for further investigation. This is relevant to all Windows servers, especially those in perimeter network zones. Trusted Program Execution To prevent the operating environment from being tainted by malware, particularly Trojan Horses, CA Access Control provides first-line trusted program protection. Through CA Access Control, sensitive resources can be marked as trusted. These files and programs are monitored and CA Access Control will block execution should the program be modified by malware. The CA Access Control administrator can choose from various algorithms to apply to each trusted resource, ensuring that executed programs have not been inappropriately replaced or modified. In addition to periodic checking of trusted resources, checks are made at run-time when the program or file is opened. Changes to trusted resources can be limited to specific users or user groups to further reduce the likelihood of unexpected change. Context Control Exploits can gain privileges through Windows services, which frequently run under the SYSTEM account. This account is very powerful on Windows because changing services security context to another user different from the SYSTEM user can lead to service failure. CA Access Control has the ability to protect applications like Exchange Server, SQL Server or IIS by limiting these applications behavior in accessing resources. The goal is to protect sensitive resources from SYSTEM account access without changing the original security context of services. Registry Protection The Windows registry is a clear target for hackers and malicious users as the centralized database containing operating system parameters including those that control device drivers, configuration details and hardware, environment and security settings. 8 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

11 CA Access Control provides registry protection through the support of generic rules inside the registry. These rules can block administrators from changing or tampering with the registry settings. CA Access Control registry protection can also ensure system processes have access only to specific keys within the registry. CA Access control can also define separate access rights to specific registry values. Application Jailing Windows servers are a prime target as a springboard for extended network attacks, especially when popular Windows server applications are involved. The application jailing feature allows accepted actions to be defined for high-risk applications. Any behavior that exceeds these bounds will be restricted by CA Access Control. CA Access Control includes a Special Program (SPECIALPGM) class to classify certain mission-critical programs. SPECIALPGM protects specified programs by associating a logical user name with the Windows user name required to run the program, authorizing only the logical user to run the program. This mitigates security risk associated with functional IDs. For example, an ACL can be built based on a logical ID which owns Oracle processes and services so its jailed behavior prohibits it from any actions besides starting Oracle DBMS services. Program Pathing Program pathing is the ability to require that a specific resource be accessed by a user only through a specific program. Combining these application specifications with user, file and calendar parameters allows flexible and granular access policies to be built. For example, the accounting team can only access the file employee_data using specific payroll applications. SECTION 5 Secure Auditing Windows logging capabilities are shared by all system tools and applications on the system. This creates a large auditing pool for all types of data, without a clear, security-specific auditing and reporting distinction. Meanwhile, security requirements and compliance mandates that un-tampered security audit logs cannot be shared with other application logs or viewed by non-security administration personnel. CA Access Control provides independent audit logs that cannot be modified by unauthorized users, including domain or system administrators. Delivered to CA Audit or CA Security Command Center, CA Access Control security events can be collected, filtered and consolidated for reporting and analysis. In addition, combinations of security events, which represent a significant threat can be correlated in real time and made to trigger security alerts. Multi-level Granularity Windows auditing capabilities are global in nature and do not allow for specific auditing thresholds to be set on individual resources. CA Access Control provides granular auditing capabilities on any defined resource. Different auditing thresholds can be set for any user, group or resource depending on the criticality of the resource. TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 9

12 CA Access Control has three auditing settings: Success generates an event anytime an audited resource is successfully accessed, Failure tracks anytime access is denied and Warning generates an audit record anytime an access policy is violated, although CA Access Control does not deny access. Organizations can define the auditing mode or combination of modes that should be enforced for each user, group or resource. For example, the auditing for the security administrators group and general audit level for Files may be set to Failure, but specifically for the system configuration files, auditing events will be generated for both Success and Failure. Granular Audit CA Access Control provides an independent audit log solely for security events pertaining to users or resources. These audits detail the exact denial or permit stage encountered while accessing a resource and trace back to a definitive user. Audit settings can be adjusted to fine tune the volume and granularity of audit events to the appropriate level for an organization s needs. Reporting and CA Audit Integration Windows audit logs track access on a single machine basis, making audit log consolidation or trending a time consuming task. CA Access Control is fully integrated with CA Audit. Events in Access Control are sent to CA Audit for further handling, enabling aggregation of log files and creation of policy specific reports, which facilitates the audit process, provides detailed investigations and validates key compliance metrics. Features of CA Audit include: CROSS-PLATFORM DATA COLLECTION CA Audit collects event data from an extensive variety of sources, including: operating systems, business applications, network devices, security devices, mainframes, access control systems and web services. REAL-TIME TOOLS FOR COLLECTION, VIEWING AND REPORTING CA Audit provides customizable viewers and reports available to users that are relative to their role. ALERT MANAGEMENT CA Audit logs, filters and monitors critical events and execute alerts and other actions based on established policies. CENTRAL SECURITY DATA REPOSITORY CA Audit stores audit data in a central repository, built around a scalable relational database for easy access, provides reporting for historical and post-event analysis. 10 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

13 SECTION 6 Cross-platform Protection Many organizations deploy a heterogeneous server infrastructure including both Windows and UNIX systems. CA Access Control enables consistent, integrated management and enforcement of access security policies across both of these environments. The Policy Manager provides a single interface through which policies can be administered and the advanced policy manage - ment architecture ensures these policies are distributed and enforced on all Windows and UNIX servers. Consolidated management of UNIX and Windows decreases the amount of administrative work required and improves the system administrator efficiency, saving significant management cost. FIGURE C CA Access Control elevates the collective level of access security across platforms and enables consistent administration. COMPLIANCE REQUIRES CONSISTENT ACCESS SECURITY SECTION 7 CA Access Control Architecture Effective security software needs to be implemented as an integral part of a computer s operating environment. CA Access Control intercepts system requests for access to various system resources before they arrive at the operating system, verifies if the requests are allowed by the defined security policy and enforces the appropriate behavior. All CA Access Control components benefit from a strong self-protection mechanism. This means that it is virtually impossible for users to intentionally or unintentionally bring down, change or erase CA Access Control files, services or data. Should a CA Access Control service fail, regardless of the reason, the CA Access Control in-memory monitoring service immediately restarts it. This ensures that CA Access Control provides all-time services and ensures security is never compromised due to unavailability of critical services. TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 11

14 The essential components of CA Access Control include: DATABASE The Database maintains all the users and groups in the organization, the system resources that need protection and the rules governing user and group access to system resources. The highly optimized Database interacts with the Engine to provide real-time authorization information. CA Access Control continuously protects database information and services against unauthorized access or sabotage. ENGINE The Engine receives access requests to determine whether or not they are permissible. Upon receiving a request, the Engine consults the Database, accesses the relevant access policies and decides whether or not access should be allowed. POLICY MODEL The Policy Model administers the PMDB. It is responsible for managing the list of subscriber databases and propagating all updates from the PMDB to its subscribers. ENTERPRISE MANAGEMENT SERVER* The enterprise management service includes a central Web management server for managing the policies and logical host groups as well as the policy-based reporting. It runs on standard J2EE application servers and utilizes a relational database. While the enterprise management server enables enterprise scale management of thousands of hosts, CA Access Control endpoints remain self-sufficient and do not rely on the central manage ment server for enforcing access and can also be managed directly through a lightweight Web UI or command line. SECTION 8 CA Access Control Part of a Bigger Identity and Access Management Solution CA Access Control can be installed independently and provide full server access protection without dependencies on other CA or third-party products. However, all products in the CA Identity & Access Management solution share common approaches and components for Web user interface, administration concepts, delegation of responsibilities and reporting to ensure a consistent administrative experience. Given that operating system access protection may be a single component of a defense-indepth strategy, CA Access Control provides integration with CA security products including: CA Identity Manager As a provisioning target for CA Identity Manager, the CA Access Control user base can be managed from and automatically kept in sync with CA Identity Manager. CA Security Command Center CA Access Control security events can be collected by or automatically routed to any remote server defined by CA Security Command Center. CA ACF2 Security and CA Top Secret Security CA Access Control can leverage the mainframe user store provided by CA ACF2 Security or CA Top Secret Security as a trusted repository or user passwords can be synchronized with those mainframe user stores. This assists organizations seeking to manage access to critical mainframe resources, privileges and utilities in the same way that CA Access Control provides protection for Windows and UNIX. *Some features listed are only available in CA Access Control Premium Edition 12 TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

15 SECTION 9 Conclusions During the course of regular operations, administrators of all roles operate in close proximity to sensitive data, processes or applications running on a Windows infrastructure. In the standard structure of a Windows and Active Directory deployment, these IT and security administrative functions are tightly coupled with one another. While this may not necessarily affect IT system administration, it can severely impact the integrity of security policy enforcement. Effective separation of these duties requires an independent, fine-grained access enforcement and auditing solution. CA Access Control provides the necessary system-level access control, cross-platform policy management, operating system hardening and secure auditing capabilities for organizations to effectively protect their mission-critical server infrastructure and maintain regulatory compliance. To learn more about the CA Access Control architecture and technical approach, visit ca.com/security/ac. TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 13

16 CA (NSD: CA), one of the world's leading independent, enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT. MP Learn more about how CA can help you transform your business at ca.com