PowerBroker for Windows



Similar documents
PowerBroker for Windows Desktop and Server Use Cases February 2014

How To Manage A Privileged Account Management

October Application Control: The PowerBroker for Windows Difference

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015

Retina CS: Using Strong Certificates

Windows Least Privilege Management and Beyond

How To Achieve Pca Compliance With Redhat Enterprise Linux

PCI DSS Compliance: The Importance of Privileged Management. Marco Zhang

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

PCI DSS COMPLIANCE DATA

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Need to be PCI DSS compliant and reduce the risk of fraud?

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

IBM Tivoli Endpoint Manager for Lifecycle Management

SWOT Assessment: BeyondTrust Privileged Identity Management Portfolio

PCI Data Security Standards (DSS)

Disaster Recovery. Websense Web Security Web Security Gateway. v7.6

Understanding Enterprise Cloud Governance

BeyondTrust Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Secret Server Qualys Integration Guide

Introduction. PCI DSS Overview

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Defender Delegated Administration. User Guide

IBM Tivoli Netcool Configuration Manager

Complying with Payment Card Industry (PCI-DSS) Requirements with DataStax and Vormetric

Payment Card Industry Data Security Standard

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

The Impact of HIPAA and HITECH

Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Complying with PCI Data Security

Applying the Principle of Least Privilege to Windows 7

How To Comply With The Pci Ds.S.A.S

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Mobile Admin Architecture

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

Netop Remote Control Security Server

IBM Tivoli Endpoint Manager for Lifecycle Management

Administration Guide NetIQ Privileged Account Manager 3.0.1

Improving PCI Compliance with Network Configuration Automation

PCI DSS Reporting WHITEPAPER

Privileged Session Management Suite: Solution Overview

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

Application Monitoring for SAP

ISO COMPLIANCE WITH OBSERVEIT

Active Directory Change Notifier Quick Start Guide

Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Vistara Lifecycle Management

Proven LANDesk Solutions

The Comprehensive Guide to PCI Security Standards Compliance

An Oracle White Paper January Oracle Database Firewall

Did you know your security solution can help with PCI compliance too?

Real-Time Security for Active Directory

Dell One Identity Manager Scalability and Performance

White paper December IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

Why PCI DSS Compliance is Impossible without Privileged Management

IBM Security Privileged Identity Manager helps prevent insider threats

Drawbacks to Traditional Approaches When Securing Cloud Environments

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Integrated Citrix Servers

Remote Access Platform. Architecture and Security Overview

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

Privileged Account Access Management: Why Sudo Is No Longer Enough

PCI Requirements Coverage Summary Table

Security and HIPAA Compliance

IBM Endpoint Manager for Lifecycle Management

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Compliance and Security Challenges with Remote Administration

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Solving the Security Puzzle

CorreLog Alignment to PCI Security Standards Compliance

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Desktop Authority vs. Group Policy Preferences

Active Directory and DirectControl

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

By the Citrix Publications Department. Citrix Systems, Inc.

Transcription:

PowerBroker for Windows Desktop and Server Use Cases February 2014 1

Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements... 9 Conclusion... 13 About BeyondTrust... 13 2

2014 Beyond Trust. All Rights Reserved. Warranty This document is supplied on an "as is" basis with no warranty and no support. This document contains information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of BeyondTrust. Limitations of Liability In no event shall BeyondTrust be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this white paper. For the latest updates to this document, please visit: http://www.beyondtrust.com Disclaimer All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust is not associated with any other vendors or products mentioned in this document. 3

Introduction PowerBroker for Windows provides fine-grained, policy-based privileged delegation capabilities for the Microsoft Windows environment. The solution allows organizations to remove local admin rights from end users and server administrators without hampering productivity. PowerBroker selectively elevates privileges for applications, software installs, system tasks, scripts, control panel applets, management functions, and other application and system operations. Additionally, PowerBroker for Windows provides Session Monitoring, Risk Compliance, and File Integrity Monitoring capabilities for granular tracking of privileged user activity across Windows desktop and server environments. Least-Privilege Objectives The concept of least privilege states that asset users should have the lowest level of access privileges required to effectively conduct their jobs. However, many basic operating system, management, application and software functions (e.g., configuration utilities) require more than basic privileges. This traditionally requires end user to possess elevated privileges in the form of an administrative username and password. PowerBroker for Windows mitigates the need to distribute and maintain administrative credentials or reveal these credentials to end users at all. Administrative tasks, even in modern versions of Windows, are not limited to either servers or desktops. Common tasks like user administration, software updates, and operating system and application maintenance can be broken out for desktops and servers by common use case. For example, an administrator on a server may need access to Microsoft SQL Server Management Studio to perform maintenance, and a desktop user may need access to ODBC to setup a connection to a new or test database. While both cases require providing distributed access to a client/server database, the least-privilege permissions required for each are distinctly different. These examples, and many others, provide the context for this document. 4

Least-Privilege Implementations PowerBroker for Windows is most commonly used for managing Windows desktop privileges, as desktop users are generally not considered trusted administrators with elevated privileges. However, the need to secure privileged accounts on servers is escalating in response to recent security breaches at the U.S. National Security Agency (NSA), major retailers, and other organizations. Rules for removing administrative privileges from end users can easily be translated back to servers once the complete use case for a rule is mapped out. For example, creating a rule to allow Java to automatically update on a desktop can easily be mapped to a server application or website that provides content for the end-user application. The transition to implementing least privilege from desktops to servers, or from servers to desktops, starts with gaining an understanding of what job functions must be accomplished. Desktop Implementations Operating within the BeyondInsight IT Risk Management Platform, PowerBroker for Windows provides a unique set of tools to help identify which applications require administrative access. For instance, administrators can select events directly within the BeyondInsight Management Console and seamlessly create PowerBroker rules that provide proper permissions to end users and applications without any end user intervention or interruption to their workflow. Use cases for these rules generally fall into very simple categories: Operating system tasks that require administrative access, such as time and date or ODBC Application installation and automated application updates, such as Java, Adobe, VMware, etc. Applications that require administrative access, such as AutoCad, VMware workstation configuration utilities, or Internet Explorer browser plugins for tools like Salesforce.com. PowerBroker for Windows also includes a sample rules library that simplifies rule creation by providing samples and best practices for a typical implementation. This type of implementation provides the foundation for the vast majority of least-privilege implementations and provides the structured server implementation guidance required by many organizations. Server Implementations When implemented on servers, PowerBroker for Windows is structured around use cases related to which administrative functions are required to maintain the server and fulfill its mission. This is much more straightforward than a desktop implementation since servers generally have targeted roles, and server applications and users are normally less diverse. For example, the vast majority of operating system functions are contained within Microsoft Management Console (MMC). PowerBroker for Windows users can create rules for individual www.beyondtrust.com 1.800.234.9072 sales@beyondtrust.com 5

tasks within MMC or a single rule for the entire utility. To ensure that privileges are not abused, PowerBroker for Windows can perform scan capture recordings of the session to document that no malicious activity occurred. The solution can also track file system changes using File Integrity Monitoring to determine if the system has been inappropriately modified. You can identify server use cases via two distinct philosophies: 1. Using documentation already present within an organization for a server s role. Such documentation is frequently available as a result of regulatory standards, such as PCI DSS, which requires determination of which administrative tasks commonly occur, and by whom. Once established, rules and policies can easily be implemented on servers using either passive monitoring in PowerBroker for Windows, in a lab, or through change control. 2. Reverse engineer desktop use cases. While this may sound like a monumental task, it is generally not that difficult with a desktop implementation of PowerBroker for Windows. a. First, consider all the administrative tasks on a server that are not locally applicationbased. These are utilities used to configure a remote system via an installed application. These are typically programs like Altiris and IBM BigFix that need administrative authority to execute but rely on other permission models for administration. b. Identify which users and systems are being accessed based on reports in the BeyondInsight management console. c. Finally, identify which application and operating system functions must be executed directly on the servers rather than via remote clients, such as MMC. It is important to note that administrative access to servers can never be fully removed from any environment. PowerBroker for Windows enables day-to-day operations and common periodic tasks. Administrative access for disaster recovery, server creation, forensics, etc. continue to require administrative authority until suitable security technologies are developed to mitigate these advanced tasks. To address these and similar cases, BeyondTrust provides PowerBroker Password Safe to vault administrative passwords to these systems with full change control and auditing. Privileged Use cases Day-to-Day Administrator Access In the vast majority of organizations, there are typically many system administrators and help desk analysts requiring daily access to servers and workstations. PowerBroker for Windows strengthens security via privileged account management, while also improving user experience for example: Help Desks: PowerBroker for Windows can facilitate help desk support tasks requiring privileged access to end-user workstations for troubleshooting and support. Help desk analysts can directly connect to end users machines via RDP or various remote access tools www.beyondtrust.com 1.800.234.9072 sales@beyondtrust.com 6

(DameWare, VNC, etc.) to assist with support tickets. Analysts can potentially be logged into one or more machines simultaneously, and should have access to these machines without needing any approvals. Server Admins: PowerBroker for Windows can provide controlled administrative access to servers and monitor this access to maintain accountability. Server admins are often logged into multiple servers concurrently and continuously for several days depending on tasks. Interactive use cases include logging into the servers directly, in person, remotely using single or multi-hop RDP jump servers, Citrix connections, SSH, Vmware Console, and/or via scripts (DOS batch / or shell scripts, VBscripts, Powershell, etc). Admins often perform the tasks using RUN-AS or SUDO and may require multiplatform support for UNIX and Linux using the same credentials (Note: BeyondTrust also offers solutions for least-privilege access on UNIX, Linus and Mac platforms.) Administrator Accounts and Shared Accounts Many organizations typically have several legacy administrative accounts used on multiple servers and workstations for service accounts and local backdoors. Security and compliance issues can stem not only from the laborious processes required to manage these accounts and change their passwords, but also from the lack of a privileged account inventory. Managing privileged accounts with PowerBroker for Windows mitigates the risk of administrative account abuse, increases security, and eases administrative burdens. The solution also includes auto-discovery capabilities that identify privileged accounts and audit their usage across all computers reachable on the network. Shared accounts are sometimes needed, such as when an application does not offer rolebased access or when security controls do not allow for delegation of responsibilities. When shared accounts cannot be avoided, PowerBroker for Windows can strictly control permissions to the least privilege needed and log all access via features including keystroke logging and screen captures. Workflow Management PowerBroker for Windows includes robust workflow management capabilities that enable you to define: Workflows for alerting and automated ticket creation when specific, and potentially sensitive applications are launched. Workflows in response to suspicious privileged activities, such as the unauthorized creation of local user accounts or changes in a system s certificates. Workflows when vulnerable applications are launched and given administrative privileges that could introduce risk to the host or violate regulatory compliance initiatives. Operational Continuity and Disaster Recovery Because privileged accounts are sensitive by nature, privileged account management www.beyondtrust.com 1.800.234.9072 sales@beyondtrust.com 7

solutions are usually considered to be mission-critical within the organization. Privileged account management solutions should therefore be extremely robust, resilient, and secure, without a single point of failure. In the case of PowerBroker for Windows, policies are distributed via Active Directory, agents utilize store and forward technology when no manager is present, and database architectures support high availability such as clusters and fault-tolerant appliances. Compliance Logging, Tracking and Auditing One of the most important requirements for any privileged management solution is its ability to log and track all activities that occur when access rules are triggered. PowerBroker for Windows logs privileged account activities in a secure manner and provides tamper-proof audit trails. The solution can also forward logs to an external SIEM system via multiple integration techniques. PowerBroker for Windows audits and logs the following events: Application launches Events matching user-defined rules Windows event logs Applications that have inherent risks (like vulnerabilities) Unauthorized File System changes The solution can also: Perform screen captures when applications are executed Identify where local accounts exist and when unauthorized new accounts are created Track activities associated with the account down to each keystroke and allow searching and sorting on these events 8

Sample Regulatory Requirements PowerBroker for Windows enables customers to remove administrative access for users and administrators without impeding their ability to successfully perform their job functions. Security best practices, as well as SOX, PCI DSS and other regulatory compliance initiatives, mandate this form of privileged account management. This section describes how PowerBroker for Windows can be used for PCI DSS compliance initiatives across servers and desktops. The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards in addition to potential reputational loss. The PCI DSS spans six categories with twelve total requirements as outlined below: The following matrix maps PowerBroker for Windows capabilities to the PCI DSS controls. PowerBroker for Windows enables organizations to significantly improve desktop and server security by making it easy to remove administrator privileges from users without impacting productivity. 9

PCI DSS V2.0 APPLICABILITY MATRIX REQUIREMENT Requirement 4: Encrypt transmission of cardholder data across open, public networks CONTROLS ADDRESSED 4.1.b, 4.1.d DESCRIPTION PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows directly supports testing procedure 4.1.b by implementing certificate-based SSL V3 encrypted transmission between PowerBroker for Windows and the management console. Any transmission will fail if an incorrect certificate is used. PowerBroker for Windows directly supports testing procedure 4.1.d by using RSA 1024-bit encryption strength for when transmitting between PowerBroker for Windows and the management console. Requirement 7: Restrict access to cardholder data by business need to know 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2 PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows directly supports testing procedure 7.1.1 because the concept of least privilege is the very nature of PowerBroker for Windows. PowerBroker for Windows provides fine-grained, policy-based privilege delegation for the Windows environment by removing local admin rights from end users and selectively elevating privileges for things such as applications, software installs, system tasks, scripts, and control panel applets. PowerBroker for Windows augments support for testing procedure 7.1.2 by deploying rules based on the RBAC model in Active Directory. PowerBroker for Windows directly supports testing procedure 7.1.3 because users with specific admin rights are explicitly defined by authorized personnel. PowerBroker for Windows augments support for testing procedures 7.1.4 and 7.2.1 because PowerBroker for Windows uses Active Directory to perform its functions. PowerBroker for Windows directly supports testing procedure 7.2.2 by using user and group information from Active Directory and applies policies to particular users/groups based on job classification. 10

PCI DSS V2.0 APPLICABILITY MATRIX REQUIREMENT Requirement 8: Assign a unique ID to each person with computer access CONTROLS ADDRESSED 8.1, 8.4.a, 8.4.b DESCRIPTION PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows augments support for testing procedure 8.1 as it only uses unique user IDs from Active Directory. PowerBroker for Windows directly supports testing procedure 8.4.a and 8.4.b by encrypting transmission using SSL V3 certificates. Requirement 10: Track and monitor all access to network resources and cardholder data 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.1, 10.5.3, 10.6.a, 10.6.b 10.7.a, 10.7.b PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows directly supports testing procedure 10.1 because audit trails for what applications users are launching are enabled by default. PowerBroker for Windows also allows for the configuration of session monitoring. Session monitoring captures screenshots of what actions a user is performing. PowerBroker for Windows directly supports testing procedures 10.2.1 10.3.6 through the session monitoring feature. Since session monitoring allows you to view the actual screenshots of a user s actions, each session fully describes what a user does. PowerBroker for Windows directly supports testing procedure 10.5.1 because PowerBroker for Windows can be configured to restrict audit trail access solely to people with a job-related need. PowerBroker for Windows directly supports testing procedure 10.5.3 by storing logs in a single database. Several layers of authorization are required for log access. PowerBroker for Windows augments support for testing procedures 10.6.a and 10.6.b by having them accessible on the PowerBroker for Window s web management interface, thus these logs are available for review daily, as would be recommended. PowerBroker for Windows directly supports testing procedures 10.7.a and 10.7.b by storing log data indefinitely, or allowing configuration of the log retention period. 11

PCI DSS V2.0 APPLICABILITY MATRIX REQUIREMENT Requirement 11: Regularly test security systems and processes. CONTROLS ADDRESSED 11.5.a DESCRIPTION PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows directly supports testing procedure 11.5.a via its policy-based File Integrity Monitoring capability, which can monitor and prevent changes to directories and files based on application and/or user/group. Requirement A.1: Shared hosting providers must protect the cardholder data environment A.1.2.a, A.1.2.d, A.1.3 PowerBroker for Windows meets or augments the following specific controls: PowerBroker for Windows directly supports testing procedure A.1.2.a because the concept of least privilege is the very nature of PowerBroker for Windows. The primary purpose of PowerBroker for Windows is to allow organizations to remove local admin rights from end users and selectively elevate privileges. PowerBroker for Windows directly supports testing procedure A.1.2.d because you can restrict viewing of logs to authorized parties. PowerBroker for Windows directly supports testing procedure A.1.3 by using session monitoring to see all actions a user performs. The need for removing administrative access to both desktops and servers is complementary. Regulations such as PCI can impact the end-to-end result of any technology implementation and removing privileges from the entire workflow ensures proper compliance with regulations such as PCI. 12

Conclusion PowerBroker for Windows provides fine-grained, policy-based privileged delegation for the Microsoft Windows environment. This patent-pending technology allows organizations to remove local admin rights from end users and server administrators without hampering productivity. PowerBroker selectively elevates privileges for applications, software installs, system tasks, scripts, control panel applets, management functions, and other operations and reports the findings via BeyondTrust s BeyondInsight IT Risk Management Platform. About BeyondTrust BeyondTrust is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com. 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information