Managing UNIX Generic and Service Accounts with Active Directory



Similar documents
How To Use Directcontrol With Netapp Filers And Directcontrol Together

Using Apple Remote Desktop to Deploy Centrify DirectControl

Centrify Identity and Access Management for Cloudera

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

Automating Cloud Security with Centrify Express and RightScale

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Active Directory and DirectControl

Centralized Mac Home Directories with ExtremeZ-IP

Google Apps Deployment Guide

Windows Least Privilege Management and Beyond

Macintosh Printer Management using Centrify DirectControl Group Policies

Centrify-Enabled Samba

Windows Security and Directory Services for UNIX using Centrify DirectControl

An Overview of Samsung KNOX Active Directory and Group Policy Features

How to Secure a Groove Manager Web Site

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner Pipelinersales Inc.

An Overview of Samsung KNOX Active Directory-based Single Sign-On

Virtualization Case Study

Centrify Suite 2012 Express

Improving Performance of Microsoft CRM 3.0 by Using a Dedicated Report Server

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Pipeliner CRM Phaenomena Guide Sales Pipeline Management Pipelinersales Inc.

Overview of Microsoft Office 365 Development

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

Likewise Security Benefits

Pipeliner CRM Phaenomena Guide Opportunity Management Pipelinersales Inc.

Active Directory Provider User s Guide

Centrify Mobile Authentication Services for Samsung KNOX

Redeploying Microsoft CRM 3.0

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

Pipeliner CRM Phaenomena Guide Sales Target Tracking Pipelinersales Inc.

Active Directory and Linux Identity Management

Hyper-V Server 2008 Setup and Configuration Tool Guide

Windows Scheduled Tasks Management Pack Guide for System Center Operations Manager. Published: 07 March 2013

Privileged Account Access Management: Why Sudo Is No Longer Enough

Centrify Mobile Authentication Services

Pipeliner CRM Phaenomena Guide Administration & Setup Pipelinersales Inc.

What s New in Centrify Server Suite 2013 Update 2

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Lab Answer Key for Module 9: Active Directory Domain Services. Table of Contents Lab 1: Exploring Active Directory Domain Services 1

Microsoft Corporation. Status: Preliminary documentation

UPGRADE. Upgrading Microsoft Dynamics Entrepreneur to Microsoft Dynamics NAV. Microsoft Dynamics Entrepreneur Solution.

Using Centrify s DirectControl with Mac OS X

MBAM Self-Help Portals

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Update and Installation Guide for Microsoft Management Reporter 2.0 Feature Pack 1

Deploying the Workspace Application for Microsoft SharePoint Online

Microsoft Dynamics GP. Electronic Signatures

AD RMS Step-by-Step Guide

Windows BitLocker Drive Encryption Step-by-Step Guide

Creating and Deploying Active Directory Rights Management Services Templates Step-by-Step Guide

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

Centrify's Solution for Migrating UNIX Directories to Active Directory

SmoothWall Virtual Appliance

Enforcing Enterprise-out Security for Cloud Servers

What s New in Centrify Server Suite 2014

Microsoft Business Solutions Navision 4.0 Development I C/SIDE Introduction Virtual PC Setup Guide. Course Number: 8359B

Windows Server Update Services 3.0 SP2 Step By Step Guide

Centrify Server Suite 2014

Windows Small Business Server 2003 Upgrade Best Practices

Best Practices for Adding Macs to Microsoft Networks

Configuring IBM Cognos Controller 8 to use Single Sign- On

Connector for Microsoft Dynamics Configuration Guide for Microsoft Dynamics SL

Office Language Interface Pack for Farsi (Persian) Content

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Lab Answer Key for Module 11: Managing Transactions and Locks

Centralized Identity and Access Management of Cross-Platform Systems and Applications with Active Directory and the Centrify Suite

RedBlack CyBake Online Customer Service Desk

Overview of Active Directory Rights Management Services with Windows Server 2008 R2

Enterprise Knowledge Platform

Microsoft Lync Server 2010

Single Sign-On for Kerberized Linux and UNIX Applications

Integrating Business Portal 3.0 with Microsoft Office SharePoint Portal Server 2003: A Natural Fit

Hyper-V Server 2008 Getting Started Guide

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Management Reporter Integration Guide for Microsoft Dynamics AX

Centrify Server Suite, Standard Edition Design Service

Microsoft Solutions for Security. Delivering the Windows Server 2003 Security Guide

Managing Linux Servers with System Center 2012 R2

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Centrify Identity Service and Mac - Online Training

Using Microsoft Active Directory to Address Payment Card Industry (PCI) Data Security Standard Requirements in Heterogeneous Environments

White Paper. Software version: 5.0

What s New in Centrify Privilege Service Centrify Identity Platform 15.4

Implementing and Supporting Windows Intune

Module 1: Introduction to Designing Security

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper

Management Reporter Integration Guide for Microsoft Dynamics GP

Transcription:

APPLICATION NOTE Managing UNIX Generic and Service Accounts with Active Directory Published: June 2007 Abstract Generic accounts are commonly used to enable UNIX administrative staff to log on to a computer system and perform specific operations using the account identity and permissions of the generic account. While using generic accounts is a simple way to manage specific services, they represent a significant risk in terms of both access control and IT auditing. There is no easy way to manage who can access these accounts or to provide an audit trail showing which administrator used the account to take a specific action. This application note uses an example generic account to show how Centrify DirectControl and Active Directory can be used to control both the password of generic accounts and an administrator s access to a specific computer system or group of systems. It shows how administrators can be granted the appropriate permissions to execute the privileged operations normally run by the generic account without requiring generic accounts to exist. Contents 1 Introduction...1 2 Our Example Environment... 2 3 Enforcing Password Policies for Generic Accounts... 4 4 Replacing Generic Accounts with Role-Based Privileges... 4 5 Summary... 7 5.1 For More Information... 8 5.2 Legal Notices... 8 1 Introduction There are several different ways to address the risk that generic accounts represent. This document show two methods: Centrally controlling the generic account s password and enforcing a common password policy Locking down the computer system and granting specific privileges to the administrator 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. AN010-2007-06-14

The password control solution shows how to enable Active Directory to take control of the generic account s password and enforce Active Directory password policy on those generic accounts. This is the simplest solution because it leaves the generic accounts and the administrator s current practices in place while still enabling centralized control over the password for common generic accounts across several systems; it also ensures that password policies are being enforced properly across the enterprise. The lock-down solution shows how to eliminate the generic account by replacing it with a set of rights that are granted to the administrator based on membership in a group that is managed within Active Directory. In this scenario, the administrator authenticates to the computer system using his account (typically via an SSO connection from a Windows workstation running PuTTY to eliminate the initial login) and then runs the privileged command directly using sudo without having to su to the generic account. This lock-down solution enables organizations to more tightly control which specific administrator has privileges to execute privileged operations on specific computers throughout the enterprise. Additionally, organizations will be able to lock down or remove these generic accounts since the privileges that were previously granted to these generic accounts will now be granted to individual system administrators on an as-needed basis. Further, Centrify DirectAudit can also be used to provide full visibility into the actual session activity of the administrator who is running these privileged commands, including not only what the administrator typed but what he saw as a response on the display as well. This level of detail satisfies an IT auditor s need to know which person accessed specific systems or specific data on those systems. 2 Our Example Environment For the purposes of this document, let s look at a typical example environment in which a common generic account, called hpov, is used to access multiple computer systems. Administrators log in to any of these systems using the hpov account, or they su to the account in order to run one of the following commands: $ opcacta -- Run opcacta command $ opcagt -- Run opcagt command $ opcagtreg -- Run opcagtreg command $ opcapm -- Run opcapm command $ opcclustns -- Run opcclustns command $ opccma -- Run opccma command $ opcctla -- Run opcctla command $ opcdista -- Run opcdista command $ opceca -- Run opceca command $ opcecaas -- Run opcecaas command $ opcle -- Run opcle command $ opcmack -- Run opcmack command $ opcmon -- Run opcmon command $ opcmona -- Run opcmona command $ opcmsg -- Run opcmsg command $ opcmsgi -- Run opcmsgi command $ opcskm -- Run opcskm command $ opcsubagt -- Run opcsubagt command $ opctemplate -- Run opctemplate command $ opctrapi -- Run opctrapi command 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 2

A sudo policy is used to control the rights granted to this generic account. As you can see in the following screen, the sudoers file grants the generic account hpov the rights to execute a specific set of commands with root privilege. In this example, a command alias is used to make the management of the sudoers file simpler, which may or may not be used in production. For an administrator to execute one of these privileged commands, he must log in with the generic account or su to the account; both of these actions require the administrator to know the password to the generic account. Once he has gained proper privileged access to the account, the administrator can run any of the privileged commands by typing sudo followed by the name of the command along with any required parameters. A log entry is written to /var/log/messages for the administrator when he su d to the generic account, and a log entry is written to /var/log/secure for each command executed using sudo. This is a typical scenario in many organizations. The use of a generic account represents a security risk in terms of both access control and auditing. From an access control perspective, anyone who knows the generic account s password can execute privileged commands as root on these systems. From an auditing perspective, it is impossible to directly associate a specific command with a specific user. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 3

3 Enforcing Password Policies for Generic Accounts If the current operating environment requires generic accounts to be defined locally, or if it is not possible to migrate to a role-based authorization method (as described in the next section), then the best alternative is to centrally enforce password policies for these generic accounts using Centrify DirectControl. Passwords for generic accounts are typically stored and managed within the local file system, and sometimes they are stored in a NIS domain. Most administrators for these systems know the password or it is a common password. This means any administrator can log in or su to the generic account in order to perform specific operations with the security permissions or rights of that generic account. In addition, these accounts are typically immune to any form of password policy or access control policies due to the way in which they are used. While generic accounts that are stored within a NIS domain can be migrated into Active Directory through DirectControl, the locally defined generic accounts remain on the individual systems, representing a security exposure. In order to secure the password and to ensure that the Active Directory password policy and authentication controls can be enforced on these local generic accounts, DirectControl s account-mapping feature enables a local account to be linked to an Active Directory user account. To set up this mapping, you can either manually add the mapping the local computer s centrifydc.conf file, or you can use the Group Policy Object Editor to add the mapping to a collection of computers. The entry is formed in the config file as pam.mapuser.<unix_user>: <windows_user> where unix_user is the login name of the local UNIX account and windows_user is the SAMAccount name of the Windows user in Active Directory. This link between the locally defined generic account and the Active Directory account enables DirectControl to require the user to enter his Active Directory account password when trying to log in to or su to the generic account. In addition, because the password is now managed within Active Directory, the password policy can be enforced for all password change events. Once the local account is linked to an Active Directory account, it is then possible to centrally disable logins to the generic account simply by locking the Active Directory account. 4 Replacing Generic Accounts with Role-Based Privileges A better alternative is to replace generic accounts with a role-based authorization solution. In this scenario, when an administrator logs in to the system, he is granted a specific set of privileges based on his Active Directory group. This approach may not work in all environments and may need to be combined with the generic account management model described in the previous section. However, it can be a powerful way to manage privileges for the administrative staff. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 4

The first step in migrating the privilege that was previously granted to generic accounts is to create an Active Directory group with a similar name. By adding users to this group, we can then control who will be granted the privileges that were previously granted to these generic accounts. In following example, we create an Active Directory group called hpov_group and then UNIX-enable it for a Zone, a logical grouping of computers, called Finance. We also create and UNIX-enable a couple of users, Fred Thomas and Tim Smith. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 5

Now that we have an Active Directory group that corresponds to the administrative role, we need to assign users as members of this group so that they will get any rights that are granted. Next, we need to grant the hpov_group Active Directory group the same rights that were previously granted to the generic account. To do this, we use DirectControl to define an Active Directory Group Policy to be applied to our UNIX systems. We will grant the members of the Active Directory group hpov_group, known on UNIX as hpov_gro, the same rights to execute the commands contained in the command alias that we had previously defined within the local sudoers file. In this example, we edit the Default Domain Policy so that this sudoers policy applies to members of the hpov_group on all UNIX computers joined to Active Directory within this domain. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 6

Now that the Group Policy has been defined and applied to the group hpov_group, the policy will be applied to the computer at boot and on the next policy refresh as set by the Group Policy periodic interval (typically every 90 minutes). Now, either of the two users that we defined previously can log in. An additional benefit is that DirectControl eliminates the steps that the administrator previously had to follow in order to gain access to the system. From a Windows computer using a properly Kerberized ssh client (such as the DirectControl-enabled version of PuTTY that Centrify provides free of charge), the administrator can gain single sign-on based on a Kerberos credential validation. When the UNIX administrator who is a member of the hpov_group is logs in to the UNIX system, the sudo policy grants him the right to execute the privileged commands, just as if he had logged in using the generic account or switched to the generic account. 5 Summary This document shows how to leverage your centralized Active Directory infrastructure and Group Policy services to centrally manage an administrator s right to run privileged commands on specific UNIX systems. Group Policy makes it easy to centrally manage the rights that are granted to users and administrators without having to touch each computer individually. Additionally, the sudo Group Policy that grants an administrator the appropriate privileged rights enables the elimination of generic accounts. This also enables auditors to know exactly which user accessed a computer and what privileged commands he executed while logged into that system. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 7

Many other possible solutions exist based on the ability of DirectControl to centrally manage accounts on UNIX systems, whether it is a generic account or a specific end-user account. It is important to note that DirectAudit can also be combined with this solution in order to provide upper management with full visibility into the activities both individual administrators and generic accounts that log into an audited system. 5.1 For More Information For the latest product information on DirectControl or DirectAudit, check out our web site at: www.centrify.com/products 5.2 Legal Notices Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e- mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2007 Centrify Corporation. All rights reserved. Centrify is a registered trademark and DirectControl and DirectAudit are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information