Quest One Privileged Account Appliance Security Architecture

Written by Quest Software, Inc.
Contents

Abstract
Introduction
  Enhanced Privileged Account Management with Quest One
  About this Document
Layers of Protection in the Quest One Privileged Account Appliance
  Appliance Hardening
  Operating System Hardening
  Application Protection Techniques
  Certificates, Keys and Key Management
  Backup Protection
  Security for Patches and Software Updates
About Quest One Identity Solutions
Abstract

This document describes the security architecture of the Quest One Privileged Account Appliance, developed by e-dmz and now part of the Quest One Identity Solutions.
Introduction

Enhanced Privileged Account Management with Quest One

Quest One Identity Solutions deliver privileged account management by providing powerful tools that delegate access to exactly what an administrator should be allowed to access, nothing more and nothing less, eliminating the "keys to the kingdom" problem. Previously, this included privileged account management for AD and Unix/Linux administrators only. Quest's recent acquisition of e-dmz Security LLC, however, has enabled Quest One to extend privileged account management to Windows, applications, and even mainframes, with the addition of the Quest One Privileged Account Appliance, formerly known as eGuardPost and PAR.

The Quest One Privileged Account Appliance offers integrated modules designed specifically to meet the compliance and security requirements associated with privileged identity management and privileged access control:

Privileged Password Manager: Enables secure storage, release control, and change control of privileged passwords across a heterogeneous deployment of systems and applications. Privileged Password Manager also replaces embedded passwords that are hardcoded in scripts, procedures and programs with simple CLI/API calls.

Privileged Session Manager: Offers control, auditing, and replay of sessions of high-risk users, including administrators and remote vendors.

Privileged Command Manager: Provides the ability to granularly delegate user access to specific programs, tasks and commands across both Windows and Unix/Linux hosts. Privileged Command Manager is an add-on module to Privileged Session Manager.

About this Document

The appliance uses multiple defense mechanisms to thwart potential attacks and security breaches. This document describes the layers of protection employed in the Quest One Privileged Account Appliance.
Layers of Protection in the Quest One Privileged Account Appliance

Appliance Hardening

The Quest One Privileged Account Appliance's outermost layer of protection consists of measures to protect the physical appliance itself. These measures include the following:

Full disk encryption with pre-boot authentication. The hard drive for the appliance is protected via full disk encryption (AES-256) provided by Guardian Edge's Encryption Plus Hard Disk. This ensures that even if the appliance is lost or stolen, the disk cannot be accessed outside the appliance. The pre-boot authentication prevents attempts to remotely mount the drive to bypass access controls, since the device remains locked until the boot process is complete, at which time all internal controls are enabled.

Firewall. Appliances are protected via an internal firewall. The firewall provides packet inspection and filtering and is configured with the following rules:
- HTTPS (443/tcp) is permitted inbound. Optional HTTPS over port 8443 may be user-enabled for remote access to the appliance configuration interface.
- SSH2 (22/tcp) is permitted inbound to PAR for CLI/API access.
- Connections from the appliance and their responses are permitted.
- Other traffic directed to the appliance is dropped, with the details recorded in the firewall log in the application.

Operating System Hardening

The next layer of protection involves hardening the operating system and system-level software, such as the internal database management system (DBMS). These measures include the following:

Prevent console access and restrict network access. Console access is not permitted for any user. A large percentage of security breaches are accomplished by convincing a privileged user to access a malicious web site or open an infected file; preventing access to the underlying operating system completely mitigates these risks.
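To make the stateful part of the firewall policy concrete, the following added Python model applies the rules listed above to constructed sample traffic. It is an illustration written for this page, not the appliance's firewall or its configuration; the addresses and ports in the sample traffic are assumptions.

```python
"""Model of the appliance's host firewall policy as the document lists it (added
illustration, not the appliance's actual firewall or its configuration)."""
from dataclasses import dataclass, field

APPLIANCE = "10.0.0.10"   # constructed appliance address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class ApplianceFirewall:
    config_port_enabled: bool = False            # optional 8443 for the configuration interface
    outbound: set = field(default_factory=set)   # (peer ip, peer port, appliance port, proto) opened by the appliance
    drop_log: list = field(default_factory=list)

    def listening_ports(self) -> set:
        ports = {443, 22}                        # HTTPS application interface, SSH2 CLI/API
        if self.config_port_enabled:
            ports.add(8443)
        return ports

    def filter(self, p: Packet) -> str:
        if p.src == APPLIANCE:
            # Connections from the appliance are permitted; remember them so that
            # their responses can be matched (this is what makes the rule stateful).
            self.outbound.add((p.dst, p.dport, p.sport, p.proto))
            return "ACCEPT"
        if p.proto == "tcp" and p.dport in self.listening_ports():
            return "ACCEPT"
        if (p.src, p.sport, p.dport, p.proto) in self.outbound:
            return "ACCEPT"                      # response to a connection the appliance opened
        # Everything else directed at the appliance is dropped and logged.
        self.drop_log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DROP"


def run_sample(config_port_enabled: bool = False) -> tuple:
    """Run constructed traffic through the policy; returns (verdicts, drop log)."""
    fw = ApplianceFirewall(config_port_enabled)
    traffic = [
        Packet("192.0.2.5", 51000, APPLIANCE, 443),     # admin browser -> application interface
        Packet("192.0.2.5", 51001, APPLIANCE, 8443),    # configuration interface (off by default)
        Packet("192.0.2.5", 51002, APPLIANCE, 22),      # CLI/API over SSH2
        Packet(APPLIANCE, 40000, "198.51.100.7", 22),   # appliance -> managed system (password task)
        Packet("198.51.100.7", 22, APPLIANCE, 40000),   # the managed system's reply
        Packet("198.51.100.7", 22, APPLIANCE, 40001),   # unsolicited packet from the same host
        Packet("192.0.2.5", 51003, APPLIANCE, 3389),    # a port no appliance service listens on
    ]
    return [fw.filter(p) for p in traffic], fw.drop_log
```

With the configuration port disabled the second packet is dropped and logged; enabling it turns that verdict into an accept while the unsolicited and non-service packets are still dropped.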
Disable or remove unused services. Any services that are not specifically required by the appliance are disabled or removed, which tremendously reduces potential attack vectors. Some of the most frequently exploited services that are disabled are the server service, terminal services, remote administration, routing, and remote access. While the appliance runs on a server operating system, it does not act as a server in any way except to perform its dedicated purpose.

Disable or remove unused programs and operating system components. All unnecessary operating system components or applications are removed or disabled. Examples include disabling all unused Internet Information Services components and removing all email client software.

Implement highly restrictive ACLs. Access control lists (ACLs) throughout the file system ensure that no individual can gain access to any sensitive file for which they have not been specifically granted access. This measure helps to ensure that an error or oversight in an application or web page will not allow an authenticated user (non-authenticated users have no access to anything) to retrieve information that they are not authorized to access.

Use Local Security Policy. As a starting point, the appliances are configured following best practices for Local Security Policy settings, and then are extended to further restrict and remove any authority that is not required for the appliance's dedicated purpose.

Application Protection Techniques

Further protection comes from the following application protection techniques:

Web server security. The Web server is secured in accordance with Microsoft's guidelines for IIS security, and then further hardened by disabling unnecessary services, even though the firewall assures that these services are unavailable. Access to the Web server is permitted via HTTPS only, ensuring that no clear-text information is ever communicated between the appliance and a client across the network.

Database security. Communication between the Web application and the database is secured by permitting the execution of the pre-compiled stored procedures only to the appropriate operating system groups. There is no access whatsoever to the underlying database structures or data, and the stored procedure parameters are validated upon execution. This eliminates any possibility of SQL injection exploits. Additional validation is performed within every stored procedure to ensure that the user is authorized to access the specific data or perform the specific action in the request.

Service broker architecture. The appliance employs a service broker architecture to perform the various tasks, such as decrypting a password or changing the password on a remote system. This architecture ensures that users have no ability to perform any tasks or access any sensitive data outside of the application.
Instead, the user submits a request for an action to be performed, and after confirming that the user is permitted to request that action against the specific object, the broker performs the task and returns the results to the user.

Protection of passwords. Passwords for managed systems and accounts reside in tables in the database, but are never stored as clear text. Instead they are AES-256 encrypted before storage, and the key used for this encryption is an X.509 certificate that is not accessible to users in any way. (This is discussed in further detail in the next section.) Since no unencrypted password information, nor any of the keys used to encrypt or decrypt the passwords, are stored in the appliance, no additional encryption (beyond the full disk encryption) of the database data files is performed. File system ACLs, however, do protect the files from access by unauthorized individuals.

Certificates, Keys and Key Management

The Quest One Privileged Account Appliance stores, manages and uses numerous keys and certificates for protecting application components and communicating with external devices. Protection of these components falls within the measures described above but merits the following additional discussion:

SSH private keys. The appliance components use SSH and SCP extensively, whether to communicate with a partner appliance in a high availability environment; to transfer backups, data extracts, or session logs to a remote storage location; or to communicate with a managed system to perform password management tasks.
These key pairs are OpenSSH-format, 1024-bit DSA keys that are typically generated inside the appliance. The only private keys that can be imported are those used for managing systems. Our recommendation is NOT to do this, but to let the appliance generate the key pairs instead. This way, only the appliance has access to the private key, with no means for anyone else to gain access to it. This option exists for companies whose policy dictates that the private key must be escrowed at some other location. In that case, we will generate public keys based on the imported private key. If this is successful, then the public key for the uploaded private key is made available for download from the appliance. Private keys are placed into an ACL-protected folder on the encrypted hard disk and are accessible only to the internal account.

The appliances allow the creation of multiple system-wide key pairs with configurable start and end dates, or a single key pair for every system. The use of system-wide keys allows for greatly simplified deployment and facilitates key rotation, whereas the use of system-specific keys greatly reduces the exposure from a key that becomes compromised.

Encryption keys. In most cases, an X.509 certificate is used as the key for encryption. The exception to this rule is the encryption of the session recording logs, which are stored outside of the database. For these session logs, a unique, random, strong password is used as the key for encryption and is stored in the database. This facilitates recording and replay of recorded sessions through Distributed Processing Appliances (DPAs).

Certificates. Certificates are used for several purposes:

Web server certificates (HTTPS). Two SSL certificates exist for the distinct Web servers on the appliances. The first is for the standard application interface. This can and should be changed at initial install, and then changed periodically based on internal company policy. The second is for the configuration interface.
At present, this certificate cannot be changed, because 1) access to the configuration interface can be limited to a crossover connection to the configuration port of the appliance only, and 2) a failure to update this certificate correctly would completely disable the configuration interface, potentially making the appliance unreachable and irreparable. A planned enhancement will soon remove this restriction.

Encryption keys. Several different X.509 v3 certificates are used for encrypting and decrypting files or data on the appliance. These certificates are stored in the personal key store of an internal account and protected by Microsoft DPAPI; that is, the master key for the store is encrypted using a hash of the current password for the account and can be updated only via a password change, which decrypts the master key with the old password hash and then re-encrypts it with the new password hash. If a forced password change occurs, the key trail is permanently destroyed. The master password can be rotated at any time by the customer by performing a Reset Internal Password command from the System Configuration interface of the application, which resets the internal password for this account to a randomly generated strong password and, as a result, resets the DPAPI master key.

Mutual certificate authentication between a Privileged Account Appliance and a Virtual Cache Appliance. Communication with a Virtual Cache Appliance is performed by consuming or invoking secure Web services, and certificates are used for bi-directional authentication.
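The distinction above between a normal password change, a forced password change and the Reset Internal Password command is easier to see in code. The following added Python model (written for this page, not Microsoft's DPAPI or the appliance's code) wraps a master key under a password-derived key; it assumes PBKDF2 as the password-to-key derivation, XOR of the 32-byte master key with a 32-byte derived key plus an HMAC tag as the wrapping, and reads the Reset Internal Password command as a proper change to a random new password.

```python
"""Model of the wrapped master key that protects the internal account's key store
(added illustration; not DPAPI itself)."""
import hashlib, hmac, os


def _kdf(password: str, salt: bytes) -> bytes:
    # Assumed password-to-key derivation; the document only says "a hash of the password".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _wrap(master: bytes, password: str) -> bytes:
    # blob = salt | master XOR derived key | HMAC tag (the tag detects a wrong password)
    salt = os.urandom(16)
    wk = _kdf(password, salt)
    ct = bytes(a ^ b for a, b in zip(master, wk))
    return salt + ct + hmac.new(wk, ct, hashlib.sha256).digest()


def _unwrap(blob: bytes, password: str) -> bytes:
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    wk = _kdf(password, salt)
    if not hmac.compare_digest(hmac.new(wk, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong password: master key cannot be recovered")
    return bytes(a ^ b for a, b in zip(ct, wk))


class InternalAccount:
    """Internal account whose personal key store is protected by a wrapped master key."""

    def __init__(self, password: str):
        master = os.urandom(32)
        # Stand-in for the certificate store that was encrypted under this master key.
        self.store_key_id = hashlib.sha256(master).digest()
        self.blob = _wrap(master, password)

    def change_password(self, old: str, new: str) -> None:
        # Normal change: decrypt with the old password, re-encrypt with the new one.
        self.blob = _wrap(_unwrap(self.blob, old), new)

    def forced_reset(self, new: str) -> None:
        # Reset without the old password: nothing can unwrap the old blob, so a fresh
        # master key replaces it and the store encrypted under the old one is orphaned.
        self.blob = _wrap(os.urandom(32), new)

    def reset_internal_password(self, current: str) -> str:
        # The document's Reset Internal Password command, read as a proper change to a
        # random strong password: the master key stays usable, only its wrapping changes.
        new = os.urandom(24).hex()
        self.change_password(current, new)
        return new

    def can_open_store(self, password: str) -> bool:
        # True only if the master key recovered with this password still matches the store.
        try:
            return hashlib.sha256(_unwrap(self.blob, password)).digest() == self.store_key_id
        except ValueError:
            return False
```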
Backup Protection

A backup is an archive of the application components and data files, including the databases, keys, user account databases, and web server settings. This archive is AES-256 encrypted with an X.509 certificate dedicated to internal operations, and protected as described in the preceding section, Certificates, Keys and Key Management. This X.509 certificate exists on all Quest One Privileged Account Appliance devices, since it is what enables us to send a replacement appliance on which you can restore a previous backup to recover all data from a failed appliance. This of course means that a backup from one customer could be restored onto another customer's appliance; however, it would be unusable without knowledge of valid usernames and passwords to gain access to it. To provide added protection, the backup can optionally be encrypted a second time using a customer-supplied password as the key, ensuring that it can be restored only by people with knowledge of that password. This additional encryption is highly recommended.

Security for Patches and Software Updates

The only way to apply code changes, such as an application update, license change, or an operating system security patch, to an appliance is via a patch provided by Quest Software. These patches are in a proprietary format, are AES-256 encrypted using an X.509 certificate as the key, and are further authenticated by the use of a patch key that is uniquely generated based on both hardware and software attributes of the appliance. This ensures that only patches that come from Quest can be applied to an appliance.
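The following added Python sketch shows what binding a patch to one appliance's hardware and software attributes buys a defender: the same patch verifies on the appliance it was built for and is rejected elsewhere, after a software change, or after tampering. It is written for this page and is not Quest's proprietary patch format; the vendor-held secret in the key derivation, the HMAC-SHA256 construction and the attribute names are assumptions (the document does not say how the patch key is generated).

```python
"""Appliance-bound patch authentication, modelled (added illustration; not the
proprietary format the document describes)."""
import hashlib, hmac, json

# Assumption: a secret held only by the vendor's build system, so that knowing an
# appliance's attributes alone is not enough to produce a valid patch key.
VENDOR_SECRET = b"constructed-vendor-secret"


def derive_patch_key(hw: dict, sw: dict) -> bytes:
    # Canonical JSON so the vendor and the appliance derive the identical key from
    # the same hardware and software attributes regardless of dictionary order.
    material = json.dumps({"hw": hw, "sw": sw}, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VENDOR_SECRET, material, hashlib.sha256).digest()


def build_patch(encrypted_payload: bytes, hw: dict, sw: dict) -> dict:
    """Vendor side: the payload is already AES-256 encrypted under the X.509 key (not
    modelled here); bind that ciphertext to one appliance with a tag under its patch key."""
    tag = hmac.new(derive_patch_key(hw, sw), encrypted_payload, hashlib.sha256).hexdigest()
    return {"payload": encrypted_payload, "tag": tag}


def accept_patch(patch: dict, hw: dict, sw: dict) -> bool:
    """Appliance side: recompute the tag from its own attributes; any mismatch rejects."""
    expected = hmac.new(derive_patch_key(hw, sw), patch["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, patch["tag"])


# Constructed appliances: B differs from A only in its serial number.
HW_A = {"serial": "APPL-0001", "board": "rev-c"}
HW_B = {"serial": "APPL-0002", "board": "rev-c"}
SW = {"app_version": "2.5.0", "os_build": "constructed-build"}


def demo() -> dict:
    patch = build_patch(b"<constructed ciphertext of the update>", HW_A, SW)
    tampered = {"payload": patch["payload"] + b"x", "tag": patch["tag"]}
    return {
        "target": accept_patch(patch, HW_A, SW),                                  # True
        "other_appliance": accept_patch(patch, HW_B, SW),                         # False
        "after_update": accept_patch(patch, HW_A, {**SW, "app_version": "2.6.0"}),  # False
        "tampered": accept_patch(tampered, HW_A, SW),                             # False
    }
```

Because the software attributes are part of the key, a patch built before an update is no longer accepted afterwards, which is why a vendor following this scheme must issue patches against the appliance's current state.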
About Quest One Identity Solutions

Quest One Identity Solutions reduce the complexity, cost and risk of managing identities and controlling access to increase your compliance, security and efficiency. Our modular yet integrated approach features a broad portfolio of award-winning solutions that simplify access governance, user activity monitoring, privileged account management and identity administration. Unlike traditional framework solutions, Quest One provides granular enforcement across heterogeneous systems with 360-degree business visibility and incredibly rapid time to value! Whether you are starting from scratch, already have an identity and access management solution or need to address specific IAM objectives on a single system or platform, Quest One enables you to do it more simply and affordably than you can imagine. Learn more about the solutions that earned SC Magazine's highest five-star RECOMMENDED rating by visiting www.quest.com/identity-management.
© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ("Quest"). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.
Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vcontrol, vconverter, vfoglight, voptimizer, vranger, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vbackup, Vizioncore vessentials, Vizioncore vmigrator, Vizioncore vreplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Updated September 2011
About Quest Software, Inc.

Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for administration and automation, data protection, development and optimization, identity and access management, migration and consolidation, and performance monitoring, go to www.quest.com.

Contacting Quest Software

PHONE: 800.306.9329 (United States and Canada). If you are located outside North America, you can find your local office information on our Web site.
EMAIL: sales@quest.com
MAIL: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to:
- Search Quest's online Knowledgebase
- Download the latest releases, documentation and patches for Quest products
- Log support cases
- Manage existing support cases
- View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures.

TBW-Q1P-AccAppliance-US-SW-BODY-102411