Taking Unix Identity and Access Management to the Next Level

Similar documents
10.2. Auditing Cisco PIX Firewall with Quest InTrust

An Introduction to Toad Extension for Visual Studio. Written By Thomas Klughardt Systems Consultant Quest Software, Inc.

Direct Migration from SharePoint 2003 to SharePoint 2010

Eight Best Practices for Identity and Access Management

Go Beyond Basic Up/Down Monitoring

Secure and Efficient Log Management with Quest OnDemand

Migrating Your Applications to the Cloud

Quest ChangeAuditor 5.0. For Windows File Servers. Events Reference

Using Stat with Custom Applications

Key Methods for Managing Complex Database Environments

Foglight for SQL Server

Proactive Performance Management for Enterprise Databases

Quest Management Agent for Forefront Identity Manager

Quest One Privileged Account Appliance

The Case for Quest One Identity Manager

2007 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS. Disclaimer

Six Steps to Achieving Data Access Governance. Written By Quest Software

Toad for Oracle Compatibility with Windows 7 Revealed

An Innovative Approach to SOAP Monitoring. Written By Quest Software

Enterprise Single Sign-On 8.0.3

Top Seven Tips and Tricks for Group Policy in Windows 7

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

6.0. Planning for Capacity in Virtual Environments Reference Guide

Quest Application Performance Monitoring Implementation Methodology

Enterprise Single Sign-On Installation and Configuration Guide

Choosing the Right Active Directory Bridge Solution

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

The Active Directory Recycle Bin: The End of Third-Party Recovery Tools?

Are You Spending More than You Realize on Active Directory Management?

Achieving ISO/IEC Compliance with Quest One Solutions for Privileged Access. Written By Quest Software, Inc.

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer

Protecting and Auditing Active Directory with Quest Solutions

Unified and Intelligent Identity and Access Management

6.5. Web Interface. User Guide

Moving to the Cloud : Best Practices for Migrating from Novell GroupWise to Microsoft Exchange Online Standard

Extending Native Active Directory Capabilities to Unix and Linux

Quest Support: vworkspace Troubleshooting Guide. Version 1.0

The Quest Cloud Automation Platform

Exchange 2010 and Your Audit Strategy

Quest Solutions for PCI Compliance

Top Five Reasons to Choose Toad Over SQL Developer

Foglight Foglight Experience Viewer (FxV) Upgrade Field Guide

Best Practices for SharePoint Development and Customization

Controlling & Managing Super User Access

Defender Delegated Administration. User Guide

Migrating Lotus Notes Applications to Microsoft Office 365 and SharePoint Online

4.0. Offline Folder Wizard. User Guide

Authentication Services 4.1. Authentication Services Single Sign-on for SAP Integration Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

formerly Help Desk Authority Quest Free Network Tools User Manual

Benchmark Factory for Databases 6.5. User Guide

Quest ActiveRoles Server

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

Foglight. Managing Java EE Systems Supported Platforms and Servers Guide

Quest SQL Optimizer 6.5. for SQL Server. Installation Guide

How the Quest One Identity Solution Products Enhance Each Other

Data Center Consolidation Strategies for the Federal CIO

System Requirements and Platform Support Guide

Defender 5.7. Remote Access User Guide

Enterprise Single Sign-On Getting Started with SSOWatch

Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide

2.0. Quick Start Guide

Foglight Managing SQL Server Database Systems Getting Started Guide. for SQL Server

Quest One Password Manager

Foglight Managing SQL Server Database Systems Getting Started Guide. for SQL Server

Quest Software Product Guide

for Oracle User Guide

Enterprise Single Sign-On User Guide

Quest ChangeAuditor 4.8

Quest vworkspace Virtual Desktop Extensions for Linux

FOR WINDOWS FILE SERVERS

Data center and cloud management. Enabling data center modernization and IT transformation while simplifying IT management

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide

Quest Collaboration Services 3.5. How it Works Guide

Quest Migration Manager 3.2

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Transcription:

Taking Unix Identity and Access Management to the Next Level Now that you ve taken care of local users and groups what s next? Written by Quest Software, Inc. TECHNICAL BRIEF

2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ( Quest ). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com E-mail: legal@quest.com Refer to our Web site for regional and international office information. Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vcontrol, vconverter, vfoglight, voptimizer, vranger, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vbackup, Vizioncore vessentials, Vizioncore vmigrator, Vizioncore vreplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Technical Brief: Taking Unix Identity and Access Management to the Next Level 1

Contents Abstract... 3 The Problem with Unix... 4 Quest Identity Manager for Unix and Quest Authentication Services... 5 Local User and Group Management... 5 Authentication and Single Sign-on... 5 Group Policy... 5 NIS Migration... 6 Strong Authentication... 6 Audit, Alerting, and Change Tracking... 6 Conclusion... 8 Technical Brief: Taking Unix Identity and Access Management to the Next Level 2

Abstract One of the biggest challenges facing administrators of Unix and Linux systems is the management of local users and groups. Typically these accounts must be managed individually, on a box-by-box basis, or by using cumbersome and limited tools. Quest Identity Manager for Unix overcomes these deficiencies by providing a web-based console that enables administrators to remotely manage all Unix/Linux users and groups from a single, centralized interface. The benefits of centralized management are obvious, but Identity Manager for Unix extends these benefits to truly simplify identity and access management for Unix systems. This technical brief explains how you can not only move to centralized management of local Unix users and groups, but to full identity and access management without adding infrastructure, relying on obsolete and non-compliant technologies (such as NIS), or deploying cumbersome and limited synchronization solutions. Identity Manager for Unix provides the path to:. Full Kerberos authentication and single sign-on for Unix, Linux, and Mac systems Group Policy-based management of Unix, Linux, and Mac Complete migration from NIS Centralization and consolidation of identities Strong authentication Reporting on Unix-related identity and access information Auditing, alerting, and change tracking Streamlining of identity administration tasks around a single identity and a single administrator action Security and compliance for Unix, Linux, and Mac systems Technical Brief: Taking Unix Identity and Access Management to the Next Level 3

The Problem with Unix None of us can survive without our Unix and Linux systems. They host critical data and applications, and the diversity they bring insulates our businesses from being held hostage by any one platform vendor. Unfortunately, Unix systems pose significant challenges when it comes to correlating a single physical user s access with the dozens, hundreds, or even thousands of individual Unix systems that he must access. Typically n an organization with 100 Unix servers, each user could have 100 local accounts (one on each box) and be a member of hundreds of locally-managed groups. This means there could be 100 passwords to be managed, 100 separate provisioning actions, and 100 trips to servers to manually audit the rights and specifics of each user s 100 accounts. Who does all this work? You do. But is that really where you should be spending your time? Or even where you want to be spending your time? Technical Brief: Taking Unix Identity and Access Management to the Next Level 4

Quest Identity Manager for Unix and Quest Authentication Services Local User and Group Management Quest Identity Manager for Unix overcomes many of these challenges by providing a centralized, webbased console that makes the management of local Unix users and groups intuitive, convenient, and more cost-effective. But Identity Manager for Unix doesn t stop at the local user and group level. While you were using the tool, you may have noticed its capacity to assess Unix systems for Active Directory bridge readiness. But what does that mean? Active Directory (AD) bridge solutions, such as Quest Authentication Services, enable Unix systems to take advantage of the Kerberos authentication, Group Policy, and centralized identity management capabilities of Microsoft Active Directory. When Unix systems become full citizens in Active Directory through Authentication Services, many, if not all, of the most pressing Unix identity and access management challenges disappear. Recall our example above of the user who has 100 Unix identities, one on each box. Using Authentication Services, these 100 Unix identities can be retired the user s single Active Directory account can provide the necessary access, authentication, and authorization services to all Unix systems. Imagine the relief that this will provide to your Unix administrators, not to mention your Unix users! No longer will a user have 100 passwords that need 100 individual resets from the Unix administration team. When a new user comes on board, Unix administrators no longer need to physically go to 100 Unix boxes and provision 100 user accounts and grant membership to all necessary groups. And even more important, when a user leaves the organization, a single AD-based deprovisioning action terminates access across all 100 Unix systems eliminating the security holes and compliance violations that typically accompany these events. In addition to providing these local user and group management capabilities, Identity Manager for Unix acts as the management console that unlocks the full Authentication Services functionality that truly simplifies identity and access management. The most important of those capabilities are discussed below. Authentication and Single Sign-on Quest Authentication Services provides the necessary integration to enable Unix, Linux, and Mac systems to act as full citizens in Active Directory. The heart of this functionality is centralized authentication and single sign-on for Unix systems. The solution provides the integration between Unix s native PAM and NSS components with the Kerberos and LDAP provided by AD. From within Identity Manager for Unix, the Join Unix System to AD command moves authentication from native Unix protocols to the more secure, efficient, and compliant Kerberos capabilities of Active Directory. This join functionality extends from simple mapping of a Unix account to a corresponding AD account for authentication and password policy, to full migration from Unix identity to an entirely ADbased, consolidated identity scenario. For more information, visit us on the web for a deeper discussion of single sign-on through Authentication Services. Group Policy One of the biggest benefits of making Unix systems full citizens in Active Directory is streamlining management through Group Policy principles leveraging the Active Directory Group Policy framework. Quest Authentication Services provides the industry s most powerful extension of Windows Group Policy to Unix, Linux, and Mac, including: Technical Brief: Taking Unix Identity and Access Management to the Next Level 5

Pre-built policies for critical operations (such as configuring and administering elevated privilege delegation) A full management interface for Group Policy management of the complete set of Mac preferences and settings Management of strong authentication All the flexibility to leverage Group Policy for virtually any task that may be required All of the full-featured power of Group Policy is launched, controlled, monitored, and audited through Identity Manager for Unix on Authentication Services-enabled Unix, Linux, and Mac systems. To learn more about the powerful Group Policy capabilities of Authentication Services, read the technical brief Enterprise Group Policy. NIS Migration Quest Authentication Services provides all the tools to migrate Unix identity and access management from Network Information Service (NIS) into the more secure and compliant Active Directory infrastructure. The process of migrating from NIS to unified, AD-based IAM requires significant planning, careful system and identity assessment, and reconciliation of NIS data with the newly-unified AD identity namespace. Identity Manager for Unix provides intuitive access and powerful control over the entire process of NIS migration, as well as access to all of the Authentication Services capabilities needed to execute the migration in a controlled, transparent, and safe manner. These capabilities include: Mapping and editing existing NIS maps for AD-based IAM Alignment of Unix ownerships Reconciliation of disparate identity information Reporting on identity, access, and migration progress, including what if pre-assessment of planned migration activities Roll-back to previous states For a complete discussion of Authentication Services s tools and capabilities for NIS migration, read the technical brief Quest Authentication Services: A Comprehensive Solution for NIS Migration. Strong Authentication Every installation of Authentication Services 4.0 includes strong authentication through Quest Defender (25 user licenses and 25 one-time password tokens). This empowers organizations to add a deeper level of security to Unix authentication. You can use Identity Manager for Unix to configure and manage the two-factor solution for Authentication Services-enabled Unix systems, and control it through Group Policy. To learn more about Quest Defender and its strong authentication capabilities, visit http://www.quest.com/defender/. Audit, Alerting, and Change Tracking In addition to the local Unix user and group reporting and AD-bridge readiness assessments available in Identity Manager for Unix, Authentication Services provides full auditing, alerting, and change tracking for Unix systems that participate as full citizens in Active Directory. This expanded audit functionality is available through Quest ChangeAuditor, which is included with each Authentication Services 4.0 installation. Available information includes: NIS object settings and changes Personality object settings and changes Technical Brief: Taking Unix Identity and Access Management to the Next Level 6

Computer object and attribute settings and changes GPO settings and changes The state of Unix GECOS, User, Group, Name, Directory, Login, ID, Shell, etc., as well as changes to all of these To learn more about Quest ChangeAuditor, visit http://www.quest.com/changeauditor-for-activedirectory/. Technical Brief: Taking Unix Identity and Access Management to the Next Level 7

Conclusion Integrating Unix, Linux, and Mac systems with AD has quickly become mainstream since Quest introduced the first AD bridge solution with Authentication Services in 2004. In fact, more than 2,000 companies have adopted Active Directory-bridge technologies, according to a 2009 Burton Group report. But today s Unix organization demands more than simple AD-based authentication. With Identity Manager for Unix, Quest brings the path to AD bridge to the masses. This freeware web console provides powerful, centralized management of local Unix users and groups and readiness assessments for moving to AD bridge through Authentication Services. Identity Manager for Unix also provides a simple path to a full AD bridge by launching the full range of Authentication Services capabilities to Authentication Services-enabled systems. To try Authentication Services for yourself, download a free trial, watch a recorded demo, or take the solution for a QuestDrive. Technical Brief: Taking Unix Identity and Access Management to the Next Level 8

TECHNICAL BRIEF About Quest Software, Inc. Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information. Contacting Quest Software PHONE 800.306.9329 (United States and Canada) If you are located outside North America, you can find your local office information on our Web site. E-MAIL MAIL sales@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA WEB SITE www.quest.com Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to: Search Quest s online Knowledgebase Download the latest releases, documentation, and patches for Quest products Log support cases Manage existing support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures. 5 Polaris Way, Aliso Viejo, CA 92656 PHONE 800.306.9329 WEB www.quest.com E-MAIL sales@quest.com If you are located outside North America, you can find your local office information on our Web site 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW_UnixIAM_Peterson_US_MJ-20100604

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information