Comparing Approaches to Protecting Administrator Rights on Windows Systems

In my last few blog posts on DirectAuthorize for Windows (“DZWin”) I have discussed the concept of “least privilege” and some of the compliance and security drivers for Windows privilege management. In this post I want to compare and contrast the approaches other solutions take to enforcing “least privilege”, including what you get natively from Windows itself, with the approach DirectAuthorize takes.

DirectAuthorize for Windows

As a reminder, Centrify DirectAuthorize for Windows is a software solution that eliminates the problem of too many users having broad, unmanaged administrative powers: it delivers secure delegation of privileged access and granularly enforces who can perform which administrative functions. It is an integrated component of the Centrify Suite, so organizations can also extend DirectAuthorize to UNIX and Linux systems and enable user-level auditing across Windows and non-Windows systems. The net result is that organizations can more easily meet compliance requirements and improve security.

So how is access typically managed in Windows systems today?

  1. Use the Allow/Deny Logon GPOs. These user rights assignments (Allow/Deny log on locally, Allow/Deny log on through Remote Desktop Services, and so on) control which users can log on to a system, but say nothing about what those users can do once logged on. Traditionally the way to let someone administer a system is to put them in its local Administrators group, so logon rights and full control over the system arrive together.
  2. Local group management. When users need access to certain systems, administrators simply add them to the local Administrators group on each of those systems. This creates a management nightmare, since the access control decision lives on each individual system, and reporting suffers for the same reason: to answer “who is an admin where?” you have to enumerate every machine.
  3. Restricting an admin to only certain applications is NOT possible with traditional Windows tools. The native choices are full local admin rights, or a second administrative account used with Run As, which still gives that account everything on the box.
  4. Password Wallets/Vaults. Password wallets/vaults let a user check out the built-in Administrator password in order to perform privileged operations. The operations then run as a shared account, so the audit trail shows “Administrator” rather than the person who did the work.
  5. Create X groups per system in AD and nest them into the local groups (e.g. hostA_localAdmin is nested into hostA’s local Administrators group). That is X groups per machine account. In an environment with 500 servers that is at least 500 AD groups, and more like 1,000 or more once you need more than one role per server. This is difficult to manage, creates a lot of groups in AD, and every one of those groups a user belongs to adds a SID to the user’s Kerberos ticket PAC and logon token (token bloat, which can cause logon delays or failures among other symptoms).
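As an added example (not code from the original post, and not Centrify’s tooling), here is what approach 5 looks like when scripted with the native tools, together with the token-size check a practitioner should run before rolling it out. The server names, the OU, the CONTOSO domain and the jdoe account are constructed for the example; the token-size formula is Microsoft’s published estimate for Kerberos token bloat (KB 327825) and counts direct group memberships only.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post or from Centrify. It walks the
# native "one AD group per host per role" pattern and then estimates what it does
# to a user's logon token. Assumed: domain CONTOSO, the OU below, the RSAT
# ActiveDirectory module on the admin workstation, PowerShell remoting to each
# server, and Get-/Add-LocalGroupMember on the servers (Windows 10 / Server 2016+).
param(
    [string[]] $Servers = @('SRV01', 'SRV02', 'SRV03'),   # constructed sample names
    [string[]] $Roles   = @('LocalAdmin', 'RDPUser'),     # one AD group per role per server
    [string]   $GroupOU = 'OU=Host Role Groups,DC=contoso,DC=com',
    [string]   $Domain  = 'CONTOSO'
)

# Which built-in local group each role is nested into on the server.
$LocalGroupForRole = @{
    LocalAdmin = 'Administrators'          # full control, as in approach 2 above
    RDPUser    = 'Remote Desktop Users'    # a logon right only, as with the logon GPOs
}

foreach ($server in $Servers) {
    foreach ($role in $Roles) {
        $groupName = "${server}_${role}"   # e.g. SRV01_LocalAdmin

        # 1. Create the per-host, per-role group in AD if it is not there yet.
        #    Global scope keeps the token cost at 8 bytes per group (see step 3).
        if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $GroupOU)) {
            New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                        -Path $GroupOU -Description "Members are $role on $server"
        }

        # 2. Nest the AD group into the matching local group on the server itself.
        #    This is the step that has to be repeated, and audited, per machine.
        Invoke-Command -ComputerName $server -ScriptBlock {
            param($localGroup, $member)
            $current = Get-LocalGroupMember -Group $localGroup | ForEach-Object Name
            if ($current -notcontains $member) {
                Add-LocalGroupMember -Group $localGroup -Member $member
            }
        } -ArgumentList $LocalGroupForRole[$role], "$Domain\$groupName"
    }
}

"{0} servers x {1} roles = {2} AD groups to create, name, document and review" -f `
    $Servers.Count, $Roles.Count, ($Servers.Count * $Roles.Count)

# 3. The side effect on users: every group SID is carried in the Kerberos PAC and
#    the logon token. Microsoft's published estimate (KB 327825) is
#    TokenSize = 1200 + 40*d + 8*s, where d counts domain local groups (plus
#    universal groups from other domains and SID-history entries) and s counts
#    global groups and same-domain universal groups. Direct memberships only here;
#    nested groups add more, so treat the result as a lower bound.
function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName
    $d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $s = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' }).Count
    [pscustomobject]@{
        User              = $SamAccountName
        DomainLocalGroups = $d
        GlobalGroups      = $s
        EstimatedBytes    = 1200 + 40 * $d + 8 * $s
        DefaultMaxToken   = 48000   # MaxTokenSize default on Windows 8 / Server 2012 and later; 12000 before
    }
}

Get-EstimatedTokenSize -SamAccountName 'jdoe'   # 'jdoe' is a constructed sample account
```

Run it from an admin workstation with RSAT installed and remoting enabled to the servers. The point the script makes is the line after the loop: the work, and the review burden, grows with servers times roles, and every group a user is placed in lands in the PAC of every ticket that user receives, which is why the estimate is worth comparing against MaxTokenSize before you follow this path at scale.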

While some of the features found in DirectAuthorize for Windows can be reproduced natively without the tool, the processes needed to do so are convoluted and may not scale for most organizations. Centrify has simplified this and removed the need for an organization to go down the path of a hand-built Windows/Active Directory role-based access control implementation. For example, here are some of the things DirectAuthorize does that cannot be done easily or natively:

  • Allows an organization to restrict an admin to more role-centric privileges without making them a full Domain Admin or Enterprise Admin in Active Directory.
  • Permits a standard, non-admin user to elevate their rights to run legacy Windows applications that require local admin privileges.
  • Provides an easy and expedited way to limit standard user and admin user access to particular Windows systems and applications from a single pane of glass.
  • Ties into DirectAudit for Windows to allow role-based session auditing of standard and admin user sessions.
  • And probably the most interesting feature missing from native Windows tools is DZWin’s network access rights capability. If you want to grant someone access to a SQL Server, file server, domain controller, Oracle server, SAP server, etc., an “Application Right” on their own machine is not enough, because the privilege has to be honored on the remote system. With Centrify’s DirectAuthorize for Windows you can give users network access rights only, without granting them direct logon rights to those systems: the user accesses services on the remote computer using another user account on that computer, and is granted the elevated privileges only while accessing it. This lets you elevate privileges beyond the local computer, which is often needed for tools like SQL*Plus, ADUC and GPMC.

Finally, some of you may know there are a few desktop privilege management solutions out there that are focused on elevating user and administrative rights, removing or eliminating admin rights, securing user and group privileges, etc. Here are some of the drawbacks of those solutions vis a vis DirectAuthorize:

  1. Vendors in this space ultimately focus on the desktop local-admin problem, not the server admin problem. Centrify addresses both Windows servers and workstations. As we all know too well, the servers are where the data is, and Security and Compliance Officers are equally if not more concerned about the Windows servers in the enterprise.
  2. Most vendors use either GPOs or separate policy servers/consoles to manage their Windows policies. GPOs don’t provide the granularity needed to create and manage an access control model, and they are cumbersome to manage. Additional policy servers, on the other hand, defeat the purpose of leveraging the already fault-tolerant AD infrastructure: customers do not want to worry about making yet another appliance highly available, and they want to minimize the number of tools in the environment. Centrify provides a standard MMC snap-in that plugs into the Microsoft consoles they already use today.
  3. Centrify tray tool icon. Use the Centrify tray icon to quickly switch to a new desktop with the privilege to manage applications and services within the assigned role.

  4. The vendors don’t provide DirectAudit-like capabilities, and those that do require you to go through their proxy, changing the admin/end-user experience in order to be audited.
  5. The vendors don’t provide the same management framework for privileged access across both Windows and UNIX systems.

So hopefully you can see that DirectAuthorize is a powerful solution that provides significant value over native Windows tools as well as desktop-oriented Windows privilege management solutions. For more information on DirectAuthorize for Windows please check out a 5 minute video of DirectAuthorize here or request a free trial here.