Windows and Active Directory are amazing enterprise-grade technologies, but they don’t do everything that IT security and architecture teams need in order to meet regulatory compliance goals for privilege management and monitoring (or auditing) on Windows Server. Here are four good reasons to look beyond native Windows controls.
1. Local Admins can see everything on a machine. Domain Admins can see everything on every machine.
When you have high-value data residing on your Windows Servers, there’s almost certainly a regulatory act that requires limiting access to that data based on business roles. Windows admins are operational roles and are highly unlikely to have a business need to “own the PCI/HIPAA/NERC/MAS/SOX data”; yet, Windows has no way to restrict access by admins.
2. Audit and event logs only tell you what the OS or application is programmed to tell you.
There are always gaps in audit and event logs at the application level. Windows itself does an outstanding job at this, but even so there are gaps in what it will log. You can tell that an admin launched a management console, but you probably can’t tell exactly what they did within the console. And if the action in question was taken by a Windows admin, they could have used their highly-privileged account to hide something from the audit and event logs, or even edit the logs themselves.
3. Admins can create other admins.
If you’re a Local Admin, you can create as many additional Local Admin accounts on the machine as you like. Same with Domain Admins. It’s an open invitation to create ‘backdoor’ accounts that render the standard Windows security controls useless because it is, after all, an admin account.
4. Nothing is permanent except Windows admin accounts.
There’s no native Windows control in local or group policy to automatically expire membership in the Local Admin or Domain Admin security groups. Once an admin account is created, it takes deliberate action to delete the account. If an account is “forgotten” or “lost”, that administrative user will have that account forever.
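Points 3 and 4 above are where a defender can at least detect what native Windows does not prevent. The following PowerShell script is an added example, not Centrify's code or anything from the original post: it records the current Domain Admins and local Administrators membership, reports any principal added since the last review (a candidate "backdoor" admin), and lists Domain Admin user accounts that carry no AccountExpirationDate. It assumes the RSAT ActiveDirectory module, a Windows Server 2016 or later host for Get-LocalGroupMember, and a constructed placeholder path for the baseline file.

```powershell
# Added example (not Centrify's or Microsoft's code): review privileged group membership.
# Assumes RSAT ActiveDirectory module and Get-LocalGroupMember (Server 2016+).
param(
    [string]$BaselinePath = "C:\Audit\priv-baseline.json"   # constructed placeholder path
)
Import-Module ActiveDirectory

function Get-PrivilegedMembers {
    # Expand Domain Admins recursively so nested groups cannot hide a member,
    # then add the local Administrators group on this host.
    $domain = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { [pscustomobject]@{ Scope = 'Domain Admins'; Name = $_.SamAccountName } }
    $local = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { [pscustomobject]@{ Scope = 'Local Administrators'; Name = $_.Name } }
    return @($domain) + @($local)
}

function Get-NeverExpiringDomainAdmins {
    # Point 4: Domain Admin user accounts with no expiry date live until someone deletes them.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountExpirationDate, whenCreated |
        Where-Object { -not $_.AccountExpirationDate } |
        Select-Object SamAccountName, Enabled, whenCreated
}

$current = Get-PrivilegedMembers

if (Test-Path $BaselinePath) {
    # Point 3: any member absent from the last review is a candidate backdoor admin.
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $added = Compare-Object -ReferenceObject @($baseline) -DifferenceObject $current -Property Scope, Name |
        Where-Object { $_.SideIndicator -eq '=>' }
    if ($added) {
        Write-Warning "Privileged members added since the last review:"
        $added | Format-Table Scope, Name -AutoSize
    } else {
        Write-Output "No new privileged members since the last review."
    }
} else {
    Write-Output "No baseline found; recording one at $BaselinePath"
}
# Refresh the baseline for the next review (the directory must already exist).
$current | ConvertTo-Json | Set-Content $BaselinePath

Write-Output "Domain Admin user accounts with no expiry date (review each one):"
Get-NeverExpiringDomainAdmins | Format-Table -AutoSize
```

Run it on a schedule from a hardened management host; the baseline file should be writable only by the account that runs the review, since an admin who can edit it can erase the evidence of an added account.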
Centrify Server Suite squarely addresses each of these issues. It extends Windows privilege management and monitoring (auditing) controls to enable IT teams to:
1. Restrict computers from access by admins.
DirectAuthorize for Windows can prevent Local and Domain Admins from logging into Windows Server on a per-machine basis. IT can protect its sensitive data from admins who have no business need to own the data.
2. Monitor and audit with perfect detail.
In addition to the rich privileged access event and audit logs created by the DirectAuthorize and DirectAudit for Windows agent, DirectAudit can capture perfect detail with “over the shoulder” video capture of admin sessions. Authorized viewers of audited sessions can see every mouse movement, every check box toggled, every keystroke, and every action taken by the user.
3. Privilege to get work done without the privilege to create additional admin accounts.
DirectAuthorize for Windows enables IT to grant administrative users the privileges they need to do their jobs without the privilege to create additional Local or Domain Admins, eliminating the possibility of rogue admin accounts proliferating across machines and domains.
4. Automatically expire account privileges.
When IT assigns a DirectAuthorize role to a user or security group, the role will enable the users to perform specific actions with privileges that can run all the way up to Domain Admin. And every role assignment can be set to automatically expire on a specific day and time. It’s “set and forget”. Roles can be time-boxed both ways, in fact, with a specific day and time to begin availability as well as end.
These are four good reasons for IT teams to look beyond native Windows controls to meet their audit and regulatory compliance goals, and Centrify Server Suite for Windows addresses all four.
You can trial Centrify Server Suite by going here:
You can find DirectAuthorize and DirectAudit for Windows here: http://www.centrify.com/windows/windows-privilege-management.asp