I wanted to tie up my series of blog posts on least privilege for Windows by drilling into a bit of architectural detail on how DirectAuthorize for Windows, an integrated component of the Centrify Suite, lets IT organizations securely delegate and manage privileged access across their entire Windows infrastructure. As a reminder, Centrify DirectAuthorize for Windows addresses the problem of too many users holding broad, unmanaged administrative rights by delivering secure delegation of privileged access and granularly enforcing who can perform which administrative functions. DirectAuthorize also integrates with Centrify DirectAudit so that IT can combine least-privilege enforcement with detailed monitoring of privileged user sessions for stronger security and governance.
DirectAuthorize for Windows consists of three main components that install quickly with guided deployment wizards.
These components are:
- Centrify DirectManage Console: a Windows-based console used to define roles and the rights each role carries. Roles grant privileged users limited capabilities over a subset of resources, which is what enables least-privilege access to the systems, services and applications that make up your Windows environment. Roles are then assigned to Active Directory users and groups, which keeps the management of granular access simple and straightforward.
- Centrify DirectAuthorize Agent: a Windows service that enforces privileged access to systems, services and applications using the roles and rights defined in the DirectManage Console and stored centrally in Active Directory. The agent works with the server's authentication and access management processes to examine the actions users perform on the system. It also includes a command-line option for privilege elevation from within PowerShell or VB scripts. In addition, the agent can trigger auditing of user sessions by user, role, system or privilege elevation. This audit-trail feature sends requests to the Centrify DirectAudit Agent, which starts and stops session recording for the defined actions, capturing session events, metadata and optionally video for search and playback. The DirectAudit Agent installs alongside the DirectAuthorize Agent.
- Centrify Elevation Tool: a Windows tool available in the system tray of every system on which the DirectAuthorize Agent is installed. It provides a one-click interface to elevate to the specific roles defined in the DirectManage Console and enforced on the local server by the DirectAuthorize Agent. The Elevation Tool supports customizable keyboard shortcuts, so switching between multiple privileged desktops is quick.
Operation of DirectAuthorize begins with defining roles and rights in the DirectManage Console. The goal is a least-privilege environment: users hold only the specific privileges their jobs require, revert to normal user access at all other times, and always authenticate with their own unique AD credential rather than a shared administrative account. You can also turn on auditing to verify that users are not misusing the privileges granted to them.
For example, you can define a role called "SQL Developer" that can create and modify SQL Server-based applications but cannot start, stop or reset the server; a separate "SQL Server Admin" role grants those rights. Likewise, you can define a role for the Active Directory group of Exchange Server administrators that covers the company's Exchange Servers, while only a subset of those administrators is permitted to configure the Exchange Servers of a newly acquired company. Centrify also enforces who may elevate privilege on a Windows system when connecting across the network, a control that native Windows tools do not provide.
Once roles are defined, they are assigned to Active Directory users and groups. For example, you might assign Jane both the "SQL Developer" role and the "SQL Server Admin" role. Provisioning is simple: associate each role with the relevant Active Directory groups, and group membership determines who holds the role.
DirectAuthorize for Windows also supports time-limited roles. You can restrict a role to particular hours of the day or days of the week, which improves control and visibility over temporary workers, contractors, partners and offshore staff who require access to your company's important IT assets.
Time limiting is just one feature of DirectAuthorize for Windows that is hard to achieve with native Windows controls. Another is Zones. A Zone scopes delegated administration to a specific set of users and computers; within it you assign roles and rights and link audit triggers to users, roles, servers and privilege elevation. Zones can also be used to create consistent access and privilege management across platforms, applications and databases. For example, a "Database Admin" Zone can include Oracle administrators responsible for databases running on Solaris and SQL Server administrators on Windows systems, with common access rules and privileges defined and managed centrally.
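To make the role, assignment, time-limit and Zone concepts from the preceding paragraphs concrete, here is an added example of a small authorization model that evaluates "can this user exercise this right on this computer right now?" the way the text describes. It is illustrative code written for this post, not Centrify's product code or API: the right names, group names, computer names and the "Database Admin", "Exchange" and "Acquired Exchange" Zones are all constructed sample data, and the rule that a role is granted through AD group membership inside a Zone that contains the target computer is an assumption that mirrors the description above.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    """A named bundle of rights, optionally limited to certain weekdays/hours."""
    name: str
    rights: FrozenSet[str]
    days: Optional[FrozenSet[int]] = None      # 0 = Monday ... 6 = Sunday; None = any day
    hours: Optional[Tuple[int, int]] = None    # [start, end) in 24h clock; None = any hour

    def active_at(self, when: datetime) -> bool:
        """Time-limited roles are only usable inside their window."""
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


@dataclass(frozen=True)
class Zone:
    """A set of computers plus role assignments (role name -> AD groups holding it)."""
    name: str
    computers: FrozenSet[str]
    assignments: Dict[str, FrozenSet[str]]


class Policy:
    def __init__(self, roles, zones):
        self.roles = {r.name: r for r in roles}
        self.zones = list(zones)

    def effective_roles(self, groups: Set[str], computer: str, when: datetime) -> Set[str]:
        """Roles a user (identified by AD group membership) can elevate to on a computer now."""
        found = set()
        for zone in self.zones:
            if computer not in zone.computers:
                continue  # assumption: assignments only apply inside the Zone's computers
            for role_name, holders in zone.assignments.items():
                if holders & groups and self.roles[role_name].active_at(when):
                    found.add(role_name)
        return found

    def allowed(self, groups: Set[str], computer: str, right: str, when: datetime) -> bool:
        """True if any currently-active role on this computer carries the right."""
        return any(right in self.roles[r].rights
                   for r in self.effective_roles(groups, computer, when))


# Constructed sample data (not from any real deployment).
WORKDAYS = frozenset(range(0, 5))
POLICY = Policy(
    roles=[
        Role("SQL Developer", frozenset({"sql:create_db", "sql:alter_db"})),
        # Service control is the sensitive part, so it is limited to business hours.
        Role("SQL Server Admin", frozenset({"sql:start_service", "sql:stop_service"}),
             days=WORKDAYS, hours=(8, 18)),
        Role("Exchange Admin", frozenset({"exch:configure"})),
    ],
    zones=[
        Zone("Database Admin", frozenset({"sql01", "sql02"}),
             {"SQL Developer": frozenset({"SQL-Developers"}),
              "SQL Server Admin": frozenset({"SQL-Admins"})}),
        Zone("Exchange", frozenset({"exch01"}),
             {"Exchange Admin": frozenset({"Exchange-Admins"})}),
        # Only a subset of Exchange admins may touch the acquired company's servers.
        Zone("Acquired Exchange", frozenset({"exch-acq01"}),
             {"Exchange Admin": frozenset({"Exchange-Admins-Acquired"})}),
    ],
)

JANE = {"SQL-Developers", "SQL-Admins"}
CONTRACTOR = {"Exchange-Admins"}
TUESDAY_10AM = datetime(2024, 1, 9, 10, 0)
TUESDAY_10PM = datetime(2024, 1, 9, 22, 0)
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)


def jane_can_stop_sql(when: datetime) -> bool:
    return POLICY.allowed(JANE, "sql01", "sql:stop_service", when)


if __name__ == "__main__":
    print("Jane stop SQL, Tue 10:00:", jane_can_stop_sql(TUESDAY_10AM))
    print("Jane stop SQL, Tue 22:00:", jane_can_stop_sql(TUESDAY_10PM))
    print("Jane create DB, Sat 10:00:", POLICY.allowed(JANE, "sql01", "sql:create_db", SATURDAY_10AM))
    print("Contractor on acquired Exchange:", POLICY.allowed(CONTRACTOR, "exch-acq01", "exch:configure", TUESDAY_10AM))
```

The point of the model is the separation the post keeps returning to: rights live on roles, roles are granted through AD groups, and a Zone decides where those grants apply. Jane can create databases at any time because "SQL Developer" is unrestricted, but she can only stop the SQL service inside the admin role's window, and her SQL roles give her nothing on an Exchange server because no Zone containing that server assigns them.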
Once roles and rights are defined and assigned to Active Directory users and groups, the DirectAuthorize Agent enforces them on the managed systems. If a user holds multiple roles on a given system or application, the Elevation Tool lets them switch roles quickly. One-click privilege elevation and privileged-desktop switching improves productivity by removing the need to re-enter passwords, check out temporary passwords or file help desk requests for access, while still preserving least-privilege security.
Finally, you can use DirectAuthorize to enable session auditing and replay through its integration with DirectAudit. With DirectAudit, detailed sessions and events can be captured whenever users elevate privilege, access high-value IT assets or perform day-to-day tasks that must be tracked for compliance and corporate governance. Triggering DirectAudit only requires adding auditing as a property of a user, role, system or privilege. This is supplemented by DirectAuthorize's own audit logging, which sends privileged-user events to the Windows event log, so the elevation trail is available to your existing event collection even before you look at session recordings. Native Windows management tools do not offer user-session capture and replay for monitoring user actions against stringent compliance requirements.