Implementing Windows Privilege Management

DirectAuthorize for Windows
One of the major new enhancements to our recently announced Centrify Suite 2013 is actually a brand new product: DirectAuthorize for Windows. In my last blog post I discussed why a product such as DirectAuthorize is needed: in a Windows environment you have to restrict and protect both high privileged domain accounts and local accounts with administrative privilege in order to mitigate the risk of attacks such as “Pass the Hash.” In this blog post I want to drill down a bit more on DirectAuthorize and discuss how it can help you implement Windows Privilege Management.

But first, what is DirectAuthorize for Windows? Centrify DirectAuthorize for Windows is a software solution that eliminates the problem of too many users having broad and unmanaged administrative powers by delivering secure delegation of privileged access and granularly enforcing who can perform what administrative functions. It is an integrated component of the Centrify Suite, and organizations can also easily extend DirectAuthorize to UNIX and Linux systems as well as enable user level auditing across Windows and non-Windows systems. The net result is that organizations can more easily meet compliance requirements and improve security.

At the heart of DirectAuthorize is the implementation of the concept of “least privilege.” As Gartner notes in its 2012 report entitled “Hype Cycle for Identity and Access Management Technologies,” organizations should:

“Adopt a “least privilege” model for granting privileges, including superuser privileges. It is not good practice for administrators to use a privileged account for mundane activities… there is a need for the organization to have more granular control over and visibility into the way that these [administrator] privileges are granted and used.”

Implementing privilege management is important in the Windows environment for a number of reasons. The first that comes to mind is compliance. If you dig into SOX, FISMA, NERC, PCI DSS etc. you will see that common to every major compliance regulation and industry mandate are requirements to ensure that users authenticate with a unique identity (and do not share accounts) and that privileges are limited to only the ones needed to perform job functions. In addition, user activity must be tracked and monitored with enough detail to determine the effectiveness of the security controls the organization has put in place. For example, as PCI DSS section 7.2 states:

“Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.”

[In a future blog post I will drill down more into compliance requirements vis a vis least privilege as I think more needs to be discussed there.]

Another obvious reason is security. For example, mitigating the risk of insider attacks that can lead to a data breach or system outage remains a key concern for IT security managers. Several factors have led to an increase in insider incidents, including the sharing of privileged account credentials and the assignment of privileges that are overly broad with respect to the job responsibilities of the user.

Finally, another reason for implementing privilege management solutions is limiting the access granted to temporary workers, contractors and other third parties. Today’s business environment is driving enterprises to find cost efficiencies at every level of their operations. Temporary workers, contractors and cloud computing are giving organizations the agility, flexibility and cost control they require to remain competitive, but organizations are still responsible for the security and compliance of their IT systems.

Given that Windows is the most prevalent desktop out there and Windows Server represents well over half of servers shipped on an annual basis, and given the large number of attack tools freely available for the Windows platform, it seems that every organization needs a solution for Windows privilege management to address the compliance, security and third-party access requirements described above. Common requirements for the Windows platform include:

  • Restrict and protect high privileged domain accounts
  • Restrict and protect local accounts with administrative privileges
  • Remove standard users from the local administrators group
  • Limit the number and use of privileged domain accounts

So doesn’t the underlying operating system or the management tools you get with Windows address these needs? While some of the features found in DirectAuthorize for Windows can be reproduced natively without it, the processes to recreate those features are very convoluted and may not scale for most organizations. What Centrify has done is simplify this and remove the need for an organization to go down the path of the convoluted Windows/Active Directory role based access control implementation. Below are some of the things that DirectAuthorize does that cannot be performed easily or natively:

  • Allows an organization to restrict an admin to more role centric privileges without making them a full Domain or Enterprise Active Directory admin
  • Permits a standard non admin user to elevate their rights to run legacy Windows applications that require local system admin privileges
  • Provides an easy and expedited way to limit standard user and admin user access to particular Windows systems and applications via a single pane of glass
  • Ties into DirectAudit for Windows to allow for role based session auditing on standard and admin user sessions
  • Also provides support for UNIX and Linux

In my next blog post I will talk a bit more about the differences between the native tools and DirectAuthorize, as that is a topic I want to drill down on further.

So hopefully you can see that DirectAuthorize addresses a real pain point that can’t be addressed by what is provided in the box. Let me leave you with what are, in my mind, some of the top capabilities DirectAuthorize gives you, which I think will be of interest to any organization with a decent Windows server and desktop population:

  • No more shared Active Directory admin accounts. Administrative users can use their standard (non admin) Active Directory accounts to manage domain systems and applications by elevating their account based on organization roles.

  • Use the DirectAuthorize Run as Role feature to elevate privilege in order to run specific applications


  • DirectAuthorize for Windows allows an organization to control what systems an Active Directory admin can access, regardless of whether the admin account is a Domain or Enterprise admin.
  • Provides the facility to easily control what administrative tasks an Active Directory admin is allowed to perform once on a DirectAuthorize protected system.
  • Allows an organization to easily group together computers, users, groups and role based privileges according to job function and duties in an organization.
  • Role based session auditing when admins elevate to their administrative privileges.
  • Protect end point Windows workstations from malicious viruses and malware by removing local admin privileges for users, but provide the ability for users to manage printers and install software if they elevate to a privileged role.

For more information on DirectAuthorize for Windows please check out a 5 minute video of DirectAuthorize here or request a free trial here.