Making Everything Easier!

Quest Software Edition

Privileged Account Management

Compliments of

Kevin Beaver, Jackson Shaw

Privileged Account Management


FOR

DUMmIES

QUEST SOFTWARE EDITION

by Kevin Beaver and Jackson Shaw

These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Privileged Account Management For Dummies, Quest Software Edition


Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

ISBN: 978-1-118-12842-8

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1


Table of Contents

Introduction

Chapter 1: Privileged Account Management
    Seeing How Privileged Account Management Works
        Discovering why privileged accounts can be dangerous
        Knowing why privileged accounts are necessary
        Managing privileged accounts
    Looking at Traditional Solutions
        Do nothing
        Go open source
        Use a manual process
    Managing Privileged Accounts the Quest One Way
        Controlling Unix root access
        Augmenting existing tools with audit and policy-based control
            ActiveRoles Server
            Logging and activity analysis
            Third-party policies
        Influencing everything with unified roles
    Recognizing the Benefits of the Quest One Approach

Chapter 2: Ten Benefits of Quest One for Identity and Access Management
    Getting to One Password
    Getting to One Identity
    Managing Privileged Accounts Securely
    Achieving Single Sign-on
    Streamlining Provisioning
    Improving Role Management
    Using Multifactor Authentication
    Making Users Happy
    Handling Identity Administration More Efficiently
    Knowing What Users are Doing


Publisher's Acknowledgments

We're proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Linda Morris
Editorial Manager: Rev Mengle
Business Development Representative: Melody Layne
Custom Publishing Project Specialist: Michael Sullivan

Composition Services
Project Coordinator: Kristie Rees
Layout and Graphics: Sean Decker
Proofreader: Susan Moritz
Special Help: Brian Underdahl

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies
Diane Graves Steele, Vice President and Publisher, Consumer Dummies

Composition Services
Debbie Stailey, Director of Composition Services

Business Development
Lisa Coleman, Director, New Market and Brand Development


Introduction

Are you ready to tackle identity and access management for your enterprise? Would you like to improve efficiency, enhance security, and also tackle thorny compliance issues? If so, you've come to the right place. Privileged Account Management For Dummies, Quest Software Edition, shows you how to use the Quest One Identity Solution to manage administrative access. You'll see how the right identity and access management solution can save you money, improve your security, and result in happier users.

How This Book Is Organized

This book is divided into two chapters:

Chapter 1, "Privileged Account Management," discusses how the need for certain users to have privileged access causes problems for organizations. You see how the lack of granularity in root access controls on Unix and Linux systems presents a real security challenge and understand how the Quest solution deals with this challenge in a very effective and secure manner.

Chapter 2, "Ten Benefits of Quest One for Identity and Access Management," presents ten different ways that Quest can benefit your enterprise.

Icons Used in This Book

This book uses the following icons to call your attention to information you might find helpful in particular ways.

The information in paragraphs marked by the Remember icon is important and therefore repeated for emphasis. This way, you can easily spot the information when you refer to the book later.

The Tip icon indicates extra-helpful information.

Paragraphs marked with the Warning icon call attention to common pitfalls that you may encounter.

Need more?
This book was excerpted from Identity & Access Management For Dummies, Quest Software Edition, done on behalf of Quest. If you'd like a copy of the full book, which describes the Quest One Identity Solution in greater detail, please contact your Quest representative or contact Quest directly at www.quest.com/IAMbook registration or 1-800-306-9329.


Chapter 1

Privileged Account Management


In This Chapter

- Seeing how privileged account management works
- Looking at traditional solutions
- Managing privileged accounts the Quest One way

Within any organization, certain individuals need privileged access to computer systems in order to perform administrative-level tasks. Providing this access carries certain risks to the enterprise because of the vast powers that come with privileged access. In this chapter, see how the Quest One Identity Solution can help you manage privileged accounts within your organization and reduce the associated risks to acceptable levels.

Seeing How Privileged Account Management Works


Privileged accounts serve important purposes within organizations. This type of account grants a person special rights so that they can perform a number of powerful administrative functions such as preparing disks for use, backing up files, and installing applications, to name a few. But privileged access also means that the user can do things that might not be in the organization's best interests. You need to carefully control and manage privileged account access to strike a balance between enabling users to perform needed tasks and allowing people to cause harm (either maliciously or unintentionally). Just because someone requires privileged access on your network to do his or her job doesn't mean he or she should have the keys to the kingdom. Likewise, just because someone appears trustworthy and seems to have the best interests of the business in mind doesn't mean he or she does.

Discovering why privileged accounts can be dangerous


Organizations rely on their computer systems in so many ways that it's hard to imagine how they would get along if a major problem struck. And yet, it's not uncommon to have security weaknesses that increase the chances for unscrupulous or incompetent administrators to cause major problems. Take the example of allowing people to have root access privileges on a Unix system. Root access pretty much allows a person to do anything on the system, so incidents can and do happen. In many cases, these well-publicized incidents involve Unix-based servers, where a malicious or less-than-careful administrator was given the keys to the kingdom (unrestricted access to the entire system) and, with the access provided by those keys, caused severe damage.

For example, in January 2009, a disgruntled contractor used Unix root privileges to plant malicious computer code, also known as a logic bomb, inside Fannie Mae's servers and programmed it for activation several months later. It would have completely wiped out Fannie Mae's 4,000 servers, causing millions of dollars in damage and shutting down Fannie Mae operations for a considerable amount of time. The contractor implemented this logic bomb in fewer than three hours after being informed that his contract was being terminated. That organization was easily and quickly damaged by a single person with Unix root privileges. Unfortunately, because of the way Unix works, the contractor would have needed those root privileges to do his job and acquired them simply by knowing the root password, something that couldn't have been easily changed across 4,000 servers.

It's smart to take the "trust but verify" approach to information security. Unlimited trust on critical business systems can create not only headaches but also serious business liabilities.

The disaster at Fannie Mae was averted only because a senior Unix engineer stumbled across the logic bomb before it exploded. The odds of such situations being defused every time they crop up are very low. Are you ready to leave your organization's future to such random chance?

Knowing why privileged accounts are necessary


It may seem a little strange that you have to provide what is essentially limitless power to any user, but that's one of the quirks of dealing with Unix- or Linux-based computers. Natively, it is the only way administrative activities can be performed. It's actually very easy for someone with root access to do major damage, unlike in Windows and most other types of operating systems, where the designers devised methods of better protecting the system and data. However, all systems have credentials that hold limitless power. It's just the lack of lesser credentials in Unix that makes it such a severe case.

Within the Unix and Linux world, only one account, root, can perform administrative activities. The root account can't be delegated natively, so it is generally shared by a number of administrators, which results in inferior security and the inability to audit access. In addition, even the most common administrative tasks, for example, clearing a printer queue, need root access. This means that a highly paid IT administrator must perform traditional help desk tasks, creating inefficiencies, or help desk staff must be given far too many privileges, reducing security. With Unix and Linux servers hosting many mission-critical applications, as well as housing sensitive data, inferior security and auditing can quickly turn into security and compliance nightmares.

Because all administrative tasks require root permissions, Unix makes it easy for administrators to execute commands or launch processes using root's privileges. Root can change ownership of files, bind well-known TCP/IP ports to specific applications, kill running processes, and more. Root has default access to every operating system command and is the only user by default who can modify the top-level directory in the Unix file system, where all other file system security originates. Root is, in fact, so powerful that some Unix distributions disable it by default, forcing businesses to choose a strong password before enabling and using the account.

Unfortunately, most Unix variants provide no granularity to super-user security. In other words, if you need to perform some task that requires root privileges, you must know the root password. All basic administrative commands on Unix and Linux systems require root permissions and inherently lack a scalable and simple model for administrative delegation. This results in the proliferation of an extremely weak set of security practices:

- Organizations tend to configure every Unix server with the same root password.
- That root password, by necessity, tends to be widely known among the organization's administrators.

In other words, too many people have the keys to the kingdom and are able, through maliciousness or accident, to damage it. In fact, root grants its user the ability to actually cover his tracks by editing system logs.

Root has access to anything and everything on Unix and Linux systems. Hand it out and use it sparingly.

Managing privileged accounts


In an ideal world, you would avoid using root entirely and delegate permissions in a much more granular, auditable fashion to administrators who need to perform specific tasks. In the real world, this isn't as easy as it sounds because of the decades-old Unix design principles and decisions, and there's not much you can do to solve it manually. Many organizations simply try to change root passwords frequently, a time-consuming task that only partially ensures that discharged employees don't gain root access. Unfortunately, that will do little to stop the problem of a current employee or contractor maliciously or accidentally misusing root privileges. In fact, changing passwords would have been of little help to Fannie Mae because the risk was created in a short period of time.

Many organizations implement an open-source tool called Sudo (it stands for "super user do") that provides the ability to delegate activities typically performed with the root login. Sudo enables organizations to restrict administrators from overstepping their bounds. Unfortunately, Sudo must be implemented and managed separately on each and every Unix server, and there is no audit or centralized policy control across those deployments.
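To make the per-server Sudo problem concrete, here is an added example (written for this edition, not code from the book or from Quest) that gathers the sudoers policy from several hosts, expands its User_Alias and Cmnd_Alias definitions, and reports who can run what on which host. It flags grants that are equivalent to handing out the root password (ALL, NOPASSWD: ALL, or a shell) and users whose rights differ from host to host, which is exactly the drift that separately managed sudoers files produce. The three sudoers snippets and the host names are constructed samples; the parser handles the common line forms shown and is not a complete sudoers grammar.

```python
"""Consolidate sudoers policy from several hosts and flag weak grants.

Added example, not code from the book or from Quest. The sudoers text
below is constructed sample data for three made-up hosts; the parser
covers the common line forms shown, not the full sudoers grammar.
"""
import re
from collections import defaultdict

SUDOERS_BY_HOST = {  # constructed samples, one sudoers file per host
    "db01": """
User_Alias  BACKUP = bob, carol
Cmnd_Alias  BACKUPCMDS = /usr/bin/rsync, /sbin/dump
root        ALL=(ALL) ALL
BACKUP      ALL=(root) NOPASSWD: BACKUPCMDS
dave        ALL=(ALL) ALL
""",
    "web01": """
Cmnd_Alias  PRINTING = /usr/bin/lprm, /usr/sbin/lpc
helpdesk    ALL=(root) PRINTING
bob         ALL=(ALL) NOPASSWD: ALL
""",
    "app01": """
%admins     ALL=(ALL) ALL
bob         ALL=(root) /bin/bash
""",
}

# Commands that give the caller an unrestricted root session.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/su", "/bin/su"}

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\((\S+)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return (user, runas, nopasswd, commands) per user spec, aliases expanded."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # unsupported line form; a real audit would report it
        user, _host, runas, cmdspec = m.groups()
        nopasswd = cmdspec.startswith("NOPASSWD:")
        if ":" in cmdspec:  # strip a NOPASSWD:/PASSWD: tag
            cmdspec = cmdspec.split(":", 1)[1]
        commands = []
        for c in (x.strip() for x in cmdspec.split(",")):
            commands.extend(cmnd_aliases.get(c, [c]))
        for u in user_aliases.get(user, [user]):
            specs.append((u, runas or "root", nopasswd, commands))
    return specs


def audit(sudoers_by_host):
    """Return (matrix, findings): matrix[user][host] -> commands; findings list."""
    matrix = defaultdict(dict)
    findings = []
    for host, text in sudoers_by_host.items():
        for user, runas, nopasswd, commands in parse_sudoers(text):
            if user == "root":
                continue  # root's own entry delegates nothing
            matrix[user][host] = commands
            if "ALL" in commands:
                findings.append((host, user, "full root equivalent (ALL)"))
                if nopasswd:
                    findings.append((host, user, "NOPASSWD on ALL"))
            elif SHELLS & set(commands):
                findings.append((host, user, "can launch a shell as %s" % runas))
    return matrix, findings


def inconsistent_users(matrix):
    """Users whose command set differs between the hosts that grant them sudo."""
    return sorted(u for u, by_host in matrix.items()
                  if len(by_host) > 1 and len({tuple(c) for c in by_host.values()}) > 1)


if __name__ == "__main__":
    matrix, findings = audit(SUDOERS_BY_HOST)
    for user in sorted(matrix):
        for host, cmds in sorted(matrix[user].items()):
            print("%-10s %-6s %s" % (user, host, ", ".join(cmds)))
    for host, user, why in findings:
        print("FINDING %s %s: %s" % (host, user, why))
    print("inconsistent across hosts:", inconsistent_users(matrix))
```

Run as a script, it prints the consolidated matrix, five findings (dave and %admins with ALL, bob with NOPASSWD: ALL on web01 and a root shell on app01) and reports bob as the user whose rights differ on every host. Collecting the files is the part this example leaves out: on real hosts you would pull /etc/sudoers and /etc/sudoers.d/* over your configuration management channel and feed them in by host name.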

Case study: Privileged account management


Take a look at this before-and-after scenario showing the benefits of an effective privileged account management process.

Remember when our employee John needed access to the Unix systems and needed help resetting his Unix passwords? David, the head of the Unix department, was annoyed because he has more important things to do and doesn't have very many people with the access rights to do these types of things. He has to do them himself or give the root password to Mary so that she can do it.

Here's how they got in this predicament: Once upon a time (before compliance was such a big deal), the company would issue the Unix root password to all of the Unix administrators who needed elevated rights to do their job. That means that the guy who resets passwords and backs up data has just as much access rights as David, who is really the only one who is supposed to view the logs and install software. In Unix, the root account gives all-or-nothing access, so the password-reset guy has the same rights as David and there is nothing you can do about it.

One day, the company had to fire a Unix administrator who wasn't pulling his weight. Because the guy had root access so he could back up the systems, he also had the access rights to do things he wasn't supposed to do. Suspecting that his job was in jeopardy and none too happy about it, the administrator logged on to some Unix systems as root and installed a time bomb to destroy data at a later date. Because he was logged in as root, he could go into the system logs and actually edit them to cover his tracks. When he was fired, everything was already set up to enable him to get his revenge on the company. It happened, and the company spent a lot of money and time restoring the lost data.

In response, David decided that no one could use the root password except him. Anytime someone needed to do something, David would go to the safe and pull out a binder where he wrote all of the root passwords from all of the Unix servers. He would issue the password, and then when the administrator was done with his work, David would log in and change the password, write it down in the binder, and lock it back in the safe. That prevented people from doing things they weren't supposed to, but it also was a management nightmare, and David spent more time managing the root passwords than actually managing his team.

So they implemented an open-source tool called Sudo (which stands for "super user do") that allows David to define which root commands individual administrators can execute and which ones they can't. The problem with Sudo is it has to be implemented individually on each server and the policy file (called sudoers) is written for each server. It solves some of the problems but still doesn't give David the visibility he wants.

How does an effective privileged account management strategy help this scenario? With Unix/Linux systems joined to Active Directory (AD), the company can use Group Policy to get a little more control over the Sudo installation and can base what people can do on AD-defined roles. For some systems with more sensitive data and more restricted access needs, the company implements a delegation and audit tool that provides centralized policy and full audit of all activities performed with root. This means that users, situations, and time/day parameters can actually be used to predefine what an individual administrator can and can't do, as well as the approval processes necessary to grant that access. The solution also audits the entire process, from what rights individual administrators have to keystroke-level logging of what they do with those rights. But some systems don't need such a robust solution. For these, the company has augmented its Sudo installation with plug-ins that give more control over Sudo policy and the audit trail that open-source Sudo lacks. As a result, David has the confidence that all administrators are doing their jobs (nothing more and nothing less) and has the ability to find out who, what, when, where, and how it happened if someone violates policy.


Looking at Traditional Solutions


Clearly, privileged account access must be controlled and managed to protect the organization. So the question is: How do enterprises traditionally address this problem?

Do nothing
Probably the most common approach to privileged account management is simply to do nothing. This "bury your head in the sand" approach likely stems from an incomplete understanding of the problem. After all, that's how Unix and Linux systems were designed. Never mind that this presents a serious security problem; it's just the way it's always been done.

Short-sighted approaches to managing IT and security, including the assumption that nothing will go wrong or that problems will just go away on their own, are a recipe for disaster.

Go open source

In most other cases, organizations have implemented open source solutions (such as Sudo) to address the lack of granularity in Unix and Linux root access. One problem with this approach is that you need considerable technical skills and deep understanding in order to apply these open source solutions successfully. Not only that, but you need to search out and research to find open source solutions that you can trust, and Sudo must be installed and individually managed on each and every affected server.

Free solutions hardly ever are.

Use a manual process


Often, organizations attempt to control the problem through manual processes such as frequently changing the root password. But in reality, simply changing the root password does not address the problem that is inherent in Unix and Linux systems: the lack of fine-grained, policy-based access control. In addition, you still need to provide that root password to employees and contractors who need to perform tasks that require root privileges.

Managing Privileged Accounts the Quest One Way


Quest One, not surprisingly, offers a multipronged approach to privileged account management that actually solves the problem. Rather than simply restricting access to the root account, Quest One leverages AD to supply the capabilities that are lacking in Linux and Unix systems. The Quest One approach to IAM delivers powerful solutions for managing administrative access and the authorization and control required of them. Whether you are dealing with the AD administrative account, the Unix root account, or any of the multitude of application and platform elevated privilege credentials, Quest One enables granular control, more secure access, and role-based authentication.

Quest One solutions for privileged account management include:

- Privilege Manager for Unix helps organizations define a security policy that stipulates who has access to which root function, as well as when and where individuals can perform those functions. It also provides a full audit trail of those rights and the activities performed with those rights.
- ActiveRoles Server delivers flexible, granular access controls with role-based delegation to ensure that every AD administrative action taken is consistent with your organization's security standards. Business rules can be created to enable approvals or constraints on role-based controls.
- Authentication Services integrates with both ActiveRoles Server and Privilege Manager to enable organizations to leverage the built-in role-based authorization power of Active Directory for non-Windows systems. It also empowers organizations to centrally control delegation through Windows Group Policy extended to non-Windows systems.
- Quest Defender adds an additional layer of authentication security to administrative tasks requiring elevated privileges and restricted credentials.


Controlling Unix root access


On Windows systems, administrators have much greater control over the access that is granted to individual users. Quite simply, Windows systems offer a granularity of control that is lacking in Unix and Linux systems. On Windows systems, you can use Group Policy to set fine-grained controls over exactly what users are able to do and which resources they can access. With Quest One, you can now have the same level of control in Unix and Linux systems.

Quest Privilege Manager for Unix is based on the premise that you simply avoid sharing the root password. You should create a complex root password, write it down, and lock it in a physical safe. You then can manage that password as you would any other, changing it routinely and sharing it with administrators only when absolutely necessary. Instead, Privilege Manager for Unix offers the fine-grained, policy-based access control that Unix natively lacks. You define a top-level security policy that stipulates which users have access to which root functions, as well as when and where they can perform those functions, for example, only during normal business hours. Privilege Manager for Unix controls access to existing programs as well as any purpose-built utilities used for systems administration.

Privilege Manager for Unix also ensures that Unix root account usage is fully logged, right down to the keystroke level if desired, for security and auditing purposes. This helps organizations meet legal or industry compliance requirements.

Using the proper tools for managing information security is about managing risks and adhering to all the regulations your business is up against. It's up to you to ensure that both sides of the equation are being adequately addressed.



Privilege Manager for Unix enables you to delegate specific administrative privileges of the root account based on roles of your IT organization without revealing the root account credentials.

Augmenting existing tools with audit and policy-based control


With Quest One's privileged account management tools, you are building upon your existing investments to make them even more powerful. Take a look at how Quest One augments your existing infrastructure.

ActiveRoles Server

Because Quest ActiveRoles Server helps you manage, automatically provision, re-provision, and then de-provision users quickly, efficiently, and securely in Active Directory (and any non-Windows system that has joined AD), the task of assigning roles, including administrator roles, is made much easier. With ActiveRoles Server, you can automate all aspects of the account management process. This simplifies user and group provisioning, policy enforcement, segregation of duties, and delegation of administrative privileges.

ActiveRoles Server automates user and group provisioning life cycle tasks to reduce your administrative workload and increase user access control. ActiveRoles Server provides the ability to deprovision users and groups rather than just delete or disable accounts. ActiveRoles Server permits all provisioning policies to be tailored to an organization's specific needs.

Logging and activity analysis


As we mentioned previously, another problem with Unix or Linux root access is the difficulty of logging who has had access and what they did. Relying on out-of-the-box solutions is an exercise in futility at best. Privilege Manager for Unix tracks who has been accessing what systems, what commands they executed, what changes they attempted to make to key files and data, and whether they were successful. These built-in auditing capabilities provide you with the information that you need without loading you down with thousands of pages of useless information.
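As an added illustration of what such activity analysis looks like in practice, the script below (example code written for this edition, not the book's or Quest's, and reading sudo's own syslog records rather than Privilege Manager's audit trail) parses a handful of constructed sudo log lines, totals allowed and denied commands per user and host, and raises alerts for the behaviour the chapter warns about: interactive root shells, commands that touch the system logs, use outside business hours, and refused or failed attempts. Host names, users, and timestamps are constructed; the business-hours window is an assumed parameter.

```python
"""Per-user activity report and alerts built from sudo's syslog lines.

Added example, not code from the book or from Quest. SAMPLE_LOG holds
constructed lines in the format sudo writes to syslog; hosts, users and
times are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/rsync -a /var/lib/pgsql /backup
Mar  3 09:15:44 db01 sudo:     dave : TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Mar  3 09:16:02 web01 sudo: helpdesk : command not allowed ; TTY=pts/2 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:20:10 web01 sudo: helpdesk : TTY=pts/2 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/usr/bin/lprm -
Mar  3 23:41:37 app01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 23:42:05 app01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /var/log/auth.log
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"  # present only when sudo refused the request
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the caller an unrestricted root session.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/su", "/bin/su"}


def parse_line(line):
    """Return a dict of the record's fields, or None if the line is not a sudo record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, business_hours=(8, 18)):
    """Return (summary, alerts).

    summary[user] -> {"allowed": n, "denied": n}
    alerts        -> list of (host, user, description)
    business_hours is an assumed [start, end) window of local hours.
    """
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0})
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # not a sudo record (other syslog traffic)
        host, user, cmd = e["host"], e["user"], e["cmd"]
        argv = cmd.split()
        summary[user]["denied" if e["reason"] else "allowed"] += 1
        if argv[0] in SHELLS:
            alerts.append((host, user, "interactive root shell: " + cmd))
        if any(a.startswith("/var/log") for a in argv[1:]):
            alerts.append((host, user, "touches system logs: " + cmd))
        hour = int(e["ts"].split()[2][:2])
        if not business_hours[0] <= hour < business_hours[1]:
            alerts.append((host, user, "outside business hours (%02d:00)" % hour))
        if e["reason"]:
            alerts.append((host, user, e["reason"] + ": " + cmd))
    return summary, alerts


if __name__ == "__main__":
    summary, alerts = analyze(SAMPLE_LOG)
    for user, counts in sorted(summary.items()):
        print("%-10s allowed=%d denied=%d" % (user, counts["allowed"], counts["denied"]))
    for host, user, why in alerts:
        print("ALERT %s %s: %s" % (host, user, why))
```

The sample produces seven alerts: dave's and bob's root shells, bob's two late-night entries, the helpdesk account's refused read of /etc/shadow, and bob's failed attempt to open a file under /var/log after hours. A real deployment would feed the same parser from a central syslog collector, since logs left on the host can be edited by anyone who holds root there.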


Third-party policies
It is important to be able to leverage existing policies and tools if you want the most efficient and economical solution. For this reason, Privilege Manager for Unix enables you to import policies created by third-party solutions. You can also build new policies based on user, groups, commands, hosts, and day, and test the effect those policies will have on the systems. This ensures that the policies behave as intended.
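The case study earlier in this chapter and this section both describe policies built from users, groups, commands, hosts and time of day, with an approval step for sensitive access and a way to test what a policy change would do before rolling it out. The following is an added example written for this edition in a hypothetical policy model of its own; it is not Privilege Manager for Unix's policy language or any Quest API. It evaluates a request against an ordered rule list (first match wins, default deny) and reports which decisions a proposed policy change would alter. Rule names, groups, hosts and the sample requests are constructed.

```python
"""Hypothetical privilege policy: who may run what, where, when, with approval.

Added example, not the book's or Quest's code, and not Privilege Manager's
policy language. Rules, groups, hosts and requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class Rule:
    name: str
    users: set = field(default_factory=set)      # individual user names
    groups: set = field(default_factory=set)     # role/group names, e.g. from AD
    commands: tuple = ()                          # glob patterns on the program path
    hosts: tuple = ("*",)                         # glob patterns on host names
    days: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday .. 6 = Sunday
    hours: tuple = (0, 24)                        # [start, end) local hour
    requires_approval: bool = False               # sensitive access needs sign-off


@dataclass
class Request:
    user: str
    groups: set
    host: str
    command: str
    when: datetime
    approved: bool = False


def evaluate(rules, req):
    """Return (decision, rule_name); first matching rule wins, default deny."""
    program = req.command.split()[0]
    for r in rules:
        if req.user not in r.users and not (req.groups & r.groups):
            continue
        if not any(fnmatch(req.host, h) for h in r.hosts):
            continue
        if not any(fnmatch(program, c) for c in r.commands):
            continue
        if req.when.weekday() not in r.days or not (r.hours[0] <= req.when.hour < r.hours[1]):
            continue
        if r.requires_approval and not req.approved:
            return ("needs-approval", r.name)
        return ("allow", r.name)
    return ("deny", None)


def policy_diff(old_rules, new_rules, requests):
    """Requests whose decision changes if old_rules is replaced by new_rules."""
    changed = []
    for q in requests:
        before, after = evaluate(old_rules, q)[0], evaluate(new_rules, q)[0]
        if before != after:
            changed.append((q.user, q.host, q.command.split()[0], before, after))
    return changed


# Constructed policy: help desk clears print queues on web hosts in office hours,
# backup operators run backup tools anywhere, admins need approval on database hosts.
POLICY = [
    Rule("helpdesk-printing", groups={"helpdesk"}, commands=("/usr/bin/lprm", "/usr/sbin/lpc"),
         hosts=("web*",), days=set(range(5)), hours=(8, 18)),
    Rule("backups", groups={"backup-operators"}, commands=("/usr/bin/rsync", "/sbin/dump")),
    Rule("admins-db-approval", groups={"unix-admins"}, commands=("/*",), hosts=("db*",),
         requires_approval=True),
    Rule("admins", groups={"unix-admins"}, commands=("/*",)),
]

TUE_10 = datetime(2011, 3, 8, 10, 0)   # a Tuesday, office hours
SAT_23 = datetime(2011, 3, 12, 23, 0)  # a Saturday night

REQUESTS = [  # constructed requests
    Request("mary", {"helpdesk"}, "web01", "/usr/bin/lprm -", TUE_10),
    Request("mary", {"helpdesk"}, "db01", "/usr/bin/lprm -", TUE_10),
    Request("mary", {"helpdesk"}, "web01", "/usr/bin/lprm -", SAT_23),
    Request("mary", {"helpdesk"}, "web01", "/bin/bash", TUE_10),
    Request("bob", {"backup-operators"}, "db01", "/usr/bin/rsync -a /var/lib/pgsql /backup", SAT_23),
    Request("dave", {"unix-admins"}, "db01", "/bin/bash", TUE_10),
    Request("dave", {"unix-admins"}, "db01", "/bin/bash", TUE_10, approved=True),
    Request("dave", {"unix-admins"}, "app01", "/bin/bash", TUE_10),
]

if __name__ == "__main__":
    for q in REQUESTS:
        print(q.user, q.host, q.command.split()[0], q.when.strftime("%a %H:%M"), evaluate(POLICY, q))
    proposed = [r for r in POLICY if r.name != "admins-db-approval"]
    print("decisions changed by dropping the approval rule:", policy_diff(POLICY, proposed, REQUESTS))
```

Rule order is the one design point worth noting: the approval rule for database hosts sits before the general admin rule, so that an unapproved root shell on db01 is held for sign-off while the same request on app01 is allowed outright. The policy_diff call shows the effect of removing that rule before it is deployed, which is the "test the effect" step the section describes.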

Influencing everything with unified roles


Your organization has, no doubt, already defined various roles for users and groups of users. Quest Authentication Services enables you to extend the security and compliance of AD to Unix, Linux, and Mac platforms as well as to many enterprise applications. Authentication Services integrates with both ActiveRoles Server and Privilege Manager for Unix to enable you to leverage the built-in role-based authorization power of AD for non-Windows systems and AD management principles to manage and secure the use of delegated Unix root access. Authentication Services addresses the compliance need for cross-platform access control and the operational need for centralized authentication and single sign-on and enables the unification of identities and consolidation of directories for simplified identity and access management.

Recognizing the Benefits of the Quest One Approach


The Quest One approach to privileged account management offers several distinct benefits over traditional options, namely:

- The granular delegation of administrative access that operating systems natively lack. This means that administrators have only the permissions they need to do their jobs, nothing more, nothing less.
- A forensics-ready audit trail that ensures that administrators have the correct permissions and are using them in the correct manner.
- Centralized administration of privileged access through extending AD management principles to non-Windows systems.
- Augmentation of the widely deployed sudo solution with centralized policy and keystroke logging.
- A unified and intelligent approach to role management that ensures that the definitions used to determine who has what role, and what they can do with that role, are consistently applied enterprise-wide.


Chapter 2

Ten Benefits of Quest One for Identity and Access Management


In This Chapter
Getting to one password and one identity
Managing privileged accounts securely
Streamlining provisioning
Unifying roles with identity intelligence
Using multifactor authentication
Handling identity administration more efficiently
Knowing what users are doing

In this chapter, we look at ten benefits your organization will discover by following the Quest One Identity Solution approach to identity and access management, all of which can lead to more efficient IT management and reduced business risk.

Getting to One Password


Quest One starts to address the "managing strong passwords doesn't have to be complicated" issue with Quest Password Manager. Quest Password Manager enables end users to reset their own password and synchronizes that password across multiple platforms and applications.

Quest Password Manager supports a broad range of platforms and applications in addition to Microsoft Active Directory (AD) to create a unified approach to password management. Through Quest Authentication Services, organizations can actually reduce the number of passwords to manage and centralize self-service password resets on Unix, Linux, Mac, and Java systems through a single AD password. Quest Enterprise Single Sign-on provides a single point of user login/authentication to virtually any system and application that cannot be joined to AD. This includes standard username/password logins as well as the entire range of strong authentication options such as smart cards, biometrics, or one-time passwords (OTP). The result of the Quest One approach to password management is improved efficiency, increased security, and enhanced compliance.

Getting to One Identity


Quest Authentication Services enables a high number of non-Windows systems (specifically Unix, Linux, and Mac) to participate as full citizens in AD. As a result, those systems are no longer required to use individual user identities for authentication and can instead authenticate with the single identity that already exists in AD. For Java applications, the same benefit can be achieved through Quest Single Sign-on for Java. This approach to unifying identities in an already deployed directory results in dramatic gains in efficiency, as user accounts need only be provisioned and managed in one place for multiple systems. Security and compliance also increase, as stricter policy and more secure practices can be implemented in one innately secure directory instead of across multiple, disparate systems.

Managing Privileged Accounts Securely


Privileged accounts, that is, user accounts with a high level of authority, present a unique set of management challenges. These accounts are typically shared between several users, which can lead to mismanagement or, worse, abuse of privileges.

On Windows systems, administrators have much greater control over the access that is granted to individual users. Quite simply, Windows systems offer a granularity of control that is lacking in Unix and Linux systems. On Windows systems, you can use Quest ActiveRoles Server to implement strictly enforced role-based security or granular control over exactly what administrative users are able to do and which resources they can access. ActiveRoles Server helps you achieve and sustain regulatory compliance by implementing secure, automated, and auditable internal controls over granting and revoking access to network resources.

Quest also empowers you to have the same level of control in Unix and Linux systems. Quest Privilege Manager for Unix enhances security by protecting the full power of root access from potential misuse or abuse through fine-grained, policy-based control. Unix systems pose a special risk to the enterprise because of the virtually unlimited power that root access gives an administrator. You need a way to control this power while still enabling users to have the access they need. Privilege Manager helps you to define a security policy that stipulates who has access to which root function as well as when and where individuals can perform those functions. It controls access to existing programs as well as any purpose-built utilities used for common system administration tasks. With Privilege Manager, you don't need to worry about someone deleting critical files, modifying file permissions or databases, reformatting disks, or damaging Unix systems in more subtle ways.

By enabling administrators to define fine-grained security policies, delegating common management tasks, and logging all Unix root activities down to the keystroke level, Privilege Manager for Unix reduces security risks, increases IT productivity, and enables organizations to achieve and sustain compliance in a cost-effective manner.
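The policy model described above (who may run which root function, on which hosts, on which days, with every decision written to an audit trail), as an added illustration in Python. This is not Quest's code and says nothing about how Privilege Manager for Unix is implemented internally; the rule format, the `evaluate` and `dry_run` functions, and the users, hosts, and requests are all constructed for the demo. It also covers the "build new policies and test their effect" step from Chapter 1, and adds one check a practitioner would want in any glob-based command policy: a permitted command line is refused if it contains `..` or shell metacharacters, because either would let the line do something the rule never intended.

```python
"""Added example, not Quest's code: a small policy-based root delegation checker.

It models the idea described above: rules grant users or groups the right to run
particular commands as root on particular hosts on particular days, each request
is matched against those rules, and every decision lands in an audit trail.
Rules, users, hosts and requests below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime
import fnmatch

WEEKDAYS = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday"})
# Characters that would let a permitted command line spawn something else.
SHELL_METACHARS = set(";|&`$<>\n")


@dataclass(frozen=True)
class Rule:
    subjects: frozenset   # user names, or "%name" for a group
    commands: frozenset   # glob patterns over the full command line
    hosts: frozenset      # glob patterns over the host name
    days: frozenset       # lowercase weekday names; empty set means any day


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    host: str
    command: str
    when: datetime


AUDIT_LOG = []  # demo only; production would ship this to an append-only remote store


def make_request(user, groups, host, command, when_iso):
    """Build a Request from plain values (when_iso like '2011-03-07T09:30')."""
    return Request(user, frozenset(groups), host, command,
                   datetime.fromisoformat(when_iso))


def _subject_matches(rule, req):
    return req.user in rule.subjects or any(
        "%" + g in rule.subjects for g in req.groups)


def _any_glob(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _looks_like_escape(command):
    """Glob-based command rules are easy to slip past with '..' or a second
    command after ';'. Refuse such lines outright rather than trusting the glob."""
    return ".." in command or bool(SHELL_METACHARS & set(command))


def evaluate(policy, req):
    """Deny by default: return (allowed, rule_index) and record the decision."""
    if _looks_like_escape(req.command):
        _audit(req, False, None, "suspicious command line")
        return False, None
    weekday = req.when.strftime("%A").lower()
    for idx, rule in enumerate(policy):
        if (_subject_matches(rule, req)
                and _any_glob(rule.hosts, req.host)
                and _any_glob(rule.commands, req.command)
                and (not rule.days or weekday in rule.days)):
            _audit(req, True, idx, "matched rule")
            return True, idx
    _audit(req, False, None, "no matching rule")
    return False, None


def _audit(req, allowed, rule_idx, reason):
    AUDIT_LOG.append({
        "time": req.when.isoformat(timespec="minutes"),
        "user": req.user, "host": req.host, "command": req.command,
        "result": "ALLOW" if allowed else "DENY",
        "rule": rule_idx, "reason": reason,
    })


def dry_run(policy, requests):
    """Test a policy against sample requests without executing anything."""
    return [evaluate(policy, r)[0] for r in requests]


# Constructed demo policy: DBAs may restart PostgreSQL on db-* hosts any day;
# alice may read logs on any host, but only on weekdays.
POLICY = [
    Rule(frozenset({"%dba"}), frozenset({"/usr/sbin/service postgresql *"}),
         frozenset({"db-*"}), frozenset()),
    Rule(frozenset({"alice"}), frozenset({"/bin/cat /var/log/*"}),
         frozenset({"*"}), WEEKDAYS),
]


def sample_requests():
    """Constructed requests; 2011-03-07 is a Monday, 2011-03-06 a Sunday."""
    return [
        make_request("alice", ["staff"], "web-1", "/bin/cat /var/log/syslog", "2011-03-07T09:30"),
        make_request("alice", ["staff"], "web-1", "/bin/cat /var/log/syslog", "2011-03-06T09:30"),
        make_request("bob", ["dba"], "db-2", "/usr/sbin/service postgresql restart", "2011-03-06T02:00"),
        make_request("bob", ["dba"], "web-1", "/usr/sbin/service postgresql restart", "2011-03-07T02:00"),
        make_request("alice", ["staff"], "web-1", "/bin/cat /var/log/../../etc/shadow", "2011-03-07T09:30"),
        make_request("alice", ["staff"], "web-1", "/bin/cat /var/log/syslog; /bin/sh", "2011-03-07T09:30"),
    ]


if __name__ == "__main__":
    print(dry_run(POLICY, sample_requests()))
    for entry in AUDIT_LOG:
        print(entry)
```

Running the dry run against the six constructed requests yields allow, deny, allow, deny, deny, deny: the Sunday log read fails the day constraint, the restart on a web host fails the host constraint, and the last two are refused before any rule is consulted. The audit entries record the reason for each decision, which is what an auditor needs to see alongside the raw keystroke log.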

Achieving Single Sign-on


User logins and the associated problems with multiple logins across many diverse systems are a major source of inefficiency and insecurity for most organizations. Quest One helps address these challenges through a comprehensive suite of single sign-on (SSO) solutions that increase efficiency, enhance security, and help you to achieve compliance. Quest Authentication Services and Single Sign-on for Java enable a high number of systems and applications to authenticate with a user's AD password and AD credential, with access controlled through AD security policy. This true single sign-on approach covers Unix, Linux, Mac, Java, SAP, Siebel, DB2, any application that uses a pluggable authentication API such as GSSAPI, any application that is Kerberos-enabled, and applications that are LDAP-aware (Lightweight Directory Access Protocol). For systems that are not equipped to leverage AD authentication for true single sign-on, Quest offers an AD-based enterprise single sign-on solution. Quest Enterprise Single Sign-on empowers users to log on to any system or application with only a single password entered into AD. With Enterprise Single Sign-on, all subsequent, non-AD logons are performed automatically under the covers by the solution. Only Quest One offers the best of both worlds: true single sign-on and enterprise single sign-on for the ideal blended approach to perhaps the most prominent challenge in identity and access management.

Streamlining Provisioning
Quest One helps you control your identity management universe: it creates a single point of administration for identities across the enterprise, eliminates redundant effort, reduces errors, and saves time. For example, a single provisioning action in AD can take care of users on Unix, Linux, and Mac systems that have been unified with AD through Quest One solutions. Similarly, turning off that single user account in AD immediately terminates access across the same wide range of non-Windows systems. Quest One also offers solutions that are not centered around AD. Enterprise-wide provisioning capabilities are available through Quest One Identity Manager and implement a foundation for all provisioning actions without requiring heavy amounts of custom coding. The bottom line is that with fewer places to perform provisioning actions (as well as re-provisioning and de-provisioning), you can benefit from increased efficiency in your identity administration, a higher level of security as human error is reduced, and elevated compliance as de-provisioning is accelerated and more securely controlled.

Improving Role Management


Quest One helps you unify roles to arrive at a single, authoritative set that can affect the entire enterprise. This approach, infused with identity intelligence, means that roles and how they impact access can be implemented and controlled based on your business needs, not the capabilities (or lack of capabilities) built into your existing identity and access management solutions. With roles unified, the associated critical concepts of rules, policy, workflow, and approvals can also be unified. Similarly, the intelligence offered by the Quest One approach ensures that each of these controlling factors does the right thing for user access without custom coding. This approach also provides dynamic adjustment and the ability for those on the front lines (end users and line-of-business personnel) to drive identity management.

Using Multifactor Authentication


Quest One Defender leverages the ubiquity of AD and its scalability, security, and compliance to provide a multifactor authentication solution that takes advantage of the corporate directory already in place. Defender has been architected to integrate fully with AD. This integration leverages all the advantages of the centralized management of directory information through a common, user-familiar interface. User token assignment is simply an additional attribute in a user's properties within the directory, which makes the security administrator more efficient. Defender authentication can be used by your employees, business partners, and customers, whether they are local, remote, or mobile. Whether they require remote access through VPN to key applications, wireless access points, network operating systems, intranets, extranets, or Web servers, Defender's strong multifactor authentication ensures that only authorized users are permitted access. With integration with Quest Authentication Services, a single Defender token secures access not only for Windows systems but for Unix, Linux, and Mac as well. Defender offers self-registration: hardware tokens can be distributed to individuals without the need for identity association and tracking. Self-registration significantly lowers deployment and administration costs. Defender's ZeroIMPACT migration strategy allows organizations to undertake a gradual migration to Defender from an incumbent strong authentication solution. Defender supports a unique security proxy feature that enables you to deploy it alongside your existing one-time password (OTP) solution. Quest Defender authentication tokens are shipped to customers ready to use and have no preprogrammed expiration; they last as long as the battery lasts (typically five to seven years). Once again, you save time and money because less work is required and replacement tokens can be purchased less frequently.

Making Users Happy


Users hate waiting on the phone to talk to the help desk. Heck, many don't even like calling the help desk at all! Quest One can help by providing a variety of self-service capabilities. From password resets to updating personal information, and from requesting system access to approving requests from staff members, the Quest One approach to identity and access management is optimized to accelerate efficiency, relieve IT from unnecessary and tedious involvement, and get the work in the hands of those who understand the objectives of what they are trying to accomplish.

For example, self-service password reset helps improve productivity for users who are on a different schedule than your help desk or those calling during off hours. By having access to an automated, 24x7x365 password reset and account unlock interface, users can continue to be productive, rather than being locked out until the help desk opens up in the morning.

Handling Identity Administration More Efficiently


Quest ActiveRoles Server can help you automatically execute some of the most time-consuming identity administration tasks. It empowers you to provision, re-provision, and de-provision Active Directory users quickly, cost-efficiently, and securely. ActiveRoles Server helps you keep up with requests to create, change, or remove user access to various network resources so that you no longer need to rely on manual provisioning processes to maintain compliance. This is especially important with the advent of compliance regulations like the Sarbanes-Oxley Act and the intense scrutiny they place on access to business-sensitive applications. ActiveRoles Server provides practical user and access life cycle management. It automates user and group provisioning life cycle tasks to reduce your administrative workload and increase user access control, whether the user is a new hire, an intra-organization transfer, or a termination. The power of Quest One for identity administration doesn't stop at AD. Synchronization technology, identity intelligence, and consolidation of identities enable Quest One solutions to securely and efficiently perform administrative actions for the entire enterprise beyond AD. The addition of powerful, identity intelligence-driven administration capabilities available through Quest One can enable you to implement the foundation for all identity administration actions (including provisioning, role definition and management, and password management) enterprise-wide without the burden of lots of custom coding and difficult-to-manage connectors.

Knowing What Users are Doing


Understanding user and administrator activity is at the heart of a secure and well-managed infrastructure, but knowing what users do with the access they have to critical network resources has been a challenge for IT organizations. Quest's ChangeAuditor addresses these concerns in heterogeneous environments. ChangeAuditor enables you to securely collect your event data, keep more data online, report intelligently, and improve system security and performance. ChangeAuditor alerts you in real time to unusual user, administrator, and system activity. ChangeAuditor also offers alerts that can be sent directly to you by e-mail or to third-party monitoring applications. Quest Reporter provides automated discovery and comparison of configuration-related items to support planning, securing, and auditing. Reporter enables you to collect, compare, report on, and resolve Active Directory and Windows-based configurations. Armed with this information, you can quickly make strategic and tactical security decisions that involve your Active Directory and Windows environment. Reporter supports effective knowledge management and informed decision making, ensures proactive security and improved standards and policy compliance, and improves migration planning. The capabilities of ChangeAuditor and Reporter extend beyond AD to Unix, Linux, and Mac systems that have become full citizens in Active Directory through Quest Authentication Services.
