These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.
Table of Contents

Introduction
Chapter 1: Privileged Account Management
  Seeing How Privileged Account Management Works
    Discovering why privileged accounts can be dangerous
    Knowing why privileged accounts are necessary
    Managing privileged accounts
  Looking at Traditional Solutions
    Do nothing
    Go open source
    Use a manual process
  Managing Privileged Accounts the Quest One Way
    Controlling Unix root access
    Augmenting existing tools with audit and policy-based control
      ActiveRoles Server
      Logging and activity analysis
      Third-party policies
    Influencing everything with unified roles
  Recognizing the Benefits of the Quest One Approach
Chapter 2: Ten Benefits of Quest One for Identity and Access Management
  Getting to One Password
  Getting to One Identity
  Managing Privileged Accounts Securely
  Achieving Single Sign-on
  Streamlining Provisioning
  Improving Role Management
  Using Multifactor Authentication
  Making Users Happy
  Handling Identity Administration More Efficiently
  Knowing What Users are Doing
Publisher's Acknowledgments

We're proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
  Project Editor: Linda Morris
  Editorial Manager: Rev Mengle
  Business Development Representative: Melody Layne
  Custom Publishing Project Specialist: Michael Sullivan

Composition Services
  Project Coordinator: Kristie Rees
  Layout and Graphics: Sean Decker
  Proofreader: Susan Moritz
  Special Help: Brian Underdahl

Publishing and Editorial for Technology Dummies
  Richard Swadley, Vice President and Executive Group Publisher
  Andy Cummings, Vice President and Publisher
  Mary Bednarek, Executive Director, Acquisitions
  Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies
  Diane Graves Steele, Vice President and Publisher, Consumer Dummies

Composition Services
  Debbie Stailey, Director of Composition Services

Business Development
  Lisa Coleman, Director, New Market and Brand Development
Introduction
Are you ready to tackle identity and access management for your enterprise? Would you like to improve efficiency, enhance security, and also tackle thorny compliance issues? If so, you've come to the right place. Privileged Account Management For Dummies, Quest Software Edition, shows you how to use the Quest One Identity Solution to manage administrative access. You'll see how the right identity and access management solution can save you money, improve your security, and result in happier users.
Paragraphs marked with the Warning icon call attention to common pitfalls that you may encounter.
Need more?
This book was excerpted from Identity & Access Management For Dummies, Quest Software Edition, produced on behalf of Quest. If you'd like a copy of the full book, which describes the Quest One Identity Solution in greater detail, please contact your Quest representative or contact Quest directly at www.quest.com/IAMbook registration or 1-800-306-9329.
Chapter 1: Privileged Account Management

Within any organization, certain individuals need privileged access to computer systems in order to perform administrative-level tasks. Providing this access carries risk to the enterprise because of the vast powers that come with privileged access. In this chapter, see how the Quest One Identity Solution can help you manage privileged accounts within your organization and reduce the associated risks to acceptable levels.
system logs and actually edit them to cover his tracks. When he was fired, everything was already set up to enable him to get his revenge on the company. It happened, and the company spent a lot of money and time restoring the lost data. In response, David decided that no one could use the root password except him. Any time someone needed to do something, David would go to the safe and pull out a binder in which he had written the root passwords of all the Unix servers. He would issue the password, and when the administrator had finished his work, David would log in, change the password, write it down in the binder, and lock it back in the safe. That prevented people from doing things they weren't supposed to, but it was also a management nightmare, and David spent more time managing root passwords than managing his team. So they implemented an open-source tool called Sudo (short for "superuser do") that allows David to define which root commands individual administrators can execute and which ones they can't. The problem with Sudo is that it has to be installed on each server individually, and its policy file (sudoers) is written and maintained separately for each server. It solves some of the problems but still doesn't give David the visibility he wants.
How does an effective privileged account management strategy help in this scenario? With Unix/Linux systems joined to Active Directory (AD), the company can use Group Policy to gain more control over the Sudo installation and can base what people may do on AD-defined roles. For systems with more sensitive data and more restrictive access needs, the company implements a delegation and audit tool that provides centralized policy and a full audit of every action performed as root. Users, situations, and time/day parameters can then be used to predefine what an individual administrator can and can't do, along with the approval process required to grant that access. The solution also audits the entire process, from the rights each administrator holds down to keystroke-level logging of what they do with those rights. Not every system needs such a robust solution, though. For the rest, the company augments its Sudo installation with plug-ins that add control over Sudo policy and the audit trail that open-source Sudo lacks. As a result, David can be confident that all administrators are doing their jobs (nothing more and nothing less) and can find out who did what, when, where, and how if someone violates policy.
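The sudoers mechanics behind this scenario (a per-server policy file, delegation of individual root commands, and an audit trail that has to answer who, what, when and where), as an added example that is not part of the original booklet or of any Quest product. The sudoers text, host names, user names and syslog lines are constructed for the illustration, and the parser handles only a subset of the real sudoers grammar (no Runas_Alias, netgroups or Defaults semantics); on a real host the file is edited with visudo, which refuses to save a syntactically broken policy.

```python
"""Constructed example: read a sudoers policy, answer "may this user run this
command on this host?", flag rules that hand out root by another name, and turn
sudo's syslog lines into who/what/when/where records. Added example, not from
the booklet or any Quest product; only a subset of sudoers grammar is handled."""
import re
from fnmatch import fnmatchcase

SUDOERS = """\
# Constructed policy; real files live in /etc/sudoers(.d) and are edited with visudo
User_Alias  DBA = alice, bob
Host_Alias  DBHOSTS = db1, db2
Cmnd_Alias  PGCTL = /usr/bin/systemctl restart postgresql, /usr/bin/systemctl status postgresql
Cmnd_Alias  PGLOGS = /usr/bin/tail /var/log/postgresql/*
# Least privilege: DBAs get two service actions and log access, on DB hosts only
DBA    DBHOSTS = (root) PGCTL, PGLOGS
# Weak rule: any command as root on any host, i.e. the root password by another name
carol  ALL = (ALL) ALL
"""
ALIAS_RE = re.compile(r"(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)")
RULE_RE = re.compile(r"([\w,]+)\s+(\w+)\s*=\s*(?:\((\w+)\)\s*)?(.*)")  # users host = (runas) cmds


def parse_sudoers(text):
    """Return (aliases, rules); each rule is (users, hosts, runas, commands)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):  # option lines are not modelled
            continue
        if m := ALIAS_RE.match(line):
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        if not (m := RULE_RE.match(line)):
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        users, host, runas, cmds = m.groups()
        rules.append((users.split(","), [host], runas or "root", [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def expand(aliases, names):
    """Recursively replace alias names with their members."""
    out = []
    for n in names:
        out.extend(expand(aliases, aliases[n]) if n in aliases else [n])
    return out


def command_matches(pattern, command):
    """sudoers semantics: a bare path permits any arguments; listed arguments
    must match one for one, with shell-style globs."""
    if pattern == "ALL":
        return True
    pat, cmd = pattern.split(), command.split()
    if not cmd or not fnmatchcase(cmd[0], pat[0]):
        return False
    return len(pat) == 1 or (len(pat) == len(cmd) and all(fnmatchcase(c, p) for p, c in zip(pat, cmd)))


def is_permitted(policy, user, host, command, runas="root"):
    """Would sudo let `user` on `host` run `command` as `runas` under this policy?"""
    aliases, rules = policy
    for users, hosts, rule_runas, cmds in rules:
        hosts = expand(aliases, hosts)
        if user not in expand(aliases, users) or (host not in hosts and "ALL" not in hosts):
            continue
        if rule_runas not in ("ALL", runas):
            continue
        if any(command_matches(c, command) for c in expand(aliases, cmds)):
            return True
    return False


def unrestricted_users(policy):
    """Users allowed any command on any host: here sudo adds audit, not control."""
    aliases, rules = policy
    return sorted({u for users, hosts, _, cmds in rules
                   if "ALL" in expand(aliases, hosts) and "ALL" in expand(aliases, cmds)
                   for u in expand(aliases, users)})


# Constructed syslog lines in sudo's default format; a refusal reason appears
# before the TTY field when the command was not allowed.
SUDO_LOG = """\
Jul  4 10:15:02 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jul  4 10:16:40 db1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul  4 10:20:11 web1 sudo:    carol : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -rf /var/log
"""
LOG_RE = re.compile(r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
                    r"(?:(?P<denied>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")


def parse_sudo_log(text):
    """Who, what, when, where and as whom; `denied` holds sudo's refusal reason."""
    events = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            ev = m.groupdict()
            ev["allowed"] = ev["denied"] is None
            events.append(ev)
    return events


if __name__ == "__main__":
    policy = parse_sudoers(SUDOERS)
    print("unrestricted root:", unrestricted_users(policy))
    for ev in parse_sudo_log(SUDO_LOG):
        flag = "OK    " if ev["allowed"] else "DENIED"
        print(f"{flag} {ev['when']} {ev['user']}@{ev['host']} as {ev['runas']}: {ev['command']}")
```

The policy check shows why argument matching matters: the DBA alias may tail files under /var/log/postgresql but not /etc/shadow, while carol's `(ALL) ALL` rule is logged but never restricted. Because each host has its own copy of this file, answering the same question for fifty servers means fifty files and fifty logs, which is the visibility gap the text describes.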
Do nothing
Probably the most common approach to privileged account management is simply to do nothing. This "bury your head in the sand" approach likely stems from an incomplete understanding of the problem: root is all-powerful because that is how Unix and Linux were designed, and the fact that this presents a serious security problem is dismissed as "the way it's always been done." Short-sighted approaches to managing IT and security, including the assumption that nothing will go wrong or that problems will go away on their own, are a recipe for disaster.
Go open source
In most other cases, organizations have implemented open-source tools (such as Sudo) to address the lack of granularity in Unix and Linux root access. One problem with this approach is that you need considerable technical skill and deep understanding to apply these tools successfully. You also have to search out and evaluate open-source tools you can trust, and Sudo must be installed and managed individually on each and every affected server. "Free" software is rarely free of cost to operate.
ActiveRoles Server
Quest ActiveRoles Server helps you provision, re-provision, and de-provision users quickly, efficiently, and securely in Active Directory (and in any non-Windows system that has joined AD), which makes the task of assigning roles, including administrator roles, much easier. With ActiveRoles Server, you can automate all aspects of the account management process, which simplifies user and group provisioning, policy enforcement, segregation of duties, and delegation of administrative privileges. Automating user and group life-cycle tasks reduces your administrative workload and tightens control over user access. ActiveRoles Server can de-provision users and groups in a controlled, auditable way rather than merely deleting or disabling accounts, and all provisioning policies can be tailored to an organization's specific needs.
Third-party policies
It is important to be able to leverage existing policies and tools if you want the most efficient and economical solution. For this reason, Privilege Manager for Unix lets you import policies created by third-party solutions. You can also build new policies based on users, groups, commands, hosts, and time of day, and test the effect those policies will have before they are enforced, which ensures that they behave as intended.
Chapter 2: Ten Benefits of Quest One for Identity and Access Management

In this chapter, we look at ten benefits your organization will discover by following the Quest One Identity Solution approach to identity and access management, all of which can lead to more efficient IT management and reduced business risk.
challenges. These accounts are typically shared among several users, which can lead to mismanagement or, worse, abuse of privileges. On Windows systems, administrators have much finer control over the access granted to individual users; Windows offers a granularity of control that stock Unix and Linux lack. On Windows, you can use Quest ActiveRoles Server to implement strictly enforced role-based security, with granular control over exactly what administrative users can do and which resources they can access. ActiveRoles Server helps you achieve and sustain regulatory compliance by implementing secure, automated, and auditable internal controls over granting and revoking access to network resources.

Quest gives you the same level of control on Unix and Linux. Quest Privilege Manager for Unix protects the full power of root from misuse or abuse through fine-grained, policy-based control. Unix systems pose a special risk to the enterprise because root has virtually unlimited power; you need a way to constrain that power while still giving administrators the access they need. Privilege Manager lets you define a security policy that states who may perform which root functions, and when and where they may perform them. It controls access to existing programs as well as to purpose-built utilities used for common system administration tasks, which reduces the risk of someone deleting critical files, changing file permissions or databases, reformatting disks, or damaging Unix systems in subtler ways.

By letting administrators define fine-grained security policies, delegate common management tasks, and log all Unix root activity down to the keystroke level, Privilege Manager for Unix reduces security risk, increases IT productivity, and helps organizations achieve and sustain compliance cost-effectively.
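The "who, which root function, when and where" policy model described here and under "Third-party policies" above, together with the idea of testing a policy's effect before it is enforced, as an added example that is not part of the original booklet and is not Privilege Manager's own policy language. The group membership, rules, host names and requests are all constructed; the dry-run and diff harness shows what a proposed rule change would do to a set of representative requests before anyone gets root.

```python
"""Constructed example: a root-delegation policy keyed on who, where, what and
when, with a dry-run harness to test a policy change before it ships. Added
example, not Privilege Manager's policy language; all data is constructed."""
from dataclasses import dataclass, replace
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed directory groups; a deployment would resolve these from AD/LDAP
GROUPS = {"dba": {"alice", "bob"}, "oncall": {"bob"}, "webops": {"erin"}}


@dataclass(frozen=True)
class Rule:
    name: str
    who: tuple                              # user names, or "%group"
    where: tuple                            # host name globs
    what: tuple                             # full command-line globs
    days: frozenset = frozenset(range(7))   # weekdays allowed, Monday=0
    hours: tuple = (0, 24)                  # [start, end) hour of day
    effect: str = "allow"                   # "allow", "deny" or "approval"


@dataclass(frozen=True)
class Request:
    user: str
    host: str
    command: str
    at: datetime


def _who_matches(who, user):
    return any(user in GROUPS.get(w[1:], set()) if w.startswith("%") else w == user
               for w in who)


def decide(rules, req):
    """Return (effect, rule name). Rules are ordered and the first full match
    wins, so explicit deny rules belong at the top. No match means deny."""
    for r in rules:
        if (_who_matches(r.who, req.user)
                and any(fnmatchcase(req.host, h) for h in r.where)
                and any(fnmatchcase(req.command, c) for c in r.what)
                and req.at.weekday() in r.days
                and r.hours[0] <= req.at.hour < r.hours[1]):
            return r.effect, r.name
    return "deny", "default"


def dry_run(rules, requests):
    """Evaluate a policy against representative requests without enforcing it."""
    return [(req, *decide(rules, req)) for req in requests]


def policy_diff(old_rules, new_rules, requests):
    """Requests whose outcome changes when new_rules replaces old_rules."""
    return [(req, decide(old_rules, req), decide(new_rules, req))
            for req in requests if decide(old_rules, req)[0] != decide(new_rules, req)[0]]


NO_ROOT_SHELLS = Rule("no-root-shells", ("%dba", "%webops"), ("*",),
                      ("/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"), effect="deny")
DBA_HOURS = Rule("dba-business-hours", ("%dba",), ("db*",),
                 ("/usr/bin/systemctl restart postgresql", "/usr/bin/systemctl status postgresql"),
                 days=frozenset(range(5)), hours=(8, 18))
ONCALL = Rule("oncall-needs-approval", ("%oncall",), ("db*",),
              ("/usr/bin/systemctl * postgresql",), effect="approval")

POLICY_V1 = [NO_ROOT_SHELLS, DBA_HOURS, ONCALL]
# Proposed change: let on-call staff act without approval. Test it before deploying.
POLICY_V2 = [NO_ROOT_SHELLS, DBA_HOURS, replace(ONCALL, effect="allow")]

# Constructed requests (2024-07-02 is a Tuesday, 2024-07-06 a Saturday)
REQUESTS = [
    Request("alice", "db1", "/usr/bin/systemctl restart postgresql", datetime(2024, 7, 2, 10)),
    Request("alice", "db1", "/usr/bin/systemctl restart postgresql", datetime(2024, 7, 6, 10)),
    Request("bob", "db2", "/usr/bin/systemctl restart postgresql", datetime(2024, 7, 6, 2)),
    Request("bob", "db2", "/bin/bash", datetime(2024, 7, 2, 10)),
    Request("alice", "web1", "/usr/bin/systemctl restart postgresql", datetime(2024, 7, 2, 10)),
]

if __name__ == "__main__":
    for req, effect, rule in dry_run(POLICY_V1, REQUESTS):
        print(f"{req.at:%a %H:%M} {req.user}@{req.host} {req.command}: {effect} ({rule})")
    for req, before, after in policy_diff(POLICY_V1, POLICY_V2, REQUESTS):
        print(f"CHANGE {req.at:%a %H:%M} {req.user}@{req.host}: {before[0]} -> {after[0]}")
```

Running the diff before deploying POLICY_V2 surfaces the one request whose outcome changes (the Saturday 02:00 restart that used to need approval), which is exactly the kind of side effect a policy author wants to see on paper rather than in the audit log afterwards.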
Streamlining Provisioning
Quest One gives you a single point of administration for identities across the enterprise, which eliminates redundant effort, reduces errors, and saves time. For example, a single provisioning action in AD can take care of a user on the Unix, Linux, and Mac systems that have been unified with AD through Quest One solutions. Similarly, disabling that one AD account terminates access across the same range of non-Windows systems (for new logons, that is; sessions already open on a host, and credentials cached on it, persist until they are closed or expire, so de-provisioning should be followed by a check for surviving access). Quest One also offers solutions that are not centered on AD: enterprise-wide provisioning is available through Quest One Identity Manager, which provides a foundation for all provisioning actions without heavy custom coding. The bottom line is that with fewer places to perform provisioning (as well as re-provisioning and de-provisioning), you gain efficiency in identity administration, better security because human error is reduced, and stronger compliance because de-provisioning is faster and more tightly controlled.
For example, self-service password reset helps improve productivity for users who are on a different schedule than your help desk or those calling during off hours. By having access to an automated, 24x7x365 password reset and account unlock interface, users can continue to be productive, rather than being locked out until the help desk opens up in the morning.