Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

Page created by Matthew Pham
 
WHITE PAPER

CENTRIFY CORP.
MARCH 2009

Securing and auditing administrative access to the Virtual Infrastructure leveraging
Active Directory

                         ABSTRACT

                         The VMware ESX Server system has become a popular solution for running
                         multiple virtual operating systems on a single physical server platform. To set
                         up and manage virtual systems on an ESX host machine, an administrator
                         needs to log in to one of the VMware administrative interfaces, which include
                         both traditional command-line and interactive GUI tools. Administrators require
                         superuser privileges for command-line access, while VMware provides a way to
                         define role-based privileges for administrators using the GUI tools. Many
                         organizations use both methods, which means they lack a single, centralized
                         view of all administrative access to their VMware environment and the activity
                         of administrators on those systems. In cases where VMware is used to host
                         business-critical systems, this could represent an increased security risk and
                         the likelihood of failed regulatory compliance audits. Productivity goes down
                         and support costs go up when there is no consolidated way to control system
                         access and privileges.

                         This white paper provides an overview of the features and benefits of using the
                         Centrify Suite to centralize and automate the management of ESX Server
                         systems in order to strengthen security and streamline IT operations and
                         management. It provides an overview of VMware administration and then
                         addresses Centrify’s approach to securing administrative access to these
                         systems, controlling the privileges of administrators, and auditing their activity.
CENTRIFY WHITE PAPER         SECURING VMWARE VIRTUAL INFRASTRUCTURE WITH CENTRIFY'S IDENTITY AND ACCESS MANAGEMENT SUITE

                             Information in this document, including URL and other Internet Web site references, is subject to change
                             without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
                             addresses, logos, people, places and events depicted herein are fictitious, and no association with any real
                             company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
                             should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
                             limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
                             retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
                             or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

                             Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
                             covering subject matter in this document. Except as expressly provided in any written license agreement from
                             Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
                             or other intellectual property.

                             © 2005-2009 Centrify Corporation. All rights reserved.

                             Centrify and DirectControl are registered trademarks and DirectAudit and DirectAuthorize are trademarks of
                             Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows,
                             Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in
                             the United States and/or other countries.

                             The names of actual companies and products mentioned herein may be the trademarks of their respective
                             owners.

                             WP-003-2009-03-12

© CENTRIFY CORPORATION 2005-2009. ALL RIGHTS RESERVED.                                                                                 PAGE II

Contents

                             1    Introduction
                                  1.1 Account Management Challenges in VMware
                                  1.2 Administrative Access to VMware Virtual Infrastructure Servers
                                  1.3 Centralizing Identity and Access Management with Centrify Suite

                             2    Controlling Administrator Access to the Virtual Infrastructure
                                  2.1 Centralized Account Administration via Active Directory
                                  2.2 Centralized Access Control Management within Active Directory
                                  2.3 Installing and Setting Up DirectControl on ESX Server
                                  2.4 Comparing Centrify for Active Directory Integration with VMware Native Active
                                      Directory Integration
                                  2.5 Addressing the Authentication Challenges with Centrify DirectControl

                             3    Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights
                                  3.1 Centrally Managing Sudo Using Group Policy
                                  3.2 Centralized Management of User Privileges with DirectAuthorize
                                  3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize

                             4    Auditing Interactive Administrative Access Using DirectAudit
                                  4.1 Integrating DirectAudit into the Virtual Infrastructure

                             5    Hardening the VMware Infrastructure with Centrify Suite
                                  5.1 Security Hardening of the Service Console and VIMA

                             6    Benefits of the Centrify Suite for Virtualized Environments

                             7    Summary

                             8    How to Contact Centrify


1    Introduction

                             Computer operating system virtualization has become a popular way for customers to
                             address their needs for server workload management. Virtualization allows a customer to
                             use a single host computer to run multiple operating systems, each in its own protected
                             virtual machine environment.

                             There are two major approaches to running operating system virtualization software. The
                             first allows a user with an existing operating system platform (such as Windows, Linux
                             or Mac) to install the virtualization software as a standard application that runs side by
                             side with other applications on that system. For example, a Windows desktop user could
                             run a virtualization product with a Linux virtual machine enabled and thereby give the
                             user the ability to access both Windows and Linux applications from a single Windows-
                             based computer. The second approach is to dedicate a single physical computer to host
                             only virtual machines and no other applications. This approach could be used, for
                             example, by an Internet Service Provider to allow a single large computer to run isolated
                             web sites for multiple customers.

                             VMware is one of the leading providers of virtualization software. They offer solutions
                             for both desktops and servers, and support a wide range of operating systems used as
                             hosts and as virtual machines. One of their popular products is VMware ESX Server,
                             which runs on Intel x86-based systems. ESX Server leverages the second approach
                             referred to above. It has a Linux kernel as the host operating system and is tuned to run
                             only other independently managed virtualized operating systems. This Linux kernel
                             provides for service console access to the ESX host for machine-level software and
                             hardware maintenance.

1.1 Account Management Challenges in VMware

                             To set up and manage each of the virtual systems on an ESX host machine, an
                             administrator needs to log in to one of the VMware administrative interfaces. Since the
                             ESX Server runs on a version of Linux, the standard method for logging in to the host
                             system via the Service Console is very similar to logging in to a Linux system: There is a
                             root user, and additional users and groups can be configured and stored on the local host
                             system using the same /etc/passwd and /etc/group method that standard Linux uses.
                             Administrators with the appropriate set of privileges, called “roles” in VMware
                             Infrastructure, can create or delete virtual machines, control various functions associated
                             with each machine, dynamically provision and manage the computing capacity available
                             to each machine, as well as monitor individual machine’s performance. Additionally, to
                             perform system-level operations, an administrator needs root-level privileges within the
                             Linux kernel operating environment in order to carry out several operational commands
                             via the Service Console. VMware provides other administrative interfaces, including the
                             Virtual Infrastructure Client, the Web Management User Interface, and the VMware
                             Infrastructure Management Agent; all these interfaces require the user to log in with a
                             credential that is recognized by the ESX host and authorized to perform the actions being
                             requested.
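The local account store described above can be inventoried before access is moved to a central directory. The following Python code is an added example, not part of the original white paper or of any Centrify or VMware tool; the passwd and shadow contents, the account names and the finding labels are all constructed for illustration.

```python
# Added example: inventory of local accounts on a Linux-based service console.
# All account data below is constructed; the hashes are placeholders, not real.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
svcagent:x:500:100:Constructed service account:/home/svcagent:/bin/false
jsmith:x:501:501:Constructed admin:/home/jsmith:/bin/bash
oldadmin:x:502:502:Constructed former admin:/home/oldadmin:/bin/bash
toor:x:0:0:Constructed second superuser:/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$notarealhash:14300:0:99999:7:::
bin:*:14000:0:99999:7:::
svcagent:!!:14000:0:99999:7:::
jsmith:$1$CONSTRUCTED$notarealhash:14310:0:99999:7:::
oldadmin:!$1$CONSTRUCTED$notarealhash:14100:0:99999:7:::
toor:$1$CONSTRUCTED$notarealhash:14320:0:99999:7:::
"""

# Shells that prevent an interactive session.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_colon_file(text, min_fields):
    """Split passwd/shadow style text into field lists, skipping bad lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def password_state(passwd_field, shadow_map, name):
    """Classify the password as 'set', 'empty' or 'locked'."""
    # "x" in passwd means the hash is kept in shadow; a missing shadow
    # entry is treated as locked because no password can match.
    field = shadow_map.get(name, "*") if passwd_field == "x" else passwd_field
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    return "set"


def audit_local_accounts(passwd_text, shadow_text):
    """Return {account: [issues]} for accounts that merit review."""
    shadow_map = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = {}
    for f in parse_colon_file(passwd_text, 7):
        name, pw_field, uid_text, shell = f[0], f[1], f[2], f[6]
        if not uid_text.isdigit():
            continue
        # An empty shell field falls back to /bin/sh, so it counts as interactive.
        interactive = shell not in NOLOGIN_SHELLS
        state = password_state(pw_field, shadow_map, name)
        issues = []
        if int(uid_text) == 0 and name != "root":
            issues.append("extra-uid0")            # second superuser account
        if interactive and state in ("set", "empty"):
            issues.append("local-password-login")  # bypasses the central directory
        if interactive and state == "locked":
            # A locked password does not remove the account itself, and other
            # login methods (for example SSH keys) may still work.
            issues.append("locked-but-present")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_local_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(account, ", ".join(issues))
```

On a real host the two strings would be replaced by the contents of /etc/passwd and /etc/shadow, read with root privileges.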

                             Although ESX by default uses a local store of users and passwords for authentication, it
                             is also possible to use other methods to validate user logins since its authentication
                             framework is PAM (Pluggable Authentication Modules). PAM can be configured to
                             support other authentication mechanisms and use a central directory service for
                             authentication and user information storage.

                             Centralized directory services offer numerous benefits to the administrator, including:

                             •    User accounts can be stored in a single, secure database available to many different
                                  systems as opposed to being stored and managed on each system.

                             •    Managing permissions and policies can be centralized, resulting in better security for
                                  each system.

                             •    Password management can be centralized and consistent user names applied.

                             •    Provisioning and de-provisioning user accounts can be done very quickly from a
                                  single administrative system.

                             Since most enterprise organizations use Active Directory, have existing processes, and
                             have trained staff for the administration of accounts and security policies, Centrify has
                             developed an identity and access management solution, the Centrify Suite, to integrate
                             non-Windows systems into Active Directory. Centrify Suite provides an agent which
                             enables ESX systems to leverage Active Directory for centralized directory services,
                             authentication, role-based privilege management, and policy controls.

                             Given the benefits of virtualized computing as well as the distributed and ubiquitous
                             nature of Active Directory as a centralized directory service, the question emerges: can
                             these technologies be combined to secure and simplify the administration for a virtual
                             machine environment with central control for user access? The simple answer is yes.

                             This paper focuses on the easiest method of accomplishing this task – using the Centrify
                             Suite.


1.2 Administrative Access to VMware Virtual Infrastructure Servers

                             There are many different ways for administrators to log in and manage the VMware
                             Virtual Infrastructure, which increases the value of a solution that centralizes identity
                             management and access controls for administrators.

                             Figure 1. VMware management interfaces

                             The interfaces provided by VMware include the following:

                             •    SSH to the Service Console. The most basic form of administrative access is the
                                  command line on the ESX server itself, which can be accessed via SSH.

                             •    VMware Infrastructure Management Assistant. An ESXi system does not
                                  provide a service console for normal access except when directed by a VMware
                                  Support Engineer. For this reason, VMware provides a specially configured virtual
                                  machine, called the VMware Infrastructure Management Assistant (VIMA), which
                                  hosts remote management functions. This host allows administrators or developers
                                  who have logged into the system to run commands and scripts to remotely perform
                                  many of the administrative tasks that would have normally been done directly on the
                                  service console of individual ESX hosts. VIMA is capable of managing multiple
                                  ESX or ESXi hosts.

                             •    VMware vCenter Server. vCenter Server can centrally manage hundreds of ESX
                                  hosts with thousands of virtual machine guests. This server can be accessed either by
                                  VMware’s Virtual Infrastructure Client or Virtual Infrastructure Web Access
                                  interface.

                             •    VMware Virtual Infrastructure Client. The Virtual Infrastructure Client provides
                                  administrators with a native Windows graphical administrative interface for managing
                                  multiple ESX or ESXi hosts either directly or via the VMware vCenter Server
                                  (previously known as VMware Virtual Center).

                             •    VMware Virtual Infrastructure Web Access. From any client system,
                                  administrators can use this web interface to access either the vCenter Server or a
                                  given ESX host directly.

                             All of these interfaces require the administrator to log in. The Virtual Infrastructure
                             Client and web interfaces grant the user rights to perform tasks based on the user’s role as
                             defined in either vCenter or locally on the ESX host; however, administrative access to
                             the command line requires that the user be granted root permissions to carry out typical
                             administrative tasks. To simplify the management of administrators’ access and their
                             associated rights, Centrify leverages Active Directory to control access and permissions
                             with the Centrify Suite.

1.3 Centralizing Identity and Access Management with Centrify Suite

                             The Centrify Suite is an integrated family of Active Directory-based auditing, access
                             control and identity management solutions that provide the security required to ensure
                             that only authorized admins can access and manage your Virtual Infrastructure, satisfying
                             auditors working on regulatory compliance initiatives. DirectControl secures UNIX,
                             Linux and Mac platforms using the same authentication and Group Policy services
                             deployed on Windows environments. DirectAuthorize centrally manages and enforces
                             role-based entitlements for fine-grained control of user access and privileges on UNIX
                             and Linux systems. DirectAudit audits user activity in near real-time, providing a
                             centralized and correlated view of all activity on UNIX/Linux systems based on users or
                             machines. These products are all built on a common architecture to help you centrally
                             secure your Virtual Infrastructure.

                             The Centrify Suite provides many of the controls for both access and privilege
                             management that are typically required by auditors. The solution enables you to:

                             •    Centrally manage access controls to ensure that the appropriate administrators have
                                  access only to the Virtual Infrastructure Servers needed to fulfill their job role.
                                  Centrify supports further segregation between administrative staff based on access
                                  controls managed within Active Directory.

                             •    Centrally control privileges of administrators when they access the service console.
                                  You can grant privileges where needed and lock down the root account, preventing
                                  login with this privileged account.

                             •    Provide administrators with single sign-on for access to the service console through
                                  an Active Directory-integrated terminal.

                             •    Enforce centrally defined security policies on ESX hosts, such as sudo permissions
                                  and SSH settings.

                             •    Audit administrative activity on the ESX hosts to ensure that security policies are
                                  being properly enforced.

                             •    Oversee administrative access and activity on all audited systems, enabling faster
                                  root cause analysis.

                             Once the ESX and VIMA servers are integrated into Active Directory, administrators can
                             use their existing Active Directory user ID and password to log in to any of the
                             management interfaces for the Virtual Infrastructure. This provides the security officer
                             and IT manager with the peace of mind that all access and privileges can be controlled
                             from a single place, Active Directory, enabling an account to be disabled centrally for all
                             systems if an administrator were to leave the organization.

                             Figure 2. Active Directory-integrated login with the Centrify Suite.

2    Controlling Administrator Access to the Virtual Infrastructure

                             Centrify DirectControl supports the most complex of environments and at the same time
                             can be deployed quickly without requiring costly or intrusive changes to existing
                             systems. It was uniquely designed to support multiple administrative and security
                             boundaries once a system has been integrated into Active Directory, as required to
                             support delegated administration. By using DirectControl, administrators no longer
                             need to manage accounts on each individual system, but instead can use Active Directory
                             for identity, access and policy management.

                             For administration, DirectControl provides a Microsoft Management Console (MMC)
                             application that allows administrators to manage UNIX-specific data for user, group and
                             computer objects in Active Directory as well as to perform tasks such as centralized
                             reporting and license management. These DirectControl attributes are also integrated into
                             the Active Directory Users and Computers (ADUC) MMC through property page
                             extensions. There is also a web-based console that provides cross-platform access to
                             essential administrative operations.

                             DirectControl integrates into the Linux OS of the ESX host through a daemon service
                             that controls login authentication and directory lookup services, vectoring those calls
                             back to the Active Directory system, thus effectively turning the host system into an
                             Active Directory client. Additionally, command-line utilities are included to join the
                             UNIX system to the Active Directory domain and perform various administrative and
                             diagnostic tasks such as managing users and groups. The Centrify Suite is also supported
                             on most of the popular UNIX, Linux and Mac platforms in use today in addition to
                             VMware’s ESX Server, which can be valuable in managing other Virtual Machine
                             guests.

                             Controlling administrator access involves both a) controlling which administrators can
                             manage the account management system (in this case, Active Directory) and b)
                             controlling which users or administrators are authorized to log in to specific ESX hosts.
                             The first issue to deal with is how to effectively manage administration in a centralized
                             directory while controlling which administrators – Active Directory admins or various
                             groups of UNIX admins – can perform these account management functions. The second
                             issue deals with actually enabling specific Active Directory users to log in to a given host
                             or set of host systems. Let’s first take a look at the centralized account administration
                             system that Active Directory provides and how it can be used to manage administrative
                             access to ESX hosts.

2.1 Centralized Account Administration via Active Directory

                             DirectControl enables ESX servers to join an Active Directory domain, thus becoming
                             a managed computer object within the directory. These computer objects can be pre-
                             created before the host is joined to the domain depending on the desired computer
                             management process within the organization. By default, once a computer has joined
                             Active Directory, any user with a valid Active Directory account can potentially log in to
                             that host, which is not what is desired for access controls to ESX or UNIX hosts. For this
                             reason, Centrify developed its unique Zone technology, which enables logically grouping
                             hosts along geographic, departmental or functional boundaries. The hosts within a Zone
                             share common UNIX/Linux identity attributes such as UNIX userid or group
                             memberships.


                             Figure 3. Delegated administration through Centrify Zones

                             Additionally, since users must be granted permissions to log in to hosts within a Zone,
                             account administrators must be granted permissions to manage UNIX user profiles within
                             these Zones in order to control which Active Directory user has permissions to log in to
                             an ESX host within a given Zone. Zones are created within Active Directory as a
                             container or organizational unit (OU) in order to support native Active Directory ACL-
                             based enforcement for administrative delegation. The result is an environment where
                             UNIX account administrators for a given Zone can be defined independently for each
                             Zone, thus segregating administrative duties on a Zone-by-Zone basis. Another benefit is
                             that the UNIX account administrator does not need to be granted Active Directory
                             administrator privileges since he only needs to manage these UNIX user profiles for an
                             Active Directory user and not the user object itself. This protects the segregation of duties
                             typically required in an Active Directory environment. This also means that a UNIX
                             profile admin for a given Zone can grant user access permissions to his Zone only and
                             will not require permissions that would enable him to define new user accounts within
                             Active Directory, a privilege that is typically highly protected. As shown in Figure 3
                             above, the VMware administrator has permissions to manage the access controls to the
                             ESX systems within the HR and VM Server Zones, but does not have rights to create or
                             manage Active Directory users.


                             Figure 4. Zone-based user access controls

                             Zones can be a powerful way to separate account administration duties both between
                             departments and between administrators serving different roles. As shown in Figure 4
                             above, a Zone can be defined for a department such as HR to manage all its own
                             servers, including both ESX servers and any Linux guest
                             VMs. However, the administrator for the VM Server Zone can only manage access to the
                             ESX hosts while different administrators have the appropriate rights to manage access to
                             the Dev and Finance Zones. Since a Zone is simply a logical collection of systems based
                             on either administrative or access control boundaries, it provides a very flexible
                             mechanism to control user access or, in the case of ESX servers, admin access to the
                             virtualized environment.

2.2 Centralized Access Control Management within Active Directory

                             Using DirectControl and Active Directory, account administrators can identify users
                             (ESX admins) who need to have access to the virtual machine management consoles on
                             ESX servers and then easily enable access for those users with their Active Directory-
                             managed credentials.

                             Setting up a new user and establishing their credentials and access rights for the ESX
                             server is straightforward with DirectControl. Active
                             Directory users who need access to the ESX server are simply added as members of a
                             Centrify Zone of ESX servers, each with his or her own profile of settings for login shell,
                             primary group and home directory. This is done from one of the DirectControl
                             management tools such as the MMC-based DirectControl Administrator Console. Once
                             users have been added to the ESX Server Zone, they simply log in to the ESX server
                             using their Active Directory username and password. If this is the first time that a user
                             has logged in, DirectControl automatically provisions their default shell and home
                             directory. Individual accounts no longer need to be created and managed on each ESX
                             server. Not only are ESX Service Console logins enabled with DirectControl, the Active
                             Directory identity is leveraged across other VMware management interface options,
                             including the Virtual Infrastructure Client (VI Client) and Virtual Infrastructure Web
                             Access (VI Web Access).

                             By centralizing user and computer access rights into Active Directory, administrators
                             now have much tighter control over who uses their ESX Server systems. With Centrify
                             DirectControl, numerous options exist for securing access, including:

                             •    Restricted user entry based on membership in an ESX Server Zone. The Zone thus
                                  defines the security boundary that controls access to systems contained in it.

                             •    Ability to centrally manage group memberships based on users’ roles.

                             •    Ability to leverage Active Directory account controls for password strength and
                                  aging, computer access hours and disabling as well as terminating accounts.

                             •    Ability to leverage Group Policy to further control system and application
                                  configuration such as SSHD and sudoers.

                             •    Ability to map root user accounts on ESX servers to an Active Directory user
                                  account leveraging an Active Directory-managed password, instead of managing
                                  root access on each individual server as shown in Figure 5 below.

                             Figure 5. Mapping ESX root account on two hosts within a Zone to an Active Directory
                             account

                             DirectControl provides the infrastructure on the ESX server to control which user can log
                             in to specific systems or Zones of systems. The rights a user has upon login can also be
                             centrally controlled through Centrify DirectAuthorize, which is described further in the
                             next section. But first let’s see how easy it is to install and set up DirectControl on ESX
                             servers.

2.3 Installing and Setting Up DirectControl on ESX Server

                             Complete instructions on installing and configuring DirectControl can be found in the
                             documentation that comes with DirectControl, but essentially the installation and
                             configuration process consists of three high-level tasks.

                             First, the DirectControl Administrator Console needs to be installed on a Windows
                             system that is joined to the domain you wish to use. This can be Windows XP, Vista, or
                             Windows Server 2000, 2003 or 2008. Active Directory administrator permission is
                             required in order to install DirectControl. Once the Administrator Console is installed on
                             Windows, you need to set up a Centrify Zone that can be used while joining the ESX
                             server to the domain. Zones are collections of systems, users and groups that share
                             similar access profiles, functions, or common attributes. The ESX server can join the
                             default Zone that gets set up when you install DirectControl, or you can set up a new
                             Zone.

                             Next, install the DirectControl Agent on the ESX server you wish to use and join it to the
                             Active Directory domain and the appropriate Zone using the adjoin command.

                             Once the ESX server has been joined to the Active Directory domain, use any one of the
                             DirectControl management tools to grant access to the ESX server for the appropriate
                             Active Directory users. The ESX root user ID can be mapped to an Active Directory user
                             account if you choose. Keep in mind that it is necessary to enable only the users who
                             actually need access to the ESX Service Console for the purpose of administering the
                             ESX server. DirectControl has the ability to allow access for users in the defined Zone as
                             opposed to granting access to all Active Directory users (which of course would not be
                             desirable).

                             That’s it. The whole installation process takes a matter of minutes. Once this has been
                             completed, the ESX server can be used in exactly the same way as before for all
                             functions, but now user and authentication credentials are stored in Active Directory
                             instead of local system files. It is important to note that authentication through Active
                             Directory and DirectControl is supported for all VMware Infrastructure administrative
                             modes, including:

                             •    Local Service Console logins

                             •    Remote Console sessions such as via the SSH protocol

                             •    Remote command line on a VIMA system

                             •    VI Client

                             •    VI Web Access

                             DirectControl becomes even more useful as the number of ESX servers increases, since
                             account control for all these platforms can be done from a single DirectControl console
                             tied into Active Directory. Centralizing account administration enables rapid deployment
                             and de-commissioning of users and administrators from your virtual infrastructure.

2.4 Comparing Centrify for Active Directory Integration with VMware Native Active
    Directory Integration

                             VMware published a technical note titled Enabling Active Directory Authentication with
                             ESX Server (http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf). This paper
                             discusses using the esxcfg-auth tool to set up Kerberos authentication through Active
                             Directory. The command syntax of this tool is as follows:

                             esxcfg-auth --enablead --addomain=<domain> --addc=<domain-controller>

                             This tool configures PAM and modifies the ESX server configuration to do login
                             authentication from the specified Active Directory domain controller. After executing the
                             preceding command, you then create a local account for each user who requires access to
                             the ESX server, making sure that the user ID is exactly the same as his Active Directory
                             user name.

                             This process would then need to be repeated for every ESX server in your environment.
                             While these steps do enable authentication from an Active Directory system for an ESX
                             Server, they do not leverage Active Directory for authorization, centralized directory
                             services or policy management. Specifically, the methods outlined in the VMware paper
                             have the following serious shortcomings (most of which are discussed in that paper):

                             •    This is not a truly integrated solution as it does not offer a single source for defining,
                                  managing and authenticating user accounts. While the esxcfg-auth tool allows
                                  you to use Active Directory to authenticate users, you cannot use Active Directory to
                                  define and manage user accounts for ESX. User accounts are still created and
                                  maintained on each ESX server.

                             •    The process to enable Active Directory authentication for every user who requires
                                  access to the ESX server is clumsy. For each individual user, you must also create a
                                  corresponding user account on the ESX host server. Authorized users can log in
                                  under two scenarios: (a) if they have a valid Active Directory password associated
                                  with the user name they provided and if they have a local account in /etc/passwd
                                  that also matches this user name, or (b) if they have a local user name and password
                                  on the system. This means that the administrator must manually synchronize the user
                                  account information between authorized Active Directory users and each ESX
                                  server, and carefully map intended user access to actual possibilities for user access.

                             •    If the network goes down or the Active Directory system is unavailable, users who
                                  use Active Directory for authentication will not be able to log in to the ESX server.
                                  Credentials are not cached, and there is no provision for the underlying Kerberos
                                  authentication session to fail over to a backup system.

                             •    Given the issues with the previous point, the paper recommends not using Active
                                  Directory authentication for the root account. This means that there are few controls
                                  over who has access to the superuser account on each ESX server and also means
                                  that the root user password needs to be set manually for every ESX server.

                             •    There is also more network traffic with each Kerberos transaction since this method
                                  does not support any type of caching.

                             •    The machine name for the Active Directory / Kerberos server is hard-coded in the
                                  system files for each ESX server. If the name of the closest domain controller
                                  changes, the administrator needs to manually update this information in each system
                                  file on each ESX server.

                             •    The ESX server is not joined to the domain, so Active Directory has no knowledge
                                  of the system or any control over the ESX server. This means that if the
                                  administrator wanted to temporarily restrict access to an ESX server or a whole set
                                  of ESX servers, he or she would have no way to accomplish this from Active
                                  Directory.

                             •    The paper does not provide guidance on how to set up FTP or SSH for accessing the
                                  ESX server. Typically, having access to these services is essential for system
                                  administrators. Also, there is no guidance on setting up this new authentication
                                  method for all management session types (Remote Console, VMware Management
                                  Interface, etc.).

                             •    The paper acknowledges that this method for authentication will fail if the user is a
                                  member of more than 15 Active Directory groups, which in a large enterprise is quite
                                  common.

                             •    There is no guidance on how to track access to the ESX server using this
                                  implementation.
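
                             The manual synchronization described in the list above (an Active Directory password
                             only works when a matching /etc/passwd entry exists, while a local password works
                             regardless) can be audited per host. The following Python is an added example, not
                             code from the VMware paper or from Centrify; the sample passwd and shadow contents,
                             the authorized-user list, the expected local accounts and the UID 500 cutoff are
                             constructed assumptions.

```python
"""Audit ESX Service Console accounts against the list of Active Directory
users who are meant to have access (added example, constructed data)."""

# Constructed sample files for one host; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
vpxuser:x:500:100:constructed service account:/home/vpxuser:/bin/bash
jsmith:x:501:501::/home/jsmith:/bin/bash
MLee:x:502:502::/home/MLee:/bin/bash
oldadmin:x:503:503::/home/oldadmin:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$aaaaaaaaaaaaaaaaaaaaaa:14300:0:99999:7:::
bin:*:14300:0:99999:7:::
vpxuser:$1$constructed$bbbbbbbbbbbbbbbbbbbbbb:14300:0:99999:7:::
jsmith:!!:14300:0:99999:7:::
MLee:!!:14300:0:99999:7:::
oldadmin:$1$constructed$cccccccccccccccccccccc:14300:0:99999:7:::
"""
# Hypothetical inputs: AD users meant to administer this host, and local
# accounts that are expected to keep a local password.
AUTHORIZED_AD_USERS = {"jsmith", "mlee", "kpatel"}
EXPECTED_LOCAL = {"root", "vpxuser"}


def parse_colon_file(text):
    """Split passwd/shadow style text into lists of fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def password_state(hash_field):
    """Classify a password field as 'empty', 'locked' or 'set'."""
    if hash_field == "":
        return "empty"    # no password required at all
    if hash_field[0] in "!*":
        return "locked"   # no local password can match
    return "set"          # scenario (b): a local password is accepted


def audit_host(passwd_text, shadow_text, authorized,
               expected_local=(), min_uid=500):
    """Compare one host's local accounts with the authorized AD user list.

    min_uid is an assumption: accounts below it are treated as system
    accounts unless their name is on the authorized list.
    """
    authorized = set(authorized)
    expected_local = set(expected_local)
    ad_by_lower = {name.lower(): name for name in authorized}
    shadow = {f[0]: password_state(f[1])
              for f in parse_colon_file(shadow_text) if len(f) > 1}
    report = {
        "ad_login_ready": [],         # scenario (a) works: exact name match
        "case_mismatch": [],          # (local, AD) names differing only by case
        "unauthorized_local": [],     # local account with no authorized AD user
        "local_password_usable": [],  # scenario (b) path that bypasses AD
        "missing_local_account": [],  # authorized in AD but cannot log in here
    }
    accounted_for = set()
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry
        name, pw_field, uid = fields[0], fields[1], int(fields[2])
        if name in expected_local:
            continue
        if uid < min_uid and name not in authorized:
            continue  # system account
        if name in authorized:
            report["ad_login_ready"].append(name)
            accounted_for.add(name)
        elif name.lower() in ad_by_lower:
            ad_name = ad_by_lower[name.lower()]
            report["case_mismatch"].append((name, ad_name))
            accounted_for.add(ad_name)
        else:
            report["unauthorized_local"].append(name)
        # The hash lives in shadow when the passwd field is "x".
        if pw_field == "x":
            state = shadow.get(name, "locked")
        else:
            state = password_state(pw_field)
        if state != "locked":
            report["local_password_usable"].append(name)
    report["missing_local_account"] = sorted(authorized - accounted_for)
    return report


if __name__ == "__main__":
    result = audit_host(SAMPLE_PASSWD, SAMPLE_SHADOW,
                        AUTHORIZED_AD_USERS, EXPECTED_LOCAL)
    for finding, accounts in result.items():
        print(f"{finding}: {accounts}")
```

                             An account listed under local_password_usable can still log in after its Active
                             Directory counterpart is disabled, which is the gap scenario (b) leaves open.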

                             Given all of these challenges, the proposed solution in the VMware paper will be
                             untenable for many organizations. VMware offers another product, VirtualCenter, which
                             provides centralized administration and management for ESX servers connected on a
                             network. It acts as a control node for configuring, provisioning and managing a
                             virtualized IT environment consisting of ESX servers. For a VI Client that is connected to
                             a VirtualCenter server, authentication and authorization are performed via an Active
                             Directory service. Authorized VirtualCenter users are selected from the Windows domain
                             list referenced in VirtualCenter or are local Windows users on the VirtualCenter host.
                             Similarly, VirtualCenter groups are derived from Active Directory in the connected
                             Windows domain. Both Active Directory-based users and groups are then granted
                             permissions (“roles”) within VirtualCenter. However, on the back end, VirtualCenter still
                             uses the standard Linux authentication mechanism. Whenever an ESX server host is
                             added to it, VirtualCenter creates a Linux user account (vpxuser) that has root
                             privileges. This account is used only to authenticate the connection between the host and
                             VirtualCenter.

                             Although VirtualCenter resolves the issue of separate password management and account
                             management in the esxcfg-auth tool, it has a number of shortcomings in its integration
                             with Active Directory:

                             •    VirtualCenter serves as a central point to manage multiple virtual machines and
                                  resources that are distributed over many ESX server hosts. Therefore, it is not cost-
                                  effective for small deployments.

                             •    This is still not a seamlessly integrated solution. You cannot use VirtualCenter to
                                  manually create and remove ESX users or groups, or to view and modify their
                                  properties such as passwords. You will have to use the Microsoft tools for user
                                  account and password management.

                             •    There are still occasions when you need to access an ESX server host via other
                                  mechanisms; for example, when VirtualCenter is unavailable or has lost its
                                  connection to the domain controller. In addition, there are still a few administrative
                                  tasks that must be performed directly on the ESX host and not through
                                  VirtualCenter.

                             Can Centrify DirectControl provide a better integration with Active Directory? Yes it
                             can, as described in the next section.

2.5 Addressing the Authentication Challenges with Centrify DirectControl

                             Centrify DirectControl is engineered not only to be easy to use but also to be a
                             completely integrated authentication, authorization, directory and policy solution. As a
                             result, the issues highlighted in the previous section are fully resolved with DirectControl.
                             Specifically:

                             •    Unlike the esxcfg-auth tool, DirectControl provides unified account and password
                                  management. There is no need to create a local user and map it to the Active
                                  Directory account for every user that you want to grant access to the ESX Server
                                  host.

                             •    The DirectControl integration with Active Directory is seamless from a user
                                  interface perspective. You cannot create or manage Active Directory users and
                                  groups via VirtualCenter, but Centrify extends the native ADUC MMC with UNIX
                                  properties for user, group and computer objects, which enables you to use the same
                                  tool to manage not only ESX users and groups but also the Active Directory account
                                  information associated with them. In addition, Centrify provides the DirectControl
                                  Administrator Console so you can view and modify all the attributes of Active
                                  Directory’s user, group and computer objects, including the DirectControl ones.

                             •    With the Centrify solution, authorization is handled from one central place using the
                                  DirectControl Administrator Console. The administrator has the ability to create an
                                  explicit access list of users for each ESX server. Through the use of Centrify Zones,
                                  ESX administrators can be members of their own Zone of ESX servers, further
                                  simplifying the access control for those systems. In addition, users can be further
                                  restricted based on policies such as authorized access times. Authorized users can
                                  also be placed in Active Directory groups that are visible from ESX as though they
                                  were local groups. This allows a high level of fine-grained access control for each
                                  ESX server. If changes need to be made, they can be done from a single point of
                                  administration, the DirectControl Administrator Console.

                             •    DirectControl fully supports the caching of login credentials. If a user has logged in
                                  to the ESX server at least once, then he or she can continue to log in to that system
                                  even if the network is down. Or, the administrator can configure users or groups for
                                  pre-validation so that they can access offline machines using their Active Directory
                                  credentials without having logged in previously. Also, when a user logs in for the
                                  first time, DirectControl automatically creates a home directory environment for the
                                  user if one does not already exist. DirectControl can also automatically find the
                                  closest available Active Directory domain controller, so that if one domain controller
                                  is taken offline, another can be automatically used without the need to reconfigure
                                  the ESX server.

                             •    Since login credentials are cached, network traffic is reduced. This is an important
                                  consideration where multiple virtual machines are sharing the same network
                                  interface with the host ESX server.

                             •    Login credentials can also be pre-cached for those administrators who must always
                                  be able to log in with their account regardless of the state of the network
                                  connectivity, such as at a remote location with a down WAN link where the ESX
                                  system requires administrative access for maintenance.

                             •    DirectControl includes a feature for root user mapping. This means the root account
                                  for every machine can be mapped to an Active Directory user, and password control
                                  is maintained in a central place. With support for offline caching, the root user can
                                  still log in to the ESX server even if the Active Directory system is unavailable.

                             •    As mentioned in a previous point, DirectControl manages the interactions with the
                                  Active Directory domain controller and automatically finds the closest controller for
                                  each controller request.

                             •    With DirectControl, the ESX server is joined to the Active Directory domain. As
                                  with other systems in the domain, the administrator has full control over access to the
                                  ESX server, including temporarily disabling logins – for example, during a
                                  maintenance period.

                             •    DirectControl automatically configures access to popular services such as FTP,
                                  Telnet and SSH to use secured authentication via Kerberos to Active Directory. For
                                  example, Centrify provides a compiled version of the latest OpenSSH distribution
                                  that is linked with the DirectControl Kerberos libraries to automatically support
                                  PAM and Kerberos for single sign-on access.

                             •    DirectControl ensures that a single authentication method is used across all
                                  supported VMware management session types, including the local Service Console,
                                  VMware Management Interface (VI Client and VI Web Access) as well as Remote
                                  Console sessions such as via the SSH protocol.

                             •    DirectControl does not impose any limits on group membership.

                             •    DirectControl’s integration with Active Directory has proven to work in complex
                                  environments – for example, in a topology with multiple forests that requires one- or
                                  two-way trusts.

                             In addition, Centrify DirectControl has other advantages beyond providing identity
                             management:

                             •    DirectControl fully supports Microsoft Group Policy and includes an extensive set of
                                  policies out-of-the-box for security and configuration management. You can use
                                  DirectControl’s built-in Group Policy engine to distribute computer and user policies
                                  to a set of ESX servers. Such policies can copy configuration files to target systems,
                                  manage various configuration parameters such as login settings, password prompts,
                                  password caching and Kerberos settings, as well as define sudo permissions. For
                                  added flexibility, you can even create your own custom policies specifically tailored
                                  for your virtualized IT infrastructure. Through the deployment of policies to your
                                  ESX servers, you ensure consistent machine configuration and further control the
                                  ESX session behavior. As a result you streamline your IT operations and reduce
                                  administrative costs.

                             •    In addition, since ESX administration can be performed through a remote connection
                                  via the SSH protocol, you can also use the Centrify SSH Group Policies to configure
                                  who can connect to the host using SSH, for example by allowing only users of a
                                  specific group or by preventing root login via SSH.

                             •    DirectControl is supported on most of the UNIX and Linux platforms available
                                  today, plus Mac OS X, so customers can have a consistent Active Directory
                                  integration solution across their non-Microsoft platforms.

                             •    This integration can also be extended to the Linux and UNIX virtual machines
                                  running inside ESX server. Each virtual machine, or group of machines, can be
                                  managed within a dedicated Zone. This is particularly useful when ESX server is
                                  used for outsourcing environments where identity groups from different
                                  organizations need to be managed individually and isolated from each other.

                             •    The DirectControl identity management solution extends beyond validating login
                                  sessions. DirectControl can also support applications that take advantage of LDAP,
                                  Kerberos, GSSAPI or SPNEGO APIs for directory services and authentication. This
                                  means customers could design custom applications for ESX (such as a customer bill-
                                  back system for virtual machine usage) based on validated identities stored in Active
                                  Directory.

3    Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights

                             VMware provides an authorization environment that relies on roles which are defined
                             within VMware vCenter Server. These roles are also defined within the ESX server to
                             manage users who access the server using the Virtual Infrastructure Client. The role that
                             a user or administrator is assigned determines what operations that user is allowed to
                             execute.

                             However, when administrators access the Service Console – either directly on the ESX
                             server or via the Virtual Infrastructure Management Assistant (VIMA) – their rights can
                             be assigned only by the underlying operating system. Managing rights is important in this
                             case because several ESX command-line utilities require privilege within the Linux
                             environment in order to operate properly. Many times administrators will either a) use the
                             root account to log in to the service console of the ESX server or to the VIMA, or b) use
                             their own account to log in and then switch to the root user with the su command in order
                             to execute these commands. Unfortunately, both methods of running commands with
                             privilege require the administrators to know the root account password, which is one of
                             the first things that security best practices would prohibit.

                             The challenge is to grant administrators the right to execute the privileged commands
                             required to perform their duties, but to do so without knowledge of the root account’s
                             password. The following sections discuss two ways to centrally manage privileges: by
                             leveraging a) Group Policy to centrally manage the Linux sudo command or b) Centrify’s
                             centralized privilege management solution called DirectAuthorize.

3.1 Centrally Managing Sudo Using Group Policy

                             The first method of centrally managing privileges involves using the Linux operating
                             system’s sudo command. After logging in with their own account, administrators can run
                             a privileged command by placing sudo in front of it.
                             Sudo looks up the current user’s Linux identity or local group in the sudoers
                             configuration file to see if the user has been granted rights to execute the command and,
                             if so, executes the command as if root had requested its execution. This command is
                             supported in most UNIX and Linux operating systems as well as ESX systems, making it
                             a common way to address the need to lock down privileged accounts such as root.

                             Figure 6. Example of a local sudo policy configuration file

                             One of the primary challenges to deploying sudo broadly throughout an enterprise is
                             managing and maintaining a consistent configuration file across a large population of
                             systems, such as ESX servers, VIMA systems and UNIX/Linux guest VMs. The example
                             in Figure 6 shows a typical ESX server’s default sudoers configuration file, which simply
                             grants the root account the ability to run any command as root. To deploy sudo to manage
                             privileges, IT security managers need to add, for each administrator or group of
                             administrators, an entry that grants them specific rights.

                             In the following example, the group esxadmin has been granted the rights to execute
                             three commands – esxtop, vdf and esxcfg-info – as the root account without being
                             challenged for their own password. With DirectControl, we can use Windows Group
                             Policy tools to centrally and securely distribute this sudoers file to ESX servers.

                             %esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info

                             Figure 7. Example ESX admin rights grant in the /etc/sudoers file

                             There are several advantages to leveraging Group Policy to centrally enforce policies on
                             UNIX and Linux systems, including ESX servers. First, we can use Active Directory
                             group management to control UNIX/Linux group membership; in this example,
                             individual Active Directory accounts can be added to or removed from the esxadmin group
                             in Active Directory without having to redistribute the sudoers file. The Group Policy Object
                             Editor, which is a familiar interface for Windows admins, can be used to control the
                             contents of the sudoers config file and to define distribution settings. A single, consistent
                             sudoers file can be pushed to every DirectControl-managed ESX server over an
                             authenticated and encrypted connection. Or, different policies can be defined for different
                             groups or Zones of ESX systems based on your needs.
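
A pre-distribution review of a sudoers file like the one in Figure 7, as an added example (not from this white paper or from Centrify). It reports every grant wider than an explicit list of absolute command paths run as root; the sample policy is constructed, the %helpdesk and jdoe entries are hypothetical, and the parser is a simplified one that does not expand aliases or follow include directives.

```python
import re

# Constructed sample: a default root entry, the Figure 7 grant, and two
# hypothetical over-broad entries of the kind a review should catch.
SAMPLE_SUDOERS = r"""
# sudoers candidate for distribution (constructed sample)
Defaults    requiretty
root      ALL=(ALL) ALL
%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, \
                              /usr/sbin/esxcfg-info
%helpdesk ALL=(root) ALL, !/bin/su
jdoe      ALL=(root) esxtop
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and comments."""
    for line in re.sub(r"\\[ \t]*\n[ \t]*", " ", text).splitlines():
        line = line.strip()
        if line.startswith(("#include", "@include")):
            yield line                       # directive, not a comment
        elif line.split("#", 1)[0].strip():
            yield line.split("#", 1)[0].strip()

def audit(text):
    """Return sorted (principal, finding) pairs for every grant that is wider
    than an explicit list of absolute command paths run as root."""
    found = set()
    for line in logical_lines(text):
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue                         # settings and alias definitions
        m = SPEC.match(line)
        if line.startswith(("#", "@")) or not m:
            found.add(("?", "not checked: " + line))
            continue
        who, runas = m["who"], (m["runas"] or "root").strip()
        if who == "root":
            continue                         # the stock root entry (Figure 6)
        if runas != "root":
            found.add((who, f"run-as ({runas}) is wider than root"))
        for cmd in re.split(r"(?<!\\),", m["cmds"]):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):   # tags such as NOPASSWD: prefix a command
                if tag[1] == "NOPASSWD":
                    found.add((who, "NOPASSWD: no re-authentication"))
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                found.add((who, "grants every command"))
            elif cmd.startswith("!"):
                found.add((who, "deny-list entry " + cmd))
            elif not cmd.startswith("/"):
                found.add((who, "not an absolute path: " + cmd))
    return sorted(found)

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_SUDOERS):
        print(f"{who:12} {finding}")
```

On the Figure 7 entry it reports the NOPASSWD tag and the (ALL) run-as list, which allows any target user rather than only root. Syntax validity is a separate check that visudo -c -f performs.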

                             Group Policy for UNIX/Linux can also be used to manage many common configuration
                             files in UNIX, including the sudoers file, crontab file, SSHD settings, IP tables, firewall
                             settings and screen lock settings. Group Policies are also available to set DirectControl
                             configuration options on the managed systems.

                             The following figure shows the interface in Group Policy Object Editor to enable setting
                             the sudo file for the ESX servers.

                             Figure 8. The sudo rights property page within the Group Policy Object Editor

                             While using Group Policy to manage sudo rights will work much better than any manual
                             method, it can still be difficult to define a policy file that grants narrowly restricted rights
                             to meet stringent security needs. Additionally, distributing static policy files is inadequate
                             as a security model due to the very dynamic nature of day-to-day IT challenges, which
                             may require privileges on a specific system to be disabled on short notice or to be
                             extended for a short amount of time in order to address an issue. To meet these
                             challenges and to simplify the adoption of a higher security model, Centrify set out to
                             deliver a product that would make it easier to define and enforce a more stringent security
                             policy: Centrify DirectAuthorize.

3.2 Centralized Management of User Privileges with DirectAuthorize

                             Centrify DirectAuthorize provides an alternative method of controlling user privileges by
                             leveraging Active Directory to centrally manage and enforce role-based entitlements.
                             DirectAuthorize provides fine-grained control over user access and privileges on UNIX
                             and Linux systems, including ESX. By controlling the methods by which users access
                             systems and what they can do once logged in, DirectAuthorize enables organizations to lock down
                             sensitive systems and eliminate uncontrolled use of root accounts and passwords.

                             DirectAuthorize simplifies privilege management by enabling administrators to define
                             privileged commands and then grant the right to use those commands to specific roles.
                             Using a Windows MMC console, administrators define each command along with the
                             available options. This eliminates the need for administrators to have detailed knowledge
                             of sudoers file syntax. The data is stored centrally in Active Directory and retrieved upon
                             login when needed by the dzdo policy enforcer, DirectAuthorize’s equivalent for sudo.

                             Figure 9. Privileged command definition in DirectAuthorize

                             This model for defining privileged commands has its advantages beyond the simplicity of
                             the policy definition. DirectAuthorize always reads the policy at user login from Active
                             Directory, ensuring that the most accurate policy is properly enforced. Obviously there
                             will be situations where the user may need to log in while disconnected from the network
                             or while offline, and in these situations the policy is retrieved from a local cache.

                             DirectAuthorize also simplifies the user’s experience by making it easier to execute an
                             explicit list of commands with the appropriate privileges for each. In many environments,
                             administrators log in to a system, switch to the root or other superuser account, and then
                             execute various commands as that privileged user. With DirectAuthorize, once they log
                             in using their own account, they can simply precede commands with dzdo, and those
                             commands are executed with the correct privileges.

                             To further control exactly which commands a user can run, DirectAuthorize provides a
                             Restricted Environment. A Restricted Environment restricts a user in a role to a specific
                             “whitelist” of commands. Users only need to learn the exact commands they need to
                             execute.

                             A Restricted Environment can be defined for ESX administrators or help desk personnel
                             so that they can easily log in to perform specific sets of tasks, such as vdf or esxtop, as
                             if they were root. They can simply log in using their own account and run these
                             commands without having to know the root password. The benefit is that IT can now
                             grant the appropriate permissions to enable lower-level administrators to perform their
                             duties without exposing the password of privileged accounts.

                             Figure 10. Restricted Environment definition in DirectAuthorize

3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize

                             DirectAuthorize is a core component of the Centrify Suite, which provides a single,
                             unified architecture for access control, authentication, authorization and auditing. In
                             working with customers to understand their IT security and compliance challenges, we
                             focused on delivering the following benefits:

                             Centralized, role-based management designed for compliance

                             •    Consolidates UNIX and Linux entitlement management in Microsoft Active
                                  Directory, streamlining administration and closing security gaps caused by lax
                                  deprovisioning and change management practices

                             •    Links entitlements to Active Directory accounts and groups, enhancing
                                  accountability and compliance reporting through a global view of users’ entitlements
                                  across the enterprise

                             •    Role-based entitlement model meets regulatory requirements for defining “least
                                  access” controls and administrative privileges delegated according to job duty,
                                  protecting enterprises against both accidental and malicious changes

                             •    Restricted Environment feature permits users to execute only specific “whitelisted”
                                  commands, resulting in unambiguous compliance reporting compared to other
                                  systems that require security managers to pile on “deny” specifications

                             •    Built-in reports for users and computers give auditors a complete view of
                                  authorizations

                             Simplified privilege management that goes beyond sudo and other existing products

                             •    Graphical user interface makes creating roles and rights far easier compared to
                                  scripting complex sudo policy files or learning other solutions’ proprietary scripting
                                  languages that cannot match the rich group-based modeling available in Active
                                  Directory

                             •    Centrally and securely apply and report on policies from Active Directory, as
                                  opposed to trying to manage config files on individual systems

                             •    Unique ability to control users’ access to secured systems via PAM-enabled
                                  applications and interfaces (SSH, FTP, etc.)

                             •    Unique Restricted Environment feature provides the option to restrict users to a
                                  “whitelist” of specific commands, compared to older, cumbersome and error-prone
                                  solutions that permit all actions except those that are put on a “deny” list

                             •    Simplifies users’ workflow, enabling them to execute commands with privilege
                                  without having to change accounts, remember additional passwords, or learn new
                                  commands

                             Single, cost-effective architecture for cross-platform authentication, access control
                             and authorization

                             •    Comprehensive privilege management provided as part of an integrated
                                  authentication, access control and authorization solution that is priced below what
                                  you would expect to pay for a single, older point product that addresses just one of
                                  these areas

                             •    Part of a comprehensive suite designed from the ground up to seamlessly integrate a
                                  wide array of UNIX and Linux systems with existing Active Directory infrastructure,
                                  tools and processes

                             Rapid, non-intrusive deployment and management

                             •    Leverages existing Active Directory domain controller infrastructure; no additional
                                  servers or network infrastructure needed

                             •    No Active Directory schema changes required

                             •    Does not require proprietary changes to UNIX kernel; no reboot required after
                                  installation

                             •    Streamlines IT management by leveraging existing Active Directory tools and
                                  processes

                             •    Management data is stored in Active Directory, a modern LDAP database that has a
                                  rich ecosystem of available administration, provisioning and reporting tools

                             Highly available and fault-tolerant

                             •    Leveraging Active Directory domain controller infrastructure ensures high
                                  availability and fault-tolerant network connection

                             •    Local caching ensures entitlements are enforced even in cases when the computer is
                                  disconnected

4    Auditing Interactive Administrative Access Using DirectAudit

                             ESX servers are typically one of the most crucial components in a virtualized
                             infrastructure, and hence should be protected from security intrusion in the IT
                             environment. Thus, all administrative access and activities on an ESX server should be
                             logged and tracked. Centrify DirectAudit complements DirectControl by providing
                             detailed and non-intrusive recording of UNIX and Linux user sessions, which gives
                             auditors and security officers ad-hoc search and reporting capabilities. By using
                             DirectAudit, the auditor now has an audit trail of which users accessed what systems,
                             what commands they executed, and what changes they made to key files and data. To
                             limit the amount of output, the auditor can further restrict the session auditing to a
                             specific user or a specific shell.

                             When deployed in an ESX environment, DirectAudit strengthens your regulatory
                             compliance reporting and helps you spot suspicious activity and detect deviations from
                             standard usage patterns. You can also perform in-depth troubleshooting by replaying the
                             recorded sessions to detect activities that may have contributed to system failures.
