TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT

Windows Host Access Management with CA Access Control



Copyright © 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Table of Contents

Executive Summary

SECTION 1: Windows Servers in Today’s Security Management Environment 2

SECTION 2: Fine-grained Access Control 2

SECTION 3: Advanced Policy Management and Reporting 5

SECTION 4: Operating System Hardening 8

SECTION 5: Secure Auditing 9

SECTION 6: Cross-platform Protection 11

SECTION 7: CA Access Control Architecture 11

SECTION 8: CA Access Control — Part of a Bigger Identity and Access Management Solution 12

SECTION 9: Conclusions 13


Executive Summary

Challenge

Microsoft Windows is the most widely adopted server operating system on the market today. Driven by security concerns and regulatory compliance, organizations are under increasing pressure to protect the sensitive data and applications residing on their Windows servers. Using native tools like Active Directory and Group Policies, which effectively combine security and IT management within a single framework, presents security concerns regarding separation of duties, as well as manageability and auditing. Additionally, many administrators share accounts that are not managed by a central policy, which creates separation-of-duties and audit-reporting issues. This lack of a central policy also impacts the ability of administrators to manage diverse environments including Windows, Linux and UNIX servers.

Opportunity

A separate, independent security system is required to protect mission-critical server resources. This solution must operate at the system level to avoid interference with IT administration groups and provide a trusted and reliable security administration system. As most organizations have deployed a variety of operating systems, this solution must enable efficient management and enforcement of these security policies across all systems — including Windows, but also UNIX, Linux and virtualized environments.

Benefits

CA Access Control provides additional protection for server resources, which complements the native Windows operating system (OS) model and enables a strong defense-in-depth security practice while reducing the complexity and cost of managing access and reaching compliance. As a complete access management solution for mission-critical servers, CA Access Control achieves these goals through:

• Fine-grained access control and segregation of duties to prevent internal access abuses

• Advanced policy management to enable efficient centralized management of security policies across the enterprise

• Policy-based compliance reporting of user entitlements and policy compliance

• Operating system hardening to reduce external security risks and ensure operating environment reliability

• Granular, high-integrity auditing for compliance fulfillment


SECTION 1: Windows Servers in Today’s Security Management Environment

Servers are essential components of IT infrastructures, as they support critical applications and sensitive corporate, customer and partner data. These servers must be continuously protected from a variety of threats, both external and internal. To date, many organizations have taken steps to protect their servers from external threats by deploying firewalls, anti-virus or anti-spyware solutions. However, a commonly overlooked threat is the threat from within an organization. This vulnerability presents itself in the form of over-privileged administrators and weak levels of accountability. Providing adequate internal controls to protect these host systems is critical to risk mitigation as well as meeting regulatory compliance.

This is often a complicated issue considering the number of different kinds of administrators that are involved in keeping servers up and running on a daily basis. Technically, many of these workers have access to more resources than they require to perform their job function. This also results from shared local administrator accounts typically used for emergency situations.

Unfortunately, native Windows operating systems lack the ability to appropriately segregate administrative duties or trace audit records back to the original user. This issue is further complicated when a variety of servers are involved, such as UNIX, Linux or virtualized operating systems, and consistent security policies must be managed across the extended enterprise. Enterprise-wide host access management solutions are important investments to protect critical data, fulfill compliance needs and enable cost-effective administration.

SECTION 2: Fine-grained Access Control

In an Active Directory forest system, the domain administrator is the equivalent of a superuser. While their primary role is as owner of IT infrastructure setup and management, they also have unlimited power to create, modify, copy or disable any security resources and services within the forest, sub-domains and systems. Unfortunately, this account may not be well protected by default, and login information is often informally shared amongst employees in various administrative roles. This creates a security management nightmare when it comes to separation of duties and maintaining full accountability.

CA Access Control is an independent security enforcement solution which does not rely on the Windows OS or Group Policy. Operation at the system level enables monitoring and regulation of any access to system resources, including those originating from domain or local system administrators. CA Access Control provides fine-grained access enforcement capabilities to regulate, delegate and contain domain administrators or any other account within the forest, domain and servers. These access rights are granted by defined roles and enforced separately from native Windows access controls.


Role-based Access Control

A major Windows security risk is the potential for an unauthorized person to gain control of a user account in the local or domain administrators groups. Should this happen, the unauthorized user can cause enormous damage by changing critical registry keys, stopping auditing services, modifying audit logs or tampering with other critical services. CA Access Control reduces Windows vulnerability risks by limiting the rights granted to administrator accounts and groups to the minimum permissions needed for each to perform their job function.


Dynamic Control

Group Policy is based on the definition of an access permission hierarchy. Permission changes are propagated to subsequent files and folders based on an inheritance mechanism. This static permission system updates all file permissions at the time the command is issued, meaning propagation of changes can take a long time, especially in a large server environment. It is also difficult to predict the impact of a permission change, making it very hard to control.

CA Access Control employs a dynamic permission system that determines access permissions at request execution time. Protection can be defined on generic resources using wildcards (*). This provides real-time protection while simplifying policy deployment and allowing more flexible rules to be implemented.

Granular Delegation

Through the Windows superuser account, any permission can be delegated to any user, regardless of whether it is an IT or security function. CA Access Control regulates privileges that can be delegated to non-administrative users. In this manner, necessary access can be delegated to perform IT or application administration tasks while CA Access Control scopes security privileges for security-related staff.

FIGURE A (Segregation of Duties): CA Access Control enforces appropriate access to resources and granular audit of sensitive activity.


CA Access Control also controls surrogate user delegation capabilities to reduce the exposure that Windows provides through programs like Run-As. For example, an administrator could use Run-As to surrogate to another person’s profile to change a file’s access control list (ACL) attributes without any accountability for their actions. CA Access Control protects on multiple levels by first limiting those who use Run-As and subsequently tracking back to the true identity of those who do.

Shared Resource Access

On critical Windows servers, files and resources are often defined as shared resources to provide open access to users. This makes auditing each access to these shared resources a daunting task. CA Access Control provides full shared access monitoring and control on mission-critical servers. Preservation of full user access trails makes it easy to build accurate history reports for forensic or compliance requirements.

Generic Resource Protection

Group Policy is a static enforcement algorithm that sets all file permissions on each specific physical file. This presents a challenge for controlling resources that do not currently exist, but may come in the future. CA Access Control allows the creation of security policies governing storage of specific types of files, such as .mp3, .jpg, .mpg, or files similar to the existing files that have not yet been created.

CA Access Control also provides name pattern protection for files regardless of whether they currently exist or not. Wildcards can be incorporated in resource naming patterns to create an ACL for a type of resource on a system. For example, a policy can disable read, write and execute access to all .bat script files for users that are not in the SysAdmin or SecAdmin groups.

Suspend on Inactivity

Security violations can occur from unauthorized access through accounts whose owners are away or no longer employed by the organization. CA Access Control can protect systems by proactively identifying accounts that have been inactive for a specified number of days and preventing those accounts from being used to log in.

Authorization APIs

CA Access Control provides APIs that can be used by user applications to check authorization permissions. It is also possible to use the authorization APIs to protect user-defined entities such as database records or fields, reports or screens. Programmers can place CA Access Control API function calls directly in programs to check authorization before performing tasks.

Services Control

CA Access Control can enforce policies to limit the ability of administrators to perform Windows services operations such as starting, stopping or modifying service properties. This capability allows the enforcement of separation of duties at the application level and protects these services from unauthorized system administrators.


Warning Mode

Windows lacks the ability for organizations to examine the behavior of certain resource access restrictions without actually enforcing the restriction. CA Access Control Warning Mode is commonly used by organizations to determine if proposed security policies are too strict or too lenient so they can be modified accordingly. If a restriction is suspected to have an adverse effect on the execution of a system application, CA Access Control allows administrators to specify the restrictions and substitute a warning message for their enforcement.

Validation Mode

CA Access Control provides the ability to instantly validate the effects of a security policy without enforcing the restriction. After selecting a user and resource, the validation check command determines whether or not the user has permission to access the resource given the current security policy. CA Access Control also includes a password validation function, which instantly determines if a proposed password complies with the specified policy. These features allow effective policy validation without impacting production systems.

Network Protection

The openness of a TCP/IP network is one of its most appealing features. But in terms of security, this is a major deficiency. CA Access Control provides the functionality of a host-based firewall without requiring a dedicated device for that purpose. CA Access Control can require that specific clients send specific TCP/IP services to specific hosts, while only certain hosts can send specific TCP/IP services to the local host.

By limiting outgoing connections within the network based on the user’s identity, CA Access Control minimizes the risk of allowing external access through a firewall. Legitimate Internet visitors can also be confined to a specific set of services and systems within the network. For example, an organization might choose to allow external contractors to access specific servers via VPN, but restrict them from propagating to additional servers on the network.

SECTION 3: Advanced Policy Management and Reporting*

CA Access Control’s enterprise-class scalability results from a distributed model of distributing policies to all managed servers. This Advanced Policy Distribution Architecture uses a central Deployment Map Server (DMS) and Distribution Hosts (DH) to distribute policy deployments to endpoints, and to send back deployment information from the endpoints to the DMS. This infrastructure is decoupled from the logical assignment of the policies and is easy to set up, extend and configure for high availability, failover and disaster recovery.

CA Access Control supports running the DH in a clustered environment (server farms), which increases the number of endpoint nodes that can be supported. The policy architecture relies on the following server components:

DEPLOYMENT MAP SERVER Sits at the core of advanced policy management. The purpose of the DMS is to store policy management data. You manage a single database (the DMS), which then sends events to distribution hosts.

*Some features listed are only available in CA Access Control Premium Edition


DISTRIBUTION HOST Is responsible for distributing policy deployments, made on the DMS, to endpoints, and for receiving deployment status from endpoints to send to the DMS.

Modeled after the time-tested method of distributing anti-virus definitions, CA Access Control endpoint agents check regularly for new deployments on the DH, and download and apply these as necessary. Execution results are then sent back to the DH, which sends them to the DMS for centralized auditing. Also, a heartbeat lets the DMS (through a DH) know that the endpoint agent is operational and the host is running.


Centralized Administration

Managing security across Windows servers typically involves using the same tools that IT administrators use. This proximity of functions for system and security administrators often presents security control and authorization delegation complications and ambiguity.

CA Access Control’s centralized Web-based interface is simple and intuitive, lets you perform advanced policy management, and also provides a worldview that lets you view and manage your entire CA Access Control environment of servers. The Web-based interface also allows you to manage individual endpoints or Policy Models.

CA Access Control can also manage native Windows resources including shares, files, disks, COM ports, registry keys and values, domains, users, groups, printers, processes, services, devices, user sessions, Windows password policy and Windows audit policy settings.

Additionally, the user interface is consistent across all CA IAM offerings (CA SiteMinder, CA Identity Manager and CA Access Control), utilizing the common CA framework for look and feel and for administrative scoping and task delegation, further reducing the time to value for administrators already familiar with CA’s management tools.

FIGURE B (CA Access Control Policy Management Architecture): The architecture distributes policies to all managed services via a distributed advanced policy management architecture.

Logical Host Grouping

CA Access Control allows you to group endpoints into logical host groups and then assign policies based on this host group membership, regardless of how your endpoints are organized in the Policy Model hierarchy. Hosts can be members of a number of logical host groups depending on their properties and policy demands. For example, if you have hosts running Windows Server 2008 and Oracle, these can be members of a Windows Server logical host group to get the baseline Windows access control policy, and also members of the Oracle logical host group to get the Oracle access control policy.

Logical host groups decouple policy assignment from policy distribution. This simplifies policy management, as it does not require you to change your hierarchy to fit policy assignment requirements, and lets you manage smaller, more specific policies and more focused host groups.

Policy Deviation Reports

It is naïve to think that monolithic policies can be deployed across a large server environment without allowing exceptions. These exceptions might be imposed due to legitimate business or legacy requirements, but they must be managed properly and with accountability. CA Access Control provides a reporting feature to let you measure the compliance of your entire environment to specified policies and allows you to compare the policies that should be active on a particular machine to the policies actually deployed. This ability to quickly identify policy gaps supports your efforts to continuously meet compliance standards.

Policy and Entitlements Reports

CA Access Control simplifies security assessment tasks through reports about compliance exposures associated with operating systems, databases and applications. This report data is stored in a standard RDBMS and can also be leveraged by other data analysis tools. CA Access Control host reports present system-centric information such as configuration, security and policy status.

Policy-based reports are based on the effective policy being enforced and provide proactive views of who has access to what resources across your distributed and virtual server environment. These reports allow you to generate reports required by your auditors, such as User and Group Entitlement Reports, Policy Compliance Reports and Orphan Account Reports, among others. These proactive reports complement existing event-based auditing by allowing you to monitor compliance requirements and highlight existing discrepancies before incidents occur.

CA Access Control comes with over 30 sample reports for common compliance needs such as user and group entitlements, inactive accounts, password aging, policy compliance, etc.

Event-based reports are also supported through integration with the CA Audit product.


SECTION 4: Operating System Hardening

A critical layer of the defense-in-depth strategy is protecting the OS against unauthorized external access or penetration. CA Access Control offers several external security measures including stack overflow protection, firewall network control and Trojan horse defense. This additional layer of security allows organizations to buffer the time requirements on OS patch deployment when new attacks are discovered. Reducing the number of emergency patch operations reduces server downtime and saves production costs.

Stack Overflow Protection

Stack Overflow Protection is a CA Access Control technology that prevents hackers from exploiting an application’s specific memory space to inject malicious code into the system. CA Access Control carefully monitors and protects applications, such as mail servers, by guarding memory space and program tracking information, so that even in the event of a memory overflow, the malicious code cannot be activated by the system. In this manner, hackers have no way to target application memory stack vulnerabilities.

CA Access Control records all malicious actions in both the standard audit log and the in-memory overflow log, with detailed code descriptions for further investigation. This is relevant to all Windows servers, especially those in perimeter network zones.

Trusted Program Execution

To prevent the operating environment from being tainted by malware, particularly Trojan horses, CA Access Control provides first-line trusted program protection. Through CA Access Control, sensitive resources can be marked as trusted. These files and programs are monitored, and CA Access Control will block execution should the program be modified by malware. The CA Access Control administrator can choose from various algorithms to apply to each trusted resource, ensuring that executed programs have not been inappropriately replaced or modified.

In addition to periodic checking of trusted resources, checks are made at run time when the program or file is opened. Changes to trusted resources can be limited to specific users or user groups to further reduce the likelihood of unexpected change.

Context Control

Exploits can gain privileges through Windows services, which frequently run under the “SYSTEM” account. This account is very powerful on Windows, and changing a service’s security context to a user other than SYSTEM can lead to service failure.

CA Access Control has the ability to protect applications like Exchange Server, SQL Server or IIS by limiting these applications’ behavior in accessing resources. The goal is to protect sensitive resources from SYSTEM account access without changing the original security context of services.

Registry Protection

The Windows registry is a clear target for hackers and malicious users, as the centralized database containing operating system parameters including those that control device drivers, configuration details and hardware, environment and security settings.


CA Access Control provides registry protection through the support of generic rules inside the registry. These rules can block administrators from changing or tampering with the registry settings. CA Access Control registry protection can also ensure system processes have access only to specific keys within the registry. CA Access Control can also define separate access rights to specific registry values.

Application Jailing

Windows servers are a prime target as a springboard for extended network attacks, especially when popular Windows server applications are involved. The application jailing feature allows accepted actions to be defined for high-risk applications. Any behavior that exceeds these bounds will be restricted by CA Access Control.

CA Access Control includes a Special Program (SPECIALPGM) class to classify certain mission-critical programs. SPECIALPGM protects specified programs by associating a logical user name with the Windows user name required to run the program, authorizing only the logical user to run the program. This mitigates the security risk associated with functional IDs. For example, an ACL can be built based on a logical ID which owns Oracle processes and services, so that its jailed behavior prohibits it from any actions besides starting Oracle DBMS services.

Program Pathing

Program pathing is the ability to require that a specific resource be accessed by a user only through a specific program. Combining these application specifications with user, file and calendar parameters allows flexible and granular access policies to be built. For example, the accounting team can only access the file “employee_data” using specific payroll applications.

SECTION 5: Secure Auditing

Windows logging capabilities are shared by all system tools and applications on the system. This creates a large auditing pool for all types of data, without a clear, security-specific auditing and reporting distinction. Meanwhile, security requirements and compliance mandates require that un-tampered security audit logs not be shared with other application logs or viewed by non-security administration personnel.

CA Access Control provides independent audit logs that cannot be modified by unauthorized users, including domain or system administrators. Delivered to CA Audit or CA Security Command Center, CA Access Control security events can be collected, filtered and consolidated for reporting and analysis. In addition, combinations of security events which represent a significant threat can be correlated in real time and made to trigger security alerts.

Multi-level Granularity

Windows auditing capabilities are global in nature and do not allow for specific auditing thresholds to be set on individual resources. CA Access Control provides granular auditing capabilities on any defined resource. Different auditing thresholds can be set for any user, group or resource depending on the criticality of the resource.


CA Access Control has three auditing settings: “Success” generates an event any time an audited resource is successfully accessed, “Failure” tracks any time access is denied, and “Warning” generates an audit record any time an access policy is violated, although CA Access Control does not deny access. Organizations can define the auditing mode or combination of modes that should be enforced for each user, group or resource. For example, the auditing for the security administrators group and the general audit level for Files may be set to Failure, but specifically for the system configuration files, auditing events will be generated for both Success and Failure.
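The three ideas the brief describes in this section and in Generic Resource Protection and Warning Mode (wildcard resource rules evaluated at request time, a warning mode that logs violations without denying, and Success/Failure/Warning audit settings that can be overridden per resource) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not CA Access Control code or its policy language, and the group names, paths and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional

# Constructed sample groups used in the walk-through below.
SYSADMIN, SECADMIN, DEVELOPERS = "SysAdmin", "SecAdmin", "Developers"


@dataclass(frozen=True)
class Rule:
    """Grants `access` on resources matching `pattern` to members of `groups`.
    The pattern is matched when the request arrives, so it also covers files
    that do not exist yet. `audit` overrides the policy-wide audit setting for
    resources covered by this rule (a subset of {"success", "failure", "warning"})."""
    pattern: str
    groups: FrozenSet[str]
    access: FrozenSet[str]
    audit: Optional[FrozenSet[str]] = None


@dataclass
class Policy:
    rules: List[Rule]
    default_access: FrozenSet[str] = frozenset({"read"})   # resources no rule covers
    warning_mode: bool = False                               # log violations, never deny
    audit: FrozenSet[str] = frozenset({"failure"})           # policy-wide audit setting
    audit_log: List[Dict[str, str]] = field(default_factory=list)

    def check(self, user: str, groups: FrozenSet[str], resource: str, access: str) -> bool:
        """Decide one access request at request time and write audit records."""
        matches = [r for r in self.rules if fnmatchcase(resource, r.pattern)]
        if matches:
            # A covered resource is closed by default: only explicitly granted
            # accesses are permitted, and only to members of the listed groups.
            permitted = set()
            for rule in matches:
                if groups & rule.groups:
                    permitted |= rule.access
            # The most specific (longest) pattern with its own audit setting wins.
            overrides = [r.audit for r in sorted(matches, key=lambda r: -len(r.pattern)) if r.audit]
            audit = overrides[0] if overrides else self.audit
        else:
            permitted, audit = set(self.default_access), self.audit

        if access in permitted:
            self._record(user, resource, access, "SUCCESS", audit)
            return True
        if self.warning_mode:
            # The violation is recorded as a warning but the request is still permitted.
            self._record(user, resource, access, "WARNING", audit)
            return True
        self._record(user, resource, access, "FAILURE", audit)
        return False

    def _record(self, user: str, resource: str, access: str, result: str,
                audit: FrozenSet[str]) -> None:
        # Only the audit modes enabled for this resource produce a record.
        if result.lower() in audit:
            self.audit_log.append({"user": user, "resource": resource,
                                   "access": access, "result": result})


def sample_policy(warning_mode: bool = False,
                  audit: FrozenSet[str] = frozenset({"failure"})) -> Policy:
    """Constructed policy: .bat scripts only for SysAdmin/SecAdmin; system
    configuration files only for SecAdmin, audited for both Success and Failure."""
    return Policy(
        rules=[
            Rule("*.bat", frozenset({SYSADMIN, SECADMIN}),
                 frozenset({"read", "write", "execute"})),
            Rule(r"C:\Windows\System32\config\*", frozenset({SECADMIN}),
                 frozenset({"read", "write"}),
                 audit=frozenset({"success", "failure"})),
        ],
        warning_mode=warning_mode,
        audit=audit,
    )


if __name__ == "__main__":
    p = sample_policy()
    print(p.check("alice", frozenset({DEVELOPERS}), r"C:\scripts\deploy.bat", "execute"))
    print(p.check("carol", frozenset({SECADMIN}), r"C:\Windows\System32\config\SAM", "write"))
    for entry in p.audit_log:
        print(entry)
```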

Granular Audit

CA Access Control provides an independent audit log solely for security events pertaining to users or resources. These audits detail the exact denial or permit stage encountered while accessing a resource and trace back to a definitive user. Audit settings can be adjusted to fine-tune the volume and granularity of audit events to the appropriate level for an organization’s needs.

Reporting and CA Audit Integration

Windows audit logs track access on a single-machine basis, making audit log consolidation or trending a time-consuming task. CA Access Control is fully integrated with CA Audit. Events in Access Control are sent to CA Audit for further handling, enabling aggregation of log files and creation of policy-specific reports, which facilitates the audit process, provides detailed investigations and validates key compliance metrics. Features of CA Audit include:

CROSS-PLATFORM DATA COLLECTION CA Audit collects event data from an extensive variety of sources, including operating systems, business applications, network devices, security devices, mainframes, access control systems and web services.

REAL-TIME TOOLS FOR COLLECTION, VIEWING AND REPORTING CA Audit provides customizable viewers and reports available to users that are relevant to their role.

ALERT MANAGEMENT CA Audit logs, filters and monitors critical events and executes alerts and other actions based on established policies.

CENTRAL SECURITY DATA REPOSITORY CA Audit stores audit data in a central repository, built around a scalable relational database for easy access, and provides reporting for historical and post-event analysis.


SECTION 6: Cross-platform Protection

Many organizations deploy a heterogeneous server infrastructure including both Windows and UNIX systems. CA Access Control enables consistent, integrated management and enforcement of access security policies across both of these environments. The Policy Manager provides a single interface through which policies can be administered, and the advanced policy management architecture ensures these policies are distributed and enforced on all Windows and UNIX servers. Consolidated management of UNIX and Windows decreases the amount of administrative work required and improves system administrator efficiency, saving significant management cost.


SECTION 7: CA Access Control Architecture

Effective security software needs to be implemented as an integral part of a computer’s operating environment. CA Access Control intercepts system requests for access to various system resources before they arrive at the operating system, verifies if the requests are allowed by the defined security policy and enforces the appropriate behavior.

All CA Access Control components benefit from a strong self-protection mechanism. This means that it is virtually impossible for users to intentionally or unintentionally bring down, change or erase CA Access Control files, services or data. Should a CA Access Control service fail, regardless of the reason, the CA Access Control in-memory monitoring service immediately restarts it. This ensures that CA Access Control provides all-time services and ensures security is never compromised due to unavailability of critical services.

FIGURE C (Compliance Requires Consistent Access Security): CA Access Control elevates the collective level of access security across platforms and enables consistent administration.

The essential components of CA Access Control include:

DATABASE The Database maintains all the users and groups in the organization, the system resources that need protection and the rules governing user and group access to system resources. The highly optimized Database interacts with the Engine to provide real-time authorization information. CA Access Control continuously protects database information and services against unauthorized access or sabotage.

ENGINE The Engine receives access requests to determine whether or not they are permissible. Upon receiving a request, the Engine consults the Database, accesses the relevant access policies and decides whether or not access should be allowed.

POLICY MODEL The Policy Model administers the PMDB. It is responsible for managing the list of subscriber databases and propagating all updates from the PMDB to its subscribers.

ENTERPRISE MANAGEMENT SERVER* The enterprise management service includes a central Web management server for managing the policies and logical host groups as well as the policy-based reporting. It runs on standard J2EE application servers and utilizes a relational database. While the enterprise management server enables enterprise-scale management of thousands of hosts, CA Access Control endpoints remain self-sufficient, do not rely on the central management server for enforcing access, and can also be managed directly through a lightweight Web UI or command line.

SECTION 8: CA Access Control — Part of a Bigger Identity and Access Management Solution

CA Access Control can be installed independently and provide full server access protection without dependencies on other CA or third-party products. However, all products in the CA Identity & Access Management solution share common approaches and components for Web user interface, administration concepts, delegation of responsibilities and reporting to ensure a consistent administrative experience.

Given that operating system access protection may be a single component of a defense-in-depth strategy, CA Access Control provides integration with CA security products including:

• CA Identity Manager As a provisioning target for CA Identity Manager, the CA Access Control user base can be managed from and automatically kept in sync with CA Identity Manager.

• CA Security Command Center CA Access Control security events can be collected by or automatically routed to any remote server defined by CA Security Command Center.

• CA ACF2™ Security and CA Top Secret® Security CA Access Control can leverage the mainframe user store provided by CA ACF2 Security or CA Top Secret Security as a trusted repository, or user passwords can be synchronized with those mainframe user stores. This assists organizations seeking to manage access to critical mainframe resources, privileges and utilities in the same way that CA Access Control provides protection for Windows and UNIX.

*Some features listed are only available in CA Access Control Premium Edition


SECTION 9: Conclusions

During the course of regular operations, administrators of all roles operate in close proximity to sensitive data, processes or applications running on a Windows infrastructure. In the standard structure of a Windows and Active Directory deployment, these IT and security administrative functions are tightly coupled with one another. While this may not necessarily affect IT system administration, it can severely impact the integrity of security policy enforcement. Effective separation of these duties requires an independent, fine-grained access enforcement and auditing solution.

CA Access Control provides the necessary system-level access control, cross-platform policy management, operating system hardening and secure auditing capabilities for organizations to effectively protect their mission-critical server infrastructure and maintain regulatory compliance.

To learn more about the CA Access Control architecture and technical approach, visit ca.com/security/ac.


CA (NSD: CA), one of the world’s leading independent enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

MP307660608

Learn more about how CA can help you transform your business at ca.com