Introduction to Verify Privilege Server Suite
Verify Privilege Server Suite is an IT management solution that provides three main services:
- Access control, provided through the Authentication Service.
- Privilege management, provided through the Privilege Elevation Service.
- Auditing, provided through the Audit & Monitoring Service.
These services can be used together or independently, depending on the requirements of your organization.
Managing Windows Computers Using IBM Security software
Verify Privilege Server Suite is a security platform that includes multiple components for managing Windows computers. The components fall into two broad categories of features:
- Access-related components for managing access, including administrative privileges.
- Audit-related components for managing and analyzing audited activity.
Access-Related Features
Access-related features are provided by the Authentication Service and the Privilege Elevation Service. Together, these services enable you to manage access and administrative privileges for the computers in your organization. The primary tool for managing access-related features is Access Manager.
Access Manager provides a central console for defining and managing role-based access control rules and applying them to specific users, groups, or computers. For example, you can use Access Manager to delegate specific administrative tasks to a particular user or group. As an administrator, you can also use Access Manager to configure roles with start and expiration dates or limit the availability of a role to specific days of the week or hours of the day.
Verify Privilege Server Suite treats group Managed Service Accounts (gMSAs) as Active Directory users.
Audit-Related Features
Audit-related features are provided by the Audit & Monitoring Service. This service enables you to collect and store audit trails that capture detailed information about user activity. The primary tool for managing audit-related features is Audit Manager.
Audit Manager provides a central console for configuring and managing audited computers, audit store databases, and the permissions granted to specific auditors. There is also a separate Audit Analyzer console for searching and replaying captured activity.
Choosing Access and Auditing Features
In addition to the management tools for access-related or auditing-related features, each computer you want to manage must have an Agent for Windows installed. After you install the agent, you choose whether to enable access features, auditing features, or both feature sets.
If you enable access features, the agent enforces role-based privileges that let users run applications locally with administrative privileges without knowing the Administrator password, while their activity remains traceable to their own account credentials. You can also use role-based privileges to secure access to network services on remote computers.
If you enable auditing features, the agent captures detailed information about what users do when they access applications or network resources with administrative privileges.
You can use access features and components without auditing if you aren’t interested in collecting and storing information about session activities. You can also deploy auditing features and components without access control and privilege elevation features if you are only interested in auditing activity on Windows computers. However, the real value of using IBM Security software to manage Windows computers comes from using all of the services as an integrated solution for managing elevated privileges and ensuring accountability and regulatory compliance across all platforms in your organization.
Access Control for Windows Computers
By using Access Manager and deploying the Agent for Windows, you can develop fine-grained control over who has access to the Windows computers in your organization. You can also limit the use of administrative accounts and passwords. For example, you can restrict access to computers that host administrative applications or data center services and ensure that users accessing those computers can log on locally or connect remotely only when appropriate.
In a Windows environment without IBM Security software, the primary way you secure access to Windows computers is by granting a limited number of users or groups local or domain administrator privileges. The main drawback of this approach is that the rights associated with group membership don't change: a user who has domain administrator rights has those rights on every computer in the domain at all times. Conversely, users who aren't administrators or members of an administrative group sometimes need administrative privileges for specific tasks, which would otherwise require giving them an administrator or service account password. Shared passwords reduce accountability and are often flagged by auditors as a security issue.
Through the use of zones and roles, IBM Security software provides granular control over who can do what, and over where and when those users should be granted elevated privileges.
One-way trust environments
The Agent for Windows supports one-way trust in the following scenarios:
- When the zone belongs to the resource forest.
- When the logon account belongs to the account forest.
- When the RunAs account or group belongs to the resource forest (the RunAs group can be a built-in group).
- When the role assignment is at the zone, computer, or computer role level.
How Zones Organize Access Rights and Roles
One of the most important aspects of managing computers with IBM Security software is the ability to organize computers, users, groups and other information about your organization into zones. A zone is a logical object created using Access Manager that is stored in Active Directory. You use zones to organize computers, rights, roles, security policies, and other information into logical groups. These logical groups can be based on any organizing principle you find useful. For example, you can use zones to describe natural administrative boundaries within your organization, such as different lines of business, functional departments, or geographic locations.
Zones provide the first level of refinement for access control, privilege management, and the delegation of administrative authority. For example, you can use zones to create logical groups of Windows computers to achieve these goals:
- Control who can log on to specific computers.
- Grant elevated rights or restrict what users can do on specific computers.
- Manage role definitions, including availability and auditing rules, and role assignments on specific computers.
- Delegate administrative tasks to implement "separation of duties" management policies.
You can also create zones in a hierarchical structure of parent and child zones to enable the inheritance of rights, roles, and role assignments from one zone to another or to restrict local or remote access to specific computers for specific users or groups.
Because zones enable you to grant specific rights to users in specific roles on specific computers, you can use zones as the first level of refinement for controlling who has access to which computers, where administrative privileges are granted, and time restrictions on when administrative privileges can be used.
You can also use zones to establish an appropriate separation of duties by delegating specific administrative tasks to specific users or groups on a zone-by-zone basis. With zones, administrators can be given the authority to manage a given set of computers and users without granting them permission to perform actions on computers in other zones or giving them access to other Active Directory objects.
How Role-Based Access Rights Can be Used
Role-based access rights are more flexible than Active Directory group membership because Active Directory groups provide static permissions. For example, if Jonah is a member of the Active Directory Backup Operators group, he has all of the permissions defined for members of that group regardless of when or where he logs on to computers in the forest. In contrast, role assignments can be scheduled to start and end, apply only during specific hours, or be available only on specific computers. For example, Jonah may be in the Backup Operators role only on a specific computer or only on weekends.
Role-based access rights also prevent password sharing for privileged accounts, helping to ensure accountability. Users who need to be able to launch applications with elevated privileges can log on with their regular account credentials but run the application using an appropriate role without being prompted to provide the administrative password. For example, if Angela is assigned a role that enables her to run Disk Defragmenter using elevated privileges, she can log on with her normal credentials and select the role that enables her to run Disk Defragmenter without being prompted to provide an administrator user name and password.
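The scheduling rules described above (start and expiration dates, days of the week, hours of the day, and scoping to specific computers) reduce to a small evaluation function. The following is an added example written for this page, not the product's own code, schema or API: the RoleAssignment fields, the sample assignments, the assumption that the caller has already resolved the user's group memberships, and the rule that an availability window crossing midnight is attributed to the day on which it opened are all illustrative choices.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    """One role assignment. Field names are illustrative, not the product's schema."""
    role: str
    principal: str                                # user or AD group the role is assigned to
    computers: FrozenSet[str] = frozenset()       # empty = every computer in the zone
    starts: Optional[date] = None                 # first day the assignment is valid (inclusive)
    expires: Optional[date] = None                # assignment ends at 00:00 on this day (exclusive)
    days: FrozenSet[int] = frozenset(range(7))    # Monday=0 ... Sunday=6
    window: Optional[Tuple[time, time]] = None    # daily availability; may wrap midnight


def _effective_instant(a: RoleAssignment, now: datetime) -> Optional[datetime]:
    """Return the instant the date/day rules are applied to, or None if ``now``
    is outside the daily window.

    Assumed rule: for a window that wraps midnight (e.g. 22:00-06:00), 01:00 on
    Tuesday belongs to the window that opened on Monday, so Monday's date and
    weekday are what get tested.
    """
    if a.window is None:
        return now
    start, end = a.window
    t = now.time()
    if start <= end:                               # same-day window, end exclusive
        return now if start <= t < end else None
    if t >= start:                                 # evening part of an overnight window
        return now
    if t < end:                                    # post-midnight part: attribute to previous day
        return now - timedelta(days=1)
    return None


def is_active(a: RoleAssignment, principals: FrozenSet[str], computer: str, now: datetime) -> bool:
    """True if ``a`` grants its role to a caller holding ``principals`` on ``computer`` at ``now``."""
    if a.principal not in principals:              # membership already resolved by the caller
        return False
    if a.computers and computer not in a.computers:
        return False
    eff = _effective_instant(a, now)
    if eff is None:
        return False
    day = eff.date()
    if a.starts is not None and day < a.starts:
        return False
    if a.expires is not None and day >= a.expires:
        return False
    return eff.weekday() in a.days


def active_roles(assignments, principals: FrozenSet[str], computer: str, now: datetime) -> List[str]:
    """Sorted names of every role in effect for this caller, computer and time."""
    return sorted({a.role for a in assignments if is_active(a, principals, computer, now)})


# Constructed sample assignments mirroring the Jonah and Angela examples in the text.
ASSIGNMENTS = [
    # Jonah: Backup Operators only on BACKUP01 and only on Saturday/Sunday.
    RoleAssignment(role="Backup Operators", principal="jonah",
                   computers=frozenset({"BACKUP01"}), days=frozenset({5, 6})),
    # Desktop Support group: Disk Defragmenter on any computer, weekday nights
    # 22:00-06:00, for the first half of 2024 only.
    RoleAssignment(role="Disk Defragmenter", principal="Desktop Support",
                   starts=date(2024, 1, 1), expires=date(2024, 7, 1),
                   days=frozenset(range(5)), window=(time(22, 0), time(6, 0))),
]

if __name__ == "__main__":
    jonah = frozenset({"jonah", "Domain Users"})
    angela = frozenset({"angela", "Desktop Support"})
    for who, pcs, where, when in [
        ("jonah", jonah, "BACKUP01", datetime(2024, 3, 9, 10, 0)),    # Saturday: active
        ("jonah", jonah, "BACKUP01", datetime(2024, 3, 11, 10, 0)),   # Monday: not active
        ("angela", angela, "WS-042", datetime(2024, 3, 12, 1, 0)),    # Tue 01:00, Monday's window
        ("angela", angela, "WS-042", datetime(2024, 3, 16, 23, 0)),   # Saturday night: not active
    ]:
        print(who, where, when.isoformat(), "->", active_roles(ASSIGNMENTS, pcs, where, when))
```

The point of the overnight handling is that a naive check of `now.weekday()` would grant a weekday-only role at 01:00 on Saturday and deny it at 01:00 on Monday, which is the opposite of what the operator who configured a 22:00-06:00 window expects; attributing the instant to the day the window opened gives the intended behaviour. The same evaluator, run on a denied request, also yields the exact rule that failed, which is what you want to log when a user asks why a role was unavailable.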
Auditing User Activity on Windows Computers
Just as it is important to protect assets and resources from unauthorized access, it is equally important to track what users who have permission to access those resources have done. For users who have privileged access to computers and applications with sensitive information, auditing helps ensure accountability and improve regulatory compliance. With the Audit & Monitoring Service, you can capture detailed information about user activity and all of the events that occurred while a user was logged on to an audited computer.
If you enable the Audit & Monitoring Service on Windows computers, the Agent starts recording user activity when a user selects a role or logs on to a computer. The agent continues recording until the user logs out or the computer is locked because of inactivity. The user activity captured includes an audit trail of the actions a user has taken and a video record of the applications opened, any text that was entered, and the results that were displayed on the screen. Because information about user activity, called a session, is collected as it happens, you can monitor computers for suspicious activity or troubleshoot problems immediately after they occur.
When users start a new session on an audited computer, they can be notified that their session is being audited and they cannot turn off auditing except by logging off. The information recorded is then transferred to a Microsoft SQL Server database so that it is available for querying and playback. You can search the stored user sessions to look for policy violations, user errors, or malicious activity that may have led to a service degradation or outage.
In addition to saving a video record of user activity, sessions provide a summary of actions taken so that you can scan for potentially interesting or damaging actions without playing back a complete session. After you select a session of interest in the Audit Analyzer, the console displays an indexed list of actions taken in the order in which they occurred. You can then select any entry in the list to start viewing the session beginning with that action. For example, if a user opened an application that stores credit card information, you can scan the list of actions for the launch of that application and begin reviewing what happened in the session from that time until the user closed that application.
If users change their account permissions to take any action with elevated privileges, the change is recorded as an audit trail event. You can search for these events to find sessions of interest.
Using Access and Auditing Features Together
If you use the access features and the Audit & Monitoring Service together, you can define role-based access rights, restrict when and where roles are available, identify roles that should be audited, trace activity when roles with elevated permissions are selected and used, and play back session activity based on the criteria you choose. However, the Audit & Monitoring Service requires database storage for the audited sessions and management of the network communication for collecting and transferring audited sessions from the computers being audited to one or more databases where the sessions are stored. You also need to decide which roles should require auditing and which computers you want to audit.