Introduction to IBM Security software

This section provides an overview of IBM Security software features for Windows computers and how you can use IBM Security software to temporarily elevate your privileges to perform administrative tasks locally on your computer or remotely on a network server.

What is Verify Privilege Server Suite?

Verify Privilege Server Suite is a multi-tier software solution that enables administrators to centrally manage access to on-premise servers and workstations, mobile devices, and applications across a broad range of platforms. With Verify Privilege Server Suite, administrators can accomplish the following:

  • Manage local and remote access to computers with Linux, UNIX, Mac OS X, and
    Windows operating systems.
  • Enforce security policies and control access to applications on mobile
    devices such as iPhone and Android smart phones and tablets.
  • Enable single sign-on and role-based rights for on-site and cloud-based
    applications.
  • Capture detailed information about user activity and the use of
    administrative privileges.

Using IBM Security software, an Active Directory administrator creates zones to organize the enterprise’s on-premise computers, mobile devices, and applications into groups. For each group, the administrator then defines rights, roles, and group policies to control access to the computers and applications in that zone. By using zones and role assignments, the administrator can establish fine-grain control over who is authorized to perform administrative tasks and when user activity should be audited.

With IBM Security software, your organization can reduce the risk of unauthorized access to critical resources, ensure accountability and regulatory compliance for users with access to privileged accounts or sensitive information, and simplify the management of shared accounts and role-based access rights.

Using IBM Security Software to Manage Access to Windows Computers

IBM Security provides a cross-platform solution that relies on the deployment of an Agent. To manage access to Windows servers and workstations, an administrator installs the Agent for Windows and identifies the zone the computer should use. If an administrator has installed the agent and added your computer to a zone, the computer is a managed computer. When you log on, the agent checks that you have been assigned a role that allows a local or remote logon. As long as you have a role assignment that allows you to log on, logging on proceeds normally. If you have not been assigned a role that allows you to log on, you will be denied access to the computer.

In most cases, an Active Directory administrator or another delegated administrator will also define rights and roles that enable you to run as another account that has elevated privileges. For example, the administrator might create a role that allows you to manage a Microsoft SQL Server instance using administrative privileges and another role that enables you to run an Exchange management tool using a shared service account.

The administrator is responsible for defining the specific rights that are available in different roles and for assigning those roles to the appropriate Active Directory users and groups. The administrator can also assign selected roles to local Windows users and groups.

As a user logging on to an IBM Security-managed computer, you have the option to select from and switch between the roles you have been assigned. For example, you begin the day by logging on to your computer using your Active Directory credentials. In most cases, this account does not have elevated privileges. In your work queue, you find that you need to add a new database to the SQL Server instance you manage. Because this change requires administrative privileges not available in your logon account, you select the role with elevated privileges that you have been assigned for managing SQL Server instances. When you are done adding the database in Microsoft SQL Server Management Studio, you switch back to your default logon account.

The administrator determines whether the elevated privileges in your role are limited to a specific application, for example, Microsoft SQL Server Management Studio, any application on your desktop, or only allowed on a remote server. You are responsible for selecting the appropriate role to do the work required from the list of roles available to you.

Auditing Role-based Activity

The administrator can also define an auditing requirement for each role. If you switch to a role that is audited, the switch is recorded in the local Windows event log. If the computer you are using is configured to audit session activity, all of the actions you take during the session are captured in a video recording until you end the session or log out. If session activity is audited, the agent on your computer captures everything displayed on the screen, including your keystrokes and the windows you have open while you are using an audited role on an audited computer. If you switch from a role that requires auditing to one that has no audit requirement, the recording stops until you resume the role that requires auditing.

The administrator determines which roles and computers require auditing of user activity and can enable auditing notification to inform you if your actions might be audited.

Roles Grant Different Types of Access Rights

There are three types of access rights that an administrator can add to any role you might be assigned:

Type of access right, and what a role with this type of right allows you to do:

Desktop
  If you have been assigned a role that grants a desktop right, you can create a separate desktop on your computer to run applications as yourself but with the elevated privileges associated with a specific Active Directory or built-in group. In most cases, an administrator assigns you a role with a desktop right if you have more than one local application for which you need elevated privileges and you need to use those privileges frequently. For example, if you use several administrative applications on a daily basis, you are likely to be assigned a role that has a desktop right.
  Note: On Windows 10 and Windows Server 2016 systems, task bar menus are not available in an Elevated Desktop.

Application
  If you have been assigned a role that grants an application right, you can run a specific application with the elevated privileges associated with a specific user account, or as yourself but with the elevated privileges associated with a specific Active Directory or built-in group. In most cases, an administrator assigns you a role with an application right if you have only occasional administrative responsibilities for a specific application or only need temporary use of the elevated privileges.

Network access
  If you have been assigned a role that grants a network access right, you can connect to a remote computer as an account with privileges on that computer. In most cases, an administrator assigns you a role with a network access right if you need to take administrative action on a remote server. This access right does not change any of your privileges on your local computer.

Every role includes one or more rights. Depending on the roles you have been assigned, you might have one or more of these access rights available.

Computers Must be in a Zone for Roles to be Available

The administrator can define different rights and different roles for every zone. Your computer must be joined to a zone for those rights and roles to be available. In addition, a computer can be joined to only one zone at a time. The rights you have in any zone are based on the roles assigned to you in that zone and its parent zone. If the administrator has not added your computer to a zone, no local or network roles will be available for you to use.

After a computer is added to a zone, it is possible that your role assignments might enable you to access remote computers in zones other than the local computer’s zone. Roles that enable access to remote computers do not require you to have any local roles available in your local computer’s zone.

In most cases, the administrator should add your computer to the appropriate zone. Changing the zone assignment requires local administrative privileges. If you have administrative privileges on your local computer, you can use the Privilege Elevation Service Settings to view information about your current configuration and perform administrative tasks, if required. For example, if the administrator notifies you that you should join a zone they have prepared, you can use the Privilege Elevation Service Settings to complete the operation for your local computer.

Using the dzjoin Command

The dzjoin command line program enables you to automatically join users to the zone in which their roles and rights are assigned, or to join them to a specific zone by zone name, when they log on to their computer. The dzjoin command line program is particularly useful for organizations that use non-persistent virtual desktop infrastructures.

The syntax for the dzjoin command is:

dzjoin [/c <domain controller>] [/d] [/u <username>] [/f] [/h] [/r [y|n|yes|no]] {/z <zonename> | /s | /v}

If the /u option is specified but no password is found in the redirected input, you will be prompted for a password.

Use this option   To do this
/c                Specify a domain controller to connect to.
/d                Retrieve zone data before restarting.
/u                Specify the user name for joining the zone with custom credentials. The user name must be in the format USER@DOMAIN or DOMAIN\USER. The credentials are used for remote access only. The password can be supplied through redirected input; otherwise, the tool prompts for it.
/f                Suppress any warnings and questions.
/h                Display the command help.
/r                Suppress the restart warning and restart the machine, if required, after joining the zone. If no restart is required, this option is ignored. If no argument is provided (for example, '/r'), the default is to restart, which is equivalent to '/r yes'.
/z                Join a zone by zone name. If the zone name is not unique, use the canonical name instead.
/s                Join the zone in which this computer is already pre-created, or to which it was previously joined but was left remotely while disconnected.
/v                Display the agent version.

You can also use the PowerShell command Join-CdmZone to join a zone.

Using the dzleave Command

To leave a zone, use the dzleave command. The syntax for the dzleave command is:

dzleave [/c <domain controller>] [/u <username>] [/a|/f] [/r [y|n|yes|no]] [/v] [/h]

Use this option   To do this
/a                Remove the role assignment from the computer zone.
/c                Specify a domain controller to connect to.
/u                Specify the user name for leaving the zone with custom credentials. The user name must be in the format USER@DOMAIN or DOMAIN\USER. The credentials are used for remote access only. The password can be supplied through redirected input; otherwise, the tool prompts for it.
/f                Suppress any warnings and questions. If the domain cannot be contacted, the tool performs a local zone leave automatically.
/h                Display the command help.
/r                Restart the machine without prompting, if required, after leaving the zone. If no restart is needed, this option is ignored. If no argument is provided (for example, '/r'), the default is to restart, which is equivalent to '/r yes'.
/v                Show the agent version.

You can also use the PowerShell command Exit-CdmZone to leave a zone.
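The following PowerShell script is an added example, not part of the IBM documentation, showing how the dzjoin and dzleave options described above can be driven from a provisioning workflow for a non-persistent virtual desktop pool (the use case the dzjoin section mentions). It uses only the command-line options listed on this page. The domain controller name, the join account, the zone name, the DZJOIN_PASSWORD environment variable, and the assumption that dzjoin and dzleave return a non-zero exit code on failure are all assumptions for the example and are not taken from the page.

```powershell
# Added example (not from the IBM documentation): join a computer to a zone
# when a VDI session is provisioned, and leave the zone when it is torn down.
# Hypothetical values: the domain controller, the join account, the zone
# name, and the DZJOIN_PASSWORD environment variable. Assumed: dzjoin and
# dzleave return a non-zero exit code on failure.

param(
    [ValidateSet('Join', 'Leave')]
    [string]$Action = 'Join'
)

$DomainController = 'dc01.example.com'       # assumed; /c value
$JoinAccount      = 'svc-dzjoin@EXAMPLE.COM' # assumed; /u value, USER@DOMAIN form
$ZoneName         = 'VDI-Pool-A'             # assumed; /z value

# The page states the password may be supplied by redirected input, so it is
# read from the environment (set by the provisioning system) and piped to
# the tool's standard input rather than placed on the command line, where it
# would be visible in process listings and logs.
$Password = $env:DZJOIN_PASSWORD
if (-not $Password) { throw 'DZJOIN_PASSWORD is not set' }

function Invoke-DzTool {
    param(
        [string]$Tool,
        [string[]]$ToolArgs
    )
    Write-Output "Running $Tool $($ToolArgs -join ' ')"
    # Pipe the password to stdin; capture both output streams for the log.
    $output = $Password | & $Tool @ToolArgs 2>&1
    $output | ForEach-Object { Write-Output "  $_" }
    if ($LASTEXITCODE -ne 0) {   # assumed: non-zero means the operation failed
        throw "$Tool failed with exit code $LASTEXITCODE"
    }
}

switch ($Action) {
    'Join' {
        # /f suppresses warnings and questions so the script never blocks;
        # '/r no' defers any restart so the provisioning workflow decides
        # when the machine reboots.
        Invoke-DzTool -Tool 'dzjoin' -ToolArgs @(
            '/c', $DomainController,
            '/u', $JoinAccount,
            '/z', $ZoneName,
            '/f',
            '/r', 'no'
        )
    }
    'Leave' {
        # The syntax shows /a and /f as alternatives. /f is used here because
        # the page states it falls back to a local zone leave when the domain
        # cannot be contacted, which suits a pool being torn down.
        Invoke-DzTool -Tool 'dzleave' -ToolArgs @(
            '/c', $DomainController,
            '/u', $JoinAccount,
            '/f',
            '/r', 'no'
        )
    }
}
```

Run the script as an account with local administrative privileges (the page notes that changing the zone assignment requires them), for example `.\Set-VdiZone.ps1 -Action Join` at provisioning and `-Action Leave` at teardown. Because a computer can be joined to only one zone at a time, a failed join is surfaced as a terminating error so the provisioning pipeline does not hand out a desktop on which no roles are available.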

Why You Should Use Roles for Administrative Tasks

Roles give the administrator complete flexibility for delegating control and limiting risk. For example, the administrator can define a role that lets you do specific administrative functions on your local or a remote computer without giving you the administrator’s password. By eliminating the use of a shared password for the administrator’s account, you can prevent an audit finding that could be costly for your organization. Using a role also limits your authority on the computer, ensuring appropriate accountability, and limits the potential damage a compromised password might cause.

In addition, roles enable targeted auditing of user activity, so that only the actions when you have elevated privileges or access certain computers are recorded. In many cases, these activities must be recorded for regulatory or industry compliance. With roles, you can go about your normal activity, such as reading and responding to email, without auditing, then capture detailed information about the use of SQL Server Management Studio or the Exchange Management Console.

What Gets Installed on a Managed Computer

The Agent for Windows package contains software to support auditing, access control, and privilege management on Windows computers. These features must be installed together on any supported Windows computer. Depending on the services to be enabled, your computer might include the following:

  • Privilege Elevation Service manages your access rights, including
    your ability to log on locally, connect to a remote server, and access
    applications using administrative privileges.
  • Privilege Elevation Service desktop applet that enables you to
    select roles, open new desktops, switch between open desktops, and view
    details about your role assignments. The applet is visible on your computer
    as the IBM Security icon in the system tray.
  • Privilege Elevation Service Settings that enable an administrator
    to join, change, or leave the zone, run diagnostics, and configure and view
    logged activity.
  • Identity Platform Settings that enable multi-factor authentication
    (MFA) login, enable RADIUS authentication, and other identity services.

If you are assigned roles that define application and desktop rights on your local computer, or access rights on remote computers, the Agent for Windows must be installed on your local computer and on the remote computer.

The administrator can deploy the Agent for Windows from a central location on the network to your computer or you can install it directly on your local computer.