Using Centrify's DirectControl with Mac OS X - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERUSING CENTRIFY’S DIRECTCONTROL WITH MAC OS X• Each DirectControl-managed UNIX, Linux or Mac system can be placed into aDirectControl Zone, typically directly mapping to an existing logical securityboundary or administrative grouping such an organizational department or lab.• A user (Joan Smith in Figure 3) is configured in Active Directory with her normalWindows information, such as name, password, group membership and so on. Inaddition, the “Centrify Profiles” that Centrify adds to her Active Directory accountindicates which Zones she can access.• For each Zone, Joan’s UNIX/Mac profile in Active Directory stores accountinformation specific to that Zone: UNIX user name, user ID, shell, and homedirectory for example. Thus, a single Active Directory account can be mapped to anynumber of UNIX/Mac identities.• Joan can log in to computers only in the Zones to which she has been granted access.Whereas Joan has access to several Zones, another user – for example, a student in auniversity setting – could be given rights to access only Macs in a Zone set up for aclassroom lab, and not be given access to Macs or other systems in Zones set up forcomputers used in administrative or research departments.• As Figure 3 illustrates, Joan authenticates through Active Directory regardless ofwhich system she logs in to. The Zones are part of the same Active Directory domainwhere Joan’s account exists.Delegation and separation of duties is a critical component of any centralizedadministration solution where security is a concern. DirectControl Zones provide anenvironment with Active Directory that leverages native access control rules withinActive Directory to delegate UNIX profile management as well as UNIX/Mac systemaccess rights management to UNIX administrators without requiring domainadministrator rights. With DirectControl, UNIX and Mac administrators do not needrights to modify or create user objects, which is typically a privileged operation withinthe enterprise.Additionally, each Zone can have its own set of administrators, each with specificprivileges within the Zone. In our university example, Joan may be an IT administratorwho has the right to create and modify user accounts in Active Directory for students andemployees, and the right to create Zones and add users to Zones. However, a graduatestudent who runs a Macintosh lab could be given rights only to add or remove existinguser accounts to the Mac lab Zone. This added security feature means not only can usersand computers be compartmentalized into logical secure groups, but the administratorswho manage those systems can also be segregated. For many organizations, the ability tofinely control the elevated privileges for administrators is essential for maintainingappropriate levels of confidentiality and for complying with regulatory controls.© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 9
CENTRIFY WHITE PAPERUSING CENTRIFY’S DIRECTCONTROL WITH MAC OS X2.3 Key Differences between DirectControl and Apple’s ActiveDirectory Plug-inDirectControl is designed to provide what seems on the surface as an equivalent solutionto the Active Directory plug-in that Apple provides with Mac OS X out of the box;however, there are several key differences between the solutions. Fundamentally,DirectControl is designed to provide the centralized administration staff with the toolsrequired to centrally manage heterogeneous computing environments from existingWindows administrative tools. Here are some of the key differences:• DirectControl provides consistent Active Directory integration across multipleplatforms. DirectControl provides a single integration solution not only for Mac OSX but for popular UNIX and Linux platforms as well.• DirectControl Zones can be used to further control user access as well as to segregatethe Macintosh user population and administrative staff and keep their rights at aminimum within Active Directory.• Offline login is provided with locally cached account profiles for users with localhome directories. However, if the user has a network home directory he will beprompted to create a mobile account to take advantage of the synchronizationbetween the local and network-based home directories.• DirectControl enables common account administration of both Windows andMacintosh systems leveraging tools such as Active Directory Users and Computers.• UID and GID assignment is managed centrally within Active Directory as additionalattribute information about these objects versus a local configuration within theDirectory Services configuration interfaces.• There are many security-related benefits to using DirectControl for Active Directoryintegration. For example, the machine account password is periodically changed, allcommunications to Active Directory are Kerberized, and user access to Windowsprint queues is authenticated in a single sign-on fashion.• DirectControl provides a reporting facility to enable generation of several reports onActive Directory information such as computer access reports.• DirectControl provides delegated administration with separation of duties betweenActive Directory and Macintosh administrators as well as between groups ofMacintosh administrators.Additionally, the DirectControl Agent that provides user authentication and authorizationservices also provides Group Policy enforcement to enable centralized configurationmanagement. Centralized configuration and Group Policy services are described in moredetail in the next section.© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 10
Page 1 and 2: WHITE PAPERCENTRIFY CORP.OCTOBER 20
Page 3 and 4: CENTRIFY WHITE PAPERUSING CENTRIFY
Page 11: CENTRIFY WHITE PAPERUSING CENTRIFY
Page 31: CENTRIFY WHITE PAPERUSING CENTRIFY

Using Centrify's DirectControl with Mac OS X - Cerberis

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?