
This document is a cache from http://www.centrify.com/downloads/public/centrify_dc_solution_guide.pdf


Solution Guide: Windows Security and Directory Services for ...

Document source : www.centrify.com


WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
To use DirectControl to manage GPOs
1. On a Windows computer with Active Directory Users and Computers and the
DirectControl Administrator Console installed, open Active Directory Users and
Computers.
2. In the left pane, select the domain that you use for the deployment.
3. Right click the domain name, select New, and then click Organizational Unit.
4. In the Name dialog box, give the new OU a unique name, such as Finance
Computers.
5. Move each of the UNIX computers that contain financial information used by auditors
into this new Active Directory OU:
a. Right-click the UNIX computer in its current OU.
b. Select Move.
c. Select the name of the new OU, and then click OK.
6. Configure a GPO for this OU to enforce setting the pam.allow.groups attribute with
the value finaudit. This setting restricts access to all UNIX computers in this OU only
to members of the finaudit Active Directory group. For more information, see
"Creating a Centrify DirectControl Group Policy Object" in the Centrify DirectControl
Administrator's Guide.
7. Apply this policy to the OU. This policy now governs all UNIX computers in this OU.
At the same time, you can also configure other policies to implement role-based access
control, for example, for other groups of computers.
For detailed information about how to use Group Policy with DirectControl, see the
Centrify DirectControl Administrator's Guide.
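To confirm on a UNIX computer that the policy from step 6 is in effect, the following added example (not part of the original guide and not Centrify code) audits the setting. It assumes the policy reaches the computer as a "pam.allow.groups: <groups>" line in the agent's local configuration file, with either ":" or "=" as the separator; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Centrify code). Assumes the agent stores the setting as
# "pam.allow.groups: <comma-separated groups>" in its local configuration file.

# normalize_groups "b, a,b" -> "a,b" (trimmed, de-duplicated, sorted)
normalize_groups() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | sort -u | paste -sd, -
}

# check_allow_groups FILE EXPECTED
# Returns 0 if the effective (last uncommented) pam.allow.groups value equals
# EXPECTED, 1 if it is missing or different, 2 if FILE cannot be read.
check_allow_groups() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # Commented lines do not match because the key must start the line.
    raw=$(sed -n 's/^[[:space:]]*pam\.allow\.groups[[:space:]]*[:=][[:space:]]*//p' "$conf" | tail -n 1)
    actual=$(normalize_groups "$raw")
    want=$(normalize_groups "$2")
    if [ -z "$actual" ]; then
        echo "FAIL: pam.allow.groups is not set in $conf"; return 1
    elif [ "$actual" != "$want" ]; then
        echo "FAIL: pam.allow.groups is '$actual', expected '$want'"; return 1
    fi
    echo "OK: pam.allow.groups is '$actual'"
}

# Constructed sample: a commented-out line plus the value the GPO should set.
demo() {
    sample=$(mktemp) || return 2
    printf '%s\n' '# pam.allow.groups: staff' 'pam.allow.groups: finaudit' > "$sample"
    check_allow_groups "$sample" finaudit; rc=$?
    rm -f "$sample"
    return $rc
}
```

Run check_allow_groups against the agent's configuration file on each computer in the OU; any non-zero exit status marks a computer where the finaudit restriction is missing or has been changed.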
Applying Security Controls
You can use role-based access control for administrators and operators as well as for
end-users. Most organizations restrict access to the Administrator account for security
reasons. For that reason, Centrify has added the capability to delegate administration of
Zones to non-privileged users.
In addition, most organizations restrict access to the root password on critical UNIX
computers. Ideally, you should manage control over root accounts centrally and apply
policies for password complexity, password aging, and other security-oriented policies to
the root account on each UNIX computer or groups of computers.
Assigning management privileges for each Zone
You can use the Centrify DirectControl Administrator Console to give specific users and
groups permission to perform certain types of administrative tasks within each Zone. For
example, assume that you have a Zone called Finance and you want to set up different
types of permissions for the different kinds of administrators who manage computers in
this Zone. Through the Centrify DirectControl Administrator Console, you can assign
specific permissions to individual users and groups. For example, you can assign:
· The group ITStaff full control, which allows members of that group to perform all
administrative tasks.
· The group FinanceManagers permission to read and modify Zone information and
Zone membership.
· The group FinanceUsers permission to read Zone information but perform no other
tasks.
· The users jeff.hay and lori.penor permission to delete Zones.






