Managing Group Policies for Non-Windows Computers through Microsoft Active Directory

Abstract

Administrators currently have the option either to use Open Source tools or implement professional, scalable, and supported solutions like PowerBroker Identity Services Enterprise when standardizing identity management on Windows. The present paper discusses the advantages and disadvantages of both approaches.

www.beyondtrust.com

Contents

Executive Summary
Managing Group Policies
Predominance of Windows Platform
Group Policy Management
Schema Extension
Ease of Use
Uniformity of Management
Policy Management Features Available through Active Directory
Management Complexities in the UNIX Environment
Cross-platform Challenges
Limitations of sudo
Limitations of NIS/NIS+
Limitations of RBAC
Kerberos Authentication
Limitations of File Permissions in UNIX
Managing Policies Across Different Flavors of UNIX/Linux
Advantages of Managing UNIX Policies with BeyondTrust
Complexities of Managing Policies in Mac OS X Environment
BeyondTrust Solution for Mac Desktop Policy Management
Summary

Executive Summary

Currently, midsize and large enterprises have to manage identities and policies uniformly across a heterogeneous platform base. This need arises from increasing node management costs, the desire to improve security posture, and industry regulatory requirements. The most efficient way to manage policies and identities on non‐Windows platforms in these environments is to choose Windows as a common ground for the storage, management, and enforcement of such policies. Windows is chosen as a common ground because it is a scalable and reliable platform with excellent, intuitive management tools. Administrators can use Open Source tools or professional, scalable, and supported solutions like PowerBroker Identity Services Enterprise when standardizing identity management on Windows. The present paper discusses the advantages and disadvantages of both approaches.

This white paper discusses how PowerBroker Identity Services Enterprise enables organizations to integrate and manage their UNIX, Linux, and Mac computers using Microsoft Active Directory tools.

The paper briefly describes the proliferation of Windows and then moves on to describe how Active Directory features, such as Group Policy and extensions to Active Directory schemas, enable the management of UNIX‐like systems.

The paper then discusses why Windows' well‐known ease‐of‐use advantages make management of non‐Windows systems through Active Directory an attractive alternative. The remainder of the white paper provides a more technical discussion of UNIX management complexity and why incorporating a Windows policy‐based management alternative provides organizations with a uniform use and management model for their computing environments.

Finally, the paper describes how PowerBroker Identity Services Enterprise works to bring together Active Directory and UNIX management under Windows Group Policies.

Managing Group Policies

Predominance of Windows Platform

Microsoft Windows Server and Active Directory have come to dominate business computing. This has resulted in the need for non‐Windows devices and applications to interoperate with, and even be managed within, a Microsoft Windows Active Directory environment. Besides being one of (if not the) most widely deployed scalable directory solutions, Active Directory is also the most widely deployed and most robust commercial implementation of Kerberos.

Over the years, Microsoft has been successfully able to deliver a scalable computing solution from the server to the client, particularly because of the ease of use of its graphical user interface. Besides addressing the operating system, directory, and storage markets, Microsoft’s enterprise‐class applications such as Exchange and SQL Server depend upon directory‐based authentication. In addition, many third‐party applications such as PeopleSoft and SAP incorporate AD authentication. Given the roadmap offered by Microsoft, this interconnection of the directory side and the application side will only increase.

The following sections describe the advantages of Microsoft Windows marketplace success from a heterogeneous environment perspective.

Group Policy Management

Unlike other directory vendors, Microsoft has delivered profile and desktop management on a large scale. Whereas vendors such as Novell or Sun Microsystems offer only partial solutions, Microsoft is able to push policies automatically through the domain from the server to the client. The enhanced Group Policy implementation in Windows Vista and Windows Server 2008 has allowed administrators to centrally manage a greater number of features and component behaviors than was possible in previous versions. With the continuing consolidation of IT vendors, the enterprise computing landscape will undoubtedly be geared more and more toward Windows platforms.

Schema Extension

Over the years, Microsoft has lessened its aggressive stance toward UNIX, starting with adding some interoperability in Microsoft Services for UNIX 3.0 (SFU 3.0), and extending that in SFU 3.5. Most recently, in Windows Server 2003 R2, Microsoft has incorporated most of the features of SFU 3.5, adding the ability to extend the AD schema with UNIX‐compliant attributes in accordance with RFC 2307. This simplified the integration of cross‐platform identity management by eliminating the need to choose between storing UNIX object credentials in the existing classes (so‐called non‐schema mode) and an unsupported extension of the AD schema. Now administrators can take advantage of RFC 2307 by using UNIX‐ and Linux‐specific attributes that are built into the AD schema.
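As an added example (not code from this paper or from PowerBroker), the following Python script shows what the RFC 2307 attributes on an AD user object look like once exported, and how a host-side check would turn them into passwd entries while catching incomplete records and shared UID numbers. The LDIF records are constructed sample data and the attribute names are the RFC 2307 ones Windows Server 2003 R2 added to the schema.

```python
"""Map AD user objects carrying RFC 2307 attributes to POSIX passwd entries,
flagging records that are incomplete or that share a uidNumber. Added
example; the records below are constructed, not a real directory export."""
import re
from collections import defaultdict

# Constructed LDIF export of five AD user objects (RFC 2307 attributes only).
SAMPLE_LDIF = """\
sAMAccountName: alice
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

sAMAccountName: bob
uidNumber: 10002
gidNumber: 5000
unixHomeDirectory: /home/bob

sAMAccountName: carol
gidNumber: 5001
unixHomeDirectory: /home/carol

sAMAccountName: dave
uidNumber: 10003
gidNumber: 5001
unixHomeDirectory: /home/dave

sAMAccountName: erin
uidNumber: 10003
gidNumber: 5001
unixHomeDirectory: /home/erin
"""

REQUIRED = ("sAMAccountName", "uidNumber", "gidNumber", "unixHomeDirectory")

def parse_ldif(text):
    """Split an LDIF export into one dict per record (single-valued attrs)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def to_passwd(records):
    """Return (passwd_lines, problems). A record is emitted only when every
    attribute a login needs is present and its uidNumber is unique; the rest
    are reported so the directory is fixed before hosts resolve them."""
    problems, by_uid = [], defaultdict(list)
    for rec in records:
        missing = [a for a in REQUIRED if a not in rec]
        if missing:
            problems.append(f"{rec.get('sAMAccountName', '?')}: missing "
                            f"{', '.join(missing)}")
            continue
        by_uid[rec["uidNumber"]].append(rec)
    lines = []
    for uid, recs in sorted(by_uid.items(), key=lambda kv: int(kv[0])):
        if len(recs) > 1:
            names = ", ".join(r["sAMAccountName"] for r in recs)
            problems.append(f"uidNumber {uid} shared by {names}")
            continue
        r = recs[0]
        shell = r.get("loginShell", "/sbin/nologin")  # no shell attr: no login
        lines.append(f"{r['sAMAccountName']}:x:{uid}:{r['gidNumber']}:"
                     f"{r['sAMAccountName']}:{r['unixHomeDirectory']}:{shell}")
    return lines, problems
```

Running it against the sample yields two usable passwd lines and two findings (carol lacks a uidNumber; dave and erin share 10003), which is exactly the kind of directory error a host would otherwise surface only as a failed or mis-attributed login.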

Ease of Use

It is generally accepted that Windows' management tools are easier to use than their UNIX and Linux counterparts. This is one of the major reasons that Microsoft has won the desktop client and server enterprise management battle. Administrators today very infrequently must be involved with the error‐prone manual editing of configuration files or rely on writing scripts and executing them from the command line. In fact, creating and pushing the enterprise policy across thousands of clients can be performed with a few mouse clicks from one of the policy management plug‐ins for the Microsoft Management Console.

Uniformity of Management

The various vendors’ UNIX and Linux platforms are notoriously different from one another: they have different management tools and different desktop interfaces. Looking at a number of popular Linux distributions from Red Hat, SUSE, and Ubuntu, it becomes clear that Linux did not deliver the uniformity hoped for. Since it is clear that UNIX and Linux must inevitably interoperate with Windows, there is a heightened need for standardized authentication and management tools. Fortunately, Microsoft now offers such common ground: the combination of an Active Directory framework and Group Policy management. This is where UNIX administrators can take a lazy approach, since both the framework and the management tools have been already written, scaled, tested, and delivered to the enterprise. All it takes is to tap into this offered technology and use AD for uniform policy management.

Policy Management Features Available through Active Directory

Windows policy management allows administrators to automatically and intuitively enforce a large number of end‐node parameters across the domain in a hierarchical fashion. These parameters include security settings, wired and wireless settings, startup and shutdown scripts, software restrictions, QoS, IPSec, remote software installation settings, access restrictions to local hardware, and many more. The growing number of group policy settings appearing in Windows Vista and the upcoming Windows 7 clearly indicates that this is the desktop management approach that Microsoft has chosen.

All these policies are edited and enforced from the Microsoft Group Policy Management Console (GPMC), a comprehensive and intuitive suite of policy management tools available as a Microsoft Management Console (MMC) snap‐in. GPMC allows administrators to launch the Active Directory Users and Computers (ADUC) console to apply policy objects to the desired OU (Organizational Unit) level and launch Group Policy Object Editor (GPOE) to modify group‐policy settings within group policy objects. Overall, the above-described suite of tools allows administrators to easily create multiple group policies and enforce them at different OU levels.

Management Complexities in the UNIX Environment

Interoperability between Windows and UNIX has always been a problem repeatedly addressed with limited success from both OSs. While porting applications across platforms is often impractical, cross‐platform authentication allows administrators to deliver UNIX applications (particularly Web‐based applications) to the Windows realm, providing a faster and more convenient solution. By the same token, allowing Windows users to authenticate and manage UNIX systems simplifies tracking identities, making the overall UNIX user experience more pleasant.

Some attempts to have Windows and UNIX interoperate have met with moderate success. Microsoft Services for UNIX (most features of SFU have been incorporated into Windows Server 2003 R2 and Windows Server 2008) offers limited interoperability between AD and NIS, plus a password‐synchronization utility. Specifically, SFU offered a service that would synchronize UNIX UIDs/GIDs and Windows user and group identities (SIDs) bidirectionally in one‐to‐one and many‐to‐one mode. Additionally, SFU offered bidirectional Windows‐to‐UNIX and UNIX‐to‐Windows password synchronization that supports both local and domain account Windows password synchronization. However, these features did not support very many UNIX flavors while requiring a fair amount of manual configuration work to be implemented.

How‐to documents for UNIX and Linux platforms also offer limited interoperability at the cost of extensive manual labor associated with editing configuration files, sometimes on each participating host. This is a tedious and error‐prone procedure. Several how‐to documents of this kind have been maintained since the year 2000, particularly addressing authentication through pluggable authentication modules. Unfortunately, not all the UNIX and Linux flavors are supported, and the implementation requires laborious manual configuration and extensive testing.

An incorrect configuration can not only result in failed user authentication but also make the UNIX host less secure. There are similar documents for Samba, Apache, and SSH authentication. Additionally, the recommendations and implementations change from application to application, particularly in the versions of supported tools and the location and format of the configuration files. Frequently, the recommended modifications are not supported by either the UNIX or Linux vendors or Microsoft, which makes it difficult to implement these changes in a production environment. Therefore, should the particular platforms need to be supported, administrators need to have extensive knowledge of both platforms and rely on often untimely free technical advice from Internet forums.

Supporting cross‐platform authentication in such a manner is stressful and counterproductive.

Cross‐platform Challenges

The following sections describe the cross‐platform challenges administrators must face.

Limitations of sudo

sudo is used as an alternative to the extensive use of the root account for management purposes. sudo allows non‐privileged accounts to execute privileged commands. While a great idea, as typically implemented sudo has a number of drawbacks. Among these are the need to manually apply and maintain the sudoers file across all the managed systems, test each configuration change, and make modifications to each node when a new administrator joins or leaves the company.
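The maintenance burden described above is also a review burden: a sudoers file that is edited by hand on every host accumulates grants for people who have left and grants that are broader than intended. As an added example (not from this paper or from PowerBroker), the Python script below reviews a constructed sudoers file against a constructed list of the accounts the directory currently considers administrators; it handles the common single-line user-spec form, not the full sudoers grammar.

```python
"""Review a sudoers file against the directory's current administrator list:
report grants for accounts that are no longer administrators and grants
that give ALL commands without a password. Added example; the sudoers text
and the admin list are constructed sample data."""
import re

# Constructed sudoers as it might look on one host after years of edits.
SAMPLE_SUDOERS = """\
# /etc/sudoers on host web01 (constructed sample)
Defaults    env_reset
User_Alias  WEBADMINS = alice, bob
Cmnd_Alias  SERVICES = /usr/sbin/service, /bin/systemctl
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
WEBADMINS   ALL=(root) SERVICES
dave        ALL=(ALL) NOPASSWD: ALL
carol       ALL=(root) /usr/bin/less /var/log/*
"""

# Constructed: accounts the directory currently lists as UNIX administrators.
CURRENT_ADMINS = {"alice", "carol", "root"}

TAG_RE = r"(NOPASSWD|PASSWD|NOEXEC|SETENV):"
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_sudoers(text):
    """Return (user_aliases, specs); each spec is
    (subject, hosts, runas, tags, commands). Cmnd_Alias names are left
    unexpanded: any command field other than ALL counts as restricted."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias")):
            continue
        if line.startswith("User_Alias"):
            name, _, members = line[len("User_Alias"):].partition("=")
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            subject, hosts, runas, rest = m.groups()
            tags = re.findall(TAG_RE, rest)
            commands = re.sub(TAG_RE + r"\s*", "", rest).strip()
            specs.append((subject, hosts, runas or "", tags, commands))
    return aliases, specs

def review(text, current_admins):
    """Return findings: stale grants (user not in the directory's admin set)
    and passwordless unrestricted grants. Group subjects (%name) are skipped
    because their membership is resolved by the directory, not this file."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for subject, _hosts, _runas, tags, commands in specs:
        for user in aliases.get(subject, [subject]):
            if user.startswith("%"):
                continue
            if user not in current_admins:
                findings.append(f"stale: {user} still granted "
                                f"'{commands}' via {subject}")
            if commands == "ALL" and "NOPASSWD" in tags:
                findings.append(f"unrestricted: {user} has NOPASSWD ALL")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_SUDOERS, CURRENT_ADMINS):
        print(finding)
```

Run on a fleet, the same check is what turns "edit every node when an administrator leaves" from a hope into something measurable.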

Limitations of NIS/NIS+

While NIS is still widely used for domain authentication, the technology has known security limitations (a client can retrieve the entire NIS password database for offline inspection), is not very scalable, and has inefficient replication processes. While NIS+ has fixed a number of NIS drawbacks by being hierarchical, requiring server authentication, and allowing permissions on operations, NIS+ is difficult to administer, requires special backup procedures, and has limited scalability, particularly with multiple domains and over 1,000 clients. In this regard, the scalability and robustness of Active Directory offer a far better alternative.

Limitations of RBAC

Role‐based access control (RBAC) is another approach to restricting system access to authorized users. RBAC is based on roles that are created for various job functions; permissions to perform operations are assigned to roles rather than to individual users, so rights management is reduced to assigning a user to the appropriate role. However, in large heterogeneous environments the management of RBAC memberships becomes extremely complex, because RBAC lacks hierarchical creation of roles and privilege assignments. Additionally, not all users have the same role on different systems, which further complicates administration.

Kerberos Authentication

Kerberos configuration requires running a daemon, synchronizing time between the server and the client via NTP, installation of the pam_krb5 module, and making applicable changes to the sample configuration files provided with the distribution.

Administrators, therefore, have to rely on an extensive knowledge of both platforms and on the not always timely third‐party help from the Internet forums to get Kerberos implemented within a UNIX or Linux environment. Obviously, handling domain authentication in such a manner is time‐consuming and prone to error.
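Of the steps listed above, editing the sample configuration file is where hand-made mistakes are hardest to spot, because a wrong realm name or realm mapping produces a generic authentication failure rather than a pointed error. As an added example (not from this paper or from PowerBroker), the Python pre-flight check below parses a constructed krb5.conf written for an AD realm and reports the two mistakes planted in it; EXAMPLE.COM and dc1.example.com are placeholders.

```python
"""Pre-flight check of a krb5.conf intended for an Active Directory realm.
Added example; the configuration is constructed and contains two deliberate
mistakes: a lower-case default_realm (realm names are case-sensitive and
AD realms are upper-case) and a domain_realm mapping to a different realm."""

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = example.com
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = CORP.EXAMPLE.COM
    example.com = CORP.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} with one level of '{ }' nesting,
    which is the shape of [realms] in krb5.conf. Comments start with '#'."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):              # start of a nested realm block
            sub = line[:-1].split("=")[0].strip()
            conf[section][sub] = {}
        elif line == "}":                     # end of the nested block
            sub = None
        elif "=" in line:
            key, _, value = line.partition("=")
            target = conf[section][sub] if sub else conf[section]
            target[key.strip()] = value.strip()
    return conf

def check_krb5_conf(text):
    """Return a list of findings; an empty list means these checks passed."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    realm = libdefaults.get("default_realm")
    findings = []
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    else:
        if realm != realm.upper():
            findings.append(f"libdefaults: default_realm '{realm}' is not "
                            "upper-case")
        if realm.upper() not in realms:
            findings.append(f"realms: no [realms] entry for {realm.upper()}")
    # With DNS SRV lookup disabled, every realm must name at least one KDC.
    dns_lookup = libdefaults.get("dns_lookup_kdc", "true").lower()
    for name, entry in realms.items():
        if "kdc" not in entry and dns_lookup != "true":
            findings.append(f"realms: {name} lists no kdc and "
                            "dns_lookup_kdc is off")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if realm and mapped != realm.upper():
            findings.append(f"domain_realm: {domain} maps to {mapped}, "
                            f"not {realm.upper()}")
    return findings
```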

Limitations of File Permissions in UNIX

In UNIX, a file has three classes of permissions: the owner, the group, and everyone. Each class has three levels of access rights: read, write, and execute. This offers far less flexibility than a Windows environment, where multiple local and domain‐based file permissions can be granted for users and groups. Linux Security Modules (LSM), which are included with the SELinux security framework, offer more granular file access but at the cost of CPU overhead.

Managing Policies Across Different Flavors of UNIX/Linux

In heterogeneous environments, administrators have to enforce standard policy settings across multiple flavors of UNIX, each often using different desktop environments (GNOME, KDE, Sun Java Desktop System, etc.). These desktop environments differ in the parameters that can be modified and in the format and location of the configuration files. Thus, when pushing policies, administrators have to manually filter the enforced settings on a per‐target‐platform basis, which requires either polling the system OS or maintaining lists of the systems and their corresponding OSs. This is another time‐consuming and error‐prone process.

Advantages of Managing UNIX Policies with BeyondTrust

PowerBroker Identity Services Enterprise is capable of solving all the above problems in a simple and intuitive fashion. The technology offers seamless integration of over a hundred different UNIX/Linux operating systems with Active Directory for both authentication and policy management needs. PowerBroker Identity Services Enterprise offers centralized management of identities, desktop environments (including 2500‐plus Gnome policy parameters), credential caching for off‐line connection, OS‐based client policy filtering, NIS and user migration tools, as well as auditing and reporting functionality. With PowerBroker Identity Services Enterprise technology, administrators can easily deliver Kerberos‐based single sign‐on for such applications as telnet, FTP, SSH, rlogin, rsh, LDAP queries against AD, and Apache HTTP server.

BeyondTrust simplifies account management by assigning each user a unique ID, which is provisioned and centrally managed through Active Directory. BeyondTrust's unique cell technology can map users to different UIDs and GIDs for different computers, eliminating the need for multiple local user accounts. The BeyondTrust extension to the Microsoft Active Directory Users and Computers MMC snap‐in allows administrators to create an associated cell for an OU and then use the cell to manage UID‐GID numbers. This allows an AD user to access non‐Windows nodes in selected BeyondTrust cells.

The above features let administrators integrate non‐Windows nodes into a Windows AD authentication and management framework with adequate policy management, user provisioning, and reporting tools.

Complexities of Managing Policies in Mac OS X Environment

Over the years, the Apple Macintosh computer has maintained a small but stable share of the computing environment. While being used primarily for audio, video, and graphics editing, the Macintosh offers extreme ease of use compared to Windows (not to mention UNIX) coupled with a plethora of high‐end graphics applications designed and compiled for the Macintosh platform. Apple’s marketing effort is maintaining and somewhat expanding the OS X market share, which has now surpassed 8 percent. Part of this success can be attributed to the use of a stable UNIX kernel in OS X and more standard PC components, such as Intel microprocessors, PCI‐E slots, and DDR memory.

This introduced Apple to a pool of hardware that is more reliable, less expensive, and comes in wider variety than the components in older RISC processor‐based Macintoshes.

Unfortunately, from an enterprise computing perspective, Apple does not have robust enterprise management tools. There are a number of reasons for this. First, the Macintosh has never been a widespread enterprise‐class platform, so Apple never needed to address the issues of scalable directory service, terabytes of storage, or centralized computational facilities. Thus enterprise messaging and data management applications such as Microsoft Exchange, Lotus Notes, SQL Server, and so forth have never been ported to Apple’s Macintosh servers.

Even now, few enterprise‐class products are available for the OS X platform. Secondly, the primary use of Macintoshes is in graphics departments, a technologically and organizationally secluded group that requires sharing among Macintosh users only and interoperates with the rest of the IT infrastructure via shared printers, storage, and Internet access. This situation certainly did not call for provisioning and identity solutions of the depth and scalability of their Windows counterparts. On the bright side, since Apple did not excel in enterprise management tools, others such as Microsoft, Novell, and Sun have created the infrastructure allowing Macintosh users to tap into a reliable framework of user and desktop provisioning.

The Macintosh platform uses a recently added Workgroup Manager (WGM) to manage users, groups, shares (with access permissions), and client preferences. The application allows administrators to modify accounts (including users, groups, and computer lists), assign privileges, manage share points, and modify desktop preferences that define the user experience for clients bound to Apple’s Open Directory domain. WGM requires an OS X Server as a centralized repository of user information. While being a big step for Macintosh management, the product pales in comparison with widely recognized enterprise user provisioning solutions.

BeyondTrust Solution for Mac Desktop Policy Management

The BeyondTrust solution for managing Macintosh desktops allows administrators to store settings in Active Directory rather than on a Macintosh OS X Server. Besides decreasing the cost of the solution and offloading AD maintenance to Windows administrators, Macintosh user settings are now stored in a more robust and scalable directory. Since storing third‐party data in Active Directory requires either irreversible schema changes (which may not be agreeable to Windows administrators) or using non‐standard fields (which is cumbersome), non‐Windows vendors were initially reluctant to store user credentials in AD. This is where BeyondTrust comes to the rescue.

By taking advantage of RFC 2307, PowerBroker Identity Services Enterprise integrates user authentication with Active Directory (in the same way as Macintosh Active Directory Plug‐In allows Macs to authenticate to Macintosh OS X Open Directory) offering a mechanism that allows Workgroup Manager settings to be stored in Active Directory Group Policy Objects. PowerBroker Identity Services Enterprise contains a utility to join Macs to Active Directory, letting them participate in AD‐based user authentication and in group policy processing. From that point on, administrators can connect to Active Directory from the Workgroup Manager interface and store settings in the GPO. From the Windows side, administrators can use GPMC to store and manage Mac policy settings.

As a result, PowerBroker Identity Services Enterprise brings together the advantages of the Macintosh Workgroup Manager with the robustness and uniform policy management tools of Active Directory in a seamless and intuitive fashion.

Summary

PowerBroker Identity Services Enterprise allows for seamless enforcement of group policies from Windows Active Directory Group Policy Manager across UNIX, Linux, and Macintosh platforms. It does this with Windows GUI‐based policy management interfaces for authentication of non‐Windows users and applications against Microsoft Active Directory. Additionally, PowerBroker Identity Services Enterprise offers adequate reporting and troubleshooting tools. All the above, along with a very affordable per‐seat cost, make PowerBroker Identity Services Enterprise indispensable for heterogeneous enterprises that require tight user and policy management.

Contact Information

For more information about this report or if you have any questions, please contact: BeyondTrust

Corporate Headquarters

2173 Salk Avenue Carlsbad, CA 92008 +1 818-575-4000 (tel)
