By using Access Manager and deploying the Centrify agents for Windows, you can develop fine-grained control over who has access to the Windows computers in your organization. You can also limit the use of administrative accounts and passwords. For example, you can restrict access to computers that host administrative applications or data center services and ensure that users accessing those computers can log on locally or connect remotely only when appropriate.
In a Windows environment without Centrify, the primary way you secure access to Windows computers is by granting a limited number of users or groups local or domain administrator privileges. The main drawback of this approach is that the rights associated with group membership don’t change: a user who has domain administrator rights has those rights on every computer in the domain at all times. In other cases, users who aren’t administrators or members of an administrative group need administrative privileges to perform specific tasks, which means they must be given an administrator or service account password. Shared passwords reduce accountability and are often flagged by auditors as a security issue.
Through the use of zones and roles, Centrify provides granular control over who can do what, and over where and when those users should be granted elevated privileges.
One-way trust environments
The Windows agent supports one-way trust in the following scenarios:
- When the zone belongs to the resource forest.
- When the logon account belongs to the account forest.
- When the RunAs account or group belongs to the resource forest (the RunAs group can be a built-in group).
- When the role assignment is at the zone, computer, or computer role level.
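The following pre-flight check turns the four conditions above into a script you can run before creating a role assignment across a one-way trust. It is an added example, not Centrify's own code or cmdlets: it uses only the Windows ActiveDirectory module, and the forest names (corp.example as the resource forest that holds the zone, acct.example as the account forest), the RunAs name and the function name are hypothetical. It assumes the caller can query a domain controller in both forests.

```powershell
# Added example (not Centrify's own code): verify that a proposed role
# assignment satisfies the one-way trust conditions before creating it.
# Assumes the ActiveDirectory module; forest and account names are hypothetical.
Import-Module ActiveDirectory

function Test-OneWayTrustRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $ZoneForest,         # resource forest that holds the zone
        [Parameter(Mandatory)] [string] $LogonAccountDomain, # domain of the user who logs on (account forest)
        [Parameter(Mandatory)] [string] $RunAsName,          # sAMAccountName of the RunAs account or group
        # Condition 4: only zone, computer and computer role assignments are supported.
        [Parameter(Mandatory)] [ValidateSet('Zone','Computer','ComputerRole')] [string] $AssignmentLevel
    )
    $findings = @()

    # Conditions 1 and 2: the zone lives in the resource forest and the logon
    # account in the account forest, so the resource forest must trust the
    # account forest. In the New Trust wizard that is a "one-way: outgoing"
    # trust (users of the other forest can authenticate here); Get-ADTrust,
    # queried from the resource forest, reports it as Direction 'Outbound'.
    $accountForest = (Get-ADDomain -Identity $LogonAccountDomain).Forest
    if ($accountForest -eq $ZoneForest) {
        $findings += "logon account domain $LogonAccountDomain is in the resource forest, not an account forest"
    }
    $trust = Get-ADTrust -Identity $accountForest -Server $ZoneForest -ErrorAction SilentlyContinue
    if (-not $trust) {
        $findings += "no trust from $ZoneForest to $accountForest"
    } elseif ($trust.Direction -notin 'Outbound','BiDirectional') {
        $findings += "trust to $accountForest is $($trust.Direction); $ZoneForest must trust the account forest"
    }

    # Condition 3: the RunAs account or group must live in the resource forest
    # (a built-in group such as Administrators, SID S-1-5-32-*, is acceptable).
    # Query the resource forest's global catalog so any domain in it is searched.
    $runAs = Get-ADObject -Server "${ZoneForest}:3268" `
        -LDAPFilter "(sAMAccountName=$RunAsName)" -Properties objectSid
    if (-not $runAs) {
        $findings += "RunAs '$RunAsName' was not found in resource forest $ZoneForest"
    }

    [pscustomobject]@{
        Supported       = ($findings.Count -eq 0)
        AccountForest   = $accountForest
        TrustDirection  = $(if ($trust) { $trust.Direction } else { $null })
        RunAsIsBuiltIn  = $(if ($runAs) { $runAs.objectSid.Value -like 'S-1-5-32-*' } else { $false })
        AssignmentLevel = $AssignmentLevel
        Findings        = $findings
    }
}

# Hypothetical forests: corp.example holds the zone, acct.example holds the users.
Test-OneWayTrustRoleAssignment -ZoneForest 'corp.example' -LogonAccountDomain 'acct.example' `
    -RunAsName 'Administrators' -AssignmentLevel 'Computer'
```

Run it from a machine joined to the resource forest with the RSAT AD module installed; `Supported` is true only when every condition holds, and `Findings` lists which one failed so the assignment can be corrected before it is created rather than discovered at logon time.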