Providing access control and accountability

In many organizations, most computer users are given very restricted access privileges to minimize the exposure of sensitive services and data to possible compromise. However, there are often a few applications, procedures, or services that require enhanced privileges and to which these users need access. For example, a user might occasionally have to install software or run a restricted internal application. For this purpose, these organizations often provide these users with login information for accounts with enhanced privileges. Unfortunately, this policy substantially undermines security, because there’s no way to tell—even on an audited system—who actually logged on to these accounts, and once logged on, a malicious user is not restricted to the procedures for which he was given the login information in the first place.

Centrify solves this problem by enabling you to assign roles that give a user access to only the specific services, applications, and restricted access privileges the user needs, and only when the user needs them.

For Windows computers, Centrify provides three main services: access control, privilege management, and auditing. These services can be used together or independently.

To provide access control, privilege management, and auditing for Windows computers, Centrify relies on the following:

  • Centrify Authentication Service and Centrify Privilege Elevation Service features enable you to define access control privileges, create roles composed of a set of privileges, and assign users or groups to those roles. You can also use Centrify zone technology to limit the scope of a role to specific sets of computers, and you can configure roles with start and expiration dates or to be active on specific days of the week and hours of the day.
  • Centrify Audit & Monitoring Service enables you to collect and store an audit trail of user activity and provides a console for searching and replaying captured sessions.
  • Centrify agent for Windows enables you to deploy access and auditing features on the Windows computers you want to manage.

You can use Centrify Privilege Elevation Service without auditing if you aren’t interested in collecting and storing information about session activities. You can also deploy authentication, privilege elevation, and audit and monitoring services without access and privilege management features if you are only interested in auditing activity on Windows computers. However, the real value of Centrify software for Windows computers comes from using the services together as an integrated solution for managing elevated privileges and ensuring regulatory compliance across all platforms in your organization. That way, you can restrict access to only those instances when elevated permissions are absolutely necessary, and audit only the user activity that merits auditing.