SOLUTION BRIEF

Protect PCI Data from Domain Admins

You're handed a mandate from management: restrict access to the PCI and SOX servers in order to pass the upcoming audit. On Windows Servers, there's a problem. Every member of the Domain Admins group has access to the PCI and SOX servers, access that they shouldn't have. How do you solve the problem and restrict access by your domain administrators to those servers?

Meet Compliance Goals for Administrative Access with Centrify Server Suite®

One of the realities of Windows domain administration is that virtually every organization of any size can run afoul of the principle of separation of duties (also called segregation of duties). This principle manifests in multiple ways; for example, it could mean that an employee who can create an invoice in a billing system should never have the ability to audit the creation of said invoice. Or, in what is probably the single most common violation of this principle in Windows domain administration today, it could mean that a very high percentage of your domain admins who have zero business justification for access to sensitive and regulated data do, in fact, have access to your sensitive and regulated data. This is a near-perfect example of why the "least access" privilege model is required by regulatory compliance acts designed to protect consumers and businesses from exposing sensitive information such as credit card (PCI) data, health care (HIPAA) records, or financial (MAS) data.

Let's look at a simple use case for a financial organization. The organization has, for simplicity's sake, two types of Windows servers: domain controllers and member servers that hold PCI-regulated data. Members of the Windows Domain Admins group have full ownership over every computer in the domain, including servers that hold PCI-regulated data. This is not what the organization wants. It wants the DBAs and owners of the PCI data to own those computers. There's nothing on those computers that must be administered by a domain admin.

But everyone in that Domain Admins group has full ownership of those PCI servers in a native Windows environment, unless you deploy Centrify Server Suite. Server Suite enables you to restrict your domain administrators from having access to your PCI servers, while giving them full privileges on your domain controllers. This protects your PCI data from internal employees who have no business justification for access to the PCI servers, while enabling your domain administration team to manage your Active Directory deployment using their standard tools, such as ADUC, the DNS management console, and so on.

In the scenario illustrated below, Centrify helped a major financial organization separate domain administration from access to regulated PCI/SOX data on domain member servers. In Figure 1, we see the way it used to be, the way that failed regulatory audit. All domain admins have access to the servers holding regulated data.

Figure 1. No separation of duties. All domain admins have full control over all servers, including servers with regulated data. (Diagram: Matt holds Admin Privileges on the PCI Server, the HIPAA Server, the MAS Server and the Domain Controller.)

Figure 2. Separation of duties enforced. Matt has domain admin privileges on the domain controller, but no access to servers with regulated data. (Diagram: Matt, as a member of Domain Users, has No Access to the PCI Server, the HIPAA Server and the MAS Server, and Admin Privileges on the Domain Controller.)

In Figure 2, the problem was solved by using the Server Suite Agent to enable Matt to be a domain administrator when he logs into a domain controller, but a domain user everywhere else.
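Whichever mechanism enforces the separation shown in Figure 2, an auditor will want evidence collected from the PCI servers themselves. The PowerShell script below is an added example, not part of this brief and not Centrify's code: it reports, for each in-scope member server, whether Domain Admins still sits in the local Administrators group and whether the deny-logon user rights (the login-restriction approach this brief also describes) exclude it. The server names PCI-SQL01 and PCI-APP01, the CONTOSO domain name, and the availability of PowerShell Remoting on the targets are constructed assumptions for the example.

```powershell
# Added audit example (not Centrify's code): for each in-scope member server, report
# whether Domain Admins still holds local Administrators membership and whether the
# local security policy denies it local and RDP logon.
# Constructed assumptions: the server names, the CONTOSO domain, PowerShell Remoting
# enabled on the targets, and an account with local admin rights on them (secedit
# export needs it).

param(
    [string[]]$PciServers = @('PCI-SQL01', 'PCI-APP01'),   # constructed sample names
    [string]$Domain       = 'CONTOSO',                      # constructed sample domain
    [string]$AdminGroup   = 'Domain Admins'
)

# Resolve the group to its SID (the well-known RID 512 in the domain) so that the
# comparison on each server does not depend on how the display name is rendered.
$account = New-Object System.Security.Principal.NTAccount($Domain, $AdminGroup)
$domainAdminsSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$scriptBlock = {
    param($Sid)

    # 1. Local Administrators membership: on a default member server Domain Admins is a
    #    direct member of this group, which is exactly what Figure 1 illustrates.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $daIsLocalAdmin = [bool]($localAdmins | Where-Object { $_.SID.Value -eq $Sid })

    # 2. Deny-logon user rights: export only the USER_RIGHTS area of the local policy and
    #    read the two assignments that block interactive and RDP logon.
    $cfg = Join-Path $env:TEMP 'uraudit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    function Test-DenyRight([string]$RightName) {
        # secedit writes lines such as "SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...-512";
        # strip the leading '*' from every SID and look for the Domain Admins SID among them.
        $line = $policy | Where-Object { $_ -like "$RightName*" }
        $sids = $line -split '[=,]' | ForEach-Object { $_.Trim().TrimStart('*') }
        return [bool]($line -and ($sids -contains $Sid))
    }

    [pscustomobject]@{
        Server                 = $env:COMPUTERNAME
        DomainAdminsLocalAdmin = $daIsLocalAdmin
        DenyLocalLogon         = Test-DenyRight 'SeDenyInteractiveLogonRight'
        DenyRdpLogon           = Test-DenyRight 'SeDenyRemoteInteractiveLogonRight'
    }
}

$results = Invoke-Command -ComputerName $PciServers -ScriptBlock $scriptBlock -ArgumentList $domainAdminsSid

# A server passes the separation-of-duties check only when Domain Admins is neither a local
# administrator nor permitted to log on locally or over RDP.
$results |
    Select-Object Server, DomainAdminsLocalAdmin, DenyLocalLogon, DenyRdpLogon,
        @{ Name = 'Compliant'; Expression = { -not $_.DomainAdminsLocalAdmin -and $_.DenyLocalLogon -and $_.DenyRdpLogon } } |
    Format-Table -AutoSize
```

Run it from a domain-joined workstation with an account that is a local administrator on the listed servers; Get-LocalGroupMember requires Windows PowerShell 5.1 or later on the targets. The script reads only native Windows state (local group membership and the local security policy), so it is a cross-check of what is actually in effect on each server rather than a view of the Server Suite Agent's own configuration, and it reports only direct membership: a Domain Admins member who reaches local Administrators through another nested group would need a recursive membership check.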
Because Matt holds no administrative privileges on the PCI/SOX servers, he has no access to the regulated data on them.

Another approach supported by Server Suite is to restrict login privileges, local and/or remote, to a subset of the administrator population. The Centrify Agent can deny login privileges to anyone you specify, even if that user is a domain administrator. In effect, you have a choice to implement whitelist or blacklist approaches using Server Suite for this type of problem: the former denies access everywhere except where you allow it, and the latter enables access everywhere except where you deny it.

The whitelist approach has the added benefit of eliminating domain administrator login credentials in memory on these Windows servers, which eliminates one attack vector that an advanced persistent threat (APT) using a technique such as pass the hash might otherwise use to gain control over the network and its resources.

Summary

There are multiple ways that Server Suite can help protect regulated data from domain administrators and enforce the separation of duties required by regulations and auditors.

Centrify Server Suite

Server Suite helps you securely leverage your existing Active Directory infrastructure to centrally manage authentication, access control, privilege management, policy enforcement and compliance across on-premises and cloud deployments. In addition, Centrify's patented Zone technology accelerates deployment and provides unique, granular access controls.

To Learn More

Please visit www.centrify.com/products/server-suite

Centrify strengthens enterprise security by securing identities from cyberthreats. Centrify uniquely unifies identity for privileged and end users across cloud, mobile and data center. Centrify improves security, compliance, agility and productivity for over 5000 customers, including over half of the Fortune 50 and over 80 federal agencies. www.centrify.com

SANTA CLARA, CALIFORNIA +1 (669) 444-5200
EMEA +44 (0) 1344 317950
ASIA PACIFIC +61 1300 795 789
BRAZIL +55 11 3958 4876
LATIN AMERICA +1 305 900 5354
EMAIL [email protected]
WEB www.centrify.com

Centrify and Centrify Server Suite are registered trademarks of Centrify Corporation. Other trademarks mentioned herein are the property of their respective owners.

© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.