Microsoft Windows is the most widely adopted server operating system on the market
today. Driven by security concerns and regulatory compliance, organizations are under
increasing pressure to protect the sensitive data and applications residing on their Windows
servers. Using native tools like Active Directory and Group Policy, which effectively combine
security and IT management within a single framework, raises security concerns regarding
separation of duties, as well as manageability and auditing. Additionally, many administrators
share accounts that are not managed by a central policy, which presents separation-of-duties
and audit-reporting issues. This lack of a central policy also impacts the ability of
administrators to manage diverse environments including Windows, Linux and UNIX servers.
A separate, independent security system is required to protect mission-critical server
resources. This solution must operate at the system level to avoid interference with IT
administration groups and provide a trusted and reliable security administration system. As
most organizations have deployed a variety of operating systems, this solution must enable
efficient management and enforcement of these security policies across all systems —
including Windows, but also UNIX, Linux and virtualized environments.
CA Access Control provides additional protection for server resources, which complements
the native Windows operating system (OS) model and enables a strong defense-in-depth
security practice while reducing the complexity and cost of managing access and reaching
compliance. As a complete access management solution for mission-critical servers, CA
Access Control achieves these goals through:
• Fine-grained access control and segregation of duties to prevent internal access abuses
• Advanced policy management to enable efficient centralized management of security
policies across the enterprise
• Policy-based compliance reporting of user entitlements and policy compliance
• Operating system hardening to reduce external security risks and ensure operating
• Granular, high-integrity auditing for compliance fulfillment
TECHNOLOGY BRIEF: HOST ACCESS MANAGEMENT 1
Windows Servers in Today’s Security Management Environment
Servers are essential components to IT infrastructures as they support critical applications
and sensitive corporate, customer and partner data. These servers must be continuously
protected from a variety of threats, both external and internal. To date, many organizations
have taken steps to protect their servers from external threats by deploying firewalls, anti-virus
or anti-spyware solutions. However, a commonly overlooked threat is the threat from within
an organization. This vulnerability presents itself in the form of over-privileged administrators
and weak levels of accountability. Providing adequate internal controls to protect these host
systems is critical to risk mitigation as well as meeting regulatory compliance.
This is often a complicated issue considering the number of different kinds of administrators
that are involved in keeping servers up and running on a daily basis. Technically, many of these
workers have access to more resources than they require to perform their job function. This
also results from shared local administrator accounts typically used for emergency situations.
Unfortunately, native Windows operating systems lack the ability to appropriately segregate
administrative duties or trace audit records back to the original user. This issue is further
complicated when there are a variety of servers involved such as UNIX, Linux or virtualized
operating systems and consistent security policies must be managed across the extended
enterprise. Enterprise-wide host access management solutions are important investments to
protect critical data, fulfill compliance needs and enable cost-effective administration.
Fine-grained Access Control
In an Active Directory forest system, the domain administrator is the equivalent of a superuser.
While their primary role is as owner of IT infrastructure setup and management, they also have
unlimited power to create, modify, copy or disable any security resources and services within
the forest, sub-domains and systems. Unfortunately, this account may not be well protected by
default and login information is often informally shared amongst employees in various
administrative roles. This creates a security management nightmare when it comes to separation
of duties and maintaining full accountability.
CA Access Control is an independent security enforcement solution which does not rely on the
Windows OS or Group Policy. Operation at the system level enables monitoring and regulation
of any access to system resources, including those originating from domain or local system
administrators. CA Access Control provides fine-grained access enforcement capabilities to
regulate, delegate and contain domain administrators or any other account within the forest,
domain and servers. These access rights are granted by defined roles and enforced separately
from native Windows access controls.
Role-based Access Control
A major Windows security risk is the potential for an unauthorized person to gain control of a
user account in the local or domain administrators groups. Should this happen, the unauthorized
user can cause enormous damage by changing critical registry keys, stopping auditing services,
modifying audit logs or tampering with other critical services. CA Access Control reduces
Windows vulnerability risks by limiting the rights granted to administrator accounts and groups
to the minimum permissions needed for each to perform their job function.
FIGURE A SEGREGATION OF DUTIES: CA Access Control enforces appropriate access to resources and
granular audit of sensitive activity.
Group Policy is based on the definition of an access permission hierarchy. Permission changes
are propagated to subsequent files and folders based on an inheritance mechanism. This static
permission system updates all file permissions at the time the command is issued, meaning
propagation of changes can take a long time, especially in a large server environment. It is also
difficult to predict the impact of a permission change, making it very hard to control.
CA Access Control employs a dynamic permission system that determines access permissions
at request execution time. Protection can be defined on generic resources using wildcards (*).
This provides real-time protection while simplifying policy deployment and allowing more
flexible rules to be implemented.
Through the Windows superuser account, any permission can be delegated to any user,
regardless of whether it is an IT or security function. CA Access Control regulates privileges
that can be delegated to non-administrative users. In this manner, necessary access can be
delegated to perform IT or application administration tasks while CA Access Control scopes
security privileges for security-related staff.
CA Access Control also controls surrogate user delegation capabilities to reduce the exposure
that Windows provides through programs like Run-As. For example, an administrator could use
Run-As to surrogate to another person’s profile to change a file’s access control list (ACL)
attributes without any accountability for their actions. CA Access Control protects on multiple
levels by first limiting those who use Run-As and subsequently tracking back to the true
identity of those who do.
Shared Resource Access
On critical Windows servers, files and resources are often defined as shared resources to
provide open access to users. This makes auditing each access to these shared resources a
daunting task. CA Access Control provides full shared access monitoring and control on
mission-critical servers. Preservation of full user access trails makes it easy to build accurate
history reports for forensic or compliance requirements.
Generic Resource Protection
Group Policy is a static enforcement algorithm that sets all file permissions to each specific
physical file. This presents a challenge for controlling resources that do not currently exist, but
may come in the future. CA Access Control allows the creation of security policies governing
storage of specific types of files, such as .mp3, .jpg, .mpg or files similar to the existing files
that have not yet been created.
CA Access Control also provides name pattern protection for files regardless of whether they
currently exist or not. Wild cards can be incorporated for resource naming patterns to create
an ACL for a type of resource on a system. For example, a policy can deny read, write and
execute access to all .bat script files for users that are not in the SysAdmin or SecAdmin groups.
Suspend on Inactivity
Security violations can occur from unauthorized access through accounts whose owners are
away or no longer employed by the organization. CA Access Control can protect systems by
proactively identifying accounts that have been inactive for a specified number of days and
preventing those accounts from being used to log in.
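The inactivity check described above, as an added example in Python that is not CA Access Control code: the account record layout, the exemption list for break-glass or service accounts, and the choice to measure never-used accounts from their creation date are assumptions made for the illustration.

```python
"""Identify accounts idle for longer than a threshold and suspend them.

Added illustration, not CA Access Control code. The record layout, the exemption
list and the handling of accounts that never logged in are assumptions.
"""
from datetime import date
from typing import Dict, List, Optional


def idle_days(record: dict, today: date) -> int:
    """Days since the last login. An account that has never logged in is measured
    from its creation date, so it cannot escape the check by having no history."""
    reference: Optional[date] = record.get("last_login") or record["created"]
    return (today - reference).days


def find_inactive(accounts: Dict[str, dict], today: date, max_idle_days: int,
                  exempt: frozenset = frozenset()) -> List[str]:
    """Active, non-exempt accounts whose idle time exceeds the threshold."""
    return sorted(name for name, rec in accounts.items()
                  if name not in exempt
                  and rec.get("status") == "active"
                  and idle_days(rec, today) > max_idle_days)


def suspend(accounts: Dict[str, dict], names: List[str], today: date) -> None:
    """Mark accounts so a login is refused until an administrator re-enables them."""
    for name in names:
        accounts[name]["status"] = "suspended"
        accounts[name]["suspended_on"] = today


# Constructed sample directory; names and dates are made up for the example.
TODAY = date(2024, 3, 1)
ACCOUNTS = {
    "jdoe":        {"created": date(2023, 1, 10), "last_login": date(2024, 2, 28), "status": "active"},
    "contractor1": {"created": date(2023, 6, 1),  "last_login": date(2023, 11, 15), "status": "active"},
    "newhire":     {"created": date(2023, 12, 1), "last_login": None, "status": "active"},
    "svc_backup":  {"created": date(2022, 1, 1),  "last_login": date(2023, 1, 1), "status": "active"},
}


def run(max_idle_days: int = 60) -> List[str]:
    """One scheduled pass: the service account is exempt by assumption."""
    names = find_inactive(ACCOUNTS, TODAY, max_idle_days, exempt=frozenset({"svc_backup"}))
    suspend(ACCOUNTS, names, TODAY)
    return names
```

A second pass returns nothing, because already-suspended accounts are no longer "active"; the exemption list is where an organization records accounts that must not be auto-suspended, and it should be reviewed as carefully as the threshold itself.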
CA Access Control provides APIs that can be used by user applications to check authorization
permissions. It is also possible to use the authorization APIs to protect user-defined entities
such as database records or fields, reports or screens. Programmers can place CA Access
Control API function calls directly in programs to check authorization before performing tasks.
CA Access Control can enforce policies to limit the ability of administrators to perform
Windows services operations such as start, stop or modify services properties. This capability
allows the enforcement of Separation of Duties at the application level and protects these
services from unauthorized system administrators.
Windows lacks the ability for organizations to examine the behavior of certain resource access
restrictions without actually enforcing the restriction. CA Access Control Warning Mode is
commonly used by organizations to determine if proposed security policies are too strict or
too lenient so they can be modified accordingly. If a restriction is suspected to have an adverse
effect on the execution of a system application, CA Access Control allows administrators to
specify the restriction and substitute a warning message for its enforcement.
CA Access Control provides the ability to instantly validate the effects of a security policy
without enforcing the restriction. After selecting a user and resource, the validation check
command determines whether or not the user has permission to access the resource given
the current security policy. CA Access Control also includes a password validation function,
which instantly determines if a proposed password qualifies with specified policy. These
features allow effective policy validation without impacting production systems.
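The following Python block is an added example, not CA Access Control code, that ties together three points made above: generic resource protection through wildcard name patterns evaluated at request time (the .bat rule for users outside SysAdmin and SecAdmin), an application calling an authorization check before acting on a user-defined entity such as a report, and Warning Mode plus a dry-run validation check. The rule format, the "most specific rule wins" ordering, the group names and the choice to defer to native OS permissions when no rule matches are assumptions made for the illustration.

```python
"""Request-time ACL evaluation with wildcard resource names, warning mode and dry-run validation.

Added illustration, not CA Access Control code; rule format, precedence and the
defer-to-OS default are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str          # resource name pattern, wildcards allowed: "*.bat", "report:payroll"
    accesses: frozenset   # access types covered: "read", "write", "execute"
    effect: str           # "allow" or "deny"
    subjects: frozenset   # "*" (everyone), "group:<name>" or "user:<name>"


def _subject_rank(rule: Rule, user: str, groups: Set[str]) -> int:
    """0 = rule does not apply, 1 = everyone, 2 = via a group, 3 = the named user."""
    if f"user:{user}" in rule.subjects:
        return 3
    if any(f"group:{g}" in rule.subjects for g in groups):
        return 2
    return 1 if "*" in rule.subjects else 0


class Policy:
    def __init__(self, rules: List[Rule], membership: Dict[str, Set[str]], warning_mode: bool = False):
        self.rules = rules
        self.membership = membership          # user -> groups (constructed directory data)
        self.warning_mode = warning_mode
        self.log: List[Tuple[str, str, str, str]] = []

    def decide(self, user: str, resource: str, access: str) -> str:
        """Dry-run validation: what the policy would do for (user, resource, access).

        Matching is on the resource *name*, so files created after the rule was written
        are covered. Most specific rule wins: more literal characters in the pattern
        first, then named user over group over everyone. No matching rule leaves the
        request to native OS permissions, modelled here as "allow".
        """
        groups = self.membership.get(user, set())
        best = None
        for rule in self.rules:
            if access not in rule.accesses or not fnmatchcase(resource, rule.pattern):
                continue
            rank = _subject_rank(rule, user, groups)
            if rank == 0:
                continue
            key = (sum(c not in "*?[]" for c in rule.pattern), rank)
            if best is None or key > best[0]:
                best = (key, rule.effect)
        return best[1] if best else "allow"

    def check_access(self, user: str, resource: str, access: str) -> bool:
        """Enforcement entry point an application calls before performing a task."""
        decision = self.decide(user, resource, access)
        if decision == "deny" and self.warning_mode:
            self.log.append(("WARNING", user, resource, access))   # violation recorded, access proceeds
            return True
        if decision == "deny":
            self.log.append(("DENIED", user, resource, access))
            return False
        return True


# Constructed sample: an administrator group, a finance group and an unprivileged user.
MEMBERSHIP = {"alice": {"SysAdmin"}, "bob": {"Finance"}, "carol": set()}
ALL = frozenset({"read", "write", "execute"})
RULES = [
    # Scripts denied to everyone, then allowed back for the admin groups (more specific subject).
    Rule("*.bat", ALL, "deny", frozenset({"*"})),
    Rule("*.bat", ALL, "allow", frozenset({"group:SysAdmin", "group:SecAdmin"})),
    # No media files may be written to the share, whether or not they exist yet.
    Rule("D:\\shares\\*.mp3", frozenset({"write"}), "deny", frozenset({"*"})),
    # A user-defined entity (a report) protected through the same check.
    Rule("report:payroll", frozenset({"read"}), "deny", frozenset({"*"})),
    Rule("report:payroll", frozenset({"read"}), "allow", frozenset({"group:Finance"})),
]
POLICY = Policy(RULES, MEMBERSHIP)
```

Calling `decide` is the validation check (no enforcement, no log entry); `check_access` is what an application or the interception layer would call. Switching `warning_mode` on turns every denial into a logged warning with the access still granted, which is how a proposed policy can be trialled against real traffic before enforcement.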
The openness of a TCP/IP network is one of its most appealing features. But in terms of
security, this is a major deficiency. CA Access Control provides the functionality of a host-based
firewall without requiring a dedicated device for that purpose. CA Access Control can require
that specific clients send specific TCP/IP services to specific hosts, while only certain hosts
can send specific TCP/IP services to the local host.
By limiting outgoing connections within the network based on the user’s identity, CA Access
Control minimizes the risk of allowing external access through a firewall. Legitimate Internet
visitors can also be confined to a specific set of services and systems within the network. For
example, an organization might choose to allow external contractors to access specific servers
via VPN, but restrict them from propagating to additional servers on the network.
Advanced Policy Management and Reporting*
CA Access Control’s enterprise-class scalability results from a distributed model for delivering
policies to all managed servers. This Advanced Policy Distribution Architecture uses a central
Deployment Map Server (DMS) and Distribution Hosts (DH) to distribute policy deployments
to endpoints, and send back deployment information from the endpoints to the DMS. This
infrastructure is decoupled from the logical assignment of the policies and is easy to set up,
extend and configure for high availability, failover and disaster recovery.
CA Access Control supports running the DH in a clustered environment (server farms), which
increases the number of endpoint nodes that can be supported. The policy architecture relies
on the following server components:
DEPLOYMENT MAP SERVER Sits at the core of advanced policy management. The purpose of
the DMS is to store policy management data. You manage a single database (the DMS), which
then sends events to distribution hosts.
*Some features listed are only available in CA Access Control Premium Edition
DISTRIBUTION HOST Is responsible for distributing policy deployments, made on the DMS, to
endpoints, and for receiving deployment status from endpoints to send to the DMS.
Modeled after the time-tested method of distributing anti-virus definitions, CA Access Control
endpoint agents check regularly for new deployments on the DH, and download and apply
these as necessary. Execution results are then sent back to the DH, which sends them to the
DMS for centralized auditing. Also, a heartbeat lets the DMS (through a DH) know that the
endpoint agent is operational and the host is running.
FIGURE B CA ACCESS CONTROL POLICY MANAGEMENT ARCHITECTURE: The architecture distributes
policies to all managed services via a distributed advanced policy
Managing security across Windows servers typically involves using the same tools that IT
administrators use. This proximity of functions for system and security administrators often
presents security control and authorization delegation complications and ambiguity.
CA Access Control’s centralized Web-based interface is simple and intuitive; it lets you perform
advanced policy management and also provides a worldview from which you can view and manage
your entire CA Access Control environment of servers. The Web-based interface also allows you
to manage individual endpoints or Policy Models.
CA Access Control can also manage native Windows resources including shares, files, disks,
COM ports, registry keys and values, domains, users, groups, printers, processes, services,
devices, user sessions, Windows password policy and Windows audit policy settings.
Additionally, the user interface is consistent across all CA IAM offerings (CA SiteMinder, CA
Identity Manager and CA Access Control) utilizing the common CA framework for look and
feel and administrative scoping and task delegation, further reducing the time to value for
administrators already familiar with CA’s management tools.
Logical Host Grouping
CA Access Control allows you to group endpoints into logical host groups and then assign
policies based on this host group membership, regardless of how your endpoints are organized
in the Policy Model hierarchy. Hosts can be members of a number of logical host groups
depending on their properties and policy demands. For example, if you have hosts running
Windows Server 2008 and Oracle, these can be members of a Windows Server logical host
group to get the baseline Windows access control policy, and also members of the Oracle
logical host group to get the Oracle access control policy.
Logical host groups decouple policy assignment from policy distribution. This simplifies policy
management as it does not require you to change your hierarchy to fit policy assignment
requirements and lets you manage smaller, more specific policies, and more focused host groups.
Policy Deviation Reports
It is naïve to think that monolithic policies can be deployed across a large server environment
without allowing exceptions. These exceptions might be imposed due to legitimate business
or legacy requirements but they must be managed properly and done with accountability. CA
Access Control provides a reporting feature to let you measure the compliance of your entire
environment to specified policies and allows you to compare policies that should be active on
a particular machine to policies actually deployed. This ability to quickly identify policy gaps
supports your efforts to continuously meet compliance standards.
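As an added example (not CA Access Control code) of the distribution flow described under Advanced Policy Management, of logical host groups, and of the policy deviation report, the Python simulation below models a DMS, one distribution host and polling endpoint agents, then compares what should be active on each host with what the agents reported. The class and message layouts, the tick-based heartbeat, the deviation categories and the host and policy names are all assumptions made for the illustration.

```python
"""Hub-and-spoke policy distribution with host-group assignment and a deviation report.
Added illustration, not CA Access Control code: message contents, the tick-based heartbeat
and the deviation categories are assumptions made for the example."""
from collections import defaultdict
from typing import Callable, Dict, Tuple


class DeploymentMapServer:
    """Central store of policies, logical host groups and reported deployment status (DMS)."""
    def __init__(self) -> None:
        self.policies: Dict[str, int] = {}          # policy -> current version
        self.group_policies = defaultdict(set)      # logical host group -> policies
        self.host_groups = defaultdict(set)         # host -> logical host groups
        self.deployed = defaultdict(dict)           # host -> {policy: version} reported back
        self.last_heartbeat: Dict[str, int] = {}    # host -> tick of last contact

    def publish(self, policy: str, version: int) -> None:
        self.policies[policy] = version

    def assign(self, group: str, policy: str) -> None:
        self.group_policies[group].add(policy)

    def enrol(self, host: str, *groups: str) -> None:
        self.host_groups[host].update(groups)

    def expected(self, host: str) -> Dict[str, int]:
        """Effective assignment: the union over every logical host group the host is in."""
        return {p: self.policies[p] for g in self.host_groups[host] for p in self.group_policies[g]}

    def pending(self, host: str) -> Dict[str, int]:
        have = self.deployed[host]
        return {p: v for p, v in self.expected(host).items() if have.get(p) != v}

    def record(self, host: str, results: Dict[str, Tuple[int, bool]], tick: int) -> None:
        """Results relayed back by a distribution host; any contact is also a heartbeat."""
        self.last_heartbeat[host] = tick
        for policy, (version, ok) in results.items():
            if ok:
                self.deployed[host][policy] = version

    def deviation_report(self, now: int, heartbeat_timeout: int) -> Dict[str, dict]:
        """Compare what should be active on each host with what it reported as applied."""
        report = {}
        for host in self.host_groups:
            want, have = self.expected(host), self.deployed[host]
            last = self.last_heartbeat.get(host)
            report[host] = {
                "missing": sorted(p for p in want if p not in have),
                "stale": sorted(p for p in want if p in have and have[p] != want[p]),
                "extra": sorted(p for p in have if p not in want),
                "silent": last is None or now - last > heartbeat_timeout,
            }
        return report


class DistributionHost:
    """Relay between endpoints and the DMS; endpoints never contact the DMS directly."""
    def __init__(self, dms: DeploymentMapServer) -> None:
        self.dms = dms

    def fetch(self, host: str) -> Dict[str, int]:
        return self.dms.pending(host)

    def report(self, host: str, results: Dict[str, Tuple[int, bool]], tick: int) -> None:
        self.dms.record(host, results, tick)


class Endpoint:
    """Agent that polls its distribution host, applies deployments and reports results."""
    def __init__(self, name: str, dh: DistributionHost,
                 apply_fn: Callable[[str, int], bool] = lambda p, v: True) -> None:
        self.name, self.dh, self.apply_fn = name, dh, apply_fn

    def check_in(self, tick: int) -> Dict[str, Tuple[int, bool]]:
        """One poll cycle; an empty result set still counts as a heartbeat."""
        results = {p: (v, self.apply_fn(p, v)) for p, v in self.dh.fetch(self.name).items()}
        self.dh.report(self.name, results, tick)
        return results


def run_scenario() -> Dict[str, dict]:
    dms = DeploymentMapServer()
    dms.publish("win-baseline", 1)
    dms.publish("oracle-hardening", 1)
    dms.assign("windows", "win-baseline")
    dms.assign("oracle", "oracle-hardening")
    dms.enrol("srv-db1", "windows", "oracle")      # gets both policies through two groups
    dms.enrol("srv-web1", "windows")
    dms.enrol("srv-new1", "windows")               # enrolled, but its agent never checks in
    dh = DistributionHost(dms)
    attempts = defaultdict(int)

    def flaky_apply(policy: str, version: int) -> bool:   # constructed: first attempt fails
        attempts[(policy, version)] += 1
        return not (policy == "oracle-hardening" and attempts[(policy, version)] == 1)

    db1, web1 = Endpoint("srv-db1", dh, flaky_apply), Endpoint("srv-web1", dh)
    db1.check_in(tick=1)                 # win-baseline applied, oracle-hardening failed
    web1.check_in(tick=1)
    dms.publish("win-baseline", 2)       # new version: only hosts that keep checking in get it
    db1.check_in(tick=6)                 # retries oracle-hardening and picks up v2
    dms.host_groups["srv-db1"].discard("oracle")   # reassignment: a deployed policy is no longer wanted
    return dms.deviation_report(now=7, heartbeat_timeout=3)
```

The report separates four conditions an auditor cares about: a policy that should be on a host but never arrived, one that is present at an old version, one that is deployed but no longer assigned, and a host that has stopped reporting at all. A failed application is retried on the next poll because the DMS only records successes, so the pending set keeps including it.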
Policy and Entitlements Reports
CA Access Control simplifies security assessment tasks through reports about compliance
exposures associated with operating systems, databases and applications. This report data is
stored in a standard RDBMS and can also be leveraged by other data analysis tools. CA Access
Control host reports present system-centric information such as configuration, security and
Policy-based reports are based on the effective policy being enforced and provide proactive
views of who has access to what resources across your distributed and virtual server
environment. These reports allow you to generate reports required by your auditors, such as User and
Group Entitlement Reports, Policy Compliance Reports, Orphan Account Reports, among
others. These proactive reports complement existing event-based auditing by allowing you to
monitor compliance requirements and highlight existing discrepancies before incidents occur.
CA Access Control comes with over 30 sample reports for common compliance needs such as
user and group entitlements, inactive accounts, password aging, policy compliance etc.
Event-based reports are also supported through integration with the CA Audit product.
Operating System Hardening
A critical layer to the defense-in-depth strategy is protecting the OS against unauthorized
external access or penetration. CA Access Control offers several external security measures
including stack overflow protection, firewall network control and Trojan Horse defense. This
additional layer of security allows organizations to buffer the time requirements on OS patch
deployment when new attacks are discovered. Reducing the number of emergency patch
operations reduces server downtime and saves production costs.
Stack Overflow Protection
Stack Overflow Protection is a CA Access Control technology that prevents hackers from
exploiting an application's specific memory space to inject malicious code inside the system.
CA Access Control carefully monitors and protects applications, such as mail servers, by
guarding memory space and program tracking information, so that even in the event of
memory overflow, the malicious code cannot be activated by the system. In this manner,
hackers have no way to target application memory stack vulnerabilities.
CA Access Control records all malicious actions in both the standard audit log and in-memory
overflow log, with detailed code descriptions for further investigation. This is relevant to all
Windows servers, especially those in perimeter network zones.
Trusted Program Execution
To prevent the operating environment from being tainted by malware, particularly Trojan
Horses, CA Access Control provides first-line trusted program protection. Through CA Access
Control, sensitive resources can be marked as trusted. These files and programs are monitored
and CA Access Control will block execution should the program be modified by malware. The
CA Access Control administrator can choose from various algorithms to apply to each trusted
resource, ensuring that executed programs have not been inappropriately replaced or modified.
In addition to periodic checking of trusted resources, checks are made at run-time when the
program or file is opened. Changes to trusted resources can be limited to specific users or user
groups to further reduce the likelihood of unexpected change.
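The trusted-program check described above, as an added example in Python that is not CA Access Control code: a resource is marked trusted by recording a digest under a chosen algorithm, execution is refused when the current content no longer matches, and only an authorized user may re-mark the resource. The registry layout, the three algorithms offered, the user names and the temporary file standing in for a server binary are assumptions made for the illustration.

```python
"""Trusted program execution: block a program whose content no longer matches the
digest recorded when it was marked trusted.

Added illustration, not CA Access Control code. The registry layout, the set of hash
algorithms offered and the rule for who may re-mark a resource are assumptions.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

ALGORITHMS = ("sha256", "sha512", "blake2b")   # choices an administrator may apply per resource


def file_digest(path: str, algorithm: str) -> str:
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class TrustedPrograms:
    def __init__(self, may_change: frozenset) -> None:
        self.entries: Dict[str, Tuple[str, str]] = {}   # path -> (algorithm, digest)
        self.may_change = may_change                     # users allowed to (re)mark resources
        self.events: List[Tuple[str, str]] = []

    def mark_trusted(self, path: str, algorithm: str, by_user: str) -> None:
        if by_user not in self.may_change:
            self.events.append(("change refused", f"{by_user} on {path}"))
            raise PermissionError(f"{by_user} may not change trusted resources")
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm {algorithm}")
        self.entries[path] = (algorithm, file_digest(path, algorithm))

    def execution_allowed(self, path: str) -> bool:
        """Run-time check when the program is opened. Unmarked programs are outside this policy."""
        if path not in self.entries:
            return True
        algorithm, expected = self.entries[path]
        if not os.path.exists(path):
            self.events.append(("blocked", f"{path} missing"))
            return False
        ok = hmac.compare_digest(file_digest(path, algorithm), expected)
        self.events.append(("allowed" if ok else "blocked", path))
        return ok

    def periodic_scan(self) -> Dict[str, bool]:
        """Scheduled sweep over every trusted resource, independent of any execution."""
        return {path: self.execution_allowed(path) for path in self.entries}


def demo() -> List[bool]:
    """Constructed scenario in a temporary directory: mark, run, modify, refuse, re-mark."""
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "mailsvc.exe")             # constructed stand-in for a server binary
        with open(prog, "wb") as f:
            f.write(b"MZ original program image")
        reg = TrustedPrograms(may_change=frozenset({"secadmin"}))
        reg.mark_trusted(prog, "sha256", by_user="secadmin")
        outcomes.append(reg.execution_allowed(prog))         # unchanged: allowed
        with open(prog, "ab") as f:                           # simulated unauthorized modification
            f.write(b"extra bytes")
        outcomes.append(reg.execution_allowed(prog))         # digest mismatch: blocked
        try:
            reg.mark_trusted(prog, "sha256", by_user="localadmin")   # not permitted to re-mark
        except PermissionError:
            pass
        outcomes.append(reg.execution_allowed(prog))         # still blocked
        reg.mark_trusted(prog, "sha512", by_user="secadmin")  # after a verified update, re-mark it
        outcomes.append(reg.execution_allowed(prog))         # allowed again
        outcomes.append(all(reg.periodic_scan().values()))
    return outcomes
```

The important property is that the block does not depend on the modifying account: a local administrator who alters the binary still cannot make it run, because re-marking is restricted to the security administrators, which is the separation the text describes.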
Exploits can gain privileges through Windows services, which frequently run under the
“SYSTEM” account. This account is very powerful on Windows, and changing a service's
security context to a user other than SYSTEM can lead to service failure.
CA Access Control has the ability to protect applications like Exchange Server, SQL Server
or IIS by limiting these applications’ behavior in accessing resources. The goal is to protect
sensitive resources from SYSTEM account access without changing the original security
context of services.
The Windows registry is a clear target for hackers and malicious users as the centralized
database containing operating system parameters including those that control device drivers,
configuration details and hardware, environment and security settings.
CA Access Control provides registry protection through the support of generic rules inside the
registry. These rules can block administrators from changing or tampering with the registry
settings. CA Access Control registry protection can also ensure system processes have access
only to specific keys within the registry. CA Access Control can also define separate access
rights to specific registry values.
Windows servers are a prime target as a springboard for extended network attacks, especially
when popular Windows server applications are involved. The application jailing feature allows
accepted actions to be defined for high-risk applications. Any behavior that exceeds these
bounds will be restricted by CA Access Control.
CA Access Control includes a Special Program (SPECIALPGM) class to classify certain
mission-critical programs. SPECIALPGM protects specified programs by associating a logical
user name with the Windows user name required to run the program, authorizing only the
logical user to run the program. This mitigates security risk associated with functional IDs. For
example, an ACL can be built based on a logical ID which owns Oracle processes and services
so its jailed behavior prohibits it from any actions besides starting Oracle DBMS services.
Program pathing is the ability to require that a specific resource be accessed by a user only
through a specific program. Combining these application specifications with user, file and
calendar parameters allows flexible and granular access policies to be built. For example, the
accounting team can only access the file “employee_data” using specific payroll applications.
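Program pathing combined with user and calendar parameters, as an added example in Python that is not CA Access Control code: the employee data file is reachable only by the accounting group, only through the payroll executable, and only inside a weekday business-hours window. The rule fields, the case-insensitive path comparison (Windows paths are case-insensitive) and the choice to leave uncovered resources to native OS permissions are assumptions made for the illustration.

```python
"""Program pathing: a protected resource may be reached only through a named program,
by a given group, inside a calendar window.

Added illustration, not CA Access Control code. Rule fields, the case-insensitive path
comparison and the "not covered means defer to the OS" default are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PathingRule:
    resource: str               # protected resource name
    groups: FrozenSet[str]      # who may use this access path
    programs: FrozenSet[str]    # executables through which access is permitted
    weekdays: FrozenSet[int]    # 0 = Monday ... 6 = Sunday
    start: time                 # window start (inclusive)
    end: time                   # window end (exclusive)


def _norm(path: str) -> str:
    """Windows paths compare case-insensitively and accept either separator."""
    return path.replace("/", "\\").lower()


def check(rules: List[PathingRule], user_groups: FrozenSet[str], resource: str,
          program: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every condition of one rule must hold for access to be granted."""
    applicable = [r for r in rules if _norm(r.resource) == _norm(resource)]
    if not applicable:
        return True, "resource not covered by program pathing"
    reasons = []
    for r in applicable:
        if not (frozenset(user_groups) & r.groups):
            reasons.append("group")
        elif _norm(program) not in {_norm(p) for p in r.programs}:
            reasons.append("program")
        elif when.weekday() not in r.weekdays or not (r.start <= when.time() < r.end):
            reasons.append("calendar")
        else:
            return True, "matched rule"
    return False, "denied: " + ", ".join(sorted(set(reasons)))


# Constructed policy: the accounting team reaches the employee data file only through the
# payroll application, on weekdays between 08:00 and 18:00.
PAYROLL = "C:\\Program Files\\Payroll\\payroll.exe"
RULES = [
    PathingRule(
        resource="D:\\hr\\employee_data",
        groups=frozenset({"Accounting"}),
        programs=frozenset({PAYROLL}),
        weekdays=frozenset(range(0, 5)),
        start=time(8, 0), end=time(18, 0),
    ),
]
BUSINESS_HOURS = datetime(2024, 3, 5, 10, 30)   # a Tuesday (constructed)
LATE_NIGHT = datetime(2024, 3, 5, 23, 15)
```

The returned reason names the first failing dimension, which is what an auditor or the user's help-desk ticket needs; the access decision itself is all-or-nothing, so reaching the file with a text editor, outside the window, or from another group is refused even though the file's native ACL might permit it.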
Windows logging capabilities are shared by all system tools and applications on the system.
This creates a large auditing pool for all types of data, without a clear, security-specific auditing
and reporting distinction. Meanwhile, security requirements and compliance mandates dictate that
tamper-proof security audit logs cannot be shared with other application logs or viewed by
non-security administration personnel.
CA Access Control provides independent audit logs that cannot be modified by unauthorized
users, including domain or system administrators. Delivered to CA Audit or CA Security
Command Center, CA Access Control security events can be collected, filtered and consolidated
for reporting and analysis. In addition, combinations of security events, which represent a
significant threat can be correlated in real time and made to trigger security alerts.
Windows auditing capabilities are global in nature and do not allow for specific auditing
thresholds to be set on individual resources. CA Access Control provides granular auditing
capabilities on any defined resource. Different auditing thresholds can be set for any user,
group or resource depending on the criticality of the resource.
CA Access Control has three auditing settings: “Success” generates an event anytime an
audited resource is successfully accessed, “Failure” tracks anytime access is denied and
“Warning” generates an audit record anytime an access policy is violated, although CA Access
Control does not deny access. Organizations can define the auditing mode or combination of
modes that should be enforced for each user, group or resource. For example, the auditing for
the security administrators group and general audit level for Files may be set to Failure, but
specifically for the system configuration files, auditing events will be generated for both
Success and Failure.
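The three audit settings and the example just given, worked through in Python as an added example that is not CA Access Control code: the general level for files and for the security administrators group is Failure, while the system configuration files audit both Success and Failure. The resolution order (a resource-specific setting beats a group setting, which beats the class default), the prefix matching on resource names and the sample events are assumptions made for the illustration.

```python
"""Per-resource audit thresholds: which access outcomes produce an audit record.

Added illustration, not CA Access Control code. The resolution order and the
prefix matching for resource names are assumptions.
"""
from typing import Dict, FrozenSet, List, Optional, Set

SUCCESS, FAILURE, WARNING = "Success", "Failure", "Warning"


class AuditPolicy:
    def __init__(self, class_defaults: Dict[str, FrozenSet[str]],
                 group_modes: Dict[str, FrozenSet[str]],
                 resource_modes: Dict[str, FrozenSet[str]]) -> None:
        self.class_defaults = class_defaults     # resource class ("FILE") -> modes
        self.group_modes = group_modes           # group -> modes
        self.resource_modes = resource_modes     # resource name prefix -> modes

    def effective_modes(self, resource_class: str, resource: str, groups: Set[str]) -> FrozenSet[str]:
        # The most specific resource setting wins (longest matching prefix, case-insensitive)...
        hits = [p for p in self.resource_modes if resource.lower().startswith(p.lower())]
        if hits:
            return self.resource_modes[max(hits, key=len)]
        # ...then the union of the settings of the user's groups...
        group_hits = [self.group_modes[g] for g in groups if g in self.group_modes]
        if group_hits:
            return frozenset().union(*group_hits)
        # ...then the general level for the resource class.
        return self.class_defaults.get(resource_class, frozenset())

    def audit(self, user: str, groups: Set[str], resource_class: str, resource: str,
              access: str, outcome: str) -> Optional[dict]:
        """outcome is "allowed", "denied" or "warning" (policy violated but not enforced)."""
        wanted = {"allowed": SUCCESS, "denied": FAILURE, "warning": WARNING}[outcome]
        if wanted not in self.effective_modes(resource_class, resource, groups):
            return None
        return {"kind": wanted, "user": user, "resource": resource, "access": access}


AUDIT_POLICY = AuditPolicy(
    class_defaults={"FILE": frozenset({FAILURE})},
    group_modes={"SecAdmin": frozenset({FAILURE})},
    resource_modes={
        "C:\\Windows\\System32\\config\\": frozenset({SUCCESS, FAILURE}),   # system configuration files
        "C:\\scripts\\": frozenset({WARNING}),                              # a restriction being trialled
    },
)

# Constructed access outcomes: (user, groups, class, resource, access, outcome).
EVENTS = [
    ("alice", {"SecAdmin"}, "FILE", "C:\\data\\report.txt", "read", "allowed"),
    ("alice", {"SecAdmin"}, "FILE", "C:\\Windows\\System32\\config\\SAM", "read", "allowed"),
    ("bob", set(), "FILE", "C:\\data\\report.txt", "write", "denied"),
    ("bob", set(), "FILE", "C:\\scripts\\deploy.bat", "execute", "warning"),
    ("bob", set(), "FILE", "C:\\data\\notes.txt", "read", "allowed"),
]


def audit_records(events=EVENTS) -> List[dict]:
    """Records the policy would emit for the sample outcomes, in order."""
    return [r for r in (AUDIT_POLICY.audit(*e) for e in events) if r is not None]
```

Only three of the five outcomes are recorded: the successful read of a configuration file (Success applies there), the denied write (the general Failure level), and the warning on the script being trialled. Routine successful reads of ordinary files generate nothing, which is how the volume is kept proportional to the criticality of the resource.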
CA Access Control provides an independent audit log solely for security events pertaining
to users or resources. These audits detail the exact denial or permit stage encountered
while accessing a resource and trace back to a definitive user. Audit settings can be adjusted
to fine tune the volume and granularity of audit events to the appropriate level for an
Reporting and CA Audit Integration
Windows audit logs track access on a single machine basis, making audit log consolidation or
trending a time consuming task. CA Access Control is fully integrated with CA Audit. Events in
Access Control are sent to CA Audit for further handling, enabling aggregation of log files and
creation of policy specific reports, which facilitates the audit process, provides detailed
investigations and validates key compliance metrics. Features of CA Audit include:
CROSS-PLATFORM DATA COLLECTION CA Audit collects event data from an extensive variety of
sources, including: operating systems, business applications, network devices, security devices,
mainframes, access control systems and web services.
REAL-TIME TOOLS FOR COLLECTION, VIEWING AND REPORTING CA Audit provides customizable
viewers and reports available to users that are relevant to their role.
ALERT MANAGEMENT CA Audit logs, filters and monitors critical events and executes alerts and
other actions based on established policies.
CENTRAL SECURITY DATA REPOSITORY CA Audit stores audit data in a central repository, built
around a scalable relational database for easy access, provides reporting for historical and
Many organizations deploy a heterogeneous server infrastructure including both Windows and
UNIX systems. CA Access Control enables consistent, integrated management and enforcement
of access security policies across both of these environments. The Policy Manager provides a
single interface through which policies can be administered and the advanced policy
management architecture ensures these policies are distributed and enforced on all Windows and
UNIX servers. Consolidated management of UNIX and Windows decreases the amount of
administrative work required and improves the system administrator efficiency, saving
significant management cost.
FIGURE C COMPLIANCE REQUIRES CONSISTENT ACCESS SECURITY: CA Access Control elevates the
collective level of access security across platforms and enables
CA Access Control Architecture
Effective security software needs to be implemented as an integral part of a computer’s
operating environment. CA Access Control intercepts system requests for access to various
system resources before they arrive at the operating system, verifies if the requests are
allowed by the defined security policy and enforces the appropriate behavior.
All CA Access Control components benefit from a strong self-protection mechanism. This
means that it is virtually impossible for users to intentionally or unintentionally bring down,
change or erase CA Access Control files, services or data. Should a CA Access Control service
fail, regardless of the reason, the CA Access Control in-memory monitoring service
immediately restarts it. This ensures that CA Access Control services are available at all times
and that security is never compromised due to unavailability of critical services.
The essential components of CA Access Control include:
DATABASE The Database maintains all the users and groups in the organization, the system
resources that need protection and the rules governing user and group access to system
resources. The highly optimized Database interacts with the Engine to provide real-time
authorization information. CA Access Control continuously protects database information
and services against unauthorized access or sabotage.
ENGINE The Engine receives access requests to determine whether or not they are permissible.
Upon receiving a request, the Engine consults the Database, accesses the relevant access
policies and decides whether or not access should be allowed.
POLICY MODEL The Policy Model administers the PMDB. It is responsible for managing the list
of subscriber databases and propagating all updates from the PMDB to its subscribers.
ENTERPRISE MANAGEMENT SERVER* The enterprise management service includes a central
Web management server for managing the policies and logical host groups as well as the
policy-based reporting. It runs on standard J2EE application servers and utilizes a relational
database. While the enterprise management server enables enterprise scale management of
thousands of hosts, CA Access Control endpoints remain self-sufficient and do not rely on the
central management server for enforcing access and can also be managed directly through a
lightweight Web UI or command line.
SECTION 8 CA Access Control — Part of a Bigger Identity and Access
CA Access Control can be installed independently and provide full server access protection
without dependencies on other CA or third-party products. However, all products in the CA
Identity & Access Management solution share common approaches and components for Web
user interface, administration concepts, delegation of responsibilities and reporting to ensure a
consistent administrative experience.
Given that operating system access protection may be a single component of a
defense-in-depth strategy, CA Access Control provides integration with CA security products including:
• CA Identity Manager As a provisioning target for CA Identity Manager, the CA Access
Control user base can be managed from and automatically kept in sync with CA Identity
• CA Security Command Center CA Access Control security events can be collected by or
automatically routed to any remote server defined by CA Security Command Center.
• CA ACF2™ Security and CA Top Secret® Security CA Access Control can leverage the
mainframe user store provided by CA ACF2 Security or CA Top Secret Security as a trusted
repository or user passwords can be synchronized with those mainframe user stores. This
assists organizations seeking to manage access to critical mainframe resources, privileges
and utilities in the same way that CA Access Control provides protection for Windows
*Some features listed are only available in CA Access Control Premium Edition
During the course of regular operations, administrators of all roles operate in close proximity to
sensitive data, processes or applications running on a Windows infrastructure. In the standard
structure of a Windows and Active Directory deployment, these IT and security administrative
functions are tightly coupled with one another. While this may not necessarily affect IT system
administration, it can severely impact the integrity of security policy enforcement. Effective
separation of these duties requires an independent, fine-grained access enforcement and
CA Access Control provides the necessary system-level access control, cross-platform policy
management, operating system hardening and secure auditing capabilities for organizations to
effectively protect their mission-critical server infrastructure and maintain regulatory compliance.
To learn more about the CA Access Control architecture and technical approach, visit
CA (NSD: CA), one of the world's leading independent, enterprise management software companies,
unifies and simplifies complex information technology (IT) management across the enterprise for
greater business results. With our Enterprise IT Management vision, solutions and expertise, we
help customers effectively govern, manage and secure IT.
Learn more about how CA can help you transform your business at ca.com