Centrify extends Microsoft's Red Forest to Linux and UNIX
Utilises the benefits of privilege elevation configurations in Microsoft’s Red Forest to provide a comprehensive IT security posture
Centrify, a leading provider of Identity-Centric Privileged Access Management (PAM) solutions, today announced that it has extended privilege elevation configurations in the Red Forest to Linux and UNIX, building on its investment and leadership in this critical bridge between heterogeneous systems. With Centrify’s Identity-Centric PAM solutions, IT administrators utilising Microsoft’s Red Forest can now achieve a more consistent security posture, reduce risk, and improve accountability, operational consistency and compliance.
Microsoft’s Enhanced Security Administrative Environment (ESAE), aka “Red Forest,” is a popular security model designed to help minimise the risk of a domain-level breach. It is ideal for companies with large populations of Windows servers, but leaves potential holes in heterogeneous IT infrastructure environments. Administrator privileges configured in the Red Forest are not enforced on an organisation’s Linux and UNIX servers, resulting in a decentralised and fragmented security posture.
To bridge this gap, Centrify has enhanced its Identity-Centric PAM solution to extend privilege elevation configurations in the Red Forest to Linux and UNIX. Centrify is the first PAM vendor to support the most common Red Forest administrator use cases by providing identity consolidation and least privilege capabilities on *NIX platforms. For administrators logging into a Linux or UNIX system, Centrify ensures that the user’s Red Forest security group memberships are honored, whether the user logs in directly to the server or indirectly via Kerberos Single Sign-On (SSO) from another Windows system.
“We’re thrilled to bring yet another innovation to our customers who build their business around Active Directory, extending Centrify’s Identity-Centric PAM solutions to help our customers maximise the value of their Microsoft Red Forest deployments,” said Nate Yocom, Chief Technology Officer at Centrify. “Centrify’s approach is based on Zero Trust principles to manage privileged identities and access end-to-end, across the entire corporate ecosystem including DevOps environments and tools such as containers and microservices.”
Many organisations have complex Active Directory infrastructures forged through rapid organic growth or mergers and acquisitions. They have long relied on Centrify’s innovations, such as support for complex one-way, cross-forest trusts. Those that have embraced a Red Forest model benefit from enhanced protection against domain-specific attacks. However, organisations that also have a Linux or UNIX estate have not been able to take advantage of this, resulting in a patchwork security posture with access controls managed in multiple places. Centrify extends these benefits to heterogeneous environments, ensuring that Red Forest shadow group membership and related privileges are honored on Linux and UNIX servers. With this, IT gains a truly centralised PAM solution that reduces risk, improves operational efficiencies, and helps ensure compliance.
Centrify empowers IT with a solution for true cross-platform security, ensuring that Red Forest access controls are enforced consistently across the entire IT server estate. Centrify achieves this with core elements of its Identity-Centric PAM solutions:
Centrify Authentication Service
- Joins Linux and UNIX servers to Active Directory
- Navigates the one-way, cross-forest trust required in Red Forest architectures
Centrify Privilege Elevation Service
- Upon login to a domain-joined Windows server, Centrify interrogates the Kerberos login ticket to obtain Red Forest group membership
- Upon direct login to a *NIX server, Centrify honors the Red Forest security group membership and applies the privileges to the administrative session
- During Kerberos-based SSO from a domain-joined Windows server to a *NIX server, Centrify honors the Red Forest security group membership and applies the privileges to the administrative session