boks servercontrol specification document for administrators


Upload: ryan-gallavin

Post on 18-Aug-2015


Page 1: BoKS ServerControl Specification Document for Administrators

SPECIFICATION PROFILE

ADMINISTRATION | BOKS SERVERCONTROL

Fox Technologies, Inc. | www.foxt.com | [email protected] | 616.438.0840

Page 2: BoKS ServerControl Specification Document for Administrators

250 Monroe, Suite 400 | Grand Rapids, MI 49503 Phone: +1 616 438 0840 | Email: [email protected] | Web: www.foxt.com

Specification Profile: Administration | BoKS ServerControl


FoxT BoKS ServerControl

FoxT BoKS ServerControl enables organizations to centralize the administration of users, improve the controls over how users are granted access to system resources, and enhance the auditability of UNIX and Linux servers. By eliminating manual processes and inefficiencies, organizations can significantly improve administrator productivity while providing a more secure computing environment. There are three main components in the BoKS infrastructure:

BoKS Master

The BoKS Master is the server that controls central security functions and contains the only writable copy of the BoKS database. The Master can respond to requests for authentication and access from a BoKS Server Agent for UNIX based upon information in the database.

BoKS Replica

A BoKS Replica holds a read-only copy of the BoKS database. A Replica responds to requests for authentication, reducing the load on the Master, and can be used as a failover device for the BoKS Master. Depending on network size, a BoKS Domain may have many Replicas, which retrieve updated information automatically from the Master.

BoKS Server Agent for UNIX

The BoKS Agent is the software component installed on a UNIX/Linux server, enabling management and protection of that host.

BoKS offers several methods to manage the environment for extreme flexibility:

• FoxT Control Center (FCC) - The BoKS web-based administration utility
• Command Line Interface (CLI) - A good candidate for scripted, bulk administration
• Active Directory (AD Bridge) - Sync from Microsoft Active Directory
• LDAP - Sync from a standard LDAP directory
• Web Services Interface (WSI) - A SOAP-based web interface

The Web Services Interface is a great way to integrate with existing corporate systems as well as to manage multiple BoKS Domains.



Account Provisioning

A user account in BoKS contains all of the typical attributes that define a UNIX/Linux user (username, UID, GID, common name (GECOS/GCOS), home directory, shell). Accounts may have additional defined attributes (some of which are unique to BoKS), including:

• Secondary Groups
• Account expiration
• Password complexity rules and expiration
• Inactivity timeout
• Userclass membership
• SSH Public Key information

These attributes can be inherited from the default policy, or overridden on a per-user basis.

Access and Privileged Management

BoKS enforces a least privilege model. All access must be authorized before a user can utilize resources in the domain. Access can be configured on a per-user basis, but it is more typical to define access in a pre-defined role, known as a BoKS Userclass.

A Userclass is a named collection of rules defining allowable access and privilege. Each rule (or 'access route') can define aspects such as connection source, connection destination, access method, target user account, and authentication type.

BoKS controls many access methods and privileges, including:

• SSH
• TELNET
• RLOGIN
• RSH
• REXEC
• XDM
• FTP
• SU
• SUEXEC (a sudo-like utility)

BoKS further separates SSH into individually managed components:

• SSH Shell
• SSH Exec (remote command execution)
• Secure Copy (SCP)
• Secure FTP (SFTP)
• X11 Forwarding



• SSH Tunneling

BoKS is capable of enforcing many different authentication methods, including:

• Simple Authentication (password)
• SSH key-based
• SSH host-based
• RSA SecurID
• Kerberos (including Microsoft Active Directory)
• LDAP

Each access route can mandate a particular authentication method. Even access routes within the same Userclass are able to define different authentication methods. For instance, a Userclass may authorize SSH Shell access authenticated by a password. In the same Userclass, authorization to switch to a privileged account may require a stronger authentication method, such as RSA SecurID authentication. Userclasses can be as broad or as granular as required to meet your needs. You have complete control of each connection, offering total flexibility and scalability.

Host Groups

A BoKS Hostgroup is a named collection of servers and can be used for a number of purposes. One example is to use a Hostgroup as the destination target for an access route. Instead of configuring an access route to allow access to a particular server, you can set the destination to a Hostgroup. Any access configured will apply to all servers defined in the Hostgroup. If a new server is provisioned and shares the same function and access requirements as a collection of existing servers, you simply need to add the server as a member of the Hostgroup, and the existing access routes will immediately apply to the new server.

The same logic applies to user accounts. When a user account is created, it is defined either as a one-to-one relationship (the account is valid on one particular server) with the syntax server:account, or, more typically, in a Hostgroup with the syntax Hostgroup:account. When an account is created in a Hostgroup, the account is immediately valid on every server in the Hostgroup. As above, if a new server is provisioned and added to the Hostgroup, all user accounts defined in that Hostgroup are immediately valid on the new server. Note, however, that a valid account does not equate to access to the server. The user will still need an access route allowing access, as described above. This has the benefit of limiting unrestricted movement of an attacker, even if credentials are stolen.

Logging and Reporting

BoKS has the ability to log every event, including access/authentication requests (pass and fail), account creation and modification, and file monitoring. The logs can be exported to a syslog server or a Security Information and Event Management (SIEM) system.
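The Userclass, access-route and Hostgroup semantics described above, modelled as an added toy example (this is not FoxT code, and the Hostgroup, user, server and route values are constructed): an account is looked up as server:account or Hostgroup:account, a request is granted only when a route in one of the user's Userclasses matches, each route mandates its own authentication method, and a server added to a Hostgroup inherits accounts and routes immediately.

```python
"""Toy model of BoKS-style authorization: Hostgroups, Hostgroup:account scoping,
Userclass access routes with per-route authentication. Illustration only."""

HOSTGROUPS = {"WEB": {"web01", "web02"}}            # Hostgroup -> member servers (constructed)
ACCOUNTS = {"WEB:appuser", "WEB:root", "db01:dba"}   # "Hostgroup:account" / "server:account"
USERCLASS_MEMBERS = {"alice": {"WebOps"}}            # user -> Userclasses the user belongs to

# One Userclass, two access routes: shell access by password, but switching
# to a privileged account requires the stronger RSA SecurID method.
ROUTES = [
    {"userclass": "WebOps", "method": "SSH Shell", "source": "ANY",
     "destination": "WEB", "target": "appuser", "auth": "password"},
    {"userclass": "WebOps", "method": "SU", "source": "WEB",
     "destination": "WEB", "target": "root", "auth": "RSA SecurID"},
]


def hosts_in(scope):
    """Expand a route source/destination: a Hostgroup name or a single server."""
    return HOSTGROUPS.get(scope, {scope})


def account_valid(server, account):
    """True if defined as server:account, or Hostgroup:account for a group containing the server."""
    scopes = {server} | {g for g, members in HOSTGROUPS.items() if server in members}
    return any(f"{s}:{account}" in ACCOUNTS for s in scopes)


def authorize(user, method, src, dest, target):
    """Return the authentication method the matching access route mandates,
    or None when no route permits the request. A valid account alone never
    grants access: the user still needs a matching route."""
    if not account_valid(dest, target):
        return None
    for r in ROUTES:
        if (r["userclass"] in USERCLASS_MEMBERS.get(user, set())
                and r["method"] == method and r["target"] == target
                and dest in hosts_in(r["destination"])
                and (r["source"] == "ANY" or src in hosts_in(r["source"]))):
            return r["auth"]
    return None


def add_to_hostgroup(group, server):
    """Provisioning a new server: membership alone makes existing accounts and routes apply."""
    HOSTGROUPS.setdefault(group, set()).add(server)
```

Run with web03 absent from the WEB Hostgroup, then add it: the same SSH Shell request flips from denied to allowed without any change to the accounts or routes, while the dba account on db01 stays valid but unreachable because no route covers it.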



When required, BoKS can keystroke log a session. This log can contain a configurable amount of information:

• All input (no output)
• All input and limited output
• All input and all output

The included BoKS Report Manager is able to produce default and custom reports for audit and compliance needs. The reports can be exported to a number of common formats, such as Microsoft Excel, PDF, Comma Separated Values, and more.

Scalability

BoKS is a great fit for any size environment, from small to mid-size companies to the largest enterprise organizations. With the number of management methods available, you can customize the environment to meet your support needs. Administration tasks can be delegated to allow a tiered support structure and maximize staff efficiency. With BoKS centrally managing all aspects of account provisioning, access control and privilege escalation, your current staff will be able to keep pace with today's ever-expanding server environments.
