Wednesday, February 18, 2015

Centrify Server Suite 2015 - Highlights

Centrify has posted the new bits corresponding to Suite 2015 on their customer support website. Here are some highlights of the new version.

Base Agent (adclient)
  • New version is 5.2.2
  • Hadoop Features
    • Enhancements to adkeytab  (it can now create accounts with the "Password Never Expires" flag).
    • Sample scripts provided to automate keytab creation
    • AD Kerberos credential renewal
  • An XML definition file has been provided for Centrify Audit Trail events; this makes it easier to send them to SIEM tools (a frequently requested feature).
  • Centrify-enhanced sudo has been upgraded (now based on 1.8.10p3)
  • LDAP Proxy has been upgraded and now supports TLS (this is great); a startup script has also been provided.
  • A new command line tool, adgpresult, shows the group policies applied to the computer or user.
  • Smartcard support on RHEL7
  • Windows Agent now supports smart card for privilege elevation (awesome!)
Added platforms
-  CentOS 5.11, 6.6 (x86, x86_64)
-  Debian Linux 7.7 (x86, x86_64)
-  Fedora 21 (x86, x86_64)
-  Linux Mint 17.1 (x86, x86_64)
-  OpenSUSE 13.1, 13.2 (x86, x86_64)
-  Oracle Linux 5.11, 6.6 (x86, x86_64)
-  Oracle Linux 7.0 (x86_64)
-  Oracle Solaris 11.2 (x86_64, Sparc 64-bit)
-  Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)
-  Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)
-  Red Hat Enterprise Linux Server 5.10, 5.11, 7.0 (ppc64)
-  Red Hat Enterprise Linux Server 5.10, 5.11 (IA64)
-  Scientific Linux 5.11, 6.6 (x86, x86_64)
-  Scientific Linux 7.0 (x86_64)
-  Ubuntu Desktop 14.10 (x86, x86_64)
-  Ubuntu Server 14.10 (x86, x86_64)
-  SUSE Enterprise Linux 12 (x86_64)

Audit Agent
  1. Version 3.2.2
  2. XML Definition file for integration with SIEM tools
  3. Improved manageability with PowerShell; new cmdlets:
  • Attach-CdaDatabase
  • Detach-CdaDatabase
  • Export-CdaAuditSessionRecording
  • Get-CdaActiveDatabase
  • Get-CdaAgent
  • Get-CdaAuditEvent
  • Get-CdaAuditRole
  • Get-CdaAuditRoleAssignment
  • Get-CdaAuditSession
  • Get-CdaAuditStore
  • Get-CdaCollector
  • Get-CdaDatabase
  • Get-CdaInstallation
  • Get-CdaManagementDatabase
  • Get-CdaUnixCommand
  • Get-CdaUnixCommandTranscript
  • Get-CdaWindowsEvent
  • New-CdaAuditRole
  • New-CdaAuditRoleAssignment
  • New-CdaAuditStore
  • New-CdaDatabase
  • New-CdaSearchCriteria
  • Publish-CdaInstallation
  • Remove-CdaAgent
  • Remove-CdaAuditRole
  • Remove-CdaAuditRoleAssignment
  • Remove-CdaAuditSession
  • Remove-CdaCollector
  • Set-CdaActiveDatabase
  • Set-CdaAuditRole
  • Set-CdaAuditSession
  • Set-CdaAuditStore
  • Set-CdaConfiguration
  • Set-CdaDatabase
  • Set-CdaInstallation
  • Set-CdaManagementDatabase

Upgrade (W2008R2) and Fresh Installation (W2012R2) Videos

Tuesday, February 17, 2015

Centrify + Hadoop Update - February 2015


Back in August 2014, I published a blog entry titled "Using Active Directory and Centrify to Accelerate your Linux-based Big Data Deployments" that illustrated how to use Centrify for Servers for Big Data deployments with Hadoop.

In the meantime, Centrify has been gearing up for the release of Centrify Suite 2015; part of what's coming is improved support for all the popular Hadoop distributions from Cloudera, Hortonworks and MapR. As a preview, David has released a few companion whitepapers:

From the post:

"Centrify Server Suite provides Identity, Access and Privilege Management for the Cloudera | Hortonworks | MapR:
  • Simplifying AD integration for Cloudera | Hortonworks | MapR to run in secure mode
  • Automating service account credential management
  • Simplifying access with AD-based user single sign-on authentication
  • Ensuring regulatory compliance with least privilege and auditing
  • Developer SDKs for secure client application access to Hadoop

Enjoy!!

Friday, February 13, 2015

Mac OS X Extras: Using Centrify and your Windows Infrastructure to provide 802.1x EAP-TLS to Mac OS X Systems

Background

Secure access to Wi-Fi or Ethernet networks is a goal of any security-conscious IT infrastructure team; however, platform diversity makes this goal very hard to achieve, especially when organizations want to standardize but have diverse client platforms.

In a Windows world, capabilities such as Active Directory Certificate Services, Group Policies, the Network Policy Service and Windows clients make this goal relatively simple.  The popularity of Mac Workstations has forced many organizations to face this challenge.

The good news is that Centrify has worked very hard to make sure that IT infrastructure folks can leverage their existing Windows infrastructure to solve this challenge on Macs.
The challenge for any technical lead is that the expertise required just to meet the prerequisites is scattered all over the organization; this means it's time to flex the ability to coordinate and get people to work together. Hopefully this post provides a lot of clarity.

How easy is it to implement?

It is as easy as enabling one of the Centrify-provided GPOs for Mac OS X. Specifically, under "Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > 802.1x Settings" you can pick your flavor:
  • Enable Machine Ethernet Profile
  • Enable Machine Wi-Fi Profile
  • Enable User Ethernet Profile
  • Enable User Wi-Fi Profile
However, this entry would not be useful if I just showed you that you can enable the GPO, perform a policy refresh and, just like magic, get network access.

What I've noticed from prospects or customers that are looking to test these capabilities is that they don't understand all the moving pieces that need to be in place in order for this to work. 

In this post we'll use a checklist to make sure that you understand what needs to be in place to be successful.  

Note:  If you already have 802.1x EAP-TLS running with your Windows infrastructure today, you are very well-positioned for success.

Pre-Requisites

Building Blocks

Active Directory and Windows Services:  There are several ways to accomplish this goal, but in this particular instance, because our goal is to consolidate processes, knowledge and infrastructure, we are leveraging Windows capabilities like Active Directory, AD Certificate Services and the Network Policy Service.  AD Groups will be key to provide access controls;  OUs will determine the scope of GPOs to be used.

Public Key Infrastructure:  PKI is needed to provide the encryption, non-repudiation and authentication between the back-end infrastructure (Active Directory) and the client (Ethernet or Wi-Fi).  The key here is certificate life-cycle management; this is where Windows PKI uses Group Policy.
PKI Disclaimer:  PKI is no joke.  Any proper implementation needs to provide the assurance that the PKI is aligned with your security policy.  If your organization does not have a policy for PKI (general assurances, handling of private keys, policies, templates, Root and SubCAs), consult an expert.

A Policy/Configuration Management Engine:  Group Policy provides the rules and the enforcement for configuration items and even provides certificate auto-enrollment - a way to manage the certificate lifecycle (issuance, renewal, revocation, etc); in addition, GPOs will be the way that Centrify will provide the Apple profile information.

Network Policy Service: The NPS service on Windows provides the services like Remote Authentication Dial-in User Service (RADIUS) and the policy rules to enable 802.1x.  The NPS Service interacts with Active Directory to leverage groups and attributes.

802.1x-Capable Network Devices:  Any modern switch or access point supports 802.1x EAP and RADIUS.

Centrify Agent for Mac OS X:  This use case showcases the power of the Centrify agent.  Not only does it leverage its ability to integrate with AD, it also uses advanced services and performs this cohesively within the Mac OS platform.  Key capabilities:  Certificate Auto-Enrollment, System Profiles, GPO Engine.

The Lab

  • For AD and PKI:  Modified Microsoft Test Lab Guide:  Provides the corp.contoso.com domain with a running Microsoft CA.  The Root CA (corp-DC1-CA) certificates are deployed using GPOs.
    Translation:  A common Certificate Authority with the proper certificate revocation publication methods needs to be provisioned. I did not set up APP1 as a SubCA.
  • For RADIUS and Policies:  I'm piggybacking on my APP2 Windows 2012 server
  • Network Devices:  I'm using a Cisco small business (300 series) switch and a TP-Link (TL-WA90x) wireless access point.
  • Mac Client:  Old Macbook running 10.7 and Centrify 5.2.1

Basic Checklist
OS X System is Centrified
Centrify agent is connected  (run adinfo -m)

PKI Checklist
All Systems have a Root CA in their trust chain?
The Network Policy Server has a computer certificate?
A proper 802.1x certificate template was set up for Mac Systems?
The Mac Auto-Enrollment GPO has been properly deployed?
Was the computer Certificate on the Mac based on the proper template?

You may need to look in the CA's Issued Certificates.
With PKI it's all about consistency: all systems trust the Enterprise CA, all certificates are issued by the CA or its SubCAs, and programs (like NPS) use the same trust chain.


NPS/Network Device Checklist
RADIUS clients have been set up properly on the NPS Server
RADIUS servers are properly configured on the network devices
Is there connectivity between RADIUS clients and servers?

Connection Request Policies are set up appropriately (Conditions/Settings)
Network Policies are set up to Allow access based on Conditions
Clients Meet the Conditions
Any conditions added (like AD group membership) must be met in order to have successful connections.
For example, if you're using a condition in which your Mac has to belong to a group called "Mac Workstations 802.1x", you can use the 'adquery user -A computername$ | grep memberOf' command to enumerate the AD groups that the computer belongs to (note that grep is case-sensitive and the attribute is spelled memberOf):

$ adquery user rpmacbook$ -A | grep memberOf
memberOf:corp.contoso.com/Mac/Corporate/Mac Workstations 802.1x,corp.contoso.com/Users/Domain Computers
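To turn that manual check into something repeatable, here is an added example (not from the original post) that parses the memberOf attribute from adquery output and reports whether the computer satisfies an NPS group condition. The adquery output below is a constructed sample that mirrors the one above; the live_check function assumes the adquery command is on the PATH.

```shell
#!/bin/sh
# Added example: verify that a Centrified Mac's computer account is a member of
# the AD group an NPS Network Policy condition requires.
# Assumes the `adquery user -A <computer>$` output format shown in the post.

# Constructed sample of `adquery user -A rpmacbook$` output (offline use).
SAMPLE_ADQUERY_OUTPUT='dn:CN=rpmacbook,OU=Corporate,OU=Mac,DC=corp,DC=contoso,DC=com
samAccountName:rpmacbook$
memberOf:corp.contoso.com/Mac/Corporate/Mac Workstations 802.1x,corp.contoso.com/Users/Domain Computers'

# computer_in_group ADQUERY_OUTPUT GROUP_NAME
# Returns 0 if the memberOf attribute lists a group whose last path component
# equals GROUP_NAME, 1 otherwise. Group names may contain spaces, so the
# comma-separated list is split with awk instead of shell word splitting.
computer_in_group() {
    printf '%s\n' "$1" \
      | awk -v want="$2" '
          /^memberOf:/ {
              sub(/^memberOf:/, "")
              n = split($0, groups, ",")
              for (i = 1; i <= n; i++) {
                  m = split(groups[i], parts, "/")
                  if (parts[m] == want) { found = 1 }
              }
          }
          END { exit found ? 0 : 1 }'
}

# live_check COMPUTER GROUP_NAME: the same check against the running agent
# (requires the Centrify adquery command; not exercised offline).
live_check() {
    computer_in_group "$(adquery user -A "$1\$")" "$2"
}

if computer_in_group "$SAMPLE_ADQUERY_OUTPUT" "Mac Workstations 802.1x"; then
    echo "rpmacbook\$ meets the NPS group condition"
else
    echo "rpmacbook\$ is not in the required group; NPS will reject the connection"
fi
```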

802.1x Mac Group Policy
Is the Mac System Wifi-capable?
Wifi SSID is correct?
Template Name is correct?
The template Display Name may differ from the template Name.
Has the policy been refreshed?  (adgpupdate - remember replication!)
System Preferences > System > Profiles contains payload?

Connected?


Video Playlist

Wednesday, February 11, 2015

Mac OS X Extras: Using Centrify and AD GPOs to Manage File Vault 2 Disk Encryption

Background

Apple protects data at rest on OS X systems using symmetric encryption (AES-128). File Vault 2 was introduced in OS X Lion, and support for GPO management with Centrify was released with version 2013.2 (5.1.1).  This post documents the steps to set up FV2 management leveraging Centrify's AD GPOs.

What are you gaining by doing this?
FV2 provides the mechanisms to generate an institutional key to be distributed to systems.  With Centrify and GPOs this can be done centrally: you can distribute the certificate and provide a recovery mechanism in case a user can't decrypt their drive.

More Resources:
Brian does a great job here and John in the Centrify for Mac online CBT.  Thanks to both since I used their materials as research for this post.

Planning

Pre-Requisites to use Centrify GPOs with FileVault2
  • The system hostname has to match the name the computer was joined to Active Directory with.
    To verify, in a terminal, run the hostname command and compare it with the joined-as name in AD (adinfo --name).  Alternatively you can use the adquery user -A computername$ command.  The command sudo scutil --set HostName your-hostname can update the hostname if needed.
    $ hostname
    mac109.local
    $ adinfo --name
    mac109.corp.contoso.com
    $ adquery user -A mac109$
    dn:CN=mac109,OU=Corporate,OU=Mac,DC=corp,DC=contoso,DC=com
    samAccountName:mac109$
  • Ideally, the system is configured for Dynamic DNS, DNS is well-maintained, or you issue the addns command.
    $ sudo addns -U -m
    Password:
    Updating host records for mac109.corp.contoso.com on 10.0.0.1.
    Updated host records mac109.corp.contoso.com.
    Updating reverse lookup records for mac109.corp.contoso.com on dc1.corp.contoso.com.
    Updated reverse lookup record  210.0.0.10.in-addr.arpa.


    $ ping mac109
    PING mac109.corp.contoso.com (10.0.0.210): 56 data bytes
    64 bytes from 10.0.0.210: icmp_seq=0 ttl=64 time=0.044 ms
    64 bytes from 10.0.0.210: icmp_seq=1 ttl=64 time=0.067 ms

  • The Mac must have the recovery partition installed; it is required to boot and request the password to decrypt the disk.  You can use the diskutil list command to enumerate partitions.
    $ diskutil list | grep Recovery
    3:    Apple_Boot Recovery HD             650.0 MB   disk0s3
  • Institutional Account: you need a mobile-enabled AD account (see my video on how to do this with GPOs) that can be used as the "Managed by" value in the computer object.
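The hostname and recovery-partition prerequisites above can be checked from saved command output, as in this added example (not from the original post). The hostname, adinfo and diskutil outputs below are constructed samples mirroring the post; on a Centrified Mac you would pass "$(hostname)", "$(adinfo --name)" and "$(diskutil list)" instead.

```shell
#!/bin/sh
# Added example: check two FileVault 2 GPO prerequisites from command output.
# Sample outputs are constructed so the script runs offline.

SAMPLE_HOSTNAME='mac109.local'
SAMPLE_ADINFO_NAME='mac109.corp.contoso.com'
SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# short_name NAME: the first DNS label, lower-cased, so that "mac109.local"
# and "mac109.corp.contoso.com" compare equal.
short_name() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:upper:]' '[:lower:]'
}

# hostname_matches_join HOSTNAME ADINFO_NAME: 0 when the local hostname and
# the name the agent joined AD with refer to the same computer object.
hostname_matches_join() {
    [ "$(short_name "$1")" = "$(short_name "$2")" ]
}

# has_recovery_partition DISKUTIL_OUTPUT: 0 when `diskutil list` shows an
# Apple_Boot "Recovery HD" partition, which FV2 needs to prompt for the password.
has_recovery_partition() {
    printf '%s\n' "$1" | grep -q 'Apple_Boot *Recovery HD'
}

# fv2_prereqs HOSTNAME ADINFO_NAME DISKUTIL_OUTPUT: report each check and
# return the number of failed checks (0 means both prerequisites are met).
fv2_prereqs() {
    failed=0
    if hostname_matches_join "$1" "$2"; then
        echo "ok:   hostname '$1' matches AD join name '$2'"
    else
        echo "FAIL: hostname '$1' does not match AD join name '$2';"
        echo "      fix with: sudo scutil --set HostName $(short_name "$2")"
        failed=$((failed + 1))
    fi
    if has_recovery_partition "$3"; then
        echo "ok:   Recovery HD partition present"
    else
        echo "FAIL: no Recovery HD partition; FV2 cannot prompt for the password at boot"
        failed=$((failed + 1))
    fi
    return $failed
}

fv2_prereqs "$SAMPLE_HOSTNAME" "$SAMPLE_ADINFO_NAME" "$SAMPLE_DISKUTIL"
```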
Other things to plan for:
  • Assurance around the handling of the institutional certificate.
  • Lifecycle management of the Certificate (usually good for a year but not checked by OS X)
  • Securing the Institutional Account's password.
  • Computers with File Vault 2 enabled by the end-user  (10.9 has improvements on this)
Implementation and Verification

First, we need to use a Centrified system as the "template" to create the FileVault 2 Master Password, which in turn creates a certificate and a keychain.
  1. Sign-on to the template Centrified system with the Account to be used for Recovery.
  2. Go to System Preferences > Users and Groups and unlock the Padlock
  3. Click on the Gears under Login Options and Select "Set Master Password"
  4. Navigate to /Library/Keychain and you will see two files: 
    • FileVaultMaster.keychain
    • FileVaultMaster.cer
      Double-click the FileVaultMaster.keychain, this will open KeyChain Access.
  5. Right-click the FileVaultMaster Certificate and Select "Export FileVault Recovery Key" and save it as a .cer in a known location.
Note:  Make sure you delete all copies of the keychain and certificate, and secure the .cer file, after you have used it.

Now we need to set up the "Managed By" attribute in Active Directory for the computer object corresponding to the template system.
  1. Open Active Directory Users and Computers (ADUC)
  2. Navigate to find your MacOS template computer, right click and select properties.
  3. Go to the Managed By tab and click Change.  Select the Recovery account.
  4. Press OK and close ADUC
Next, we need to enable the GPO for File Vault 2.
  1. Open GPMC and navigate to your Mac GPO, right click and select edit.
  2. Navigate to Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security and Privacy  and select "Enable File Vault2" 
  3. Enable the GPO, click Select and browse to find the FileVault 2 certificate generated from the master key in the first section.

    Note the expiration date of the certificate.  You need to update the master keychain password, get the certificate renewed and update the GPO in time (or not, given that OS X does not check validity).
Finally, we refresh the group policies and review the effective changes.  The Centrify agent will then distribute the certificate via GPO and set up File Vault 2 for you.
  1. Log on to the Centrified Mac and open Terminal.  Run adgpupdate.  This will refresh the GPOs.
  2. Log out.  This will prompt a synchronization of the mobile configuration.  Attempt login and you'll be prompted for the user's password.  This will enable FileVault2 and you'll go to firmware boot.  The user will be prompted for the password to decrypt FV2 and continue the boot process.
  3. At this point you can verify that FV2 is being enabled by looking at System Preferences > Security and Privacy > File Vault 2.
At this point all we need to do is add the additional users who can decrypt the FV2 disk, using the Enable Users button.  This window lists all users with Mobile Accounts that can be added.  In this case, since this computer will be used by Fred Thomas and Diana Wirth, I enabled their accounts as well as the local admin Centrify SE.  You will need to type in each user's password, or the user has to be present to type those credentials.


When users type in their AD password, they can continue to boot and their session is automatically logged in.

From now on, all Centrified OS X computers within the GPO's scope will be enabled for FV2 automatically, and the AD account will be able to serve as the recovery account.

Adjustments
Here are some adjustment categories:
  • Differences between OS X versions
  • Automating the Master password/Keychain/Cert using a script
  • Automatically adding mobile users to decrypt drives
  • Helping an AD user with recovery
  • Vaulting and cycling the recovery account
  • Different recovery accounts by business unit using an OU, etc.
Videos



Mac OS X Extras: Using Centrify and AD GPOs to Manage Portable Home Directories

Background

In OS X it is possible to set up a mobile user account that provides synchronized home folders, one on your Mac and one on the network account server. With Centrify, these "portable home directories" can leverage the user's existing Windows home directory to consolidate information.  Centrify allows the use of AD Group Policy to manage Portable Home Directories.

Assuming you have a Centrified MacOS X system:

Planning

At a high level, these things need to be thought out:
  • Windows home directories:  There are countless resources on this topic.  Home folders have to be created and then assigned to users.  Keep permissions in mind as well.
  • Understand the version(s) of OS X in your environment and the mobility settings behavior:  Apple has modified the implementation of mobile accounts over several versions.  The advantage is that Centrify provides a GPO that accounts for multiple versions of the OS.
  • Correct GPO scoping:  In this example we use loopback processing, however, based on your deployment, you may have multiple GPOs that apply to different AD principals.

Implementation
  1. Open GPMC and edit the Centrify GPO for OS X systems.
  2. On the left pane, navigate to "Computer Configuration > Policies > Centrify Settings > Adclient Settings" and in the right pane double click the "Enable Auto Zone user home directory (Mac OS X)"  and enable it.  This GPO modifies the auto.schema.use.adhomedir parameter in the /etc/centrifydc/centrifydc.conf file.
  3. Navigate to "User Configuration > Policies > Centrify Settings > OS X Settings >   Mobility settings" and in the right pane double click the "Use version specific settings" GPO and enable it.
  4. Based on the version of OS X that you have (in my example Mavericks 10.9) go to the corresponding folder (e.g. Mac OS X 10.8/9 settings) and enable the "Configure mobile account creation" - set it to enabled and check the "Create mobile account when user logs into the network"  check-box.
  5. To make sure the GPO is refreshed on the Mac OS X client, just run the adgpupdate command.
Verify
  1. On a Windows system with Active Directory Users and Computers (ADUC), open your test user account's properties and go to the Profile tab.  Make sure the home folder is set up appropriately for your environment.
  2. Sign-in to your Centrified OS X system, you'll see the following:
    Upon login, the user is prompted to create their portable home directory.
Adjust

Adjustments will be based on your environment.  Here are some general items:
- What happens when accounts expire?  (should mobile home directories be deleted?)
- Home folders:  what items will be skipped? What items will be explicitly synchronized?
- Synchronization settings:  By default every 20 minutes automatically.
- Preference Sync rules, etc.


Lab Video