Wednesday, July 22, 2015

My favorite Centrify features for the last year (2014-2015)....

Background

With the release of Centrify Server Suite 2015.1 and Cloud (CIS/CPS) 15.6 we have wrapped up another year of introducing capabilities that keep our existing customers happy and help them solve the challenges of today and tomorrow.

I am biased towards functionality that helps existing customers optimize their existing deployments, and in this article I will outline my personal top 10 Centrify features that promote operational efficiency for existing Centrify Server Suite or Centrify Identity/Privilege Service customers.


Finally, this would not be possible without product management that listens attentively and tries to understand our use cases plus our amazing engineering team.  This is a very exciting time to be at Centrify.


1. UNIX/Linux/Mac Agent:  Enhancements to adjoin
Release date:  Apple Scheme (2014.1); ComputerRole (2015.1)
What is it:  Facilitates OS X migrations and shortens your automation scripts
How does it improve Operational Efficiency:  When an existing OS X user moves from the Apple Directory Services plugin, extra steps are eliminated.  Provisioning scripts for servers (Chef recipes, Puppet manifests) get smaller.
What do I need to do to get the benefits: Upgrade to 2015.1 (5.2.3.x).

2. Identity Service: Application Provisioning
Release date:  Preview started in April 2014 for Box, GoogleApps, Office 365, Salesforce and ZenDesk
What is it:  Add a user to (or remove a user from) an AD group or CIS role, and the user is provisioned (or deprovisioned), the proper license is applied and, if the app supports it, the proper role is assigned as well.
How does it improve Operational Efficiency:  Extend the normal cadence of group management to be the hub for your app provisioning, giving you effective controls to disable access in a timely manner and to control license costs.
What do I need to do to get the benefits: Use the App Catalog and find apps ready for provisioning.

3. DirectAudit: Performance and Scalability Improvements for Enterprise Edition
Release date:  July 2015 (Server Suite Enterprise Edition 2015.1)
What is it:  Centrify invested significant development cycles in optimizing all components of DirectAudit
How does it improve Operational Efficiency:  Scalability, right-sizing, better compression and better optimization all translate into less effort to maintain DirectAudit deployments.
What do I need to do to get the benefits: Upgrade to 2015.1 DirectAudit.

4. Manageability: PowerShell Management for Centrify DirectManage and DirectAudit
Release date:  DirectManage (Server Suite 2014), DirectAudit (Server Suite 2015)
What is it:  Windows PowerShell to automate/orchestrate Access and Audit capabilities
How does it improve Operational Efficiency:  The tasks traditionally performed in the DirectControl and DirectAudit MMC consoles can now be scripted, automated and orchestrated with PowerShell.  All cmdlets leverage the DirectManage or DirectAudit APIs.
What do I need to do to get the benefits: Install the PowerShell Modules for your platform.

5. Windows PIM:  SmartCard Support for Windows Privilege Elevation
Release:  Server Suite 2015
What is it:  In high-security environments, when a privileged AD user uses Centrify to perform Windows privilege elevation, the user can be prompted for the smartcard PIN.
How does it improve Operational Efficiency:  By eliminating separate "-a" administrative accounts and requiring Windows users to elevate privilege instead, you are doing the proper due diligence to limit the impact of advanced threats.
What do I need to do to get the benefits: Upgrade to Server Suite 2015 (3.2.x)

6. Kerberos:  Infinite Kerberos Ticket Renewal
Release date:  Server Suite 2015.1 (July 2015)
What is it:  Kerberos tickets expire, but some applications (e.g. Hadoop) need jobs or credentials to remain valid longer than the policy defined in AD.  These parameters and GPOs allow the UNIX agent to trigger a renewal based on the AD principal (user or group).
How does it improve Operational Efficiency:  Improves the supportability of these use cases.
What do I need to do to get the benefits: Upgrade to Server Suite 2015.1 (5.2.3.x)

7. LDAP Proxy:   Support for TLS and Startup Scripts
Release date:  Server Suite 2015 (March 2015)
What is it:  TLS-secured communications for our very useful LDAP Proxy, plus startup scripts for the slapd daemon.
How does it improve Operational Efficiency:  Several apps and appliances only support LDAPS; in addition, there is no longer a need to write your own startup scripts for the slapd daemon.
What do I need to do to get the benefits: Upgrade to Server Suite 2015 (5.2.3.x)

8. Mac Agent:  AD + Identity Service Combo Join
Release date:  Server Suite 2014.1 and CIS
What is it:  Macs in the enterprise are on the move and multiplying.  Not only do they need to be managed from AD for unified identity, they also need enterprise manageability and self-service.
How does it improve Operational Efficiency:  Now you can empower your mobile Mac workforce with these capabilities while decreasing calls to the help desk, alongside their existing iOS, Android or Windows devices.
What do I need to do to get the benefits: Enroll your Macs now using Identity Service.  Just go to the Devices tab.

9. Identity Service:  App Gateway  (Per-app VPN, Secure Access)
Release date:  Beta in 2014, live January 2015
What is it:  App Gateway eliminates the need for a persistent VPN to access an application or a resource (server, appliance)
How does it improve Operational Efficiency:  Eliminate the need for VPN access for external users  (consultants, external partners) for both apps and servers.
What do I need to do to get the benefits: Get Centrify Identity Suite App Edition

10. Identity Platform:  Centrify Privilege Service
Release date:  May 2015
What is it:  Shared account password management (SAPM), secure remote access, privileged session monitoring (PSM), mobile-ready, deploy anywhere.
How does it improve Operational Efficiency:  Built on the Identity Platform, complements Server Suite by providing SAPM and PSM plus more!
What do I need to do to get the benefits: Request a trial now!

This is a copy of a featured article written in the Centrify Community.

Thursday, July 9, 2015

Implement strong access controls for Hadoop clusters using Centrify

This 15-minute video also features Centrify Privilege Service.



Centrify can help address the confidentiality and integration challenges of Hadoop implementations at the OS level: no need to stand up an independent MIT Kerberos infrastructure, plus strong access controls to meet or exceed security or regulatory requirements.

Wednesday, July 8, 2015

Using Centrify with the Microsoft CA and the Autoenrollment GPO for your UNIX/Linux/Mac PKI Certificate needs

Background

Active Directory provides a Public Key Infrastructure (PKI) capability with the Microsoft Certificate Authority.  This is quite convenient for system administrators, especially when combined with Group Policy, since it automates the certificate lifecycle:  issue, renew, revoke, supersede templates, etc.



We've discussed this before, but Centrified clients can also take advantage of Certificate auto-enrollment.  This can happen automatically or manually using the adcert utility.

How does it work?

The process works as follows:
  1. When a system is joined to AD using Centrify, the join reads Group Policy from the domain controller's SYSVOL.  The system may download the trust chain (the trusted CAs, including the local root CA) and any revocation information into the /var/centrify/net/certs folder.
  2. If an auto-enrollment policy that applies to the system points to a usable template, the agent attempts to enroll automatically at the next GPO refresh interval.
    Note: there are different auto-enrollment GPOs depending on the version of Active Directory.
  3. The agent uses the computer's credentials with the adcert utility to connect to the CA (or an intermediate CA) and obtain the certificates configured for auto-enrollment.
  4. For each template for which an issuing CA is found, adcert issues a PKCS#10 request; the certificate, its chain and the private key (if the template defines it as exportable) are placed in the /var/centrify/net/certs folder with this naming:
    [name of template].cert
    [name of template].key
    [name of template].chain
Once the certificate is on your system you may be able to use it as is, or you may have to change the encoding (for example to PKCS#12 or DER) using OpenSSL tools.
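Putting that last step into practice, here is an added helper script (mine, not Centrify's) that validates one template's .cert/.key/.chain files before an application uses them and converts them to PKCS#12 and DER with OpenSSL.  It assumes the file layout described above and a working openssl binary; CERT_DIR, P12_PASS and the function names are this example's own.

```shell
#!/bin/sh
# Post-process a Centrify auto-enrolled certificate set for an application.
# Added example, not Centrify tooling.  Assumes the layout described above:
#   $CERT_DIR/<template>.cert  (PEM certificate)
#   $CERT_DIR/<template>.key   (PEM private key)
#   $CERT_DIR/<template>.chain (PEM CA chain)
# and a working `openssl` binary.  Function names are this example's own.
set -eu

CERT_DIR="${CERT_DIR:-/var/centrify/net/certs}"
P12_PASS="${P12_PASS:-changeit}"   # exported so openssl reads it from the environment
export P12_PASS

# 0 when the private key belongs to the certificate (their public keys hash equal).
cert_key_match() {   # $1 = cert, $2 = key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 0 when the certificate verifies against the chain adcert downloaded.
cert_chain_ok() {    # $1 = cert, $2 = chain
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate is still valid for at least $2 more days
# (-checkend is portable; no GNU-only `date -d` needed on OS X).
cert_valid_for_days() {   # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Validate one template's files and emit the encodings apps commonly want:
# <template>.p12 (Java keystores, Windows-style apps) and <template>.der.
convert_template() {   # $1 = template name, $2 = output dir (default CERT_DIR)
  tpl=$1; out=${2:-$CERT_DIR}
  cert="$CERT_DIR/$tpl.cert"; key="$CERT_DIR/$tpl.key"; chain="$CERT_DIR/$tpl.chain"
  cert_key_match "$cert" "$key"  || { echo "$tpl: key does not match certificate" >&2; return 1; }
  cert_chain_ok "$cert" "$chain" || { echo "$tpl: chain verification failed" >&2; return 1; }
  cert_valid_for_days "$cert" 0  || { echo "$tpl: certificate has expired" >&2; return 1; }
  # -passout env: keeps the bundle password out of the process list
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -passout env:P12_PASS -out "$out/$tpl.p12"
  openssl x509 -in "$cert" -outform DER -out "$out/$tpl.der"
  chmod 600 "$out/$tpl.p12"   # the bundle contains the private key
}
```

Run it as `convert_template WebServer` after adgpupdate has produced the files; a key/certificate mismatch or a broken chain fails loudly instead of producing a bundle the application rejects at startup.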

Here are two video examples:

Using Auto-enrollment for your Apache HTTPS certs




Using Auto-enrollment with Mac OS X Systems




Tuesday, July 7, 2015

Let's break a few things....

In this video series we explore how different Centrify products respond to failure scenarios.

Centrify UNIX, Linux and Mac Clients - Cached Credentials

Setting up the Account Prevalidation GPO

How Privileged Elevation for Windows handles AD Failures

DirectAudit High-Availability (playlist)

Identity Service HA for Cloud Connectors


Saturday, July 4, 2015

Business Problems: Overcoming the Confidentiality and Integration challenges with Hadoop Clusters using Centrify

Background

Hadoop implementations present multiple challenges to enterprises at the Operating System layer (*).  I like to categorize them into 2 areas:

Confidentiality

  • Hadoop clusters are insecure by default:  there is no service-to-service authentication, and privileged OS users can read world-readable information and elevate to privileged Hadoop accounts.
  • Multiple clusters are needed because of the development nature of the apps.  Typically at least DEV/QA and PROD environments are needed; depending on the risk profile of the organization, each environment may be isolated and require different access control rules.
  • Different types of users need access:  from the SysAdmin, to the Hadoop Admin, to the Data Scientist, they all have different access and privilege needs.
  • The data classification of the business intelligence may require additional controls.  What if the cluster crunches Personal, Financial, Health, Energy or Card data?   SOX, PCI, HIPAA, NERC or FERC compliance is needed.

Integration

  • Kerberos:  Many organizations balk at the proposition of standing up a separate MIT Kerberos implementation; and even if AD is an option, test environments may be in a one-way trust.
  • Different organizations == Different requirements, therefore the devil is in the details:
    • Process
    • Technology/Infrastructure
    • People
    • Regulations
(*) There are additional security challenges, like how to protect data at the Hadoop layer; for this, your trusted Hadoop vendor (Cloudera, Hortonworks, MapR, etc.) has an ecosystem of applications.  Centrify can provide identity information to those apps.

Technical Briefing

The following videos provide technical demos on how Centrify can overcome these challenges.


Putting it all together

  • Centrify allows for OS level integration for Linux and UNIX systems that enables:
    • Centralized Administration of multiple Hadoop Clusters
    • Regardless of how complex your AD may be 
    • No schema extensions or software in domain controllers
    • Using UNIX frameworks
    • Kerberos just works out of the box
    • Leverage AD fully:  Kerberos, Group Policy, PKI
  • Centrify enables the implementation of strong access controls to enforce
    • Least access
    • Least privilege (RBAC, not password-centric)
    • Easy attestation and reporting
    • Separation of Duties
    • Works on Windows to eliminate the problem of the persistent administrator
  • For environments with Personal, Financial, Health or Card data
    • Session transcription 
    • Session replay
    • Event consolidation
    • Works on Windows
  • Hadoop-exclusive features:
    • adkeytab for advanced keytab/service account provisioning
    • Kerberos infinite ticket renewal parameters and GPOs
    • LDAP Proxy to assist apps like Sentry, Hue and Knox
    • Partner with Cloudera, MapR and Hortonworks

Centrify + AD + Hadoop = faster, more secure and regulation-aligned big data projects.

Friday, July 3, 2015

Implementing Centrify's Account Prevalidation Capability on UNIX, Linux and OS X using Group Policies

Requirement
In case of an Active Directory catastrophic failure, a limited set of trusted administrators shall be able to log in to UNIX, Linux or OS X systems and perform the actions defined in their privileged management roles.

Scenario
Contoso has 3,000 servers, many of them in branch deployments and public clouds; there are no DCs in the branches.  WAN connectivity can be lost, so a mechanism to allow trusted administrators to perform actions must be available.  It is highly unlikely that the set of trusted admins has logged in to all systems, and this is why Centrify implemented the account prevalidation feature.

Tools and Targets
  • Group Policy Management
  • Active Directory Users and Computers
  • CLI tools:  adgpupdate, adgpresult, setspn & PowerShell (Windows)
  • Configuration files:  /etc/centrifydc/centrifydc.conf
Planning
  • Target Group:  Account prevalidation can be assigned to users or groups.  Ideally it is assigned to groups so that membership management can be delegated to the Helpdesk or front-ended by an ITSM or workflow solution.
    This means that an AD group should be requested.  Sample name:   Centrify-Prevalidated-Users (the name used in the commands below)
  • Process: 
    Onboarding:  When senior UNIX, Linux or Mac OS X administrators are onboarded, the user template or form should be updated so they are added to this group by default.
    One-offs:   When critical projects are going on and stakeholders need to be added to this group, our ITSM tool will front-end a workflow request that ends in a PowerShell action that adds (or removes) the user from the target group.
    Attestation:   This group grants no additional rights on its own, but its members can authenticate to every in-scope system while AD is unreachable, so it has to be attested as part of the disaster recovery plan.
Implementation
What you'll need
  • Centrify Standard Edition or Centrify Identity Service Mac Edition  (licensed)
  • A Windows system with Group Policy Management and the Centrify Group Policy Extensions (GPOE) installed
  • An Active Directory group pre-populated with the users that will be prevalidated
  • A GPO tied to the OU of the target UNIX, Linux or OS X systems.
  • Rights to edit the GPO
  • A Centrified system in the OU the GPO is linked to, for verification.
First, Gather information about the members of the group
From a Centrified System 
$ adquery group -A Centrify-Prevalidated-Users | grep members
members:centrifyimage.vms/Staff/IT/Diana Wirth

From Windows with PowerShell
PS > get-adgroupmember Centrify-Prevalidated-Users | Select-Object samaccountname

samaccountname
--------------
dwirth
rpimentel

Second, Configure the GPO
  1. Open Group Policy Management
  2. Create or edit the GPO in the corresponding forest/domain/OU.
  3. In the Group Policy Editor, navigate to Computer Configuration > Policies > Centrify Settings(*) > DirectControl Settings(**) > Account Prevalidation.  In the right pane, double-click "Specify allowed groups for prevalidation", select Enabled, populate the dialog box with the group predefined for this purpose, press OK and close the Group Policy Editor.
    (*) If you don't see a Centrify Settings section, you don't have the Centrify GPOE installed.
    (**) If you don't see a "DirectControl Settings" folder, you need to add the template.

Third, Add the preval SPN to the members of the group and commit the changes on the Centrified system

a) To add the SPN

# From Windows with the setspn utility (setspn -S instead of -A refuses to register a duplicate SPN)
C:\> setspn -A preval/dwirth dwirth
Checking domain DC=centrifyimage,DC=vms

Registering ServicePrincipalNames for CN=Diana Wirth,OU=IT,OU=Staff,DC=centrifyimage,DC=vms
        preval/dwirth
Updated object

# From Windows using PowerShell
PS > Get-ADUser dwirth | Set-ADUser -ServicePrincipalNames @{Add="preval/dwirth"}

# From a Centrified System Using adedit
## Authenticate as someone who can edit the target object
$ kinit administrator
Password for administrator@CENTRIFYIMAGE.VMS:

# Open adedit, bind to domain and use the add_object_value function
$ adedit
>bind centrifyimage.vms
>package require ade_lib
1.0
> add_object_value "CN=Diana Wirth,OU=IT,OU=Staff,DC=centrifyimage,DC=vms" serviceprincipalname "preval/dwirth"
1
> exit

# Manually using Active Directory Users and Computers
  1. Open ADUC
  2. In the View menu, check "Advanced Features"
  3. Open your target user > Attribute Editor > servicePrincipalName
  4. Click add, and type  preval/<user>, press OK twice.

b) To verify the SPN was added successfully
# from a Centrified system using CLI
$ adquery user dwirth --attribute servicePrincipalName
preval/dwirth

# from Windows using PowerShell
PS > Get-ADUser dwirth -prop ServicePrincipalNames | Select-Object Name, ServicePrincipalNames

Name                                  ServicePrincipalNames
----                                  ---------------------
Diana Wirth                           {preval/dwirth}

c) To commit the changes to a system for the purposes of testing
## flush the cache - only if you want this immediately (it happens automatically after the cache flush interval + GPO refresh)
$ dzdo adflush
DNS cache flushed successfully.
Authorization cache store flushed successfully.
GC and DC caches expired successfully.
DA name cache flushed successfully.
DA installation information cache flushed successfully.


## perform a group policy update - again, this happens on the GPO refresh.
$ adgpupdate
Refreshing Computer Policy...
Success
Refreshing User Policy...
User Policy disabled on this machine.

## verify that the GPO inserted changes in the config file
$ adgpresult | grep Centrify-Prevalidated-Users
        adclient.prevalidate.allow.groups = Centrify-Prevalidated-Users,

Notes:  This process can also be implemented with a Management tool like Chef, Puppet, Spacewalk, etc.  Ultimately the parameter that will be adjusted is the "adclient.prevalidate.allow.groups" in the /etc/centrifydc/centrifydc.conf file.  This can also be part of a master config file that is enforced across the board, but watch out for conflicts with GPOs.  You must pick a tool.

Verify and Test
 To verify prevalidation you will need a recently Centrified system OR a system that you know one of your test subjects has never logged in to.  You will also have to switch the agent to offline mode.  There are three ways to do it:
a) If this is a VM, go to the hypervisor console and disconnect the network; OR
b) Force the agent to go offline by adding all your DCs to the dns.block parameter (remember to remove the entry afterwards, or the agent stays disconnected).
E.g. if I have 2 DCs  (dc1.corp.contoso.com and dc2.corp.contoso.com), the parameter would look like this:
dns.block:  dc1.corp.contoso.com, dc2.corp.contoso.com
c) If you have console access, you can also disable the network interface momentarily.
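As an added example (not Centrify tooling) of option b), this script toggles dns.block in centrifydc.conf safely: it snapshots the file, writes the DC list, reloads the agent and reports its mode, then restores the snapshot so the test cannot leave the agent disconnected.  It assumes the "name: value" line format shown above and that adreload re-reads the file and `adinfo --mode` prints the connection mode; the function names are mine.

```shell
#!/bin/sh
# Force the agent offline for a prevalidation test by pointing dns.block at every DC,
# then restore the original configuration.  Added example, not Centrify tooling.
# Assumptions: centrifydc.conf uses "name: value" lines as shown above; adreload
# re-reads the file and `adinfo --mode` reports the agent's connection mode.
set -eu

CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# Set (or replace) an active parameter in a centrifydc.conf-style file, in place.
# Commented-out defaults ("# dns.block: ...") are left alone; only an active line is
# replaced.  Values containing the characters | & or \ would need escaping for sed.
set_conf_param() {   # $1 = file, $2 = name, $3 = value
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')         # dots are literal in the name
  if grep -q "^$esc[[:space:]]*:" "$1"; then
    sed -i.bak "s|^$esc[[:space:]]*:.*|$2: $3|" "$1"
  else
    printf '%s: %s\n' "$2" "$3" >>"$1"
  fi
}

# Print the active value of a parameter (empty if unset or only present as a comment).
get_conf_param() {   # $1 = file, $2 = name
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^$esc[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Delete an active parameter line, leaving commented defaults in place.
unset_conf_param() {   # $1 = file, $2 = name
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -i.bak "/^$esc[[:space:]]*:/d" "$1"
}

# preval_go_offline dc1.corp.contoso.com dc2.corp.contoso.com ...
preval_go_offline() {
  cp "$CONF" "$CONF.preval-test"                      # snapshot to restore from
  set_conf_param "$CONF" dns.block "$(printf '%s, ' "$@" | sed 's/, $//')"
  adreload
  adinfo --mode                                        # expect a disconnected mode
}

# Put the original file back and reconnect.
preval_go_online() {
  mv "$CONF.preval-test" "$CONF"
  adreload
  adinfo --mode
}
```

Between preval_go_offline and preval_go_online, log in as a prevalidated user who has never used the system; a user outside the group should be refused, which is the control you are actually validating.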

This video explains the installation and testing process:


Adjustments
There are several areas of improvement for this process:

Automation
A useful improvement is automating the prevalidation SPN.  For example, a script on a Centrified UNIX/Linux system or a Windows PowerShell script can check whether users have been added to (or removed from) your target group and automatically add (or remove) the preval SPN.
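The following is an added example of that automation for the UNIX/Linux side; it is not Centrify's tooling, and it also covers the manual SPN steps from the third section above.  It reads the group membership and the existing preval/ SPNs from AD with OpenLDAP's ldapsearch over GSSAPI (using the ticket from kinit), computes an add/remove plan, and applies it with adedit.  add_object_value is the call used earlier in this post; remove_object_value is assumed to be its ade_lib counterpart, and feeding adedit its commands on stdin is also an assumption.  Names such as preval_plan and preval_sync are mine.

```shell
#!/bin/sh
# Reconcile "preval/<sAMAccountName>" SPNs with the membership of the prevalidation group.
# Added example, not Centrify tooling.  Assumptions, labelled where used:
#  - runs on a Centrified system holding a Kerberos ticket for a principal allowed to
#    write servicePrincipalName (e.g. after `kinit administrator`, as in the post)
#  - OpenLDAP client tools (ldapsearch) built with GSSAPI support, to read AD
#  - adedit/ade_lib add_object_value (used in the post) and remove_object_value
#    (assumed counterpart), driven over stdin (assumed), to write the attribute
set -eu

DOMAIN="${DOMAIN:-centrifyimage.vms}"
PREVAL_GROUP="${PREVAL_GROUP:-Centrify-Prevalidated-Users}"

# Base DN from the DNS domain: centrifyimage.vms -> DC=centrifyimage,DC=vms
base_dn() {
  printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# LDAP search against AD with the current ticket; prints one attribute value per line.
# Caveat: values ldapsearch base64-encodes (":: ") are skipped by this simple parser.
ad_search() {   # $1 = filter, $2 = attribute
  ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$DOMAIN" -b "$(base_dn "$DOMAIN")" \
    "$1" "$2" | sed -n "s/^$2: //p"
}

# Desired state: sAMAccountNames of the group's direct members (nesting not expanded).
# The group DN is inserted verbatim into the filter; DNs containing ( ) * or \ must be
# escaped per RFC 4515 before use.
desired_members() {
  group_dn=$(ad_search "(&(objectClass=group)(sAMAccountName=$PREVAL_GROUP))" distinguishedName)
  [ -n "$group_dn" ] || { echo "group $PREVAL_GROUP not found" >&2; return 1; }
  ad_search "(&(objectClass=user)(memberOf=$group_dn))" sAMAccountName
}

# Current state: users that already carry a preval/ SPN.
current_preval_users() {
  ad_search "(&(objectClass=user)(servicePrincipalName=preval/*))" sAMAccountName
}

# Pure planning step, testable offline.  $1 = desired list, $2 = current list
# (newline separated).  Prints "add <sam>" for members lacking the SPN and
# "remove <sam>" for SPN holders that have left the group.
preval_plan() {
  d=$(mktemp); c=$(mktemp)
  printf '%s\n' "$1" | sed '/^$/d' | sort -u >"$d"
  printf '%s\n' "$2" | sed '/^$/d' | sort -u >"$c"
  comm -23 "$d" "$c" | sed 's/^/add /'       # only in desired
  comm -13 "$d" "$c" | sed 's/^/remove /'    # only in current
  rm -f "$d" "$c"
}

# Apply one planned action with adedit (add_object_value as in the post;
# remove_object_value assumed to be the ade_lib counterpart).
apply_action() {   # $1 = add|remove, $2 = sAMAccountName
  dn=$(ad_search "(&(objectClass=user)(sAMAccountName=$2))" distinguishedName)
  [ -n "$dn" ] || { echo "no user $2" >&2; return 1; }
  case "$1" in
    add)    op=add_object_value ;;
    remove) op=remove_object_value ;;
    *)      echo "unknown action $1" >&2; return 1 ;;
  esac
  adedit <<EOF
bind $DOMAIN
package require ade_lib
$op "$dn" serviceprincipalname "preval/$2"
exit
EOF
}

# Entry point: preval_sync [--dry-run]
preval_sync() {
  plan=$(preval_plan "$(desired_members)" "$(current_preval_users)")
  [ -n "$plan" ] || { echo "nothing to do"; return 0; }
  printf '%s\n' "$plan"
  if [ "${1:-}" = "--dry-run" ]; then return 0; fi
  printf '%s\n' "$plan" | while read -r action sam; do apply_action "$action" "$sam"; done
}
```

Run `preval_sync --dry-run` from cron or your ITSM hook first; the removal branch is what keeps people who left the group from retaining offline access, so review that output before dropping the flag.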

Service Management and Approvals
If you have an ITSM (like ServiceNow) or an IdM with workflow/approvals, you can front-end this process by adding references and approvals to be able to answer these questions:
  • Why is this user a member of this group?
  • Who approved?
  • What's the reference number?