[LABS] Testing the Centrify Reports Feature of Centrify Suite 2016

Background
This article describes the steps to install, configure and test the Centrify Reports feature included with Centrify Suite 2016.  You will find this article useful if you're looking to accomplish the following goals:

• Increase the speed of Access and Privilege related reports
• Provide information to your Security or Audit counterparts for Access or Attestation purposes
• Automate Attestation report generation and delivery
• Provide a data source for custom report generation.

Disclaimer:  This post is not a best practice, it's simply to aid you to study and test the feature before your consider it for production scenarios.

What is the Centrify Reports feature designed for?
It's designed to overcome the limitations of existing report generation via LDAP (speed), provide flexibility (SSRS or Bring your Own Reporting), and increase productivity (automate report generation and distribution).

Can you describe an example?
The typical scenario is that depending on your risk or regulatory profile you need to provide user entitlements (who has access to a server or collection of servers in a Centrify zone and  what can they do with Privilege using DirectAuthorize).  For example:

• Who has access to UNIX/Linux or Windows Server? What privileges do they have (dzdo/dzwin)? What AD object grants access?
• Who can access this collection of systems? What privileges do they have (dzdo/dzwin)?

These entitlement reports, are used typically in attestation exercises.  Attestation may be done manually (you get together an ratify that these are the proper people that should have accesss) or automatically using a Security Governance tool (at that point, a feed is inserted to the tool)..  As always, we'll be using the Plan-Do-Check-Adjust methodology.  In the labs, the goal is to test the features to be able to produce an viability assessment of the feature.

Planning
Use these planning steps for your test environment. We'veve added enough information that can be recycled towards production deployments.

Basic Requirements

• Obtain access and privileges reports in a timely fashion (for example, delivered daily, weekly, monthly or quarterly)
• Minimize impact to Active Directory domain controllers
• Automate delivery (e.g. email or shared folder)
• Allow reports consumers to customize reports based on their needs

Potential Stakeholders

• Active Directory Administrator:  To request and set up the account used to replicate AD Group and Centrify zone data to SQL Server.
• IT Infrastructure:  You can set up different distribution methods like file or web server and email.  The infrastructure SME will allocate shares, permission, SMTP relays or web servers.
• Security or Audit Analysts:  These are the consumers of this data.  They provide input on report data/distribution, etc.
• Database (SQL Server) Administrator (optional):  To work to set up a database instance (most likely in production);  if in a test lab, the Centrify bits include SQL Express.
• Reports SME (optional):  Depending on the size of your organization, you may have report developers that can customize the reports based on your security or audit needs.

Technical Requirements
Active Directory and Centrify

• A licensed or evaluation copy of Centrify Suite 2016
• An Active Directory test or production environment with Centrify hierarchical zone data (HZ Zones have RBAC)
• A domain-joined Windows server, ideally 2008 and up
• An Active Directory Service account (or two depending on your setup)
  An account needs the "Replicate changes" right in AD (to be able to read AD data and copy it to SQL)
  An account needs the "logon as a service" right in the system that runs the synchronization
• A Windows administrator or local admin rights to install programs in the test server.

SQL Server

• Versions validated: 2008, 2008R2, 2012, 2014;  Standard, Enterprise or Express (included with Centrify Suite 2016)
  Note:  with SQL Express, you have limitations on scale and capabilities.  E.g. can't do file/email subscriptions.
• If you need to test custom reports, email delivery, scheduling, etc; you'll need a Standard or Enterprise version of SQL
• If you want to test the Centrify-provided reports, you need to deploy SSRS
• If you want to test with a custom tool (e.g. Tableau) you'll need that software.

A Windows Server 2008 and up to install the Centrify Reports Service.  Depending on your deployment model, this may be the same machine as SQL or if it's a production design adhere to your organizational best practices.

Resources

• Centrify Administrator's Guide for Reports
• SQL Server Documentation (or leverage your DBA)
• Social: 
  What rights does “Replicating Directory Changes” actually grant in Active Directory?Please explain: "Replication Synchronization" permission in Active Directory
  Note: depending on the experience of your AD team, they'll know what the rights are used for; this is not unorthodox because it's a common practice when setting Sharepoint, FIM, Office365 DirSync or other services, however as we know you may get push-back based on lack of cognitive knowledge.

Design
Your design is going to be dictated by the capabilities that you with to test and your requirements.  Examples:

• If reports delivered via file-share or email are required and you'll use SSRS, then you need SQL server standard or enterprise.
• If you have your own reporting tool, SSRS is not needed, all you need is connectivity between your tool and the SQL server database instance that was used to sync the AD data that contains the Centrify access control data.

Here are some suggested(*) deployment models:

Note that the common denominators are AD, Centrify Hierarchical zone data and the service account required to sync AD data to SQL server.
(*) Remember that this is a "labs" post and this is a new feature.  Although I have input from beta testers, the true best practices come from our professional services organization.

How frequently should access and privilege data be synchronized between AD and SQL Server?
The answer to this question depends on the attestation requirement.  Examples:

• Some organizations do quarterly user access/privilege attestation exercises.  Perhaps synchronizing every quarter is fine in this organizations.
• Some organizations practice just-in time privileges (e.g. nobody has privileges or knows privilege account passwords) and they need reports daily to make sure there are nobody has any sticky privileges.  Daily reports that get delivered to a security analyst are required in this case, so a daily sync is in order.

The key here is that attestation has a component of comparing the access/privilege data from one time period to another and you have to plan your synchronization based on that.  Technically,  after the first sync or a rebuild, only the delta changes are requested from AD, this ensures that these operations don't negatively impact your Domain Controllers.  In a complex environment, your AD lead should understand that proximity to a Global Catalog will be an important design consideration.

Implementation
Download Suite 2016 from the Customer Support Portal and unzip the bits in an accessible folder on the domain-joined server.

Set up the AD Service Account
This step may be done for you by a Windows administrator.

1. Open Active Directory Users and Computers and navigate where you want the account to be created (OU or container)
2. Right-click the OU, New User and in the form type the First Name, Last Name and User logon name (e.g. centrify-reports) and press next
   
3. Set up a password for the account, depending on your practices, you may set the account's password to never expire, press next and then finish.

Delegate the Rights to Replicate Directory Changes from AD
In my example, I'm delegating at the top level of the domain, depending on the location of your users/groups, this may change.  This step may be done for you by a Windows administrator.

1. In Active Directory Users and Computers, right click the domain (e.g. corp.contoso.com) and select "Delegate Control" and press next on the first wizard page
2. Users or Groups:  Press the add button and find the newly created account, then press OK and press next.
3. Tasks to Delegate: Select "Create a custom task to delegate" and press next
4. Active Directory Object Type:  Keep the default radio button and press next
5. Permissions:  In permissions, scroll down and check the "Replicating Directory Changes" permission and press next and finish.
   

Delegate the Rights for the Account to run as a Service
In my example, I'm using AD Group Policy to grant my user the right to run as a service in that system.  The system is in an OU called Servers.  This step may be done for you by a Windows administrator.

1. Open the Group Policy Management tool and navigate to the OU that corresponds to the server, create or modify a GPO in and link it to that OU, right click it and select Edit (launches the group policy management editor).
   Alternatively, you would do this the Local Security Policy for the system.
2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and find the GPO named "Log on as a Service" and double-click it.
3. If not checked, check the "define these policy settings" and press the Add User or Group, click browse and make sure that the "From this location" has the AD domain selected otherwise click Locations and select it. 
4. Type the name of the service account and press check names.  Press OK three times.
   
5. Now you can close GPME and GPMC.

Installation of Report Services
You need administrative rights to install and configure this software.  This may have been granted to you or you're assisted by a Windows administrator.

1. Using Windows Explorer, find the unzipped Centrify 2016 folder and navigate to DirectManage > Report Services and either the MSI or EXE file in that folder (it's the same)
2. EULA Page:  Accept and press next
3. Destination Folder:  Select the proper destination or leave as default and press next and press install.
4. In the final page, leave the Config Wizard box checked.

The Report Services installation package installs 3 key apps:

• Configuration Wizard,
• Report Services Control Panel, and
• Report Services launcher.

Now you have two options for configuration, with SQL Express (included) or with SQL Standard or Enterprise

Configuration for SQL Express or Standard/Enterprise

1. Launch the centrify Report Services Configuration Wizard and press next in the welcome page.  The next steps depend on your setup:
2. If using SQL Express:
   SQL Server Page:  Select the "Install SQL Server Express instance on this computer" and use the default name (REPORTS) or change the name and press next.
   SQL Server Package:  press next or specify an alternative set of bits (must know what you're doing), press next.
3. If using SQL Standard or Enterprise:
   In this step, you're either authorized at the SQL server level login (integrated or mixed) or assisted by your SQL DBA
   SQL Server Page:  Select the "Use an existing instance" and browse to the instance to be used; press next and give it some time to connect.
4. Deploy Centrify Reports (optional):  You can choose to deploy the Centrify attestation reports to the SQL Server Reporting Services website.  This is only optional if you plan to use another reporting tool, press next.
   Note that you may need to run the Reporting Services Configuration Manager applet to determine these URLs.
5. Monitored Domains:  Defaults to the local domain, add any additional (you must have had delegated the account permissions and the proper AD trust direction has to be in place), press next.
6. Sync Schedule:  Select an appropriate frequency based on your reports needs, press next
7. Report Services:  Select "use account" and browse for the AD service account set up.  Type in the password and press next.
   At this point, the wizard will check if the account has the proper permissions in the monitored domains.  If you did not get the correct delegations, this will fail.
8. Press close and then next.
   At this point the installer will perform an assisted installation of SQL Server Express.
9. Once completed, you'll get to the configuration completed page and the check box to do an initial sync will be selected.  When you press finish, the service will do the initial sync.  From that point on, all will be delta synchronizations.

Verification (Check)
The verification steps vary depending on the features you've deployed. However, a key step is to verify that AD roles and rights and principal data is being sent to SQL server in the interval that is set.  For this you can use the Report Service Control Panel.

If you chose to deploy the SSRS reports, you should be able to use the Report Services shortcut and access the sharepoint-based report services.  This grants access to subscriptions, report builder, etc (if you're not running Express).

Here are some verification videos: 

Adjustments
There are may adjustments to be made to this configuration.  Some may or may not be related to Centrify technologies:

• Set up a file share subscription
• Set up a SMTP distribution email
• Use a custom tool for reporting
• Programmatically retrieve reports data

The good news is that all the building blocks already are in place.  Future entries can cover these topics.