This is the first lab in the series around Strong Authentication. We will be focusing on Windows systems and providing strong authentication for privileged users using Yubikeys. Yubikeys are full-fledged personal identity verification (PIV) cards that work very well with Active Directory and Certificate Services.
Note: This lab covers topics related to Public Key Infrastructure. As previously advised, PKI should be implemented with strong adherence to Security policy, and a well balanced People-Process-Technology triad.
The challenges
- The Windows security model lends itself for organizations to grant additional privileges to users by way of the local Administrators group. In Active Directory environments organizations struggle with excessive memberships on privileged groups like Domain Admins.
- In Active Directory, a common mitigation strategy is to provision each privileged user an "administrative" account (e.g. joe/joe-a). This strategy can be supplemented by having the "-a" account password stored securely.
- Unfortunately, advanced attacks like password mining, pass-the-hash and others have become more ubiquitous, this makes a member of a privileged group ("-a" or not) more susceptible to exposure.
- The "dual account" model is often paired with PSM (jumpbox) to provide session brokering and recording. Unfortunately, this model can be circumvented by bypassing the jumpbox, and since the "-a" account is very powerful, that means that the privileged user can go anywhere.
Although Centrify can accommodate the "dual account" model using Centrify Privilege Service, ideally organizations would implement the least privilege model:
- Users shall only access the systems they need to based on business need-to-know with strong authentication
- Users shall be limited to the minimum privileges required for their functions: this is accomplished by providing users roles with the rights that they need.
- Rights shall be assigned in the context of applications, desktops and network rights. Strong authentication shall be required when using privilege elevation.
- In sensitive systems, access and privilege elevation shall be supplemented with session capture and replay.
- Limit privileged users to a subset of Windows systems based on their needs (AD and Centrify Zones enable this)
- Require strong authentication for local or remote (RDP) access (this is supported natively by Windows)
- Require strong authentication on Privilege Elevation (applications/desktops) (DirectAuthorize is Smart Card ready)
- Reproduce privileged sessions (session capture, transcription, replay).
- Active Directory with Certificate Services
- A domain joined member server with Centrify Access Manager and Centrify PowerShell
- Access to Centrify Standard Edition (evaluation or licensed)
- Yubikey PIV Manager (download link)
- Yubikey 4, NANO or NEO
- You need working knowledge of Active Directory and Centrify Zones
Scenario Description:
We will provision the proper certificate to a test user (lisa) on her Yubikey. In Active Directory we'll require smart card authentication for the user. (This can be done at a group of systems level using OUs and GPOs).
We will grant the test user a Centrify DirectAuthorize role that allows her to:
- Run Disk Management as administrator and requires strong authentication
- Use an administrative desktop (as local administrator) and requires strong authentication
Optional: We will record her actions using DirectAudit.
Lab Setup
Create Test Users and AD Group
- Open Active Directory Users and Computers and navigate to your desired OU
- Right click and select New > User and follow the wizard until the user is created.
- Right
click the newly-created user and select properties. In the general
tab, update the Email to match the user principal name.
e.g. user@corp.contoso.com and press OK. - Right click the OU and select New > Group and make it a Global/Security group. Call it "Smart Card Users"
- Right click the Group, select properties, go to the Members tab, press Add and add the user created in step 2.
- On the member server, grant the group or user the ability to log on remotely.
Computer > Properties > Remote Settings > Remote Desktop > Select Users > Add > [select user or group] press OK twice.
Modify the Smart Card User (or Smart Card logon) template
- Open the Certification Authority console (Start > Search > Certification Authority)
If you get an error, retarget the console to the appropriate server (e.g. DC1) - On the left pane, right click "Certificate Templates" and select Manage. This will open the Certificate Templates console.
- In the template list, right-click the SmartCard User template and select "Duplicate Template"
- In the General tab, give the template a descriptive name. I used "Smart card User V2" (this is the display name, the actual template name is SmartcardUserV2)
- Click on the Security tab, press Add, select the newly-created Smart Card Users group, check the Enroll and Autoenroll boxes, then press OK and close the Certificate Templates console.
- In the Certification Authorities console, on the left pane, right click "Certificate Templates" and select New > Certificate Template to Issue
- Select the newly-created version of the Smart Card User template (e.g. Smart Card User v2) and press OK.
- Log on to your member system with the test user.
- Open the Yubikey PIV manager tool with the Test User (shift+right click > run as different user)
- If you're using a VM, connect the Yubikey to your virtual machine.
Note: If you're using VMWare, you need to add the parameter below for the Yubikey to be available to your VM.usb.generic.allowHID = "TRUE"
This step is performed by editing the .vmx file and editing it with your current text editor while the VM is off. - Initialize the Yubikey if brand new. Do not forget the PIN.
- In Yubikey PIV manager, press Certificates > Generate New Key and make sure you type the Certificate Template name (not the display name). The subject will match the credential that you launched the Yubikey PIV Manager (e.g. your test user).
- Type the PIN when challenged, and select your existing CA. In my case I use the non HTTP link.
- To
test the smart card authentication, either lock your screen or logoff.
If you can unlock or login successfully, you should be ready for the
next steps.
Centrify Setup
To Create the Zone, Role, Rights and Assignments using PowerShell:
Import-Module ActiveDirectory Import-Module Centrify.DirectControl.PowerShell $user = Get-ADUser -Identity Lisa.Simpson # substitute for your user $cont = "cn=zones,ou=unix,dc=centrify,dc=vms" # substitute for your container DN $zone = New-CdmZone -Name "Yubikey-Demo" -Container $cont $criteria1 = New-CdmMatchCriteria -Description "Disk Management - Direct" -FileType "msc" -FileName "diskmgmt.msc" -Argument " " -Path "C:\Windows\System32\" $criteria2 = New-CdmMatchCriteria -Description "Disk Management - MMC" -FileType "exe" -FileName "mmc.exe" -Argument "C:\Windows\system32\diskmgmt.msc" -Path "C:\Windows\System32\" $cmd1 = New-CdmApplicationRight -Zone $zone -Name "Disk Management Combo" -MatchCriteria @($criteria1, $criteria2) -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true $desktop1 = New-CdmDesktopRight -Zone $zone -Name "Admin Desktop" -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true $role = New-CdmRole -Zone $zone -Name "Demo Role" -WinSysRights remote Add-CdmApplicationRight -Right $cmd1 -Role $role Add-CdmDesktopRight -Right $desktop1 -Role $role New-CdmRoleAssignment -Zone $zone -Role $role -TrusteeType ADUser -ADTrustee $user | Out-Null
To perform the steps for the script above manually
Create the Zone
- Open Access Manager and right-click Zones > Create New Zone
Name: Yubikey-Demo
Container: Browse to your container. - Press Next and Finish
- Launch Disk Management (e.g. Start > Run > diskmgmt.msc)
- Open Access Manager > Open they Yubikey-Demo zone > Authorization > Windows Right Definitions > Right Click Applications > New Windows Application
Name: Disk Management ComboMatch Criteria: Press Add > Import Process and Select Disk Management and Press OK
Press Add > Import File > Browse to c:\Windows\System32 and select diskmgmt.msc, press OK.
This will add another way to launch the application.
RunAs: Self with added group privileges > Press Add Builtin Groups > Select Administrators, press OK and check the box for Authentication Required and press OK.
- In Access Manager > Open they Yubikey-Demo zone > Authorization > Windows Right Definitions > Right Click Desktops > New Windows Desktop
Name: Admin Desktop
Runas: Press Add Builtin Groups > Select Administrators, press OK and check the box for Authentication Required and press OK.
In Access Manager > Open they Yubikey-Demo zone > Authorization > Right Click Role Definitions > Select Add Role
- Name: Demo Role
System Rights: "Remote Login is allowed" < this will allow the user only to access via RDP - Press OK and right-click the newly created role and select "Add Right"
- The role is ready to be assigned. Now press OK and right-click the Authorization > Role Assignments > Select Assign Role
- Press the Add AD account > type the name of your test user, select it and press OK.
Note: This is a permanent direct assignment to a user principal at the zone level. This is not the best practice, typically you grant role assignments temporarily (for attestation), in a subset of systems and to AD groups for better administration.
- In your domain-joined test systems, browse to the path for the Centrify Standard Edition software.
- Go to Agent > and Run "Centrify Windows Agent.exe"
- Follow the Wizard, you will select the "Access" components. If you have DirectAudit, also select Audit.
- When the installation ends, you need to configure the client to join your desired zone.
- The system will ask to reboot when complete.
- When a Windows system is added to the Centrify Zone, the security model changes.
- In order to access a Centrified Windows system, users must be explicitly granted logon rights. This means that even Domain Admins won't be able to access those sytsems.
- The type of access is based on the Windows setup (Remote/Log on Locally) and the Centrify Role definition (Console/Remote)
- When adding your first system to a zone, you will have an opportunity to explicitly add Domain Admins, otherwise you may completely lock the system
- In Active Directory Users and Computers, find and double-click the test user.
- Account Tab > Account Options > Check the box for "Smart Card is required for interactive logon"
- Press OK
Test Plan:
- Try to access the system with any other AD user than test user - expected result: Access Denied
This is because users need to be explicitly be granted access using a Centrify role. - Try to access the system with Lisa with her password - expected result: Access Denied
This is because the test user was defined with "Smart card required for interactive logon" - Try to access the system via the console with Smart Card - expected result: Access Denied
This is because the role created in Centrify does not grant console login. - Try to access the system via RDP with smart card PIN - expected result: Access Granted
- Try to run application "disk management" normally - expected result: Error: "You don't have access rights to logical Disk Manager on [Server]"
This is because when the user launches the app, they are doing so without any privileges. - Launching App or Privileged Desktop:
Right click App > Run with Privilege > Challenge with Password - Expected result: Access Denied
Right click App > Run with Privilege > Challenge smart card PIN - Expected result: Access Granted