Monday, May 30, 2016

Centrify Suite 2016.1 Highlights

Last week Centrify made available the mid-year release (2016.1) that comes packed with new capabilities.

Given that PCI DSS 3.2 stresses multi-factor authentication, Centrify is gearing up to help organizations that are looking to align with it this fall, both with their legacy solutions (e.g. RSA SecurID) and with modern methods.

Multi-factor Authentication Extended
  • Centrify MFA with DirectAuthorize is now extended to HP-UX, AIX and Solaris (this completes the UNIX/Linux ecosystem).
  • DirectAuthorize for Windows introduces MFA on Windows privilege elevation
  • Updated whitepaper on RSA SecurID MFA integration that now includes server access and privilege elevation (instead of just PAM stacking). QA'd with RSA 7.1 on AIX (5.3, 6.1, 7.1), HP-UX 11i v2/v3, RHEL (4.8, 5.8, 6.2), SUSE 11SP2, Solaris 11 & 10.
    Note that this is for non-GUI login and Centrify-enhanced sudo (dzdo).
  • OATH OTP (e.g. Google Authenticator, Yubico Authenticator, FreeOTP, Duo, etc.) is now usable via Centrify MFA with Identity Service.
  • Parameter-based MFA controls for supporting Centrify Auto Zone and Classic Zones.
  • The adcdiag command line tool was introduced to provide pre-flight checks for MFA setup.
  • Enhancements to PowerShell commands for provisioning of MFA fields.

OATH OTP support opens more possibilities with Google Authenticator or YubiKey
adcdiag should provide the same value to MFA implementations as adcheck does for AD joins.
Centrify Auto Zone and other legacy modes get multi-factor at login and can be configured via GPOs


Microsoft AD, Kerberos, Certificates and Smart Card
  • AD Cross-forest authentication with alternate UPN is now supported
  • Support for Microsoft's "Define host name-to-Kerberos host mapping" GPO
    Ref: https://support.microsoft.com/en-us/kb/947706 
  • Certificate Management and auto-enrollment now supports Elliptic Curve Algorithms.
  • Centrify Hierarchical Zones now support the sourcing of UNIX identity from pre-existing RFC2307 attributes.  This can simplify provisioning for organizations that use those fields.

UNIX/Linux Client and Utilities Enhancements
  • The NIS Proxy (adnisd) now has its own watchdog process.
  • Enhanced argument checking for dzdo (Centrify-enhanced sudo)
  • New Events documented when MFA challenges fail or succeed
  • Centrify-enhanced OpenSSH is now based on OpenSSH 7.2p2
  • OpenSSL is based on 1.0.2g
  • Centrify LDAP Proxy now supports TLS 1.2
  • libcurl is based on 7.44.0
  • PuTTY is upgraded to version 0.64
  • A new command "adcdiag" has been added to troubleshoot MFA
  • A new command "adobjectrefresh" has been added to only refresh specific users or groups instead of the whole cache.
  • Parameter and utility enhancements to support Hortonworks Hadoop Ambari 2.1.2
adobjectrefresh will be a great addition for Centrify administrators

Added Platforms
  • AIX 7.2
  • Latest version of Amazon Linux AMI (x86, x86_64)
  • CentOS 7.2 (x86_64)
  • Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
  • Oracle Enterprise Linux 7.2 (x86_64)
  • Scientific Linux 7.2 (x86_64)
  • openSUSE 42.1 (x86_64)
  • SUSE 12 SP1 (x86_64)
  • Ubuntu 16.04 LTS (x86, x86_64)
  • Windows 10 (App and network rights)

Removed Platforms
  • Debian Linux 6
  • Fedora 20
  • HP-UX 11.11, 11.23
  • Oracle Solaris 9
  • Ubuntu 14.10
  • OS X 10.9

Windows Client Enhancements
  • MFA Challenge on Applications or Desktop launches
  • Audit Trail Events for MFA Challenges


Mac Platform Enhancements

  • Simplified setup
    There's no need to download DirectManage components.  Centrify has released a new "Mac Console" that contains the Centrify ADUC extension, GPOE and License Manager in a small (100 MB) bundle (contrast with 1.6GB for DirectManage).
