Tuesday, February 28, 2017

Ten Tips for Server Suite 2017

Centrify Server Suite 2017 is here, and it is not a trivial upgrade: there are major changes, including the Kerberos libraries and the way the client packages are laid out. For architects or sysadmins looking to implement this upgrade, let's review 10 important tips.
  1. Read the release notes and upgrade guide.
  2. Even if you don't plan to update your clients right away, you can upgrade your consoles and group policy templates.
  3. This is a major release, and all components must be upgraded (DirectControl and DirectAudit agents, collectors and database) because of:
    • Kerberos upgrade (enables FAST/Kerberos Armoring) and AES256 Smart Card
    • New LRPC2 transaction protocol
    • New open-source packaging
    • OpenSSL upgrade
  4. Plan for the Centrify Licensing Service: have the service installed on one or two highly-available Windows servers.  Put your technical and procurement leads on the notification lists and designate a threshold so that deployment reports are sent proactively.
  5. Due to the new DirectControl packaging, plan to update your DevOps recipes/cookbooks (Chef, Puppet, Ansible, etc.).
    Tip:  adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation.
  6. If you're using Centrify-enhanced OpenSSH on AIX platforms, plan to phase out unsupported versions or to migrate to and test existing PAM support; this is because Centrify no longer ships a LAM version.
  7. SmartCard: RC4 and DES are no longer supported; this means you have to plan to upgrade to AES-128 or AES-256 to ensure compatibility.
  8. Leverage the Centrify Repo for quick updates on RPM, APT or Zypper-compatible distributions.
  9. The new capabilities of DirectAudit (config file monitoring, monitored execution, etc.) are not turned on by default.  You have to turn on the event.execution.monitor, event.monitor.commands and dash.cmd.audi.show.actual.user parameters in the /etc/centrifyda/centrifyda.conf file.  Make sure you do a baseline analysis first.
  10. Hybrid-cloud support:  remember that you can use Server Suite in your AWS, Azure or GCP deployments, and that Centrify provides unique support for complex AD scenarios like one-way trusts, RODC and now Kerberos Armoring.
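As an added example for tip 9 (this is not Centrify's own code or tooling), a small POSIX sh helper that takes a one-time baseline copy of the config and then sets the DirectAudit monitoring parameters idempotently, so it can be dropped into a Chef/Puppet/Ansible step and rerun safely. It assumes centrifyda.conf uses the `key: value` form with `#` comments, and the values used for the parameters are placeholders, not recommended settings.

```shell
#!/bin/sh
# Added example, not Centrify code. Assumes the conf file uses "key: value"
# lines with '#' comments, as /etc/centrifyda/centrifyda.conf is assumed to.
set -eu

# Replace the first active or commented-out line for KEY, or append it.
da_set_param() {
  conf=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    {
      name = $0
      sub(/^[# \t]*/, "", name)          # drop a leading "#" and blanks
      sub(/:.*$/, "", name)              # keep only the key part
      gsub(/[ \t]+$/, "", name)
      if (!done && name == k) { print k ": " v; done = 1; next }
      print
    }
    END { if (!done) print k ": " v }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"                   # keep the original inode/permissions
  rm -f "$tmp"
}

# Print the active (uncommented) value of KEY; exit 1 if it is not set.
da_get_param() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    index($0, ":") {
      name = substr($0, 1, index($0, ":") - 1); gsub(/[ \t]/, "", name)
      if (name == k) {
        val = substr($0, index($0, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Keep a baseline copy before the first change (tip 9: baseline first), then
# enable the monitoring parameters. The command list is a caller-supplied
# placeholder; the value format is an assumption for illustration.
enable_da_monitoring() {
  conf=$1
  [ -f "$conf.baseline" ] || cp -p "$conf" "$conf.baseline"
  da_set_param "$conf" event.execution.monitor true
  da_set_param "$conf" event.monitor.commands "$2"
}
```

Diff the live file against the `.baseline` copy after the change to confirm only the intended keys moved.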
