Monday, January 18, 2016

[LABS] Testing the Local Account Management feature of Centrify Suite 2016

Background
There are several kinds of non-user accounts like local admin accounts (e.g. root, Administrator), application service accounts (e.g. oracle, Apache), network services (e.g. hdfs, yarn) or batch job/multi-tier apps (e.g. sftp, ssh, etc.)  The goal of Local Account management is to leverage the existing management infrastructure and framework (Active Directory, Centrify Zones, DirectMange/PowerShell/UNIX adedit) and the Centrify client (DirectControl) to provide an additional set of security controls. Centrify Suite 2016 provides the ability to:
  • Control local UNIX user accounts (provision, disable, visibility or removal from /etc/passwd)
  • Control local UNIX primary or secondary groups (provision, visibility control membership, or removal from /etc/group)
  • Perform actions upon user creation/deletion, e.g. home directories, environment variables, password management/lifecycle.
We will provide the basic building blocks for you to evaluate this feature in your lab to explore the feasibility of it.
Like other posts, we'll use the Plan-Do-Check-Adjust model.

Planning
Use these planning steps for your test environment. We'veve added enough information that can be recycled towards production deployments.

Potential Stakeholders
  • Centrify SME or Security Lead:  These users are entitled to perform management of zone operations inside Active Directory.
  • Account Owners:  These are the subject matter experts that understand how the user or group accounts are used in the environment.  They can answer questions like these
    a) What local user (or group) accounts are required in a system or collection of systems?
    b) Should the account have a password?  should the password be managed?
    c) What are the group account members?
    d) Should the user or group account be visible to apps using name service (NSS)?
  • Security Lead for Password Management:   This is the SME for a shared account password management solution.  They may know how to invoke any tools to manage the lifecycle for a shared account.
Technical Requirements
Active Directory and Centrify
  • A licensed or evaluation copy of Centrify Suite 2016
  • An Active Directory test or production environment with Centrify a Centrify Hierarchical zone
  • A UNIX/Linux system with Centrify DirectControl 5.3+
Password Management (optional)
  • If using Centrify Privilege Service (CPS), you need the CLI toolkit for your platform and a Cloud Connector that can reach your test systems.
  • If using a 3rd party password manager, you need the tools and knowledge of the methods provided by the vendor
    In this example, we'll be using CPS.
Resources
How Local Account Management Works
The design and management is very similar to what you're used today with Centrify and UNIX-enabled AD users or Groups.
Local Mgmt - Concept.PNG
Information about the local user or group is stored in Active Directory.  The local users or groups are defined in the zone.  The scope of the local account is determined by where the identity is defined and the role that is assigned.  For example, if an account should exist and be enabled in all servers, then it's defined in the topmost zone and assigned a role with visibility at that level.  If it should only be visible to a group of systems (e.g. Database Servers) this can be done at the child zone or computer role level.  The management is exactly identical to UNIX-enabled AD users.
Once the changes are made in AD and the flush interval passes (or the adflush command is issued) the local account actions will be triggered.
There are additional CLI tools:
  • admanagelocal:  to view existing managed local accounts or refresh the changes (or use adflush).
  • handle_local_accts.sh:  this is a sample script provided to perform post-provisioning actions (e.g. home directory creation).  There are two versions of this script, one included with DirectControl, another one included with the CPS CLI Tools.

A Basic Lab Design
In my test environment I have:
Local Mgmt - my lab.png


1. An AD domain (centrify.vms) with a single domain controller (dc.centrify.vms)
2. A domain-joined server called "member" that has Access Manager installed (Suite 2016)
3. A Centrify zone called global with 2 computer roles:  App Servers and Web Servers
4. Two Linux servers (engubu1404 in the App Servers collection and engcen6 a Web Server)
5. Optional:  because I'll be testing the password lifecycle management, I have a CPS tenant and a cloud connector running on member.  CPS will provide the shared account password management functionality and workflow.

Use Cases

We are going to focus in several use cases:
Local UNIX Group Tests
  • Provision a local group:
    - to all domain-joined systems
    - to a subset or individual system
  • Manage group memberships
  • Remove from /etc/group
Local UNIX UserTests
  • Provision a local user
    - to all domain-joined systems
    - to a subset or individual system
    - have the password randomized and the home directory created
  • Disable the user
  • Remove from /etc/passwd
Local User and Password Management (optional*)
  • Provision a local user and manually manage the account's password
  • Provision a local user and automatically manage the account's password
  • Retrieve the password for usage in break glass or scripting scenarios (admin or request via workflow)
    * These tests are optional given that they require a password manager that provides certain toolsets
Implementation
Download and Install the Centrify Suite 2016 bits
  1. Download the Standard Edition 2016 Consoles
  2. Download the Centrify client bits for your platform
  3. Install Access Manager
  4. Install or upgrade your agents  (e.g. install.sh, rpm or yum, apt or dpkg, etc)
  5. Join a zone (use adjoin)
Although these steps should be straightforward to you, they are documented here:


General Test Cadence
There's a simple methodology to these tests:
  1. Perform the change or update (e.g. create the local user/group, make visible, remove, change membership, etc)
  2. Open a session to a system in scope of the previous change
  3. Run getent (passwd or group) [target user or group]  > these result should not yield the results
  4. Run adflush or 'admanagelocal --reload' (with sudo or dzdo) > this step causes the flush interval to expire and the changes in the zone to be committed by DirectControl
  5. Run getent (passwd or group) [target user or group]  > these result should yield the results expected.
For example, if you create a new UNIX group called my-group (GID 3232) in all systems, after an adflush all systems should produce the same result.  If you do this in an individual system (or group of systems.

Differences between Group and User tests
a) Local Users follow the same rules as UNIX-enabled AD users 
Local users must have an identity and a role assigned to be visible in a system.  This allows for you to scope the visibility to the zone (all), child-zone (subset), computer role (subset) or individual system.  This differs from Groups that can be enabled at the zone, child-zone or individual system.
Local Mgmt - local user assignment.png
You can even time-bound the visibility of the role assigned to a local user.
b)Users must belong to at least a singe existing primary group
Local Mgmt - user profile-group.png
Otherwise, the provisioning won't work.
c) Post-provisoning actions must be defined via parameter or GPO
Provisioning users does not mean that home directories, environment variables or the password lifecycle will be handled by the Centrify agent; those actions are customizable.  Centrify provides a parameter called adclient.local.account.notification.cli; it can be used with a provided script /usr/share/centrifydc/samples/localaccmgmt/handle_local_accts.sh to perform these actions.

d) Don't fall in the poor habits
Always prefer computer roles (users) and child zones (users, groups) instead of computer overrides.

Local Group Testing Video

Local User Testing Video (without actions)


Testing local user provisioning plus actions
Using the provided handle_local_accts.sh to enable provisioning actions
In order to allow for actions to be performed upon user provisioning (or de-provisioning), Centrify provides a sample script called handle_local_accts.sh that will perform actions like assign a random password, create home directories, etc.  To enable this script:
  1. Enable the adclient.local.account.notification.cli parameter (set for none)
    $ dzdo vi /etc/centrifydc/centrifydc.conf
    # search for adclient.local.account.notification.cli
    # enable the parameter by removing the pound and
    # set it to the path of the sample file
    adclient.local.account.notification.cli /usr/share/centrifydc/samples/localacctmgmt/handle_local_accts.sh
    
  2. Run adreload (as root or with sudo/dzdo) and restart your testing.
    For example, to verify that a home directory was created after enabling a local account, you can use the following sequence:
    # use access manager to enable the account (e.g. james-foo)
    $ dzdo /usr/share/centrifydc/bin/admanagelocal --reload
    $ getent passwd managed-all
    # this should confirm that the user is enabled
    $ ls -l /home
    # there should be an entry for the recently-created account

Testing local user provisioning plus password management
Using CPS to manage the password lifecycle of a Centrify-provisioned local user account
This test can be performed with any password manager that provides UNIX/Linux-based CLI utilities.  The idea is that upon local account creation, the password manager is notified of the account creation, the password is randomized, changed and managed by the solution.   This example uses Centrify Privilege Service to illustrate the use case.

To set up this test, you need to have a CPS tenant with a Cloud Connector that can reach your systems and a Linux system with the CLI Toolkit.
  1. Create a CPS role for the systems that will be used for testing and assign the Privileged Management right
    CPS - add right.png
    You can also use an AD group and add your computer objects and use it to nest it into the CPS role.
  2. Now you can download and copy the CLI toolkit to your test system.
    cli toolkit.PNG
    You can add the bits to your repository or copy the installation files manually.
  3. Install the CLI toolkit and add the system as a CPS resource (e.g. in my engcen7 RHEL system)
    # install the CPS CLI toolkit bits
    $ dzdo yum install centrifycc-rhel6-x86_64.rpm
    # add the system as a CPS resource
    $ dzdo cjoin -k -n engcen7 -a engcen7.centrify.vms
    # The command joins a system using Kerberos, names it engcen7 and gives it the 
    # hostname/ip of engcen7.centrify.vms (FQDN instead of address).  
    # You can verify the status using the cinfo command.
  4. Switch the provisioning handler.  The CPS CLI toolkit includes another version of the handler.
    $ dzdo vi /etc/centrifydc/centrifydc.conf  # modify the parameter below
    adclient.local.account.notification.cli /usr/share/centrifycc/samples/localacctmgmt/handle_local_accts.sh
    
  5. Run adreload (e.g. dzdo/sudo adreload)
  6. Now you can add a new local account using access manager (e.g. managed-all)
  7. First, verify that the home directory has been created, and then verify in the CPS accounts page that the account exists under the server.
    CPS - managed.PNG
  8. You can also use the cgetaccount command to check-out the password for temporary use directly from the CLI.
    CPS - managed.PNG
    This is not really a practical example, most likely you'd assign the value of the password to a variable and use it on a script.
Provisioning local account with actions (random password/home directory) video

Provisioning local account with password lifecycle management (requires CPS or Password Manager)


This last video provides an example of Server Suite and Privilege Service working together:
  1. We review the set up in the Centrify Privilege Service (connector, managed system role)
  2. We verify the CLI toolkit in the target systems
  3. We join the system as a resource in CPS (using cjoin)
  4. We enable the adclient.local.account.notification.cli parameter to use the handle_local_accts.sh provided with CPS and reload the configuration
  5. We enable our test account in Access Manager
  6. We verify that the account exists in /etc/passwd and that home directory has been created
  7. We verify that the acccount exists under the CPS server resource
  8. We check-out the password via CPS Web GUI and UNIX CLI (with cgetaccount)
  9. We perform an assisted SSH session with the account via CPS console.

Adjustments
There are several improvements to be made, for example:
  • Customize the handler script to be suited to your environment
  • Use your existing password manager to manage the lifecycle
  • Upon deprovisioning, the home folder can be gzipped+tar and removed

Wednesday, January 13, 2016

[LABS] Testing the Centrify Reports Feature of Centrify Suite 2016

Background
This article describes the steps to install, configure and test the Centrify Reports feature included with Centrify Suite 2016.  You will find this article useful if you're looking to accomplish the following goals:
  • Increase the speed of Access and Privilege related reports
  • Provide information to your Security or Audit counterparts for Access or Attestation purposes
  • Automate Attestation report generation and delivery
  • Provide a data source for custom report generation.
Disclaimer:  This post is not a best practice, it's simply to aid you to study and test the feature before your consider it for production scenarios.

What is the Centrify Reports feature designed for?
It's designed to overcome the limitations of existing report generation via LDAP (speed), provide flexibility (SSRS or Bring your Own Reporting), and increase productivity (automate report generation and distribution).

Can you describe an example?
The typical scenario is that depending on your risk or regulatory profile you need to provide user entitlements (who has access to a server or collection of servers in a Centrify zone and  what can they do with Privilege using DirectAuthorize).  For example:
  • Who has access to UNIX/Linux or Windows Server? What privileges do they have (dzdo/dzwin)? What AD object grants access?
  • Who can access this collection of systems? What privileges do they have (dzdo/dzwin)?
These entitlement reports, are used typically in attestation exercises.  Attestation may be done manually (you get together an ratify that these are the proper people that should have accesss) or automatically using a Security Governance tool (at that point, a feed is inserted to the tool)..  As always, we'll be using the Plan-Do-Check-Adjust methodology.  In the labs, the goal is to test the features to be able to produce an viability assessment of the feature.

Planning
Use these planning steps for your test environment. We'veve added enough information that can be recycled towards production deployments.

Basic Requirements
  • Obtain access and privileges reports in a timely fashion (for example, delivered daily, weekly, monthly or quarterly)
  • Minimize impact to Active Directory domain controllers
  • Automate delivery (e.g. email or shared folder)
  • Allow reports consumers to customize reports based on their needs
Potential Stakeholders
  • Active Directory Administrator:  To request and set up the account used to replicate AD Group and Centrify zone data to SQL Server.
  • IT Infrastructure:  You can set up different distribution methods like file or web server and email.  The infrastructure SME will allocate shares, permission, SMTP relays or web servers.
  • Security or Audit Analysts:  These are the consumers of this data.  They provide input on report data/distribution, etc.
  • Database (SQL Server) Administrator (optional):  To work to set up a database instance (most likely in production);  if in a test lab, the Centrify bits include SQL Express.
  • Reports SME (optional):  Depending on the size of your organization, you may have report developers that can customize the reports based on your security or audit needs.
Technical Requirements
Active Directory and Centrify
  • A licensed or evaluation copy of Centrify Suite 2016
  • An Active Directory test or production environment with Centrify hierarchical zone data (HZ Zones have RBAC)
  • A domain-joined Windows server, ideally 2008 and up
  • An Active Directory Service account (or two depending on your setup)
    An account needs the "Replicate changes" right in AD (to be able to read AD data and copy it to SQL)
    An account needs the "logon as a service" right in the system that runs the synchronization
  • A Windows administrator or local admin rights to install programs in the test server.
SQL Server
  • Versions validated: 2008, 2008R2, 2012, 2014;  Standard, Enterprise or Express (included with Centrify Suite 2016)
    Note:  with SQL Express, you have limitations on scale and capabilities.  E.g. can't do file/email subscriptions.
  • If you need to test custom reports, email delivery, scheduling, etc; you'll need a Standard or Enterprise version of SQL
  • If you want to test the Centrify-provided reports, you need to deploy SSRS
  • If you want to test with a custom tool (e.g. Tableau) you'll need that software.
A Windows Server 2008 and up to install the Centrify Reports Service.  Depending on your deployment model, this may be the same machine as SQL or if it's a production design adhere to your organizational best practices.

Resources
Design
Your design is going to be dictated by the capabilities that you with to test and your requirements.  Examples:
  • If reports delivered via file-share or email are required and you'll use SSRS, then you need SQL server standard or enterprise.
  • If you have your own reporting tool, SSRS is not needed, all you need is connectivity between your tool and the SQL server database instance that was used to sync the AD data that contains the Centrify access control data.
Here are some suggested(*) deployment models:
Reporting - Deployment Diagrams.png
Note that the common denominators are AD, Centrify Hierarchical zone data and the service account required to sync AD data to SQL server.
(*) Remember that this is a "labs" post and this is a new feature.  Although I have input from beta testers, the true best practices come from our professional services organization.

How frequently should access and privilege data be synchronized between AD and SQL Server?
The answer to this question depends on the attestation requirement.  Examples:
  • Some organizations do quarterly user access/privilege attestation exercises.  Perhaps synchronizing every quarter is fine in this organizations.
  • Some organizations practice just-in time privileges (e.g. nobody has privileges or knows privilege account passwords) and they need reports daily to make sure there are nobody has any sticky privileges.  Daily reports that get delivered to a security analyst are required in this case, so a daily sync is in order.
The key here is that attestation has a component of comparing the access/privilege data from one time period to another and you have to plan your synchronization based on that.  Technically,  after the first sync or a rebuild, only the delta changes are requested from AD, this ensures that these operations don't negatively impact your Domain Controllers.  In a complex environment, your AD lead should understand that proximity to a Global Catalog will be an important design consideration.

Implementation
Download Suite 2016 from the Customer Support Portal and unzip the bits in an accessible folder on the domain-joined server.

Set up the AD Service Account
This step may be done for you by a Windows administrator.
  1. Open Active Directory Users and Computers and navigate where you want the account to be created (OU or container)
  2. Right-click the OU, New User and in the form type the First Name, Last Name and User logon name (e.g. centrify-reports) and press next
    reporting - user.png
  3. Set up a password for the account, depending on your practices, you may set the account's password to never expire, press next and then finish.
Delegate the Rights to Replicate Directory Changes from AD
In my example, I'm delegating at the top level of the domain, depending on the location of your users/groups, this may change.  This step may be done for you by a Windows administrator.
  1. In Active Directory Users and Computers, right click the domain (e.g. corp.contoso.com) and select "Delegate Control" and press next on the first wizard page
  2. Users or Groups:  Press the add button and find the newly created account, then press OK and press next.
  3. Tasks to Delegate: Select "Create a custom task to delegate" and press next
  4. Active Directory Object Type:  Keep the default radio button and press next
  5. Permissions:  In permissions, scroll down and check the "Replicating Directory Changes" permission and press next and finish.
    reporting - ad-delegation.png
Delegate the Rights for the Account to run as a Service
In my example, I'm using AD Group Policy to grant my user the right to run as a service in that system.  The system is in an OU called Servers.  This step may be done for you by a Windows administrator.
  1. Open the Group Policy Management tool and navigate to the OU that corresponds to the server, create or modify a GPO in and link it to that OU, right click it and select Edit (launches the group policy management editor).
    Alternatively, you would do this the Local Security Policy for the system.
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and find the GPO named "Log on as a Service" and double-click it.
  3. If not checked, check the "define these policy settings" and press the Add User or Group, click browse and make sure that the "From this location" has the AD domain selected otherwise click Locations and select it. 
  4. Type the name of the service account and press check names.  Press OK three times.
    reporting - service.png
  5. Now you can close GPME and GPMC.
Installation of Report Services
You need administrative rights to install and configure this software.  This may have been granted to you or you're assisted by a Windows administrator.
  1. Using Windows Explorer, find the unzipped Centrify 2016 folder and navigate to DirectManage > Report Services and either the MSI or EXE file in that folder (it's the same)
  2. EULA Page:  Accept and press next
  3. Destination Folder:  Select the proper destination or leave as default and press next and press install.
  4. In the final page, leave the Config Wizard box checked.
The Report Services installation package installs 3 key apps:
  • Configuration Wizard,
  • Report Services Control Panel, and
  • Report Services launcher.
Now you have two options for configuration, with SQL Express (included) or with SQL Standard or Enterprise

Configuration for SQL Express or Standard/Enterprise
  1. Launch the centrify Report Services Configuration Wizard and press next in the welcome page.  The next steps depend on your setup:
  2. If using SQL Express:
    SQL Server Page:  Select the "Install SQL Server Express instance on this computer" and use the default name (REPORTS) or change the name and press next.
    SQL Server Package:  press next or specify an alternative set of bits (must know what you're doing), press next.
  3. If using SQL Standard or Enterprise:
    In this step, you're either authorized at the SQL server level login (integrated or mixed) or assisted by your SQL DBA
    SQL Server Page:  Select the "Use an existing instance" and browse to the instance to be used; press next and give it some time to connect.
  4. Deploy Centrify Reports (optional):  You can choose to deploy the Centrify attestation reports to the SQL Server Reporting Services website.  This is only optional if you plan to use another reporting tool, press next.
    Note that you may need to run the Reporting Services Configuration Manager applet to determine these URLs.
  5. Monitored Domains:  Defaults to the local domain, add any additional (you must have had delegated the account permissions and the proper AD trust direction has to be in place), press next.
  6. Sync Schedule:  Select an appropriate frequency based on your reports needs, press next
  7. Report Services:  Select "use account" and browse for the AD service account set up.  Type in the password and press next.
    At this point, the wizard will check if the account has the proper permissions in the monitored domains.  If you did not get the correct delegations, this will fail.
  8. Press close and then next.
    At this point the installer will perform an assisted installation of SQL Server Express.
  9. Once completed, you'll get to the configuration completed page and the check box to do an initial sync will be selected.  When you press finish, the service will do the initial sync.  From that point on, all will be delta synchronizations.


Verification (Check)
The verification steps vary depending on the features you've deployed. However, a key step is to verify that AD roles and rights and principal data is being sent to SQL server in the interval that is set.  For this you can use the Report Service Control Panel.
Reporting - control panel2.jpg
If you chose to deploy the SSRS reports, you should be able to use the Report Services shortcut and access the sharepoint-based report services.  This grants access to subscriptions, report builder, etc (if you're not running Express).
Reporting - Website.png
Here are some verification videos: 

Adjustments
There are may adjustments to be made to this configuration.  Some may or may not be related to Centrify technologies:
  • Set up a file share subscription
  • Set up a SMTP distribution email
  • Use a custom tool for reporting
  • Programmatically retrieve reports data
The good news is that all the building blocks already are in place.  Future entries can cover these topics.