This article explains how to log out of CIS using an API command, and shows two ways to do it: the first obtains the cookie contents from the web browser, the second uses the Postman application.

Read more...

Talking about our supported local clients for remote sessions, one of the questions I often get back is, "What about PowerShell?" In this post I will demonstrate how to launch PowerShell sessions from the Centrify cloud platform using PowerShell Web Access (PSWA).

Read more...

You may be familiar with storing shared account passwords and how to retrieve them via password checkouts using Centrify Privilege Service (CPS). But did you know that in addition to storing passwords, you can now also store secrets such as API keys/tokens and encryption keys within CPS? This short article will describe how you can store these secrets and make them available for use, while ensuring their security using role-based access control and multifactor authentication.

Read more...

In this article, I'll discuss the methods that I use to capture and troubleshoot a new custom User-Name Password Application.

Read more...

How to deploy Safari extension to Mac using Centrify

By Centrify Advisor III 2 weeks ago - last edited 2 weeks ago by Community Manager

**Disclaimer: The deployment will depend on the version of macOS/Mac OS X and Safari and might not work in later versions**

Please find below the steps for making use of Centrify Group Policy and AppleScript (the scripts are provided as samples; modify them to fit your environment's needs):

1. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Copy Files” Group Policy to copy centrify.safariextz (at the time of writing it is version 1.150.17052; replace it with the newest version if there is one), safari-ext.sh and safari.scpt to the following location on the Mac: /tmp/

2. Set the file permissions to 0755 and the owner UID and GID to 0.

3. Also check the “Copy as binary” box in the GP.

4. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Specify command to run” Group Policy to run safari-ext.sh (“sudo /tmp/safari-ext.sh”); this script enables GUI scripting for AppleScript.

5. Use the “Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > Specify multiple login scripts” Group Policy at machine level for the script safari-ext2.sh. It is used to run the AppleScript.

6. Once the 3 GPs mentioned above are configured, run adgpupdate as the AD user; the extension will then be installed at the next user login session.
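The files from steps 1 and 2 are staged in /tmp/ and then executed as root by the "Specify command to run" policy, so on a target Mac it is worth confirming that they arrived with exactly the mode and owner those steps specify before that policy fires. The following Python script is an added example, not part of this article or of Centrify's tooling; the file names are the ones from step 1 and the expected mode, UID and GID are the values from step 2, all passed as parameters so they can be adjusted.

```python
"""Pre-flight check for files staged by the 'Copy Files' GP (added example, not Centrify code).

Before 'sudo /tmp/safari-ext.sh' runs, confirm each staged file is a regular
file (not a symlink), has the expected mode (0755 per the article), is not
writable by group/others, and is owned by the expected UID/GID (0/0).
"""
import os
import stat

# File names from step 1 of the article, staged under /tmp/ (assumed paths).
DEPLOYED_FILES = [
    "/tmp/centrify.safariextz",
    "/tmp/safari-ext.sh",
    "/tmp/safari.scpt",
]


def check_file(path, expected_mode=0o755, expected_uid=0, expected_gid=0):
    """Return a list of problems with one staged file; an empty list means it is fine."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow symlinks, we want to detect them
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink in a shared /tmp could point a root-run script somewhere else.
        return [f"{path}: is a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"{path}: gid {st.st_gid}, expected {expected_gid}")
    return problems


def check_deployment(paths=DEPLOYED_FILES, **expected):
    """Check every staged file; returns {path: [problems]} for files with issues only."""
    report = {}
    for path in paths:
        issues = check_file(path, **expected)
        if issues:
            report[path] = issues
    return report


if __name__ == "__main__":
    result = check_deployment()
    for issues in result.values():
        for issue in issues:
            print("FAIL", issue)
    if result:
        raise SystemExit(1)
    print("OK: all staged files have the expected mode and owner")
```

Run it as root on the Mac after the "Copy Files" policy has applied and before enabling the "Specify command to run" policy; a non-zero exit means something in /tmp/ does not match what the policy was supposed to produce.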

Configuring Confluence via a Custom SAML App

By Centrify Contributor III 2 weeks ago - last edited 2 weeks ago

How To: Configuring Confluence with a Custom SAML App

The following is a description of how to configure Confluence (Cloud) with Centrify via SAML:

  • Centrify Configuration:
  • Confluence Configuration:
    • Navigate to the SAML configuration within Confluence, found under "User Management."
      • Choose "SAML single sign-on" under "Authentication Method".
      • Under "Identity Provider Entity ID", copy and paste the "Issuer" URL from the Application Settings page in the App Config within the Centrify Identity Portal.
        • To get the value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings, and copy the URL under "Issuer."
      • Under "Identity Provider SSO URL", copy and paste the "Identity Provider Sign-in URL" from the Application Settings page in the App Config within the Centrify Identity Portal.
        • To get the value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings > Identity Provider Info, and copy the "Identity Provider Sign-in URL".
      • Under "Public x509 Certificate", copy and paste the value of the "Signing Certificate" from the Application Settings page in the App Config within the Centrify Identity Portal.
        • To get the value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings > Identity Provider Info > "Download Signing Certificate". After downloading the .cer file, open it in a text editor. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Copy all of the text in the file.
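A certificate copied out of a text editor is easy to truncate or mangle. The following Python script is an added example, not code from this post or from Centrify or Atlassian: it reads the text of the downloaded .cer file, confirms it is a single complete PEM block whose body decodes cleanly into DER, and prints the SHA-256 fingerprint so the value pasted into Confluence can be compared with the certificate the identity provider displays. The same check applies to the signing certificate uploaded to Salesforce in the Salesforce guide further down this page. The sample bytes in the script are a constructed five-byte DER SEQUENCE, not a real certificate, and the script deliberately does not check chain or expiry.

```python
"""Sanity-check a copied signing certificate (added example, not Centrify or Atlassian code).

Confirms the pasted text is one complete PEM CERTIFICATE block whose body is
valid base64 decoding to DER that starts with an ASN.1 SEQUENCE, and returns
the SHA-256 fingerprint of the DER bytes for comparison with the IdP's display.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def extract_pem_bodies(text):
    """Return the base64 body of every complete PEM CERTIFICATE block in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def fingerprint_sha256(der):
    """Colon-separated upper-case SHA-256 fingerprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_certificate_text(text):
    """Validate copied .cer text. Returns {'ok', 'fingerprint_sha256', 'errors'}."""
    errors = []
    bodies = extract_pem_bodies(text)
    if not bodies:
        if BEGIN in text and END not in text:
            errors.append("END CERTIFICATE marker missing: the copy was truncated")
        elif END in text and BEGIN not in text:
            errors.append("BEGIN CERTIFICATE marker missing: the copy started too late")
        else:
            errors.append("no PEM CERTIFICATE block found")
        return {"ok": False, "fingerprint_sha256": None, "errors": errors}
    if len(bodies) > 1:
        errors.append(f"{len(bodies)} certificates found; paste exactly one")
    body = "".join(bodies[0].split())  # remove the 64-column line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        errors.append("certificate body is not valid base64 (corrupted paste?)")
        return {"ok": False, "fingerprint_sha256": None, "errors": errors}
    if not der or der[0] != 0x30:
        errors.append("decoded bytes do not start with an ASN.1 SEQUENCE (0x30)")
    return {"ok": not errors, "fingerprint_sha256": fingerprint_sha256(der), "errors": errors}


def pem_wrap(der):
    """Wrap DER bytes in PEM armour, 64 characters per line, like a .cer export."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed sample: DER for SEQUENCE { INTEGER 1 }. It is NOT a certificate,
# just enough structure to exercise the checks offline.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = pem_wrap(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    result = check_certificate_text(text)
    print("OK" if result["ok"] else "PROBLEM", result["errors"] or "")
    print("SHA-256 fingerprint:", result["fingerprint_sha256"])
```

Pass the path of the downloaded .cer file as the first argument; without an argument the script checks its own constructed sample.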

This completes the configuration of Confluence in both the Centrify Admin Portal and the Confluence Portal. After performing the steps above, you're ready to test your configuration. Log into the user portal with a Confluence user, and launch the app.

For more information regarding the Confluence configuration, please see here:

https://confluence.atlassian.com/cloud/saml-single-sign-on-873871238.html#SAMLsinglesign-on-SetupSAM...

As always, let us know if you were successful in configuring Confluence for SAML by commenting below.

How to enable FileVault 2 from the Centrify Admin Portal

By Centrify Advisor I 2 weeks ago - last edited 2 weeks ago

FileVault 2 allows encryption of an entire drive to keep data secure. The Centrify Identity Service, Mac Edition gives you the ability to enable FileVault 2. This feature is enabled in a policy for enrolled Mac OS X devices.

Enabling FileVault 2 encryption using a policy at the Admin Portal does not require a user to manage the computer object in Active Directory. It also does not require a mobile account to be created.

The steps below show how to enable the FileVault encryption policy, enroll the Mac OS X device and locate the recovery key.

Enable the FileVault encryption policy

To enable the FileVault encryption policy, go to the Centrify Admin Portal > Policies > Default Policy

[Screenshot: Policies]

In the Default Policy, go to Mobile Device Policies > OS X Settings > Security and privacy settings

[Screenshot: Enable FileVault]

Note: If you select "Permit one-time display of recovery key on user’s Mac device", admin users see their recovery key the first time they log in after you enable the FileVault encryption policy. This is the only time users see the recovery key.

Save the changes.

Enroll the Mac OS X device

On the Mac OS device, log into the Centrify User Portal. You will be prompted to enroll the device.

[Screenshot: Enroll with Centrify]

The download of the Centrify for Mac agent will begin.

[Screenshot: Download begins for Centrify Agent]

On the Mac system, log in as the local admin and install the Centrify for Mac agent by double-clicking on the .dmg file.

[Screenshot: Install begins of Centrify Agent]

Double-click on the CIS-Mac-Agent.pkg file to open the installation package.

[Screenshot: Double click to open the package]

A warning will appear regarding the software installation.

[Screenshot: Install Centrify Agent]

At the Welcome page, click on 'Continue' to begin the installation.

[Screenshot: Click here to begin installation]

Click on 'Install' to begin the installation.

[Screenshot: Click on Install]

Enter the username and password of the local admin account to install the software.

[Screenshot: Enter local admin password]

The installation will complete. Click on 'Launch Centrify Agent' to begin the device enrollment.

[Screenshot: Installation complete]

A confirmation message will appear for the successful install.

[Screenshot: Installation confirmation]

Enter the Centrify Directory Service or Active Directory username of the user that you would like to enroll the device for.

[Screenshot: Enter username to enroll]

Enter the password of the Centrify Directory Service or Active Directory user.

[Screenshot: Enter password]

Click 'Enroll' to begin the device enrollment.

[Screenshot: Click on Enroll]

Enter the username and password of the local admin account.

[Screenshot: Enter local admin password (enrolling)]

The device enrollment will begin.

[Screenshot: Device enrolling]

Configure Safari for Single Sign-On.

[Screenshot: Configure Safari]

The Safari Single Sign-On configuration will show as completed.

[Screenshot: Configure Safari complete]

FileVault encryption is applied to enrolled devices when an administrator logs in. Encryption begins when the device is reset following an administrator log in. Only OS X users with administrative privileges can encrypt an enrolled device.

Refer to https://support.apple.com/en-us/HT204837 for more information about FileVault.

3) Wait about 15 minutes and log out as the local admin. You will then receive a prompt to enter the FileVault password.

[Screenshot: Enter FileVault password]

If you have enabled "Permit one-time display of recovery key on user’s Mac device", you will receive a prompt showing the recovery key.

[Screenshot: FileVault Key]

After reaching the desktop as the local admin, go to Finder > System Preferences > Security & Privacy. Go to the FileVault tab; the FileVault status will show as encrypting.

[Screenshot: FileVault begin]

When the encryption has ended, the status will show as finished.

[Screenshot: Encryption end]

Locate the recovery key

After the FileVault encryption policy is pushed and an enrolled device’s FileVault is turned on, you can retrieve the recovery key by selecting Show FileVault Recovery Key from the device’s action menu in the Admin Portal. Please allow up to 12 hours for the key to appear in the Admin Portal.

[Screenshot: FileVault Key in Admin Portal]

The device details will show that FileVault 2 is enabled.

[Screenshot: Device Details Enabled]

This confirms FileVault 2 has been enabled using the Centrify Identity Service Admin Portal on a Mac OS X device.

You can also enable FileVault 2 using Group Policies. Please see the below article:

http://community.centrify.com/t5/TechBlog/Using-Centrify-to-Implement-FileVault-2-Disk-Encryption-on...

This article is the first of a multipart series. Part I will cover the following:

  • The effect the current threat landscape is having on the business
  • Why access control is not enough
  • The benefit provided by active log monitoring solutions
  • How SIEMs help

Read more...

This technical blog post [with Videos] is intended to highlight the Centrify Identity Platform REST API Framework and its capabilities, specifically as it relates to automating the management of privileged accounts...

Read more...

[How to] Manage access to Dropbox

By Centrify Contributor III 3 weeks ago - last edited 3 weeks ago

Ensure access to Dropbox and other Apps from managed devices only

Read more...

Thank you for choosing Centrify!

The following is a step-by-step guide designed to help walk you through an integration of AWS to Centrify Identity Service.

Install time ~ 1-3 hours

Requirements

  • AWS account
  • Centrify Identity Service account
  • Active Directory, LDAP or Centrify Cloud Directory
  • Windows Server for Centrify Connector (requirements below)

How to use guide

This guide is broken into two parts: (1) integrating AWS using SAML for single sign-on (Steps 1-20) and (2) enabling auto-user provisioning (Steps 21-35). The steps are sequential and recommended for a successful integration.

Let's get started

1) Log into your Centrify Identity Service tenant.

2) Install the Centrify Connector by following this guide:

http://community.centrify.com/t5/TechBlog/How-To-Installing-Centrify-Cloud-Connector/ba-p/27840

3) Next, we must create roles in Centrify to contain the users of AWS. Roles can contain users in Active Directory, LDAP or Centrify's Cloud Directory, and are a logical way of organizing users from your source directory into the roles you've defined in AWS. A minimum of one role must be used; for the purposes of this guide, we will create a Centrify role titled 'AWS-EC2-Admins'. This role will contain all AWS administrator users within your source directory. Additional roles that correspond to AWS roles can be created in the same way as the example role in this guide. To create a role, navigate to 'Roles' -> 'Add Role' to continue.

4) Name the Centrify role ‘AWS-EC2-Admins'. You can create additional Centrify roles as needed. Click ‘Save’ to proceed.

5) Click ‘Members’ then click ‘Add’ to begin adding the appropriate Active Directory users or the security group that contains all AWS administrator users.

Tip: It’s best practice to create a security group in your source directory that contains all users you have assigned to a particular AWS role. For example, if there are 5 administrator users in AWS, the same 5 users must exist as members of the 'AWS-EC2-Admins' role in Centrify. A 1-to-1 mapping allows Centrify to authenticate a user attempting to access AWS with their source directory username/password. It also enables the administrator to create/modify/disable user access from the source directory when it comes to provisioning and de-provisioning.

6) Once complete, navigate to 'Apps' -> 'Add Web Apps' and search for the AWS SAML + Provisioning template.

7) When the AWS application template is added, you will arrive at the following screen. Add 'Your AWS Account ID', then click on 'Download SAML Provider Metadata Document'.

8) Next, navigate to 'User Access' and choose the Centrify roles you've created. In this example, I've chosen two roles - 'AWS-EC2-Admin' and 'AWS-EC2-ReadOnly', which I created in Step 4 above.

9) Next, log into your AWS console with an administrator account. Navigate to the Identity and Access Management Dashboard, then click 'Create Provider'.

10) Choose 'SAML' as the 'Provider Type'. Type 'Centrify' as the 'Provider Name' and then upload the metadata document from Step 7 (Centrify) to AWS in the 'Metadata Document' field. Click 'Next Step' to continue.

11) Verify the provider information, then click 'Create' to continue.

12) Next, navigate to 'Roles' then click 'Create new role'. The purpose of this step is to define access policies for the different roles of users that will be using the service.

13) Select the 'Grant Web Single Sign-On (WebSSO) access to SAML providers' option.

14) Verify the SAML provider (Centrify), then click 'Next Step' to continue.

15) Review the Role Trust policy document, then click 'Next Step' to continue.

16) Choose the appropriate policy name for your role. In this example, I am choosing the 'AmazonEC2FullAccess' policy for my 'AWS-EC2-Admins' role. Once chosen, click 'Next Step' to continue.

17) Name the role with the corresponding role name you wish to map to in Centrify (see Step 4 above). Click 'Create role' to continue.

Tip: The AWS role name must match the corresponding Centrify role name for authentication/authorization from Centrify to the AWS console.
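The two tips above (Step 5 and Step 17) reduce to two checks: every Centrify role name must have an AWS role or group with the identical name, and the members of each Centrify role must be exactly the users mapped on the AWS side. The Python below is an added example, not code from this guide or from Centrify or AWS; it compares two constructed inventories (role name to member set, the kind of listing an administrator can export from each side) and reports missing counterparts, near-miss names such as a singular/plural mismatch, and membership drift. All role and user names in it are constructed sample data.

```python
"""Check Centrify-to-AWS role mapping consistency (added example, not Centrify or AWS code).

The guide's tips require (a) every Centrify role to have an AWS role/group
with the identical name and (b) the same users on both sides of each mapping.
Inputs are plain dicts of role name -> set of member identifiers.
"""
import difflib

# Constructed sample inventory: Centrify roles and their members.
CENTRIFY_ROLES = {
    "AWS-EC2-Admins": {"alice@example.com", "bob@example.com"},
    "AWS-EC2-ReadOnly": {"carol@example.com"},
}

# Constructed sample inventory: AWS roles/groups and the users in them.
# 'AWS-EC2-Admin' (singular) is the kind of near-miss the guide warns about.
AWS_ROLES = {
    "AWS-EC2-Admin": {"alice@example.com", "bob@example.com"},
    "AWS-EC2-ReadOnly": {"carol@example.com", "dave@example.com"},
}


def compare_role_mappings(centrify_roles, aws_roles):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    matched_aws = set()
    for c_name, c_members in centrify_roles.items():
        if c_name in aws_roles:
            matched_aws.add(c_name)
            a_members = aws_roles[c_name]
            if c_members != a_members:
                findings.append(
                    f"membership drift for '{c_name}': "
                    f"only in Centrify={sorted(c_members - a_members)}, "
                    f"only in AWS={sorted(a_members - c_members)}")
            continue
        # No exact match: surface the closest AWS name so a typo is obvious.
        close = difflib.get_close_matches(c_name, list(aws_roles), n=1, cutoff=0.8)
        if close:
            matched_aws.add(close[0])
            findings.append(
                f"Centrify role '{c_name}' has no exact AWS match; "
                f"closest AWS name is '{close[0]}' (names must match exactly)")
        else:
            findings.append(f"Centrify role '{c_name}' has no AWS counterpart")
    for a_name in aws_roles:
        if a_name not in matched_aws:
            findings.append(f"AWS role '{a_name}' has no Centrify counterpart")
    return findings


if __name__ == "__main__":
    for finding in compare_role_mappings(CENTRIFY_ROLES, AWS_ROLES) or ["mapping is consistent"]:
        print(finding)
```

Run against the sample data it reports the 'AWS-EC2-Admins' / 'AWS-EC2-Admin' name mismatch and the extra AWS-side member in 'AWS-EC2-ReadOnly'; replace the two dicts with your own exports to use it for real.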

 

18) You've now successfully completed a SAML integration of AWS to Centrify. Navigate to your User Portal and verify that you are able to see the AWS tile in Centrify. Click on the tile to test access to AWS.

19) Choose the appropriate AWS role you have been granted and click 'Sign-in'.

20) Verify that you are able to log into the AWS console with the appropriate access that has been granted to you.

*** Step 20 completes the SAML-only integration of AWS. Please review the steps below, which walk through how to enable provisioning. ***

21) To enable provisioning in Centrify, navigate to the 'Provisioning' menu in Centrify and click on 'Enable provisioning for this application'.

Tip: You have the option of enabling provisioning in 'Preview Mode' or 'Live Mode'. Preview mode is a non-production sync. It is recommended that you complete the initial provisioning setup using preview mode before committing the integration in production.

22) Add an AWS administrator's 'Access key' and 'Secret' to the fields in Centrify. To obtain the values, navigate to the 'Delete your root access keys' field in AWS and click 'Manage Security Credentials'.

23) Next, click 'Continue to Security Credentials'.

24) If you don't already have an access key, click 'Create New Access Key'.

25) Copy the 'Access Key' and 'Secret' from AWS to Centrify. Once complete, click 'Verify' in Centrify to continue.

26) If successful, additional provisioning configurations appear in Centrify. In this section, you can choose provisioning rules, such as disabling the user's account in AWS when the user is deleted from the source directory.

27) Next, we must create groups in AWS for Centrify to provision users into. In AWS, navigate to 'Groups' then click 'Create New Group' to continue.

28) Name the group after the corresponding role you have created in Centrify (see Step 4 above). Click 'Next Step' to continue.

29) Choose the appropriate policy for each role. Click 'Next Step' to continue.

30) Finalize by clicking 'Create Group'. Create an AWS group for each corresponding AWS role you've designed in Centrify.

31) In Centrify, under 'Role Mapping', click 'Add'. Select the AWS role under 'Role'. Map the role to the destination group you've created in AWS (see Step 28 above).

32) Complete this mapping for all Centrify roles and AWS groups you've created. See below for an example of two Centrify roles mapped to two AWS groups. Click 'Save' to continue.

33) To finalize the integration, navigate to 'Settings' -> 'Users' -> 'Outbound Provisioning' -> 'AWS Web Services' application, then 'Start Sync'.

34) For the initial integration, click the 'bypass caching and re-sync all objects' option, then 'Yes' to initiate the sync.

35) Switch to your 'User Portal' and verify that you can log into AWS by clicking on the tile and choosing the appropriate role.

We hope this installation guide was helpful. For all other questions on how Centrify can help you consolidate user identities and solve the #1 cause of all cyber attacks, please contact us at https://www.centrify.com/about-us/contact/

Thank you for choosing Centrify!

The following is a step-by-step guide designed to walk you through an integration of Salesforce to Centrify. The integration will allow a central directory of your choosing (e.g. Active Directory, Centrify Cloud Directory, LDAP or Google Directory) to act as the authentication/authorization mechanism for Salesforce. End-users will enjoy the benefit of a single sign-on login experience, while administrators take advantage of a single user directory from which to manage the lifecycle of Salesforce users.

Install time ~ 1-3 hours

Requirements

1) Salesforce account

2) Centrify Identity Service account

3) Active Directory, LDAP or Centrify Cloud Directory

4) Windows server for Centrify Connector (requirements below)

How to use guide

This guide is broken into two parts: (1) integrating Salesforce using SAML for single sign-on (Steps 1-16) and (2) enabling auto-user provisioning (Steps 17-30). The steps are sequential and recommended for a successful integration.

Let's get started

1) Log into your Centrify Identity Service tenant.

2) Install the Centrify Connector by following this guide:

http://community.centrify.com/t5/TechBlog/How-To-Installing-Centrify-Cloud-Connector/ba-p/27840

3) Next, we must create roles in Centrify to contain the users of Salesforce. Roles can contain users in Active Directory, LDAP or Centrify's Cloud Directory, and are a logical way of organizing users from your source directory into the roles you've defined in Salesforce. A minimum of one role must be used; for the purposes of this guide, we will create a Centrify role titled 'Information Technology'. This role will contain all Salesforce administrator users within your source directory. Additional roles that correspond to Salesforce roles can be created in the same way as the example role in this guide. To create a role, navigate to 'Roles' -> 'Add Role' to continue.

4) Name the Centrify role ‘Information Technology'. Click ‘Save’ to proceed.

5) Click ‘Members’ then click ‘Add’ to begin adding the appropriate Active Directory users or the security group that contains all Salesforce administrator users.

Tip: It’s best practice to create a security group in your source directory that contains all users you have assigned to a particular Salesforce role. For example, if there are 5 administrator users in Salesforce, the same 5 users must exist as members of the 'Information Technology' role in Centrify. A 1-to-1 mapping allows Centrify to authenticate a user attempting to access Salesforce with their source directory username/password. It also enables the administrator to create/modify/disable user access from the source directory when it comes to provisioning and de-provisioning.

6) Once complete, navigate to 'Apps' -> 'Add Web Apps' and search for the Salesforce SAML + Provisioning template.

[Screenshot: Centrify - adding Salesforce app]

7) When the Salesforce application template is added, you will arrive at the following screen. Minimize this screen and open a new browser tab to log into Salesforce. Log into Salesforce with an administrator account to enable SAML and provisioning in Salesforce.

[Screenshot: Centrify - Salesforce app]

8) In Salesforce, navigate to the 'Single Sign On Settings' menu and click 'Edit'.

[Screenshot: Salesforce - SSO config]

9) Click the 'SAML Enabled' checkbox and click 'Save'.

[Screenshot: Salesforce - enable SAML]

10) Next, navigate to the 'SAML Single Sign-On Settings' section and click 'New'.

[Screenshot: Salesforce - enable SSO]

11) When clicked, you will arrive at the following screen, where you will exchange configurations between Centrify and Salesforce.

[Screenshot: Salesforce - SAML config]

12) To make the configuration easier, open the Centrify and Salesforce menus side-by-side as illustrated below.

[Screenshot: Centrify and Salesforce config pages]

13) Start by creating a name for the 'SAML Single Sign-On Settings' integration to Centrify. Use the picture and summary below to help guide where configurations need to be made:

 

1) Name (Salesforce): Centrify.

2) API Name (Salesforce): Centrify.

3) Entity ID (Salesforce): https://saml.salesforce.com.

4) Issuer: Copy from Centrify to Salesforce.

5) Identity Provider Certificate: Download the signing certificate from Centrify and upload to Salesforce.

6) SAML Identity Type: Click 'Assertion contains the Federation ID from the User Object' option in Salesforce. (See Step 13.2).  

7) Identity Provider URL: Copy from Centrify to Salesforce.

8) Identity Provider Logout URL: Copy from Centrify to Salesforce.

9) Customer Error URL: Copy from Centrify to Salesforce.

10) User Provisioning Enabled: Click to enable in Salesforce (Follow Step 17-30 to complete provisioning).

11) Save (Salesforce): Click in Salesforce.

12) Save (Centrify): Click in Centrify.

 

8) centrify and salesforce configs completed.png

 

13.1) When Step 13 is completed, open the 'Centrify' SAML Single Sign-On Settings profile you just created, and copy the 'Salesforce Login URL' from Salesforce to the 'Assertion Consumer Service URL' field in Centrify. 

 

9) ACS URL After.png

 

13.2) If provisioning is enabled in Step 10 above, you must choose the 'Assertion contains the Federation ID from the User Object' (See Step 6 above) within the 'SAML Single Sign-On Settings' menu in Salesforce. In doing so, you must add a 'Federation ID' value for the administrator user performing the integration. The 'Federation ID' configuration is found by navigating to 'Administration' -> 'Users' -> current administrator user enabling SAML in Salesforce. The value of should be the email address of the administrator user. 

 

If you do not wish to enable provisioning at this time, leave the default option of 'Assertion contains the User's Salesforce username' in Salesforce (See Step 6 above) and disregard the step of adding a 'Federation ID' for the administrator user. The federation ID is only needed if provisioning is enabled in Salesforce. Follow steps 14-16 in this guide to complete a SAML only integration of Salesforce to Centrify. 

 

8.1) salesforce - federation ID.png

 

14) Next, naviagate to 'User Access' and choose the Centrify role 'Information Technology' created in Step 4. You can also add other Centrify roles you created for other roles in Salesforce within this menu. 

 

10) Centrify - role assignment.png

 

15) Next, navigate to the 'Account Mapping' menu in Centrify. Verify that the default value in the 'Directory Service field name' is 'mail'. As a default, Salesforce expects an email attribute from the source directory (i.e. Active Directory) within the SAML assertion sent to Salesforce. While other settings may be used, please review the options within Salesforce before leveraging other attributes in your SAML assertion. 

 

11) centrify - account mapping.png
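Steps 13.2 and 15 both depend on what the assertion actually carries: the subject must be the email address that the 'mail' mapping produces, and for provisioning it must equal the user's Federation ID. The Python below is an added example, not code from this guide, Centrify or Salesforce; it parses a constructed, unsigned sample assertion, extracts the Issuer, NameID and attributes, and checks that the NameID is an email address that agrees with the mapped attribute. It does not verify the assertion's signature, which remains the service provider's job; the assertion XML, issuer URL and user in it are constructed sample values.

```python
"""Inspect a SAML assertion's subject and mapped attribute (added example, not Centrify code).

Parses an assertion, pulls the Issuer, Subject/NameID and AttributeStatement,
and checks that the NameID is an email address matching the attribute named in
the account mapping ('mail' by default). Signature verification is NOT done
here; for assertions from untrusted sources parse with defusedxml instead of
xml.etree to avoid XML entity attacks.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (unsigned, abbreviated) of the shape an IdP sends once
# the account mapping sets the subject to the directory's 'mail' attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2017-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (issuer, name_id, {attribute name: [values]}) from assertion XML."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return issuer, name_id, attrs


def check_account_mapping(xml_text, mapped_attribute="mail"):
    """Return a list of problems with the subject/attribute mapping (empty = OK)."""
    problems = []
    issuer, name_id, attrs = parse_assertion(xml_text)
    if not issuer:
        problems.append("assertion has no Issuer")
    if not name_id:
        problems.append("assertion has no Subject/NameID")
    elif not EMAIL_RE.match(name_id):
        problems.append(f"NameID '{name_id}' is not an email address")
    values = attrs.get(mapped_attribute, [])
    if len(values) != 1:
        problems.append(f"expected exactly one '{mapped_attribute}' value, got {len(values)}")
    elif name_id and values[0].lower() != name_id.lower():
        problems.append(f"NameID '{name_id}' differs from {mapped_attribute} '{values[0]}'")
    return problems


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION))
    print(check_account_mapping(SAMPLE_ASSERTION) or "subject and mail attribute agree")
```

A captured assertion from a browser SAML tracer can be passed to check_account_mapping in place of the sample; if the mapping in Step 15 was changed to another attribute, pass that attribute's name as mapped_attribute.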

 

16) Once the 'Account Mapping' value is reviewed, click 'Save' to complete the integration. Switch to your 'User Portal'. You will see the Salesforce tile appear within your portal if you have a valid account in both your source directory (i.e. Active Directory) and Salesforce. Click on the Salesforce tile to confirm you are able to access Salesforce from the Centrify portal.

[Screenshot: Centrify - app in portal]

*** Step 16 completes the SAML-only integration of Salesforce. Please review the steps below, which walk through how to enable provisioning. ***

17) To enable provisioning in Centrify, navigate to the 'Provisioning' menu in Centrify and click on 'Enable provisioning for this application'. Add a Salesforce administrator's 'Username' and 'Password' to the fields in Centrify, then navigate to Salesforce to continue.

Tip: You have the option of enabling provisioning in 'Preview Mode' or 'Live Mode'. Preview mode is a non-production sync. It is recommended that you complete the initial provisioning setup using preview mode before committing the integration in production.

[Screenshot: Centrify - enable provisioning]

18) To enable the user provisioning feature in Salesforce, click 'Enable' for item 10 in Step 13 above. Additionally, when provisioning is enabled in Salesforce, a Connected App must be created. Navigate to 'App Manager' -> 'Manage Connected Apps', then click 'New Connected App'.

[Screenshot: Salesforce - create connected app]

19) Complete the following information in Salesforce as outlined below. Once complete, click 'Save' to continue.

1) Basic Information

  -> Connected App Name: Centrify

  -> API Name: Centrify

  -> Contact Email: Email address of the Salesforce administrator user

2) Enable OAuth Settings: Enabled

3) Callback URL: Centrify Identity Service URL

4) Selected OAuth Scopes: Choose the minimum required options below.

  -> Access and manage your Chatter data (chatter_api)

  -> Access custom permissions (custom_permissions)

  -> Access your basic information (id, profile, email, address, phone)

  -> Full access (full)

  -> Perform requests on your behalf at any time (refresh_token, offline_access)

  -> Provide access to custom applications (visualforce)

  -> Provide access to your data via the Web (web)

5) Require Secret for Web Server Flow: Enabled

[Screenshot: Salesforce - configuring connected app]

20) The Salesforce Connected App may take several minutes to complete. As the changes take effect, the 'Consumer Key' (Item 2) and 'Consumer Secret' (Item 3) will be generated and become available for you to proceed to the next step.

[Screenshot: Salesforce - completed connected app]

21) With Centrify and Salesforce open, copy the 'Consumer Key' in Salesforce to the 'Client ID' field in Centrify. Copy the 'Consumer Secret' in Salesforce to the 'Client Secret' field in Centrify.

[Screenshot: Centrify - client ID and secret]

22) To obtain your 'Security Token' in Salesforce, Salesforce recommends a reset of the security token. Click on the 'Reset Security Token' button to obtain your new security token via email.

[Screenshot: Salesforce - reset security token]

23) You will receive your new Salesforce security token via email. Copy it and add it in Step 24 below.

[Screenshot: Email with reset security token]

24) Add the Salesforce security token to the 'Security Token' field in Centrify. Once complete, click 'Verify' to complete this step.

[Screenshot: Centrify - security token]

25) If the provisioning integration between Centrify and Salesforce is successful, additional menus will populate as shown below. You may keep the default settings or modify them based on your preference.

[Screenshot: Centrify - provisioning options]

26) Under the 'Role Mapping' section, click 'Add'. This step allows you to map a Centrify role (containing users in Active Directory) to a 'Salesforce License', 'Salesforce Role' and 'Salesforce Profile' you've set up in Salesforce. As an example, in Steps 4-5 we created a Centrify role titled 'Information Technology'. The role contains the administrator users in the source directory (i.e. Active Directory) that are mapped to Salesforce. While this guide illustrates mapping a single Centrify role to Salesforce, use the same process for mapping other Centrify roles to existing Salesforce roles to complete your integration.

[Screenshot: Centrify - role mapping]

27) Click 'Save' to continue.

[Screenshot: Centrify - completed role mapping]

28) Next, navigate to 'Settings' -> 'Users' -> 'Outbound Provisioning' -> 'Salesforce' and click 'Start Sync'. An initial sync is required for any new application integrated with Centrify that is enabled with provisioning.

[Screenshot: Centrify - start sync]

29) Click 'bypass caching and re-sync all objects'. This setting allows for an immediate sync of Salesforce to Centrify versus waiting for the periodic sync that Centrify performs automatically.

[Screenshot: Centrify - bypass sync]

30) Switch to your 'User Portal' and verify that you can log into Salesforce when clicking on the Salesforce tile.

[Screenshot: Centrify - app in portal]

We hope this installation guide was helpful. For all other questions on how Centrify can help you consolidate user identities and solve the #1 cause of all cyber attacks, please contact us at https://www.centrify.com/about-us/contact/

A short step-by-step configuration guide on how to configure the Fortinet firewall with Centrify for SSO using RADIUS.


We heard from some customers that would like to use AD credentials to authenticate to IBM Sterling Connect:Direct. IBM Sterling Connect:Direct provides security-rich, point-to-point file transfers to lessen dependency on unreliable File Transfer Protocol (FTP) transfers.

 


This blog will show you how to join a Mac OS X computer to a domain and enroll it in the Centrify Identity Service platform at the same time. Typically, an Active Directory administrator performs this procedure, but during the enrollment steps, assigns the computer to a different Active Directory user account.

The assigned user is added to the identity platform as the device owner and is able to view and manage the enrolled computer through the Centrify user portal. An identity platform administrator can assign the user to one or more roles that determine the applications, permissions, and policies that apply to the user on this computer.

Here is how to use Centrify Join Assistant to join a computer to a domain and enroll it in the identity platform:

 

1. First you will need the following accounts:

a. Active Directory account that can join a computer to a domain

 

AD Admin.png


b. An administrator account that has System Administrator or Device Management permissions in the Admin Portal.

Cloud Admin.png

 


c. Active Directory user account.

Jane Doe.png

 

2. Download the Centrify DirectControl agent onto the Mac system at the Support Portal Download Center.



3. Install the Centrify DirectControl agent

 

CDC Downloads folder.png

Install CDC.png

Click Continue.png

Clik Continue - 2.png

Agree to license.png

CDC Install.png

Enter local admin password.png

Install begin.png

Select Join Assistant.png

4. After installation, go to Finder > System Preferences > Centrify > Centrify Join Assistant

Join Assistant.png

At the Welcome page, click on Continue

 

Begin Join Assistant.png

Enter the local admin password

 

Enter Admin- JA.png

Enter the domain you would like to join the Mac system to, then enter the username and password of the Active Directory account that has permission to join computers to the domain.

 

Enter AD Creds.png

Click Continue.

 

Decide whether you are using Auto Zone or Zone mode for the user and computer objects. Select the option "Enroll with Centrify Cloud Service to enable remote management". Enter the Container DN in which you would like to place the computer object.

 

License Mode page.png


Click Join and the Mac will begin to join the domain.

 

Joining Mac.png

After the join to the domain is completed, you will be prompted to enter the Identity Service URL and the username of the user you would like to enroll the device for.

jane.doe.png

The enrollment of the device will then begin

Loading to the cloud.png

When the enrollment has completed, you will receive a confirmation that the enrollment for the user is successful

jane joined succes.png

When the user logs into the Centrify User Portal, they will see the device listed under the Device section

jane device.png

 

What will you do if someone checks out the root password and then creates SSH keys so that they can go around your password vault anytime they want?


Organizations may need to configure the screen saver start time for security or compliance. This article will show you how to use Active Directory group policies to prevent users from changing the screen saver start time. 

 

screensavertimelocked.png

 

Step 1. On a Mac, create a custom profile with Apple Configurator 2

1. Launch Apple Configurator 2. You can also create this with Profile Manager.

2. Go to File > New Profile.

3. Enter a profile name in the Name field.

profile-name.png

 

4. Then go to Passcode on the left column and set a time for Maximum Auto-Lock.

profile-lock-time.png

5. Go to File > Save

 

Step 2. Upload the profile to SYSVOL

1. Go to \\<domain>\SYSVOL\<domain> and create a mobileconfig folder if it does not exist.

2. Upload the profile to the mobileconfig folder.

3. In the Group Policy for your Macs, enable Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles.

Installmobileconfig.png

4. Click on the Add button, enter the name of your profile, then click OK.

5. Click OK.

 

The policy will apply at the next group policy interval, or you can launch Terminal on the Mac and run adgpupdate to apply it immediately.

This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.

 

The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/MacDiagnosticTool.app

  

 

Centrify Agent

 

To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation domain.com

 

To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename domain.com

 

To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username 

 

To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove

 

To leave the domain and leave the computer object untouched in Active Directory (adleave --force does not contact Active Directory, so the object is neither disabled nor removed):
sudo /usr/local/sbin/adleave --user domain_admin_username --force

 

To print information for the domain:
/usr/local/bin/adinfo

 

To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag

 

To view licensing mode:

/usr/local/sbin/adlicense

 

To enable licensed features:

sudo /usr/local/sbin/adlicense --licensed

 

To look up an Active Directory user's information:

/usr/local/bin/adquery user -A username

 

To look up an Active Directory computer's information:

/usr/local/bin/adquery user -A computername$

 

To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):

 

/usr/local/bin/adquery user -b managedBy computername$

 

To look up an Active Directory group's information:

/usr/local/bin/adquery group -A groupname

 

To change the currently logged in user's Active Directory password:

/usr/local/bin/adpasswd

 

To change an Active Directory user's password:

/usr/local/bin/adpasswd --adminuser domain_admin_username username@domain.com

 

To flush the Mac agent cache (Active Directory users will need to log in again to cache their credentials after this is run):

sudo /usr/local/sbin/adflush

 

The location of the Centrify configuration file:
/etc/centrifydc/centrifydc.conf

 

The location of Centrify Kerberos tools:
/usr/local/share/centrifydc/kerberos/bin/

 

To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart 


 

To turn on logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug on

 

To turn off logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug off 

 

To clear out the current log file:

sudo /usr/local/share/centrifydc/bin/addebug clear


Log file location:
/var/log/centrifydc.log

 

To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/uninstall.sh

 

To uninstall silently:
sudo /usr/local/share/centrifydc/bin/uninstall.sh --std-suite

 

 

Group Policy

 

To force group policy updates for both user and machine policies:
/usr/local/bin/adgpupdate

 

To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User

 

To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer

 

To view the currently set group policies:

/usr/local/bin/adgpresult

 

To view the currently set user group policies:

/usr/local/bin/adgpresult --user username

 

To view the currently set machine group policies:

/usr/local/bin/adgpresult --machine

 

The location of computer group policy reports:
/var/centrifydc/reg/machine/gp.report 

 

The location of the user group policy reports:
/var/centrifydc/reg/user/username/gp.report  

 

The location of login scripts:
/var/centrifydc/loginscripts/machine
/var/centrifydc/loginscripts/user/username

/var/centrifydc/scripts/additional/login
/var/centrifydc/scripts/additional/logout

 

To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain

 

To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain

 

The location of machine certificates:
/var/centrify/net/certs

 

The location of user certificates:
~/.centrify

/Users/username/.centrify

 

 

Directory Services

 

To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad -show

 

To unbind from the domain using the Apple plugin:

sudo /usr/sbin/dsconfigad -remove -username domain_admin_username

 

To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users

 

To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users

 

To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username

 

To list all of the groups in the DirectoryService and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups


 

To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups

 

To display detailed information about the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname

  

 

FileVault

 

To see if FileVault is enabled:

/usr/bin/fdesetup status

 

To list FileVault enabled users:

/usr/bin/fdesetup list

 

To disable FileVault:

sudo /usr/bin/fdesetup disable

 

To add a local or mobile account to the FileVault user list:

sudo /usr/bin/fdesetup add -usertoadd username

 

 

Smart Card

 

To see if smart card support is enabled: 
/usr/local/bin/sctool --status

 

To enable smart card support: 
/usr/local/bin/sctool --enable

 

To disable smart card support: 
/usr/local/bin/sctool --disable

 

To dump out all the certificates and Active Directory information present on the smart card:

/usr/local/bin/sctool --dump

 

To get a new kerberos ticket: 

/usr/local/bin/sctool --pkinit

 

Related Articles:

 

A Centrify Server Suite Cheat Sheet

By default PostgreSQL creates and stores user accounts in the SQL database. With a little work, the accounts can be managed from Active Directory and the passwords can be rotated on a regular basis using Centrify Privilege Service. 


Centrify provides an account migration tool that simplifies the process of converting a local account's home directory into the Active Directory account. Migrating the account helps to save the user's files, application settings, and browser bookmarks.


Centrify for Google Chromebook Single Sign-On Configuration Guide

 

Google G Suite has become one of the most popular on-demand business software suites in the market, and your organization has taken the plunge to migrate to it. You need to assign licenses to your end users automatically and give them single sign-on. You are worried about Chromebook device management and BYOD, and how to manage all of that for on-premises apps and cloud apps, too. You have a few questions and are looking for answers. Without SSO, user productivity is greatly affected; without Multi Factor Authentication, the risk of exposing inappropriate access increases; and without automated account provisioning / de-provisioning, IT has to manage all accounts manually.

 

Fortunately, Centrify Identity Service (CIS) provides a solution. CIS for Google G Suite offers a complete, robust, and easy-to-use Active Directory (AD) or CIS Cloud Directory integration with Google G Suite, providing a seamless authentication experience for Google G Suite users and an easy to use intuitive Administrative interface for IT staff to automate the process of on- and off-boarding employees with day one productivity.

With CIS you can ensure that users have seamless access via single sign-on (SSO) and that their Google G Suite accounts are created, updated, and deactivated on an integrated cycle with the rest of the systems in IT.

 

Centrify Identity Service integrates with any web application and enables administrators to:

  • SSO via SAML or CIS form fill to all Google G Suite: Gmail, Docs, Sites, Calendar, Analytics, etc.
  • Provide secure SSO with Active Directory integration
  • Automatically provision/de-provision users & apps by Active Directory group
  • Demonstrate compliance through usage auditing
  • Increase application ROI with seat-utilization reporting

Secure Application Access via MFA from unauthorized systems or locations


Background

Centrify recently commissioned a study with Forrester Research that yielded some important information about the state of security.  The bottom line: we have decided to throw money and resources at the problems around information security rather than rethinking our approach, and the result is more breaches and exposures.

You can access the study results here: https://www.centrify.com/lp/rethink-security-ebook

 

A key conclusion on over 200 organizations surveyed is that those with higher Identity and Access Management (IAM) maturity were breached 50% less while maintaining operational efficiency. 

 

As you read the previous paragraph, you may ask yourself: what is the first step on the journey to the continuous improvement required for IAM maturity?  As illustrated in the model below,
model.png

the key component is to establish identity assurance with technologies like MFA or PKI. However, this is challenging enough on its own, because many organizations have not achieved it on-premises, much less in IaaS/PaaS platforms like Amazon AWS.

 

This is where Centrify can help.  This article is about guiding you on how to use the Centrify platform to establish identity assurance in several use cases:  

  • Accessing the AWS Consoles with shared accounts (like Amazon root) or Federated identities
  • Accessing EC2 instances locally (Linux or Windows)
  • Accessing AWS commands via the CLI (E.g. PowerShell or Python)

Please note that identity assurance concepts apply to both users and systems (due to API access); in this article we'll focus on interactive (user) use cases.  For system-to-system or app-to-app access, other mechanisms like PKI or Kerberos can be used, which we can cover in another entry.

 

The Centrify Advantage

The biggest advantage for Centrify lies in its platform and integrations. As a company that covers both Identity as a Service (IDaaS) and Privileged Identity Management (PIM), we understand that everything starts with Identity Consolidation.   This is not the "legacy" (metadirectory/connector-based, mid-2000s) identity consolidation; this is the "straight-to-the-source", standards-based approach using federation on the IDaaS side, plus direct integration (with Kerberos) in the case of heterogeneous OS platforms.  We add to this a series of services:

  • A policy service
  • A multi-factor authentication engine (that includes modern and legacy-based support)
  • A risk-based engine (analytics) 

Our native integrations with Active Directory make us a prime vendor to consolidate capabilities. Here's an example: if an organization wants to secure access to a web app, integrate a non-Windows platform with a central directory like AD, and get MFA, they may engage 3 distinct vendors; Centrify, however, can help with world-class solutions in all three areas.  Let's look at the examples.

  

Securing Shared or Federated Access to the AWS Console

Centrify Identity Service provides several turn-key templates to help with shared or federated (via SAML or using the AWS API) SSO for Amazon Web Services.  We have covered these integrations here:

 

However, the powerful policy engine and the support for multiple authentication profiles makes this integration simple and flexible.  

anatomy-of-rule.png

Here's a quick demo on how this integration is enabled and the user experience:

Notice how we achieved our goals:  identity consolidation and assurance while maintaining usability.

 

Securing Access to Linux and Windows AWS EC2 Instances

Centrify Server Suite provides native integration with Active Directory, regardless of your deployment model. 

multi.png

By leveraging AD (hosted by you or in AWS), you eliminate the duplication of identity sources caused by SSH keys. In addition, DirectAuthorize technology provides role-based access control and privilege elevation and is fully integrated with the policy and authentication profiles provided by Identity Service or Privilege Service.  We have discussed these integrations here:
 

Provided the Identity Service/Privilege Service setup is correct and the proper PKI trust is in place, for Access and Privilege elevation, all we need to do is set up the proper checkbox at the role, UNIX command or Windows desktop or application.

 anatomy-ss.png

Here's the user experience that meets the requirements for identity assurance via MFA for both Linux and Windows in the context of access and privilege elevation.

 

Notice how we achieved our goals:  identity consolidation and assurance while maintaining usability.

 

Securing Access to AWS CLI (e.g. PowerShell)

Administration of AWS Services is often performed via the AWS CLI (implemented via Windows PowerShell or UNIX CLI).

If you're using Centrify Identity Service with SAML federation into AWS, you can implement the SSO plugin provided with the template.

aws-plugin.png

References:

Here's the user experience in PowerShell.  Note that the experience will be based on the authentication profile that applies to the user by policy.

pt1.png

If you have multiple roles, you get to select them:

rolesel.png 

Finally, the authentication token is stored in the $me variable and the user can move on to use AWS PowerShell cmdlets.   See the pattern here?  Identity assurance with MFA and role-based access without compromising usability, achieved with a single solution set.

  

Metrics

A cliché of business schools is the statement "you can't manage what you can't measure". Since we're dealing with IT security, you may want to track how we are performing against our goal of consistent identity assurance. In these AWS examples, we can use AWS CloudWatch metrics to measure the percentage of access in each context (e.g. Console, EC2, etc.) that is performed with assurance.  Therefore a good metric to track would be:

 iaratio.png

 

MFA events are tracked for Linux, Windows and the Identity Platform, which allows you to be creative and pull the information from CloudWatch or from Identity Service.

assurancedash.png

Note the CloudWatch widgets above.  In my Linux space, I have a ratio of close to 60% identity assurance (4 out of 7 successful logins were with MFA), however my track record on the sample data I created on Windows is much better (100%).  You use the same approach for privilege elevation via Centrify-enhanced sudo or Centrify Agent for Windows.

 

In the case of Identity Service or Privilege Service, the platform provides dashboards and reports like Security Overview - User Logins.

dash.png

These dashboards allow for reviewing information within 7 days or 24 hours and to look at specific date-time ranges. 

 

Conclusion

Identity assurance is closer than you think. With the "barriers of entry" for MFA solutions going down, it's all about working with the right partner, and Centrify excels at securing apps, endpoints, infrastructure and secrets. Finally, the obvious challenge is organizational dynamics: if you still have groups opposed to centralizing directories or maintaining legacy infrastructure, you can split the project into several phases and attack the platforms that are easier from a people/process standpoint.  Once you can demonstrate identity assurance within those applications or infrastructure, it will be hard for those "holding on to the past" to ignore that the best practices are here to stay. The model applies to all aspects of any risk-sensitive information technology area, and like every other framework it's not a silver bullet; new threats, attack vectors, compliance requirements and tools are introduced, so this has to evolve as well.

 

Related Articles

Using Centrify Audit Trail for UNIX/Linux with AWS CloudWatch

http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-UNIX-Linux-with-AWS/ba...

[Labs] Using Centrify Audit Trail for Windows with AWS CloudWatch

http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-Windows-with-AWS-Cloud...

[Security Corner] Reviewing your Access and Privilege Management Model with Centrify tools: http://community.centrify.com/t5/TechBlog/Security-Corner-Reviewing-your-Access-and-Privilege-Manage... 

Centrify Identity Service now includes a turnkey Munki solution for application management for managed Macs delivering a best in class user experience without any setup or configuration hassle.


Background

As more and more organizations run infrastructure in IaaS platforms like Amazon AWS, there's an increased need to enhance security operations and prove effective implementation of security controls.  AWS provides a solution set that includes CloudWatch.  

 

About CloudWatch

As defined by Amazon "CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications." 

For more information, check out the Getting Started guide for CloudWatch:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html

 

The goal of this article is to provide some initial guidance on leveraging AWS CloudWatch to collect, track and measure Centrify Audit Trail events in Windows systems running in AWS.

For a companion article that covers UNIX/Linux instances, click here:  http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-UNIX-Linux-with-AWS/ba...

 

About Centrify Audit Events

Centrify Audit Events (CentrifyAuditTrail) is the cross-platform framework used by Centrify Server Suite to document and provide access, privilege and audit trail event data. When a Centrify-enabled service is invoked, an audit trail event is written to UNIX syslog or the Windows event log.  These events are documented in the Audit Events Administrator's Guide for the current version of Server Suite.  The types or content of the events vary depending on the edition (Standard or Enterprise).

 

For more information, check out the current guide for Server Suite 2017: https://docs.centrify.com/en/css/suite2017/centrify-audit-events-guide.pdf

 

Pre-Requisites

For this lab, you'll need:

  • An AWS Account with the proper VPC setup, privileges in CloudWatch and IAM
  • Active Directory (run by you or managed by Amazon) and the proper VPC name resolution and communications
  • A Centrify zone, sample users and access/privilege setup
  • At least one Windows system joined to Active Directory and the Centrify zone
  • The Windows system should have some Centrify data (e.g. access, privilege elevations) present in the application event log.

Centrify AWS Lab:  You'll need to be at Standard Edition level to follow this lab; more info here:

http://community.centrify.com/t5/TechBlog/Labs-Setting-up-an-AWS-Test-Lab-for-Centrify/ba-p/27771

 

Implementation Overview

  1. Set-up your AWS Windows Instances for CloudWatch Logs (use AWS's docs)
  2. Verify Centrify Audit Trail events in the CloudWatch log group
  3. Identify Access and Privilege-related Metrics provided by Centrify
  4. Create the Filters and Assign a Metric
  5. Create a Dashboard
  6. Create an Alarm

 

Set-up your AWS Windows Instances for CloudWatch Logs

For information on this topic, please review AWS's documentation:
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/UsingConfig_WinAMI.html#send_logs_to_cwl

 

Note that Centrify Audit Trail resides in the Windows Application log.  To gather the proper event data, make sure you are capturing information and warning messages. This is configured by modifying the AWS.EC2.Windows.CloudWatch.json file in the proper location for your deployment (stand-alone or using the SSM service) and, under the ApplicationEventLog stanza, setting Levels to 7 as illustrated below:

 

{
    "Id": "ApplicationEventLog",
    "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
    "Parameters": {
        "LogName": "Application",
        "Levels": "7"
    }
},

Once you have the Windows logs for your instances in the corresponding Log Group, please proceed to the next section.

 

Verify Centrify Audit Trail events in the CloudWatch log group

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Logs > Click on the log group for your Windows instances (e.g. "Default-Log-Group"  or the group you are using for your Windows event logs)
  3. Click on Search log group and in filter events, type "AUDIT_TRAIL"
  4. Verify the results.
     win-audit.png
    If you have a Windows system that was joined to the Centrify zone, there will be event data about access, privileges and other activities.

Now you have verified that your systems are streaming event log data with Centrify Audit Trail information.

 

Identify Access and Privilege-related Metrics provided by Centrify

The Centrify Agent for Windows™ provides access control, multi-factor authentication and role-based privilege elevation; this component is called DirectAuthorize.  DirectAuthorize controls how users access the system and what commands they can run. The implementation of privilege elevation leverages roles defined in Active Directory and the DirectAuthorize client for Windows.

 

Example 

The metrics that you'll track will depend on your objectives and on your maturity level.  For illustration purposes, let's track successful and unsuccessful access and privilege elevation in my Windows EC2 instances. After reviewing the Centrify Audit Events guide, I identify the following events:

 

Access Control

Windows Remote Login Success:  These events are recorded when an authorized user from the Centrify zone is successfully granted access to the Windows system;  the Centrify Event Id is 6003.
6003.png
You can leverage the Audit Trail admin guide for a full catalog.

 

Windows Remote Login Failure:  The opposite of the event above, it's a warning stating that the user was not authorized to log in from the current station.  This may denote an attempt at lateral movement. The Event Id is 6011.
6011.png
 

Privilege Elevation

Run with Privilege Success:  Indicates successful privilege elevation via the Centrify Agent for Windows; this may be a privileged desktop or an application; the event ID is 6012.
6012.png  

Run with Privilege Failure:  Indicates an unsuccessful attempt at privilege elevation via the Centrify Agent for Windows; this may be a privileged desktop or an application, and could be user error or an abuse attempt; the event ID is 6018.

6018.png

 

Create the Filters and Assign a Metric

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Logs and select the radio button next to your log group (e.g. Default-Log-Group)
  3. Click Create Metric Filter
    • In filter pattern, type: centrifyEventID=6003
    • Press "Assign Metric" 
  4. In Filter Name, type a unique name for the filter
  5. In Metric details, create a new namespace (e.g. CentrifyAuditTrail) or browse for it if you already have it.
  6. In Metric name, give it a descriptive metric.
    metric-2.png
  7. Press Assign Metric.
  8. Repeat the process for all the metrics you've identified.

Create a Dashboard

Before creating a dashboard, you may want to plan how to visualize the data.  In some instances it's useful to see the aggregate data (# of events), in others it's useful to see a trend (graphs overlapped with time).

Once you have thought of how to visualize the data, it's time to get started with your Dashboard. 

 

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Dashboards > Create Dashboard and give it a name, then press Create Dashboard
  3. To add aggregated information, select the Number widget
  4. Select your Namespace, Dimension and check the metric(s) to be measured
  5. Go to the graphed metrics tab, and select the proper statistic and period  (e.g. sum and 1 day) and press Update Widget.
  6. Once you have the Widget in the dashboard, adjust the size and label.

Repeat the process for the trend view using a line or stacked area widget.

 

Below is a simple dashboard that includes the metrics above.

dzwin-dash.png 

Create an Alarm

A meaningful alarm could be based on a pattern outside expected behavior, an availability issue, or another event (or aggregation of events) tied to the risk you want to address.  This example is for illustration purposes only.

Example:  The threshold for attempted abuse of the privilege elevation feature of the Centrify Agent for Windows is 3 or more attempts within a 5 minute period. When this happens, an email should be sent to the members of the Security Operations distribution list.

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click Browse Metrics and next to Centrify-dzdo-Denied, click the alarm icon.
  3. In create alarm:
    Name: Alarm-DZWin-Privilege-Abuse
    Whenever: is equal or greater than 3 for 1 consecutive period
    Period: 5 minutes
    Statistic: Sum
  4. Actions
    Whenever this alarm state is Alarm
    Create a new list (secops@your-domain.com)

Trigger the alarm

  1. Sign-in to your Windows instance with your administrator
  2. For any application in your desktop, right click and select "Run with Privilege" 
  3. You should get this message:
    dzwin-denied.png
  4. Repeat 3 more times.  This should trigger the alarm.
    alarm21.png
  5. Review the Dashboard.  After a few minutes, the alarm will return to normal and you'll be notified
    alarms.png
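As an added example that is not part of the article, the Python script below emulates what the metric filters and the alarm above do, over constructed log lines: it extracts centrifyEventID from each AUDIT_TRAIL line, sums events per ID (the metric filters), and flags any fixed 5-minute period in which event 6018 occurs 3 or more times (the Alarm-DZWin-Privilege-Abuse rule). The line layout, timestamps and user names are constructed; the real Centrify Audit Trail field order is documented in the Audit Events guide.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (NOT the real Centrify Audit Trail field layout;
# see the Audit Events guide for that). Each line carries a UTC timestamp,
# the AUDIT_TRAIL marker the article searches for, the centrifyEventID=<id>
# pair the metric filters match on, and a constructed user name.
SAMPLE_LOG = r"""
2017-08-01T10:00:05Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6003 user=EXAMPLE\jane.doe
2017-08-01T10:01:10Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6011 user=EXAMPLE\bob
2017-08-01T10:02:00Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6012 user=EXAMPLE\jane.doe
2017-08-01T10:10:00Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6018 user=EXAMPLE\bob
2017-08-01T10:11:30Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6018 user=EXAMPLE\bob
2017-08-01T10:12:45Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6018 user=EXAMPLE\bob
2017-08-01T10:30:00Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6018 user=EXAMPLE\alice
2017-08-01T10:40:00Z AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|centrifyEventID=6003 user=EXAMPLE\alice
"""

# Event IDs named in the article and the metric each one feeds.
EVENT_NAMES = {
    6003: "Windows Remote Login Success",
    6011: "Windows Remote Login Failure",
    6012: "Run with Privilege Success",
    6018: "Run with Privilege Failure",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) .*AUDIT_TRAIL.*"
    r"centrifyEventID=(?P<id>\d+)(?:\s+user=(?P<user>\S+))?"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
EPOCH = datetime(1970, 1, 1)


def parse_events(log_text):
    """Return (timestamp, event_id, user) for every line carrying a centrifyEventID."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an audit trail line; a metric filter would skip it as well
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((ts, int(m.group("id")), m.group("user")))
    return events


def metric_filter_counts(events, event_ids=EVENT_NAMES):
    """Emulate one metric filter per event ID (pattern centrifyEventID=<id>), statistic Sum."""
    counts = Counter(eid for _, eid, _ in events if eid in event_ids)
    return {eid: counts[eid] for eid in event_ids}


def period_start(ts, period):
    """Align a timestamp to the start of its fixed evaluation period (CloudWatch-style bucketing)."""
    return ts - ((ts - EPOCH) % period)


def evaluate_alarm(events, event_id=6018, threshold=3, period=timedelta(minutes=5)):
    """Alarm-DZWin-Privilege-Abuse: Sum of event_id >= threshold within one period.

    Returns [(period_start, count, sorted_users), ...] for each period that breaches,
    so the analyst can see who generated the denied elevation attempts.
    """
    per_period = {}
    for ts, eid, user in events:
        if eid != event_id:
            continue
        bucket = per_period.setdefault(period_start(ts, period), [0, set()])
        bucket[0] += 1
        bucket[1].add(user)
    breaches = []
    for start in sorted(per_period):
        count, users = per_period[start]
        if count >= threshold:
            breaches.append((start.strftime(TS_FMT), count, sorted(users)))
    return breaches


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for eid, total in metric_filter_counts(evts).items():
        print(f"{eid} {EVENT_NAMES[eid]}: {total}")
    for start, count, users in evaluate_alarm(evts):
        print(f"ALARM period starting {start}: {count} denied elevations by {users}")
```

In the constructed sample, the three 6018 events between 10:10 and 10:15 breach the threshold while the single event at 10:30 does not, mirroring the four repeated "Run with Privilege" denials used to trigger the alarm above.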

Conclusion

We have only scratched the surface of the capabilities provided by AWS CloudWatch. In the context of Identity and Access Management, however, the enrichment of security operations via logs, alerts and dashboards should be done with standard tools; if each tool duplicates these capabilities, security operations won't know where to go first.  Centrify provides native plugins for Splunk, IBM QRadar and HP ArcSight.  These tools provide operational data as well as views like the following privileged command pie chart.
most-used.png

 

Related Articles

[Using Centrify Audit Trail for UNIX/Linux with AWS CloudWatch] 

http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-UNIX-Linux-with-AWS/ba...

[Security Corner] Reviewing your Access and Privilege Management Model with Centrify tools: http://community.centrify.com/t5/TechBlog/Security-Corner-Reviewing-your-Access-and-Privilege-Manage...  

Setting a Centrify AWS Test Lab: http://community.centrify.com/t5/TechBlog/Labs-Setting-up-an-AWS-Test-Lab-for-Centrify/ba-p/27771
Using AWS OpsWorks (Chef 12) to deploy Centrify DirectControl on EC2 Linux instances: http://community.centrify.com/t5/TechBlog/Labs-Using-AWS-OpsWorks-Chef-12-to-deploy-Centrify-DirectC

Centrify Audit Trail Administrator's guide (2017): https://docs.centrify.com/en/css/suite2017/centrify-audit-events-guide.pdf 

Background

As more and more organizations run infrastructure in IaaS platforms like Amazon AWS, there's an increased need to enhance security operations and prove effective implementation of security controls.  AWS provides a solution set that includes CloudWatch.  

 

About CloudWatch

As defined by Amazon "CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications." 

For more information, check out the Getting Started guide for CloudWatch:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html

 

The goal of this article is to provide some initial guidance on leveraging AWS CloudWatch to collect, track and measure Centrify Audit Trail events on UNIX and Linux systems running in AWS.

For a companion article that describes the process for Windows instances, go here: http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-Windows-with-AWS-Cloud...

 

About Centrify Audit Events

Centrify Audit Events (CentrifyAuditTrail) is the cross-platform framework used by Centrify Server Suite to document and provide access, privilege and audit trail event data. When a Centrify-enabled service is invoked, an audit trail event is written to UNIX syslog or Windows event log.  These events are documented in the  Audit Events Administrator's Guide for the current version of Server Suite.  The types or content of the events vary depending on the edition (Standard or Enterprise).

 

For more information, check out the current guide for Server Suite 2017: https://docs.centrify.com/en/css/suite2017/centrify-audit-events-guide.pdf

 

Pre-Requisites

For this lab, you'll need:

  • An AWS Account with the proper VPC setup, privileges in CloudWatch and IAM
  • Active Directory (run by you or managed by Amazon) and the proper VPC name resolution and communications
  • A Centrify zone, sample users and access/privilege setup
  • At least one Linux system joined to Active Directory and the Centrify zone
  • The Linux system should have some Centrify data (e.g. logins, privilege elevations) present in syslog.

Centrify AWS Lab:  You need to be at the Standard Edition level to follow this lab; more info here:

http://community.centrify.com/t5/TechBlog/Labs-Setting-up-an-AWS-Test-Lab-for-Centrify/ba-p/27771

 

Implementation Overview

  1. Set-up your AWS Linux Instances for CloudWatch Logs (use AWS's docs)
  2. Verify Centrify Audit Trail events in the CloudWatch log group
  3. Identify Access and Privilege-related Metrics provided by Centrify
  4. Create the Filters and Assign a Metric
  5. Create a Dashboard
  6. Create an Alarm.

 

Set-up your AWS Linux Instances for CloudWatch Logs

For information on this topic, please review AWS's documentation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_GettingStarted.html

Once you have the /var/log/messages logs for your instances, please proceed to the next section.

 

Verify Centrify Audit Trail events in the CloudWatch log group

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Logs > Click on the log group for your Linux instances (e.g. "/var/log/messages"  or the group you are using for your Linux syslog)
  3. Click on Search log group and in filter events, type "AUDIT_TRAIL"
  4. Verify the results
     audit-trail.png
    If you have a system that was joined to the domain via Centrify, there will be event data about access, privileges and other activities.

Now you have verified that your systems are streaming syslog data with Centrify Audit Trail information.

 

Identify Access and Privilege-related Metrics provided by Centrify

Centrify DirectControl provides access control and role-based privileged elevation; this component is called DirectAuthorize.  DirectAuthorize controls how users access the system and what commands they can run. The implementation of privilege elevation leverages Centrify-enhanced sudo.

 

Example 

The metrics that you'll track will depend on your objectives and on your maturity level.  For illustration purposes, let's track successful and unsuccessful access and privilege elevation on my Linux EC2 instances. After reviewing the Centrify Audit Events guide, I identify the following events:

 

Access Control

PAM Authentication Granted:  These events are related to the UNIX framework;  the PAM Auth module is used by any PAM-enabled application.  This can be a catch-all for any app using it (e.g. OpenSSH server, Switch User (su), etc);  the Centrify Event Id is 24100.

pamev.png

Centrify SSHD Denied:  My EC2 instances are running Centrify-enhanced OpenSSH.  I'm interested in looking at this metric, especially on instances with public IPs because it may denote attempts to break-in or move laterally. The Event Id is 27101.

 

Privilege Elevation

Centrify dzdo Granted:  Indicates successful privilege elevation using Centrify-enhanced sudo.  Event id: 30000.

Centrify dzdo Denied:  Indicates denied privilege elevation using Centrify-enhanced sudo.  It may help identify attempts at privilege abuse.  Event id: 30001.

 

Create the Filters and Assign a Metric

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Logs and select the radio button next to your log group (e.g. /var/log/messages)
  3. Click Create Metric Filter
    • In filter pattern, type: centrifyEventID=24100
    • Press "Assign Metric" 
  4. In Filter Name, type a unique name for the filter
  5. In Metric details, create a new namespace (e.g. CentrifyAuditTrail) or browse for it if you already have it.
  6. In Metric name, give the metric a descriptive name.
    metric.png
  7. Press Assign Metric.
  8. Repeat the process for all the metrics you've identified.

Create a Dashboard

Before creating a dashboard, you may want to plan how to visualize the data.  In some instances it's useful to see the aggregate data (# of events), in others it's useful to see a trend (graphs overlapped with time).

Once you have thought of how to visualize the data, it's time to get started with your dashboard. 

 

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click on Dashboards > Create Dashboard and give it a name, then press Create Dashboard
  3. To add aggregated information, select the Number widget
  4. Select your Namespace, Dimension and check the metric(s) to be measured
  5. Go to the graphed metrics tab, and select the proper statistic and period  (e.g. sum and 1 day) and press Update Widget.
  6. Once you have the Widget in the dashboard, adjust the size and label.

Repeat the process for the trend view using a Line or Stacked area widget.

 

Below is a simple dashboard that includes the metrics above.

 

dash.png

Create an Alarm

A meaningful alarm could be based on a pattern outside expected behavior, an availability issue, or another event (or aggregation of events) tied to the risk being addressed.  This example is for illustration purposes only.

Example:  The threshold for attempted abuse of Centrify-enhanced sudo is 3 or more attempts within a 5 minute period. When this happens, an email should be sent to the members of the secops distribution list.

  1. Go to your CloudWatch console: https://console.aws.amazon.com/cloudwatch/home
  2. Click Browse Metrics and next to Centrify-dzdo-Denied, click the alarm icon.
  3. In create alarm:
    Name:  Alarm-Abuse-dzdo
    Whenever: is equal or greater than 3 for 1 consecutive period
    Period: 5 minutes
    Statistic: Sum
  4. Actions
    Whenever this alarm state is Alarm
    Create a new list (secops@your-domain.com)

Trigger the alarm

  1. Sign-in to your Linux instance with homer
  2. Type 'dzdo su - root' and press enter
  3. You should get this message:
    [homer@cdctest2 ~]$ dzdo su -
    Sorry, user homer is not allowed to execute '/bin/su -' as root on cdctest2.
  4. Repeat 3 more times.  This should trigger the alarm.
    alarm.png
  5. Review the Dashboard.  After a few minutes, the alarm will return to normal and you'll be notified
    alarm2.png
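The metric filters and the alarm rule above, as an added example that is not part of the original article or Centrify's code: a Python emulation that applies the four filter terms to constructed syslog lines and evaluates the "3 or more dzdo denials in a 5 minute period" rule against the resulting Sum, so you can see why four attempts by homer trip the alarm. The log lines are constructed approximations of Centrify Audit Trail syslog output, and the filter and metric names are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines approximating Centrify Audit Trail output; only
# the timestamp and the centrifyEventID field matter to the filters below.
SAMPLE_LOG = """\
2017-06-10T21:30:05 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=marge centrifyEventID=30000 command=/bin/cat
2017-06-10T21:31:12 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|1|dzdo denied|5|user=homer centrifyEventID=30001 command=/bin/su -
2017-06-10T21:31:40 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|1|dzdo denied|5|user=homer centrifyEventID=30001 command=/bin/su -
2017-06-10T21:32:03 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=bart centrifyEventID=27101
2017-06-10T21:33:55 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|1|dzdo denied|5|user=homer centrifyEventID=30001 command=/bin/su -
2017-06-10T21:34:20 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|1|dzdo denied|5|user=homer centrifyEventID=30001 command=/bin/su -
2017-06-10T21:52:08 cdctest2 adclient[1432]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|1|dzdo denied|5|user=homer centrifyEventID=30001 command=/bin/su -
"""

# One metric filter per event identified above (filter/metric names are assumed).
FILTERS = {
    "Centrify-PAM-Granted": "centrifyEventID=24100",
    "Centrify-SSHD-Denied": "centrifyEventID=27101",
    "Centrify-dzdo-Granted": "centrifyEventID=30000",
    "Centrify-dzdo-Denied": "centrifyEventID=30001",
}
# The article's alarm: Sum >= 3 within one 5 minute period, 1 consecutive period.
ALARM = {"metric": "Centrify-dzdo-Denied", "period": 300, "threshold": 3,
         "evaluation_periods": 1}
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

def metric_data(log_text, filters=FILTERS, period=300):
    """Emulate metric filters with metric value 1: each line containing a filter
    term adds 1 to that metric's Sum for the period bucket holding its timestamp."""
    data = {name: defaultdict(int) for name in filters}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:  # skip anything that is not a timestamped syslog line
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(second=0)
            bucket = ts - timedelta(minutes=ts.minute % (period // 60))  # floor to period
            for name, term in filters.items():
                if term in line:
                    data[name][bucket] += 1
    return data

def evaluate_alarm(data, alarm=ALARM):
    """Return ISO timestamps of periods in ALARM state. Periods with no data count
    as 0 (a simplification of CloudWatch's configurable missing-data handling)."""
    series = data[alarm["metric"]]
    step, run, alarms = timedelta(seconds=alarm["period"]), 0, []
    bucket = min(series, default=None)
    while bucket is not None and bucket <= max(series):
        run = run + 1 if series.get(bucket, 0) >= alarm["threshold"] else 0
        if run >= alarm["evaluation_periods"]:
            alarms.append(bucket.isoformat())
        bucket += step
    return alarms

if __name__ == "__main__":  # walk the sample through the filters and the alarm
    counts = metric_data(SAMPLE_LOG)
    for name, series in counts.items():
        print(name, {b.strftime("%H:%M"): n for b, n in sorted(series.items())})
    print("ALARM periods:", evaluate_alarm(counts))
```

The 21:30 period collects four dzdo denials, which meets the threshold, while the single denial at 21:52 does not; raising the threshold or pointing the alarm at a metric with no matches yields no ALARM periods.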

Conclusion

We have only scratched the surface of the capabilities provided by AWS CloudWatch; however, in the context of Identity and Access Management, the enrichment of security operations via logs, alerts and dashboards should be done with standard tools. Otherwise, if each tool duplicates these capabilities, security operations won't know where to go first.  Centrify provides native plugins for Splunk, IBM QRadar and HP ArcSight.  These tools provide both operational data and security views such as the following privilege command pie chart.
most-used.png

 

Related Articles

[Labs] Using Centrify Audit Trail for Windows with AWS CloudWatch:

http://community.centrify.com/t5/TechBlog/Labs-Using-Centrify-Audit-Trail-for-Windows-with-AWS-Cloud...

[Security Corner] Reviewing your Access and Privilege Management Model with Centrify tools: http://community.centrify.com/t5/TechBlog/Security-Corner-Reviewing-your-Access-and-Privilege-Manage...  

Setting a Centrify AWS Test Lab: http://community.centrify.com/t5/TechBlog/Labs-Setting-up-an-AWS-Test-Lab-for-Centrify/ba-p/27771
Using AWS OpsWorks (Chef 12) to deploy Centrify DirectControl on EC2 Linux instances: http://community.centrify.com/t5/TechBlog/Labs-Using-AWS-OpsWorks-Chef-12-to-deploy-Centrify-DirectC

Centrify Audit Trail Administrator's guide (2017): https://docs.centrify.com/en/css/suite2017/centrify-audit-events-guide.pdf 

[How To] - Installing the Centrify Connector

By Centrify Contributor III on ‎04-21-2017 03:40 PM - last edited 3 weeks ago

Thank you for choosing Centrify!

 

The following is a step-by-step guide designed to help walk you through an installation of the Centrify Connector. The Centrify Connector is a lightweight application that provides the following services: 

  • Active Directory/LDAP Proxy
  • Application Gateway 
  • RADIUS Server
  • Web Server (IWA)

 

Architecture Diagram

 

Screenshot 2017-06-10 21.39.25.png

 
Hardware Requirements

 

  • Windows Server 2008 R2 (64 bit) or newer with 8 GB of memory. 
  • Internet access (outbound port 443) to reach the Centrify Identity Services platform. 
  • A 'Baltimore Cyber Trust Root CA' certificate installed in the 'Local Machine Trusted Certificate' root authorities store.
  • Microsoft .NET version 4.5 or later.

 

If you are referencing accounts in an Active Directory tree or forest, the Centrify Connector can be joined to any domain controller in the tree (it does not need to be the root). In addition, that domain controller must have two-way, transitive trust relationships with the other domain controllers. 

 

Centrify recommends at least two Centrify Connectors on separate physical servers for high availability and redundancy. Centrify Connectors work active-active, load balance and are site aware.

 

Let's Get Started

 

1) Download the Centrify Connector package by logging into your Identity Services 'Admin Portal' navigating to 'Settings' -> 'Network' -> 'Centrify Connectors' -> 'Add Centrify Connector'

 

Screenshot 2017-06-10 22.04.29.png

 

2) Click on the ’64-bit’ link to download the installation package to the server you want to install the Cloud Connector on. 

 Screenshot 2017-04-23 09.27.01.png

 

3) Install the Centrify Connector on the member server by double clicking on the executable file.

 

9 - installing cloud connector.png

 

4) Click ‘Next’ to continue.

 

Screenshot 2017-04-21 15.03.18.png

 

5) Review the Centrify End User Software License and Services Agreement, accept the terms of the agreement, then click ‘Next’ to continue.

 

Screenshot 2017-04-21 15.03.36.png

 

6) Click ‘Install’ to install the Centrify Connector on the server.

 

Screenshot 2017-04-21 15.09.00.png 

 

7) Click ‘Finish’ to complete installation of the Centrify Connector on the server.

 

Screenshot 2017-04-21 15.31.43.png

 

8) A second installation wizard will appear to initiate the connection between Active Directory and your Centrify Identity Service tenant. Once the window appears, click ‘Next’ to continue.

 

Note: The second installation wizard may take up to a few minutes to appear. 

 

Screenshot 2017-04-23 09.50.29.png

 

9) Provide your Centrify Identity Service administrator username and password. This is the default administrator password provided during activation to your Centrify Identity Service tenant. Click ‘Next’ to continue.

 

Screenshot 2017-04-21 15.15.16.png

 

10) If you are installing the Centrify Connector on a web proxy server, add server configurations in this window. While available as an option, a web proxy server is not required for the Centrify Connector. Click ‘Next’ to continue.

 

Screenshot 2017-04-21 15.19.44.png

 

11) The following step is optional unless you want Centrify to automatically keep users in the Centrify Admin Portal current with users in Active Directory, in which case it is required. 

 

If you are installing the Centrify Connector with an account that has 'Read' permissions to the Deleted Objects container, you can click 'Next' to continue. The Centrify Connector will inherit the permissions of the user installing the Centrify Connector during the installation.

 

If you are installing the Centrify Connector with an account that does not have 'Read' permissions to the Deleted Objects container, proceed to step 12 below to provide an account that does have the permissions.

 

Screenshot 2017-04-21 15.19.28.png 

 

12) If you are installing the Centrify Connector with credentials that do not have read access to the Deleted Objects folder, and you want to take advantage of Centrify's auto provisioning feature, you can specify alternative credentials by clicking on 'Edit -> Specify alternate user credentials'. The Centrify Connector will inherit permissions of the credentials you specify in this menu or by the user installing the Centrify Connector on the server. If you specify alternative credentials, click 'OK' then 'Next' to continue. 

 

Screenshot 2017-04-21 15.19.57.png

 

13) The Centrify Connector will attempt to connect to your Centrify Identity Service tenant. When you see five successes, click ‘Next’ to continue.

 

Screenshot 2017-04-21 15.20.09.png

 

14) Click ‘Finish’ to continue.

 

Screenshot 2017-04-21 15.20.40.png

 

15) The Centrify Connector Configuration console will display upon completion of the installation. Verify the connection is successful within the ‘Status’ tab.

 

Note: You can install multiple connectors to architect high availability and redundancy in your environment. Repeat the installation steps to install additional Centrify Connectors for redundancy and high availability. Centrify Connectors work active/active, load balance authentication traffic and are site aware. 

 

Screenshot 2017-04-23 09.57.25.png

 

16) The ‘Centrify Connector’ tab within the Centrify Connector Configuration console gives you the ability to 'Start'/'Stop' the connection to your Identity Service tenant. You can also 'View Log' for the persistent outbound connection the Centrify Connector has established to your Identity Service tenant.  

 

Screenshot 2017-04-23 09.59.11.png

 

17) In Centrify, refresh the web-page and verify that the connection was successful. If you have multiple Centrify Connectors, you will see each instance of those connections listed in this menu. 

 

Screenshot 2017-06-10 22.19.09.png

 

We hope this installation guide was helpful. For all other questions on how Centrify can help you consolidate user identities and solve the #1 cause of all cyber attacks, please contact us at https://www.centrify.com/about-us/contact/

 

[How to] Centrify for Google G Suite Deployment Guide

By Centrify Contributor III on ‎04-21-2017 03:19 PM - last edited ‎04-21-2017 03:24 PM

Centrify for Google G Suite offers a complete, robust and easy-to-use integration of Active Directory (AD) or the Centrify Cloud Directory with Google G Suite, providing a seamless authentication experience for Google G Suite users and an intuitive administrative interface that lets IT staff automate the on- and off-boarding of employees with day-one productivity.

 

With Centrify you can ensure that users have seamless access via single sign-on (SSO) and that their Google G Suite accounts are created, updated, and deactivated on an integrated cycle with the rest of the systems in IT.

Secure access to Google G Suite from any device. Enforce and update mobile security settings, and remotely lock or wipe devices. Lock the Centrify Mobile App with a passcode or fingerprint, and prevent unauthorized users from accessing your Google data. No separate software required.

 

The Google G Suite Deployment Guide covers…

 

  • Preparing your Google G Suite and Google G Suite developer account
  • Limiting access to certain Google G Suite based on Security Group
  • Configuring automated account provisioning into Google G Suite
  • Enabling Single Sign On in Google G Suite
  • Provisioning new Users
  • Integration with Active Directory
  • Securing the Administrative Account for Google G Suite

 

Read more...
