Using local MacOS administrator accounts can lead to security and compliance issues such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Active Directory users Mac administrator rights to minimize risk and meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.
1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group
a) Click on the Add... button. A new window will appear.
b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.
c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click on Find Now. Make sure you add IT/helpdesk team and any user that needs admin rights on the Mac.
d) Select the desired group name and click OK.
The setting will apply when the user logs out and logs back in.
If your Mac is using Zone mode, use the following article: https://centrify.force.com/support/Article/KB-3049
Prevent unauthorized access and minimize risk by restricting MacOS login access to specific Active Directory users or groups.
Support has helped multiple customers who are trying to meet the challenges posed by the badlock vulnerability in samba while also learning about how to move to Centrify's new adbindproxy component. This article is based on our recent experience helping customers migrate in hopes it will help other customers who are seeking similar guidance.
The following information applies to Red Hat Linux. If you are using a different operating system, please recognize that some of the commands may differ somewhat.
Let’s log into a Linux machine that is joined to a Centrify zone and has Centrify-enabled samba on it. Once logged in, let’s check the shares on the machine by running smbclient at the command prompt.
After verifying the correct shares are listed, let’s backup the samba configuration file:
dzdo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
We’re now ready to uninstall the Centrify-enabled samba installation from the machine using the rpm command:
dzdo rpm -e CentrifyDC-samba (the package name is case sensitive)
And then verify it was removed:
dzdo rpm -qa | grep -i Centrify
Ensure nothing for Centrify samba is listed. We’ll then want to remove any stock samba 3 installations. We will first search for them:
dzdo rpm -qa | grep samba
If any show up, we’ll then want to remove the packages with the yum command:
dzdo yum remove samba*
Enter a y to remove when prompted.
We’re now ready to install samba 4, again utilizing the yum command:
dzdo yum install samba4*
When prompted, enter a y to install.
We should then verify installation:
dzdo rpm -qa | grep samba
As long as the installation is listed, we are ready to move the backed up samba config file into place in order to utilize all of our previous samba settings:
dzdo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
You can check the date stamp to ensure the smb.conf file is the one we just copied into place.
If you’d like to verify the share files are still showing correctly, please run testparm at the command prompt. The shares should show.
We’re now ready to download and install Centrify’s adbindproxy. Please open a browser and navigate to www.centrify.com and then go to Support and then Download Center and use your Support Portal login to log into the site. Once logged in, please go to “Tools and Troubleshooting” and find “Integration with Samba”. It will then show a list of the different operating systems. Please select the TGZ button next to the line that matches your operating system and download the file.
Once the download completes, please copy or move the file to the *nix machine. You can make a directory on the Linux machine where you’d like to untar the tgz file:
You can then navigate to the directory where the tgz file is located and untar it:
mv centrify-adbindproxy……..tgz /tmp/adbindproxy/
tar -xvf centrify-adbindproxy…….tgz
We’ll then install adbindproxy with the rpm command:
dzdo rpm -Uvh centrify-adbindproxy…….rpm
After the installation is complete, we’ll want to run the configuration script for adbindproxy and we’ll mostly be taking the defaults in the script with a few exceptions:
One of the prompts will ask whether you want to join the machine to a zone. If it’s already joined, you can just press Enter. If you need to join it to a zone, enter the zone name here and press Enter.
The next prompt you want to watch for is the one that says:
Please specify the stock samba winbind listen path(dir)if it is not in [/run/samba/winbindd]:
RHEL 6 often uses /var/run/samba/winbindd for its winbindd listen path so you’ll want to verify the winbindd path and change it here if necessary. If it uses the default path, you can just press enter.
You should just be able to take the defaults through the rest of the script but you may want to read them to verify they are correct before pressing enter.
After the script completes, the samba services (smbd, nmbd, winbindd and adbindd) will need to be restarted. Centrify has a built-in command for restarting all four services so that they don’t have to be restarted one at a time. At the command prompt, please run:
dzdo service centrifydc-samba restart
You’ll be able to verify the services are starting OK at this point.
We’ll want to add this setting to chkconfig to ensure this command runs if the server is ever rebooted. We can do that by running the following command:
dzdo chkconfig --add centrifydc-samba
We then need to turn the service on in chkconfig:
dzdo chkconfig centrifydc-samba on
And then verify it started correctly for the run levels that are necessary:
dzdo chkconfig --list centrifydc-samba
We’re ready to verify the samba version installed:
We can also verify we see the Linux shares:
smbclient -L //localhost
And then connectivity to the shares:
It will go to a prompt that looks like smb:\> where you can type in ls and the shares should be listed.
You may also want to go to a Windows machine and verify you can get to the shares from there. If you go to Windows Explorer and, in the address window, type in \\servername\sharename, you should see the contents of the share.
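Added example, not part of the article: POSIX shell helpers that check the state the migration above should leave behind (packages removed, winbindd path, smb.conf restored, service enabled at boot). Each helper reads arguments or stdin so it can be exercised against constructed data; the live-host commands that feed them are listed in the trailing comments.

```shell
#!/bin/sh
# Added example, not part of the article: checks for the state the migration
# above should leave behind. Helpers read arguments or stdin so they can be run
# against constructed data; live-host usage is shown at the bottom.

# Given `rpm -qa` output on stdin, print any package the procedure should have
# removed: the Centrify-enabled samba build and any samba 3 (non-samba4) package.
# Exit status 0 means clean, 1 means leftovers were printed.
leftover_samba_packages() {
    if grep -i -E '^(CentrifyDC-samba|samba([^4]|$))'; then
        return 1
    fi
    return 0
}

# Print the winbindd listen directory the adbindproxy configure script asks
# about: /run/samba/winbindd by default, /var/run/samba/winbindd on RHEL 6.
# $1 is an optional filesystem root (empty for the live system).
winbindd_listen_dir() {
    root=${1:-}
    for d in /run/samba/winbindd /var/run/samba/winbindd; do
        if [ -d "$root$d" ]; then
            echo "$d"
            return 0
        fi
    done
    echo "no winbindd listen directory under ${root:-/}" >&2
    return 1
}

# $1 = backup smb.conf, $2 = live smb.conf. A checksum comparison is a stronger
# check than the timestamp glance the article suggests.
smb_conf_restored() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Print the share names defined in an smb.conf ($1), one per line, skipping
# [global]; compare this list with what `smbclient -L //localhost` reports.
shares_in_conf() {
    sed -n -e '/^[[:space:]]*\[[Gg][Ll][Oo][Bb][Aa][Ll]\]/d' \
           -e 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# Reads one `chkconfig --list centrifydc-samba` line on stdin and succeeds only
# if the service is "on" in run levels 3 and 5 (multi-user and graphical).
service_enabled_for_multiuser() {
    line=$(tr '\t' ' ')
    case " $line " in
        *" 3:on "*) ;;
        *) return 1 ;;
    esac
    case " $line " in
        *" 5:on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live-host usage (prefix with dzdo where root is needed):
#   rpm -qa | leftover_samba_packages
#   winbindd_listen_dir
#   smb_conf_restored /etc/samba/smb.conf.bak /etc/samba/smb.conf
#   shares_in_conf /etc/samba/smb.conf
#   chkconfig --list centrifydc-samba | service_enabled_for_multiuser
```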
You’re all set. You are now running on stock samba with Centrify’s adbindproxy in place to help integrate samba with Centrify.
Centrify has some additional resources on this subject if you’re interested.
There’s a Samba Integration Guide that came with the adbindproxy download and can be found in the directory where we untarred the tgz file. You can also get this documentation from the Centrify website by going to:
There is also a video that goes over the process step by step that you can view below.
There are also some knowledge-base articles that are helpful with this process. You can find them in the community section of the website. Links to these KBs are listed below.
Staff changes are part of organizational life; promotions, job changes, expired contracts, M&A activities, retirements and other causes contribute to IT turnover. In researching this article I saw turnover rates from 17% to 38% in different industries.
As technology deployments mature, managers and subject matter experts change. For those who inherit security practices, there is no greater source of stress than being handed infrastructure that came in "before my time", and there's a natural impulse to press the "reset" button. Regardless of your role (Application Architect, IT Manager, UNIX or Active Directory Lead), you first need to understand what Centrify products are providing for you today, whether you are maximizing the investment, whether the current SMEs are trained to support the products, and whether the solutions can solve existing or upcoming challenges.
This article provides tips for leads that inherit Centrify Datacenter deployments.
Tip #1: Know your Centrify Representatives
This is a fundamental step. Your Centrify representatives (Regional Account Manager and Systems Engineer) have a lot of information about your account. They understand the original drivers for Centrify implementation and may also know areas for improvement. Here are a few things they can do for you:
- They can onboard your SMEs to the Customer Support Portal
- They can help with escalations if there are outstanding cases
- They can provide briefings about new or existing features
- They can help with commercial topics (business justification, budgets, quotes, etc)
- They can help you understand your maintenance benefits
- They can help you understand the product lifecycle
- They can coordinate roadmap sessions with Product Management leads.
As you can see, staying in touch with your existing representatives can help you maximize your benefits as a Centrify customer.
In a nutshell, Centrify provides 3 solutions:
Tip #2: Make sure all staff has access to the Customer Support Portal and other Resources
Centrify has invested a lot in revamping resources for customers, so access to the Support Center is a key asset because you can:
a) Access the KnowledgeBase: This is the first step when encountering an issue
b) Create and Manage Cases/Escalations: Obtain a self-service view of any or all outstanding cases.
c) Documentation Center: All Centrify documentation resources in a single place.
d) Download Center: All current customers with maintenance are entitled to upgrades.
e) Security, Support and Lifecycle centers: Read all about security notifications, SLAs and software version support.
f) Centrify community (public): Feel free to leverage the community for questions, issues or enhancement requests.
Tip #3: Internally: Identify your Stakeholders
You and your team need a 360-degree view of your stakeholders. Centrify Server Suite is all about re-using Windows Active Directory infrastructure for authentication and privileged identity management; however, the reach extends beyond what's obvious:
Architects: Architects may look at the authentication methods exposed by Centrify (Kerberos, GSSAPI, SPNEGO, PAM, SASL, etc.) and may be using them with applications. This use case goes beyond operating system authentication and privilege elevation. They may also be counting on Centrify's AD integration in IaaS environments like Microsoft Azure or Amazon EC2, or leveraging the Centrify LDAP Proxy to provide lookup or authentication services for legacy apps.
Security: Security leads may be using attestation data provided by Centrify to answer the proverbial question "Who has access to these systems and what can they do?", or they may be in charge of defining roles/rights, etc. Extra tip: Centrify has invested in a Report Service just for attestation data.
Active Directory: As AD is the underlying infrastructure used by Centrify, you have to be involved in impact assessment and change control for AD. Extra tip: Centrify software is ready for any Domain or Forest functional level; however, it is good to know what the implications are.
Other Infrastructure Leads: There are other infrastructure leads (e.g. storage administrators) that may be using Centrify utilities (like the LDAP or NIS proxy) for Windows-to-UNIX identity consolidation, or Mac OS X administrators that have achieved advanced AD integration with Centrify's OS X client.
Tip #4: Know where your deployment is today
This is a key step. You need to understand how Centrify is used today, whether for compliance alignment or for capability reasons.
- Are you using software that is end-of-life?
- Are you over or under-deployed?
- What's your current Centrify inventory?
- Are you missing any activation keys?
- Are you using out of date practices (e.g. Classic zones)?
- Are you submitting deployment reports as per your MSA?
The questions above can be answered by using the Access Manager console or the stand-alone Centrify Deployment Report Utility.
Are your consoles up-to-date?
Although consoles should not be used for day-to-day administration (if you've deployed based on best practices), it's convenient to keep them up-to-date (no worries, they are backwards-compatible). New versions of the consoles come out two or three times a year.
Have you implemented privilege management?
A common occurrence in environments with large turnover is that Centrify Standard Edition implementations are not using the software for PIM on UNIX/Linux or Windows; we often see organizations using sudo/sudoers or "-a" or "run as" accounts instead of leveraging the robustness of Centrify software.
"What is DirectAuthorize" http://community.centrify.com/t5/Centrify-Server-S
"A better way to sudo" by @Gautam: http://community.centrify.com/t5/Community-Tech-Bl
Have you implemented multi-factor authentication?
Step-up or multi-factor authentication has evolved from a VPN-only capability to a must-have in different contexts. Centrify software is ready for this, and with Centrify Identity Service you can get push MFA, OTP, OATH, phone factor, SMS, YubiKey and legacy support for physical tokens like SecurID on UNIX, Linux, Windows, apps and VPNs.
Have you integrated your filers?
When consolidating Windows and UNIX identity, your heterogeneous client environment can benefit from unified shared-folder access, and Centrify provides utilities that supply identity data to filers such as Hitachi, EMC, NetApp and others. This ensures that a multi-protocol share (NFS, Apple, CIFS) provides unified access.
Is your deployment in good health? When was the last time the environment was analyzed?
There are several tips to know if your deployment is in good health. Start by using the Analyze Wizard to determine if there are any issues with orphaned objects and poor habits.
On the client side, disconnections and frequent unlatching may be related to issues with DNS, connectivity or domain controller overhead. Use the "adinfo -T" command or the adcheck utility.
Are your DirectAudit stores holding-up as expected (data retention)?
If you are using Enterprise Edition, data retention and DirectAudit storage have to be closely monitored. Centrify provides PowerShell support to initiate actions automatically.
- How is your UNIX/Linux/Mac onboarding today?
- How do you provision UNIX/Linux roles and rights? Is the process manual or automatic?
- How do you attest or report on access/privileges? Is the process manual or automatic?
- How do you manage the lifecycle of servers (build-join-decommission-leave)? Are there areas of optimization?
Remember that technology enables your process, not the other way around.
Tip #5: Set up yourself and your team for success
IT is a service-oriented business; however, if there are knowledge gaps, your personnel won't be able to deliver on established SLAs and they will go through unnecessary stress. Ask yourself and your team:
- Are your SMEs trained to support Centrify?
- If you're taking on a re-design, are your SMEs ready?
Centrify offers several training offerings including onsite training, public classes and computer-based training. Learn more here: https://www.centrify.com/services/#training
If you consider AD and Centrify critical and you want to take it to the next level, you can review the certification program.
Tip #6: Assess if you are adhering to current Centrify best practices
The core product of Centrify Server Suite (DirectControl) has been around for 12 years at the time of this writing; most importantly, Centrify has invested heavily in the product with new features, security and maintenance releases. Platforms are added, but more importantly, design guidelines change. Just as Active Directory's design principles have changed since Windows 2000, a similar change has happened with Centrify. The introduction of hierarchical zones, UNIX/Linux and Windows RBAC, utilities and MFA has drastically changed the way Centrify implementations are executed. Gone are the days of multiple 'flat' classic zones. Many other constructs have been introduced for flexibility.
In addition, many deployments out there are not complete. Maybe turnover hit during the project, or other priorities pulled your team off the project before the Privilege Management areas were implemented.
There's also the mentality of "if it's not broken, don't fix it"; this is completely misaligned with the principle of constant improvement.
This is why Centrify includes an upgrade guide with the documentation and also provides PS-led health checks that help identify areas of improvement. There's also a newly-created Centrify+ program for existing customers.
2016 upgrade guide: https://docs.centrify.com/en/css/suite2016/centrif
Centrify Health Check Datasheet: https://www.centrify.com/resources/dsh-en-health-c
Centrify+ Datasheet: https://www.centrify.com/resources/dsh-en-centrify
Tip #7: Embrace automation and DevOps
All Centrify software is ready for your existing automation tool set: Chef, Puppet, Ansible, Satellite, etc. all support native package deployments. In addition, cloud IaaS offerings (like Amazon OpsWorks) have frameworks that make launching instances, automatic joins and decommissioning very simple.
Windows PowerShell modules provided with DirectManage and DirectAudit extend automation to other levels. This can be combined with orchestration, workflow or ITSM tools like ServiceNOW.
Utilities like the Zone Provisioning Agent can make any traditional IdM or workflow integration point simple, by performing adds, moves or changes of AD security groups.
Tip #8: Are you measuring? You can't manage or improve what you aren't measuring
Metrics are part of your arsenal to develop a baseline and understand your business area, and since Centrify is all about access control, you should be able to measure:
- Successful or failed authentication attempts to UNIX/Linux or Mac assets by regular users
- Successful or failed authentication attempts to UNIX/Linux or Mac assets by privileged accounts [with or without MFA]
$ dzdo tail -f /var/log/messages | grep dwirth
Jun 25 17:13:46 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51511 utc=1466892826753 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=member3.centrifyimage.vms
- Successful or failed privilege elevation events on UNIX, Linux or Windows systems [with or without MFA]
INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51481 utc=1466892756393 centrifyEventID=24300 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
- Failed attempts by valid users in unauthorized UNIX/Linux or Mac assets
- Centrified systems that grant more access
- AD users with more Centrified system access
- AD groups with more Centrified system access
- UNIX/Linux systems without Centrify software (unprotected)
- Password change frequency for UNIX-enabled users
- Mean time between access revocation
- Orphaned accounts (computers, users)
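As an added example (not from the article), a POSIX shell script that turns AUDIT_TRAIL syslog lines of the shape shown above into the first metrics in this list: granted versus not-granted events per PAM service (sshd for logins, dzdo for privilege elevation) and non-granted events per user. The sample log is constructed: the two GRANTED records reuse the article's values (the syslog prefix of the dzdo line is reconstructed), while the DENIED records, their event codes, user and client addresses are made up, and the DENIED status token itself is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: turn Centrify AUDIT_TRAIL syslog lines
# (the format shown under Tip #8) into per-service and per-user metrics with
# POSIX awk. Record layout: 7 pipe-separated header fields followed by one
# field of space-separated key=value pairs.

# Constructed sample: the two GRANTED lines reuse the article's values (the
# syslog prefix of the dzdo line is reconstructed); the DENIED lines, their
# event codes, user and client address are made up for the demonstration.
SAMPLE_AUDIT_LOG='Jun 25 17:13:46 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51511 utc=1466892826753 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=member3.centrifyimage.vms
Jun 25 17:12:36 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51481 utc=1466892756393 centrifyEventID=24300 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Jun 25 17:15:02 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=jdoe(type:ad,jdoe@CENTRIFYIMAGE.VMS) pid=51600 utc=1466892902000 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=10.0.0.25
Jun 25 17:15:09 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=jdoe(type:ad,jdoe@CENTRIFYIMAGE.VMS) pid=51602 utc=1466892909000 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=10.0.0.25
Jun 25 17:16:40 engcen6 sshd[51700]: Accepted publickey for svcbackup from 10.0.0.30 port 51822 ssh2'

# stdin: syslog lines. stdout: "service status user" per Centrify PAM audit
# record; anything else (plain sshd lines, other facilities) is skipped.
audit_events() {
    awk -F'|' '
        $1 ~ /AUDIT_TRAIL$/ && $2 == "Centrify Suite" && $3 == "PAM" {
            svc = st = usr = ""
            n = split($8, kv, " ")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "service=") == 1) svc = substr(kv[i], 9)
                else if (index(kv[i], "status=") == 1) st = substr(kv[i], 8)
                else if (index(kv[i], "user=") == 1) {
                    usr = substr(kv[i], 6)
                    sub(/\(.*$/, "", usr)   # drop the "(type:ad,upn)" suffix
                }
            }
            if (svc != "" && st != "" && usr != "") print svc, st, usr
        }'
}

# Granted vs. not-granted events per PAM service: sshd rows are logins,
# dzdo rows are privilege elevations. Output: "service status count", sorted.
auth_by_service_status() {
    audit_events | awk '{ c[$1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort
}

# Non-GRANTED events per user, most frequent first. Only GRANTED appears in
# the article's samples, so "anything other than GRANTED" is treated as failed.
failed_auth_by_user() {
    audit_events | awk '$2 != "GRANTED" { c[$3]++ } END { for (k in c) print k, c[k] }' \
        | sort -k2,2nr -k1,1
}

# Live usage: dzdo tail -n 10000 /var/log/messages | auth_by_service_status
```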
Tip #9: Maximize your Centrify Assets
- Unlike other solutions, Centrify is not only Red Hat Linux-centric, it provides support for all commercial Linux, HP-UX, AIX, Solaris and OS X
- Centrify Standard Edition provides Privileged Identity Management for Windows and helps eliminate the issue of widespread local/domain administrator rights while preventing advanced attacks.
- Centrify Server Suite Enterprise Edition adds session capture and replay for UNIX, Linux and Windows
- Centrify Platinum Edition adds Group Policy-based IPSec/PKI server and domain isolation
- Centrify Identity Service is an industry-recognized IDaaS platform that includes SSO plugins for Apache, Java, SAP, DB2 and others.
- Centrify Privilege Service extends Centrify PIM capabilities, providing Shared Account Password Management and Privileged Session Management for systems, devices, databases, directories and more.
- Hadoop: If you have a Hadoop deployment, you can accelerate it by leveraging Active Directory and Centrify.
Tip #10: Ask us for new capabilities or improvements
Tech companies are only as good as their ability to deliver capabilities required by their customers. Let your voice be heard in the community or in the Idea Exchange; feel free to tell us what's next.
At Centrify we focus on helping organizations secure their assets by focusing on the new perimeter: Identity. Our solutions provide operational efficiencies given that they reuse existing infrastructure (e.g. Active Directory) or simply eliminate complexities.
Protecting your company's information from an attack or data theft can be achieved easily with a little cunning and a few tools. You must be prepared!