Windows 2012R2 Member Server local administrator

Participant III
Posts: 8
Registered: ‎10-12-2016
#1 of 8 4,619

Windows 2012R2 Member Server local administrator

Hi All,

 

In my demo/test environment I added a Windows 2012R2 server to the Domain.
This server has a local admin equivalent account (member of the local Administrators group).

I added this account to the system in the Admin Portal.

 

Now I face 2 challenges:

 

First challenge:

How to rotate the password? The setup is identical to my localadmin accounts on the Linux servers.
Detailed job report:
2017-09-06T10:41:40.1979431Z : Changing password for account: localadmin, accountId: xxxxxxxx-xxxxxxxx-xxxx-xxxxxxxx, reason: RotatePassword
2017-09-06T10:41:40.5885875Z : Trying to read the current password
2017-09-06T10:41:40.6354364Z : Setting pending secret :21cecc1e-4b70-4958-9b74-de24768efc02
2017-09-06T10:41:40.8854427Z : Changing account localadmin password on resource win2012-core...
2017-09-06T10:42:03.1879211Z : Unable to update account password
2017-09-06T10:42:03.1879211Z : Details : Error changing password for user localadmin on machine <serverFQDN>: HostIsDown


Server is up and running.

 

Second challenge:

After enabling MFA the security setting will not allow me to log on locally?

 

Message: "The account is not authorized to log in from this station"

 

What GPO setting is preventing me from logging on locally?

Without MFA enabled I can log on locally.

 

Kind regards,

 

Wilco Kakkenberg

 

Participant III
Posts: 8
Registered: ‎10-12-2016
#2 of 8 4,616

Re: Windows 2012R2 Member Server local administrator

The problem for the first issue is the Windows Firewall.

 

When Domain firewall is disabled I can rotate the localadmin password.

 

Which port should be open in the Windows Firewall?

 

Centrify Guru I
Posts: 2,411
Registered: ‎07-26-2012
#3 of 8 4,615

Re: Windows 2012R2 Member Server local administrator

@WilcoK,

 

Welcome back to the forums.

If this is a real-world implementation, ideally you should be working with your Centrify lead (professional services), they can provide training, design and implementation assistance.

 

For your first issue, please make sure that the Connector (or connectors) can reach the target system. 

For example, you could have a connector in AWS unable to reach systems in your on-premises private network.

 

This can be set at the global level (system subnet mapping), or at the system level (connectors tab).  The pic below shows you the Global level settings:

[Image: sys-sub-map.PNG]

 

Finally, make sure you're covering the basics (e.g. the firewall allows the connector to have access, the ports are set up correctly, etc.). In the case of Windows, it depends on the management mode. The options are:

[Image: mag-mode.PNG]

I also noted that your win2012 system is running Server Core. These systems have many services disabled or not available by default. You must have at least one management mode available.

 

For your 2nd issue, it depends on what you're trying to achieve.

 

  • Do you want MFA at login only? or
  • Do you want MFA at login and when the user securely elevates privileges?

Both modes have different design, process and cognitive considerations.

 

Looks like you added the Windows system to a zone and you have not authorized the local user with an RBAC role that allows it to log in. This means that the "You can log in from this station" message is expected. There is no GPO preventing you from logging in; you just need to familiarize yourself with how DirectAuthorize on Windows works.

 

Answer what you'd like to accomplish  first, and then when time permits I'll return to the post and give you a suggestion.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
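As an added example (not from the thread and not Centrify's own tooling), a PowerShell pre-flight check for the first issue: run it on the connector host to see whether the target answers on the port its management mode needs, or with -ShowTargetFirewall on the target itself to list the enabled inbound Domain-profile rules for those ports. The management-mode-to-port mapping and the FQDN are assumptions based on the well-known Windows ports, not taken from the thread.

```powershell
# Added example: connector -> Windows target reachability check for password rotation.
# Assumed mapping of Centrify Windows management modes to well-known TCP ports.
param(
    [Parameter(Mandatory)] [string] $TargetFqdn,   # placeholder, e.g. win2012-core.<your-domain>
    [switch] $ShowTargetFirewall                    # set when running this on the target itself
)

$modes = @{
    'SMB'              = 445
    'WinRM over HTTP'  = 5985
    'WinRM over HTTPS' = 5986
    'RPC over TCP'     = 135   # endpoint mapper; dynamic RPC ports follow
}

# 1. Name resolution from the connector's network. A name that does not resolve
#    here surfaces in the job report the same way as a blocked port (HostIsDown).
try {
    $ip = [System.Net.Dns]::GetHostAddresses($TargetFqdn) | Select-Object -First 1
    Write-Host "Resolved $TargetFqdn -> $ip"
} catch {
    Write-Warning "Cannot resolve $TargetFqdn from this host: $_"
    return
}

# 2. TCP reachability for each candidate management mode.
$results = foreach ($mode in $modes.Keys) {
    $open = Test-NetConnection -ComputerName $TargetFqdn -Port $modes[$mode] `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ ManagementMode = $mode; Port = $modes[$mode]; Reachable = $open }
}
$results | Sort-Object Port | Format-Table -AutoSize

if (-not ($results | Where-Object Reachable)) {
    Write-Warning "No management port reachable: the job will report HostIsDown even though the server is up."
}

# 3. On the target: a domain-joined member server uses the Domain profile. If its
#    default inbound action is Block, rotation needs an enabled allow rule for one
#    of the ports above (the thread only shows that disabling the profile works).
if ($ShowTargetFirewall) {
    Get-NetFirewallProfile -Name Domain | Select-Object Name, Enabled, DefaultInboundAction
    $ports = $modes.Values | ForEach-Object { "$_" }   # LocalPort is a string on the filter
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in $ports } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action | Format-Table -AutoSize
}
```

Open only the port for the management mode you actually selected for the system, scoped to the connector's address, rather than disabling the Domain profile.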
Participant III
Posts: 8
Registered: ‎10-12-2016
#4 of 8 4,611

Re: Windows 2012R2 Member Server local administrator

Thanks for your reply Robertson,

 

For the second issue:

This is exactly the scenario as you suggested:

Looks like you added the Windows system to a zone and you have not authorized the local user with an RBAC role that allows it to log in.  This means that the "You can log in from this station" message is expected.  

  

I have a member server in the domain. Domain user can login with MFA depending on their role.

I'm looking for a way to enable / setup the login (with or without MFA) for local users.

 

Before updating the production environment I'm testing the functionality in my test environment.

Centrify Guru I
Posts: 2,411
Registered: ‎07-26-2012
#5 of 8 4,608

Re: Windows 2012R2 Member Server local administrator

[ Edited ]

@WilcoK,

 

Hmmmm....

You may be using the wrong approach if you are trying to secure a local account.

 

Our current implementation of MFA requires the system to be domain-joined and the users to be AD users.

 

To protect a local account with MFA, you can do this with Privilege Service.

 

Assumptions

a) The local account is under management

b) You have authorized the account to log in (if using DirectAuthorize too)

c) If to secure RDP access only: you make sure the target users don't have the "Checkout" permission; otherwise they could "go around the vault" (a typical problem with password-driven solutions).

 

Assuming all this is working (giving you instructions for a specific system or account)

 

Prompting for MFA on Secure Access (e.g. RDP - also applies to SSH)

  1. Navigate to Infrastructure > Systems and click on the system in question.
  2. Set up the default system challenge or set up rules based on criteria.

[Image: mfa-login.png]

Now if the user needs to RDP into this system, they will be challenged for MFA, either always (if the default is used) or based on rules.

 

To do the same with the password checkout, modify the rule at the account level.

 

I hope this helps

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 8
Registered: ‎10-12-2016
#6 of 8 4,605

Re: Windows 2012R2 Member Server local administrator

@Robertson

 

The MFA for local accounts is optional. First I need to be able to login.

 

Scenario is identical to the Linux servers.

 

Login from the Admin Portal with a local user account with an SSH session. Works excellently with Linux.

 

It worked fine for the Windows Server 2012 before I enabled MFA. With MFA in place, domain users are prompted for MFA but local users are not allowed to log in, not through RDP or the server console.

Kind regards,

 

Wilco Kakkenberg

 

Centrify Guru I
Posts: 2,411
Registered: ‎07-26-2012
#7 of 8 4,597

Re: Windows 2012R2 Member Server local administrator

[ Edited ]

@WilcoK,

 

If you are planning for production, you must do a tried and true design. We have seen customers doing things without a reference that end up creating a management nightmare. Advice: there are training and assistance packages that we offer.

 

There are two ways to do MFA on Windows:

a) At login only (must trust platform instance PKI)

b) At login and privilege elevation (must trust platform instance PKI, must join zone)

 

At login only

Preconditions

a) You have installed the Centrify Agent for Windows

b) Your system has PKI trust to the Centrify platform.

 

  1. Don't configure the system to join a zone, instead,
  2. configure your Centrify platform instance and set the users/groups that will be challenged. This can be set by GPO too.

[Image: mfa-simple.JPG]

There are several articles that walk through this setup on the community site, like this one. Note: this one overlooks the PKI steps. You can look for a PKI explanation and troubleshooting tips here.

 

At login and privilege elevation

You must join the system to a zone; this is subject to planning. I'm showing you a quick and dirty way using the local system. A true production deployment leverages computer roles, child zones or zones to do this.

 

Preconditions

a) All of the above preconditions, plus

b) You have a Centrify zone configured with a Centrify Platform instance

c) Your roles must be configured for MFA

 

The rules of DirectAuthorize state that to log in to a system a user must have

  1. An identity (not a consideration for Windows systems, since they all belong to AD)
  2. A role that grants the ability to log in.

 

There are two built-in roles that allow this:  UNIX Login and Windows Login.

 

  1. On your Centrify Management Station, open Access Manager
  2. Navigate to the zone that the system belongs to and expand Computers, then expand the Windows system in question and select role assignments
  3. Right click > Assign Role
    - Select Role > pick Windows Login
    - Assign role > select the appropriate time, and principals (AD or local)
    [Image: ra-win.JPG]
    - Once assigned, to accelerate time, run dzflush.exe on the target system
  4. Test local access. 
    Now you should be able to log in and you overcame your first hurdle.

To add MFA to this setup, you should follow some of the posts or the help, like this one.

 

Final note:  I know that you are clicking around to get this done (as a matter of fact, the prescription I gave you above, does not scale correctly), ultimately all this can be automated with DevOps.  You also have to think how to operate it effectively.  If you have a small environment this is manageable, otherwise, things can get out of hand quickly if you don't possess the cognitive knowledge to design for manageability. 

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 8
Registered: ‎10-12-2016
#8 of 8 4,563

Re: Windows 2012R2 Member Server local administrator

@Robertson

 

Many many thanks, this was the missing part:

 

On your Centrify Management Station, open Access Manager.
Navigate to the zone that the system belongs to and expand Computers, then expand the Windows system in question and select role assignments.
Right click > Assign Role
- Select Role > pick Windows Login
- Assign role > select the appropriate time, and principals (AD or local)

 

Also many thanks for your advice. I studied the Evaluation Centers. This is a little bit more advanced than the subjects covered in the documentation. I totally agree that without a true authentication scenario Centrify configuration can turn into a big puzzle. That's why I have my test/demo environment. Here I'm testing scenarios based on business rules.

 

In this case, a supplier needs local access with specific rights to one specific Windows Server. In this case I can provide the supplier access to the server through the Centrify portal, with a workflow for approval.

 

Thanks to your help I just achieved this goal!!

 

Once again many many thanks.