Centrify Agent for Windows™ Deployment Options - Introduction

By Centrify Guru I, 02-17-2018 10:06 AM

Background

The Centrify Agent for Windows provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (prerequisites, communications), the deployment scenarios and the tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.

 

Functionality

Here are the capabilities (at the time of this writing, current version 2017.3) by type of Centrify product subscription bundle:

 

Centrify Identity Services Platform - Endpoint Services

  • Multi-factor Authentication
    • Console
    • Remote
    • Screen saver unlock
    • Offline mode
  • Windows 10 MDM Enrollment
  • Zero Sign-On
  • Audit Trail

Centrify Infrastructure Service

  • Access Control:  Provided via Centrify Zones in Active Directory.
  • Privilege Elevation:  Provided by Centrify DirectAuthorize.
  • MFA enabled via Role-based Access Control (all scenarios as above plus privilege elevation).
  • Audit Trail:  Provides a catalogue of events (to enrich SIEM functionality).
  • Session Capture:  Advanced auditing capability that allows the capture of user activity plus replay.
  • Shared Account Password Management:  Secure local account passwords, implement policy, etc.
  • Privilege Session Management:  Provide secure access via RDP.
  • Windows Service Management:  Secure services, scheduled tasks and IIS application pool accounts.

 

Deployment Scenarios

The scenarios are divided by system class (server/desktop and laptop) and are based on the experiences of our existing customer base. Note that we will provide the details in generic lab format, given that each organization's deployment has unique requirements.

 

  • On-premises deployment using an image source (e.g. the software is installed in the system together with the Windows source and is configured via GPO or other methods).
  • On-premises deployment using Group Policy or an MSI-aware software change and configuration management tool (like Config Manager (SCCM), LANDesk, Symantec, Altiris, etc.).
  • IaaS deployment:  A system is launched in AWS, Azure or GCP and, as part of the launch process, is configured to provide services like MFA, zone access control, privilege elevation, audit, etc. Upon termination, the system is gracefully decommissioned.
  • Persistent or non-persistent VDI:  Using VDI technologies like VMware's Horizon View or IaaS like Amazon WorkSpaces.

 

Overview Process by System Class

Server or Secure Workstation

  1. PKI trust is established between the Windows system and the Centrify Identity Services platform.
  2. Install the Centrify Agent for Windows in the proper order and at the proper time.
  3. The system is joined to a Centrify Zone (and the corresponding computer roles).
    In this scenario, Identity Services Platform functionality (like MFA or rescue options) is configured based on zone settings.
  4. Optionally, the local Administrator user credential is put in the Identity Services vault and its password is set under management.
  5. Additional settings like proxies, audit trail settings, DirectAudit installation, etc. are configured via Group Policy.
  6. At system sunset (via decommissioning or termination), the proper hygiene is followed:  remove the system from the zone (releasing the license), unenroll from the Centrify Identity Platform, remove any credentials from the vault and perform the final termination.

Desktop or Laptop

  1. PKI trust is established between the Windows system and the Centrify Identity Services platform.
  2. Install the Centrify Agent for Windows in the proper order and at the proper time.
  3. The system is configured to use a specific Centrify Identity Services platform instance.
    In this scenario, subsequent configuration comes from Group Policy.
  4. Optionally, the local Administrator user credential is put in the Identity Services vault and its password is set under management.
  5. Additional settings like proxies, audit trail settings, DirectAudit installation, etc. are configured via Group Policy.
  6. At system sunset (via decommissioning or termination), the proper hygiene is followed:  unenroll from the Centrify Identity Platform, remove any credentials from the vault and perform the final termination.

Toolbox

  • Centrify Agent for Windows - Official Documentation.
    https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents...
    This is the constantly evolving documentation. The information in this and subsequent posts is a compilation of information found there.
  • Centrify Agent for Windows MSI package and Transform (.mst) file.
    These files are required for GPO or Configuration Management Tool deployments.
    Where to obtain:  Centrify Download Center, Centrify Identity Platform Admin Portal.
    The Agents folder in the Infrastructure Services zip file contains these files.
  • Centrify Group Policy Management Editor Extension
    The templates expose the Centrify Group Policy Management Objects.
    How to obtain:  Centrify Download Center. (Link to 2017.3)
  • Centrify Licensing Service
    To be able to use the GPO feature, you need an installed Centrify license in Active Directory via this service.
    How to obtain:  Centrify Download Center. (Link to 2017.3)
    How to obtain your license key: sent with your software subscription welcome email.
  • Centrify DirectControl PowerShell
    Key tool for automation, especially when launching server images on-demand.
    How to obtain:  Centrify Download Center. (Link to 2017.3)
  • Active Directory Module for PowerShell
    Key tool for automation, especially when performing Active Directory operations like Group Membership.
    How to obtain:  Install the feature.  (e.g. Install-WindowsFeature RSAT-ADDS)
  • Centrify Access Manager MMC Console
    This is where all the manual administration of Zones, Access, RBAC is implemented.
    How to obtain:  Centrify Download Center. (Link to 2017.3)
  • Centrify Audit Manager
    Allows for the configuration of DirectAudit installations.
    How to obtain:  Centrify Download Center. (Link to 2017.3)
  • Centrify PowerShell Samples
    Allow for enrollment in the Centrify vault and for securing or retrieving credentials.
    How to obtain:  Centrify GitHub, Community Post.

 

Centrify Agent for Windows Prerequisites

Official documentation:  https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents...

  • The computer is running a supported Windows 64-bit operating system version.
  • The computer is joined to Active Directory.
  • The computer has sufficient processing power, memory, and disk space for the agent to use.
    Read the minimum requirements for each Windows version here. Note that you need to add to the minimum spec depending on the use case.
  • The computer has the .NET Framework, version 4.5.2 or later.
    This requirement changes between versions.
  • The computer has Windows Installer version 3.1, or later.
  • For secure communications and capabilities such as MFA, enrollment and vaulting, the Windows system must trust the Integrated Windows Authentication (IWA) trust CA certificate from the Centrify Identity Platform.

Network Communications

Between the Centrify Connector or the Windows client and the Active Directory domain controllers (all use cases). These are the "well-known" ports required for Active Directory communication.

Protocol | Port | Direction | Comment
SMB/CIFS | TCP 445 | Centrify Connector and Windows client to DC | Group Policy relies on this port.
RPC | TCP 135 | Centrify Connector and Windows client to DC | Group Policy relies on this port.
RPC Endpoint ("TCP Dynamic") | TCP 49152-65535 | Centrify Connector and Windows client to DC | Group Policy may rely on these ports.
LDAP | TCP/UDP 389 | Centrify Connector and Windows client to DC |
Kerberos Password | TCP 464 | Centrify Connector and Windows client to DC |
Kerberos | TCP 88 | Centrify Connector and Windows client to DC |
Global Catalog | TCP 3268 | Centrify Connector and Windows client to DC |

 

Between the Centrify Connector and the target Windows system (server and secure workstation use cases)

Protocol | Port | Direction | Comment
RDP | TCP 3389 | Windows (inbound) | If secure access from the Infrastructure Service will be allowed (configurable).
RPC Endpoint Mapper | TCP 135 | Windows (inbound) | For Infrastructure Services discovery, or if Management Mode is "RPC over TCP".
RPC Endpoint ("TCP Dynamic") | TCP 49152-65535 | Windows (inbound) | For "RPC Endpoint Mapper" (configurable). Note: the range varies between Windows versions.
SMB/CIFS | TCP 445 | Windows (inbound) | For CPS discovery, or if Management Mode is "SMB".
WinRM over HTTP | TCP 5985 | Windows (inbound) | If Management Mode is "WinRM over HTTP".
WinRM over HTTPS | TCP 5986 | Windows (inbound) | If Management Mode is "WinRM over HTTPS".
IWA Service | TCP 80, TCP 8443 | Connector (inbound) | The IWA (SPNEGO) service is used by the Windows system to authenticate to the web service running on the connector. The HTTP and HTTPS ports are configurable.
API Proxy | TCP 8080 | Connector (inbound) | Server authentication (MFA) also relies on this.
RDP (Native Client) | TCP 5555 | Connector (inbound) | Configurable port if using secure access with the Microsoft RDP client.
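Because only the ports for the chosen Management Mode need to be reachable on the target, an exposure check is worth running there before the connector is pointed at it. The script below is an added example (not part of this post or of Centrify's software) that compares the inbound ports from the table above with what the target is actually listening on and allowing through Windows Firewall; $ManagementMode and $AllowSecureAccessRdp are assumed inputs that mirror the table's conditions.

```powershell
# Added inbound-exposure check for a target Windows server (not Centrify tooling).
# Reports, for every port in the table, whether it is needed by the selected
# Management Mode, and whether it is open (listening AND allowed inbound by the
# Windows Firewall), so unneeded listeners can be reviewed.
param(
    [ValidateSet('WinRM over HTTPS', 'WinRM over HTTP', 'RPC over TCP', 'SMB')]
    [string] $ManagementMode = 'WinRM over HTTPS',
    [bool]   $AllowSecureAccessRdp = $false    # RDP 3389 from the Infrastructure Service
)

# Ports the table ties to each mode; TCP 135 is also used for discovery.
$needed = @{ 135 = 'RPC Endpoint Mapper (discovery)' }
switch ($ManagementMode) {
    'WinRM over HTTPS' { $needed[5986] = $ManagementMode }
    'WinRM over HTTP'  { $needed[5985] = $ManagementMode }
    'RPC over TCP'     { }                 # 135 plus the dynamic range (not probed here)
    'SMB'              { $needed[445]  = $ManagementMode }
}
if ($AllowSecureAccessRdp) { $needed[3389] = 'RDP (secure access)' }

$tablePorts = @(3389, 135, 445, 5985, 5986)   # fixed inbound ports from the table

$listening = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
# LocalPort of a firewall rule can be a number, a range such as '49152-65535',
# 'Any', or a keyword such as 'RPC-EPMap' (the built-in endpoint mapper rule).
$allowed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
           Get-NetFirewallPortFilter | Where-Object Protocol -eq 'TCP' |
           ForEach-Object { $_.LocalPort }

function Test-PortAllowed([int]$Port, [string[]]$Rules) {
    foreach ($r in $Rules) {
        if ($r -eq 'Any' -or $r -eq "$Port") { return $true }
        if ($r -eq 'RPC-EPMap' -and $Port -eq 135) { return $true }
        if ($r -match '^(\d+)-(\d+)$' -and $Port -ge [int]$matches[1] -and $Port -le [int]$matches[2]) { return $true }
    }
    return $false
}

foreach ($port in $tablePorts) {
    $isNeeded = $needed.ContainsKey($port)
    $isOpen   = ($listening -contains $port) -and (Test-PortAllowed $port $allowed)
    $verdict  = if ($isNeeded -and $isOpen) { 'OK' }
                elseif ($isNeeded)          { 'MISSING: required by ' + $needed[$port] }
                elseif ($isOpen)            { 'REVIEW: open but not required by this mode' }
                else                        { 'closed (expected)' }
    [pscustomobject]@{ Port = $port; Needed = $isNeeded; Listening = ($listening -contains $port); Verdict = $verdict }
}
```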

 

Between the Centrify Agent for Windows and a Proxy Server (optional scenario)

Protocol | Port | Direction | Comment
Proxy | Configurable | Proxy Server (inbound) | These ports are configurable. For example, for a Squid proxy the port is 3128; other proxies may use 8080.

Note:  Since Centrify Identity Platform 17.6, MFA clients can leverage the Centrify Connector to proxy traffic.

 

Between the Centrify Connector and a RADIUS Service (optional scenario)

Protocol | Port | Direction | Comment
RADIUS | UDP 1812/1813 (or custom port) | Centrify Connector (outbound), RADIUS Server or Infrastructure (inbound) | When CIP is acting as the RADIUS client, this can be overridden at the connector level.


Questions and Planning Considerations for Each Deployment Type

Centrify Identity Services Platform - Endpoint Services

  • How will the PKI certificate be distributed?
  • What functionality is required? (MFA, Windows 10 MDM enrollment, ZSO, vaulting of admin accounts.)
  • Interoperability:  Should Windows credential providers be excluded from the chain?
  • Usability:  What will be the grace period for MFA on screen saver unlock?
  • Offline/Safe Mode MFA:  Will this be enabled? Which rescue users will be designated?
  • Communications:  Depends on functionality or usage.
  • Audit Trail:  Should the Centrify events be sent to the SIEM tool?

Centrify Infrastructure Services - Access Control and Privilege Elevation

  • How will the PKI certificate be distributed?
  • What functionality is required? (Access control, privilege elevation, MFA on login/elevation, Windows 10 MDM enrollment, ZSO, vaulting of admin accounts.)
  • Interoperability:  Should Windows credential providers be excluded from the chain?
  • Usability:  What will be the grace periods for MFA on screen saver unlock and/or privilege elevation?
  • Offline/Safe Mode MFA:  Will this be enabled? Who will be assigned Rescue Rights roles?
  • Communications:  Depends on functionality or usage.
  • Audit Trail:  Will integrations with Splunk, IBM QRadar or HP ArcSight be enabled?

Centrify Infrastructure Services - Auditing and Monitoring Service

  • Functionality to be enabled: session capture vs. events only (EU privacy considerations).
  • Will users be notified that they are being audited?
  • What's the retention policy for session data by system class?

Centrify Infrastructure Services - Privilege Service Vault

  • Is the system going to be added to the vault for secure access purposes?
  • Are there any credentials that are going to be vaulted automatically? Will these passwords be managed?
  • What needs to happen when the system is decommissioned/terminated? What will happen to the credentials and history?

Conclusion

We have you covered on the Windows platform. Subsequent articles will focus on specific deployment scenarios.

Comments
By fW701400 on 10-10-2018 03:11 AM

Thanks for sharing the complete information about that. Actually, Centrify Agent for Windows provides organizations with the ability to secure Windows systems. Earlier I didn't have much knowledge about that. From this post, it is clear to me. Recently I updated my laptop from Windows 7 to Windows 10. Now I have the problem that my laptop became too slow and it is quite frustrating, then I took assistance from

team. They resolved my issues. So, anybody facing any type of issue related to that can go through the same.

By Centrify Guru I on 10-10-2018 10:23 AM

@fW701400,

 

Thanks for letting us know about your experience.

Please note that an operating system upgrade requires some degree of planning. We always advise that you update the Centrify software first (to a version that supports the newer OS) PRIOR to the OS upgrade.

 

Also note that this article is aimed at IT Pros looking to mass-deploy the client.

 

R.P
