This article is the second part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. Part II will cover the following:
- Pre-requisites for setting up the test environment
- High level architecture of the solution
- Setting up Symantec VIP Manager and Enterprise Gateway
A DirectManage Audit 3.x installation typically creates and uses two types of databases: an Audit Server database (also known as the Management database) and an Audit Store database. The Audit Server database stores DirectManage Audit 3.x application-specific settings, whereas the Audit Store database stores the actual audited user sessions. A typical DirectManage Audit 3.x installation consists of one Audit Server database and one or more Audit Store databases.
In a nutshell, here are the steps involved when migrating the databases from one database server to another:
Step 1 - Stop all the collectors
Step 2 - Take backup of existing databases (optional but recommended)
Step 3 - Detach the existing databases and attach them to the new database server
Step 4 - Ensure that CLR integration is enabled on the new database server and login for NT AUTHORITY\SYSTEM exists on the server
Step 5 - Restore the TRUSTWORTHY flag and owner of the database
Step 6 - Modify the newly attached Audit Server database
Step 7 - Restore the connection between the Audit Server database and the Audit Store database
Step 8 - Update the database entries in Active Directory
Step 9 - Start all the collectors
The attached document explains each of the steps above in detail, so that if a database migration is unavoidable the impact on the DirectManage Audit system is kept to a minimum.
How to configure SSO for Informatica Intelligent Cloud Services using SAML.
How to change log throttles manually in Centrify Agent for Linux and Centrify Infrastructure Services
Centrify provides the following scripts to enable/disable debug logging:
- Centrify Agent for Linux: /usr/share/centrifycc/bin/cdebug
- DirectControl: /usr/share/centrifydc/bin/addebug
- DirectAudit: /usr/sbin/dadebug
Enable debugging in a journald environment.
Do you want to give an individual remote access without giving it to all users? Then this blog is for you!
This article describes the basic steps to obtain and configure the necessary tools used to import objects into the Privilege Service vault. This feature was added in Centrify Privilege Service 18.4 and allows admins to import systems, domains, databases and their accounts. It is a PowerShell module that will be released on GitHub.
In the documentation for Centrify Report Services, it mentions setting up permissions in SSRS for user accounts that need to access Report Services to view (Report Viewer) and write (Report Writer) reports.
This article goes over the section "Required SSRS permissions" (Report Admin, Report Viewer, Report Writer).
This blog goes over regular expressions, or regex for short, when creating a new command, with some tips and things to watch out for when using regex in commands.
A Centrify Connector on an AWS private subnet allows you to:
- Gain better accountability of who is accessing the private subnet,
- Apply role-based access to the private subnet,
- Vault the passwords of local and domain service accounts used in the private subnet,
- Provide MFA login for Windows or Linux servers
- Integrate with an Active Directory domain that is associated with the private subnet,
- Provide MFA for other AWS services such as AWS Workspaces.
This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.
How to allow users to log into a remote Linux machine via SSH, using Active Directory credentials that require smart card authentication.
This TechBlog describes how to create a scheduled task that will automatically rotate the Centrify Auditing database on the first day of each month. You can easily modify the command outlined to suit your requirements.
Leverage your Symantec VIP investment with Centrify
Many organizations already use Symantec VIP to provide MFA authentication assurance to control access to web applications and/or network systems. I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services at server login and privilege elevation. This allows you to centralize non-Windows identities in Active Directory and use VIP to authenticate users for specific server-related tasks.
Now I want to show you how organizations can extend Symantec VIP to provide MFA to web applications and infrastructure resources that use the Centrify Identity Platform as their policy engine. This allows organizations to use Centrify for single sign-on, enterprise mobility management, and privileged identity management, while also leveraging their investment in Symantec VIP to provide MFA when logging on to the Centrify portal or checking out a privileged account.
For example, for an AD user logging into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
The first authentication method is going to ask the user to provide the access code on his/her VIP token:
The second authentication will validate the user's Active Directory, Centrify Directory, or LDAP directory password. Once completed, the user will be taken to the user portal page.
The authentication profile leverages the Centrify policy to authenticate the user with her VIP token first, then prompt for her AD password. Because the AD password is only accepted after possession of the VIP token has been proven, an attacker cannot lock out the end user's Active Directory account by submitting wrong passwords.
This shows one example of how an organization can leverage a Centrify policy while still making use of Symantec VIP for MFA. Taking this further, organizations can use Centrify to configure specific rules for when they want to MFA a user with Symantec VIP, and/or the organization can use the Centrify analytics engine to make a user behavioral risk decision based on machine learning to decide when to MFA the user with Symantec VIP.
The benefits of this approach are that the organization can leverage a very powerful access policy engine throughout the enterprise and make context based decisions on whether to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to make use of Centrify without having to rip and replace their existing Symantec VIP solution and re-issue MFA tokens to all end users.
To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To article in this series (coming soon).
How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
A profile will be configured to start session recording on privilege elevation, and the integration with Splunk will be set up so that audited sessions can be viewed directly from the Splunk Portal.
Configuring the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk (Spanish-language version)
How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk (Spanish-language version)
Part 2 - Configuring the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk (Spanish-language version)
Centrify Infrastructure Services (Privileged Access Service) has the ability to store secrets. These secrets can be free-form text or files (currently up to 5 MB in size).
There will be use cases where the contents of these secrets need to be accessed programmatically, e.g. from inside an application or as part of orchestration/DevOps processes.
This article describes how to configure Centrify's OAuth2 authorization framework so that a PowerShell script can obtain the contents of a text-based secret from the Centrify platform.
However, it does not stop there. Using this methodology (OAuth2 apps and scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation may be achieved, including writing objects such as systems, shared accounts, secrets etc. Pretty much everything that can be done via the portal can be automated/configured programmatically.
Whilst this example is in PowerShell, any compliant code can leverage this methodology (Java, C#, Go etc.). For example, I have Python code to run SQL queries against the Centrify Identity Platform from Linux, but that's for another post.
For more detail on the Centrify Identity Platform APIs see https://developer.centrify.com
Bedtime reading on OAuth2: https://tools.ietf.org/html/rfc6749
Ever stayed up late at night dreaming of how awesome it would be to implement RADIUS in your environment? Maybe that's a stretch... But, before you wrestle with your VPN, try setting up a simple test configuration to get a feel for how it all works. Look no further, because this blog will help you do just that!
My latest Eval Setup videos for the newly released Centrify Infrastructure Services 2018.
Learn the basics of Microsoft Red Forest and how Centrify can be used to provide a more effective security strategy.
We will cover how to secure FortiGate administrator access using Centrify MFA. We will use an Active Directory user that is federated to Centrify to log in to a FortiGate as an Admin user and be prompted for MFA at both CLI and Web GUI login.
[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part1 - Start session recording when performing privilege elevation
We will configure a profile to start session recording on privilege elevation, and set up the Splunk integration with Infrastructure Service (Auditing and Monitoring Service) so that audited sessions can be viewed directly from the Splunk Portal.
1. Login to the Centrify Admin Portal.
2. Go to Core Services > Policies.
3. Edit an existing policy by clicking on the name of the policy or create one.
4. Go to Endpoint Policies > Common Mobile Settings and click on Common. By default, it is set to "Yes" and you will be able to see Passcodes on an Enrolled device.
5. If you want to disable Passcodes, set “Show "Passcodes" interface in the mobile apps and the user portal” to No.
6. When it is set to “No”, you will no longer see Passcodes once the policies are updated on the device.
Use Centrify GPOs to Create and Distribute a Customized Kerberos Configuration File (/etc/krb5.conf)
Today we are going to use two Centrify GPOs to create a custom krb5.conf file and distribute it to our Unix/Linux systems:
ComputerConfiguration -> Policies -> CentrifySettings -> Common UNIX Settings -> "Copy files"
ComputerConfiguration -> Policies -> CentrifySettings -> DirectControlSettings -> "Add centrifydc.conf properties"
Our first action is to create the ...
End users are seeking modern ways to interact with IT and other shared services groups across their organization. They look for self-help — where they can get secure access to apps, manage their own passwords, search for known apps or servers, and request access to services that they need. IT users need to automate tasks like account provisioning and password resets, and manage privileged access to on-premises and cloud-based infrastructure. Centrify’s identity management integrations with ServiceNow help automate processes, improve visibility, and provide a better experience for ServiceNow end users and privileged IT users.
Do you want to enable just-in-time privilege for your administrators' access to infrastructure? Do you want to tie that access back to a valid service ticket in the workflow system of record (ServiceNow)?
1. Log into the Centrify Admin Portal.
2. Go to Core Services > Policies.
3. Edit an existing policy by clicking on the name of the policy or create one.
4. Go to Endpoint Policies > Device Enrollment Settings, then select Yes in the “Show welcome screen on enrollment” drop-down. By default, it is set to Yes.
5. Go to Settings > Endpoints > Endpoint Customization, then check the box to the left of “Specify unique welcome message for supported languages.”
6. A table of welcome messages for the supported languages is shown. By default, the welcome message for each language states “This welcome text and logo can be configured by visiting https://(tenant).my.centrify.com/manage, under 'Settings'.”
7. You can edit the welcome message by clicking on a language. After any change, click the Save button.
8. When you enroll a device whose language is listed in the table, it will show the welcome message attached to that language. Below shows a phone set to Spanish and one set to English.
As customers move more and more to the cloud, many are leveraging AWS Workspaces as a Desktop as a Service (DaaS) solution to provide end users access to corporate resources at any time from anywhere. Given that Workspaces are available to anyone, from anywhere, a key consideration when moving to AWS Workspaces is, of course, security.
AWS Workspaces can be configured to require Multi-Factor Authentication (MFA) to add a layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which can be provided by a virtual or hardware MFA solution.
There are two ways to do this.
Option 1) Use Centrify Endpoint Services. In this article, @Robertson covered how to use the Centrify agent to enforce strong workspace-level security with Centrify's Endpoint Services solution to deliver:
- Access control using Centrify Zone technology
- Strong Authentication with MFA at login, screen lockout or remote desktop
- Privilege Elevation for application or administrative desktop
This is the most secure option.
Option 2) Use Centrify's MFA service with AWS RADIUS support to require MFA before accessing AWS Workspaces.
In this how-to, we will focus on option 2.
Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. Centrify can prompt for MFA at console or SSH login. This article will walk you through the steps to enable users to log into Linux and UNIX systems with Active Directory credentials and be prompted for multi-factor authentication.
As infrastructure and application development continue to converge in a DevOps world, container technology is being heavily adopted by organizations. As a trusted security partner, Centrify is being asked by customers and prospects how it can secure this new, dynamic container-based ecosystem.
@David covered in his article how Centrify can control both access and privileges across a containerized ecosystem with the Centrify Identity Platform. This blog will showcase several of those best practices using resources published on GitHub and DockerHub.
Administrators today are implementing MFA in earnest, and often come across instances where the "out of the box" options just will not do. Sometimes, a user may ask to use his personal email address instead of corporate mail to log in.