A Centrify Connector on an AWS private subnet allows you to:
- Integrate with an Active Directory domain that is associated with the private subnet,
- Use the Centrify Connector as a bastion host that is in the private subnet instead of public,
- Password vault local and domain service accounts being used in the private subnet,
- Provide MFA login for Windows or Linux servers
- Provide MFA for other AWS services such as AWS Workspaces.
This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.Read more...
How to allow users to log into a remote Linux machine via SSH, using Active Directory credentials that require smart card authenticationRead more...
This TechBlog describes how to create a scheduled task that will automatically rotate the Centrify Auditing database on the first day of each month. You can easily modify the command outlined to suit your requirements.Read more...
Leverage your Symantec VIP investment with Centrify
Many organizations already use Symantec VIP to provide MFA authentication assurance to control access to web applications and/or network systems. I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services at server login and privilege elevation. This allows you to centralize non windows identities to Active Directory and use VIP to authenticate users for specific server related tasks.
Now I want to show you how organizations can extend Symantec VIP to provide MFA to web applications and infrastructure resources that use the Centrify Identity Platform as their policy engine. This allows organizations to use Centrify for single sign on, enterprise mobility management, and privileged identity management but also leverage their investment in Symantec VIP to provide MFA when logging on to the Centrify portal or checking out a privileged account.
For example, for an AD user logging into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
The first authentication method is going to ask the user to provide the access code on his/her VIP token:
The second authentication will validate the user's Active Directory, Centrify Directory, or LDAP directory password. Once completed, the user will be taken to the user portal page.
The authentication profile leverages the Centrify policy to authenticate the user with her VIP token first, then prompt for her AD password. This prevents an attacker from locking out the end user's Active Directory account by ensuring that the user has possession of VIP token before allowing the user to enter her AD password.
This shows one example of how an organization can leverage a Centrify policy while still making use of Symantec VIP for MFA. Taking this further, organizations can use Centrify to configure specific rules for when they want to MFA a user with Symantec VIP, and/or the organization can use the Centrify analytics engine to make a user behavioral risk decision based on machine learning to decide when to MFA the user with Symantec VIP.
The benefits of this approach are that the organization can leverage a very powerful access policy engine throughout the enterprise and make context based decisions on whether to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to make use of Centrify without having to rip and replace their existing Symantec VIP solution and re-issue MFA tokens to all end users.
To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To article in this series (coming soon).
How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
The configuration of a profile will be made to start the recordings of the sessions from the elevation of privileges and the integration will be made with splunk so that the auditing sessions can be viewed directly from the Splunk Portal.
Configuración de integración entre Infrastructure Service (Auditing and Monitoring Service) y Splunk
Como configurar la integración entre Infrastructure Service (Auditing and Monitoring Service) y Splunk
Parte2 - Configuración de integración entre Infrastructure Service (Auditing and Monitoring Service) y Splunk
Centrify Infrastructure Services (Privilege Access Service) has the ability to store secrets. These secrets can be free-form text or files (currently up to 5mb in size).
There will be use cases where the contents of these secrets need to be programmatically accessed EG from inside an application or as part of orchestration/DevOps processes.
By leveraging Centrify's OAuth2 authorization framework, this article will describe how to configure OAuth2 to enable a PowerShell script to obtain the contents of a text-based secret from the Centrify platform.
However, it does not stop there. Using this methodology (Oauth2 apps & scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation may be achieved. Including writing objects such as systems, shared accounts, secrets ETC. Pretty much everything that can be done via the portal can be automated/configured programmatically.
Whilst this example is in PowerShell any compliant code can leverage this methodology (Java, C#, Go ETC). For example, I have Python code to run SQL queries against the Centrify Identity Platform from LINUX, but that's for another post
For more detail on the Centrify Identity Platform API's see https://developer.centrify.com
Bed Time reading on OAuth2 : https://tools.ietf.org/html/rfc6749Read more...
Ever stayed up late at night dreaming of how awesome it would be to implement RADIUS in your environment? Maybe that's a stretch... But, before you wrestle with your VPN, try setting up a simple test configuration to get a feel for how it all works. Look no further, because this blog will help you do just that!Read more...
My latest Eval Setup videos for the newly released Centrify Infrastructure Services 2018.Read more...
Learn the basic of Microsoft Red Forest and how Centrify can be used to provide a more effective security strategy.Read more...
We will cover how to secure FortiGate Administrator access using Centrify MFA. We will be using an Active Directory user that is federated to Centrify to log in to a FortiGate as an Admin user and prompted for MFA at both CLI and Web GUI login.Read more...
[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part1 - Start session recording when performing privilege elevation
We will made the configuration of a profile to start the recordings of the sessions from the elevation of privileges and the Splunk integration with Infrastructure Service (Auditing and Monitoring Service) so the auditing sessions can be viewed directly from the Splunk Portal.
1. Login to the Centrify Admin Portal.
2. Go to Core Services > Policies.
3. Edit an existing policy by clicking on the name of the policy or create one.
4. Go to Endpoint Policies > Common Mobile Settings and click on Common. By default, it is set to "Yes" and you will be able to see Passcodes on an Enrolled device.
5. If you want to disable the “Passcodes” you will need to select No in the “Show "Passcodes" interface in the mobile apps and the user portal”.
6. When it is set to “No” you will not be able to see Passcodes once the policies are updated on the device.
Use Centrify GPOs to Create and Distribute a Customized Kerberos Configuration File (/etc/krb5.conf)
Today we are going to use two Centrify GPOs to create a custom krb5.conf file and distribute it to our Unix/Linux systems:
ComputerConfiguration -> Policies -> CentrifySettings -> Common UNIX Settings -> "Copy files"
ComputerConfiguration -> Policies -> CentrifySettings -> DirectControlSettings -> "Add centrifydc.conf properties"
Our first action is to create theRead more...
End-users are seeking modern ways to interact with IT and other shared services groups across their organization. They look for self help — where they can get secure access to apps, manage their own passwords, search for known apps or servers, request access to services that they need. IT-users need to automate tasks like account provisioning and password resets, and manage privileged access to on-premises and cloud-based infrastructure. Centrify’s identity management integrations with ServiceNow help automate processes, improve visibility, and provide a better experience for ServiceNow end-users and privileged IT-users.
Do you want to enable just-in-time privilege for your administration to infrastructure? Do you want to tie back the access to a valid service ticket in the workflow system of record (servicenow)?Read more...
- Log into the Centrify Admin Portal.
- Go to Core Services > Policies.
- Edit an existing policy by clicking on the name of the policy or create one.
- Go to Endpoint Policies > Device Enrollment Settings, then select Yes in the “Show welcome screen on enrollment drop down”. By default, it is set to Yes.
- Go to Settings > Endpoints > Endpoint Customization, then check the box on the left of “Specify unique welcome message for supported languages.”
- Below will show a number of message for supported languages. By default, each welcome message for different language will state “This welcome text and logo can be configured by visiting https://(tenant).my.centrify.com/manage, under 'Settings'.
- You can edit the welcome message by clicking on a language. After any change click the Save button.
8. When you enroll a device that is listed as one of the languages from the table it will show the welcome message that is attached to the language. Below shows a phone that is set in Spanish and English.
As customers move more and more to the cloud, many customers are leveraging AWS Workspaces as a Desktop as a Service Solution (DaaS) to provide end users access to corporate resources at any time from any where. Given Workspaces are available to anyone, from anywhere, a key consideration to moving to AWS Workspaces, is of course Security.
AWS Workspaces can be configured to require Multi-Factor Authentication (MFA) to add a layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which can be provided by a virtual or hardware MFA solution.
There are two ways to do this.
Option 1) Use Centrify Endpoint Services. @Robertson in this article covered how to use the Centrify agent to enforce strong workspace level security with Centrify's Endpoint Services solution to deliver:
- Access control using Centrify Zone technology
- Strong Authentication with MFA at login, screen lockout or remote desktop
- Privilege Elevation for application or administrative desktop
This is the most secure option.
Option 2) Use Centrify's MFA service with AWS Radius support to require MFA before accessing AWS Workspaces
In this howto, we will focus on option 2.
Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. Centrify enables the ability to prompt for MFA at console or ssh login. This article will walk you through the steps to enable users to log into Linux and UNIX systems with Active Directory credentials and prompted for multi-factor authentication.Read more...
As Infrastructure and Application Development continue to converge in a Dev Ops world, container technology is being heavily adopted by organizations. As a trusted security partner, Centrify customers and prospects are asking how can Centrify secure this new dynamic container based eco system?
@David covered in his article how Centrify can control both access and privileges across a containerized ecosystem with the Centrify Identity Platform. This blog will showcase several of those best practices using Github and DockerHub published resources.Read more...
Administrators today are implementing MFA in earnest, and often come across some instances where the "out of the box" options just will not do it. Sometimes, a user may ask to use his personal email address instead of corporate mail to log in.Read more...
Learn how to protect Office 365 accounts from brute force attacks and prevent account lock outs. This article will show you how to use password-less authentication to prevent AD account lockouts and distracting MFA notifications caused by brute force attacks.Read more...
This article will help you set up a second factor of authentication to your Citrix StoreFront portal using Centrify Application ServicesRead more...
Before you join a computer to AD, there are three things to check:
- DNS settings
- Computer name
- Network communication between the Linux/UNIX system and Active Directory domain controller(s)
Centrify Infrastructure Services (Privilege Service) can securely store account and password combinations for local accounts.
In a break glass scenario, an authorized user can checkout a password using the Centrify mobile app.
The password can subsequently be checked in manually or automatically after a set period of time and potentially rotated if it is a managed password.
This Tech blog article will guide you through the process of using Centrify Multifactor authentication for Pulse Secure VPN access. At the end of this article you will be in a postion to deploy the Pulse Secure Connect virtual VPN appliance using Centrify strong authentication for your remote users.
Joining Linux and UNIX machines to an Active Directory domain with Centrify Infrastructure Services has countless benefits, not the least of which is the ability to do away with SSH Public Key authentication. There are several good reasons to discontinue the use of SSH Keys. For a complete list of all of them, please reference the NIST Internal Report 7966.
I can save you some dry reading, and summarize it like this. If improperly managed, the use of SSH Keys can present a massive security risk. Even if every measure is taken to properly manage them, SSH key provisioning is still prone to human error, and after all, UNIX admins are only human.Read more...
Centrify support OATH OTP clients for multi-factor authentication such as Microsoft Authenticator, Google Authenticator, Centrify's mobile app and more. Centrify can use OATH OTP for
- self-service AD password reset,
- web application access,
- computer login (Windows, Linux and UNIX),
- privilege elevation (Windows, Linux and UNIX),
- privilege password checkout,
- and more.
This article will walk through the steps to configure Centrify and Microsoft Authenticator for multi-factor authentication.Read more...