Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance requirements for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. This article will walk you through the steps to enable users to log into Linux and UNIX systems with Active Directory credentials and be prompted for multi-factor authentication.
Centrify provides a solution to join Linux/Unix systems to Active Directory and enable users to log in with Active Directory credentials. This helps to improve security and simplify management by consolidating identities. In order to join a computer to AD, there are two things to prepare on your Linux/UNIX system.
1. Configure DNS settings
Make sure the Windows DNS Server(s) are included in the /etc/resolv.conf file. This enables systems to be able to communicate with an Active Directory domain controller.
Note: The method to configure the DNS settings in /etc/resolv.conf is different for each Linux / UNIX flavor and environment. If your DNS settings in /etc/resolv.conf are not being retained after reboot, you will need to edit the following files instead:
- AWS EC2: /etc/dhcp/dhclient.conf
- CentOS, RHEL: /etc/sysconfig/network-scripts/ifcfg-eth0 or Network Manager
- Ubuntu: /etc/network/interfaces
2. Change the computer name
Before joining your computer to Active Directory, rename your computer to a unique name that is less than 15 characters and meets Active Directory computer naming convention requirements. The method for changing the computer name is also different for each Linux/Unix version, flavor and environment.
Run:
# hostnamectl set-hostname computername.yourdomain.com --static
Or:
1. Edit /etc/sysconfig/network. Make sure HOSTNAME=computername.yourdomain.com
2. Edit /etc/hosts
3. Run the command # hostname computername.yourdomain.com
1. Update the following files with your new computer name:
Bonus - Firewall and network communication check
Make sure nothing is blocking the ports needed to communicate with Active Directory.
After you install the Centrify Agent, you can run ADcheck either before or during the adjoin process.
When you are ready to join your Linux/Unix system to Active Directory, check out the article on many ways to install the Centrify (Linux/Unix) Agent.
This tech blog article will guide you through the process of using Centrify multi-factor authentication for Pulse Secure VPN access. At the end of this article you will be in a position to deploy the Pulse Secure Connect virtual VPN appliance using Centrify strong authentication for your remote users.
Centrify supports OATH OTP clients for multi-factor authentication, such as Microsoft Authenticator, Google Authenticator, Centrify's mobile app and more. Centrify can use OATH OTP for:
- self-service AD password reset,
- web application access,
- computer login (Windows, Linux and UNIX),
- privilege elevation (Windows, Linux and UNIX),
- privilege password checkout,
- and more.
This article will walk through the steps to configure Centrify and Microsoft Authenticator for multi-factor authentication.
The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (prerequisites, communications), deployment scenarios and tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.
This is the second article in a series on Centrify's role in participating in or enhancing the Microsoft Enhanced Security Administrative Environment.
The first article in the series covered MS ESAE in FAQ form and introduced 10 principles derived from this environment.
In this article, we provide information about how Centrify can enable the implementation of the general principles and recommendations.
Please read the original article (link below) to get the full context of the information.
In this series we discuss Microsoft's Enhanced Security Administrative Environment (ESAE) and how Centrify participates and provides additional capabilities in this model.
The first article in the series is an introductory post on the topic.
Security questions are like a second password prompt. Just like passwords, users tend to create weak or easy-to-guess answers. Unlike passwords, security questions usually do not have policies that enforce complexity, uniqueness and resistance to guessing.
Here are some tips to help make your security question answers stronger:
1. Use a non-corresponding answer.
Using an answer that does not correspond to the question will make it harder for unauthorized users to guess or find your answer. For example, if the question is your first car model, answer with "blankcowblueYogurt". If the question is your mother's maiden name, don't use your mother's maiden name as the answer. Your mother's maiden name might be easily guessed, or acquired through social media, social engineering, stolen records, public records, malware or many other methods.
2. Avoid answers that are vulnerable to social engineering.
Even if you use a non-corresponding answer to a security question, unauthorized users may still randomly attempt to use information that could be acquired through social media or social engineering such as the name of your child, pet, school, or company.
3. Follow password complexity rules for your answers.
Security questions are just like a second password. Hackers may use brute force or dictionary attacks on a security question. Following password complexity rules can help to make your security question answers more secure.
An easy-to-remember yet complex answer is four random words, like "blankcowblueYogurt".
4. Use spaces if possible.
Older-generation brute force and dictionary attacks don't account for spaces. Against modern tools, spaces still make the answer longer and harder to crack. Add spaces to your answer if allowed, for example "blank cow blue Yogurt".
Centrify MFA can use security questions for:
- AD password reset / account unlock
- Computer login (Windows / Linux / Unix)
- Privilege elevation (Windows / Linux / Unix)
- Remote access through Centrify's password vault.
- Password checkout for shared privileged accounts.
- AWS Workspaces
- Horizon View
- Accessing a web application
- Accessing the Centrify User and Admin Portals.
- VPN access
Centrify users can set up their security question(s) through the Account tab in the Centrify User portal.
The Centrify IWA root CA certificate is required for silent authentication into the Centrify User Portal or Admin Portal, and for computer MFA login. This article will walk through the steps for downloading the IWA root CA certificate for deployment.
Prerequisite: Install the Centrify Connector on a 64-bit system or VM inside your network.
1. Log into the Centrify Admin Portal. On the left column, navigate to Settings > Network > Centrify Connectors.
2. Click on the name of any Centrify Connector listed in the right pane. The Centrify Connector Configuration window will pop up.
3. In the Centrify Connector Configuration window, click on IWA Service, then click on Download your IWA root CA certificate.
Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.
Here is a video on how to do it
[What's new] Infrastructure Services 2017.3 - Windows Self-Service Password Reset and MDM Enrollment
Centrify Infrastructure Services 2017.3 - Centrify Agent for Windows™
This is a part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3. In this article, we'll discuss what's new with the Centrify Agent for Windows™ including:
- Self-Service Password Reset using the Windows Credential Provider.
- Windows 10 MDM Enrollment.
These capabilities complement some of the platform benefits like Self-Service, Multi-Factor Authentication and Zero Sign-On.
Various security standards require the computer screen to be locked or logged off after a period of inactivity. This article will show you how to use Centrify to enforce an automatic log out from the Linux CLI after a period of inactivity.
- The Linux system must have the Centrify Agent installed and bound to Active Directory.
- You will need Group Policy Management on a Windows member server with the Centrify Infrastructure Services installed.
1. In Group Policy Management, edit or create a GPO for your Linux system.
2. Enable Computer Configuration > Policies > Centrify Settings > Common UNIX Settings > Specify commands to run.
3. Click Add.
4. Enter a custom command, then click OK.
For CentOS use:
grep -q -F TMOUT=900 /etc/bashrc || echo TMOUT=900 >> /etc/bashrc
For Ubuntu use:
grep -q -F TMOUT=900 /etc/bash.bashrc || echo TMOUT=900 >> /etc/bash.bashrc
Change the numbers in the command to your desired number in seconds. (For example, 900 = 15 minutes.) Please note the operating system might round up or down to the closest supported minute.
5. Reboot the Linux system for the setting to apply.
The Centrify Agent will execute the script at every Active Directory group policy interval (default 90 minutes).
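As an added example (not part of this article or of Centrify's own tooling), here is a reusable shell function that does what the two one-liners above do for either rc file, but idempotently: it matches only an active assignment of exactly the requested value (a fixed-string grep for TMOUT=900 also matches TMOUT=9000 or a commented-out line, so the setting would never be appended), replaces any other active TMOUT value, and marks the variable readonly so a user cannot unset it at the prompt. The file contents in the demonstration at the bottom are constructed.

```shell
#!/bin/sh
# Added example: idempotent enforcement of a bash idle timeout in a
# system-wide rc file (/etc/bashrc on CentOS, /etc/bash.bashrc on Ubuntu).

# Active (uncommented) TMOUT assignment, optionally prefixed by readonly/export.
TMOUT_RE='^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)*TMOUT='

# ensure_tmout RCFILE SECONDS
ensure_tmout() {
    rcfile=$1
    seconds=$2
    [ -f "$rcfile" ] || return 1
    # Already set to exactly this value on an active line: nothing to do.
    if grep -Eq "${TMOUT_RE}${seconds}([[:space:]]|\$)" "$rcfile"; then
        return 0
    fi
    # Drop any other active TMOUT assignment so the file holds a single value,
    # keep every other line, then append the enforced setting.
    tmp=$(mktemp) || return 1
    grep -Ev "$TMOUT_RE" "$rcfile" > "$tmp" || :
    # readonly stops `unset TMOUT` / `TMOUT=0` in the user's shell. The rc file
    # is often sourced twice (login shell via profile, then ~/.bashrc), and a
    # second readonly assignment errors, so its message is silenced.
    printf 'readonly TMOUT=%s 2>/dev/null\n' "$seconds" >> "$tmp"
    # Write through cat so the rc file keeps its owner, mode and inode.
    cat "$tmp" > "$rcfile" && rm -f "$tmp"
}

# count_tmout RCFILE: number of active TMOUT assignments (for verification).
count_tmout() {
    grep -Ec "$TMOUT_RE" "$1"
}

# Demonstration on a constructed rc file; real deployment would target
# /etc/bashrc or /etc/bash.bashrc via the GPO command above.
demo=$(mktemp)
printf '# TMOUT=900\nTMOUT=9000\nalias ll="ls -l"\n' > "$demo"
ensure_tmout "$demo" 900
ensure_tmout "$demo" 900     # second run must not add a duplicate
echo "active TMOUT lines: $(count_tmout "$demo")"
cat "$demo"
rm -f "$demo"
```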
Please share if you have a better script or method.
Are you looking for some data that just isn’t covered in the stock reports?
You’ve come to the right place! In this blog, I want to show you some of the basics of writing your own custom reports.