This is the first lab in the series around Strong Authentication (series link). We will be focusing on Windows systems and providing strong authentication for privileged users using Yubikeys. Yubikeys are full-fledged personal identity verification (PIV) cards that work very well with Active Directory Certificate Services and Centrify software for UNIX, Linux and Windows.
- The Windows security model makes it easy for organizations to grant additional privileges to users by way of the local Administrators group. In Active Directory environments, organizations struggle with excessive membership in privileged groups like Domain Admins.
- In Active Directory, a common mitigation strategy is to provision each privileged user with a separate "administrative" account (e.g. joe/joe-a). This strategy can be supplemented by storing the "-a" account password securely.
- Unfortunately, advanced attacks like password mining, pass-the-hash and others have become more ubiquitous, which makes any member of a privileged group ("-a" or not) more susceptible to exposure.
- The "dual account" model is often paired with PSM (a jumpbox) to provide session brokering and recording. Unfortunately, this model can be circumvented by bypassing the jumpbox, and since the "-a" account is very powerful, the privileged user can then go anywhere.
Although Centrify can accommodate the "dual account" model using Centrify Privilege Service, ideally organizations would implement the least privilege model:
- Users shall only access the systems they need to based on business need-to-know with strong authentication
- Users shall be limited to the minimum privileges required for their functions: this is accomplished by providing users roles with the rights that they need.
- Rights shall be assigned in the context of applications, desktops and network rights. Strong authentication shall be required when using privilege elevation.
- In sensitive systems, access and privilege elevation shall be supplemented with session capture and replay.
- Limit privileged users to a subset of Windows systems based on their needs (AD and Centrify Zones enable this)
- Require strong authentication for console or remote (RDP) access (this is supported natively by Windows)
- Require strong authentication on Privilege Elevation (applications/desktops) (DirectAuthorize is Smart Card ready)
- Reproduce privileged sessions (session capture, transcription, replay).
What you'll need
- Active Directory with Certificate Services
- A domain joined member server with Centrify Server Suite 2016
- Access to Centrify Standard Edition (evaluation or licensed)
- Yubikey PIV Manager (download link)
- Yubikey 4, NANO or NEO
- You need working knowledge of Active Directory and Centrify Zones
We'll use the smart card user certificate provisioned to your test user's Yubikey. In Active Directory we'll require smart card authentication for the user (this can also be implemented on a subset of systems using Group Policy).
We will grant the test user a Centrify DirectAuthorize role that allows her to:
- Run Disk Management as the local administrator; launching it requires strong authentication
- Use an administrative desktop (as local administrator); launching it requires strong authentication
Complete the Base Lab Setup
The base lab set up is in the announcement post:
Centrify Setup for Windows Access and Privilege Elevation
To set up using PowerShell
# Run from a host with the Centrify PowerShell module loaded and rights to the zone container
$user = Get-ADUser -Identity Lisa.Simpson # substitute for your user
$cont = "cn=zones,ou=unix,dc=centrify,dc=vms" # substitute for your container DN
# Create the demo zone in that container
$zone = New-CdmZone -Name "Yubikey-Demo" -Container $cont
# Two match criteria so the right covers both ways of launching Disk Management: the .msc directly, and mmc.exe loading the .msc
$criteria1 = New-CdmMatchCriteria -Description "Disk Management - Direct" -FileType "msc" -FileName "diskmgmt.msc" -Argument " " -Path "C:\Windows\System32\"
$criteria2 = New-CdmMatchCriteria -Description "Disk Management - MMC" -FileType "exe" -FileName "mmc.exe" -Argument "C:\Windows\system32\diskmgmt.msc" -Path "C:\Windows\System32\"
# Application right: run as self with local Administrators added; -RequirePassword forces re-authentication (the smart card PIN for this user) at launch
$cmd1 = New-CdmApplicationRight -Zone $zone -Name "Disk Management Combo" -MatchCriteria @($criteria1, $criteria2) -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true
# Desktop right with the same elevation and the same re-authentication requirement
$desktop1 = New-CdmDesktopRight -Zone $zone -Name "Admin Desktop" -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true
# Role that only allows remote (RDP) logon; console logon is not granted
$role = New-CdmRole -Zone $zone -Name "Demo Role" -WinSysRights remote
# Attach both rights to the role, then assign the role to the test user at zone level
Add-CdmApplicationRight -Right $cmd1 -Role $role
Add-CdmDesktopRight -Right $desktop1 -Role $role
New-CdmRoleAssignment -Zone $zone -Role $role -TrusteeType ADUser -ADTrustee $user | Out-Null
To perform the steps for the script above manually
Create the Zone
- Open Access Manager and right-click Zones > Create New Zone
- Name: Yubikey-Demo
- Container: Browse to your container.
- Press Next and Finish
Create the Disk Management Application
- Launch Disk Management (e.g. Start > Run > diskmgmt.msc)
- Open Access Manager > Open the Yubikey-Demo zone > Authorization > Windows Right Definitions > Right-click Applications > New Windows Application
- Name: Disk Management Combo
- Match Criteria: Press Add > Import Process, select Disk Management and press OK. Then press Add > Import File, browse to C:\Windows\System32, select diskmgmt.msc and press OK. This adds a second way to launch the application (the .msc file itself rather than the mmc.exe process).
- RunAs: Self with added group privileges > Press Add Builtin Groups > Select Administrators, press OK, check the box for Authentication Required and press OK.
Create the Admin Desktop Right
- In Access Manager > Open the Yubikey-Demo zone > Authorization > Windows Right Definitions > Right-click Desktops > New Windows Desktop
- Name: Admin Desktop
- RunAs: Press Add Builtin Groups > Select Administrators, press OK, check the box for Authentication Required and press OK.
Create, Configure and Assign the Demo role
- In Access Manager > Open the Yubikey-Demo zone > Authorization > Right-click Role Definitions > Select Add Role
- Name: Demo Role
- System Rights: check only "Remote Login is allowed". This limits the user to RDP access; console logon is not granted.
- Press OK, then right-click the newly created role and select "Add Right". Add the Disk Management Combo application right and the Admin Desktop right created above.
- The role is ready to be assigned. Press OK, then right-click Authorization > Role Assignments > Select Assign Role
- Press Add AD Account, type the name of your test user, select it and press OK.
Note: This is a permanent direct assignment to a user principal at the zone level. This is not best practice; typically you grant role assignments temporarily (for attestation), on a subset of systems, and to AD groups for easier administration.
Install DirectAuthorize for Windows and join the system to the Centrify Zone
- On your domain-joined test system, browse to the path for the Centrify Standard Edition software.
- Go to Agent > and run "Centrify Windows Agent.exe"
- Follow the wizard and select the "Access" components. If you have DirectAudit, also select Audit.
- When the installation ends, configure the client to join your desired zone.
- The system will ask to reboot when complete.
- When a Windows system is added to the Centrify Zone, the security model changes.
- In order to access a Centrified Windows system, users must be explicitly granted logon rights. This means that even Domain Admins won't be able to access those systems.
- The type of access is based on the Windows setup (Remote/Log on Locally) and the Centrify Role definition (Console/Remote)
- When adding your first system to a zone, you will have an opportunity to explicitly add Domain Admins; otherwise you may lock yourself out of the system completely
Configure your Test user for Smart Card Authentication
- In ADUC, find and double-click the test user.
- Account Tab > Account Options > Check the box for "Smart Card is required for interactive logon"
- Press OK. You are ready to start testing.
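The same ADUC setting can be applied and verified from PowerShell, and the check extends naturally to auditing a whole privileged group for members that can still log on with a password. This is an added example, not part of the original lab: it assumes the ActiveDirectory RSAT module, and the user and group names are placeholders.

```powershell
# Added example (not from the original lab): enforce and audit the
# "Smart card is required for interactive logon" flag with PowerShell.
# Assumes the ActiveDirectory RSAT module; names below are placeholders.
Import-Module ActiveDirectory

$testUser = "Lisa.Simpson"          # substitute your test user
$privilegedGroup = "Domain Admins"  # substitute the group you want to audit

# Equivalent of the "Smart card is required for interactive logon" checkbox
# on the Account tab in ADUC.
Set-ADUser -Identity $testUser -SmartcardLogonRequired $true

# Confirm the flag took effect before running the RDP logon tests.
$u = Get-ADUser -Identity $testUser -Properties SmartcardLogonRequired
if (-not $u.SmartcardLogonRequired) {
    throw "Smart card logon is still not required for $testUser"
}

# Audit: every enabled user in the privileged group (including nested
# membership) that has NOT been moved to smart-card-only logon.
$withoutCard = Get-ADGroupMember -Identity $privilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq "user" } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, Enabled
    } |
    Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName, DistinguishedName

if ($withoutCard) {
    Write-Warning "Members of '$privilegedGroup' that do not require a smart card:"
    $withoutCard | Format-Table -AutoSize
} else {
    Write-Output "All enabled members of '$privilegedGroup' require a smart card."
}
```

Note that this flag only governs interactive logon; the Centrify role still decides whether the user may reach the system at all and whether the PIN is re-challenged on privilege elevation.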
- Try to access the system with any AD user other than the test user. Expected result: Access Denied. This is because users need to be explicitly granted access using a Centrify role.
- Try to access the system as Lisa with her password. Expected result: Access Denied. This is because the test user was defined with "Smart card is required for interactive logon".
- Try to access the system via the console with the smart card. Expected result: Access Denied. This is because the role created in Centrify does not grant console login.
- Try to access the system via RDP with the smart card PIN. Expected result: Access Granted.
- Try to run Disk Management normally. Expected result: Error: "You don't have access rights to Logical Disk Manager on [Server]". This is because when the user launches the app directly, they are doing so without any added privileges.
- Launching the app or the privileged desktop:
- Right-click App > Run with Privilege > Challenge with password. Expected result: Access Denied
- Right-click App > Run with Privilege > Challenge with smart card PIN. Expected result: Access Granted