Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

Centrify 21.2 Release Notes

7 April,21 at 11:05 PM

New Features for the Centrify Vault Suite:

AWS EC2 Instance Continuous Discovery and Automated Management (Preview)

For cloud migration projects, organizations are moving their in-house applications to the Cloud. For many, the path of least resistance is to simply lift-and-shift their VMs and apps into their preferred cloud platform. Whether on-premises or in the cloud, administrators will still need to log in for troubleshooting and maintenance. When on-premises, this is trivial; admins can easily log in with their on-premises enterprise identity (e.g. AD or LDAP credentials). In the cloud, however, there's no immediate direct line-of-sight to the on-premises domain controllers without implementing a site-to-site VPN or replicating your directory infrastructure in the cloud. A typical shortcut is to provide the admins with SSH Keys and local accounts to log in to the Linux VMs and the local administrator account password for Windows VMs. Team members working on the same Linux VM will typically share a single privileged local account. 

All this introduces complexity, risk, and operational overhead. There's no accountability when using shared privileged accounts. If compromised, they give the threat actor the keys to the kingdom, so they increase your attack surface and risk. When there is a personnel change in the team, the rotation of SSH keys and the local administrator account password on all the VMs running in the cloud is operationally intensive. The more VMs, the more work involved. Such efforts are often ignored, resulting in back-doors and potential vectors of attack.

Centrify's Cloud Provider capability, introduced in the 20.6 release, helps address these issues. Adding to the management of AWS root/billing accounts and vaulting of AWS IAM users and their associated Access Keys, this release adds:

  • Discovery now supports a new type for "AWS EC2 Instances" alongside the existing "Active Directory" and "Port Scan" discovery types
  • Additional "Actions" for discovered EC2 instances that support automatic:
    • Downloading and installing a Centrify Client (Windows and Linux).
    • Enrolling the system into the Centrify Platform.
    • Downloading and configuring the "Use My Account" certificate to enable single-click log in from the vault UI.
    • Configuring local sudoers policies to grant users elevated privileges on the system.
  • The ability to automatically deploy a Centrify Gateway Connector on an AWS EC2 Windows instance for a specific VPC and subnet.
  • Continuous Discovery supports automatic removal of terminated instances and the addition of new instances to the Centrify Platform.

Note that AWS EC2 instances discovery and management is a preview release. If you would like to explore this feature, please contact your Centrify representative to have it enabled for your tenant.

User-added imageUser-added image
 

Centrify Privileged Access Request (PAR) App for ServiceNow now supports Orlando, Paris, and Quebec Releases

Centrify Privileged Access Request provides customers with just-in-time access. When an administrator needs additional Centrify roles to check out a vaulted account password, log in to a system, or elevate privilege on a system, she can request such access without leaving the  ServiceNow Service Catalog, leveraging its native workflow. Custom integration between Centrify and ServiceNow fulfills an approved request, provisioning the required role(s) for a limited time. The administrator can then use Centrify Vault Suite to check out the password or remotely log in to the resource. This capability improves operational efficiency and reduces risk by promoting a zero standing privileges posture.

Key features include:

  • Requesting access to IT infrastructure from the ServiceNow Service Catalog.
  • Requesting a Centrify Zone role.
  • Securing remote access to infrastructure without requiring a VPN.
  • Time-bound and monitored access to privileged accounts.
  • Detailed monitoring and reporting of privileged accounts.

Benefits include:

  • Reducing risk with time-bound access to critical resources.
  • Delivering a modern service experience for controlling privileged access.
  • Controlling privileged access to critical assets.
  • Leveraging ServiceNow's strong workflow capabilities.
  • Ensuring policy compliance.
  • Reducing IT service requests by leveraging ServiceNow.
  • Simple request processing for gaining privileged access to critical resources.
  • No need to store or remember shared account credentials.

 

Centrify App and Add-On for Splunk now support Splunk version 8.x

The Centrify Add-On for Splunk categorizes event log data captured from the Centrify Platform related to privileged access activity and normalizes these events for the Splunk Common Information Model (CIM). This allows real-time analysis and risk mitigation to identify a potential breach in progress.

Key features and benefits include:

  • Minimizing the risk associated with privileged access abuse.
  • Centralizing visibility across enterprise deployments.
  • Easily importing categorized data sets from privileged user activity.
  • Leveraging existing investments in SIEM and alert tools without additional costs.

The Centrify App for Splunk provides Centrify Vault Suite customers with dashboards and reports designed to interpret and display Centrify Audit events properly. They can be used as-is or to enrich existing Splunk visualizations with Centrify security-related event data.

Key features and benefits include:

  • Dashboards that show login activity, privileged access activity, privileged access anomalies, and admin activity.
  • Reports around privileged admin activity, login activity, authorization failure, and more.
  • Alerts around multiple login failures in the last day, privileged command authentication failures in the last day, and more.
 

New Features for Centrify Cloud Suite:

Support for Offline Login

To fully support the Linux and Windows operating systems as authentication clients, the Centrify Client now supports offline login. By definition, offline login is an availability control used when the system cannot communicate to the realm that the system has joined ("enrolled" in Centrify terminology).  This may be due to service unavailability, connectivity issues, etc. The result is that the end-user is unable to access the system.

Key features include:

  • Offline login policy.
  • Offline login with cached credentials.
  • Offline login with cached credentials and identity validation.
  • New Reports to show offline login activity for the last 30 days and systems that allow offline login.
  • MFA for specific local administrator accounts.
  • Platform independence (features is supporting both Windows and Linux clients).
User-added image

 

Centrify Client for Windows will now challenge for MFA when Elevating Privilege using "Use My Alternate Account"

On Windows, when a user right-clicks an application and selects "Use my alternate account" from the contextual menu to run with elevated privileges, the Centrify Client now supports an MFA challenge, if configured.

The Centrify Client can to determine that extra MFA is configured, fetch the MFA challenge(s), and present them to the user.


New Features

  • Privilege elevation for CClient – Phase 1 (preview #2)
    This release includes the second preview of the first phase of privilege elevation support for Centrify CClient. This preview adds the following features:

    - Workflow support. A distinct approver list can be specified for each privilege elevation policy. If no distinct approver list is specified in the policy itself, the default approver list set up for the system is used.

    - Auditing of PAS events. PAS events are generated whenever privilege elevation policy is defined / modified or deleted using the UI or via a REST API, or when a policy change fails. The event includes the command being executed, the user who made the change, the timestamp and a description of the change.

     
  • Different password rotation policy for local and Active Directory domain accounts
    Local accounts and different accounts in a domain often need different password rotation frequencies and complexities based on the privilege each account has. For example, a domain administrator account might need to be changed every 30 days but regular local and domain users might be allowed 90 days. It is now possible to create a unique password rotation policy and complexity for a set of users.

Change for hot fix 1
  • Resolved an issue that could cause a performance impact enumerating large sets with individual object permissions (CC-77891).

Changes

The following list records issues resolved in this release and behavior changes.

 
  • To prevent issues in enterprises that have a group policy enabled to block execution of unsigned scripts, all PowerShell scripts in the Hyper-Scalable Privileged Access Service package are now signed (CC-76803).
     
  • Old connectors that did not track the state of SSH or RDP configuration now consistently show them as enabled by default on the connector configuration page and network page (CC-77214).
     
  •  The documentation for the UpdateResource REST API has been updated to note that Name, FQDN and ComputerClass are required parameters. Previously the documentation had stated that these were optional (CC-75696).
     
  • When uploading secrets, dragging a folder would occasionally create multiple folders of the same name. Now a single folder is created as expected (CC-75882).
     
  • With the Linux agents, an empty /etc/centrifycc/user.ignore file will no longer fail login to the system for all users with all login methods (CC-77279).
     
  • New users can now log in for the first time when configured to use phone as an MFA factor (CC-76462).
     
  • Web and native RDP login now allows Unicode characters in the account name, password and system name (CC-75484).


Notice of discontinuation
 
  • In the 21.3 release support for TLS 1.1 will be fully deprecated from Centrify cloud products, including mobile apps. Only TLS 1.2 and above will be allowed.
     
  • The Centrify Android app will discontinue support for Android 4.4 with release 21.4. Users with Android 4.4 devices may continue to use the release 21.3 Android app, however functionality introduced after 21.3 may not work as expected.
     
  • With the 21.5 release we are planning to drop browser extension support for Microsoft Internet Explorer version 11, due to Microsoft end-of-life-ing the product and to improve the security posture of the cloud service.

Supported Platforms

Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux


Client for Red Hat 6:
  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
  • CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0
  • Fedora 30, 31
  • Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
  • Amazon Linux AMI 2017.09, 2018.03
  • Amazon Linux 2 2017.09, 2018.03
     
Client for Red Hat 7 (ARM architecture):
  • 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
     
Client for CoreOS
  • Latest stable release 2345.3.0

Client for SUSE 12
  • SUSE 12, 15

Client for Debian 9
  • Debian 9
  • Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04

Centrify Client for Microsoft Windows

  • Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

  • Android 4.4 (API level 19) and later

Centrify app for iOS

  • iOS 11 and above


(Tested systems and devices for Privileged Access Service are listed in the documentation)