Centrify Agent for Windows™ Deployment Options

Home >

Centrify Agent for Windows™ Deployment Options - Introduction

Product:

Published:

11 April,19 at 11:51 AM

Rating:

Background

The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (pre-requisites, communications), deployment scenarios and tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.

Functionality

Here are the capabilities (at the time of this writing - current version 2017.3) based on the type of Centrify product subscription bundle:

Centrify Identity Services Platform - Endpoint Services

Multi-factor Authentication
- Console
- Remote
- Screen saver unlock
- Offline mode
Windows 10 MDM Enrollment
Zero Sign-On
Audit Trail

Centrify Infrastructure Service

Access Control: Provided via Centrify Zones in Active Directory.
Privilege Elevation: Provided by the Centrify's DirectAuthorize.
MFA enabled via Role-based Access Control (all scenarios as above + privilege elevation).
Audit Trail: Provides a catalogue of events (to enrich SIEM functionality).
Session Capture: Advanced auditing capability that allows the capturing of user activity plus replay.
Shared Account Password Management: secure local account passwords, implement policy, etc.
Privilege Session Management: provide secure access via RDP.
Windows Service Management: secure services, scheduled tasks and IIS Application pool accounts.

Deployment Scenarios

The scenarios are divided in system class (server/desktop and laptop)and are based on the experiences of our existing customer base. Note that we will provide the details in generic lab format given that each organization's deployments has unique requirements.

On-premises deployment using an image source (e.g. the software is installed in the system with the Windows source and it's configured via GPO or other methods).
On-premises deployment using Group Policy or MSI-aware software change and configuration management tool (like Config Manager (SCCM), LANDesk, Symantec, Altiris, etc).
IaaS deployment: A system is launched in AWS, Azure or GCP and as part of the launch process, the system is configured to provide services like MFA, zone access control, privilege elevation, audit, etc. Upon termination, the system is gracefully decommissioned.
Persistent or non-persistent VDI: Using VDI technologies like VMWare's Horizon View or IaaS like Amazon WorkSpaces.

Overview Process by System Class

Server or Secure Workstation

PKI trust is established between the Windows system and the Centrify Identity Services platform.
Install the Centrify Agent for Windows™ at the proper order/timing.
The system is joined to a Centrify Zone (and corresponding computer roles).
In this scenario, Identity Services Platform functionality (like MFA or rescue options) is configured based on zone settings.
Optionally the local Administrator user credential is put in the Identity Services vault and it's password is set under management.
Additional settings like proxies, audit trail settings, Direct Audit installation, etc are configured via Group Policy.
At system sunset (via decommissioning or termination), the proper hygiene is followed: remove the system from the zone (release license), unenroll from Centrify Identity Platform, remove any credentials from the vault and final termination.

Desktop or Laptop

PKI trust is established between the Windows system and the Centrify Identity Services platform.
Install the Centrify Agent for Windows™ at the proper order/timing.
The system is configured to use a specific Centrify Identity Services platform instance.
In this scenario, subsequent configuration comes from Group Policy.
Optionally the local Administrator user credential is put in the Identity Services vault and it's password is set under management.
Additional settings like proxies, audit trail settings, Direct Audit installation, etc are configured via Group Policy.
At system sunset (via decommissioning or termination), the proper hygiene is followed: unenroll from Centrify Identity Platform, remove any credentials from the vault and final termination.

Toolbox

Centrify Agent for Windows™ - Official Documentation.
https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents.html
This is the constantly-evolving documentation. The information in this and subsequent posts is a compilation of information found there.
Centrify Agent for Windows™ MSI package and Transform (.mst) file.
These files are required for GPO or Configuration Management Tool deployments.
Where to obtain: Centrify Download Center, Centrify Identity Platform Admin Portal.

This is the contens of the Agents folder in the Infrastructure Services zip file.
Centrify Group Policy Management Editor Extension
The templates expose the Centrify Group Policy Management Objects.
How to obtain: Centrify Download Center. (Link to 2017.3)
Centrify Licensing Service
To be able to use the GPO feature, you need an installed Centrify license in Active Directory via this service.
How to obtain: Centrify Download Center. (Link to 2017.3)
How to obtain your license key: sent with your software subscription welcome email.
Centrify DirectControl PowerShell
Key tool for automation, especially when launching server images on-demand.
How to obtain: Centrify Download Center. (Link to 2017.3)
Active Directory Module for PowerShell
Key tool for automation, especially when performing Active Directory operations like Group Membership.
How to obtain: Install the feature. (e.g. Install-WindowsFeature RSAT-ADDS)
Centrify Access Manager MMC Console
This is where all the manual administration of Zones, Access, RBAC is implemented.
How to obtain: Centrify Download Center. (Link to 2017.3)
Centrify Audit Manager
Allows for the configuration of DirectAudit installations.
How to obtain: Centrify Download Center. (Link to 2017.3)
Centrify PowerShell Samples
Allows for the enrollment in the Centrify vault, secure or retrieve credentials.
How to obtain: Centrify GitHub, Community Post.

Centrify Agent for Windows™ Pre-Requisites
Official documentation: https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents.html

The computer is running a supported Windows 64-bit operating system version.
The computer is joined to Active Directory.
The computer has sufficient processing power, memory, and disk space for the agent to use.
Read the minimum requirements for each Windows version here. Note that you need to add to the minimum spec depending on the use case.
The computer has the .NET Framework, version 4.5.2 or later.
This requirement changes between versions.
The computer has Windows Installer version 3.1, or later.
For secure communications and capabilities such as MFA, enrollment and vaulting, the Windows system must trust the Integrated Windows Authentication (IWA) trust CA certificate from the Centrify Identity Platform.

Network Communications

Between Centrify Connector and Windows Client and Active Directory Domain Controllers (all use cases). These are the "well-known" ports required for Active Directory communication.

Protocol	Port	Direction	Comment
SMB/CIFS	TCP 445	Centrify Connector and Windows client to DC	Group policy relies on this port.
RPC	TCP 135	Centrify Connector and Windows client to DC	Group policy relies on this port.
RPC Endpoint ("TCP Dynamic")	TCP 49152-65535	Centrify Connector and Windows client to DC	Group policy may rely on these ports.
LDAP	TCP/UDP 389	Centrify Connector and Windows client to DC
Kerberos Password	TCP 464	Centrify Connector and Windows client to DC
Kerberos	TCP 88	Centrify Connector and Windows client to DC
Global Catalog	TCP 3268	Centrify Connector and Windows client to DC

Between the Centrify Connector to the target Windows System (server and secure workstation use cases)

Protocol	Port	Direction	Comment
RDP	TCP 3389	Windows (inbound)	If secure access from the Infrastructure Service will be allowed (configurable).
RPC Endpoint Mapper	TCP 135	Windows (inbound)	For Infrastructure Services Discovery, or if Management Mode is "RPC over TCP"
RPC Endpoint ("TCP Dynamic")	TCP 49152-65535	Windows (inbound)	For "RPC Endpoint Mapper" (Configurable) Note: varies between Windows versions.
SMB/CIFS	TCP 445	Windows (inbound)	For CPS discovery, or if Management Mode is "SMB"
WinRM over HTTP	TCP 5985	Windows (inbound)	If Management Mode is "WinRM over HTTP"
WinRM over HTTPS	TCP 5986	Windows (inbound)	If Management Mode is "WinRM over HTTPS"
IWA Service	TCP 80 TCP 8443	Connector (inbound)	IWA (SPNEGO) service is used for the Windows system to authenticate to the Web Service running on the connector. HTTP and HTTPs ports are configurable
API Proxy	8080 (TCP)	Connector (inbound)	Server Authentication (MFA) also relies on this.
RDP (Native Client)	TCP 5555	Connector (inbound)	Configurable port if using secure access with the Microsoft RDP client.

Between the Centrify Agent for Windows and a Proxy Server (optional scenario)

Protocol	Port	Direction	Comment
Proxy	Configurable	Proxy Server (Inbound)	These ports are configurable. For example for a Squid Proxy, the port is 3128, other proxies may use 8080.

Notes: Since Centrify Identity Platform 17.6, MFA clients can leverage the Centrify Connector to proxy traffic.

Between the Centrify Connector and a RADIUS Service (optional scenario)

Protocol

Port

Direction

Comment

RADIUS

UDP 1812/1813(UDP)
(or custom port)

Centrify Connector (outbound) RADIUS Server or Infrastructure (Inbound)

When CIP is acting as the RADIUS client,

this can be overridden at the connector level

Questions and lanning Considerations for Each Deployment Type

Centrify Identity Services Platform - Endpoint Services

How will the PKI certificate be distributed?
What functionality is required? (MFA, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
Interoperability: Should Windows Credential providers be excluded from the chain.
Usability: What will be the grace period for MFA on screen saver unlock?
Offline/Safe Mode MFA: Will this be enabled? What rescue users will be designated?
Communications: Depends on functionality or usage.
Audit Trail: Should the Centrify events be sent to the SIEM tool.

Centrify Infrastructure Services - Access Control and Privilege Elevation

How will the PKI certificate be distributed?
What functionality is required? (Access Control, Privilege Elevation MFA on login/elevation, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
Interoperability: Should Windows Credential providers be excluded from the chain.
Usability: What will be the grace periods for MFA on screen saver unlock and/or privilege elevation?
Offline/Safe Mode MFA: Will this be enabled? Who will be assigned Rescue Rights roles?
Communications: Depends on functionality or usage.
Audit Trail: Enabling integrations with Splunk, IBM Q-Radar or HP ArcSight

Centrify Infrastructure Services - Auditing and Monitoring Service

Functionality to be enabled: session capture vs. events only (EU privacy considerations).
Will users be notified that they are being audited?
What's the retention policy for session data by system class?

Centrify Infrastructure Services - Privilege Service Vault

Is the system going to be added to the vault for secure access purposes?
Are there any credentials that are going to be vaulted automatically? Will these passwords be managed?
What needs to happen when the system is decommissioned/terminated? What will happen with he credentials and history?

Articles in this series