11 April,19 at 11:50 AM
Your Centrify Privilege Service (CPS) deployment could go a lot smoother with this checklist. This checklist is a high-level overview of the necessary tasks to prepare, deploy, configure, and validate a CPS environment.
Preparation
Have a Centrify tenant with the Privilege Service enabled
Have at least two Centrify Directory Service accounts in System Administrator Role
Have a customized login suffix and tenant URL configured
Define user security policies for login authentication to the Centrify Portals (password or MFA)
If using MFA with mobile device phone numbers, check that these attributes exist and are provisioned in Active Directory
If using MFA with email, check that email attribute exists and has been provisioned
If using RADIUS for MFA, configure RADIUS
If using OATH for MFA, configure OATH
Identify hosts for Centrify Connectors
Check firewall rules from Centrify Connectors to the Centrify Cloud Service
Check firewall rules from Centrify Connectors to the CPS systems
Identify subnets to be associated with each Connector
If using Discovery, check firewall rules to determine if Connectors can connect to potential resources via SMB and RPC over TCP
If using Discovery, identify an Active Directory account with permissions to read the machines that will be discovered. This account should also have local administrator permissions on those machines.
If you will be managing services for scheduled tasks or other service accounts, identify service accounts to manage
If you will be managing database accounts, identify the databases (SQL Server or Oracle) to be managed
If you will be managing database accounts, verify that the firewall allows connection from the Connector to the database server or instance
If using auditing, have a working CSS DirectAudit Installation
If using auditing, check firewall rules from Centrify Connectors to the DirectAudit Installation
If using workflow, identify approvers for access requests
For more details, see the following links:
Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 1
Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 2
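The MFA attribute checks and the Connector firewall checks in the preparation list above can be scripted from a prospective Connector host. The following is an added example, not Centrify's own tooling; it assumes the RSAT ActiveDirectory module is installed, and the tenant host name, OU, target host names and database ports are placeholders to replace with your own values.

```powershell
# Added pre-flight script (not Centrify's code). Assumes RSAT ActiveDirectory is installed;
# tenant host, OU, target names and database ports below are placeholders/assumptions.
Import-Module ActiveDirectory

# 1. MFA readiness: list enabled users in an OU that lack the attributes the checklist
#    says must be provisioned (e-mail for email MFA, mobile phone for SMS/phone MFA).
function Get-CpsMfaAttributeGaps {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,            # e.g. 'OU=Staff,DC=example,DC=com'
        [string[]] $RequiredAttributes = @('mail', 'mobile')    # LDAP attribute names
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $RequiredAttributes |
        ForEach-Object {
            $user = $_
            $missing = $RequiredAttributes | Where-Object { [string]::IsNullOrWhiteSpace($user.$_) }
            if ($missing) {
                [pscustomobject]@{ SamAccountName = $user.SamAccountName; Missing = ($missing -join ',') }
            }
        }
}

# 2. Connector reachability: confirm the TCP paths the checklist lists (cloud tenant on 443,
#    SMB 445 and RPC endpoint mapper 135 to Discovery targets, database listener ports).
#    RPC also uses dynamic high ports after 135; those are assumed open and not tested here.
function Test-CpsConnectorPaths {
    param(
        [Parameter(Mandatory)] [string] $TenantHost,            # e.g. 'yourtenant.my.centrify.com'
        [string[]] $DiscoveryTargets = @(),
        [string[]] $DatabaseTargets  = @(),
        [int[]]    $DatabasePorts    = @(1433, 1521)            # SQL Server / Oracle defaults (assumed)
    )
    $checks = @([pscustomobject]@{ Purpose = 'Cloud service'; Host = $TenantHost; Port = 443 })
    foreach ($t in $DiscoveryTargets) {
        $checks += [pscustomobject]@{ Purpose = 'Discovery SMB'; Host = $t; Port = 445 }
        $checks += [pscustomobject]@{ Purpose = 'Discovery RPC'; Host = $t; Port = 135 }
    }
    foreach ($t in $DatabaseTargets) {
        foreach ($p in $DatabasePorts) {
            $checks += [pscustomobject]@{ Purpose = 'Database'; Host = $t; Port = $p }
        }
    }
    foreach ($c in $checks) {
        $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Purpose = $c.Purpose; Host = $c.Host; Port = $c.Port; Open = $r.TcpTestSucceeded }
    }
}

# Example usage with placeholder names; any row with Open = False needs a firewall rule.
Get-CpsMfaAttributeGaps -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table
Test-CpsConnectorPaths -TenantHost 'yourtenant.my.centrify.com' -DiscoveryTargets 'srv01','srv02' -DatabaseTargets 'sql01' | Format-Table
```

Run the connectivity function once per Connector host, since each Connector is associated with its own subnets and may sit behind different firewall rules.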
Deployment
Install Centrify Connectors on hosts in client environment
Define Administrative Roles for CPS
Add users or groups as members of the CPS roles
In Admin Portal Settings > Infrastructure, specify Global permissions for systems and accounts
In global security settings: specify the frequency of password rotation, how long passwords can be checked out, etc…
If using auditing, enable auditing for CPS
Discovery
If using auto Discovery, create a Discovery profile. Specify an Active Directory account with permissions to read the machines that will be discovered - this account will also need to have local administrator permissions on the systems that will be discovered
Filter Discovery based on Organizational Unit or Active Directory Group - do not proceed without setting a filter
Add passwords to any service accounts that were found and that CPS will be managing
Import
If bulk importing, download and complete the bulk import spreadsheet
Import spreadsheet into CPS using the bulk import wizard
If local accounts were not specified in the bulk import spreadsheet, manually add credentials for those accounts
Configuration of system-level permissions, account-level permissions, and domain-level permissions
Create static sets of systems and accounts to grant member permissions
Define who can view accounts (must have view for all operations)
Define who can delete accounts
Define who can edit accounts
Define who can grant permissions to others to use accounts
Define who can checkout accounts
Define who can login remotely as accounts
Define who can update account passwords
Configuration of service/application password management
Create administrative service account that can rotate passwords for service accounts, and also start and stop the service or task
Create identical account to service account to be managed (including permissions)
If it's a service account, define restrictions for when the service can be restarted
If it's a scheduled task, both service accounts must have the "Log on as a batch job" right
Add identical account, administrative service account, and original service account into managed domain accounts in CPS
Create multiplexed account in CPS, comprised of the two service accounts (identical account and original account)
Add the service (or scheduled task) in CPS as a managed service with managed passwords
Configure permissions for which CPS users can view the service account, force rotate the passwords, etc.
Configuration of database accounts
Add the database accounts - you will need the server, port, and account passwords
Configure permissions for which CPS users can view the database account, force rotate the passwords, etc.
Validation
Test checkout of passwords
Test rotation of passwords
Test login to a Windows system
Test login to a UNIX system
Test login to a network device
If using auditing, verify audit data exists in the Audit Analyzer
Policy configuration
If using policy on login, configure login policy
If using policy on checkout, configure password checkout policy
Test deployed policies
Workflow configuration
Configure view system access for potential requestors
Configure workflow rules to request access to specific accounts on target systems
Use the approvers as previously defined in preparation for workflow
Test workflow - both approval and denial scenarios
If using email approvals, verify email approval notifications are received
Post-configuration
If using PuTTY or local RDP client, CPS users must install the local client remote access kit and enable for themselves