This week we've made available our new version of Centrify Server Suite 2017 and like any new release it's packed with new capabilities, features and bug fixes. This post will allow you to explore what's new in this release and what are the some key planning considerations for successful deployment.
What's new on Server Suite 2017
- Kerberos Library Upgrade: In this release, Kerberos libraries have been upgraded to MIT 5-1.14.1.
- Flexible Authentication Secure Tunneling (FAST): Also known as Kerberos armoring, secures pre-authentication traffic and protects KDCs from error spoofing.
- This upgrade allows support for Smart Cards using AES-256 encryption. Centrify has tested with Oberthur ID One 128 v5.5 Dual SHA256 and G&D FIPS 201 SCE 3.2 SHA256 Cards.
Flexible open-source packaging
- Centrify DirectControl has leveraged OSS packages (OpenLDAP, cURL and OpenSSL); in versions prior to 2017 updating these packages required a re-spin of the whole suite (in all supported platforms)
- Starting with CSS 2017 (DirectControl 5.4) the packages for cURL, OpenSSL and OpenLDAP are independent and can be separately updated, this will allow for faster response to any CVEs that apply to those components.
- Implemented transaction control for LRPC2, this provides security improvements over heavy load. Requires that both DirectControl and DirectAudit are upgraded.
- MFA: Since Centrify Identity Service version 16.10 the IWA negotiations happen over SSL. This means that either Enterprise CA, Public CA or IWA root certificate trust must be established for Centrify Multi-factor Authentication to be successful.
Centrify Report Services
- New Operation Mode (zone mode): The first release of report services works in "domain mode" this means that the "Replicating Directory Changes" delegation was required. Now in this mode, only delegations at the zones container is needed, keeping the scope of the information sent to report services only to Centrify data.
- Report options: include the ability not to generate charts as well as reports for local users.
- SSHv1 is no longer supported.
- AIX: The LAM version of Centrify-enhanced OpenSSH is no longer shipped. This is because supported versions of AIX ship with PAM enabled.
Introducing Centrify Licensing Service
- Customers are asking to provide more efficient and proactive licence capacity and usage and many are asking for elastic licensing to support public cloud workloads.
- Centrify Licensing Service (v1) targets perpetual licensing and provides mechanisms for streamlined capacity, inventory and notification.
- CLS requires a highly-available Windows server that runs the licensing service (this does not have to be a dedicated server)
LDAP Proxy performance enhancements
- The LDAP Proxy now implements new caching mechanisms (at the server auth and client) that can result in performance increases.
Centrify Agent for Windows™
- MFA: Supported at login (console, RDP, screensaver unlock) in two modes: zone mode and zoneless mode. Zoneless mode requires a Centrify Identity Service device license.
- Support for both MFA at login and with privilege elevation (desktop, applications) is exclusive to zone mode (requires Standard Edition license)
- Just like UNIX/Linux MFA, requires IWA over SSL, this means that Enterprise, Public or IWA root cert trust must be planned and implemented.
- Application Manager: This application can be assigned to a role to allow Add/remove of Windows programs
- Feature Manager: This application can be assigned to a role to allow for Windows feature management
- Compiled with libaudit support (system call monitoring at the Kernel level) on RHEL and derivatives (more platforms coming in the next releases)
- DirectAudit is now able to monitor file changes on /etc/, /var/centrifydc and /var/centrifyda
- DirectAudit is now able to audit commands run inside scripts
- DirectAudit is now able to monitor for specific command executions.
- Amazon Linux AMI
- CentOS 6.8 (x86, x86_64)
- CentOS 7.3 (x86_64)
- Debian Linux 7.1, 8.5-8.7 (x86, x86_64)
- Fedora 24, 25 (x86, x86_64)
- Mac 10.12 (x86_64)
- Oracle Linux 6.8 (x86, x86_64)
- Oracle Linux 7.3 (x86_64)
- Red Hat Enterprise Linux 6.8 (x86, x86_64)
- Red Hat Enterprise Linux 7.1, 7.2, 7.3 (ppc64le)
- Red Hat Enterprise Linux 7.2 (zLinux) on Standard Edition
- Red Hat Enterprise Linux 7.3 (x86_64)
- Red Hat Enterprise Linux 7.3 (ppc64)
- SUSE 12 (ppc64le)
- Ubuntu 16.10 (x86, x86_64)
- Fedora 21
- Mac 10.9
- OpenSUSE 13.1
- SUSE Linux Enterprise 10.x
- Ubuntu 15.04, 15.10
Component Version Upgrades
- Centrify-enhanced OpenSSH is now based on OpenSSH 7.3p1
- Centrify-enhanced sudo (dzdo) is now based on sudo 1.8.17p1
- Centrify-curl is based on libcurl version 7.51.0
- Centrify-openssl is upgraded to version 1.0.2j
- Centrify PuTTY is upgraded to version 0.67
Planning tips for Server Suite 2017
- As recommended, read the release notes and upgrade guide.
- Even if you don't plan to update your clients right away, you can upgrade your consoles and group policy templates.
- This is a major release and all components must be upgraded: DirectControl, DirectAudit (agents/collectors/database), this is because:
- Kerberos upgrade
- New LRPC2 transaction protocol
- New Open-source packaging
- OpenSSL upgrade
- Plan for Centrify Licensing Service - have the service installed on one or two highly-available windows servers. Have your technical and procurement leads in the notification lists and designate a thresold to get proactively sent deployment reports.
- Due to the new DirectControl packaging, plan to update your DevOps recipes/cookbooks (Chef, Puppet, Ansible, etc)
Tip: adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation.
- If you're using Centrify-enhanced OpenSSH on AIX platforms, plan phase out unsupported versions or to migrate and test existing PAM support; this is because we no longer ship a LAM version.
- SmartCard: RC4 and DES are no longer supported; this means you have to plan to upgrade to AES-128 or AES-256 to ensure compatibility.
- Leverage the Centrify Repo for quick updates on RPM, APT or Zypper-compatible distributions.
- The new capabilities of DirectAudit (config file monitoring, monitored execution, etc) are not turned on by default. You have to turn on the event.execution.monitor and event.monitor.commands parameters in the /etc/centrifyda/centrifyda.conf file. Make sure you do a baseline analysis first.
- Hybrid-cloud support: remember that you can use Server Suite in your AWS, Azure or GCP deployments and that Centrify provides unique support for complex AD scenarior like one-way trusts, RODC and now Kerberos Armoring.
Conclusion - It's all about value
- With each release of Server Suite, Centrify adds more new capabilities that ensure alighment with security practices and regulations and operational efficiency.
- You have to learn to spot issues with your current deployment like:
- Challenging management due to a large number of zones: this may mean that your implementation is following outdated practices. Back in 2010 Centrify introduced Hierarchical zones, this allows for better administration, privilege management and a reduced number of zones.
- Not leveraging privilege management: Authentication was the problem 10 years ago. Now you're faced with multi-platform attestation, conformance with MFA requirements, etc. These are all parts of the product that you own.
- Not getting the proper "insight": Centrify Report Services and the integrations with Splunk, ARCSight and QRadar are the best ways to understand what's happenning in your Centrify deployment today.
Check out this article series to see the insights you should be getting: http://community.centrify.com/t5/TechBlog/Security-Corner-Reviewing-your-Access-and-Privilege-Management/ba-p/26966
- Cognitive gaps: If you or your team feel that have inherited a Centrify deployment and don't have the proper training, let your reps know and they'll take care of that.
- For an article discussing what do if you inherited a Centrify infrastructure, go here: http://community.centrify.com/t5/TechBlog/10-Tips-I-Inherited-a-Centrify-Server-Suite-Deployment-What-s/ba-p/23891
Expect some in-depth articles on some of the newest features of this release.