[Labs] Securing Windows Cloud Instances with Centrify - Auto-deploy and Secure with Zoneless MFA

11 April,19 at 11:50 AM

Background

The Centrify Agent for Windows provides organizations with the ability to secure Windows systems.

When combined with Centrify Infrastructure, App or Endpoint Services, this enables MFA in Centrify Apps/Endpoint mode (zoneless) and in Infrastructure Service (zone mode). This article focuses on MFA in Zoneless Mode.

To follow this lab guide, you must be very familiar with IaaS solutions. We will be using AWS as an example.

Building Blocks

We have split the orchestration building blocks into several articles for easier testing and future extensions.

[Image: scenario-zoneless.PNG]

What you'll need (tools/permissions)

  1. An AWS, Azure or GCP Instance
    • Ability to define/modify roles. (e.g. AWS IAM).
    • Ability to launch instances and modify their configuration (e.g. AWS User Data).
    • Ability to host and set ACLs on a web share (e.g. AWS S3).
    • Ability to create a secure parameter (e.g. AWS KMS + Parameter Store).
    • Network layout that allows communication between Active Directory, Centrify Connector(s) and Instances (e.g. AWS Security Groups).
  2. A Centrify Infrastructure Services Instance
    • You should have a Centrify connector running in your target IaaS service provider (e.g. AWS).
    • Ability to create an Enrollment Code for Infrastructure Service.
    • Centrify Agent for Windows (MSI) and Group Policy Deployment (MST) file.
    • A Centrify Infrastructure Services license installed in Active Directory (via Licensing Service).
  3. To Join Active Directory
    • Your IaaS infrastructure must have a hosted or managed Active Directory implementation.
    • You need the credential of a user with delegated access to join systems to Active Directory.
  4. To set up a GPO (one-time/infrequent updates) setting
    • You should have an Active Directory OU and two AD Security groups.
      (e.g. Centrify MFA Users/Centrify MFA Rescue).
    • You should be able to create, scope and link a Group Policy.
    • You should have a secure management station with the Centrify Group Policy Extensions.
    • You should be able to retrieve the IWA Root certificate for the Identity Service platform.

 

Objectives

  • A Windows instance is launched. (e.g. EC2 Windows)
  • The Windows instance retrieves common and secure parameters (e.g. Parameter Store)
  • The system retrieves the MSI package from a central place (e.g. S3 bucket)
  • The system joins Active Directory and restarts.
  • On reboot, the system receives the Group Policy settings.
  • MFA users are challenged on console login, remote login and screen unlock; MFA Rescue Users skip MFA.

Methodology:  We will use the Plan-Do-Check-Adjust methodology.

 

Diagram

[Image: secure-mfa-scenario.png]

Planning Topics

  • What's the Windows system naming convention?  (default or meaningful).
  • How will the PKI certificate be distributed?
  • What functionality is required?  (MFA, Infrastructure Services enrollment, vaulting of local accounts).
  • Interoperability:  Should Windows Credential providers be excluded from the chain?
  • Usability: What will be the grace period for MFA on screen saver unlock?
  • Offline/Safe Mode MFA:  Will this be enabled?  What rescue users will be designated?
  • Communications: depends on the functionality used in your environment. See the network reference here (link).
  • Audit Trail: Should the Centrify events be sent to the SIEM tool?

In our example:

  1. Systems will have the following name in the Centrify Infrastructure Services portal: AWS-[last 10 digits of the InstanceID].
    This is to make sure that we only use 15 characters (legacy NetBIOS limitation).
  2. The system retrieves the Centrify Agent files (MSI and MST files) from a central location (e.g. AWS S3 bucket).
  3. The system uses PowerShell to launch the msiexec installer tool.
  4. The system uses PowerShell to rename itself, add itself to the domain and place itself in a specific OU, then reboots.
  5. The system receives the PKI and MFA settings on reboot.

Tested with:  Centrify Infrastructure Services 18.2, Centrify Agent for Windows 2017.3 (3.4.3-872) and Windows Server 2016.

 

Implementation Overview (for AWS)

Note: steps 1-5 are one-time or very sporadic (tweaks, upgrades).

  1. Retrieve the IWA Trust certificate from your Centrify Platform Instance.
  2. Create a test organizational unit (OU).
  3. Create a GPO and tie it to your test OU.
  4. Configure the Windows GPO Settings.
    • Add the Centrify GPO extensions.
    • Configure PKI trust settings.
  5. Configure the Centrify GPO Settings
    • Platform Instance URL.
    • Enable MFA.
    • Specify which users are required to sign in with MFA.
    • Specify which users are designated for rescue rights.
  6. Configure AWS foundation
    • Encryption Key
    • Parameters
    • S3 Bucket
  7. Review the PowerShell commands
    • Retrieve Parameters
    • Create computer name
    • Retrieve files from S3 bucket
    • Install the software
    • Join Active Directory (and rename)
  8. Verification.

 

I. Retrieve the IWA Trust certificate from your Centrify Platform Instance

  1. Sign in to your instance and navigate to: Admin Portal > Settings > Network > Centrify Connectors, then double-click an active connector for your environment.
  2. Go to the IWA Service tab, and click “Download your IWA root CA certificate”.
    [Image: iwa.png]
  3. Note the location of this file (e.g. Downloads).

II. Create a test organizational unit (OU) and AD Groups.

You will be performing these steps from a secure domain-joined Windows system with Active Directory management tools (e.g. ADUC or PowerShell).

  1. Open Active Directory Users and Computers.
  2. In the proper location in your domain tree, create a new OU and give it a name (e.g. “Deployment”).
  3. Now let's create two Security Groups. In a designated OU, select New > Group. Make sure this is a security group with the proper scope. The names can be something descriptive like "Centrify MFA Users" and "Centrify MFA Rescue Users".
  4. Leave ADUC open for any other future tasks.

III. Create a GPO and tie it to your test OU

You will be performing these steps from a secure domain-joined Windows system with the Group Policy Management console.

  1. Open GPMC, expand your forest and domain, and browse to the newly-created OU.
  2. Right-click the Deployment OU and select “Create a GPO in this domain, and Link it here…”.
    [Image: gpocreate.png]
  3. Set a name for your GPO (e.g. Centrify Settings).
  4. Right-click the newly-created GPO and select Edit (this opens the GPO Editor).
  5. Leave the GPO Editor open.

IV. Configure the Windows GPO Settings

Load the Centrify Group Policy Extensions

  1. In the recently-edited GPO, let's add the Centrify Templates for Windows.
  2. Navigate to Computer Configuration > Policies, right-click Centrify Settings, press “Add/Remove templates” and press the Add button.
  3. Click the centrify_windows_settings XML file and press Open.
    [Image: gpoe-win.png]
    Note:  Each time you upgrade the Centrify consoles, you need to revisit these steps to expose any newly-released GPOs.
  4. Press OK and leave GPOE open.

Establish PKI Trust

  1. In GPOE, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  2. Double-click the Trusted Root Certification Authorities, and in the right pane, right click and select Import.
  3. Browse to the location of the IWA Root Certificate from Section I, and select it.  The certificate in the store should match the tenant that you’ll be using for enrollment.
    [Image: pkitrust.png]
  4. Leave the GPOE open for the next section.

At this point, you have taken care of the basic Windows Group Policies, including loading the templates, and PKI settings.

 

V. Configure the Centrify GPO Settings

Based on our planning, we are going to:

  • Associate the Windows systems to a specific Centrify platform instance
    This is a required setting, established via the Specify the Platform instance URL to use group policy. It has to be populated with the platform URL, e.g. https://example.my.centrify.com
  • Enable MFA at login for all Domain Users
    This is established via 2 GPOs.
    • The first one "turns on" MFA: Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, usually set to "enabled."
    • The second one, Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone), is populated with the users or groups that contain the users to be challenged for MFA.
  • Enable a special group "MFA - Rescue Users" to skip MFA in case of offline or Windows Safe Mode
    This is established via the Specify a list of rescue users (when the agent is not joined to a zone) GPO, which is populated with the users or groups that contain the users allowed to skip MFA (the rescue users).
  • Enable corporate enrollment of Windows 10 systems.
    This is the default behavior; however, it can be disabled via the Common Settings\Disable automatic enable of MDM enrollment policy GPO.

Implementation

  1. In the recently-edited GPO, let's add the Platform URL.
  2. Navigate to Computer Configuration > Policies > Centrify Settings > Windows Settings and expand MFA Settings.
    Note: If you don't see the Windows Settings section, you did not import the templates.
  3. Double-click Specify the platform URL to use, enable it, set it to the URL for your tenant and press OK.
    Make sure you use the default URL, not any of the vanity URLs that your tenant may have. E.g. aab234.my.centrify.com.
    [Image: gpo-url.png]
  4. Double-click Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, set it to Enabled and press OK.
    [Image: gpo-mfa-enable.png]
  5. Double-click the Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone GPO, enable it and add your test users or test AD group(s), then press OK.
    [Image: gpo-mfa-users.png]
  6. Now go to the Common Settings folder and double-click the Specify a list of rescue users (when the agent is not joined to a zone) GPO, enable it and add your rescue users group (e.g. Centrify MFA Rescue Users).
    [Image: gpo-mfa-resc.PNG]
    At this point, you should be done with all Group Policy Editor settings.

 

VI. Configure AWS foundational Tasks

Configure an Encryption Key

  1. Sign-in to your AWS console and go to the IAM Service.
  2. Use these instructions to create an encryption key.
    https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
  3. Once you have the encryption key set up, you must grant a policy that allows decryption. In my environment, I have a key IAM Role called "Centrify-IAM-Role-4EC2" and I have granted it decryption rights. When systems are launched, they are added to this role, which grants the system the ability to decrypt the secure string.
  4. Return to the EC2 service.

Set up Parameters

  1. Sign in to your AWS console and navigate to: Services > EC2 > Systems Manager Shared Resources > Parameter Store
  2. Click Create Parameter and create the following parameters:

    Name      Type          Value
    domain    String        Name of our Active Directory domain, e.g. corp.contoso.com
    ipdns1    String        IP address of your domain controller in AWS, e.g. 172.31.14.16
    ipdns2    String        IP address of your second domain controller in AWS, e.g. 172.31.20.24
    user      String        User name for joining the system to Active Directory, e.g. CORP\ad-joiner.
                            Ideally this is a user with delegated access (not a permanent member of attractive groups).
                            If you need to know how to delegate the right to join a domain, click here.
    user-pw   SecureString  Password for the joining user. You have to specify a KMS ID and Value.
    oupath    String        The Distinguished Name for the OU used for Deployment, e.g. "OU=Deployment,DC=example,DC=com"
    s3bucket  String        The S3 bucket name
    msikey    String        The key (name) of the Centrify Agent for Windows MSI file in the S3 bucket
    mstkey    String        The key (name) of the Centrify Agent for Windows MST file in the S3 bucket
  3. Now open the S3 service.
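The same parameters can be created from the management station with the AWS Tools for PowerShell instead of the console. The script below is an added example, not part of the original article; every value in it is a placeholder for your own environment, and $kmsKeyId stands for the key created in the previous section. It also shows the one choice that matters for security here: the join password goes in as a SecureString tied to that key, never as a plain String.

```powershell
# Added example (not from the original article): create the onboarding parameters
# with the AWS Tools for PowerShell. All values are placeholders.
$kmsKeyId = '00000000-0000-0000-0000-000000000000'   # placeholder: KMS key from section VI

# Plain String parameters: none of these is a secret.
$plain = [ordered]@{
    domain   = 'corp.contoso.com'
    ipdns1   = '172.31.14.16'
    ipdns2   = '172.31.20.24'
    user     = 'CORP\ad-joiner'
    oupath   = 'OU=Deployment,DC=corp,DC=contoso,DC=com'
    s3bucket = 'my-centrify-bucket'                       # placeholder bucket name
    msikey   = 'Centrify-Agent-for-Windows.msi'           # placeholder object key
    mstkey   = 'Group-Policy-Deployment.mst'              # placeholder object key
}
foreach ($name in $plain.Keys) {
    Write-SSMParameter -Name $name -Type String -Value $plain[$name] -Overwrite $true
}

# The join password must not be stored as a String. SecureString encrypts the value
# with the KMS key, so only principals allowed kms:Decrypt on that key (the EC2 role)
# can read it back with -WithDecryption.
$joinPassword = Read-Host -Prompt 'Password for CORP\ad-joiner' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($joinPassword)
try {
    $plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Write-SSMParameter -Name 'user-pw' -Type SecureString -Value $plainPw -KeyId $kmsKeyId -Overwrite $true
}
finally {
    # Do not leave the clear-text password in memory longer than needed.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plainPw -ErrorAction SilentlyContinue
}

# Check: the secret must have been stored as SecureString. Without -WithDecryption
# the value that comes back is ciphertext, which is what we want to see.
$stored = (Get-SSMParameterValue -Name 'user-pw').Parameters[0]
if ("$($stored.Type)" -ne 'SecureString') { throw "user-pw was stored as $($stored.Type), expected SecureString" }
```

Run it once from the management station with a session that has ssm:PutParameter and kms:Encrypt on the key; the EC2 instances themselves only need read and decrypt rights.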

Create, Populate and Permission your S3 Bucket

  1. If you need to learn how to create S3 buckets, click here.
  2. Add the Centrify Agent for Windows MSI and Group Policy Deployment MST files to your bucket.
    [Image: centri-bucket-dzwin.PNG]
  3. Set the permissions for your EC2 role (e.g. Centrify-IAM-Role-4EC2) so it can read the files (or the whole bucket).
    For instructions on how to grant an IAM role access to an S3 bucket, click here.
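The decryption right from the encryption key section and the S3 read right from this section can be granted together as one least-privilege inline policy on the EC2 role. The script below is an added example, not the article's own configuration: the role name is the one the article uses, while the region, account id, KMS key id and bucket name are placeholders. It limits the role to exactly the nine parameters, the one key and the one bucket the User Data script touches.

```powershell
# Added example (not from the original article): attach a least-privilege inline
# policy to the EC2 instance role. Assumes the AWS Tools for PowerShell and a
# session with IAM rights; region, account, key id and bucket are placeholders.
$roleName  = 'Centrify-IAM-Role-4EC2'                    # role name from the article
$region    = 'us-east-1'                                 # placeholder
$accountId = '123456789012'                              # placeholder
$kmsKeyId  = '00000000-0000-0000-0000-000000000000'      # placeholder: key from section VI
$bucket    = 'my-centrify-bucket'                        # placeholder: value of the s3bucket parameter

# Only the parameters the onboarding script reads (Get-SSMParameterValue calls GetParameters).
$paramArns = @('domain','ipdns1','ipdns2','user','user-pw','oupath','s3bucket','msikey','mstkey') |
    ForEach-Object { "arn:aws:ssm:${region}:${accountId}:parameter/$_" }

$policy = [ordered]@{
    Version   = '2012-10-17'
    Statement = @(
        @{  Sid      = 'ReadOnboardingParameters'
            Effect   = 'Allow'
            Action   = @('ssm:GetParameter', 'ssm:GetParameters')
            Resource = $paramArns },
        @{  Sid      = 'DecryptJoinPassword'
            Effect   = 'Allow'
            Action   = 'kms:Decrypt'                     # decrypt only; the role never encrypts
            Resource = "arn:aws:kms:${region}:${accountId}:key/$kmsKeyId" },
        @{  Sid      = 'ReadInstallerFiles'
            Effect   = 'Allow'
            Action   = 's3:GetObject'                    # read objects, no listing or writing
            Resource = "arn:aws:s3:::$bucket/*" }
    )
} | ConvertTo-Json -Depth 5

Write-IAMRolePolicy -RoleName $roleName -PolicyName 'CentrifyOnboarding' -PolicyDocument $policy

# Check: the policy is attached to the role under the expected name.
$attached = Get-IAMRolePolicyList -RoleName $roleName
if ($attached -notcontains 'CentrifyOnboarding') { throw "Policy was not attached to $roleName" }
```

If the KMS key uses a key policy rather than IAM grants, the role must also appear in the key policy, otherwise kms:Decrypt is denied regardless of this document.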

VII. Construct the PowerShell to onboard the System

  • Define and retrieve the first batch of variables/parameters
    # Instance ID from the EC2 metadata service (AWS Tools for PowerShell)
    $instid = Get-EC2InstanceMetadata -Category InstanceId
    # "awsi" + the last 11 characters of the instance ID = 15 characters, the NetBIOS name limit
    $system_name = "awsi" + $instid.Substring($instid.Length - 11)
    # Plain parameters from Parameter Store (see section VI)
    $domain = (Get-SSMParameterValue -Name domain).Parameters[0].Value
    $ipdns1 = (Get-SSMParameterValue -Name ipdns1).Parameters[0].Value
    $ipdns2 = (Get-SSMParameterValue -Name ipdns2).Parameters[0].Value
    $username = (Get-SSMParameterValue -Name user).Parameters[0].Value
    # The join password is a SecureString parameter, decrypted through KMS by the instance role
    $password = (Get-SSMParameterValue -Name user-pw -WithDecryption $True).Parameters[0].Value | ConvertTo-SecureString -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    $oupath = (Get-SSMParameterValue -Name oupath).Parameters[0].Value
    $msikey = (Get-SSMParameterValue -Name msikey).Parameters[0].Value
    $mstkey = (Get-SSMParameterValue -Name mstkey).Parameters[0].Value
    $s3bucket = (Get-SSMParameterValue -Name s3bucket).Parameters[0].Value
    # Download the installer (MSI) and the transform (MST); Read-S3Object returns the FileInfo of each file
    $file = Read-S3Object -BucketName $s3bucket -Key $msikey -File $msikey
    $mst = Read-S3Object -BucketName $s3bucket -Key $mstkey -File centrify.mst
    Note that we download the Centrify installation files (MSI/MST) directly ($file, $mst). We now have all the parameters needed for each transaction.
  • Set up DNS name resolution for the domain
    # Point the instance at the domain controllers so the domain name resolves before the join
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet 2" -ServerAddresses $ipdns1, $ipdns2
    Note that the interface alias is "Ethernet" on Windows Server 2012R2 and "Ethernet 2" on Windows Server 2016.
  • Install Centrify Agent for Windows using PowerShell and msiexec.
    $DataStamp = Get-Date -Format yyyyMMddTHHmmss
    $logFile = '{0}-{1}.log' -f $file.FullName, $DataStamp
    $MSIArguments = @(
        "/i"
        ('"{0}"' -f $file.FullName)              # package path, quoted in case of spaces
        "/qn"                                    # silent install
        "/norestart"                             # the reboot happens after the domain join
        ('/l "{0}"' -f $logFile)                 # install log
        ('TRANSFORMS="{0}"' -f $mst.FullName)    # MSI property: no leading slash, or msiexec rejects the command line
    )

    Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow
    At this point, the client should be installed.
  • Now, let's rename the system and join it to Active Directory.
    Rename-Computer -NewName $system_name -Force
    # Give the rename a moment to settle before the join; JoinWithNewName uses the new name
    Start-Sleep -Seconds 5
    Add-Computer -DomainName $domain -Credential $credential -OUPath $oupath -Options JoinWithNewName,AccountCreate -Restart -Force
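The four steps above combined into one User Data script, as an added example that is not the article's own script. It adds the checks an unattended run needs: every parameter is verified non-empty before anything is changed, the domain must resolve through the configured DNS servers before the join, and the msiexec exit code is checked so a failed install does not end in a domain-joined system without the agent. It assumes the AWS Tools for PowerShell are on the AMI, the parameter names from section VI, and the "Ethernet 2" alias of Windows Server 2016.

```powershell
# Added example (not the article's own script): onboarding steps with checks and a log.
# Assumptions: AWS Tools for PowerShell present; parameter names as in section VI;
# 'Ethernet 2' is the adapter alias on Windows Server 2016 ('Ethernet' on 2012R2).
$ErrorActionPreference = 'Stop'
$log = 'C:\Windows\Temp\centrify-onboard.log'
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Out-File -FilePath $log -Append }

try {
    # 1. Parameters. Fail early if any is missing rather than joining with blanks.
    $names = 'domain', 'ipdns1', 'ipdns2', 'user', 'oupath', 's3bucket', 'msikey', 'mstkey'
    $p = @{}
    foreach ($n in $names) {
        $v = (Get-SSMParameterValue -Name $n).Parameters[0].Value
        if ([string]::IsNullOrWhiteSpace($v)) { throw "Parameter '$n' is empty or missing" }
        $p[$n] = $v
    }
    $pw = (Get-SSMParameterValue -Name 'user-pw' -WithDecryption $true).Parameters[0].Value |
          ConvertTo-SecureString -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($p.user, $pw)

    # 2. Computer name: 'awsi' + last 11 characters of the instance id = 15 characters (NetBIOS limit).
    $instid = Get-EC2InstanceMetadata -Category InstanceId
    $systemName = 'awsi' + $instid.Substring($instid.Length - 11)
    if ($systemName.Length -gt 15) { throw "Computer name '$systemName' exceeds 15 characters" }

    # 3. DNS must point at the domain controllers, and the domain must resolve, before the join.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet 2' -ServerAddresses $p.ipdns1, $p.ipdns2
    if (-not (Resolve-DnsName -Name $p.domain -Type A -ErrorAction SilentlyContinue)) {
        throw "Cannot resolve domain $($p.domain) via $($p.ipdns1)/$($p.ipdns2)"
    }

    # 4. Installer files from S3 into a scratch directory.
    $dir = Join-Path $env:TEMP 'centrify'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $msi = Read-S3Object -BucketName $p.s3bucket -Key $p.msikey -File (Join-Path $dir 'agent.msi')
    $mst = Read-S3Object -BucketName $p.s3bucket -Key $p.mstkey -File (Join-Path $dir 'centrify.mst')

    # 5. Silent install. msiexec properties such as TRANSFORMS carry no leading slash.
    $msiLog = Join-Path $dir ('install-{0}.log' -f (Get-Date -Format yyyyMMddTHHmmss))
    $msiArgs = @('/i', ('"{0}"' -f $msi.FullName), '/qn', '/norestart',
                 '/l*v', ('"{0}"' -f $msiLog), ('TRANSFORMS="{0}"' -f $mst.FullName))
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -NoNewWindow -PassThru
    # 0 = success, 3010 = success but reboot required (the join reboots anyway)
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode); see $msiLog" }
    Write-Log "Agent installed (exit $($proc.ExitCode))"

    # 6. Rename, join into the deployment OU and reboot so the GPO (PKI trust, MFA) applies.
    Rename-Computer -NewName $systemName -Force
    Start-Sleep -Seconds 5
    Write-Log "Joining $($p.domain) as $systemName into $($p.oupath)"
    Add-Computer -DomainName $p.domain -Credential $cred -OUPath $p.oupath -Options JoinWithNewName, AccountCreate -Restart -Force
}
catch {
    Write-Log "ONBOARDING FAILED: $_"
    throw
}
```

Paste the body between the <powershell> tags of the EC2 User Data field; the log in C:\Windows\Temp is what you read first when an instance comes up but never appears in the Deployment OU.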
 
VIII. Considerations for Instance Termination

Before terminating the instance:

  • The system should be removed from Active Directory (Remove-Computer), so no stale computer account is left behind.
  • In time, AWS removes the terminated instance from the EC2 instance list.
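The unjoin step, as an added example that is not part of the original article. It reuses the delegated join credential from Parameter Store so no second privileged account is needed, and it checks that the instance is actually domain-joined before calling Remove-Computer. It assumes it runs on the instance with the same IAM role (ssm:GetParameters and kms:Decrypt on user-pw).

```powershell
# Added example (not from the original article): unjoin the instance before termination.
# Assumes it runs on the instance itself with the onboarding IAM role still attached.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "$($cs.Name) is not domain-joined; nothing to remove."
    return
}

# Same delegated account used for the join; its rights end at the computer object.
$username = (Get-SSMParameterValue -Name user).Parameters[0].Value
$password = (Get-SSMParameterValue -Name user-pw -WithDecryption $true).Parameters[0].Value |
            ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $password)

# Remove-Computer disables the computer account in AD and moves the host to a workgroup.
# -PassThru returns the change record so the caller can confirm HasSucceeded before terminating.
$result = Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -PassThru
if (-not $result.HasSucceeded) { throw "Unjoin of $($cs.Name) from $($cs.Domain) failed" }
Write-Output "$($cs.Name) left $($cs.Domain); the disabled computer object can now be deleted from the Deployment OU."
```

Delete the disabled object afterwards from the management station (for example with Get-ADComputer piped to Remove-ADObject), so the OU shows only live instances.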

 

Testing (verifying) the implementation

Here are the high-level steps to start your testing.

  1. Launch an EC2 Windows Instance.
    [Image: launch.PNG]
  2. In the configuration tab, make sure you add it to your IAM role (the one that is granted access to retrieve parameters, decrypt and read the S3 bucket).
    [Image: config1.PNG]
  3. Paste the contents of your PowerShell script in the User Data field between [script-goes-here].
    [Image: config2.PNG]
  4. Continue launching your system normally.

Test Matrix

Test Name: Domain Join
Test Steps:
  1. Connect to the EC2 instance with an Active Directory user that is part of the Remote Desktop Users group.
Expected Result: The user is able to log in.

Test Name: Configuration and Rescue User test
Test Steps:
  1. Log in with a user from the Centrify MFA Rescue Users group.
  2. You will not be challenged for MFA.
  3. Open the Agent Configuration application.
    [Image: caw-cip.PNG]
Expected Result: You should have the "Centrify Identity Platform" set up and enabled.

Test Name: MFA Tests (console, remote and screen unlock)
Test Steps:
  1. Log off your Windows system.
  2. Attempt login with a user from the "Centrify MFA Users" group.
  3. Attempt login via RDP (if enabled).
  4. Lock your station (Windows + L).
Expected Result: The user should be challenged for MFA in all 3 instances.

Test Name: MFA Test (offline)
Test Steps:
  1. As an MFA user, make sure you set up an offline passcode for the system.
  2. Disable network communication with the outside world (this way the system can't reach the Centrify instance).
  3. Attempt login.
Expected Result: You should be prompted for the offline passcode and, if satisfied, log in successfully.

Test Name: Audit Trail
Test Steps:
  1. Log into your test system.
  2. Open the Event Viewer application.
  3. Navigate to the Application Log.
  4. Search for Centrify Audit Trail V2 source events.
Expected Result: All MFA events are reported.
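The Audit Trail check can be scripted so the same query runs after every test pass, or feeds a SIEM collector. The script below is an added example, not part of the original article. Its one assumption is the provider name: the filter must use the exact Source string shown in Event Viewer on your agent, which the article gives as "Centrify Audit Trail V2".

```powershell
# Added example (not from the original article): list the Centrify Audit Trail events
# from the Application log for the last N hours and summarise the MFA-related ones.
# Assumption: $provider must equal the Source column Event Viewer shows for the agent.
param([int]$Hours = 24)
$provider = 'Centrify Audit Trail V2'   # adjust to the exact source name on your agent

$filter = @{
    LogName      = 'Application'
    ProviderName = $provider
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No '$provider' events in the last $Hours h: is the agent installed and MFA enabled?"
    return
}

# Count per event id: a console login, an RDP login and a screen unlock by an MFA user
# should each leave a challenge event, while a rescue user login should leave none.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# First line of each MFA-related message, newest first, for a quick read of who was challenged.
$events | Where-Object { $_.Message -match 'MFA|multi-factor|multifactor' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Run it as .\Get-CentrifyAudit.ps1 -Hours 2 right after the MFA test cases; an MFA user whose login left no challenge event is the finding to chase before the system goes into production.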
