Background
The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems.
When combined with Centrify Infrastructure, App or Endpoint Services, this enables MFA with Centrify Apps/Endpoint mode (zoneless) and with Infrastructure Service (zone mode). This article focuses on MFA in Zoneless Mode.
To follow this lab guide, you must be very familiar with IaaS solutions. We will be using AWS as an example.
Building Blocks
We have split the orchestration building blocks into several articles for easier testing and future extensions.
Recommended Reading
What you'll need (tools/permissions)
- An AWS, Azure or GCP Instance
- Ability to define/modify roles. (e.g. AWS IAM).
- Ability to launch instances and modify their configuration (e.g. AWS User Data).
- Ability to host and set ACLs on a web share (e.g. AWS S3).
- Ability to create a secure parameter (e.g. AWS KMS + Parameter Store).
- Network layout that allows communication between Active Directory, Centrify Connector(s) and Instances (e.g. AWS Security Groups).
- A Centrify Infrastructure Services Instance
- You should have a Centrify connector running in your target IaaS service provider (e.g. AWS).
- Ability to create an Enrollment Code for Infrastructure Service.
- Centrify Agent for Windows (MSI) and Group Policy Deployment (MST) file.
- A Centrify Infrastructure Services license installed in Active Directory (via Licensing Service).
- To Join Active Directory
- Your IaaS infrastructure must have a hosted or managed Active Directory implementation.
- You need the credential of a user with delegated access to join systems to Active Directory.
- To set up a GPO (one-time/infrequent updates) setting
- You should have an Active Directory OU and two AD Security groups (e.g. Centrify MFA Users/Centrify MFA Rescue).
- You should be able to create, scope and link a Group Policy.
- You should have a secure management station with the Centrify Group Policy Extensions.
- You should be able to retrieve the IWA Root certificate for Identity Service platform.
Objectives
- A Windows instance is launched. (e.g. EC2 Windows)
- The Windows instance retrieves common and secure parameters (e.g. Parameter Store)
- The system retrieves the MSI package from a central place (e.g. S3 bucket)
- The system joins Active Directory and restarts.
- On reboot, the system receives the Group Policy settings.
- MFA users will be challenged at console login, remote login or screen unlock, and MFA Rescue Users will skip MFA.
Methodology: We will use the Plan-Do-Check-Adjust methodology.
Diagram

Planning Topics
- What's the Windows system naming convention? (default or meaningful).
- How will the PKI certificate be distributed?
- What functionality is required? (MFA, Infrastructure Services enrollment, vaulting of local accounts).
- Interoperability: Should Windows Credential providers be excluded from the chain?
- Usability: What will be the grace period for MFA on screen saver unlock?
- Offline/Safe Mode MFA: Will this be enabled? What rescue users will be designated?
- Communications: Depends on functionality or usage in your environment. See network reference here (link).
- Audit Trail: Should the Centrify events be sent to the SIEM tool?
In our example:
- Systems will have the following name in the Centrify Infrastructure Services portal: AWS-[last 10 digits of InstanceID]. This is to make sure that we only use 15 characters (legacy NetBIOS limitation).
- The system retrieves the Centrify Agent files (MSI and MST) from a central location (e.g. AWS S3 bucket).
- The system uses PowerShell to launch the msiexec installer tool.
- The system uses PowerShell to rename, add to the domain and place the system in a specific OU, then reboots.
- The system receives the PKI and MFA settings on reboot.
Tested with: Centrify Infrastructure Services 18.2, Centrify Agent for Windows™ 2017.3 (3.4.3-872) and Windows Server 2016.
Implementation Overview (for AWS)
Note: all these steps 1-5 are one-time or very sporadic for tweaks, upgrades.
- Retrieve the IWA Trust certificate from your Centrify Platform Instance.
- Create a test organizational unit (OU).
- Create a GPO and tie it to your test OU.
- Configure the Windows GPO Settings.
- Add the Centrify GPO extensions.
- Configure PKI trust settings.
- Configure the Centrify GPO Settings
- Platform Instance URL.
- Enable MFA.
- Specifying which users are required to sign-in with MFA.
- Specifying which users will be designated for rescue rights.
- Configure AWS foundation
- Encryption Key
- Parameters
- S3 Bucket
- Review the PowerShell commands
- Retrieve Parameters
- Create computer name
- Retrieve files from S3 bucket
- Install the software
- Join Active Directory (and rename)
- Verification.
I. Retrieve the IWA Trust certificate from your Centrify Platform Instance
- Sign in to your instance and navigate to: Admin Portal > Settings > Network > Centrify Connectors, then double-click an active connector for your environment.
- Go to the IWA Service tab, and click “Download your IWA root CA certificate.”
- Note the location of this file (e.g. downloads).
II. Create a test organizational unit (OU) and AD Groups.
You will be performing these steps from a secure domain-joined Windows system with Active Directory management tools (e.g. ADUC or PowerShell).
- Open Active Directory Users and Computers.
- In the proper location in your domain tree, create a new OU, and give it a name (e.g. “Deployment”)
- Now let's create two Security Groups. In a designated OU, select New > Group. Make sure this is a security group with the proper scope. The names can be something descriptive like "Centrify MFA Users." and "Centrify MFA Rescue Users."
- Leave ADUC open for any other future tasks.
III. Create a GPO and tie it to your test OU
You will be performing these steps from a secure domain-joined Windows system with the Group Policy Management console.
- Open GPMC and expand your forest, domain and browse to the newly-created OU
- Right click the Deployment OU and select “Create a GPO in this domain, and Link it here…”
- Set a name for your GPO (e.g. Centrify Settings).
- Right-click the newly-created GPO and select Edit. (Opens the GPO Editor).
- Leave the GPO Editor open.
IV. Configure the Windows GPO Settings
Load the Centrify Group Policy Extensions
- In the recently-edited GPO, let's add the Centrify Templates for Windows.
- Navigate to Computer Configuration > Policies, right-click Centrify Settings, press “Add/Remove templates” and press the Add button.
- Click the centrify_windows_settings XML file and press Open.
Note: Each time you upgrade the Centrify consoles, you need to revisit these steps to expose any newly-released GPOs.
- Press OK and leave GPOE open.
Establish PKI Trust
- In GPOE, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
- Double-click the Trusted Root Certification Authorities, and in the right pane, right click and select Import.
- Browse to the location of the IWA Root Certificate from Section I, and select it. The certificate in the store should match the tenant that you’ll be using for enrollment.
- Leave the GPOE open for the next section.
At this point, you have taken care of the basic Windows Group Policies, including loading the templates, and PKI settings.
V. Configure the Centrify GPO Settings
Based on our planning, we are going to:
- Associate the Windows systems to a specific Centrify platform instance
This is a required setting, established via the "Specify the Platform instance URL to use" group policy, which must be populated with the platform URL (e.g. https://example.my.centrify.com).
- Enable MFA at login for all Domain Users
This is established via 2 GPOs.
- The first one "turns on" MFA: "Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone", usually set to "enabled."
- The second one, "Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone)", is populated with the users, or groups that contain the users, to be challenged for MFA.
- Enable a special group "MFA - Rescue Users" to skip MFA in case of offline or Windows Safe Mode
This is established via the "Specify a list of rescue users (when the agent is not joined to a zone)" policy, which is populated with the users, or groups that contain the users, designated as rescue users who skip MFA.
- Enable corporate enrollment of Windows 10 systems.
This is the default behavior, however it can be disabled via the Common Settings\Disable automatic enable of MDM enrollment policy GPO.
Implementation
- In the recently-edited GPO, let's add the Platform URL.
- Navigate to Computer Configuration > Policies > Centrify Settings > Windows Settings and expand MFA Settings.
Note: If you don't see the Windows Settings section, you did not import the templates.
- Double-click Specify the platform URL to use, enable it and set it to the URL for your tenant and press OK.
Make sure you use the default URL, not any of the vanity URLs that your tenant may have. E.g. aab234.my.centrify.com.
- Double click the: Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, set it to enabled and press OK.
- Double click the: Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone GPO, enable it and add your test users or test AD group(s), then press OK.
- Now go to the Common Settings folder and Double click the: Specify a list of rescue users (when the agent is not joined to a zone) GPO, enable it and add your rescue users group (e.g. Centrify MFA Rescue Users).
At this point, you should be done with all Group Policy Editor Settings.
VI. Configure AWS foundational Tasks
Configure an Encryption Key
- Sign-in to your AWS console and go to the IAM Service.
- Use these instructions to create an encryption key.
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
- Once you have the encryption key set up, you must grant a policy that allows decryption. In my environment, I have an IAM Role called "Centrify-IAM-Role-4EC2" and I have granted it decryption rights. When systems are launched, they are added to this role, which grants the system the ability to decrypt the secure string.
- Return to the EC2 service.
Set up Parameters
- Sign in to your AWS console and navigate to: Services > EC2 > Systems Manager Shared Resources > Parameter Store
- Click Create Parameter and create the following parameters (these are the names the onboarding PowerShell script below reads: domain, ipdns1, ipdns2, user, user-pw as a SecureString encrypted with the key above, oupath, msikey, mstkey and s3bucket):
- Now open the S3 service.
Create, Populate and Permission your S3 Bucket
- If you need to learn how to create S3 buckets, refer to the AWS documentation.
- Add the Centrify Agent for Windows MSI and Group Policy Deployment MST files to your bucket.

- Set the permissions for your EC2 role (e.g. Centrify-IAM-Role-4EC2) so it can read the files (or the whole bucket).
For instructions on how to grant an IAM role access to an S3 bucket, refer to the AWS documentation.
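The bucket, parameter and key permissions above can be granted to the EC2 role as one least-privilege inline policy. This is an added example (not from the original article); the region, account id, key id and bucket name are placeholders, and the parameter names are the ones the onboarding script reads. It uses the AWS Tools for PowerShell from a management station, not from the instance.

```powershell
# Added example: scope the EC2 instance role to exactly what onboarding needs.
# All values below are assumptions/placeholders; replace them with your own.
$region  = "us-east-1"                 # assumption
$account = "123456789012"              # placeholder account id
$keyId   = "REPLACE-WITH-KMS-KEY-ID"   # key created in "Configure an Encryption Key"
$bucket  = "centrify-agent-files"      # assumption: bucket holding the MSI/MST
$params  = @("domain","ipdns1","ipdns2","user","user-pw","oupath","msikey","mstkey","s3bucket")
$paramArns = $params | ForEach-Object { "arn:aws:ssm:${region}:${account}:parameter/$_" }

$policy = @{
  Version   = "2012-10-17"
  Statement = @(
    # Get-SSMParameterValue calls GetParameters, so allow both read actions on only these names
    @{ Sid = "ReadOnboardingParameters"; Effect = "Allow"
       Action = @("ssm:GetParameter","ssm:GetParameters"); Resource = $paramArns },
    # Needed for -WithDecryption on the user-pw SecureString
    @{ Sid = "DecryptSecureStrings"; Effect = "Allow"
       Action = "kms:Decrypt"; Resource = "arn:aws:kms:${region}:${account}:key/${keyId}" },
    # Read-only on the objects in the bucket; no list/write rights
    @{ Sid = "ReadAgentFiles"; Effect = "Allow"
       Action = "s3:GetObject"; Resource = "arn:aws:s3:::${bucket}/*" }
  )
} | ConvertTo-Json -Depth 5

# Attach as an inline policy to the role the instances are launched with
Write-IAMRolePolicy -RoleName "Centrify-IAM-Role-4EC2" -PolicyName "CentrifyOnboarding" -PolicyDocument $policy
```

Anything else attached to that role (for example a broad managed policy) widens what a compromised instance can reach, so keep this the only grant.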
VII. Construct the PowerShell to onboard the System
- Define and retrieve the first batch of variables/parameters
$instid = Get-EC2InstanceMetadata -Category InstanceID
$system_name = "awsi"+($instid).Substring($instid.Length - 11)
$domain = (Get-SSMParameterValue -Name domain).Parameters[0].Value
$ipdns1 = (Get-SSMParameterValue -Name ipdns1).Parameters[0].Value
$ipdns2 = (Get-SSMParameterValue -Name ipdns2).Parameters[0].Value
$username = (Get-SSMParameterValue -Name user).Parameters[0].Value
$password = (Get-SSMParameterValue -Name user-pw -WithDecryption $True).Parameters[0].Value | ConvertTo-SecureString -asPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
$oupath = (Get-SSMParameterValue -Name oupath).Parameters[0].Value
$msikey = (Get-SSMParameterValue -Name msikey).Parameters[0].Value
$mstkey = (Get-SSMParameterValue -Name mstkey).Parameters[0].Value
$s3bucket = (Get-SSMParameterValue -Name s3bucket).Parameters[0].Value
$file = (Read-S3Object -BucketName $s3bucket -Key $msikey -File $msikey)
$mst = (Read-S3Object -BucketName $s3bucket -Key $mstkey -File centrify.mst)
Note that we are downloading the Centrify installation files (MSI/MST) directly ($file, $mst). We should now have all the parameters needed for each transaction.
- Set up DNS name resolution for the domain
Set-DnsClientServerAddress "Ethernet 2" -ServerAddresses $ipdns1,$ipdns2
Note that the interface alias should be "Ethernet" for Windows Server 2012R2 and "Ethernet 2" for Windows Server 2016.
- Install Centrify Agent for Windows using PowerShell and msiexec.
$DataStamp = get-date -Format yyyyMMddTHHmmss
$logFile = '{0}-{1}.log' -f $file.fullname,$DataStamp
$MSIArguments = @(
"/i"
('"{0}"' -f $file.fullname)
"/qn"
"/norestart"
("/l " + """$logFile""")
# TRANSFORMS is an MSI property, so it is passed as NAME=value (no leading slash); quoted in case the path contains spaces
('TRANSFORMS="{0}"' -f $mst.fullname)
)
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow
At this point, the client should be installed.
- Now, let's rename the system and join it to Active Directory.
$rename = Rename-Computer -NewName $system_name
# this is ugly, but needed!
sleep 5
Add-Computer -DomainName $domain -Credential $credential -OUPath $oupath -Options JoinWithNewName,AccountCreate -Restart -Force
VIII. Considerations for Instance Termination
Before terminating the instance:
- The system should be removed from Active Directory (Remove-Computer)
- In time, the system will be removed from the list (e.g. EC2 instances).
Testing (verifying) the implementation
Here are the high-level steps to start your testing.
- Launch an EC2 Windows Instance.
- In the configuration tab, make sure you add it to your IAM role (the one that is granted access to retrieve parameters, decrypt and read the S3 bucket).
- Paste the contents of your PowerShell script in the User Data field between [script-goes-here].
- Continue launching your system normally.
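Before walking the test matrix, it helps to confirm on the instance that each objective actually happened (domain join, 15-character name, agent installed, IWA root CA delivered, GPO applied). This is an added example, not from the original article; the expected domain, the agent's display name and the CA subject substring are assumptions, and it must run from an elevated PowerShell session after the post-join reboot.

```powershell
# Added example: post-launch verification of the onboarding objectives.
$expectedDomain  = "example.corp"   # assumption: your AD domain
$iwaSubjectMatch = "IWA"            # assumption: substring in your tenant's IWA root CA subject

$cs = Get-CimInstance Win32_ComputerSystem
$domainOk = $cs.PartOfDomain -and ($cs.Domain -ieq $expectedDomain)
$nameOk   = $cs.Name.Length -le 15  # NetBIOS limit from the planning section

# Look the agent up in the Uninstall registry keys rather than Win32_Product,
# which triggers an MSI consistency check on every product when queried.
$agent = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                          "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like "Centrify Agent for Windows*" }   # assumed display name

# The IWA root CA should have arrived via the Public Key Policies GPO (Section IV)
$iwaCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$iwaSubjectMatch*" }

# Confirm the "Centrify Settings" GPO is in the applied list (requires elevation for computer scope)
$gpo = gpresult /r /scope:computer 2>&1 | Select-String "Centrify Settings"

[pscustomobject]@{
  DomainJoined   = $domainOk
  NameWithin15   = $nameOk
  AgentInstalled = [bool]$agent
  AgentVersion   = $agent.DisplayVersion
  IwaRootTrusted = [bool]$iwaCert
  GpoApplied     = [bool]$gpo
}
```

A false IwaRootTrusted with GpoApplied true usually means the wrong tenant's certificate was imported in Section IV; a false GpoApplied usually means the computer landed outside the linked OU.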
Test Matrix