The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems.
When combined with Centrify Infrastructure, App or Endpoint Services, this enables MFA with Centrify Apps/Endpoint mode (zoneless) and with Infrastructure Service (zone mode). This article focuses on MFA on Zoneless Mode.
To follow this lab guide, you must be very familiar with IaaS solutions. We will be using AWS as an example.
Building Blocks
We have split the orchestration building blocks into several articles for easier testing and future extensions.
Setting-up an AWS Test Lab for Centrify: provides a step-by-step guide to set up and host Active Directory in AWS, and walks you through implementing several Centrify software pieces.
Ability to launch instances and modify their configuration (e.g. AWS User Data).
Ability to host and set ACLs on a web share (e.g. AWS S3).
Ability to create a secure parameter (e.g. AWS KMS + Parameter Store).
Network layout that allows communication between Active Directory, Centrify Connector(s) and Instances (e.g. AWS Security Groups).
A Centrify Infrastructure Services Instance
You should have a Centrify connector running in your target IaaS service provider (e.g. AWS).
Ability to create an Enrollment Code for Infrastructure Service.
Centrify Agent for Windows (MSI) and Group Policy Deployment (MST) file.
A Centrify Infrastructure Services license installed in Active Directory (via Licensing Service).
To Join Active Directory
Your IaaS infrastructure must have a hosted or managed Active Directory implementation.
You need the credential of a user with delegated access to join systems to Active Directory.
To set up a GPO (one-time/infrequent updates) setting
You should have an Active Directory OU and two AD Security groups. (e.g. Centrify MFA Users/Centrify MFA Rescue).
You should be able to create, scope and link a Group Policy.
You should have a secure management station with the Centrify Group Policy Extensions.
You should be able to retrieve the IWA Root certificate for Identity Service platform.
A Windows instance is launched. (e.g. EC2 Windows)
The Windows instance retrieves common and secure parameters (e.g. Parameter Store)
The system retrieves the MSI package from a central place (e.g. S3 bucket)
The system joins Active Directory and restarts.
On reboot, the system receives the Group Policy settings.
MFA users will be challenged at console login, remote login and screen unlock; MFA Rescue Users will skip MFA.
Methodology: We will use the Plan-Do-Check-Adjust methodology.
What's the Windows system naming convention? (default or meaningful).
How will the PKI certificate be distributed?
What functionality is required? (MFA, Infrastructure Services enrollment, vaulting of local accounts).
Interoperability: Should Windows Credential providers be excluded from the chain?
Usability: What will be the grace period for MFA on screen saver unlock?
Offline/Safe Mode MFA: Will this be enabled? What rescue users will be designated?
Communications: Depends on functionality or usage in your environment. See network reference here (link).
Audit Trail: Should the Centrify events be sent to the SIEM tool?
In our example:
Systems will have the following name in the Centrify Infrastructure Services portal: AWS-[last 10 digits of InstanceID]. This keeps the name within 15 characters (legacy NetBIOS limitation).
The system retrieves the Centrify Agent files (MSI and MST files). (e.g. AWS S3 bucket).
The system uses PowerShell to launch the msiexec installer tool.
The system uses PowerShell to rename itself, join the domain and place the computer object in a specific OU, then reboots.
The system receives the PKI and MFA settings on reboot.
Tested with: Centrify Infrastructure Services 18.2, Centrify Agent for Windows™ 2017.3 (3.4.3-872) and Windows Server 2016.
Implementation Overview (for AWS)
Note: steps 1-5 are one-time tasks, repeated only sporadically for tweaks and upgrades.
Retrieve the IWA Trust certificate from your Centrify Platform Instance.
Create a test organizational unit (OU).
Create a GPO and tie it to your test OU.
Configure the Windows GPO Settings.
Add the Centrify GPO extensions.
Configure PKI trust settings.
Configure the Centrify GPO Settings
Platform Instance URL.
Specifying which users are required to sign-in with MFA.
Specifying which users will be designated for rescue rights.
Configure AWS foundation
Review the PowerShell commands
Create computer name
Retrieve files from S3 bucket
Install the software
Join Active Directory (and rename)
I. Retrieve the IWA Trust certificate from your Centrify Platform Instance
Sign in to your instance and navigate to: Admin Portal > Settings > Network > Centrify Connectors, then double-click an active connector for your environment.
Go to the IWA Service tab, and click “Download your IWA root CA certificate.”
Note the location of this file (e.g. downloads).
II. Create a test organizational unit (OU) and AD Groups.
You will be performing these steps from a secure domain-joined Windows system with Active Directory management tools (e.g. ADUC or PowerShell).
Open Active Directory Users and Computers.
In the proper location in your domain tree, create a new OU and give it a name (e.g. “Deployment”).
Now let's create two Security Groups. In a designated OU, select New > Group. Make sure this is a security group with the proper scope. The names can be something descriptive like "Centrify MFA Users" and "Centrify MFA Rescue Users".
Leave ADUC open for any other future tasks.
III. Create a GPO and tie it to your test OU
You will be performing these steps from a secure domain-joined Windows system with the Group Policy Management console.
Open GPMC, expand your forest and domain, and browse to the newly-created OU.
Right click the Deployment OU and select “Create a GPO in this domain, and Link it here…”
Set a name for your GPO (e.g. Centrify Settings).
Right-click the newly-created GPO and select Edit. (Opens the GPO Editor).
Leave the GPO Editor open.
IV. Configure the Windows GPO Settings
Load the Centrify Group Policy Extensions
In the recently-edited GPO, let's add the Centrify Templates for Windows.
Navigate to Computer Configuration > Policies, right-click Centrify Settings, press “Add/Remove templates” and press the Add button.
Click the centrify_windows_settings XML file and press Open. Note: Each time you upgrade the Centrify consoles, you need to revisit these steps to expose any newly-released GPOs.
Press OK and leave GPOE open.
Establish PKI Trust
In GPOE, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Double-click the Trusted Root Certification Authorities, and in the right pane, right click and select Import.
Browse to the location of the IWA Root Certificate from Section I, and select it. The certificate in the store should match the tenant that you’ll be using for enrollment.
Leave the GPOE open for the next section.
At this point, you have taken care of the basic Windows Group Policies, including loading the templates, and PKI settings.
V. Configure the Centrify GPO Settings
Based on our planning, we are going to:
Associate the Windows systems with a specific Centrify platform instance. This is a required setting, established via the Specify the platform instance URL to use group policy, which has to be populated with the platform URL, e.g. https://example.my.centrify.com.
Enable MFA at login for all Domain Users. This is established via two GPOs.
The first one "turns on" MFA: Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, usually set to "Enabled".
The second one, Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone), is populated with the users, or the groups that contain the users, to be challenged for MFA.
Enable a special group "MFA - Rescue Users" to skip MFA in case of offline or Windows Safe Mode. This is established via the Specify a list of rescue users (when the agent is not joined to a zone) policy, which is populated with the users, or the groups that contain the users, designated as rescue users.
Enable corporate enrollment of Windows 10 systems. This is the default behavior, however it can be disabled via the Common Settings\Disable automatic enable of MDM enrollment policy GPO.
In the recently-edited GPO, let's add the Platform URL.
Navigate to Computer Configuration > Policies > Centrify Settings > Windows Settings and expand MFA Settings. Note: If you don't see the Windows Settings section, you did not import the templates.
Double-click Specify the platform URL to use, enable it and set it to the URL for your tenant and press OK. Make sure you use the default URL, not any of the vanity URLs that your tenant may have. E.g. aab234.my.centrify.com.
Double-click Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, set it to Enabled and press OK.
Double-click the Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone GPO, enable it and add your test users or test AD group(s), then press OK.
Now go to the Common Settings folder and double-click the Specify a list of rescue users (when the agent is not joined to a zone) GPO, enable it and add your rescue users group (e.g. Centrify MFA Rescue Users). At this point, you should be done with all Group Policy Editor settings.
VI. Configure AWS foundational Tasks
Configure an Encryption Key
Sign-in to your AWS console and go to the IAM Service.
Once you have the encryption key set up, you must grant a policy that allows decryption. In my environment, I have an IAM Role called "Centrify-IAM-Role-4EC2" to which I have granted decryption rights on the key. When systems are launched, they are assigned this role, which gives the system the ability to decrypt the SecureString parameter.
Return to the EC2 service.
Set up Parameters
Sign in to your AWS console and navigate to: Services > EC2 > Systems Manager Shared Resources > Parameter Store.
Click Create Parameter and create the following parameters:
Name of our Active Directory domain. e.g. corp.contoso.com
IP address of your domain controller in AWS e.g. 172.31.14.16
IP address of your second domain controller in AWS e.g. 172.31.20.24
User name for joining the system to Active Directory, e.g. CORP\ad-joiner. Ideally this is a user with delegated access (not a permanent member of attractive groups). If you need to know how to delegate the right to join a domain, click here.
Password for the joining user. This is a SecureString parameter, so you have to specify the KMS key ID as well as the value.
The Distinguished Name for the OU used for Deployment e.g. "OU=Deployment,DC=example,DC=com"
Contains the S3 Bucket Name
The key (name) of the Centrify Agent for Windows MSI file in the S3 bucket
The key (name) of the Centrify Agent for Windows MST file in the S3 bucket
Now open the S3 service.
Create, Populate and Permission your S3 Bucket
If you need to learn how to create S3 buckets, click here.
Add the Centrify Agent for Windows MSI and Group Policy Deployment MST files to your bucket.
Set the permissions for your EC2 role (e.g. Centrify-IAM-Role-4EC2) so it can read the files (or the whole bucket). For instructions on how to grant an IAM role access to an S3 bucket, click here.
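The two grants this section asks for (decrypt rights for the role created under Configure an Encryption Key, and read access to the bucket) scoped to the minimum the onboarding needs, as an added example written for this page rather than taken from the article. The angle-bracket values and the /centrify/ parameter path are assumptions; Write-IAMRolePolicy is from the AWS Tools for PowerShell.

```powershell
# Added example (not from the article): least-privilege inline policy for the EC2 instance role.
# Placeholders in angle brackets are assumptions; the /centrify/ parameter path is assumed too.
$region   = '<aws-region>'; $account = '<account-id>'
$roleName = 'Centrify-IAM-Role-4EC2'            # the role named in the article
$bucket   = '<centrify-agent-bucket>'
$kmsKeyArn = "arn:aws:kms:${region}:${account}:key/<key-id>"   # key protecting the join password
$policy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "ReadLabParameters",
      "Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
      "Resource": "arn:aws:ssm:${region}:${account}:parameter/centrify/*" },
    { "Sid": "DecryptOnlyViaParameterStore",
      "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "$kmsKeyArn",
      "Condition": { "StringEquals": { "kms:ViaService": "ssm.${region}.amazonaws.com" } } },
    { "Sid": "ReadAgentPackages",
      "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::${bucket}/*" }
  ]
}
"@
# Attach as an inline policy: no wildcard actions, no access to other parameters, keys or buckets,
# and the key can only be used through Parameter Store, not called directly from the instance.
Write-IAMRolePolicy -RoleName $roleName -PolicyName 'CentrifyOnboarding' -PolicyDocument $policy
```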
VII. Construct the PowerShell to onboard the System
Define and retrieve the first batch of variables/parameters
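The onboarding flow laid out in the planning section (name the system from its instance ID, retrieve the agent MSI and MST from S3, run msiexec, join the domain into the Deployment OU and reboot) as one User Data bootstrap script. This is an added example, not the article's own script: it assumes the AWS Tools for PowerShell are present on the AMI, and the Parameter Store names under /centrify/ are placeholders, since the article does not name its parameters.

```powershell
# Added example (not the article's script): EC2 User Data bootstrap that follows the flow above.
# Assumptions: AWS Tools for PowerShell are installed, the instance role can read the SSM
# parameters and S3 objects, and the parameter names below are placeholders you create yourself.
$ErrorActionPreference = 'Stop'
$p = @{   # hypothetical Parameter Store names; the article does not fix them
    Domain   = '/centrify/ad-domain'; Dc1 = '/centrify/dc1-ip'; Dc2 = '/centrify/dc2-ip'
    JoinUser = '/centrify/join-user'; JoinPwd = '/centrify/join-password'   # SecureString (KMS)
    OuDn     = '/centrify/deploy-ou'; Bucket = '/centrify/s3-bucket'
    MsiKey   = '/centrify/agent-msi'; MstKey = '/centrify/agent-mst'
}
function Get-Param([string]$Name, [bool]$Secure = $false) {
    (Get-SSMParameter -Name $Name -WithDecryption $Secure).Value
}

# 1. Computer name: "AWS-" + last 10 characters of the instance ID (via IMDSv2), 14 chars total
$token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$instanceId = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/instance-id' `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }
$computerName = 'AWS-' + $instanceId.Substring($instanceId.Length - 10)

# 2. Point DNS at the domain controllers so the join can locate the domain
$dcs = @((Get-Param $p.Dc1), (Get-Param $p.Dc2))
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
    ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $dcs }

# 3. Fetch the agent MSI and the Group Policy Deployment MST from the S3 bucket
$bucket = Get-Param $p.Bucket
$msi = "$env:TEMP\CentrifyAgent.msi"; $mst = "$env:TEMP\CentrifyAgent.mst"
Read-S3Object -BucketName $bucket -Key (Get-Param $p.MsiKey) -File $msi | Out-Null
Read-S3Object -BucketName $bucket -Key (Get-Param $p.MstKey) -File $mst | Out-Null

# 4. Silent install with the MST applied; 3010 = success but reboot required (the join reboots)
$log = "$env:TEMP\CentrifyAgent-install.log"
$msiArgs = "/i `"$msi`" TRANSFORMS=`"$mst`" /qn /norestart /l*v `"$log`""
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) { throw "Agent install failed ($($proc.ExitCode)), see $log" }

# 5. Join the domain as the delegated join account, rename, land in the Deployment OU, reboot.
#    The password is decrypted by SSM, wrapped in a SecureString and never written to a log.
$secret = ConvertTo-SecureString (Get-Param $p.JoinPwd $true) -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential((Get-Param $p.JoinUser), $secret)
Add-Computer -DomainName (Get-Param $p.Domain) -Credential $cred -NewName $computerName `
    -OUPath (Get-Param $p.OuDn) -Force -Restart
```

Wrap the script in `<powershell></powershell>` tags when pasting it into the EC2 User Data field; the PKI trust and MFA settings from the GPO are applied by Group Policy after the reboot that Add-Computer triggers.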