Background This is the first lab in the series around Strong Authentication (series link). We will be focusing on Windows systems and providing strong authentication for privileged users usin...
Background
This is the first lab in the series around Strong Authentication (series link). We will be focusing on Windows systems and providing strong authentication for privileged users using Yubikeys. Yubikeys are full-fledged personal identity verification (PIV) cards that work very well with Active Directory Certificate Services and Centrify software for UNIX, Linux and Windows.
The challenges
The Windows security model lends itself for organizations to grant additional privileges to users by way of the local Administrators group. In Active Directory environments organizations struggle with excessive memberships on privileged groups like Domain Admins.
In Active Directory, a common mitigation strategy is to provision each privileged user an "administrative" account (e.g. joe/joe-a). This strategy can be supplemented by having the "-a" account password stored securely.
Unfortunately, advanced attacks like password mining, pass-the-hash and others have become more ubiquitous, this makes a member of a privileged group ("-a" or not) more susceptible to exposure.
The "dual account" model is often paired with PSM (jumpbox) to provide session brokering and recording. Unfortunately, this model can be circumvented by bypassing the jumpbox, and since the "-a" account is very powerful, that means that the privileged user can go anywhere.
The opportunity
Although Centrify can accommodate the "dual account" model using Centrify Privilege Service, ideally organizations would implement the least privilege model:
Users shall only access the systems they need to based on business need-to-know with strong authentication
Users shall be limited to the minimum privileges required for their functions: this is accomplished by providing users roles with the rights that they need.
Rights shall be assigned in the context of applications, desktops and network rights. Strong authentication shall be required when using privilege elevation.
In sensitive systems, access and privilege elevation shall be supplemented with session capture and replay.
Lab Goals
Limit privileged users to a subset of Windows systems based on their needs (AD and Centrify Zones enable this)
Require strong authentication for console or remote (RDP) access (this is supported natively by Windows)
Require strong authentication on Privilege Elevation (applications/desktops) (DirectAuthorize is Smart Card ready)
We'll use the smart card user certificate provisioned to your test user's Yubikey. In Active Directory we'll require smart card authentication for the user (this also be implemented in a subset of systems using Group Policy).
We will grant the test user a Centrify DirectAuthorize role that allows her to:
Run Disk Management as the local administrator and will require strong authentication to be launched
Use an administrative desktop (as local administrator) and requires strong authentication to be launched
To perform the steps for the script above manually
Create the Zone
Open Access Manager and right-click Zones > Create New Zone Name: Yubikey-Demo Container: Browse to your container.
Press Next and Finish
Create the Disk Management Application
Launch Disk Management (e.g. Start > Run > diskmgmt.msc)
Open Access Manager > Open they Yubikey-Demo zone > Authorization > Windows Right Definitions > Right Click Applications > New Windows Application Name: Disk Management ComboMatch Criteria: Press Add > Import Process and Select Disk Management and Press OK Press Add > Import File > Browse to c:\Windows\System32 and select diskmgmt.msc, press OK. This will add another way to launch the application. RunAs: Self with added group privileges > Press Add Builtin Groups > Select Administrators, press OK and check the box for Authentication Required and press OK.
Create the Admin Desktop Right
In Access Manager > Open they Yubikey-Demo zone > Authorization > Windows Right Definitions > Right Click Desktops > New Windows Desktop Name: Admin Desktop Runas: Press Add Builtin Groups > Select Administrators, press OK and check the box for Authentication Required and press OK.
Create, Configure and Assign the Demo role
In Access Manager > Open they Yubikey-Demo zone > Authorization > Right Click Role Definitions > Select Add Role
Name: Demo Role System Rights: "Remote Login is allowed"
Press OK and right-click the newly created role and select "Add Right"
The role is ready to be assigned. Now press OK and right-click the Authorization > Role Assignments > Select Assign Role
Press the Add AD account > type the name of your test user, select it and press OK. Note: This is a permanent direct assignment to a user principal at the zone level. This is not the best practice, typically you grant role assignments temporarily (for attestation), in a subset of systems and to AD groups for better administration.
Install DirectAuthorize for Windows and join the system to the Centrify Zone
In your domain-joined test systems, browse to the path for the Centrify Standard Edition software.
Go to Agent > and Run "Centrify Windows Agent.exe"
Follow the Wizard, you will select the "Access" components. If you have DirectAudit, also select Audit.
When the installation ends, you need to configure the client to join your desired zone.
The system will ask to reboot when complete.
Important Notes:
When a Windows system is added to the Centrify Zone, the security model changes.
In order to access a Centrified Windows system, users must be explicitly granted logon rights. This means that even Domain Admins won't be able to access those sytsems.
The type of access is based on the Windows setup (Remote/Log on Locally) and the Centrify Role definition (Console/Remote)
When adding your first system to a zone, you will have an opportunity to explicitly add Domain Admins, otherwise you may completely lock the system
Configure your Test user for Smart Card Authentication
In ADUC, find and double-click the test user.
Account Tab > Account Options > Check the box for "Smart Card is required for interactive logon"
Press OK. You are ready to start testing.
Test Plan:
Try to access the system with any other AD user than test user - expected result: Access Denied This is because users need to be explicitly be granted access using a Centrify role.
Try to access the system with Lisa with her password - expected result: Access Denied This is because the test user was defined with "Smart card required for interactive logon"
Try to access the system via the console with Smart Card - expected result: Access Denied This is because the role created in Centrify does not grant console login.
Try to access the system via RDP with smart card PIN - expected result: Access Granted
Try to run application "disk management" normally - expected result: Error: "You don't have access rights to logical Disk Manager on [Server]" This is because when the user launches the app, they are doing so without any privileges.
Launching App or Privileged Desktop: Right click App > Run with Privilege > Challenge with Password - Expected result: Access Denied Right click App > Run with Privilege > Challenge with smart card PIN- Expected result: Access Granted