Background In the previous entry to this series, we provided an introduction to the Microsoft Enhanced Security Administrative Environment (MS ESAE) and we outlined its principles ...
Background
In the previous entry to this series, we provided an introduction to the Microsoft Enhanced Security Administrative Environment (MS ESAE) and we outlined its principles and general recommendations. This article's goal is to provide information about how Centrify can enable the implementation of the general principles and recommendations. The final article of the series will focus on the architectural considerations of the MS ESAE.
Part II: How can Centrify help - attack the principles (establish identity assurance, reduce the attack surface, prevent lateral movement, audit everything) - this article.
Part III: Design considerations and technology showcase.
Key takeaways from the previous article
The MS ESAE is a series of recommendations and technologies to prevent credential theft in Windows environments. ESAE and "Red Forest" are sometimes interchanged even if an administrative (red) forest is one of the recommendations.
Pass the Hash (PtH) is one of the techniques used for credential theft in Windows environments. Attacks of this nature require a node breach (a compromised system running malware as administrator).
The realistic goal of MS ESAE is to limit the effect of techniques like PtH (and take those away from an attacker's arsenal), but it focuses on all types of Credential Management and is likely to evolve as threats change and products introduce newer capabilities.
Summarized Principles to Mitigate Credential Theft in Windows Environments
Principle #1 (P1) Perform the basic steps to secure your Active Directory
Reduce the number of Administrators and manage security group membership.
Principle #9 (P9) Deploy an administrative forest (Red Forest) with a selective one-way trust and limit upwards administration in the corporate side. [Next Article]
Principle #10 (P10) Use critical thinking - MS ESAE is complex and may not work in all instances. [Next Article]
How Centrify helps reduce the number of permanent administrators in your environment and separates regular user accounts froma dministrative accounts (P1, P3, P7)
Goal: Reducing the number of administrators (or permanent administrators) will shrink the attack surface. Any compromised credentials will have limited lateral movement capability.
Solutions:
Centrify Agent for Windows™
Centrify Infrastructure Service (provides system-based and vault-based security).
Centrify Endpoint Services (Mac, Windows).
Centrify Audit Trail and Splunk, Q-Radar and HP ArcSight.
Challenges:
Maintaining security posture while enabling IT productivity.
Deploying this capability across multiple system classes without relying in multiple vendors.
Centrify Agent for Windows™
This product allows organizations to perform privilege elevation where it matters most: closest to the asset being protected; this is all accomplished using the DirectAuthorize capability. This allows the elimination of permanent membership to attractive Windows security groups in an Active Directory domain and locally. This client relies on Active Directory to store data structures and access and privilege rules enjoy the benefits of offline access. The key capabilities (among others) are:
Privilege Elevation for Administrators (e.g. Privilege Desktop)
Privilege Elevation for Applications (Windows Applications)
Results: With DirectAuthorize, users log in with their normal accounts, administrative accounts are not being used. Because these accounts are just normal users accounts, in the case of node compromise, lateral movement is limited to the scope of the user account.
Users have the option of elevating privileges as a built-in local group or as an AD security group. Here's a quick demo of privilege elevation:
Additional benefits:
Cross-platform: This capability is also available in UNIX and Linux via our Centrify-enhanced sudo implementation.
Identity Assurance: Privilege elevation can be further secured with MFA.
Audit Trail and Session Capture: These are essential capabilities, especially for Privilege Management Workstations.
Attestation: Being able to determine and/or report-on who has access, what can they do, what's thes source of roles, etc. is a basic capability.
Infrastructure Service - Privilege Service
Privilege Service allows organizations to discover, assign and secure shared accounts accounts (administrative or not). Here are some of the of the areas that this product can help in your quest to implement the best practices:
Separate regular user from privilege user accounts.
Admin account discovery, mapping and assignment.
Anomaly detection.
A single instance can be scoped to work on premises or across IaaS deployments.
How Centrify helps migrating your applications from NTLM dependency (P2)
Goal: Reduce or eliminate the attack vector that relies on NTLM (PtH).
Solutions/Integrations:
Centrify DirectControl and Centrify Agent for Linux
Centrify SSO Plugins (Apache, Java, SAP ABAP, SAP Netweaver, DB2)
Centrify Agent for Windows™
Challenges: Lost functionality, compatibility.
If you are a Centrify customer, one of the key areas you need to know is that our Identity Broker clients (DirectControl & Centrify Agent for Linux) don't have dependencies on NTLM for authentication, privilege elevation or auditing functionality. In addition, if you are using the Centrify Agent for Windows™ to secure Windows systems and provide privilege elevation, you want to make sure that your transition will be smooth.
In the case of DirectControl (adclient), we can use NTLM, but we rely mainly on Kerberos. An area of note is the Samba integration. We provide an Identity Mapper for this integration, the Samba server may have a dependency on NTLM depending on its version - engage with the Samba project or your OS distributor in this topic.
All the SSO Plugins provide support to both NTLM and Kerberos. The NTLM integrations can be disabled via parameters.
In the case of the Centrify Agent for Linux (cclient), although you can use AD users, it ultimately uses HTTPS and REST.
In the case of the Centrify Agent for Windows™ there are no dependencies in NTLM; the agent aligns with Windows functionality in the existing version.
How Centrify helps implementing different local administrative passwords per workstation (P4)
Goal: Reduce the attack surface, prevent lateral movement.
Solutions/Integrations:
Centrify Infrastructure Service - Privilege Service
Centrify Endpoint Services
Challenges: limit the use of point solutions, implement rich policy, use across multiple platforms. Automation (with older vaults).
Infrastructure Service - Privilege Service
We discussed how Privilege Service can help on separating admin vs. user accounts, but the same solution can be used to establish distinct administrator accounts.
Cross-platform: works for desktops, servers, databases and network devices.
Implement policies to secure these accounts like: MFA on check-out or secure access, regular password rotation, password history, etc.
Implement across on premises or IaaS implementations.
Endpoint Services - Local Account Password Management (LAPM)
LAPM leverages the platform's vaulting capabilities to allow management of unique local administrator passwords for laptops.
Policy-based management Control fine-grained details of the LAPM capability
Self-Service
Centrify's LAPM for Mac offers a Self-Service capability
Muti-purpose Policy Engine The policy engine for the Endpoint services allows for Policy, Mobile Device, Mobile Container and Mobile application management across Android, iOS, MacOS and other platforms. Translation: get more out of your investment.
Note: At the time of this writing, the ability to rotate passwords for systems on the go (e.g. systems that infrequently visit the network or BYOD) is available for OS X. Windows LAPM is actively being worked on with a target of the Summer 2018.
How Centrify can help control the privileges of service accounts (P6)
Goal: Discover over-privileged service accounts, control password rotation, reduce attack surface, prevent lateral movement.
Solutions/Integrations:
Centrify Infrastructure Service
Challenges: service account real estate, usage, permissions, legacy application support.
Infrastructure Service - Privilege Service
We discussed how Privilege Service can help with separating admin vs. user accounts and how it can help implement unique administrator passwords in cross-platforms. Privilege Service can also address the issue of service accounts allowing you to:
Discover what Windows services are running in your environment with Active Directory or Windows local identities. - Inventory.
Bring them under management (password rotation)
Maintain high-availability with our MUX capability.
Here's a quick demo:
How Centrify allows organizations to embrace Temporary Access Controls (JIT, on-demand)
Goal: Reduce the attack surface, limit the time window for an attacker to mount an effective attack.
Solutions/Integrations:
Centrify Infrastructure Service
ServiceNow - Centrify Privilege Access Request
Challenges: maintain productivity, use across multiple platforms, don't prevent break-fix, align with existing ITSM or workflow solutions.
Infrastructure Service
Temporary access controls (access/privilege) is a key design goal for Infrastructure Service. Temporary and time-bound RBAC capabilities (system-level)
Infrastructure Service (formerly Server Suite) implements temporary access controls via role assignments. The power of this solution for organizations is the following:
Controls the assignment of access and privileges.
Users gain (or lose) access or privileges regardless of the state of the identity in Active Directory.
Multiple integration possibilities:
Via the vault
Via PowerShell
Via adedit (TCL-based).
Controls the Effectiveness of roles and rights. This means that if a user population with permanently-assigned roles, can have entitlements be effective in a specific time window. E.g. (a "backup operator" may traverse the filesystem only from 8PM to 8AM).
The Centrify Identity Platform provides workflow as a core service. In addition to supporting single or multiple approval levels, there are time-bound options to get secure access to a system, password checkouts or requesting a Centrify zone role.
The options are:
Permanent assignment - should not be the best practice.
Temporary assignment - provides a window of time after approval.
Windowed - provides the ability to set up access for a datetime window (very adequate for change-control windows).
Integrations with ITSM and Workflow Solutions
For organization standardizing with ITSM solutions like ServiceNow, we offer native integrations and documented APIs for frictionless adoption to an existing organizational process.
In this article we have discussed how Centrify can help with the general principles around ESAE, these principles are a "no-brainer" from a security perspective, however, it's easier said than done. Expect organizational push back and friction. In the 3rd installment of the series, we'll talk about the various technologies introduced since Windows Server 2008 R2 directly related to Windows Credential theft, and we'll provide our take on them.
