Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

[Security Corner] Centrify and the Microsoft Enhanced Security Administrative Environment (2/3)

11 April,19 at 11:51 AM

Background

In the previous entry to this series,  we provided an introduction to  the Microsoft Enhanced Security Administrative Environment (MS ESAE) and we outlined its principles and general recommendations.  This article's goal is to provide information about how Centrify can enable the implementation of the general principles and recommendations.  The final article of the series will focus on the architectural considerations of the MS ESAE.

 

Key takeaways from the previous article

  • The MS ESAE is a series of recommendations and technologies to prevent credential theft in Windows environments.  ESAE and "Red Forest" are sometimes interchanged even if an administrative (red) forest is one of the recommendations. 
  • Pass the Hash (PtH) is one of the techniques used for credential theft in Windows environments.  Attacks of this nature require a node breach (a compromised system running malware as administrator).
  • The realistic goal of MS ESAE is to limit the effect of techniques like PtH (and take those away from an attacker's arsenal), but it focuses on all types of Credential Management and is likely to evolve as threats change and products introduce newer capabilities.

Summarized Principles to Mitigate Credential Theft in Windows Environments

  • Principle #1 (P1)  Perform the basic steps to secure your Active Directory
    • Reduce the number of Administrators and manage security group membership.
    • Establish administrative workstations (or servers).
    • Protect Domain Controllers and maintain them up-to-date.
    • Monitor your environment.     
  • Principle #2 (P2) Have a plan to migrate applications and services that depend on NTLM.
  • Principle #3 (P3)  Separate user accounts vs admin accounts.
  • Principle #4 (P4)  Implement distinct admin passwords per workstation.
  • Principle #5 (P5)  Use "Privilege Access Workstations" for administration [Next Article].
  • Principle #6 (P6)  Control the privileges of service accounts.
  • Principle #7 (P7)  Don't allow regular users to have administrative rights in endpoints (desktops, laptops, etc.)
  • Principle #8 (P8)  Embrace Temporary Access Controls (JIT, on-demand).
  • Principle #9 (P9)  Deploy an administrative forest (Red Forest) with a selective one-way trust and limit upwards administration in the corporate side. [Next Article]
  • Principle #10 (P10) Use critical thinking - MS ESAE is complex and may not work in all instances. [Next Article]

How Centrify helps reduce the number of  permanent administrators in your environment and separates regular user accounts froma dministrative accounts (P1, P3, P7)

Goal:  Reducing the number of administrators (or permanent administrators) will shrink the attack surface.  Any compromised credentials will have limited lateral movement capability.

Solutions: 

  • Centrify Agent for Windows
  • Centrify Infrastructure Service  (provides system-based and vault-based security).
  • Centrify Endpoint Services (Mac, Windows).
  • Centrify Audit Trail and Splunk, Q-Radar and HP ArcSight.

Challenges: 

  • Maintaining security posture while enabling IT productivity.
  • Deploying this capability across multiple system classes without relying in multiple vendors.

Centrify Agent for Windows

This product allows organizations to perform privilege elevation where it matters most: closest to the asset being protected; this is all accomplished using the DirectAuthorize capability.  This allows the elimination of permanent membership to attractive Windows security groups in an Active Directory domain and locally.  This client relies on Active Directory to store data structures and access and privilege rules enjoy the benefits of offline access. The key capabilities (among others) are:

  • Privilege Elevation for Administrators (e.g. Privilege Desktop)
  • Privilege Elevation for Applications (Windows Applications)

Results:  With DirectAuthorize, users log in with their normal accounts, administrative accounts are not being used.  Because these accounts are just normal users accounts, in the case of node compromise, lateral movement is limited to the scope of the user account. 

Users have the option of elevating privileges as a built-in local group or as an AD security group.  Here's a quick demo of privilege elevation:

 Additional benefits: 

  • Cross-platform:  This capability is also available in UNIX and Linux via our Centrify-enhanced sudo implementation.
  • Identity Assurance:  Privilege elevation can be further secured with MFA.
  • Audit Trail and Session Capture:  These are essential capabilities, especially for Privilege Management Workstations.
  • Attestation:  Being able to determine and/or report-on who has access, what can they do, what's thes source of roles, etc. is a basic capability.

Infrastructure Service - Privilege Service

Privilege Service allows organizations to discover, assign and secure shared accounts accounts (administrative or not).  Here are some of the of the areas that this product can help in your quest to implement the best practices:

  • Separate regular user from privilege user accounts.
  • Admin account discovery, mapping and assignment.
  • Anomaly detection.
  • A single instance can be scoped to work on premises or across IaaS deployments.

 

 AA disc.PNG

 

How Centrify helps migrating your applications from NTLM dependency (P2)

Goal:  Reduce or eliminate the attack vector that relies on NTLM (PtH).

Solutions/Integrations: 

  • Centrify DirectControl and Centrify Agent for Linux
  • Centrify SSO Plugins (Apache, Java, SAP ABAP, SAP Netweaver, DB2)
  • Centrify Agent for Windows

Challenges: Lost functionality, compatibility.

 

If you are a Centrify customer, one of the key areas you need to know is that our Identity Broker clients (DirectControl & Centrify Agent for Linux) don't have dependencies on NTLM for authentication, privilege elevation or auditing functionality.   In addition, if you are using the Centrify Agent for Windows to secure Windows systems and provide privilege elevation, you want to make sure that your transition will be smooth.

  • In the case of DirectControl (adclient), we can use NTLM, but we rely mainly on Kerberos.
    An area of note is the Samba integration.  We provide an Identity Mapper for this integration, the Samba server may have a dependency on NTLM depending on its version - engage with the Samba project or your OS distributor in this topic.
  • All the SSO Plugins provide support to both NTLM and Kerberos.  The NTLM integrations can be disabled via parameters.
    no-ntlm-apache.PNG
  • In the case of the Centrify Agent for Linux (cclient), although you can use AD users, it ultimately uses HTTPS and REST.
  • In the case of the Centrify Agent for Windows there are no dependencies in NTLM; the agent aligns with Windows functionality in the existing version.

 

How Centrify helps implementing different local administrative passwords per workstation (P4)

Goal:  Reduce the attack surface, prevent lateral movement.

Solutions/Integrations: 

  • Centrify Infrastructure Service - Privilege Service
  • Centrify Endpoint Services

Challenges: limit the use of point solutions, implement rich policy, use across multiple platforms.  Automation (with older vaults).

 

Infrastructure Service - Privilege Service

We discussed how Privilege Service can help on separating admin vs. user accounts, but the same solution can be used to establish distinct administrator accounts.
cps-dash.PNG

 

Endpoint Services - Local Account Password Management (LAPM)

LAPM leverages the platform's vaulting capabilities to allow management of unique local administrator passwords for laptops.

  • Policy-based management
    mac-lapm.PNGControl fine-grained details of the LAPM capability
  • Self-Service

lapm.PNGCentrify's LAPM for Mac offers a Self-Service capability

  • Muti-purpose Policy Engine
    The policy engine for the Endpoint services allows for Policy, Mobile Device, Mobile Container and Mobile application management across Android, iOS, MacOS and other platforms.  Translation:  get more out of your investment.

For more info about LAPM, check out this page:  https://www.centrify.com/solutions/mac-and-mobile/local-administrator-password-management/

Note:  At the time of this writing, the ability to rotate passwords for systems on the go (e.g. systems that infrequently visit the network or BYOD) is available for OS X.  Windows LAPM is actively being worked on with a target of the Summer 2018.

 

How Centrify can help control the privileges of service accounts (P6)

Goal:  Discover over-privileged service accounts, control password rotation, reduce attack surface, prevent lateral movement.

Solutions/Integrations: 

  • Centrify Infrastructure Service

Challenges:  service account real estate, usage, permissions, legacy application support.

 

Infrastructure Service - Privilege Service

We discussed how Privilege Service can help with separating admin vs. user accounts and how it can help implement unique administrator passwords in cross-platforms.  Privilege Service can also address the issue of service accounts allowing you to:

  • Discover what Windows services are running in your environment with Active Directory or Windows local identities. - Inventory.
  • Bring them under management (password rotation)
  • Maintain high-availability with our MUX capability.

Here's a quick demo:

How Centrify allows organizations to embrace Temporary Access Controls (JIT, on-demand)

Goal:  Reduce the attack surface, limit the time window for an attacker to mount an effective attack.

Solutions/Integrations: 

  • Centrify Infrastructure Service
  • ServiceNow - Centrify Privilege Access Request

Challenges: maintain productivity, use across multiple platforms, don't prevent break-fix, align with existing ITSM or workflow solutions.

 

Infrastructure Service

Temporary access controls (access/privilege) is a key design goal for Infrastructure Service. 
Temporary and time-bound RBAC capabilities (system-level)

tac-css.PNGInfrastructure Service (formerly Server Suite) implements temporary access controls via role assignments.  The power of this solution for organizations is the following:

  • Controls the assignment of access and privileges.
  • Users gain (or lose) access or privileges regardless of the state of the identity in Active Directory.
  • Multiple integration possibilities:
    • Via the vault
    • Via PowerShell
    • Via adedit (TCL-based).
  • Controls the Effectiveness of roles and rights.  This means that if a user population with permanently-assigned roles, can have entitlements be effective in a specific time window.  E.g. (a "backup operator" may traverse the filesystem only from 8PM to 8AM).

Integrated Privilege Access Request (vault-level, system-level)

tac-cps.PNGThe Centrify Identity Platform provides workflow as a core service.  In addition to supporting single or multiple approval levels, there are time-bound options to get secure access to a system, password checkouts or requesting a Centrify zone role.

 

The options are:

  • Permanent assignment - should not be the best practice.
  • Temporary assignment - provides a window of time after approval.
  • Windowed - provides the ability to set up access for a datetime window (very adequate for change-control windows).

 

Integrations with ITSM and Workflow Solutions

For organization standardizing with ITSM solutions like ServiceNow, we offer native integrations and documented APIs for frictionless adoption to an existing organizational process.

 

 

Summary

In this article we have discussed how Centrify can help with the general principles around ESAE, these principles are a "no-brainer" from a security perspective, however, it's easier said than done.  Expect organizational push back and friction.  In the 3rd installment of the series, we'll talk about the various technologies introduced since Windows Server 2008 R2 directly related to Windows Credential theft, and we'll provide our take on them.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.