11 April,19 at 11:51 AM
Background
In the previous entry to this series, we provided an introduction to the Microsoft Enhanced Security Administrative Environment (MS ESAE) and we outlined its principles and general recommendations. This article's goal is to provide information about how Centrify can enable the implementation of the general principles and recommendations. The final article of the series will focus on the architectural considerations of the MS ESAE.
Key takeaways from the previous article
How Centrify helps reduce the number of permanent administrators in your environment and separates regular user accounts from administrative accounts (P1, P3, P7)
Goal: Reducing the number of administrators (or permanent administrators) will shrink the attack surface. Any compromised credentials will have limited lateral movement capability.
Solutions:
Challenges:
Centrify Agent for Windows™
This product allows organizations to perform privilege elevation where it matters most: closest to the asset being protected; this is all accomplished using the DirectAuthorize capability. This allows the elimination of permanent membership in attractive Windows security groups, both in an Active Directory domain and locally. The client stores its data structures in Active Directory, and access and privilege rules remain available when the system is offline. The key capabilities (among others) are:
Results: With DirectAuthorize, users log in with their normal accounts; dedicated administrative accounts are not used. Because these are ordinary user accounts, if a node is compromised, lateral movement is limited to the scope of that user account.
Users have the option of elevating privileges as a member of a built-in local group or of an AD security group. Here's a quick demo of privilege elevation:
Additional benefits:
Infrastructure Service - Privilege Service
Privilege Service allows organizations to discover, assign and secure shared accounts (administrative or not). Here are some of the areas where this product can help in your quest to implement the best practices:
How Centrify helps migrate your applications away from NTLM dependency (P2)
Goal: Reduce or eliminate the attack vector that relies on NTLM (pass-the-hash, PtH).
Solutions/Integrations:
Challenges: Lost functionality, compatibility.
If you are a Centrify customer, one key point to know is that our Identity Broker clients (DirectControl and the Centrify Agent for Linux) have no dependency on NTLM for authentication, privilege elevation or auditing functionality. In addition, if you are using the Centrify Agent for Windows™ to secure Windows systems and provide privilege elevation, plan the move away from NTLM so that your transition is smooth.
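Before removing NTLM you need an inventory of what still depends on it. As an added example (not from the original post and not Centrify code), the Python below parses Windows 4624 logon events in Event Log XML form, as exported by wevtutil or a SIEM, and tallies which accounts and workstations still authenticate with NTLM, flagging NTLMv1 separately; the sample events, names and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows Event Log XML schema (what wevtutil or .ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(pkg, lm, user, domain, ws, ip, logon_type="3"):
    """Build one constructed 4624 (successful logon) event in Event Log XML form."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data><Data Name="AuthenticationPackageName">{pkg}</Data>'
        f'<Data Name="WorkstationName">{ws}</Data><Data Name="LmPackageName">{lm}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample events (made-up accounts, hosts and addresses), not real log data.
SAMPLE_EVENTS = [
    make_event("Kerberos", "-", "alice", "CORP", "WS01", "10.0.0.11", "2"),
    make_event("NTLM", "NTLM V2", "svc_backup", "CORP", "FS01", "10.0.0.21"),
    make_event("NTLM", "NTLM V1", "svc_legacy", "CORP", "APP07", "10.0.0.77"),
    make_event("NTLM", "NTLM V2", "svc_backup", "CORP", "FS01", "10.0.0.21"),
    make_event("NTLM", "NTLM V2", "ANONYMOUS LOGON", "NT AUTHORITY", "WS09", "10.0.0.90"),
]

def event_data(xml_text):
    """Return (EventID, {Data Name: value}) for one event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def ntlm_dependencies(events):
    """Tally NTLM-authenticated logons as {(DOMAIN\\user, workstation, LM package): count}."""
    tally = Counter()
    for xml_text in events:
        event_id, d = event_data(xml_text)
        if event_id != "4624" or d.get("AuthenticationPackageName") != "NTLM":
            continue
        if d.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
            continue  # SMB session-setup noise, not an account that depends on NTLM
        account = f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}"
        tally[(account, d.get("WorkstationName", ""), d.get("LmPackageName", ""))] += 1
    return tally

def ntlmv1_accounts(tally):
    """Accounts still negotiating NTLMv1: the most urgent candidates to migrate."""
    return sorted({acct for (acct, _ws, lm) in tally if lm == "NTLM V1"})
```

Run the tally against a few weeks of exported events before the cut-over; anything that appears there is an application or service account that will break when NTLM is disabled.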
How Centrify helps implement a different local administrator password per workstation (P4)
Goal: Reduce the attack surface, prevent lateral movement.
Solutions/Integrations:
Challenges: limiting the use of point solutions, implementing rich policy, coverage across multiple platforms, and automation (with older vaults).
Infrastructure Service - Privilege Service
We discussed how Privilege Service can help with separating administrative accounts from user accounts; the same solution can also be used to establish distinct administrator accounts.
Endpoint Services - Local Account Password Management (LAPM)
LAPM leverages the platform's vaulting capabilities to allow management of unique local administrator passwords for laptops.
Centrify's LAPM for Mac offers a self-service capability.
For more info about LAPM, check out this page: https://www.centrify.com/solutions/mac-and-mobile/local-administrator-password-management/
Note: At the time of this writing, the ability to rotate passwords for systems on the go (e.g. systems that infrequently visit the network, or BYOD) is available for OS X. Windows LAPM is actively being worked on with a target of Summer 2018.
Goal: Discover over-privileged service accounts, control password rotation, reduce attack surface, prevent lateral movement.
Solutions/Integrations:
Challenges: the size of the service account estate, how those accounts are used, their permissions, and legacy application support.
Infrastructure Service - Privilege Service
We discussed how Privilege Service can help with separating administrative accounts from user accounts and how it can help implement unique administrator passwords across platforms. Privilege Service can also address the issue of service accounts, allowing you to:
Here's a quick demo:
Goal: Reduce the attack surface, limit the time window for an attacker to mount an effective attack.
Solutions/Integrations:
Challenges: maintaining productivity, working across multiple platforms, not blocking break-fix work, and aligning with existing ITSM or workflow solutions.
Infrastructure Service
Temporary access controls (for both access and privilege) are a key design goal of Infrastructure Service.
Temporary and time-bound RBAC capabilities (system-level)
Infrastructure Service (formerly Server Suite) implements temporary access controls via role assignments. The power of this solution for organizations is the following:
Integrated Privilege Access Request (vault-level, system-level)
The Centrify Identity Platform provides workflow as a core service. In addition to supporting single or multiple approval levels, it offers time-bound options for secure access to a system, password checkout, or a Centrify zone role request.
The options are:
Integrations with ITSM and Workflow Solutions
For organizations standardizing on ITSM solutions such as ServiceNow, we offer native integrations and documented APIs so that adoption fits into an existing organizational process without friction.
Summary
In this article we have discussed how Centrify can help with the general principles around ESAE. These principles are a "no-brainer" from a security perspective; however, they are easier said than done. Expect organizational push back and friction. In the third installment of the series, we'll talk about the various technologies introduced since Windows Server 2008 R2 that relate directly to Windows credential theft, and we'll provide our take on them.