
What's New in Centrify Server Suite 2016

Date post: 22-Jan-2018
Upload: centrify-support

Presented by: Brad Zehring, Director of Product Management; Hubert Sigler, Sr. Technical Support Engineer

© 2016 Centrify Corporation. All Rights Reserved.

Agenda

• Welcome
• New Features
• Product updates
• Closing

Multi-factor Authentication for Servers

Multi-factor Authentication for Login and Privilege Elevation

[Diagram labels: Enterprise Data Center; Shared Account Sessions and Auditing; Audit DB; Jump Box; Centrify Identity Platform; Centrify Cloud Connector; Multi-factor Authentication for Linux Login; Server Suite; Privilege Elevation; Multi-factor Authentication to Cloud Service]

Block cyber attacks
• MFA for Linux login and privilege elevation
• Unique zone-based policies control step-up authentication through role assignment
• Servers communicate securely with on-premises Cloud Connector to initiate MFA

Authentication methods
• Centrify Mobile Authenticator
• Phone call to user’s Active Directory published number
• OTP to SMS or email
• Security question


MFA for Linux login and Privilege Elevation

Coming in Server Suite 2016

Local Account Provisioning

Zone-based Application Identity Management

Local account and group management
• Consolidate application and service accounts into Active Directory
• Identity life-cycle management strengthens security

Manage user identities and local accounts
• Enabled: Create locally if it does not exist
• Disabled: Prevent login
• Remove: Delete the entry from /etc/passwd or /etc/group

Secure Local Account Passwords

Secure and Manage Passwords

Centrify Agent uses a notification cli callout for all actions:
• Example script enables CPS to manage the password
• Supports 3rd party password managers

Credential Management with Password Managers
• New accounts have a random password set and registered with CPS
• Unlocked accounts have a new random password set
• Removed accounts will be deleted from CPS

Admin
• Defines Local Accounts in a Zone
• Defines local groups in a Zone

Centrify Agent
• Create/Delete Local Accounts
• Create/Delete Local Groups
• Notification to manage passwords

Notification.clicallout script

Password Manager

Report Services for Standard Edition

New Report Services infrastructure replaces Report Center
• Enterprise class service leverages SQL Server Report Services
• Significantly improved reporting performance
• Web accessible reports

New Compliance Reports
• SOX & PCI reports included

Scheduled Reports
• Schedule reports to be delivered via email or shared

Visual report creation
• Leveraging SQL Server Report Services (SSRS)

Simplifies data access
• Enables usage of external BI Tools for data visualization

Agenda

Server Suite Editions    Standard    Enterprise
DirectControl 5.3.0      ✓           ✓
DirectManage 5.3.0       ✓           ✓
Windows Agent 3.3.0      ✓           ✓
DirectAudit 3.3.0        -           ✓

Centrify DirectControl 5.3.0

• Multi-Factor Authentication (MFA)
• Local Account Management
• Report Services
• Agent components
• General
• Support Platforms update

Multi-Factor Authentication (MFA)

• Supported for AD users in hierarchical zone on Linux systems
• Can be enabled for PAM (i.e. login) and dzdo
• Requires Centrify Cloud (CIS) & Cloud Connector
• Can be configured to require the following methods in addition to password:
    • Centrify Mobile App (iOS/Android)
    • SMS message
    • Phone call
    • Email verification
    • Answer Security Question
• Rescue/Backup login can be enabled in the event of cloud connectivity issues

Multi-Factor Authentication (MFA), PAM (Login) Example

Multi-Factor Authentication (MFA), dzdo & Mobile Example

Local Account Management

• Hierarchical zones can now provision & manage local users/groups on AD joined *nix systems
    • Examples: oracle, db2, other service accounts
• Automation ready with capability to register users in Centrify Privilege Service (CPS) or other password management solution
    • Can call script to set up password, create home directory, etc.

Centrify Report Services

• Brand new component, included with DirectManage
• Leverages SQL Reporting Service (SSRS) to deliver a robust web-based reporting solution for your AD users
• Securely synchronizes a subset of AD user, group, and zone data into a Reporting DB
• Pre-canned reports included
    • PCI & SOX
• Support for custom reports
• Access Manager no longer required

Centrify Report Services Control Panel & Client

Centrify Report Services Report Sample

Agent components

• Centrify LDAP Proxy
    • ldapsearch adds extendedDN to the -e or -E option to return the extended distinguished name of the object
• Centrify OpenSSH
    • Updated to OpenSSH 7.1p1
        • Still supports SSH protocol version 1 unlike stock OpenSSH
    • New parameter 'Krb5ccUnique' to control how to generate Kerberos credentials cache. Default is "yes"
    • Some parameter updates (see release notes)
    • No longer installed by default by install.sh, must use custom installation to install
        • Will upgrade if prior version installed
    • Still required to address known AIX issues:
        • For use with DirectAudit to audit local users
        • Matching local/AD user

General

• New right introduced "User is visible"
    • Similar to "listed" role in previous versions
• New option "adinfo -y cloud" to view cloud status
• New option "adkeytab -t" to report the last password change attempt time and results
• New option "adflush -c" to refresh cloud connector info
• OpenSSL updated to 0.9.8zg
• cURL updated to 7.44.0
• Support to append CA root certificate to the system default store on RHEL

Support Platforms Update

Newly Added
• Fedora 23 (x86, x86_64)
• CentOS 6.7 (x86, x86_64)
• Oracle Enterprise Linux 6.7 (x86, x86_64)
• Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)
• Red Hat Enterprise Linux Server 6.7 (x86, x86_64)
• Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)
• Red Hat Enterprise Linux Desktop 7.2 (x86_64)
• Red Hat Enterprise Linux Server 7.2 (x86_64)
• Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)
• Scientific Linux 6.7 (x86, x86_64)
• Ubuntu Desktop 15.10 (x86, x86_64)
• Ubuntu Server 15.10 (x86, x86_64)
• SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)
• SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)
• SUSE Linux Enterprise Server 12 (ppc64 – no Power8)
• Oracle Solaris 11.3 (x86_64, SPARC)

End of Life (EOL)
• All 32-bit Windows platforms
• Fedora 19 (32-bit and 64-bit)
• Oracle Enterprise Linux 4.x (32-bit and 64-bit)
• openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)
• Oracle Solaris 8 SPARC

Sun setting
• Debian Linux 6.x (32-bit and 64-bit)
• Fedora 20 (32-bit and 64-bit)
• HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)
• HP-UX 11.23 Itanium (Normal and Trusted modes)
• Oracle Solaris 9 (32-bit and 64-bit)
• Ubuntu Desktop 14.10 (32-bit and 64-bit)
• Ubuntu Server 14.10 (32-bit and 64-bit)

Pre-sunset
• Fedora 21 (32-bit and 64-bit)
• Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)
• Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)
• SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)
• SUSE Linux Enterprise Server 10 (32-bit and 64-bit)
• openSUSE 13.1 (32-bit and 64-bit)

Centrify DirectManage 5.3.0

• Access Manager
    • New requirements: Windows 7 SP1/Windows 2008 R2
    • Documentation no longer installed during install wizard, still present in /Documentation folder in download
    • Support for managed service accounts (MSA)
    • Ability to delegate zone control to multiple zones at once
    • "Generate Centrify Recommended Deployment Structure" Wizard now integrated with the Setup Wizard
• Report Center
    • Disabled by default in Access Manager
    • Replaced by Report Services introduced in this release

Centrify DirectManage 5.3.0, cont’d

• Access Module for PowerShell
    • Based on .Net Framework 4.5
    • Support for ZPA
    • Support for "user is visible" system right
    • Get-CdmManagedComputer enhancements:
        • Preferred Site
        • Subnet Site
• Zone Provisioning Agent (ZPA)
    • Support for managed service accounts (MSA) and group managed service accounts (gMSA) as the service account
• Group Policy Extensions
    • ADM templates no longer shipping, only ADMX templates are available

Centrify DirectManage 5.3.0, cont’d

• Deployment Manager
    • Support for public key authentication using AES-128-CBC
    • During "Manage Software" wizard installed components will now be automatically selected
    • During "Manage Audit" wizard it now supports change of DirectAudit Installation name on computers allowing locally configured installation

Centrify DirectAudit 3.3.0

• General
    • Documentation no longer installed during wizard install
    • Agent more resilient to brief disconnects from the collector
    • Agent can be configured to prefer collectors in the local AD site
    • Option to enable/disable video capture now supported on a per-system basis
    • Better control of host names as they are displayed in DA Analyzer
    • Now bundled with MS SQL Server 2008 R2 SP 2 Express with Advanced Services
    • Improved Audit Trail despooling performance
• Collector
    • Support for new reg key "SkipFirstSnapshot" to help reduce overhead for smaller audit sessions
    • Command recognition enhancements

Centrify DirectAudit 3.3.0, cont’d

• Audit Analyzer
    • Auditors with full control over a session can assign one or more AD users as Reviewers of that session using Audit Analyzer or PowerShell cmdlet.
        • A user who was granted Reviewer using this method will be allowed to replay the session and update the review status (Audit Role assignment not required). The reviewer will not have delete rights under this method.
• Audit Manager
    • No new enhancements this release
• DA Agent for *nix
    • Configure disconnect timeout "dad.collector.connect.timeout"
    • "dareload -b" to request bind to another collector if available
    • Better protection against simultaneous edits made to NSS/PAM files during "dacontrol -e|-d"
    • "dainfo -q [info]" introduced to control output

Centrify DirectAudit 3.3.0, cont’d

• Database
    • New scheduled task in the Audit Management Server service to collect DirectAudit licensing info from the DA databases and store in Active Directory to permit more open execution of Deployment Report.
    • New and enhanced database indexes to improve query performance and reduce CPU on SQL server
• FindSessions.exe Tool
    • Improved performance when handling multiple Audit Store databases
• DA Agent for Windows
    • New GP settings "Set maximum size of the offline data file" and "Set maximum recorded color quality"
• Audit Module for PowerShell
    • New Cmdlets:
        • "Set-CdaAuditSessionReviewer", delegate session reviewer directly to an Active Directory user or group
        • "Get-CdaAuditSessionReviewer", get the AD users and groups who were delegated as session reviewers

Centrify Windows Agent 3.3.0

• Access Component (formerly DirectAuthorize)
    • Contextual menu renamed from "Run as Role" to "Run with Privilege"
    • Documentation no longer installed during wizard install
    • Privileged desktop now supported on Windows 8/8.1/2012R2
        • "Centrify Start Menu" button added to privileged desktop (similar to the Windows Start Menu)
    • Desktop label on privileged desktop replaced by a brief systray notification
        • Can be controlled via Group Policy
    • New command, "dzjoin", added to facilitate joining a zone via CLI or Scripting
    • Simplified Run with Privilege (i.e. only one Role present)
    • Support removed for switching to privileged desktop as a privileged AD user
        • Still supported if group is used

Windows 8/8.1/2012 Privilege Desktop Example

Windows Agent – Old Desktop Label

Windows Agent – New Desktop Label

Centrify Windows Agent 3.3.0, cont’d

• Audit Component
    • New Group Policy settings
        • "Set maximum size of the offline data file"
        • "Set maximum recorded color quality"
        • "Use the host name specified by the agent"
        • "Centrify DirectAudit Settings/Common Settings"
    • Support for auditing Metro UI and tile applications in Windows 8/Windows 2012
    • Support for "Agents must prefer collectors in the same site as the agent" option in Audit Manager
    • Audit Trail despooling performance enhancements

In Closing

Where to next?

• What's New in Centrify Server Suite 2016
    • https://www.centrify.com/support/customer-support-portal/whats-new/server-suite/
• Centrify Server Suite 2016 Release Notes
    • http://www.centrify.com/support/documentation/server-suite/#2016-notes
• Centrify Download Center
    • https://www.centrify.com/support/customer-support-portal/download-center/
• This presentation will be provided to customers

Questions?

• Join the conversation at http://community.centrify.com/
• Login using your Centrify customer login
• Free registration
• Use the "Centrify Server Suite" location