Automating Cloud Security with Centrify Express and RightScale

(1)

Q U I C K S T A R T G U I D E . M A Y 2 0 1 1

Automating Cloud Security with

Centrify Express and RightScale

How to secure cloud systems by joining them to your Active Directory infrastructure

Abstract

(2)

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

RightScale is a registered trademark of RightScale, Inc.; ServerTemplates and RightScripts are trademarks of RightScale, Inc.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

(3)

Introduction

One of the primary benefits of using cloud servers is the extremely short time between a decision to use another server to its production usage. Cloud services providing Infrastructure as a Service offerings such as Amazon enable their customers to simply clone an existing Linux or Windows machine image with a few pre-defined settings and, upon completion of the clone and launch of the image, the new cloud server instance is available for use. However, the customer will need to login with the pre-configured account and create additional user accounts as needed. This Quick Start Guide shows how to leverage Active Directory to both manage the existing pre-defined accounts on these cloud servers as well as to dynamically control user accounts, access and privileges through centralized management within Active Directory.

Centrify Express

Centrify Express is a free version of the same Active Directory integration technology that 3000+ enterprise customers currently have in production on hundreds of thousands of servers. Centrify Express consists of:

 Centrify DirectControl Express. An authentication agent that enables Active Directory-based

user account administration and password management as well as single sign-on for UNIX, Linux and Mac systems.

 Centrify DirectManage Express. A central management console to discover non-Windows

systems, install DirectControl Express and join them to Active Directory. Once the systems are joined to Active Directory the console provides an interface to manage script execution as well as establish single sign-on enabled remote sessions.

 Centrify-enabled Open Source Tools. Enhances productivity with painless remote terminal

access with OpenSSH as well as remote file system access through Samba where both are tightly integrated with Active Directory.

 Centrify Cloud Tools. Provides both preconfigured Amazon Machine Images with Centrify

Express pre-loaded as well as configuration scripts and guidance on how to integrate cloud servers with Active Directory.

 Centrify Insight. Centrify provides additional reports and dashboards on top of the Splunk

platform.

Centrify Express provides the necessary Active Directory integration to enable centralized control of user accounts, access controls and privilege authorizations. This guides shows you how to use Centrify Express and Active Directory to control Amazon AMI instances.

Centrify Express RightScripts for RightScale

As part of Centrify Cloud Tools, Centrify has created four RightScripts for use with RightScale in order to automate the installation and configuration of Centrify DirectControl Express on any

(5)

authentication and privilege policies. There are four RightScripts provided as described below which you will find in the RightScript Library if you search for Centrify as the publisher.

 Centrify – Install Centrify Suite Express. This RightScript can be added as a boot script to

any ServerTemplate to determine the operating system of the cloud server that was launched, then download directly from Centrify the latest version of Centrify Express and then install Centrify DirectControl Express and Centrify OpenSSH on the supported cloud server instance.

 Centrify – Join Active Directory. After Centrify Suite Express has been installed, this

RightScript is run as a Boot Script to join the new cloud server instance to your Active Directory domain. Once this script has executed, the system will be configured to allow any of your Active Directory users to login with their Active Directory user ID and password to the new cloud server instance.

 Centrify – Setup Active Directory Access and Privilege Management. This script will

configure the system to require Active Directory group membership in order for your Active Directory users to be able to login or execute commands with privileges.

 The local root account is configured to require the Active Directory password for the “cloud.root” account upon login as root. This configuration ensures that your Active Directory infrastructure is in control of the root login to the newly created cloud server instance once it has been joined to Active Directory.

 In order to control user access to the new cloud server instance, this script will ask for the name of an Active Directory group whose members will be granted rights to login.

(6)

 Centrify – Leave Active Directory. This decommission script will terminate the relationship of

the cloud server and Active Directory and reset the computer account so that the next new instance can reuse the computer account.

Centrify DirectManage Express

DirectManage Express provides an interface to make it easier to manage your cloud server instances. It supports calling the EC2 APIs in order to perform initial discovery as well as to refresh the currently running instances within Amazon EC2. Once the EC2 instances have been added to this management tool, you can more easily perform various remote administrative tasks such as initiate a PuTTY or WinSCP session through a right-click task menu or to perform more advanced operations such as to run customer scripts across one or more systems.

Setting up the Required Environment

Active Directory Domain Services

While most organization will have their Active Directory set up and running within the enterprise, there are several ways to configure your existing Active Directory to support the management of systems in the DMZ or on public networks such as the Amazon Web Service cloud. This Quick Start Guide will keep things simple by showing you how to use an isolated Active Directory domain that is set up outside the firewall, completely independent of any existing internal Active Directory. For this exercise, we simply need the common authentication infrastructure that Active Directory provides to centralize account administration across the AMI instances that you will create in the cloud.

Additionally, you can configure a one-way trust with existing Active Directory domains in order to leverage the existing user accounts you may already have set up within the firewall.

For additional reading on how to leverage your existing Active Directory user accounts for login to these hosted servers, Microsoft has documented guidance on several configuration options:

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

(http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4#tm )

You also need to set up a DNS server running on your domain controller configured to require authentication for any DNS updates and service the new cloud.company.com domain forwarding any other requests to your existing DNS servers. We will use this DNS server later as the AMIs are configured to securely auto-update their public IP address with the hostname of the joined computer account.

(7)

Set Up Accounts within Active Directory

In order to control the users who are allowed to log into your new cloud server instances, you need to create both end-user accounts within your Active Directory as well as an account to be used to control the password for the root account on each of the new cloud server instances.

User Accounts

To set up the account that will control the local root user’s password, create a “cloud.root” user account within Active Directory and set the password. If you want to disable the ability to su to root, then simply disable the Active Directory account for cloud.root.

Also, create an Active Directory account for any end-users you want to grant login rights to your cloud server instances and set an initial password. No other data is needed because the local UNIX profile will be created automatically at login, as will the home directory.

User Groups

In order to grant Active Directory users the rights to login to these cloud server instances, you need to add the end-users to an Active Directory group; for this example, I’ve used the Active Directory group “cloud.access”. Create an Active Directory global security group called cloud.access and add your authorized users to this group. The Centrify RightScript will ask you for the name of this Active Directory group to use for ACCESS_GROUP.

Additionally, you may have some users whose responsibilities require root privileges, and you can also centrally control which users are granted sudo permissions to run commands as root. You simply need to create an Active Directory global security group; for this example, I’ve used the Active Directory group “cloud.admins”. Just add the Active Directory user accounts for your administrators to this group. Anyone who is a member of this group can use the sudo command to run any command with root privileges after validating their Active Directory password. The Centrify RightScript will ask you for the name of this Active Directory group to use for PRIVILEGE_GROUP.

Computer Accounts

There are several ways to set up the cloud servers to join Active Directory upon first boot, and there are security tradeoffs with each of the possible approaches.

Auto-join possible approaches:

 The user ID and password for an account that is authorized to join the system to Active Directory could be handed off to the instance upon launch and a RightScript could prompt for this user account and password to provide to the new instance. However, there is no easy way to ensure the privacy of the password since it must be provided to the instance over an insecure channel.

(8)

Kerberos-authenticated join to Active Directory, which could be used for automation within the enterprise. However, again there is no easy way to ensure privacy of this credential during the launch of an EC2 instance.

 Another option is to configure the cloud server instances to perform a self-service join into a pool of pre-created computer accounts. In this model, there is no need to provide join credentials to the new instance because it will try to join an existing computer account within the pool of sequential accounts until it succeeds. This has the added benefit that, upon successful join to Active Directory, you will know the computer hostname. We will use this model for the example presented since it is the simplest to manage.

Active Directory Computer Account Pool

The primary purpose of the first two Centrify RightScripts is to install Centrify Express and auto-join using the self-service join process at boot or reboot in order to join the next available computer account in the Active Directory pool of computer accounts setup for these cloud server Instances. You will need to pre-create the pool of computer accounts in Active Directory using a common hostname prefix followed by an incrementing number from 1 to 100. The “Centrify – Join Active Directory” RightScript will prompt you for the HOSTNAME_PREFIX as part of the Join process.

To pre-create the pool of computer accounts in Active Directory you will need to pre-create the computer accounts as well as to grant the computer accounts rights to reset their own password using the following procedure.

 Precreate Computer Accounts. Right-click on the Computers container and select New, then

Computer. Provide the name of the computer, such as ec2host,1 and click OK.

 Set the Permissions for Self Join. Select the new computer account, open the Properties and

(9)

instances to reset their computer account as they leave the domain during termination as directed by the Decommissioning RightScript.

Amazon Web Services Account

You will need to make sure that you have an AWS account set up so that you can launch new Amazon EC2 hosted cloud servers.

Simply browse to http://aws.amazon.com/ and click on the “Sign Up Now” button in order to create your own AWS account. You will need your Amazon-assigned Access Key as well as the corresponding Secret Key in order to enable the RightScale system to manage your EC2 cloud servers.

RightScale Account

You will also need an account at RightScale in order to create your own RightScale ServerTemplate to launch a cloud server instance of your choice along with the Centrify RightScripts to join these servers to Active Directory.

(10)

At first login to RightScale you will be prompted to enter your Amazon AWS credentials so that RightScale can help you manage your cloud infrastructure.

Creating a RightScale ServerTemplate

Now that you have an account and have logged into the RightScale dashboard, you need to create a ServerTemplate that you can launch later within your default deployment. You can learn more about ServerTemplates on RightScale’s site at http://www.rightscale.com/products/advantages/cloud-ready-servertemplates.php. However, for this example, we will use the ServerTemplate to create dynamically configured cloud servers that are defined independent of a specific hosting provider.

MultiCloud Image

First, we’ll need to import a MultiCloud Image, sometimes called a RightImage, which describes a cloud server image on a particular hosting provider so that we can add it to a new ServerTemplate.

 Click on the “Design” drop-down menu item and then “MultiCloud Images” under the Library section.

 Search for Ubuntu and then select one of the RightImage_Ubuntu_10.04 MultiCloud Images.  Click the green “Import” button to import it to your Library. If you click on the “Cloud” tab, you

(11)

ServerTemplate

To create your first ServerTemplate, from the RightScale Dashboard just click on Design and then ServerTemplate. On this page, click the New button. Then you simply need to provide a Name for the ServerTemplate and Description. You also need to select an existing MultiCloud Image to use for the base Operating System,

 Click on “Design” drop down menu item and then “ServerTemplate”.  Click on the “New” button

 Provide a name for the new ServerTemplate, such as MyUbuntuServer.

 Then select the radio button for “Select an existing MultiCloud Image” and click on the “Select ad Image” button.

 To select the RightImage that we just imported above, click on RightScale as the publisher, then click on the name of the MultiCloud Image that we imported such as

“RightImage_Ubuntu_10.04_x64_v5.6_EBS [rev 10]”, then click “Select”

(12)

Adding Centrify RightScripts to your ServerTemplate

Now that you have a ServerTemplate defined that contains a MultiCloud Image, you need to import the Centrify RightScripts so that you can add them to this ServerTemplate as Boot and Decommission scripts to control how this server is configured at launch.

 Click on the “Design” drop-down menu item and then “RightScripts” under the Library section.  In the Search dialog, enter “Centrify” and select the “Publisher” under “Search in:” option. You

will see four Centrify RightScripts that all need to be imported.

 For each of the Centrify RightScripts, click on the title to see the properties for the RightScript and then click the green “Import” button to import it to your Library. You can use your browser’s back button twice to get back to the search results to import the other RightScripts.

At this point, you are ready to add the RightScripts to your ServerTemplate.

 To get back to your ServerTemplate, click the “Design” menu item and then “ServerTemplates”, then click on the name of the ServerTemplate that you created earlier “MyUbuntuServer”. Now click on the “Scripts” tab.

 Under the heading Boot Scripts, click on “Add Script” and select Centrify as the publisher and select the “Centrify – Install Centrify Suite Express” RightScript and click “Select”.

(13)

 Under the heading Boot Scripts, click on “Add Script” and select Centrify as the publisher and select the “Centrify – Setup AD Access and Privilege Management” RightScript and click “Select”.

 Under the heading Decommission Scripts, click on “Add Script” and select Centrify as the publisher and select the “Centrify – Leave Active Directory” RightScript and click “Select”.

 Now if you click on the “Inputs” tab, you will see the data inputs that these RightScript will need when you launch the ServerTemplate. You will fill in the data later when you launch.

Add your ServerTemplate to a Deployment

The last step is to add this ServerTemplate to your deployment so that we can launch this server.  Click on the “Add to Deployment” button.

 In the Add Server dialog, select one of the Amazon clouds to launch the server in, such as “AWS US-West” and then click “Continue” .

 Check all the parameters for the Cloud settings.

(14)

 Check that your SSH key is the one that you imported earlier.  Select a security group such as “default”.

 Leave “Availability Zone” set to “Any”.

 Leave all other settings set to the default and click “Add”.

Now the server is in your default deployment environment, and you can proceed to launching the server.

Launching Cloud Servers in a RightScale

Deployment

Now that you’ve defined the ServerTemplate with the Centrify RightScripts and added it to your default deployment, you can launch the cloud server. As the server boots, it will execute the Centrify RightScripts in order to install the latest version of Centrify Express from the Centrify Download Center, join the server to your Active Directory, and configure it to grant access to the users that are a member of your access control group and privileges to your admin group.

(15)

 You should see your ServerTemplate listed and to the right under “Actions”. You will see a blue button with a mouse-over label of “Launch”. Click on this Blue launch button.

 Next you will see a page with launch inputs for your ServerTemplate.

(16)

 ACCESS_GROUP. Enter the Active Directory group that you will use to control which of

your Active Directory users is authorized to login to this server; previously we created a group called “cloud.access”.

 DNS_IP_ADDRESS. Enter the IP Address of your Active Directory domain controller, which

should also be configured as a DNS Master for the domain that it is servicing such as cloud.company.com. Upon boot, this new server will use this IP address for all hostname resolution and will auto-update its hostname entry in DNS with its currently assigned public IP Address.

 DOMAIN. Enter the domain Name of your Active Directory domain that you are using for

cloud servers, such as cloud.company.com.

 HOSTNAME_PREFIX. Enter the prefix of the Computer Names that you pre-created

previously such as “ec2host”, be sure to leave off the numeric value since the boot scripts will auto add and increment the numeric to find a good computer account the new server can join.

 PRIVILEGE_GROUP. Enter the Active Directory group name that you created for your

cloud administrators such as “cloud.admins”

 Now click “Launch” button.

(17)

Accessing the New AMI Instances

Once the Cloud server instance is running, click on the operational server nickname in order to find the public DNS name for the instance so that you can launch an SSH client and login with any of your Active Directory user accounts that are a member of the “ec2.access” group within Active Directory. You can also login to the system using its Active Directory computer name, which will be registered in your DNS so that you don’t have to find the public DNS name of the new instance. This helps to provide single sign-on through PuTTY.

Active Directory User Single Sign-on using PuTTY

Single sign-on requires that the client workstations that you use will be able to both find the IP address of the host that you are connecting to via DNS as well as be able to request a Kerberos ticket for the destination host from a trusted Active Directory domain. For this example, we will log in as an end-user on the domain controller and launch the Centrify version of PuTTY to get signed onto the AMI instance without having to type user credentials. Even better is that host authentication is performed based on a Kerberos key exchange, which is completely automatic, meaning that you don’t need to manage SSH host keys anymore.

(18)

In the PuTTY Configuration dialog, you will only need to enter the Active Directory computer account name of the new instance.

(19)

Click Open in order to establish a Kerberos-authenticated connection to the Active Directory-integrated AMI instance.

As you can see, the logged-in user is able to authenticate to this AMI instance without having to enter a user ID or password since PuTTY was able to obtain a Kerberos service ticket for the remote host and the Centrify OpenSSH Server was configured to authenticate the user based on GSSAPI, which enables single sign-on.

Privileged Command Execution Using Sudo

Users who are a member of the ec2.admin group in Active Directory will be able to run any command with root privileges simply by using the sudo command in front of their privileged command.

Additionally, if you want to modify the permissions granted to the ec2.admins group or create additional groups and manage their sudo rights, you can modify the /etc/sudoers file to contain additional entries such as the two below that Centrify has added to the default /etc/sudoers file.

(20)

Using DirectManage Express to Access and Manage

Centrify Express Instances

DirectManage Express provides an interface to make it easier to manage your EC2 instances once they are running. In order for DirectManage to enable management of the instances, it will need to have the new instances added to its database, which can easily be done by calling the EC2 APIs with your AWS account credentials to retrieve the list of currently running instances within Amazon EC2.

Adding EC2 Instances

To add the currently running EC2 instances, in DirectManage Express, simply select the “Add

(21)

You will also be asked for login credentials in order to access the EC2 instances. Since the EC2 instance will be joined to Active Directory automatically, you can use any Active Directory account that is a member of both the ec2.access and ec2.admin groups since those accounts will be able to both login and execute commands with privileges. You should provide the login name of the Active Directory account and specify that it should use sudo for privilege elevation. As an example, you could use an account called dm.manager created for this specific purpose.

(22)

Accessing and Managing EC2 Instances

Once the EC2 instances have been added, you can more easily perform various remote administrative tasks such as to initiate a PuTTY or WinSCP session or to perform more advanced operations such as to run custom scripts across one or more systems.

 Remote Session. You can right-click on a computer and launch a remote PuTTY or WinSCP

session.

 Run Script. DirectManage supports running scripts on one or more computers. These scripts can

be either Linux shell scripts, which will be delivered to the remote system and executed, or they can be LUA scripts that run on the local Windows computer with the ability to call other Windows APIs such as to access Active Directory in addition to remote command execution on the Linux system.

 Manage Software. DirectManage can also manage the software installed on a computer, which

in most environments would be used to install the full Centrify Suite and join Active Directory. However, in this environment, DirectManage can be used to upgrade the pre-installed Centrify Express to Centrify Suite Standard or Enterprise Edition in order to use the more advanced features where needed.

Benefits of Upgrading to Centrify Suite Standard,

Enterprise or Platinum Editions

(23)

Centrify Suite Standard Edition builds on Centrify Express by providing Active Directory Group

Policy enforcement, extending the access control model to support multiple Zones, and enforcing fine-grained, role-based privileges through DirectAuthorize.

 Group Policy. Windows administrators will be familiar with Group Policy as a way to define

system policies that are automatically enforced and periodically updated once the machine joins Active Directory. Centrify provides hundreds of Group Policy settings to control both the DirectControl agent, OpenSSH settings, and iptables firewall settings, to name a few.

 Centrify Zones. Centrify Express enables all users in Active Directory to log in with

system-generated Linux profiles. Centrify Zones enable administrators to define the Linux profile for users of a group of systems. Administration of these groups of systems, aka Zones, can be delegated to various administrators. This guide showed how to use an Active Directory group to control which users are authorized to login to a system. However, this cannot be easily managed centrally. Zones provide centralized control over user access, requiring users to be members of the Zone in order to login to the computer in that Zone.

 Role-Based Privileges with DirectAuthorize. Sudo was used in this guide to grant the

centrify account and any users in the ec2.admins group within Active Directory the right to run any command as root. While this configuration will centralize the management of root privileges, you would need to manually configure additional policies to provide appropriate rights to other administrative roles. DirectAuthorize provides a centralized administrative interface to enable describing any number of roles and granting these roles a set of access rights and command privileges. This makes it easier to create additional roles, such as or web developers or database admins, granting the appropriate rights based on their role.

Centrify Suite Enterprise Edition contains all the functionality of Standard Edition with the addition

of user session-level auditing. Many of the events that take place on these AMI instances will be logged into syslog and, while you could configure the rollup of the logs to a central server, the logs typically don’t provide the level of insight into the actual activities on the systems that is needed to understand what is being done on the system. DirectAudit is designed to record the user sessions, sending the data off to a centralized SQL Server where you can browse the sessions by user or by server as well as search for sessions that contain specific strings within the input or output. Once an “interesting” session is found, you can replay the session to see exactly what someone was doing on your AMI instance. This level of visibility is increasingly important since the instances running in EC2 are publicly accessible within a hosted environment versus being inside your on-premise data center where you can assure a certain level of physical and network security.

Centrify Suite Platinum Edition extends the access controls provided in Standard Edition by

(24)

encryption between the web server and any trusted web developers or any communications to backend database servers.

Centrify Application Single Sign-on Modules are available for several applications and databases

to enable Active Directory-based single sign-on. Several modules are available for web platforms such as Apache, Tomcat, JBoss, WebLogic and WebSphere, as well as applications such as DB2 and SAP. Additionally, several other applications can be configured to use Active Directory user accounts if they are compatible with PAM (for UNIX-based Active Directory user ID- and password-based login), LDAP (for Active Directory user ID- and password-based login) or GSSAPI (for Active Directory-based Kerberos single sign-on based login).

Frequently Asked Questions

Question What are the charges for using these Centrify RightScripts?

Answer There is no additional charge from Centrify. You are responsible for any base fees that Amazon or other cloud providers charge based on the type and size of the cloud server instances that you launch.

Question Do I need to use SSH keys to log in?

Answer No. One of the benefits of using Active Directory and Kerberos to log in is the use of Kerberos tickets.

Question Is the traffic between these AMIs and the Active Directory protected? Are user passwords protected during the login process?

Answer Yes. Active Directory uses secured protocols leveraging the Kerberos infrastructure that is an integrated part of Active Directory. All communications with Active Directory domain controllers is Kerberized in order to both ensure that trusted systems are talking with each other after mutual authentication and that the communications between them is secured through Kerberos signed and sealed communications.

How to Contact Centrify

North America

(And All Locations Outside EMEA)

Europe, Middle East, Africa

(EMEA) Centrify Corporation 785 N. Mary, Suite 200 Sunnyvale, CA 94085 United States Centrify EMEA Lilly Hill House Lilly Hill Road

Bracknell, Berkshire RG12 2SJ United Kingdom

Sales: +1 (408) 542-7500 Online: www.centrify.com/contact

Automating Cloud Security with Centrify Express and RightScale