Technical Training
Centrify Zero Trust Privilege
Core Edition
Lab Guide
Revision 2019-Q3-v19
©2019 Centrify Corporation. All Rights Reserved
Centrify Zero Trust Privilege – Lab Guide
Centrify Corporation
http://www.centrify.com
Legal notice
This document and the software described in this document are furnished under and are subject to the
terms of a subscription license agreement or a non-disclosure agreement. Except as expressly set forth
in such subscription license agreement or nondisclosure agreement, Centrify Corporation provides this
document and the software described in this document “as is” without warranty of any kind, either express
or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular
purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without
the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as
expressly set forth in such subscription license agreement or non-disclosure agreement, no part of this
document or the software described in this document may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written
consent of Centrify Corporation. Some companies, names, and data in this document are used for
illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein. These changes may be incorporated in new editions of this document.
Centrify Corporation may make improvements in or changes to the software described in this document
at any time.
© 2018 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party
or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf
of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in
accordance with 48 C.F.R. 227.7202-1 through 227.7202-4 (for Department of Defense (DOD)
acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the software and
documentation are being licensed to U.S. Government end-users (a) only as Commercial Items and (b)
with only those rights as are granted to all other end-users pursuant to the terms and conditions of the
subscription license agreement.
Centrify, Centrify Express, Centrify for Mobile, Centrify for SaaS, Centrify Identity Service, Centrify
Privilege Service, Centrify Server Suite, Centrify Suite, Centrify User Suite, DirectAudit, DirectAuthorize,
DirectControl, DirectControl Express, DirectManage, DirectManage Express and DirectSecure are
registered trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active
Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks
of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S.
Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391.
The names of any other companies and products mentioned in this document may be the trademarks or
registered trademarks of their respective owners. Unless otherwise noted, all the names used as
examples of companies, organizations, domain names, people and events herein are fictitious. No
association with any real company, organization, domain name, person, or event is intended or should
be inferred.
About this Guide
This hands-on exercise guide walks you through the fundamental features and functionality of Centrify Privilege Access Service and Identity Platform. You will work with several computer systems as you complete each exercise; however, not all systems need to be powered on during each lab exercise. Before each lab begins, you will be given initial instructions on which systems are required. This is done to conserve resources in the virtual environment.
If you plan to use the training materials for in-house training, you can configure a training environment in your network, but you should take your network configuration and security practices into account. This environment is for training purposes and will not match your network environment.
During this training, you are the IT Administrator for Omicron Equipment Company. Omicron’s network includes a Windows Active Directory domain controller, a Windows application server, a Windows Database server, two (2) UNIX servers and a dedicated server for Centrify. The configuration of this network environment is listed below.
Computer System Configuration
Hostname
Hardware
Software & Configuration
DC.OMICRON.LAB
2 Processor
4 GB RAM
40 GB HDD
OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. Active Directory Domain Services Installed
4. Active Directory Domain Controller Configured
(omicron.lab)
5. DNS Configured with Reverse Lookup Zone
6. DNS Host Entries for UNIX Based Systems
7. Active Directory Certificate Services Installed
8. Active Directory Certificate Authority Configured
(Enterprise CA Root)
9. Staff OU Added
10. AD Users and Groups Added (See AD Identities
below)
11. Internet Explorer Enhanced Security Disabled
12. Firewall Disabled
13. Windows Update configured to check for updates
without download.
14. Create PAS Host Certificate
APPSERVER.OMICRON.LAB
2 Processor
8 GB RAM
40 GB HDD
OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. System joined to omicron.lab domain
4. Secondary DNS added/ Configured
5. Internet Explorer Enhanced Security Disabled
6. Firewall Disabled
7. Windows Update configured to check for updates
without download.
8. Silverlight Installed
9. Python Installed
10. Google Chrome Installed
11. User Access Control (UAC) disabled
12. Local Administrator Account Omicron-A Added
(Password: Centr1fy)
HELPDESK.OMICRON.LAB
2 Processor
512 MB RAM
12 GB HDD
OS: CentOS 6.6
1. Hostname Changed
2. IP Address Changed to Static
3. Name Server Configured to include AD DNS
4. Perl Installed
5. Users and Groups Installed (See UNIX Identities
below)
6. RPM Installed
7. WGET Installed
8. Wheel/ Sudoer File edited
9. Centrify Repo file configured and added
10. sshd_config file modified (ChallengeResponse allowed)
PAYROLL.OMICRON.LAB
2 Processor
512 MB RAM
12 GB HDD
OS: CentOS 6.6
1. Hostname Changed
2. IP Address Changed to Static
3. Name Server Configured to include AD DNS
4. Perl Installed
5. Users and Groups Installed (See UNIX Identities
below)
6. RPM Installed
7. WGET Installed
8. Wheel/ Sudoer File edited
9. Centrify Repo file configured and added
10. sshd_config file modified (ChallengeResponse allowed)
CENTRIFY.OMICRON.LAB
4 Processor
16 GB RAM
60 GB HDD
OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. Internet Information Services (IIS) Installed
4. Internet Explorer Enhanced Security Disabled
5. Firewall Disabled
6. Windows Update configured to check for updates
without download.
7. Active Directory Tools Added
PS import-module servermanager
PS add-windowsfeature rsat-adds-tools
PS install-windowsfeature -name GPMC
8. Group Policy Tools added to Taskbar & Start
9. Active Directory Users and Computers added to
Taskbar & Start
10. Services added to Taskbar & Start
11. Silverlight Installed
12. Python Installed
13. Google Chrome Installed
14. User Access Control (UAC) disabled
15. WINSCP installed
DATABASE.OMICRON.LAB
2 Processor
8 GB RAM
50 GB HDD
OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. MS SQL Server Installed with Reporting Services
4. Internet Explorer Enhanced Security Disabled
5. Firewall Disabled
6. Windows Update configured to check for updates without download.
7. Silverlight Installed
8. Python Installed
9. Google Chrome Installed
10. User Access Control (UAC) disabled
Active Directory Identities
Given Name
Username
Password
Group Memberships
OMICRON_GRP_Auditors
OMICRON_GRP_Contractors
OMICRON_GRP_Finance
OMICRON_GRP_Helpdesk
OMICRON_GRP_IT
OMICRON_GRP_Sales
OMICRON_GRP_Security
OMICRON_GRP_UNIXAdmins
OMICRON_GRP_UNIXDBA
OMICRON_GRP_WindowsDBA
Administrators
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Schema Admins
Domain Admins
Domain Users
Enterprise Admins
OMICRON_GRP_IT
OMICRON_GRP_Security
AD Context
Administrator
administrator
Centr1fy
Alex Foster
afoster
Centr1fy
Amy Houston
ahouston
Centr1fy
Domain Users
OMICRON_GRP_Auditors
Ann Washington
awashington
Centr1fy
Domain Users
OMICRON_GRP_Sales
Bob Hughes
bhughes
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Helpdesk
Bradley Adams
badams
Centr1fy
Domain Users
OMICRON_GRP_Sales
Brandon Michaels
bmichaels
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Security
Carol Nichols
cnichols
Centr1fy
Domain Users
OMICRON_GRP_Contractors
Diego Martinez
dmartinez
Centr1fy
Domain Users
OMICRON_GRP_Contractors
Felipe Montoya
fmontoya
Centr1fy
Domain Users
OMICRON_GRP_Contractors
Jennifer Charles
jcharles
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Helpdesk
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
Joe Miller
jmiller
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Helpdesk
OU=Staff,
DC=omicron,
DC=lab
OU=Users,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
John Smith
jsmith
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Security
OU=Staff,
DC=omicron,
DC=lab
Kim Rogers
krogers
Centr1fy
Larry Patel
lpatel
Centr1fy
Domain Users
OMICRON_GRP_Finance
OMICRON_GRP_UNIXAdmins
Domain Users
OMICRON_GRP_Finance
Laura Bennett
lbennett
Centr1fy
Domain Users
OMICRON_GRP_Contractors
Li Wang
lwang
Centr1fy
Domain Users
OMICRON_GRP_Finance
Linda Scott
lscott
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Security
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
Mia Thompson
mthompson
Centr1fy
Domain Users
OMICRON_GRP_Auditors
Michael Perry
mperry
Centr1fy
Domain Users
OMICRON_GRP_Sales
Nancy Jenkins
njenkins
Centr1fy
Domain Users
OMICRON_GRP_Sales
Nelson Long
nlong
Centr1fy
Domain Users
OMICRON_GRP_Auditors
Robert Johnson
rjohnson
Centr1fy
Domain Users
OMICRON_GRP_IT
OMICRON_GRP_Helpdesk
Sam Nguyen
snguyen
Centr1fy
Domain Users
Wilson Spaulding
wspaulding
Centr1fy
Domain Users
OMICRON_GRP_Finance
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
OU=Staff,
DC=omicron,
DC=lab
UNIX Identities
Given Name
ROOT
Alex Foster
Kim Rogers
Li Wang
Sam Nguyen
Larry Patel
Wilson Spaulding
Bob Hughes
Robert Johnson
Jennifer Charles
Joe Miller
Username
Password
Group Memberships
root
alex
kim
wang
sam
larry
wilson
bob
robert
jennifer
joe
password1
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Centr1fy
Wheel/Sudoers, Users for both systems
Users for both systems
Users for both systems
Users for both systems
Users for both systems
Users for both systems
Users for Helpdesk Only
Users for Helpdesk Only
Users for Helpdesk Only
Users for Helpdesk Only
Additional Configurations:
AD Default Group Policy Changes:
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
   o Minimum Password Age = 0
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
   o Account Lockout Threshold = 3 invalid logon attempts
   o Account Lockout Duration = 10 minutes
   o Reset account lockout counter after = 10 minutes
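The following is an added example, not part of the lab guide or of any Centrify software: a simplified Python model of how the three Account Lockout Policy values above interact, replayed over a constructed logon log. The log format, the sample events and the names LockoutPolicy, parse_log and replay are assumptions made for illustration; the model also assumes that attempts made during a lockout are refused and do not extend it.

```python
"""Simplified model of the lab's Active Directory account lockout policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    # Defaults mirror the lab's Account Lockout Policy values.
    threshold: int = 3                               # invalid logon attempts
    duration: timedelta = timedelta(minutes=10)      # Account Lockout Duration
    reset_after: timedelta = timedelta(minutes=10)   # Reset account lockout counter after


# Constructed sample log (not real data): "<ISO timestamp> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2019-08-01T09:00:00 jmiller FAIL
2019-08-01T09:01:00 jmiller FAIL
2019-08-01T09:02:00 jmiller OK
2019-08-01T09:03:00 krogers FAIL
2019-08-01T09:04:00 krogers FAIL
2019-08-01T09:05:00 krogers FAIL
2019-08-01T09:06:00 krogers OK
2019-08-01T09:16:00 krogers OK
2019-08-01T09:20:00 lscott FAIL
2019-08-01T09:21:00 lscott FAIL
2019-08-01T09:32:00 lscott FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        events.append((datetime.fromisoformat(stamp), user, result == "OK"))
    return sorted(events, key=lambda e: e[0])


def replay(events, policy=LockoutPolicy()):
    """Replay logon events against the policy.

    Returns (lockouts, denied):
      lockouts: (user, locked_at, unlocks_at) for every lockout triggered
      denied:   (user, timestamp) for every attempt made while locked out
    """
    state = {}  # per-user bad-password counter and lockout expiry
    lockouts, denied = [], []
    for ts, user, ok in events:
        s = state.setdefault(user, {"count": 0, "last_fail": None, "locked_until": None})

        if s["locked_until"] is not None:
            if ts < s["locked_until"]:
                # While locked out, even a correct password is refused.
                denied.append((user, ts))
                continue
            # Lockout duration has elapsed: the account is usable again.
            s.update(count=0, last_fail=None, locked_until=None)

        if ok:
            # A successful logon clears the bad-password counter.
            s["count"] = 0
            s["last_fail"] = None
            continue

        # The counter resets once the observation window has passed
        # since the previous failed attempt.
        if s["last_fail"] is not None and ts - s["last_fail"] >= policy.reset_after:
            s["count"] = 0
        s["count"] += 1
        s["last_fail"] = ts

        if s["count"] >= policy.threshold:
            s["locked_until"] = ts + policy.duration
            lockouts.append((user, ts, s["locked_until"]))
    return lockouts, denied


if __name__ == "__main__":
    locked, refused = replay(parse_log(SAMPLE_LOG))
    for user, start, end in locked:
        print(f"{user} locked out {start:%H:%M} until {end:%H:%M}")
    for user, ts in refused:
        print(f"{user} attempt at {ts:%H:%M} refused (account locked)")
```

In the sample, jmiller's successful logon and lscott's 11-minute pause both clear the counter before a third failure, so only krogers is locked out.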
Table of Contents
1. Install Centrify Identity Platform
2. Install and Configure Centrify Connector
3. Customize and Configure Portal
4. Complete Global Configuration Settings
5. Configure Domain Administrative Account
6. Create and Configure Roles with Administrative Rights
7. Create and Configure Authentication Profiles
8. Import Systems Using Bulk Import Template
9. Configure Discovery Profiles
10. Create New Sets
11. Configure Properties for Local and Shared Accounts
12. Configure Secrets
13. Configure Multifactor Authentication for Secure Remote Login
14. Configure Multifactor Authentication for Password Check-out
15. Configure Request Workflow
16. Configure Account Unlock and Self Service
17. Manage Active Sessions
18. Configure and Run Reports
19. Dedicate Centrify Connector
Lab 1 - Install Centrify Identity Platform
Omicron Equipment Company has recently purchased Centrify Privilege Access Service. IT Administrator Alex Foster has prepared a domain-joined Windows server for the installation of the Centrify Identity Platform inside the network. In this exercise, you will install the Centrify Identity Platform.
For this exercise you will need to power up the domain controller (dc.omicron.lab) and the new Windows server (centrify.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
STAGE 1: Install Centrify Identity Platform
2. Launch the Install Privilege Access Service shortcut found on the Desktop:
3. The Centrify Installation Wizard will be displayed.
Click Next
4. Accept the terms of the license agreement
Click Next
5. The License Information window will be displayed. A file containing the license
information is stored on the server in the following location
C:\centrify\LicenseKey.txt
Without exiting the installation wizard, open the file and copy the company name and
paste it in the corresponding section of the wizard.
Repeat this step with the license key.
Click Next
6. The Feature Selection will show you the installation options you can use. For this
training, you will perform an Evaluation installation.
No change is required. Click Next
7. The Centrify Identity Platform uses a PostgreSQL database that can be included in the installation, or you can point to an existing instance.
For this training, we will include it in the installation; a custom database is not needed.
No change is required. Click Next
8. The destination folder will be set, and no further change is required.
Click Next.
9. The configuration of the installation is now complete.
Click Install to begin the process.
10. Once completed, you can move to STAGE 2 of the installation process.
Click Finish.
STAGE 2: PowerShell Configuration
11. Once the Installation of the Identity Platform is complete, PowerShell will
automatically launch.
You will be prompted to supply specific information to further configure the Identity
Platform.
Username of initial administrator account (default: admin@opie.demo)
Type: admin@omicron.lab
12. Enter the administrator email address (default: opiedemo@centrify.com)
Type: admin@omicron.lab
13. Enter and Verify the administrator password
Type and Confirm: Centr1fy
14. Enter the FQDN used for this service (default: centrify.omicron.lab)
Press Enter to use the default
15. You will then be asked if you want to supply a custom host certificate. One has been
provided and is stored in the folder below:
C:\centrify\vault-cert.pfx
Type Y to use the custom certificate and a folder selection dialog will be displayed. Browse to the folder, select the certificate and Click Open.
The certificate does not require a password. Type N to continue.
16. A Folder selection will now be displayed to identify the service database location.
No change is required. Click Select Folder to continue.
A series of Microsoft C++ distribution tasks will begin and facilitate the configuration
process – PLEASE BE PATIENT.
17. Another folder Selection will be displayed to identify the location of the service setup/
recovery file.
No change is required. Click Select Folder to continue.
Additional tasks will execute and once completed the Internet browser will be
launched, navigating to the new Centrify Portal Login.
18. Login using the Admin Account created during steps 11-13 and confirm a successful
login into the portal.
Close the browser and PowerShell.
Lab 2 - Install and Configure Centrify Connector
In this exercise, you will connect the Omicron Active Directory Domain
to the Centrify Identity Platform by deploying a Centrify Connector.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to appserver.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Centrify Portal
https://centrify.omicron.lab/manage
3. Login using the administrator account created in Lab 1.
Username: admin@omicron.lab
Password: Centr1fy
PART I: Download and Install Centrify Connector Software
4. Close the Welcome Message by clicking Cancel.
On the left side of the page, Click Settings
5. Click Network
6. Under Centrify Connectors, Click the Add Centrify Connector button.
7. Under Download, Click the 64-bit link to download the Centrify Connector Software.
8. From the Downloads folder, launch the Cloud-Mgmt-Suite-win64.exe application.
9. The Centrify Installation Wizard will appear.
Click Next
10. Accept the terms of the license agreement and Click Next
11. The Centrify Connector Setup can be configured to install specific features and change
the storage location of the Connector software.
No change is required. Click Next
12. Now that the configuration of the installation has been completed, Click Install to begin
the process.
13. Once completed, you can move to the Centrify Connector Configuration.
Click Finish.
PART II: Centrify Connector Configuration Wizard
14. Once the Installation is complete, the Centrify Connector Configuration Wizard will
automatically launch.
Click Next
15. You will need to enter the following information to link the Centrify Connector to the
instance of Centrify Identity Platform.
Admin User Name: admin@omicron.lab
Admin Password: Centr1fy
Centrify Service: https://centrify.omicron.lab
16. The Web Proxy Configuration is used when a web proxy is required to communicate
with Identity Platform.
Web Proxy is not needed in this training. Click Next.
17. The Setup Properties Page is used to activate the Centrify Property Pages in all Active
Directory Administration Screens.
By default, the Property pages are active using the current user credentials (Enterprise
Admin Privilege compliant).
No change is required. Click Next.
18. Connector Configuration requires read permission to Deleted Objects in Active
Directory.
Select the domain (omicron.lab) and Click Next.
To confirm the change, users will need to be owners of the Deleted Objects container.
Click Yes to confirm the change and continue.
19. The connector will use the configuration specified and register with the Centrify Identity
Platform.
Click Finish.
20. Click Close to close the Centrify Connector Control Panel.
PART III: Verify Centrify Connector Registration
21. In the Admin Portal, Click Close to close the Add Centrify Connector option.
22. Refresh the Centrify Connector Page by clicking the Admin Profile found at the top
right and Click Reload.
The newly installed connector will be displayed.
Lab 3 - Customize and Configure the Portal
In this exercise, you will customize the User Portal. Each user will have
specific web applications added to their portal but can also add their own applications.
Additionally, you will configure the portal with a custom color and logo.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
PART I: Customize the Color and Logo
4. Under Settings, Click General
5. Click Account Customization
6. Under General Options, Change the Color of the Portal Ribbon Accent Color
7. Under Login Image, Click Upload
8. Select the Login image found in the folder c:\Centrify
9. Under Portal Image, Click Upload
10. Select the Logo image found in the folder c:\Centrify
11. Change the Company Name
Type Omicron Equipment Company
12. Click Save
PART II: Configure Global Security Questions
13. Under Settings, Click Authentication
14. Click Security Questions
15. Click Add
16. Type in the question What is your Favorite Color?
Click OK
17. Click Add to add another question
18. Type the question What is your Favorite Sport?
Click OK
19. Under Access, Click Policies
20. Click Default Policy
21. Under User Security Policies, Click User Account Settings
22. Change the Enable Users to Configure Security Questions to Yes
23. Change the Required Number of Admin-Defined Questions to 2
24. Click Save
PART III: Confirm Configuration Changes
25. Complete the Security Questions for Alex Foster.
Once completed, logout of the portal.
26. Login to the Portal as the identities below and complete the Security Questions.
• Joe Miller (jmiller)
• Kim Rogers (krogers)
• Laura Bennett (lbennett)
• Linda Scott (lscott)
For Training Purposes, it is recommended you use the same answers to the security
questions. Use the space below to note your Security Questions and Answers.
1. What is your Favorite Color?
ANSWER: _________________________________________________________
2. What is your Favorite Sport?
ANSWER: _________________________________________________________
3. Custom Security Question: _______________________________________
ANSWER: _________________________________________________________
Lab 4 - Complete Global Configuration Settings
In this exercise, you will configure the global settings for the new
installation. This will include creating a new Centrify Directory Administrator, assigning global
account and system permissions, and global security settings.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: admin@omicron.lab
Password: Centr1fy
PART I: Create a New Centrify Directory User
4. Under Access, Click Users
5. Click Add User
6. Enter the required information for the new directory user:
Login Name: OmicronSupport
E-Mail Address: support@omicron.lab
Display Name: Omicron Support Admin
Password (and Confirmation): Centr1fy
Status: Check Password never expires
Click Create User
7. Under Access, Click Roles
8. Click System Administrator
9. Click Members
10. Click Add
11. Search for the new user (OmicronSupport)
Click Add
12. Click Add
13. Search for user Alex Foster (afoster@omicron.lab)
Click Add
14. Click Save
PART II: Assign Global Account Permissions
15. Under Access, Click Global Account Permissions
16. Click Add
17. Add Omicron_GRP_Security Group
18. Check the following permissions for the added group:
Grant, View, Checkout, Login, Edit, Delete, Update Password, Rotate
19. Click Save
PART III: Assign Global System Permissions
20. Under Access, Click Global System Permissions
21. Click Add
22. Add Omicron_GRP_Security Group
23. Check the following permissions for the added group:
Grant, View, Manage Session, Edit, Delete
24. Click Save
PART IV: Configure Security Settings
25. Under Settings, Click Resources
26. Click Security Settings
27. Under Global Account Security, Enable periodic password rotation at specified interval
for 90 days.
28. Under Global System Security, check the box to allow access from a public network
(web client only)
29. Click Save
PART V: Grant Permissions to Domain
30. Under Resources, Click Domains
31. Click the omicron.lab domain
32. Click Permissions
33. Click Add
34. Add Omicron_GRP_Security Group
35. Check the Add Account permission for the added group.
36. Click Save
Lab 5 - Configure Domain Administrative Account
In this exercise, you will need to configure a Domain Administrative
Account.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab). Approximate time to complete (5-10 minutes)
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Domains
5. Click the omicron.lab domain
6. Click Settings
7. Click Select
8. Select Active Directory Option and Click Select
9. Search for and add Alex Foster (afoster@omicron.lab)
10. Enter the password for Alex (Centr1fy)
11. Click the blue Select button to save the changes.
12. Click Save
Lab 6 - Create and Configure Roles with Administrative Rights
In this exercise, you will configure roles with Administrative Rights for selected Active Directory Groups.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal as Alex Foster
Username: afoster@omicron.lab
Password: Centr1fy
PART I: Create Privilege Access Admin Role
4. Under Access, Click Roles
5. Click Add Role
6. Type in the name of the role Privilege Access Admins
7. Type in the description
Full administrative rights for Privilege Access
8. Click Members
9. Click Add
10. Add Domain Admins
11. Click Administrative Rights
12. Click Add
13. Select Privilege Access Service Administrator
This administrative right grants members access to all Infrastructure tab menus and permissions
in the Admin Portal. Members will be granted view, add, and remove system and account
permissions. Additionally, members can grant permissions to other users for specific systems
and accounts they add to the identity platform.
14. Click Add
15. Click Save
PART II: Create Privilege Access Power Users Role
16. Under Access, Click Roles
17. Click Add Role
18. Type in the name of the role Privilege Access Power Users
19. Type in the description
Limited administrative rights for Privilege Access
20. Click Members
21. Click Add
22. Add Omicron_GRP_Helpdesk
23. Click Administrative Rights
24. Click Add
25. Select Privilege Access Service Power Users
This limited administrative right grants members access to all Infrastructure tab menus and
permissions in the Admin Portal. Members will be granted view all system and account
permissions. Users cannot add systems or account information and either need to request
access to accounts via workflow or be granted explicit permissions by a user with grant
permissions.
26. Click Add
27. Click Save
PART III: Create Privilege Access Service User Role
28. Under Access, Click Roles
29. Click Add Role
30. Type in the name of the role Privilege Access Service Users
31. Type in the description
Limited administrative rights for Windows Services and UNIX Systems
32. Click Members
33. Click Add
34. Add Omicron_GRP_Contractors and Omicron_GRP_Finance
35. Click Administrative Rights
36. Click Add
37. Select Privilege Access Service Users
This right grants members access to a limited set of Infrastructure tab menus and permissions
in the Admin Portal. Members will be granted view only system and account permissions they
have been explicitly granted. Users cannot add systems or account information.
38. Click Add
39. Click Save
Lab 7 - Create and Configure Authentication Profiles
In this exercise, you will prepare the environment to use Multifactor
Authentication (MFA).
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Settings, Click Authentication
5. Click Authentication Profiles
6. Click Add Profile
7. Name the Profile Omicron MFA Profile
8. Under the Authentication Mechanisms:
Set Challenge 1 – Click Password
Set Challenge 2 – Click Security Questions leaving the default number of questions set
at one (1).
Change the Challenge Pass-Through Duration to No Pass Through
9. Click OK
Lab 8 - Import Systems using Bulk Import Template
Now it is time to bring systems into the Centrify Identity Platform. In this
exercise you will use the Bulk Import Template to import the domain controller.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Systems
5. Click Import
6. Click the link to download the Bulk System Import Template
Leave the browser open to this section – we will revisit it to complete the import.
7. Open the file using Notepad and add to the bottom the following information (as a single line):
appserver.omicron.lab, appserver.omicron.lab, Windows, Windows Application Server and Centrify Connector,,,,Administrator,Centr1fy,FALSE,FALSE,Applications for Omicron
8. Remove all other hosts leaving only the header line and the Appserver information.
9. Save the file C:\Centrify\servimport.csv
10. Return to the Admin Portal, click browse and select the updated template file
11. Click import
12. Use the profile menu at the top right to reload the page and confirm the system has been
added.
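A pre-flight check for the hand-edited import file from steps 7 to 9, as an added example (not part of the original guide and not a Centrify tool). It reports rows whose field count differs from the header, fields with surrounding spaces (the guide does not say whether the importer trims them), and rows that carry a cleartext password. The header in the sample is a constructed placeholder because the template's real column names are not shown in the guide, and the password position is inferred from the Lab 8 row.

```python
import csv
import io
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    code: str
    detail: str


def check_bulk_import(text: str, secret_index: int = 8) -> List[Finding]:
    """Pre-flight checks for a hand-edited bulk system import file.

    secret_index is the 0-based position of the password field. The default
    is inferred from the Lab 8 row, where the password is the ninth value;
    it is an assumption, not a documented column position.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)
    if header is None:
        return [Finding(0, "EMPTY", "file has no header line")]
    findings = []
    data_rows = 0
    for row in reader:
        line = reader.line_num
        if not row:                  # blank line left behind by the editor
            continue
        data_rows += 1
        if len(row) != len(header):
            findings.append(Finding(
                line, "FIELD_COUNT",
                f"{len(row)} fields, header has {len(header)}"))
            continue                 # field positions are unreliable on this row
        for pos, value in enumerate(row, start=1):
            if value != value.strip():
                findings.append(Finding(
                    line, "WHITESPACE", f"field {pos} is {value!r}"))
        if secret_index < len(row) and row[secret_index].strip():
            findings.append(Finding(
                line, "CLEARTEXT_SECRET",
                "password stored in the file; remove the file after the import"))
    if data_rows == 0:
        findings.append(Finding(0, "NO_ROWS", "only the header line is present"))
    return findings


# Constructed placeholder header: twelve columns, matching the Lab 8 row.
PLACEHOLDER_HEADER = ",".join(f"col{i}" for i in range(1, 13))

# The data row exactly as the lab guide gives it.
SAMPLE = (
    PLACEHOLDER_HEADER + "\n"
    "appserver.omicron.lab, appserver.omicron.lab, Windows, "
    "Windows Application Server and Centrify Connector,,,,"
    "Administrator,Centr1fy,FALSE,FALSE,Applications for Omicron\n"
)

if __name__ == "__main__":
    for finding in check_bulk_import(SAMPLE):
        print(f"line {finding.line}: {finding.code}: {finding.detail}")
```

Run it against the saved file's contents before step 10; once the import is confirmed in step 12, the file still holds the Administrator password and should not be left on disk.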
Lab 9 - Configure Discovery Profiles
In this exercise, you will import systems into the Centrify Identity
Platform using a Discovery Profile.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Discovery, Click System and Accounts
5. Click Profiles
PART I: Configure Active Directory Discovery
6. Click Add Profile
7. Name the Profile Discovery Active Directory Systems
8. Under Discovery Method, select Active Directory
9. Click Select button to add the account to facilitate the discovery
10. Search and Select afoster@omicron.lab
11. Check the domain that will be the scope of the discovery.
12. Click Save
PART II: Configure Network Scan Discovery
13. Click Add Profile
14. Name the Profile Discovery Network Scan Discovery
15. Under Discovery Method, select Port Scan
16. Click Add
17. Under Scope Method, choose IP Range and add 10.160.0.30 to 10.160.0.31
18. Under Discovery Accounts, use the dropdown and select Add Discovery Account
19. Name the Discovery Account UNIX ROOT
20. Enter the username and password of the UNIX root account.
Username: root
Password: password1
21. Click Done
22. Click Add to add UNIX ROOT to the Account List
23. Click Done
24. Click Save
25. Right click on each Discovery Profile and Select Run
The status of the process will be shown at the far right. Use the User Profile Menu to reload the
page. Only one profile can be run at a time. This process will take a couple of minutes, PLEASE
BE PATIENT. After the first is completed you can run the second profile.
26. Once the Discovery Profile has a Ready Status, navigate to Resources and Click
Systems
The system appserver.omicron.lab is already shown in the list.
Confirm that
centrify.omicron.lab, database.omicron.lab, helpdesk.omicron.lab, payroll.omicron.lab, and
dc.omicron.lab are also listed.
Use the User Profile Menu at the top right to reload the page.
Lab 10 - Create New Sets
Now that the systems are in the Centrify Identity Platform, you can
group them into sets. In this exercise, you will group the Windows
systems into a specific set and the UNIX systems into a separate set.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
PART I: Create New Sets
4. Under Resources, Select Systems
5. On the right-hand side of the systems list is a Sets list. Click Windows Systems to
confirm the system list is filtered to only display Windows servers.
6. Click the Add button to Add a New Set
7. Name the Set Omicron UNIX Systems
8. Click Save
9. Click the Add button again to add another New Set
10. Name the Set Omicron Domain Controllers
11. Click Save
12. Select the Helpdesk and Payroll system and Use the Blue Actions button to Add to Set
13. Using the Sets Drop Down, Select Omicron UNIX Systems
14. Click Save
15. Click the dc.omicron.lab system and select Add to Set
16. Using the Sets Drop Down, Select Omicron Domain Controllers
17. Click Save
PART II: Apply Member Permissions to Sets
18. Domain Controllers should only be available to Domain Admins. Right Click on the
Omicron Domain Controllers Set and select Modify
19. Click Member Permissions and Click Add
20. Search and Add Domain Admins
21. Grant the View and Manage Session permissions to the Domain Admins Group
22. Click Save.
23. Right Click on the Omicron UNIX Systems Set and Select Modify
24. Click Member Permissions and Click Add
25. Search and Add Omicron_GRP_Helpdesk and Privilege Access Service User Role
26. Confirm the View Permission to the Omicron_GRP_Helpdesk and Privilege Access
Service User Role
27. Click Save
PART III: Confirm Visibility to Sets
28. Logout of the Admin Portal as Alex Foster (afoster)
29. Login in as Omicron_GRP_Helpdesk member Joe Miller (jmiller@omicron.lab)
30. Under Resources, Click Systems
31. Examine the list of systems
a. How many systems are shown in the list?
(answer should be 6)
b. Is there a Set for Omicron UNIX Systems?
(answer should be NO)
c. Is there a Set for Omicron Domain Controllers?
(answer should be NO)
PART IV: Assign Permissions to the Set
32. Logout of the Admin Portal and Re-Login as Alex Foster (afoster)
33. Under Resources, Click Systems
34. Right Click on Omicron Unix Systems and select Modify
35. Click Permissions
36. Click Add
37. Search and Add Omicron_GRP_Helpdesk
38. Confirm the View Permissions to the Omicron_GRP_Helpdesk
39. Click Save
40. Repeat Steps 29-32 (Part III)
Did your original answers change? (Hint… They should slightly)
a. How many systems are shown in the list?
SIX (6). The systems are visible because Omicron_GRP_Helpdesk was assigned the
Privilege Access Power Users Role which gives them visibility to all systems.
b. Is there a Set for Omicron UNIX Systems?
Yes. The Permission changes have made the set visible to the members of the group.
c. Is there a Set for Omicron Domain Controllers?
No. No permission changes were made to this set.
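The visibility rules that Parts III and IV check, as an added example (not part of the original guide and not Centrify's implementation): a small Python model in which a role's administrative right decides whether all systems are listed, a set's Member Permissions decide which member systems a principal can view, and a set's own Permissions decide whether the set itself appears. All class and function names are assumptions made for this illustration; the groups, roles, sets and systems are the ones used in Labs 6, 9 and 10.

```python
from dataclasses import dataclass, field

# The six systems listed in Lab 9, step 26 (short names).
SYSTEMS = {"appserver", "centrify", "database", "dc", "helpdesk", "payroll"}
# Administrative right that Lab 6 describes as granting a view of all systems.
VIEW_ALL_RIGHT = "Privilege Access Service Power Users"


@dataclass
class Role:
    name: str
    members: set   # groups placed in the role
    rights: set    # administrative rights attached to the role


@dataclass
class SystemSet:
    name: str
    systems: set
    permissions: dict = field(default_factory=dict)         # on the set itself
    member_permissions: dict = field(default_factory=dict)  # on systems in the set


def principals(groups, roles):
    """The caller's groups plus every role one of those groups belongs to."""
    groups = set(groups)
    return groups | {r.name for r in roles if r.members & groups}


def _has_view(grants, who):
    return any("View" in perms for name, perms in grants.items() if name in who)


def visible_systems(groups, roles, sets):
    """Systems listed under Resources > Systems for a member of `groups`."""
    who = principals(groups, roles)
    rights = set().union(*(r.rights for r in roles if r.name in who))
    if VIEW_ALL_RIGHT in rights:
        return sorted(SYSTEMS)
    seen = set()
    for s in sets:
        if _has_view(s.member_permissions, who):
            seen |= s.systems
    return sorted(seen)


def visible_sets(groups, roles, sets):
    """Sets shown in the Sets list: only those with View on the set object."""
    who = principals(groups, roles)
    return sorted(s.name for s in sets if _has_view(s.permissions, who))


def build_lab():
    """State after Lab 6 and Lab 10 Parts I and II (before Part IV)."""
    roles = [
        Role("Privilege Access Power Users", {"Omicron_GRP_Helpdesk"},
             {"Privilege Access Service Power Users"}),
        Role("Privilege Access Service Users",
             {"Omicron_GRP_Contractors", "Omicron_GRP_Finance"},
             {"Privilege Access Service Users"}),
    ]
    unix = SystemSet(
        "Omicron UNIX Systems", {"helpdesk", "payroll"},
        member_permissions={"Omicron_GRP_Helpdesk": {"View"},
                            "Privilege Access Service Users": {"View"}})
    dcs = SystemSet(
        "Omicron Domain Controllers", {"dc"},
        member_permissions={"Domain Admins": {"View", "Manage Session"}})
    return roles, [unix, dcs]


if __name__ == "__main__":
    roles, sets = build_lab()
    helpdesk = {"Omicron_GRP_Helpdesk"}
    print("Part III:", len(visible_systems(helpdesk, roles, sets)),
          "systems, sets:", visible_sets(helpdesk, roles, sets))
    sets[0].permissions["Omicron_GRP_Helpdesk"] = {"View"}  # Part IV, steps 34-39
    print("Part IV: ", len(visible_systems(helpdesk, roles, sets)),
          "systems, sets:", visible_sets(helpdesk, roles, sets))
    print("Contractor systems:",
          visible_systems({"Omicron_GRP_Contractors"}, roles, sets))
```

In this model the helpdesk group lists dc.omicron.lab in both runs because of its role's administrative right, while a contractor lists only the two UNIX systems granted through the set's Member Permissions.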
Lab 11 - Configure Properties for Local and Shared Accounts
In this exercise, you will configure local and shared accounts with
permissions for specific groups.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Systems
PART I: Configure a Local Windows Account
5. Click on the appserver system and under Accounts, Click Add
6. Add the Omicron-A Username and Password
Username: Omicron-A
Password: Centr1fy
7. Click the checkbox to Manage The Password
8. Click Add
9. Click on the new Local Account
10. Under Permissions, Click Add
11. Add the Privilege Access Power Users role
12. Add the view, checkout and login permissions to the Privilege Access Power Users role
13. Click Save
PART II: Configure Local UNIX Account
Note: You must also set the view permissions to the server in order to use the privilege
Account.
14. Under Resources, Click Systems.
Click the helpdesk.omicron.lab system
15. Under Permissions, confirm Privilege Access Service Users has View Permissions
16. Under Resources, Click Systems
Click the payroll.omicron.lab system
17. Under Permissions, confirm Privilege Access Service Users has View Permissions
18. Click Accounts, Click Add
19. Add the root account username and password (Password: password1)
20. Do Not Check the Manage This Password Option
21. Click Add
22. Click on the new root account
23. Under Permissions, Click Add
24. Add the Privilege Access Users role
25. Add the view and login permissions to the Privilege Access Users role
26. Click Save
27. Under Resources, Click Systems.
28. Click on the helpdesk.omicron.lab system and under Accounts, Click Add
29. Add the root account username and password (Password: password1)
30. Check the Manage This Password Option
31. Click Add
32. Click on the new root account
33. Under Permissions, Click Add
34. Add the Privilege Access Users role
35. Add the view and Checkout permissions to the Privilege Access Users role
36. Click Save
PART III: Confirm Configuration
37. Logout of the Admin Portal
38. Login as Joe Miller (Jmiller@omicron.lab) (Password:Centr1fy)
39. Under Resources, Click Accounts
40. Right click on the Appserver/ Omicron-A account and select Checkout
41. Click Show Password
Since the password is managed, the original password used has been changed.
42. Close the password dialog and right click the account once again and select check-in
43. Logout of the Admin Portal
44. Login as Kim Rogers (krogers@omicron.lab) (Password:Centr1fy)
45. Under Resources, Click Accounts
46. Right Click on the payroll/Root account and select Login
47. If successful a secure remote login session will be established without relinquishing the
root password to the user.
48. Close the remote session and logout of the Admin Portal
Lab 12 - Configure Secrets
The Helpdesk team currently distributes software license keys to users upon
request and approval. In this exercise, you will add software license keys to
the Centrify Identity Platform as Secrets – providing permissions to the
Contractors and IT groups.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
PART I: Create Secret Text
1. Under Resources, Navigate to Secrets and Click Add Secret
2. Name the secret Office 365 License
3. Add a Description Office 365 Local Installation License Key
4. Change the Type to Text and Click Enter Text
5. Type F1Y0U-AR3NT-VA1LD-S33D3-K3YXX in the Secret Text Area
6. Click Permissions
7. Click Add
8. Add Omicron_GRP_Contractors
9. Grant the Omicron_GRP_Contractors Group View and Retrieve Secret Permissions
10. Click Save
PART II: Creating a Secret File
11. Click Add Secret
12. Name the Secret Centrify License
13. Click Select File
14. Locate the LicenseKey.txt file used during the installation of the Identity Platform
(C:\Centrify)
15. Click Save
PART III: Creating Secret Folders
16. Click Add Folder
17. Name the Folder Software Licenses
18. Add a Description “Folder for Software License Keys”
19. Click Folder Permissions
20. Click Add
21. Add Omicron_GRP_IT with View and Add Permissions
22. Click Member Permissions
23. Click Add
24. Add Omicron_GRP_IT with View, Edit and Retrieve Secret Permissions
25. Click Save
26. Click on each secret and select Move
27. Move the secrets to the Software Licenses Folder
PART IV: Confirm Configuration
28. Logout of the Admin Portal and login as Joe Miller (jmiller) (Password: Centr1fy)
29. Under Secrets, Click Software Licenses
QUESTION #1: Does Joe have access to both Secrets?
YES OR NO
YES. Joe is a member of the Omicron_GRP_IT group, which was given access to the secrets as
members of the folder.
30. Logout of the Admin Portal and login as Laura Bennett (lbennett) (Password: Centr1fy)
31. Right click on the Office 365 Secret and select Retrieve Secret
32. Click Show Text
33. QUESTION #2: Can Laura view the Software Licenses Folder?
YES OR NO
NO. Laura had permission to see secrets, not the folder.
QUESTION #3: How many Secrets does Laura have access to?
___________
One (1). Laura was only given permission to see one secret, not both.
34. Click Cancel and logout of the Admin Portal.
Lab 13 - Configure Multifactor Authentication for Secure Remote Login
In this exercise, you will configure a policy with an Authentication Profile
with multifactor authentication for all users accessing the application
server (appserver.omicron.lab).
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Systems
5. Click appserver.omicron.lab
6. Click Policy
7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)
8. Click Save
9. Logout of the Admin Portal
10. Login to the User Portal as Joe Miller (JMiller@omicron.lab) (Password:Centr1fy)
11. Under Resources, Click Systems
12. Right Click appserver.omicron.lab and click Select/ Request Account
13. Click on Omicron-A and Click Select
14. Prior to logging in you will be prompted to answer a Security Question
15. Once you answer the security question, enter your password and confirm you are
securely logged in to the system.
16. Close the Remote session
17. Logout of the Admin Portal
Lab 14 - Configure Multifactor Authentication for Password Checkout
In this exercise, you will configure multifactor authentication for the root
account of the payroll system.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Accounts
5. Click helpdesk.omicron.lab/ root account
6. Click Policy
7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)
8. Click Save
9. Logout of the Admin Portal
10. Login to the Admin Portal as Laura Bennett (lbennett@omicron.lab)
(Password:Centr1fy)
11. Under Resources, Click Accounts
12. Right Click helpdesk.omicron.lab/root account and Checkout
13. Prior to having the options to view or copy the password, you will be prompted to answer
a Security Question
14. Once you answer the security question, enter your password and confirm you can
retrieve the password.
15. Right Click helpdesk.omicron.lab/root account and Checkin
16. Logout of the Admin Portal
Lab 15 - Configure Request Workflow
In this exercise, you will configure request workflow for the finance team to
perform secure remote login into the payroll system – without providing
the shared account password.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
PART I: Configure Workflow on Privilege Accounts
4. Under Resources, Click Systems
5. Click on appserver.omicron.lab
6. Click on Permissions
7. Click Add
8. Add Privilege Access Users with View Permissions
9. Click on Accounts
10. Click Omicron-A account
11. Click Permissions
12. Click Add
13. Add Privilege Access Users with View and Checkout Permissions
14. Click Save
PART II: Configure Windows Account for Workflow
15. Click appserver.omicron.lab/ Omicron-A account
16. Click Workflow
17. Change Enable Account Workflow to Yes
18. Click Add
19. Change the Approver Type to Specified User or Role
20. Click Add
21. Search and add Alex Foster AFoster@omicron.lab
22. Click Save
PART III: Configure UNIX ROOT Account for Workflow
23. Under Resources, Click Accounts
24. Click payroll.omicron.lab/ root account
25. Click Workflow
26. Change Enable Account Workflow to Yes
27. Click Add
28. Change the Approver Type to Specified User or Role
29. Click Add
30. Search and add Alex Foster (afoster)
31. Click Save
PART IV: Test Workflow
32. Logout of the Admin Portal
33. Login as Laura Bennett (LBennett)
34. Under Resources, Click Systems
35. Right Click on appserver.omicron.lab and Click Select/ Request Account
36. Click on Omicron-A and click Select
37. Fill out the Request Login Form and Click Submit
38. Logout of Admin Portal
39. Login to Admin Portal as Kim Rogers (krogers)
40. Under Resources, Click Accounts
41. Right Click on payroll/ root account and select Request Checkout
42. Fill out the Request Checkout Form and Click Submit
43. Logout of Admin Portal
44. Login as Alex Foster (AFoster)
45. Under Access, Click Requests
46. Click on each Pending Request
47. Click Approve (Each request must be addressed individually)
48. Click Submit
49. Logout of Admin Portal
50. Login as Laura Bennett (LBennett)
51. Under Access, Click Requests
52. Confirm the Request has been approved
53. Under Resources, Click Accounts
54. Right click on appserver.omicron.lab/ Omicron-A account and Select Login
A Secure Remote Session will now be established.
55. Close the Session
56. Logout of Admin Portal
57. Login as Kim Rogers (KRogers)
58. Under Access, Click Requests
59. Confirm the Requests have been approved
60. Under Resources, Click Accounts
61. Right Click on the payroll/ root account and Click Checkout
62. Click Show Password to see the current password.
63. Click Close
64. Right Click the payroll/ root account and Click Checkin
65. Log Out of Admin Portal
Lab 16 - Configure Account Unlock and Self-Service
In this exercise, you will configure account unlock and password self-service
using multifactor authentication.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Access, Click Policies
5. Click Default Policy
6. Under User Security Policies, Click Self Service
7. Under Account Unlock, Click Enable Account Unlock
8. Click Allow for Active Directory
9. Use the Drop-Down Menu to select the Account Unlock Authentication Profile.
Select Add New Profile
10. Name the New Profile Omicron Account Unlock
11. Set Challenge 1 to use two (2) Security Questions
12. Do not set Challenge 2
13. Set the Challenge Pass-through to 10 minutes.
14. Click Ok
15. Click Save
16. Under Active Directory Self Service Settings, Select the Use These Credentials option
and enter the username and password for Alex Foster.
Username: afoster
Password: Centr1fy
17. Click Save
Switch to appserver.omicron.lab
18. Login to the system using the wrong password for jmiller until the account is locked.
Switch to centrify.omicron.lab
19. Login to the Admin Portal as JMiller
20. Confirm the Security Question was requested after the password.
What about users whose accounts were locked and need their password
reset?
21. Logout of the Admin Portal
22. Login to the Admin Portal as Alex Foster (afoster)
23. Under Access, Click Policies
24. Click Default Policy
25. Under User Security Policies, Click Self Service
26. Under Password Reset, Enable Password Reset for Active Directory Users
27. Use the Drop-Down menu to select the Password Reset Authentication Profile.
Select Omicron Account Unlock
28. Click Save
Switch to appserver.omicron.lab
29. Login to the system using the wrong password for jmiller until the account is locked.
Switch to centrify.omicron.lab
30. Logout of the Admin Portal
31. Login to the Admin Portal as Joe Miller (JMiller)
32. Click Forgot Password
33. Answer the Security Questions and Click Next
34. Type and Confirm New Password ZeroTru5t
35. Once your Password is changed, Click Start Over to relogin
36. After entering your password, you will be prompted to answer the security question
again, to unlock the account.
Switch to appserver.omicron.lab
37. Login to the system using the NEW password for Joe Miller (jmiller) to confirm the
successful login.
Lab 17 - Manage Active Sessions
In this exercise you will open an active session to monitor the live activity
and terminate all sessions still active.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to appserver.omicron.lab
Username: afoster
Password: Centr1fy
2. Login to the Admin Portal as Kim Rogers (KRogers)
3. Under Resources, Click Accounts
4. Right Click on the payroll/ root account and select Login.
A secure remote session will be displayed.
Switch to centrify.omicron.lab
5. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
6. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
7. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
8. Click Dashboards
9. Change the Dashboard to Overview
10. In the lower right corner are the active sessions.
Click on the session and use the blue Actions button to watch the active session.
You can switch back to the appserver and type common UNIX commands and they will
appear in the monitored session.
Terminate the Active Session
11. Leave the active session open and return to the Admin Portal.
12. Select the active session and use the blue Actions button to terminate the session.
A message will appear on both the monitored session and on the secure remote session
running on the appserver indicating the session has been closed by the administrator.
Lab 18 - Configure and Run Reports
In this exercise, you will run selected reports.
For this exercise you will need to power up the domain controller
(dc.omicron.lab), the new Windows server (centrify.omicron.lab), the Windows Application
Server (appserver.omicron.lab), the Windows database Server (database.omicron.lab), and
the two (2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Click Reports
5. Click Built-in reports
6. Click Effective Rights
7. Click User to Object and Check Systems
8. Use the blue Actions button and click Export Report
9. Select CSV Format and enter a name for the report.
10. From the list of available systems, select the appserver
11. Click OK
The report will be generated and downloaded. Open the report to view the report details.
Lab 19 - Dedicate Centrify Connector
In this exercise you will dedicate a specific Centrify Connector to the
payroll system.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Open the Internet browser and navigate to the Admin Portal.
https://centrify.omicron.lab
3. Login to the Admin Portal using the Centrify administrator account
Username: afoster@omicron.lab
Password: Centr1fy
4. Under Resources, Click Systems
5. Click the payroll.omicron.lab system
6. Click Connectors
7. Change the Connector option to choose and select the appserver.
8. Click Save.
69
©2019 Centrify Corporation. All Rights Reserved
Centrify Zero Trust Privilege – Lab Guide
This page is intentionally left blank.
70
©2019 Centrify Corporation. All Rights Reserved
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
©2019 Centrify Corporation. All Rights Reserved
©2019 Centrify Corporation. All Rights Reserved
Download