Centrify PAM Administration Technical Training Lab Guide
Revision 2021-Q2-v21
©2020 Centrify Corporation. All Rights Reserved
Centrify PAM Administration – Lab Guide
Centrify Corporation, http://www.centrify.com

Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a subscription license agreement or a non-disclosure agreement. Except as expressly set forth in such subscription license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such subscription license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2021 Centrify Corporation. All rights reserved.

Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-1 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the software and documentation are being licensed to U.S. Government end-users (a) only as Commercial Items and (b) with only those rights as are granted to all other end-users pursuant to the terms and conditions of the subscription license agreement.

Centrify, Centrify Express, Centrify for Mobile, Centrify for SaaS, Centrify Identity Service, Centrify Privilege Service, Centrify Server Suite, Centrify Suite, Centrify User Suite, DirectAudit, DirectAuthorize, DirectControl, DirectControl Express, DirectManage, DirectManage Express and DirectSecure are registered trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners.

Unless otherwise noted, all the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

About this Guide

This hands-on exercise guide will walk you through the fundamental features and functionality of Centrify Vault Suite, Centrify Cloud Suite and Centrify Server Suite. You will be working with several computer systems as you complete each exercise; however, not all systems will need to be powered on during each lab exercise. Before each lab begins you will be provided initial instructions related to the required systems. This is done to conserve resources in the virtual environment.

If you plan to use the training materials for in-house training, you can configure a training environment in your network, but it is recommended to consider your network configuration and security practices. This environment is for training purposes and will not match your network environment. Use the Appendix in the Student Guide to read more about the training environment and how it is configured.

During this training, you will be working with Greensafe Payroll Services. Alex Foster is the primary administrator of the infrastructure. Greensafe's network includes a Windows Active Directory domain controller, one (1) Windows Application Server, one (1) Microsoft SQL Server, and two (2) UNIX servers. A "cloud" environment is also used for DevOps and includes two independent, non-AD-joined servers. As part of the purchase of the Centrify solution, a SaaS-based Centrify Identity Platform (tenant) has been provided to facilitate the management of the environment. For this training, the isolated network will be used to simulate a cloud environment (similar to an AWS or Azure environment).

Table of Contents

Part I: Centrify Identity Platform
1. Customize the Centrify Identity Platform ... 9
2. Create Centrify Directory Service Users ... 10
3. Create Privileged Roles ... 11
4. Install and Configure the Centrify Connector ... 14
5. Configure Role-Based Permissions ... 16
6. Configure a Domain Administrative Account ... 20
7. Configure System Discovery Profiles ... 21
8. Configure System Sets ... 23
9. Configure Shared Privilege Accounts ... 28
10. Secure Remote Login ... 34
11. Secure Password Checkout ... 36
12. Configure Secrets ... 37
13. Configure Access Request & Approval Workflow ... 40
14. Configure Multifactor Authentication ... 45
15. Configure Self Service Options ... 49

Part II: Centrify Client (CClient) Operations
16. Install Centrify Client (CClient) ... 52
17. Enroll Systems for Client Side Features ... 53
18. Configure Use My Account ... 55
19. Configure Brokered Authentication ... 57
20. Configure Password Reconciliation ... 63

Part III: Centrify Server Suite - Authentication and Privilege
21. Install Centrify Authentication and Privilege ... 65
22. Configure Centrify Access Manager ... 66
23. Create Centrify Zones ... 68
24. Prepare Zone Server Objects ... 71
25. Manage Local and Domain Users ... 73
26. Configure a Centrify Zone Provisioning Agent ... 76
27. Install and Configure the Centrify Agent ... 80
28. Configure UNIX Login Role ... 82
29. Configure Windows Zone Role ... 84
30. Configure Computer Roles ... 88
31. Centrify Server Suite Group Policies ... 94
32. Configure MFA for Privilege Elevation ... 96

Part IV: Reporting and Troubleshooting
33. Configure Centrify Reporting Service ... 100
34. Review Centrify Reports ... 102
35. Troubleshooting Licensing ... 104
36. Analyze the Environment ... 105

Part V: Audit and Monitoring
37. Install Centrify Audit Architecture ... 106
38. Configure Centrify Auditing ... 108
39. Review Audit Sessions ... 110
40. Manage Live Remote Sessions ... 113

Lab 1: Customize Centrify Identity Platform

Greensafe Payroll Services has recently purchased the Centrify Solution. Alex Foster has been identified as the project engineer in charge of implementing the solution. In this exercise, Alex (you) will login to the Centrify Identity Platform and perform the initial configuration to "brand" the platform with Greensafe logos and colors.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Login to apps-server.greensafe.lab with the following credentials:
   Username: afoster
   Password: Centr1fy
2. Launch Google Chrome and browse to your unique Identity Platform URL: https://<tenant_ID>.my.centrify.net
3. Login to your unique Identity Platform with the following credentials:
   Username: admin@lab.<tenant_ID>
   Password: Centr1fy
4. On the Welcome Message, check the box "Do not show again" and click Cancel.
5. Use the Main Menu on the left to navigate to Settings > General.
6. Under Account Customization > General Options, change the Portal Ribbon Accent Color.
7. Click the Upload button to change the Portal Image. Select C:\Share\Greensafe Portal.png
8. Under Login Customization, click the Upload button to change the Login Image. Select C:\Share\Greensafe Login.png
9. Under Message Customization, click the Upload button to change the E-Mail Image. Select C:\Share\Greensafe Portal.png
10. Click Save

Lab 2: Creating Centrify Directory Service Users

Part of the initial configuration includes creating Centrify Directory Service User Accounts that will be used for specific privileged access to Greensafe servers without requiring specific domain identities. In this exercise, Alex (you) will create an account that will manage Centrify Connectors and a second account that will be used by 3rd party contractors who support specific Greensafe servers.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Users.
2. Click Add User
3. Enter the required information to create a new Centrify Directory Service User for Centrify Connector Management.
   Username: ConnectorMgr
   E-Mail Address: ConnectorMgr@greensafe.lab
   Display Name: Centrify Connector Manager
   Password: Centr1fy
   Uncheck the box to set the password NOT to expire.
   Uncheck the box so that an e-mail invite for user profile setup is NOT sent.
4. Click Create User
5. Click the Add User button to create a second CDS user.
6. Enter the required information to create a new Centrify Directory Service User for 3rd Party Contractor Support.
   Username: zContractor
   E-Mail Address: contractors@greensafe.lab
   Display Name: Contractor Support Account
   Password: Centr1fy
   Uncheck the box to set the password NOT to expire.
   Uncheck the box so that an e-mail invite for user profile setup is NOT sent.
7. Click Create User
Lab 3: Create Privileged Roles

Privileged roles are created to group privilege to the infrastructure. Roles can be assigned to users, groups, systems and other roles. In this exercise, Alex (you) will create specific Privileged Access Roles that will be used during the implementation and day-to-day management of the solution.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
2. Click Add Role
3. Name the Role Connector Manager Role
4. Click Administrative Rights
5. Click Add
6. This role requires the privilege to register and manage Centrify Connectors. Select Register and Administer Connectors
7. Click Add
8. Click Members
9. Click Add
10. Search for and add ConnectorMgr@lab.<tenant_ID>
11. Click Save
12. Click Add Role to add a second role.
13. Name the Role Contractor Role
14. Click Administrative Rights
15. Click Add
16. This role requires privilege assigned by an administrator and should be limited to servers that are specifically assigned to the role. Greensafe has contractors that manage Greensafe database servers. Select Privilege Access User
17. Click Add
18. Click Members
19. Search for and add zContractor@lab.<tenant_ID>
20. Click Save
21. Click Add Role to add a third role.
22. Name the Role PAS Admin Role
23. Click Administrative Rights
24. Click Add
25. This role provides members privilege to administer all resources within the Centrify Identity Platform. Select Privilege Access Service Administrator
26. Click Add
27. Click Save (members will be added later)
28. Click Add Role to add a fourth role.
29. Name the Role PAS Power User Role
30. Click Administrative Rights
31. Click Add
32. This role provides members privilege to administer resources they explicitly add to the Centrify Identity Platform and limited privilege to administer resources that are already added. Select Privilege Access Service Power User
33. Click Add
34. Click Save (members will be added later)
35. Click Add Role to add a fifth role.
36. Name the Role PAS User Role
37. Click Administrative Rights
38. Click Add
39. This role provides members privilege to access resources that are explicitly added to this role, with no privilege to add resources to the Centrify Identity Platform. Select Privilege Access Service User
40. Click Add
41. Click Save (members will be added later)

Lab 4: Install and Configure Centrify Connector

Centrify Connectors are deployed in the environment to facilitate specific access between the Centrify Identity Platform and Greensafe infrastructure resources. In this exercise, Alex (you) will install the Centrify Connector software and configure it to communicate with the Centrify Identity Platform and the Greensafe Active Directory environment.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. From the Centrify Identity Platform, use the main menu on the left to navigate to Settings > Network > Centrify Connectors.
2. Click Add Centrify Connector
3. Click the 64-bit link to download the Centrify Connector installation package.
4. Extract the installation package and launch the application.
5. At the Welcome Message, click Next
6. Accept the EULA and click Next
7. Keep the default features selected and click Next
8. Click Install
9. When completed, click Finish (the Connector Configuration Wizard will start automatically).
10. At the Welcome Message, click Next
11. Maintain the strong encryption options and click Next
12. Greensafe is not using a proxy server and no changes are needed. Click Next
13. Change the Tenant URL to your unique platform URL: https://<tenant_ID>.my.centrify.net (you can copy and paste the URL directly from the address bar of the browser).
14. Click Next
15. You will be prompted to login to the Centrify Identity Platform to register the Connector. Login using the following credentials:
    Username: ConnectorMgr@lab.<tenant_ID>
    Password: Centr1fy
16. Click Next to accept the default AD Properties page settings.
17. Check the box associated with the greensafe.lab domain and click Next.
18. Permissions are required for domain deleted objects. Click Yes to assign the permissions.
19. The Connector will run a number of tests before completing the registration. Once the tests have completed successfully, click Next.
20. After the connector has been configured successfully and registered with the Centrify Identity Platform, click Finish.
21. The Centrify Connector Control Panel will be displayed, indicating the current status and connection with the Centrify Identity Platform. You can close the Control Panel and return to the Centrify Identity Platform.
22. Close the Centrify Connector Download window and refresh the Centrify Identity Platform. The Centrify Connector (apps-server.greensafe.lab) should be displayed as an available connector.

Lab 5: Configure Role-Based Permissions

Now that Privilege Roles have been established and the Centrify Connector has been deployed, we can assign privilege to Active Directory users and groups. In this exercise, Alex (you) will assign AD groups to the recently created roles and configure global security settings and permissions.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
2. Click the System Administrators Role
3. Click Members
4. Click Add
5. Search for and add Team_Security
6. Click Save
7. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
8. Click the PAS Admin Role
9. Click Members
10. Click Add
11. Search for and add Domain Admins
12. Click Save
13. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
14. Click the PAS Power User Role
15. Click Members
16. Click Add
17. Search for and add Team_Helpdesk
18. Click Save
19. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
20. Click the PAS User Role
21. Click Members
22. Click Add
23. Search for and add the following groups: Team_Sales, Team_Finance
24. Click Save
25. From the Centrify Identity Platform, use the main menu on the left to navigate to Access > Roles.
26. Click the Contractor Role
27. Click Members
28. You will notice one member (zContractor) which was added earlier. Click Add
29. Search for and add Team_Contractors
30. Click Save
31. Use the main menu on the left to navigate to Settings > Resources > Security > Global Account Permissions.
32. Global Account Permissions identifies the privileged account permissions granted to users, groups and roles in the Centrify Identity Platform. Greensafe has decided to grant specific privilege to administrators and power users. Click Add
33. Search for and add PAS Admin Role
34. Check the boxes for the role to provide the following permissions: Grant, View, Checkout, Login, Edit, Delete, Update Password, and Rotate
35. Click Add
36. Search for and add PAS Power User Role
37. Check the boxes for the role to provide the following permissions: View and Login
38. Click Save
39. Use the main menu on the left to navigate to Settings > Resources > Security > Global System Permissions.
40. Global System Permissions identifies the privileged system permissions granted to users, groups and roles in the Centrify Identity Platform. Greensafe has decided to grant specific privilege to administrators and power users. Click Add
41. Search for and add PAS Admin Role
42. Check the boxes for the role to provide the following permissions: Grant, View, Manage Session, Edit, Delete, Add Account, and Unlock Account
43. Click Add
44. Search for and add PAS Power User Role
45. Check the boxes for the role to provide the following permissions: View, Manage Session, Unlock Account
46. Click Save
47. Use the main menu on the left to navigate to Settings > Resources > Security.
48. Under Security Settings > Global Account Security, check the box to enable periodic password rotation at the specified interval (days). Use the default duration of 90 days.
49. Under Global System Security, check the box to allow access from a public network (web clients only).
50. Click Save
51. Use the main menu on the left to navigate to Resources > Domains.
52. Click the greensafe.lab domain
53. Under Permissions, click Add
54. Search for and add PAS Admin Role
55. Check the boxes for the role to provide the following permissions: View, Edit, Unlock Account and Add Account
56. Click Save

Lab 6: Configure a Domain Administrative Account

The Centrify Identity Platform can be configured to facilitate domain tasks. In this exercise, Alex (you) will configure a domain administrative account to perform these tasks. This training environment has been preconfigured with a domain account (cfyadmin@greensafe.lab) to act in this capacity.
Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Logout of the Centrify Identity Platform.
2. Login back into the Centrify Identity Platform using the following credentials:
   Username: afoster@greensafe.lab
   Password: Centr1fy
3. On the Welcome Message, check the box "Do not show again" and click Cancel.
4. Use the main menu on the left to navigate to Resources > Domains.
5. Click the greensafe.lab domain
6. Click Advanced
7. Under Administrative Account Settings, click the Select button to identify the Domain Administrative Account.
8. Select the option for Active Directory and click the Select button to add the account.
9. Search for and select cfyadmin@greensafe.lab
10. Enter the password (Centr1fy) and click Select
11. Under Reconciliation Options, check the boxes for Manual Unlock of Domain and Windows Local Accounts.
12. Click Save

Lab 7: Configure System Discovery Profiles

Now that role-based permissions and privilege have been established, it is time to locate and add systems to the Centrify Identity Platform. In this exercise, Alex (you) will create two distinct discovery profiles so systems can be found and added to the platform, and privilege can be administered.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. Use the main menu on the left to navigate to Discovery > Profiles > Systems and Accounts.
2. Click Add Discovery Profile
3. Name the profile Domain Server Discovery
4. Under Discovery Method, select Active Directory
5. Click the Select button to select a domain account that can read the domain objects.
6. Search for and select cfyadmin@greensafe.lab
7. Under Scope of Search, check the greensafe.lab domain
8. Click Save
9. Right click the newly created discovery profile and click Run
10. While the discovery is running, click Add Discovery Profile to add a second discovery profile.
11. Name the profile Network Port Scan Discovery
12. Under Discovery Method, select Port Scan
13. Click Add
14. Select IP Range and enter 10.0.0.30-10.0.0.35
15. Under Discovery Accounts, click Add
16. Use the drop-down menu and select Add Discovery Account
17. Name the account UNIX Admin
18. Enter the Username: cfyadmin
19. Enter the password: Centr1fy
20. Click Done
21. Click Add to add the new UNIX Admin Discovery Account.
22. Click Done
23. Click Save
24. Right click the newly created discovery profile and click Run
25. Use the main menu on the left to navigate to Resources > Systems. Once the discovery profiles have completed, the following systems should be listed (it may be necessary to refresh the page, or to use the user profile menu at the top right and select Reload Rights):
    apps-server.greensafe.lab
    apps-unix.greensafe.lab
    db-server.greensafe.lab
    db-unix.greensafe.lab
    dc.greensafe.lab

Lab 8: Configure System Sets

Systems have been added to the Centrify Identity Platform, and while global and role-based permissions have been applied, there will be instances where systems need to be grouped based on their role within the organization. In this exercise, Alex (you) will create a number of system sets that will be configured and shared with other privileged users. Additionally, you will learn how to apply role-based permissions to the members of a set as well as to the set itself.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab
Estimated time to complete this lab: 20 minutes

1. Use the main menu on the left to navigate to Resources > Systems to display all systems.
2. Using the Google Chrome menu, open a New Incognito Window so you can login as different users and confirm the information in the table below:

   Username | AD Group | Centrify Role | Available Systems
   jmiller@greensafe.lab | Domain Admins | PAS Admin Role | apps-server.greensafe.lab, apps-unix.greensafe.lab, db-server.greensafe.lab, db-unix.greensafe.lab, dc.greensafe.lab
   bhughes@greensafe.lab | Team_Helpdesk | PAS Power User Role | apps-server.greensafe.lab, apps-unix.greensafe.lab, db-server.greensafe.lab, db-unix.greensafe.lab, dc.greensafe.lab
   krogers@greensafe.lab | Team_UnixAdmins | PAS User Role | No Systems
   zContractor@lab.<tenant_ID> | N/A (CDS User) | Contractors Role | No Systems
   lbennett@greensafe.lab | Team_Contractors | Contractors Role | No Systems

   You will notice that, due to the role-based administrative rights applied earlier, the main menu on the left will look different for specific users. You will also notice that, due to the global system permissions applied earlier, systems are viewable to Joe Miller (jmiller@greensafe.lab) and Bob Hughes (bhughes@greensafe.lab).
3. Return to the Centrify Identity Platform (logged in as Alex Foster) and under Systems, click the Add button on the far right under Sets.
4. Name the new system set Greensafe Domain Controllers
5. Click Save
6. Under Systems, click the Add button on the far right under Sets to create a second set.
7. Name the new system set Greensafe Windows Servers
8. Click Save
9. Under Systems, click the Add button on the far right under Sets to create a third set.
10. Name the new set Greensafe Unix Servers
11. Click Save
12. Under Systems, click the Add button on the far right under Sets to create a fourth set.
13. Name the new set Greensafe Contractor Supported
14. Click Save
15. Use the table below to add the servers to the specific system sets.

    System Set | Assigned Systems
    Greensafe Domain Controllers | dc.greensafe.lab
    Greensafe Windows Servers | apps-server.greensafe.lab, db-server.greensafe.lab
    Greensafe Unix Servers | apps-unix.greensafe.lab, db-unix.greensafe.lab
    Greensafe Contractor Supported | db-server.greensafe.lab, db-unix.greensafe.lab

    To add a system to a set, select the systems, click the Actions button and select Add to Set. Once completed, the sets are available only to Alex Foster (you). The next steps will assign permissions to others to see each set, and set explicit permissions on the members of each set without assigning the permission to each system individually.
16. Right click the Greensafe Domain Controllers set and click Modify.
17. Under Permissions, click the Add button.
18. Search for and add PAS Admin Role
19. Under PAS Admin Role permissions, assign the View permission.
20. Click Save. This change will grant PAS Administrators permission to see the system set when they login.
21. Use the main menu on the left to navigate to Resources > Systems.
22. Right click the Greensafe Windows Servers set and click Modify.
23. Under Permissions, click the Add button.
24. Search for and add PAS Admin Role and PAS Power User Role
25. Under each of the roles added, confirm the View permission has been added.
26. Click Save. This change will grant PAS Administrators and PAS Power Users permission to see the system set when they login.
27. Use the main menu on the left to navigate to Resources > Systems.
28. Right click the Greensafe Unix Servers set and click Modify.
29. Under Permissions, click the Add button.
30. Search for and add PAS Admin Role and PAS Power User Role
31. Under each of the roles added, confirm the View permission has been added.
32. Click Save. This change will grant PAS Administrators and PAS Power Users permission to see the system set when they login.
33. Use the main menu on the left to navigate to Resources > Systems.
34. Right click the Greensafe Contractor Supported set and click Modify.
35. Under Permissions, click the Add button.
36. Search for and add PAS Admin Role and PAS Power User Role
37. Under each of the roles added, confirm the View permission has been added.
38. Click Save. This change will grant PAS Administrators and PAS Power Users permission to see the system set when they login.

Now that permissions are assigned to view the sets, let's assign permissions to the members of specific sets.

39. Use the main menu on the left to navigate to Resources > Systems.
40. Right click the Greensafe Unix Servers set and click Modify.
41. Under Member Permissions, click the Add button.
42. Search for and add Team_UnixAdmins
43. Under the Team_UnixAdmins permissions, confirm the View permission has been added.
44. Click Save
45. Use the main menu on the left to navigate to Resources > Systems.
46. Right click the Greensafe Contractor Supported set and click Modify.
47. Under Member Permissions, click the Add button.
48. Search for and add Contractor Role
49. Under the Contractor Role permissions, confirm the View permission has been added.
50. Click Save

Permissions have now been assigned to specific groups to see specific sets. We have also assigned member permissions to specific groups, so individual system permissions do not need to be assigned one system at a time. Now let's confirm the permissions, using the same accounts we worked with at the beginning of the exercise.

51. Using the Google Chrome menu, open a New Incognito Window so you can login as each of the users in the table below to confirm the information in the table.
    Username | Centrify Role or AD Group | Available Systems | Available Sets
    jmiller@greensafe.lab | PAS Admins | apps-server.greensafe.lab, apps-unix.greensafe.lab, db-server.greensafe.lab, db-unix.greensafe.lab, dc.greensafe.lab | Greensafe Domain Controllers, Greensafe Windows Servers, Greensafe Unix Servers, Greensafe Contractor Supported
    bhughes@greensafe.lab | PAS Power Users | apps-server.greensafe.lab, apps-unix.greensafe.lab, db-server.greensafe.lab, db-unix.greensafe.lab, dc.greensafe.lab | Greensafe Windows Servers, Greensafe Unix Servers, Greensafe Contractor Supported
    krogers@greensafe.lab | Team_UnixAdmins | apps-unix.greensafe.lab, db-unix.greensafe.lab | No Sets
    zContractor@lab.<tenant_ID> | Contractors Role | db-server.greensafe.lab, db-unix.greensafe.lab | No Sets
    lbennett@greensafe.lab | Contractors Role | db-server.greensafe.lab, db-unix.greensafe.lab | No Sets

    As you can see, permissions can be granted to systems through set membership without giving access to view the set itself, and without granting permission to each system individually.

Lab 9: Configure Shared Privileged Accounts

Systems have been added and permissions have been granted to see them, but users can only login with domain or local accounts whose passwords they already know, and sharing those passwords poses a critical security vulnerability. Greensafe has decided to vault the shared privileged accounts so their passwords are rotated to secured, high-entropy passwords. In this exercise, Alex (you) will add local and domain accounts to the Centrify Identity Platform and "vault" their passwords so they are rotated and secured.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab
Estimated time to complete this lab: 20 minutes

1. Use the main menu on the left to navigate to Resources > Systems.
2. Click apps-server.greensafe.lab
3. Click Accounts
4. Click the Add button to add a shared privileged account.
5. Enter the information below to add the shared privileged account to "the vault":
   Username: helpdesk-a
   Password: Centr1fy
   DO NOT CHECK Manage This Credential
6. Click Add
7. Repeat this process to add the shared privileged accounts for the following systems:

   Server | Username | Password
   db-server.greensafe.lab | helpdesk-a | Centr1fy
   db-unix.greensafe.lab | helpdesk-a | Centr1fy
   db-unix.greensafe.lab | root | password1
   apps-unix.greensafe.lab | helpdesk-a | Centr1fy
   apps-unix.greensafe.lab | root | password1

   At this point we have added the accounts in their current state, so production and management operations are not interrupted. This gives the organization time to alert the privileged users of these accounts that a new method for using them is on the way. Now let's move from local shared privileged accounts to a domain shared privileged account.
8. Use the main menu on the left to navigate to Resources > Domains.
9. Click the greensafe.lab domain.
10. Click Accounts
11. Click the Add button to add a domain shared privileged account.
12. Enter the information below to add a domain shared privileged account to "the vault":
    Username: helpdesk-d
    Password: Centr1fy
    DO NOT CHECK Manage This Credential
13. Click Add
14. Click Save

Now that shared privileged accounts have been added, let's examine how privileged users can interact with them. Please note that we have only added the accounts; individual account permissions have not been established.

15. Use the Google Chrome Incognito window to login as the users below to confirm the current visibility and access to the shared privileged accounts.

    Username | Centrify Role / AD Group | Server | Shared Privileged Account | View | Login | Check Out
    jmiller@greensafe.lab | PAS Admin Role | apps-server.greensafe.lab | helpdesk-a (local account) | YES | YES | YES
    bhughes@greensafe.lab | PAS Power User Role | apps-unix.greensafe.lab | helpdesk-a (local account) | YES | YES | NO
    krogers@greensafe.lab | Team_UnixAdmins | db-unix.greensafe.lab | helpdesk-a (local account) | NO | NO | NO
    zContractor@lab.<tenant_ID> | Contractors Role | db-unix.greensafe.lab | helpdesk-a (local account) | NO | NO | NO

    a. To view the available accounts, use the main menu on the left to navigate to Resources > Accounts.
    b. If the shared account is viewable in the list, right click the account to determine whether the Login and/or Checkout permissions are available.

    Joe Miller and Bob Hughes have privilege because global account and system permissions were applied earlier to the roles they are members of. Kim Rogers and the Contractor Support Account are members of specific roles, but those roles have no account privilege at this point.

    Greensafe has made the decision to rotate the helpdesk-a local shared accounts on all systems and provide the following role-based permissions:

    Centrify Role or AD Group | Login | Password Checkout | Server(s)
    System Administrator | Yes | Yes | All Systems
    PAS Admin Role | Yes | Yes | All Systems
    PAS Power User Role | Yes | Yes | All Systems
    Team_UnixAdmins | Yes | Yes | db-server.greensafe.lab, db-unix.greensafe.lab
    Contractors Role | Yes | No | db-server.greensafe.lab, db-unix.greensafe.lab

    In order to facilitate these permissions, we will use an account set to administer permissions and "vault" (manage) each of the local accounts.
16. Return to the Centrify Identity Platform (logged in as Alex Foster) and under Resources > Accounts, click the Add button on the far right under Sets.
17. Name the new account set Greensafe Shared Local Accounts
18. Click Members
19. Click the Add button
20. Search for helpdesk-a. An account for each of the following servers should be listed:
    • apps-server.greensafe.lab
    • db-server.greensafe.lab
    • db-unix.greensafe.lab
    • apps-unix.greensafe.lab
21. Select all accounts and click Add.
22.
Click Save.

With the set in place, we can now rotate the passwords for each account.

23. Click on the Helpdesk-a shared account for db-server.greensafe.lab.
24. Click Settings.
25. Check the box Manage This Credential.
26. Click Save.
27. Use the main menu on the left to navigate to Resources > Accounts.
28. Filter the list by clicking the Greensafe Shared Local Accounts set.
29. Click on the Helpdesk-a shared account for db-unix.greensafe.lab.
30. Click Settings.
31. Check the box Manage This Credential.
32. Click Save.
33. Use the main menu on the left to navigate to Resources > Accounts.
34. Filter the list by clicking the Greensafe Shared Local Accounts set.
35. Click on the Helpdesk-a shared account for apps-unix.greensafe.lab.
36. Click Settings.
37. Check the box Manage This Credential.
38. Click Save.
39. Use the main menu on the left to navigate to Resources > Accounts.
40. Filter the list by clicking the Greensafe Shared Local Accounts set.
41. Click on the Helpdesk-a shared account for apps-server.greensafe.lab.
42. Click Settings.
43. Check the box Manage This Credential.
44. Click Save.

The passwords for these accounts have now been rotated to high-entropy secured passwords. To confirm the change, right click on each of the accounts and select Checkout. Once confirmed, right click the account again and select Checkin.

Now that the accounts are more secure, we can apply the specific role-based privilege.

45. Right click the Greensafe Shared Local Accounts set and click Modify.
46. Under Permissions, click the Add button.
47. Search for and add the PAS Admin Role and PAS Power User Role.
48. Under each of the roles added, confirm the View permission has been added.
49. Click Save.
50. Click Member Permissions.
51. Click Add.
52. Search for and add System Administrator and PAS Admin Role.
53. Under each of the roles added, add the following permissions: View, Checkout, Login, Edit, Update Password, Rotate.
54. Click Save.

Since the Contractors and UNIX admins do not require access to all of the shared local accounts, we can either configure role-based permissions for the two database servers individually or create a second set with the appropriate privileges. For the rest of this exercise, we will apply role-based permissions on each system.

55. Click on the Helpdesk-a account for db-unix.greensafe.lab.
56. Under Permissions, click the Add button.
57. Search for and add Team_UnixAdmins.
58. Under the permissions of Team_UnixAdmins, assign the following permissions: View, Checkout, and Login.
59. Click Save.

Use Steps 55-59 to apply View, Checkout, and Login permissions to Team_UnixAdmins for the helpdesk-a account on apps-unix.greensafe.lab.

60. Click on the Helpdesk-a account for db-unix.greensafe.lab and, under Permissions, click Add.
61. Search for and add Contractors Role.
62. Under the permissions of the Contractors Role, assign the following permissions: View and Login.
63. Click Save.
64. Click on the Helpdesk-a account for db-server.greensafe.lab.
65. Under Permissions, click the Add button.
66. Search for and add Contractor Role.
67. Under the permissions of the Contractors Role, assign the following permissions: View and Login.
68. Click Save.

Once completed, use the Google Chrome Incognito window to log in as the users below and confirm the permissions were applied accurately.

Username | Centrify Role / AD Group | Server | Shared Privileged Account | View | Login | Check Out
--- | --- | --- | --- | --- | --- | ---
jmiller@greensafe.lab | PAS Admin Role | apps-server.greensafe.lab | Helpdesk-a (local account) | Yes | Yes | Yes
bhughes@greensafe.lab | PAS Power User Role | apps-unix.greensafe.lab | Helpdesk-a (local account) | Yes | Yes | Yes
krogers@greensafe.lab | Team_UnixAdmins | db-unix.greensafe.lab | Helpdesk-a (local account) | Yes | Yes | Yes
zContractor@lab.<tenant_ID> | Contractors Role | db-server.greensafe.lab | Helpdesk-a (local account) | Yes | Yes | NO

   c. To view available accounts, use the main menu on the left to navigate to Resources > Accounts.
   d. If the shared account is viewable in the list, right click on the account to determine whether Login and/or Checkout permissions are available.

Lab 10: Secure Remote Login

With local shared account passwords "vaulted", users who know the old password will no longer be able to log in to the servers without going through the Centrify Identity Platform to perform a Secure Remote Login or a Secure Password Checkout. In this exercise, privileged users will log in to servers using the Secure Remote Login method.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 10 minutes

1. Using the Google Chrome Incognito Window, log in to the Centrify Identity Platform with the following credentials:
   Username: Lbennett@greensafe.lab
   Password: Centr1fy
2. Use the main menu on the left to navigate to Resources > Systems.
3. Right click on the db-server.greensafe.lab server and, under Login, select Enter account.
4. Log in to the server with the following credentials:
   Username: Lbennett@greensafe.lab
   Password: Centr1fy
5. Once the remote session is established, use the Start menu to launch the Windows Administrative Tools.
6. Launch Windows Firewall with Advanced Security.

You will notice that the firewall settings cannot be changed because Laura Bennett does not have permission to change them; privilege is required.

7. Sign out of the remote session.

Now Laura will log in using a shared privileged account she has permission to use.

8.
Use the main menu on the left to navigate to Resources > Accounts.
9. Right click on the Helpdesk-a account for db-server.greensafe.lab and select Login.

You will notice that the remote connection was completed without the password being revealed.

10. Use the Start menu to launch the Windows Administrative Tools.
11. Launch Windows Firewall with Advanced Security.

You will notice that the firewall settings can be changed, since the Helpdesk-a account is a local administrator of the server.

12. Sign out of the remote session and log out of the portal as Laura Bennett.

Shared privileged accounts have been applied to both Windows and UNIX based systems. Let's repeat the process for a Unix system.

13. Using the Google Chrome Incognito Window, log in to the Centrify Identity Platform with the following credentials:
    Username: zcontractor@lab.<tenant_ID>
    Password: Centr1fy
14. Use the main menu on the left to navigate to Resources > Accounts.
15. Right click on the Helpdesk-a account for the db-unix.greensafe.lab server and select Login.
16. Once the remote session is established, type the following command:
    sudo cat /etc/shadow

You will notice this administrative command requires a password to be entered. Since the password has been vaulted and was not revealed, it will have to be checked out. This is another layer of security that protects the server from unauthorized use.

17. Log out of the remote session.

Lab 11: Secure Password Checkout

In the previous exercise, we examined how shared privileged accounts can be used without compromising the password. In this exercise, we will examine how passwords can be checked out and used in a third-party client to log in and perform administrative tasks, and then rotated after check-in.
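The rules behind Labs 8 to 11 can be stated compactly: a user sees a system set only with a View grant on the set itself; a user sees a system through a global grant or through a member permission on a set that contains it; rights on a shared account apply only while the account's system is visible; Login brokers the session without revealing the password, whereas Checkout reveals it, and check-in of a managed credential rotates it. The Python model below is an added example, not part of the lab guide or of the Centrify product. Its data is constructed from the lab tables: only the sets and grants configured on this page are modelled, the admin roles' global system visibility from earlier in the course is an assumption, the Team_UnixAdmins account scope follows the per-account steps 55-59 of Lab 9, and the names visible_systems, account_permissions and Vault are this example's own.

```python
"""Toy model of the visibility, permission and vaulting rules exercised in Labs 8-11.
Added example, not part of the lab guide or the Centrify product; data is constructed."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALL = "ALL"  # scope marker: every system
SYSTEMS = {"dc.greensafe.lab", "apps-server.greensafe.lab", "db-server.greensafe.lab",
           "apps-unix.greensafe.lab", "db-unix.greensafe.lab"}
SYSTEM_SETS = {"Greensafe Unix Servers": {"apps-unix.greensafe.lab", "db-unix.greensafe.lab"},
               "Greensafe Contractor Supported": {"db-server.greensafe.lab", "db-unix.greensafe.lab"}}
# Set "Permissions" (Lab 8 steps 34-38): who may see the set object itself.
SET_VIEW = {"Greensafe Contractor Supported": {"PAS Admin Role", "PAS Power User Role"}}
# Set "Member Permissions" (steps 39-50): View flows down to every system in the set.
SET_MEMBER_VIEW = {"Greensafe Unix Servers": {"Team_UnixAdmins"},
                   "Greensafe Contractor Supported": {"Contractors Role"}}
GLOBAL_SYSTEM_VIEW = {"PAS Admin Role", "PAS Power User Role"}  # granted earlier in the course (assumed)
# Shared-account rights per role as (systems in scope, rights); the admin roles follow the
# Lab 9 table, Team_UnixAdmins and Contractors follow the per-account steps 55-68.
ACCOUNT_GRANTS = {
    "PAS Admin Role": (ALL, {"View", "Login", "Checkout"}),
    "PAS Power User Role": (ALL, {"View", "Login", "Checkout"}),
    "Team_UnixAdmins": ({"db-unix.greensafe.lab", "apps-unix.greensafe.lab"}, {"View", "Login", "Checkout"}),
    "Contractors Role": ({"db-server.greensafe.lab", "db-unix.greensafe.lab"}, {"View", "Login"}),
}
USER_ROLES = {"jmiller@greensafe.lab": {"PAS Admin Role"}, "bhughes@greensafe.lab": {"PAS Power User Role"},
              "krogers@greensafe.lab": {"Team_UnixAdmins"}, "zContractor@lab.<tenant_ID>": {"Contractors Role"}}

def visible_sets(user):
    roles = USER_ROLES.get(user, set())
    return {name for name, viewers in SET_VIEW.items() if roles & viewers}

def visible_systems(user):
    roles = USER_ROLES.get(user, set())
    if roles & GLOBAL_SYSTEM_VIEW:
        return set(SYSTEMS)
    return {s for name, members in SET_MEMBER_VIEW.items() if roles & members for s in SYSTEM_SETS[name]}

def account_permissions(user, system):
    """Rights on the shared account of `system`; none at all while the system itself is hidden."""
    if system not in visible_systems(user):
        return set()
    rights = set()
    for role in USER_ROLES.get(user, set()):
        scope, granted = ACCOUNT_GRANTS.get(role, (set(), set()))
        if scope == ALL or system in scope:
            rights |= granted
    return rights

def new_password(length=24):
    """High-entropy replacement password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class VaultedAccount:
    system: str
    username: str
    password: str
    managed: bool = False  # "Manage This Credential" checked?
    checked_out_by: Optional[str] = None

class Vault:
    def __init__(self):
        self.accounts = {}

    def add(self, system, username, password):
        """Store the account as-is (unmanaged), so nothing changes on the target yet."""
        acct = VaultedAccount(system, username, password)
        self.accounts[(system, username)] = acct
        return acct

    def manage(self, acct):
        acct.managed = True
        acct.password = new_password()  # from here on the old password no longer works

    def login(self, user, acct):
        if "Login" not in account_permissions(user, acct.system):
            raise PermissionError(f"{user} may not log in as {acct.username}@{acct.system}")
        return True  # session is brokered by the platform; the password is never shown

    def checkout(self, user, acct):
        if "Checkout" not in account_permissions(user, acct.system):
            raise PermissionError(f"{user} may not check out {acct.username}@{acct.system}")
        acct.checked_out_by = user
        return acct.password

    def checkin(self, user, acct):
        if acct.checked_out_by != user:
            raise PermissionError(f"{acct.username}@{acct.system} is not checked out by {user}")
        acct.checked_out_by = None
        if acct.managed:
            acct.password = new_password()  # rotate: a person has seen the old value
```

account_permissions("krogers@greensafe.lab", "db-server.greensafe.lab") returns an empty set even though Team_UnixAdmins has rights on database accounts: the system is not visible to her, so the account is not either. Checking in a managed account rotates the password, so a value pasted into PuTTY during Lab 11 stops working after check-in; an account added with Manage This Credential unchecked keeps the password that was entered.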
Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 10 minutes

1. Using the Google Chrome Incognito Window, log in to the Centrify Identity Platform with the following credentials:
   Username: krogers@greensafe.lab
   Password: Centr1fy
2. Use the main menu on the left to navigate to Resources > Accounts.
3. Right click on the Helpdesk-a account for db-unix.greensafe.lab and select Checkout.
4. Click Show Password to see the high-entropy password.
5. Click Copy to copy the password to the clipboard.
6. Use the Start menu or desktop shortcut to launch PuTTY and log in to db-unix.greensafe.lab with the following credentials:
   Username: helpdesk-a
   Password: right click to paste the checked-out password (nothing will appear in the remote session window), then press Enter to complete the login.
7. Once the remote session is established, type the following command:
   sudo cat /etc/shadow

You will notice this administrative command requires a password to be entered. Right click when prompted for the password (it will not be displayed in the remote session window), then press Enter to complete the task.

8. Log out of the session.

Lab 12: Configuring Secrets

Another element of the vault is the storage of secure information. In this exercise, Alex (you) will create secrets, group them into sets and assign role-based permissions to the personnel who require access to the information.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. Use the main menu on the left to navigate to Resources > Secrets.
2. Click Add Secret.
3. Name the secret Alarm System Emergency Password.
4. Click Enter Text.
5. In the space provided, type By The Numbers.
6. Click OK.
7. Click Save.
8. Click Add Secret to add a second secret.
9. Name the secret Accountant License Numbers.
10. Use the drop-down menu and select File.
11. Click Select File.
12. Browse and add C:\Share\Accountant License Numbers.txt
13. DO NOT ENTER A PASSWORD and click OK.
14. Click Save.

Greensafe has decided on the permissions below for secret retrieval.

Secret | Retrieval Permissions
--- | ---
Alarm System Emergency Password | System Administrator
Accountant License Numbers | System Administrator, Team_Finance

15. Click the Add button on the right under Sets.
16. Name the new set Greensafe Secrets.
17. Click Save.
18. Right click on each of the secrets and add them to the new set.
19. Right click on the Greensafe Secrets set and click Modify.
20. Click Permissions.
21. Under System Administrator permissions, confirm the View permission has been assigned.
22. Click Member Permissions.
23. Click Add.
24. Search for and add System Administrator.
25. Under System Administrator permissions, assign View and Retrieve Secret permissions.
26. Click Save.

This groups the secrets into a set for system administrators and grants them the ability to retrieve any secret in the set. Now we will apply permissions to the secrets individually.

27. Use the main menu on the left to navigate to Resources > Secrets.
28. Click the Accountant License Numbers secret.
29. Under Permissions, click Add.
30. Search for and add Team_Finance.
31. Under Team_Finance permissions, assign View and Retrieve Secret permissions.
32. Click Save.

Let's now take a look at how privileged users interact with secrets.

33. Using the Google Chrome Incognito Window, log in to the Centrify Identity Platform to confirm the information below:

Login As | Set Visible | Secret Available
--- | --- | ---
krogers@greensafe.lab | No | Accountant License Numbers
admin@lab.<tenant_id> | Yes | Accountant License Numbers, Alarm System Emergency Password

Lab 13: Configure Access Request and Approval Workflow

For auditing and security purposes, Greensafe requires a documented approval workflow for privileged resource requests. In this exercise, Alex (you) will configure an approval request workflow for Secure Remote Login, Password Checkout and Secret Retrieval.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 20 minutes

1. The Auditors require access to all database systems, database shared privileged accounts and all secrets during their auditing period. Currently they are not assigned a role granting any access, so a new role will need to be created with minimal privilege. Use the main menu on the left to navigate to Access > Roles.
2. Click Add Role.
3. Name the new role Auditor Role.
4. Click Administrative Rights.
5. Click Add.
6. Select Privilege Access Service User.
7. Click Add.
8. Click Members.
9. Click Add.
10. Search for and add Team_Auditors.
11. Click Save.
12. Use the main menu on the left to navigate to Resources > Systems.
13. The database servers are grouped in a set for contractors. Right click the Greensafe Contractor Supported set and click Modify.
14. Click Member Permissions.
15. Click Add.
16. Search for and add Auditor Role.
17. Under the permissions of the Auditor Role, confirm the View permission has been assigned.
18. Click Save.

Now we need to assign permissions to the database server shared privileged accounts.

19.
Use the main menu on the left to navigate to Resources > Accounts.
20. Right click the Greensafe Helpdesk Accounts set and click Modify.
21. Under Member Permissions, click the Add button.
22. Search for and add Auditor Role.
23. Under the permissions of the Auditor Role, confirm the View permission has been assigned.
24. Click Save.

Now we need to grant the Auditors visibility of secrets.

25. Use the main menu on the left to navigate to Resources > Secrets.
26. Secrets are currently stored in a set. Right click on the Greensafe Secrets set and click Modify.
27. Click Member Permissions.
28. Click Add.
29. Search for and add Auditor Role.
30. Under the permissions of the Auditor Role, confirm the View permission has been assigned.
31. Click Save.

Now we can configure the workflow, which is done on individual resources.

32. Click on the secret Accountant License Numbers.
33. Click Workflow.
34. Use the drop-down menu to enable workflow.
35. Click Add.
36. Use the Approver List drop-down menu to select a specified user or role.
37. Click Add.
38. Alex Foster will be the only approver. Search for and add afoster@greensafe.lab.
39. Click Save.
40. Use the main menu on the left to navigate to Resources > Accounts.
41. Click the Helpdesk-a account for db-server.greensafe.lab.
42. Click Workflow.
43. Use the drop-down menu to enable workflow.
44. Under Approver List, click Add.
45. Search for and add afoster@greensafe.lab.
46. Click Save.

Repeat Steps 40-46 to configure workflow for the Helpdesk-a account on db-unix.greensafe.lab.

Now let's test the workflow process.

47. Using the Google Chrome Incognito Window, log in to the Centrify Identity Platform with the following auditor credentials:
    Username: ahouston@greensafe.lab
    Password: Centr1fy
48. Use the main menu on the left to navigate to Resources > Systems. Amy should only see two database servers.
49. Use the main menu on the left to navigate to Resources > Accounts. Amy should only see two shared privileged accounts.

POP QUIZ: Why can Amy Houston only see two accounts when member permissions were applied at the set level?

50. Right click on the Helpdesk-a account for db-server.greensafe.lab and click Request Login.
51. Enter a reason for requiring login privileges and click Submit.
52. While the request is waiting to be reviewed, right click on the Helpdesk-a account for db-unix.greensafe.lab and click Request Checkout.
53. Enter a reason for requiring checkout privileges and click Submit.
54. While the requests are waiting to be reviewed, use the main menu on the left to navigate to Resources > Secrets. Amy should see two secrets.
55. Right click on the Accountant License Numbers secret and click Request Retrieval Access.
56. Enter a reason for requiring retrieval access and click Submit.

Now let's go and review the requests.

57. Return to the Centrify Identity Platform (logged in as Alex Foster) and use the main menu on the left to navigate to Access > Requests.
58. Review the individual requests and use the information below to respond to each request.

Request | Approved or Rejected | Reason
--- | --- | ---
Login to db-server.greensafe.lab | Approved | N/A
Checkout of Helpdesk-a for db-unix.greensafe.lab | Rejected | Password Checkout is reserved for IT and Administrators Team Members
Secrets Retrieval | Approved | N/A

After responding to each request, return to the Google Chrome Incognito window to see how the responses affect Amy's ability to use the resources.

59. Use the main menu on the left to navigate to Access > Requests.
60. Review the requests.
61. Use the main menu on the left to navigate to Resources > Accounts.
62. Right click on Helpdesk-a for db-server.greensafe.lab and click Login. A secure remote login session should be started.
63. Sign out of the session.
64. Use the main menu on the left to navigate to Resources > Secrets.
65. Right click on the Accountant License Numbers secret and click Retrieve. The file should be downloaded and can be opened.
66. Use the main menu on the left to navigate to Resources > Accounts.
67. Right click on Helpdesk-a for db-unix.greensafe.lab. You will notice there is no option to check out the password without submitting a request.

Answer to the Pop Quiz: Why can Amy Houston only see two accounts when member permissions were applied at the set level?

While four accounts were added to the set, Amy was only able to see the accounts belonging to systems she had visibility into. Since Amy was not granted View permission on the apps-server and apps-unix servers, the helpdesk-a accounts for those servers were not visible either.

Lab 14: Configuring Multifactor Authentication

With all resources in place and privilege assigned, it is time to validate the user's identity before access is granted. In this exercise, Alex (you) will configure multifactor authentication for specific resources.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 20 minutes

1. Greensafe has decided to use Security Questions as one of the challenges for satisfying MFA (each user must answer two administrator-defined questions and one user-defined question). To configure this requirement, Alex (you) must configure the administrator-defined questions, then adjust the policy so that all users answer them. Use the main menu on the left to navigate to Settings > Authentication.
2. Under Security Questions, click the Add button.
3. Type the question: What is your favorite color?
4. Click OK.
5. Click Add again to add the second question.
6.
Type the question: What is your favorite sport?
7. Click OK.

Now it is time to adjust the Default User Policy.

8. Use the main menu on the left to navigate to Access > Policies.
9. Click Add Policy Set.
10. Name the new policy Greensafe Security Policy.
11. Under Policy Assignment, click Specified Roles.
12. Click the Add button.
13. Select each of the roles listed below and click Add.
    • Auditor Role
    • Contractor Role
    • PAS Admin Role
    • PAS Power User Role
    • PAS User Role
14. Click User Security.
15. Click User Account Settings.
16. Use the drop-down menu to enable users to configure Security Questions.
17. Set the number of required user-defined questions to 1.
18. Set the number of required admin-defined questions to 2.
19. Click Save.

Now you can answer the security questions for Alex Foster.

20. Click the Profile menu at the upper right and click Profile.
21. Click Security Questions.
22. Use the drop-down menu to select the admin-defined questions. It is recommended (for training only) to use the same answers for all users. You can use the answers below or use your own answers.
    What is your Favorite Color? RED
    What is your Favorite Sport? GOLF
23. Create the final question and answer it for Alex. It is recommended (for training only) to use the same answers for all users. You can use the question and answer below or customize it for each user.
    What city were you born in? ROME
    Remember that answers are CaSe SeNsItIvE and you will be required to answer them exactly as you typed them in.
24. Click Save.
25. Click Close to close the Profile.
26. Using the Google Chrome Incognito Window, log in as each of the users listed below and configure the Security Questions.

User | Favorite Color? | Favorite Sport? | Where were you born?
--- | --- | --- | ---
jmiller@greensafe.lab | Red | Golf | Rome
bhughes@greensafe.lab | Red | Golf | Rome
krogers@greensafe.lab | Red | Golf | Rome
ahouston@greensafe.lab | Red | Golf | Rome
lbennett@greensafe.lab | Red | Golf | Rome
badams@greensafe.lab | Red | Golf | Rome
zContractor@lab.<tenant_ID> | Red | Golf | Rome

Once the Security Questions have been answered, we can create the Authentication Profile that establishes the MFA challenges.

27. Return to the Centrify Identity Platform (logged in as Alex Foster) and use the main menu on the left to navigate to Settings > Authentication > Authentication Profiles.
28. Click Add Profile.
29. Name the new profile Greensafe MFA Profile.
30. Under Challenge 1, check Password; under Challenge 2, check Security Questions and leave the default number of questions to be answered at 1.
31. Use the drop-down menu to set the Challenge Pass-through duration to No Passthrough.
32. Click OK.

Now we can configure MFA on individual resources.

33. Use the main menu on the left to navigate to Resources > Accounts.
34. Click the Helpdesk-a account for db-unix.greensafe.lab.
35. Click Policy.
36. Use the drop-down menu to change the Default Password Checkout Profile to Greensafe MFA Profile.
37. Click Save.

Now that we have configured MFA for password checkout, let's configure MFA on a different server for secure remote login.

38. Use the main menu on the left to navigate to Resources > Systems.
39. Click db-server.greensafe.lab.
40. Click Policy.
41. Use the drop-down menu to change the Default System Login Profile to Greensafe MFA Profile.
42. Click Save.

Now let's configure MFA for Secrets.

43. Use the main menu on the left to navigate to Resources > Secrets.
44. Click the Accountant License Numbers secret.
45. Click Policy.
46. Use the drop-down menu to change the Default Secret Challenge Profile to Greensafe MFA Profile.
47. Click Save.

Now let's see how users access the Centrify Identity Platform and privileged resources.

48. Using the Google Chrome Incognito Window, log in as each of the users listed below and determine whether each user is prompted for MFA.

User | Secure Remote Login? (db-server.greensafe.lab) | Password Checkout? (Helpdesk-a on db-unix.greensafe.lab) | Secret Retrieval? (Accountant License Numbers)
--- | --- | --- | ---
afoster@greensafe.lab | YES | YES | YES
bhughes@greensafe.lab | YES | YES | YES
krogers@greensafe.lab | NOT VISIBLE | YES | YES
ahouston@greensafe.lab | REQUEST LOGIN | REQUEST CHECKOUT | YES
zcontractor@lab.<tenant_ID> | YES | REQUEST CHECKOUT | NOT VISIBLE

Amy Houston and the Contractor Support Account must request privilege because those resources are configured for workflow. Once the requests are approved, MFA will be prompted when the privilege is used. Visibility for Kim Rogers and the Contractor Support Account is based on the role-based permissions applied earlier in this course.

Lab 15: Configure Self-Service Options

Greensafe Management has recognized a high number of helpdesk requests related to password resets and account unlocks. In this exercise, Alex (you) will configure self-service options in the Centrify Identity Platform so users can use the platform and multifactor authentication to unlock their account or reset their password.

Systems used in this lab: dc.greensafe.lab, apps-server.greensafe.lab, db-server.greensafe.lab, apps-unix.greensafe.lab, db-unix.greensafe.lab

Estimated time to complete this lab: 20 minutes

It is important to note that Active Directory must be configured for account lockout before configuring the self-service options within the Centrify Identity Platform. This training environment has been preconfigured via GPO to lock accounts for 10 minutes after 3 failed login attempts.

1. Use the main menu on the left to navigate to Settings > Authentication > Authentication Profiles.
2. Click Add Profile.
3. Name the new profile Greensafe Self Service Profile.
4.
Under Challenge 1, check Security Questions and leave the default number of questions to be answered at 2. 5. Use the drop-down menu to set the Challenge Pass-through duration to No Passthrough. 6. Click OK 7. Use the main menu at the left to navigate to Access Policies 8. Click the Greensafe Security Policy 9. Click User Security 10. Click Self Service 11. Use the drop-down menu to enable account self-service controls. 12. Under Password Reset, click the checkbox to allow password reset for Active Directory users 49 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide 13. Use the drop-down menu to change the Password Reset Authentication Profile to Greensafe Self Service Profile 14. Under Account Unlock, click the checkbox to enable account unlock. 15. Click the checkbox to allow account unlock for Active Directory users. 16. Click the checkbox to show a message to users that the account is locked. 17. Use the drop-down menu to change the Account Unlock Authentication Profile to Greensafe MFA Profile 18. Under Active Directory Self Service Settings, click Use these credentials and enter the username and password below: Username: cfyadmin@greensafe.lab Password: Centr1fy 19. Click Save Now let’s see how self-service options work for users. 20. Switch machines to the db-server.greensafe.lab and login with the following credentials. Hint… the password is incorrect Username: ahouston@greensafe.lab Password: Houston123 Attempt to login multiple times until the account is locked. 21. Switch back to app-server.greensafe.lab and launch Active Directory Users and Computers (ADUC). 22. Locate and open the properties of Amy Houston’s user account. 23. Click the Account Tab and confirm the account is currently locked. DO NOT UNLOCK IT. This will be done using the Centrify Identity Platform. Close the user account properties, but leave ADUC open as we will return to it. 24. 
In the Centrify Identity Platform, use the main menu on the left to navigate Access Users 25. Right click on Amy Houston’s account and click Reload Rights. Once reloaded, refresh the page to show the account in a suspended state. 50 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide 26. Using the Google Chrome Incognito Window, login with the following credentials: Username: ahouston@greensafe.lab CORRECT Password: Centr1fy You will notice Amy was prompted for a security question. This is because the account is currently locked and additional validation is required. Once answered, Amy can login to the platform. Return to Active Directory Users and Computers (ADUC) and check the properties of Amy’s account again and you will notice it is no longer locked. Refresh the page in the Centrify Identity Platform to show that Amy’s account is no longer suspended. Now let’s change a password. 27. Logout of the Platform as Amy Houston. 28. Enter Amy’s username again. (ahouston@greensafe.lab) 29. Do not enter the password, click Forgot Password. 30. You will notice Amy was now prompted for two (2) security questions. This is because the policy is set to prompt for MFA when a user wants to change their password. 31. Answer the Security Questions and click Next 32. Change the password to Centrify#2021 and once completed, you will be able to login to the platform. Since this was only a password reset, there is no need to login unless you want to confirm the password change was successful. You can also switch systems to login to another server with the new password to confirm the new password is successful. 51 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide Lab 16: Install Centrify Client (CCLient) In this exercise, Alex (you) will prepare systems for Centrify client side features by installing the Centrify Client on existing systems. 
Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
    db-server.greensafe.lab
    apps-unix.greensafe.lab
    db-unix.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Use the main menu on the left to navigate to Downloads.
2. Locate the Centrify Client for Windows and click the download link (do not download the Audit Extension).
3. Launch the installer (cagentinstaller.msi).
4. On the Welcome Message, click Next.
5. When prompted to enter enrollment parameters, click Next (these parameters will be entered later).
6. Under the Manual Enrollment message, click Next.
7. Click Install.
8. Click Finish.

Now let's install CClient on a UNIX-based system.

9. Establish a remote session into the apps-unix.greensafe.lab server (using PuTTY or the Centrify Identity Platform). Log in using the following credentials:
    Username: root
    Password: password1
10. Run the following command to confirm the Centrify Client is not currently installed:
    yum list CentrifyCC
11. Run the following command to install the Centrify Client:
    yum install CentrifyCC -y

Lab 17: Enroll Systems for Client Side Features

In this exercise, Alex (you) will use the command line utility (cenroll) to register existing systems for client-side features. This exercise includes creating an enrollment code, which is required to register systems and enable their client-side features.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
    db-server.greensafe.lab
    apps-unix.greensafe.lab
    db-unix.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Use the main menu on the left to navigate to Settings > Enrollment.
2. Under Enrollment Codes, click Add.
3. Set the Enrollment Code Expiration to Never.
4. Set the Max Joinable Servers to 5.
5. Under the Owner, click the Select button.
6. Click to select PAS Admin Role and click Select.
7. Click Save.
8. Click Copy to copy the enrollment code to the clipboard.
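Before the cenroll commands in the steps that follow, here is an added example of a small POSIX shell wrapper around that command line. It is not part of the lab guide and not Centrify's tooling: only the flags shown in this guide (-t, -F, -c, -f) come from the page; the function names, the CENTRIFY_ENROLL_CODE variable and the tenant URL pattern are assumptions made for the example. The wrapper checks the tenant URL shape before anything is sent, refuses an empty enrollment code, selects either every client feature (-F all, the form used in this lab) or brokered authentication only (-F agentauth, the form used in Lab 19), and takes the code from an environment variable instead of a pasted command line so that the code does not end up in shell history.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling. Wrapper around the cenroll
# command line used in Labs 17 and 19. Flags -t/-F/-c/-f are the ones the
# lab shows; function names and CENTRIFY_ENROLL_CODE are assumptions.

# validate_tenant_url URL
# Returns 0 when URL has the shape https://<tenant-id>.my.centrify.net
# (the shape the lab's examples use), 1 otherwise. Rejects plain http://
# and anything carrying a path, so a typo cannot send the code elsewhere.
validate_tenant_url() {
    printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9-]+\.my\.centrify\.net$'
}

# build_cenroll_args MODE URL CODE
# Prints the argument list for cenroll without running it.
#   full    -> -F all       (every client feature, as in Lab 17, with its -f)
#   broker  -> -F agentauth (brokered authentication only, as in Lab 19)
# Fails with a message on stderr for a bad URL, empty code or unknown mode.
build_cenroll_args() {
    mode=$1; url=$2; code=$3
    if ! validate_tenant_url "$url"; then
        echo "tenant URL does not look like https://<id>.my.centrify.net: $url" >&2
        return 1
    fi
    if [ -z "$code" ]; then
        echo "enrollment code is empty (set CENTRIFY_ENROLL_CODE)" >&2
        return 1
    fi
    case $mode in
        full)   printf '%s' "-t $url -F all -c $code -f" ;;
        broker) printf '%s' "-t $url -F agentauth -c $code" ;;
        *)      echo "unknown mode: $mode (use full or broker)" >&2; return 1 ;;
    esac
}

# enroll MODE URL
# Reads the enrollment code from $CENTRIFY_ENROLL_CODE and runs cenroll.
# Returns 2 (after printing what it would run) when cenroll is not installed.
enroll() {
    args=$(build_cenroll_args "$1" "$2" "${CENTRIFY_ENROLL_CODE:-}") || return 1
    if command -v cenroll >/dev/null 2>&1; then
        # word splitting of $args is intentional: it is the argument list
        cenroll $args
    else
        echo "cenroll not found; would run: cenroll $args" >&2
        return 2
    fi
}
```

Usage on a Windows host is the same idea in PowerShell; on the UNIX hosts in this lab it is `CENTRIFY_ENROLL_CODE=<code> sh -c '. ./enroll.sh; enroll full https://aaa1234.my.centrify.net'`. The argument list still appears in the process table while cenroll runs, which is why the enrollment code's expiration and Max Joinable Servers settings from steps 3 and 4 matter: a code that never expires and is not limited stays useful to anyone who reads it.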
Let's now register the client on the Windows system using PowerShell.

9. Open PowerShell.
10. Run the following command to register and enable client-side features:
    cenroll -t <tenant url> -F all -c <paste the enrollment code> -f
    Tenant URL example: https://aaa1234.my.centrify.net
11. Return to the Centrify Identity Platform and locate and click on the apps-server.greensafe.lab server.
12. Click Client Profile to confirm the CClient version and enabled features.

Let's now register the client on a UNIX-based system.

13. Using PuTTY, establish a remote session into the apps-unix.greensafe.lab server. Log in using the following credentials:
    Username: root
    Password: password1
14. Run the following command to register and enable client-side features:
    cenroll -t <tenant url> -F all -c <paste the enrollment code> -f
    Tenant URL example: https://abc1234.my.centrify.net
15. Return to the Centrify Identity Platform and locate and click on the apps-unix.greensafe.lab server.
16. Click Client Profile to confirm the CClient version and enabled features.

Lab 18: Configure Use My Account

In this exercise, Alex (you) will configure systems to use the "Use My Account" feature to establish secure remote login sessions.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
    db-server.greensafe.lab
    apps-unix.greensafe.lab
    db-unix.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. Open a remote session to apps-unix.greensafe.lab using PuTTY or the Centrify Identity Platform. Log in with the following credentials:
    Username: root
    Password: password1
2. Run the following command to list user profiles:
    cut -d: -f1 /etc/passwd
    You will notice at the end of the list the following user profiles exist.
    • afoster-a
    • cfyadmin
    • helpdesk-a
    • kim
    • sam
    All other profiles are created as part of the default installation of the operating system.
3. Run the following command to download the "Use My Account" master SSH key:
    curl <tenant URL>/servermanage/getmastersshkey --output /etc/ssh/cps_ca.pub
    Tenant URL example: https://aaa1234.my.centrify.net
4. Run the following command to restart the SSHD service:
    systemctl restart sshd
5. Return to the Centrify Identity Platform, navigate to the apps-unix.greensafe.lab server and click on the server to open its properties.
6. Click Settings.
7. Click the checkbox to indicate "Use My Account" is configured on the system.
8. Click Permissions.
9. Under the permissions for the PAS Admin Role, add the AgentAuth permission.
10. Click Save.
11. Open a Google Chrome Incognito window and browse to the Centrify Identity Platform. Log in with the following credentials:
    Username: jmiller
    Password: Centr1fy
12. Use the main menu on the left to navigate to Resources > Systems.
13. Right-click on the apps-unix.greensafe.lab server and click Use My Account.
14. Once the secure remote session is open, run the following command:
    whoami
15. Run the following command again to view a list of user profiles on the system:
    cut -d: -f1 /etc/passwd
    You will notice at the end of the list the following user profiles exist.
    • afoster-a
    • cfyadmin
    • helpdesk-a
    • kim
    • sam
    You will also notice that jmiller is not listed. This is because he is logging in with a master SSH key, which he has the privilege to use to log in to the system.
16. Log out of the secure remote session.

Lab 19: Configure Brokered Authentication

In this exercise, Alex (you) will configure brokered authentication for systems on an isolated network.
This will include the prerequisite configurations in the Centrify Identity Platform, the deployment of a second Centrify Connector, and the installation and configuration of the Centrify Client.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Use the Skytap Navigation dashboard to power on the following systems:
    devops-win
    devops-unix
Estimated time to complete this lab: 25 minutes

Part One: Deploy Centrify Connector

1. Open the DevOps-Win system (in Skytap) and log in with the following credentials:
    Username: afoster-a
    Password: Centr1fy
2. Use the browser to log in to the Centrify Identity Platform with the following credentials:
    Username: afoster@greensafe.lab
    Password: Centr1fy
3. Use the main menu on the left to navigate to Settings > Network.
4. Click Registration Codes.
5. Click Add.
6. Configure a new Registration Code for the deployment of Centrify Connectors:
    Name: Greensafe Connector Code
    Code Expiration: Never
    Registration Max: 5
7. Right-click on Greensafe Connector Code and click Retrieve Code.
8. Click Copy to copy the Registration Code to the clipboard.
9. Click Centrify Connectors.
10. Click Add Centrify Connector.
11. Click the 64-bit link to download the Centrify Connector installation package.
12. Extract the installation package and launch the Cloud-Mgmt-Suite installation.
13. At the Welcome Message, click Next.
14. Accept the EULA and click Next.
15. At the Feature Selections, click Next.
16. Click Install.
17. Click Finish. The Centrify Connector Configuration Wizard will automatically launch.
18. At the Welcome Message, click Next.
19. At the Connector Configuration option for strong encryption, maintain the default setting and click Next.
20. A Web Proxy will not be used in this exercise. Maintain the default option and click Next.
21. Under the Connection and Registration, type in the Tenant URL in the space provided.
    Tenant URL example: https://aaa1234.my.centrify.net
22. Click the checkbox for the registration code and paste the registration code in the space provided.
23. Click Next. You will notice that, unlike the first Centrify Connector installed earlier in this course, this installation did not prompt for Active Directory options. This is because the system is a stand-alone system with no visibility into the Greensafe AD environment.
24. After the tests are complete, click Next.
25. Once the Centrify Connector is registered, click Finish and return to the Centrify Identity Platform to confirm the second Connector has been added.

Part Two: Create a Role for Brokered Authentication

26. Use the main menu on the left to navigate to Access > Roles.
27. Click Add Role.
28. Name the new Role Identity_Broker_Role (use the underscore in the name for UNIX-supported command line options).
29. Click Members.
30. Click Add.
31. Search for and add the existing roles below:
    • PAS Admin Role
    • PAS Power User Role
    • PAS User Role
    • Contractor Role
32. Click Administrative Rights.
33. Click Add.
34. Select Computer Login and Privilege Elevation.
35. Click Save.

Part Three: Create an Authentication Profile for Brokered Authentication

36. Use the main menu on the left to navigate to Settings > Authentication > Authentication Profiles.
37. Click Add Profile.
38. Name the new Profile Identity_Broker_Profile (use the underscore in the name for UNIX-supported command line options).
39. Under Challenge 1, click Password.
40. Under Challenge 2, click Security Questions.
41. Set the number of required questions to 1.
42. Set the Challenge Passthrough to No Pass Through.
43. Click OK to save the profile.

Part Four: Create a New Policy for Brokered Authentication

44. Use the main menu on the left to navigate to Access > Policies.
45. Click Add Policy Set.
46. Name the new Policy Identity_Broker_Policy (use the underscore in the name for UNIX-supported command line options).
47. Change the Policy Assignment to specified roles.
48. Click Add.
49. Select the Identity_Broker_Role to add it to the new policy.
50. Click Authentication.
51. Click Centrify Services to configure authentication controls for Platform Established Authentication.
52. Use the drop-down menu to enable Authentication Policy Controls.
53. Under the default profile, use the drop-down menu to select the Identity_Broker_Profile.
54. Click Centrify Clients Login to configure authentication controls for console access to servers installed with the Centrify Client.
55. Use the drop-down menu to enable Authentication Policy Controls.
56. Under the default profile, use the drop-down menu to select the Identity_Broker_Profile.
57. Click Save.

Part Five: Configure Global Permissions for Brokered Authentication

58. Use the main menu on the left to navigate to Settings > Resources > Security > Global Account Permissions.
59. Click Add.
60. Search for and select Identity_Broker_Role.
61. Confirm the permissions for the Identity_Broker_Role are set to View.
62. Click Save.
63. Use the main menu on the left to navigate to Settings > Resources > Security > Global System Permissions.
64. Click Add.
65. Search for and select Identity_Broker_Role.
66. Under the permissions for the Identity_Broker_Role, grant the View and AgentAuth permissions.
67. Click Save.

These global permissions provide visibility to all members of this role. This includes the users who have the privilege to use brokered authentication and the systems configured for brokered authentication.

Part Six: Prepare Systems for Brokered Authentication

68. Use the main menu on the left to navigate to Downloads.
69. Locate and download the Centrify Client for Windows (do not install the audit extension).
70. Launch the downloaded client installation package (cagentinstaller.msi).
71. On the Welcome Message, click Next.
72. When prompted to enter enrollment parameters, click Next (these parameters will be entered later).
73. Under the Manual Enrollment message, click Next.
74. Click Install.
75. Click Finish.
76. In the Centrify Identity Platform, use the main menu on the left to navigate to Settings > Enrollment.
77. Right-click on the Enrollment Code and click View Enrollment Code.
78. Click Copy to copy the enrollment code to the clipboard.
79. Open PowerShell.
80. Run the following command to register the system in the Centrify Identity Platform, assigning it the appropriate features and adding it to the appropriate role:
    cenroll -t <tenant URL> -F agentauth -c <paste enrollment code>
    Tenant URL example: https://aaa1234.my.centrify.net
81. In the Centrify Identity Platform, use the main menu to navigate to Resources > Systems to confirm the system devops-win has been added. Add the system as a member of the Identity_Broker_Role.

Let's now repeat the process for a UNIX-based system.

82. Launch PuTTY to establish a remote session into the devops-unix server. Log in using the following credentials:
    Username: root
    Password: password1
83. Run the following command to install the Centrify Client:
    yum install CentrifyCC -y
84. Once installed, run the following command to register the system in the Centrify Identity Platform, assigning it the appropriate features and adding it to the appropriate role:
    cenroll -t <tenant URL> -F agentauth -c <paste enrollment code>
    Tenant URL example: https://aaa1234.my.centrify.net
85. In the Centrify Identity Platform, use the main menu to navigate to Resources > Systems to confirm the system devops-unix has been added. Add the system as a member of the Identity_Broker_Role.

Part Seven: Test the Configuration for Brokered Authentication

86. Log out of the DevOps-Win server (using Skytap) and log in again with the following credentials:
    Username: badams@greensafe.lab
    Password: Centr1fy
    Were you prompted for MFA?               YES / NO
    Were you able to log in successfully?    YES / NO
87. Open PuTTY and open a remote connection to the DevOps-UNIX server (IP address 172.16.0.30) and log in with the following credentials:
    Username: zcontractor@lab.<tenant_ID>
    Password: Centr1fy
    Were you prompted for MFA?               YES / NO
    Were you able to log in successfully?    YES / NO

Lab 20: Password Reconciliation

In this exercise, Alex (you) will use the Centrify Identity Platform to prevent an interruption when the password of a shared privileged account is changed and is no longer synchronized with the vault.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
    db-server.greensafe.lab
    apps-unix.greensafe.lab
    db-unix.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. Use the main menu on the left to navigate to Resources > Accounts.
2. Click the helpdesk-a account for db-unix.greensafe.lab.
3. Under Settings, confirm the account is managed (vaulted).
4. Use the Actions link and click Checkout.
5. Click Show Password. Notice the password is currently a high-entropy password that is difficult to guess or remember. Let's confirm we can log in with this password.
6. Use the Actions link again and click Checkin.
7. Use the Actions link and click Login. Once the session is opened successfully, you can log out so we can proceed to the next step.

The next step will be to change the password for this account. This can be done through a remote session in the Identity Platform or using a 3rd-party remote tool.

8. Use the main menu on the left to navigate to Resources > Accounts.
9. Right-click the root account for db-unix.greensafe.lab and select Login.
10. Execute the following command:
    passwd helpdesk-a
    Change the password to Centr1fy and log out of the session.
11. Return to the Identity Platform.
12. Log back in to the db-unix server from the Identity Platform using the helpdesk-a account. You will notice you are unable to, because the password in the vault is no longer valid on the system.

Let's now configure the account to correct this issue the next time someone tries to log in to this system.

13. Use the main menu on the left to navigate to Resources > Systems.
14. Click the db-unix.greensafe.lab server.
15. Click Advanced.
16. Under Account Reconciliation, use the drop-down menu to enable automatic local account maintenance and click the Set button to establish a Local Administrative Account.
17. Search for and select the root account.
18. Click Save.

The password is still out of sync, but now that we have configured Account Reconciliation, the next time we attempt a login from the Centrify Identity Platform the password will be rotated and correctly synchronized in the vault.

19. Click Accounts.
20. Click the helpdesk-a account.
21. Click Activity. You will notice the last activity on the account was the failed login.
22. Use the Actions link and click Login. The remote session will start but takes a few seconds longer. Log out of the session and look at the updated activity of the helpdesk-a account. You will see the password was successfully reset and the login permitted.

Lab 21: Install Centrify Authentication and Privilege

Greensafe Payroll Services has recently purchased Centrify Server Suite. Alex Foster has been identified as the project engineer in charge of implementing the solution. In this exercise, Alex (you) will install Centrify Authentication and Privilege.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

11. Log in to apps-server.greensafe.lab with the following credentials:
    Username: afoster
    Password: Centr1fy
12. Open Windows Explorer and navigate to C:\Share\CSS2020.
13. Launch the Autorun application and click Authentication and Privilege.
14. When prompted to install Microsoft SQL Compact 4.0 for support of the Sudoers Import process, click NO.
15. At the Welcome Message, click Next.
16. Accept the EULA and click Next.
17. Enter the Company Name: Greensafe Payroll Services.
18. Under Property Components, expand Centrify Utilities and click the checkbox next to Zone Provisioning Agent.
19. Click Next.
20. Under the Destination folder, click Next.
21. Under Confirm Settings, click Next.
22. Once completed, UNCHECK the options to configure the following products:
    • Centrify Reporting Services
    • Centrify Zone Provisioning Agent
23. Click Finish. Click Yes when prompted about using a Local System account to manage the ZPA.
24. Close the Centrify Server Suite Installation Package.

Lab 22: Configure Centrify Access Manager

In this exercise, Alex (you) will complete the initial configuration of the solution using the management console, Centrify Access Manager. This configuration will include the creation of an Active Directory deployment structure and licensing.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Open Windows Explorer and navigate to C:\Share.
2. Open Training License Keys and copy the DirectControl License Key to the clipboard.
3. Close the file.
4. Launch Centrify Access Manager from the Desktop shortcut.
5. Click OK to connect to dc-server.greensafe.lab.
6. At the Welcome Message, click Next.
7. Under User Credentials, maintain the default setting and click Next.
8. Under Generate Centrify Recommended Deployment Structure, click the checkbox to generate the structure and click Next.
9. Under Choose Container, click Browse.
10. Select greensafe.lab.
11. Click Next.
12. Click Next once the deployment structure container has been populated.
13. When the deployment structure has been created successfully, click Next.
14. Under Install License, maintain the default container and click Next.
15. When prompted, click Yes to grant all users read permissions to the license container.
16. Paste the license key (copied earlier) in the space provided and click Add.
17. Click Next.
18. Under the Default Container for Zones, maintain the default settings and click Next.
19. Under Delegate Permission, maintain the default settings and click Next.
20. Under AD Admin Notification Handler, maintain the default settings and click Next.
21. Under Setup Properties Pages, maintain the default settings and click Next.
22. Under Summary, click Next.
23. Click Finish to complete the initial configuration wizard.

Lab 23: Create Centrify Zones

In this exercise, Alex (you) will continue the initial configuration of the Centrify solution by assigning Centrify Administrators and creating parent and child zones for Centrify privilege management. There will be one Global Zone for all users and two child zones based on server operating system.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. Open Active Directory Users and Computers (ADUC).
2. Navigate to Centrify > Centrify Administration.
3. Open the AD group cfyA_Global_CentrifyAdmins.
4. Click Members.
5. Click Add.
6. Add Team_Security and close the group properties.
7. Close ADUC.

Let's now create the parent zone.

8. Open Centrify Access Manager.
9. Expand Centrify Access Manager (dc-server.greensafe.lab).
10. Right-click on Zones and select Create New Zone.
11. Name the new zone Global Zone.
12. Click Next.
13. Click Finish.

Let's now delegate zone controls to the appropriate administrators.

14. Right-click the new Global Zone and select Delegate Zone Control.
15. Click Add.
16. Search for and add the AD group cfyA_Global_CentrifyAdmins.
17. Click Next.
18. Under Tasks to Delegate, click All.
19. Click Next.
20. When prompted about the msDS-azScope objects, click Yes.
21. Click Finish.

Let's now create the child zones.

22. Right-click Global Zone and select Create Child Zone.
23. Name the new child zone UNIX Zone.
24. Click Next.
25. Click Finish.

We have to remember to delegate zone controls for each zone. In some cases, you may have different administrators responsible for each zone.

26. Right-click the new UNIX Zone and select Delegate Zone Control.
27. Click Add.
28. Search for and add the AD group cfyA_Global_CentrifyAdmins.
29. Click Next.
30. Under Tasks to Delegate, click All.
31. Click Next.
32. When prompted about the msDS-azScope objects, click Yes.
33. Click Finish.

Let's now create the Windows child zone.

34. Right-click Global Zone and select Create Child Zone.
35. Name the new child zone Windows Zone.
36. Click Next.
37. Click Finish.

Don't forget to delegate zone controls for this zone.

38. Right-click the new Windows Zone and select Delegate Zone Control.
39. Click Add.
40. Search for and add the AD group cfyA_Global_CentrifyAdmins.
41. Click Next.
42. Under Tasks to Delegate, click All.
43. Click Next.
44. When prompted about the msDS-azScope objects, click Yes.
45. Click Finish.
Lab 24: Prepare Zone Server Objects

As part of your preparations to implement Centrify Server Suite features in the infrastructure, you can prepare the objects prior to the implementation of each server. This avoids interruptions in service and gives you the opportunity to confirm that the effective security rights are accurate. In this exercise, Alex (you) will use Centrify Access Manager to create the AD objects in the appropriate Centrify Zones so they are organized properly and effective rights are applied before the server is joined.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 10 minutes

1. Using Centrify Access Manager, expand Child Zones.
2. Expand UNIX Zone.
3. Right-click Computers and select Prepare UNIX Computer.
4. Under Prepare Computer, maintain the default settings and click Next.
5. Under Specify Computer, click Next to add a new computer object.
6. Name the computer db-unix.
7. Click Change to change the computer container.
8. Navigate to greensafe.lab > Centrify > Computers and click OK.
9. Click Next.
10. Under Read Only Domain Controller settings, maintain the default settings and license selection and click Next.
11. Under SPN Configuration, maintain the default settings and click Next.
12. Under Delegate Join Permissions, maintain the default setting to allow the computer to join itself to the zone and click Next.
13. Under Delegate Machine Overrides, click Browse to change the AD group.
14. Search for and select cfyA_Global_CentrifyAdmins.
15. Click Next.
16. Click Next to confirm the configuration.
17. Click Finish.

Let's now add a domain-joined system to a Centrify Zone.

18. Expand Windows Zone.
19. Right-click Computers and select Prepare Windows Computer.
20. Search for and add db-server.greensafe.lab.
21. Click OK.

Lab 25: Manage Local and Domain Users

In this exercise, Alex (you) will add domain accounts for privilege on UNIX systems and consolidate local profiles with an existing Active Directory user.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 15 minutes

1. Using Centrify Access Manager, expand Child Zones.
2. Expand UNIX Zone.
3. Expand Computers.

First, we will manually add a domain user as an authorized user of the system.

4. Right-click the db-unix server and select Add User.
5. Select Active Directory user and click Next.
6. Click Browse.
7. Search for and add Linda Scott (lscott@greensafe.lab).
8. Click Next.
9. Under Add User to Zone, click Next.
10. Under Define User UNIX Profile, click Next.
11. Under Assign Roles, click Next.
12. Under Confirm Selection, click Next.
13. Click Finish.

Let's now import the users that currently exist on the local system. The /etc/passwd and /etc/group files were downloaded to this server and will be used for the next series of steps.

14. Right-click on the db-unix server and select Import from UNIX.
15. Select UNIX Configuration Files.
16. Click the top Browse button to select the /etc/passwd file that was downloaded to the C:\Share folder.
17. Click the bottom Browse button to select the /etc/group file that was downloaded to the C:\Share folder.
18. Click Next.
19. Under Select Import Objects, click Next.
20. Under Select Destination, click Next.
21. Click Finish.
22. Under the db-unix server, expand UNIX Data.
23. Expand Users and click Pending Users. There will be a list of users that have been imported but are not yet accepted. At the bottom of the list will be the following users:
    afoster-a
    cfyadmin
    helpdesk-a
    kim
    sam
24. Select the users kim and sam, right-click and select Check Status. This process checks the identities against Active Directory to look for a matching user candidate.
25. When prompted to select a domain, click OK to accept greensafe.lab.
26. In the AD User Candidate column, you will notice an AD user has been identified as a POSSIBLE match for each local profile that was imported:
    kim    greensafe.lab/staff/krogers (Kim Rogers)
    sam    greensafe.lab/staff/snguyen (Sam Nguyen)
27. Select the same accounts, right-click and click Accept. This consolidates the local profile with the domain account, permitting the domain account to be used to log in once a role has been assigned. All remaining Pending Users can be deleted.

Let's now create a new AD group based on the UNIX local users group.

28. Expand Groups under UNIX Data for the db-unix server.
29. Click Pending Groups.
30. Right-click on the users group and select Create New AD Group.
31. Under Location of Container, click Browse.
32. Select greensafe.lab > Centrify > Unix Groups.
33. Click Next.
34. Set the group name (Windows and pre-Windows 2000) to cfyG_db-unix_users.
35. Under Group Scope, select Global and click Next.
36. Click Next to confirm the settings.
37. Click Finish. All remaining Pending Groups can be deleted.

Let's now add the imported users and Linda Scott, who was added manually, to the new AD group.

38. Click Users under UNIX Data of db-unix.
39. Select all users, right-click and select Add to a Group. There are multiple users and you may need to refresh the console window to see all of them.
40. Search for and select cfyG_db-unix_users.
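The two places in this guide that read the local account database, the `cut -d: -f1 /etc/passwd` listing in Lab 18 and the /etc/passwd and /etc/group import in this lab, are served by the added example below. It is not part of the lab guide: the sample passwd and group contents are constructed for the example (UIDs, GIDs, GECOS names and shells are made up, only the five account names come from the guide) and the function names are assumptions. `local_logins` lists the interactive local accounts that remain on a box, which is what the Pending Users view is built from and what could still be used to log in around the vault; `group_members` resolves a UNIX group from both the primary GID in passwd and the member list in group, the way the users group is resolved before it becomes cfyG_db-unix_users; and `has_local_account` makes the Lab 18 observation explicit: a login through the Use My Account master SSH key, such as jmiller's, leaves no entry in /etc/passwd.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Reads /etc/passwd and /etc/group
# the way the Lab 18 listing and the Lab 25 "Import from UNIX" step do.
# The sample file contents below are constructed for this example.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
afoster-a:x:1000:100:Alex Foster (admin):/home/afoster-a:/bin/bash
cfyadmin:x:1001:100:Centrify Admin:/home/cfyadmin:/bin/bash
helpdesk-a:x:1002:100:Helpdesk (admin):/home/helpdesk-a:/bin/bash
kim:x:1003:100:Kim Rogers:/home/kim:/bin/bash
sam:x:1004:100:Sam Nguyen:/home/sam:/bin/bash
svc-backup:x:1005:100:Backup service:/var/backup:/sbin/nologin'

GROUP_SAMPLE='root:x:0:
wheel:x:10:afoster-a,helpdesk-a
users:x:100:'

# local_logins [PASSWD_FILE]
# Prints accounts with UID >= 1000 and a real login shell: the local
# profiles a person could still use to log in directly, bypassing the vault.
# System accounts and service accounts with nologin/false are left out.
local_logins() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# group_members GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints the sorted members of GROUP: users named in the group file's
# member field plus users whose primary GID in passwd is the group's GID.
group_members() {
    awk -F: -v g="$1" '
        FNR == NR {                       # first file: the group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "${3:-/etc/group}" "${2:-/etc/passwd}" | sort
}

# has_local_account NAME [PASSWD_FILE]
# Exit status 0 when NAME has a passwd entry, 1 otherwise.
has_local_account() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "${2:-/etc/passwd}"
}

# Demo on the constructed samples:  sh this_script.sh demo
# Against a real host, call the functions with no file arguments.
if [ "${1:-}" = "demo" ]; then
    pw=$(mktemp); gr=$(mktemp)
    printf '%s\n' "$PASSWD_SAMPLE" > "$pw"
    printf '%s\n' "$GROUP_SAMPLE" > "$gr"
    echo "interactive local accounts:"; local_logins "$pw"
    echo "members of users:"; group_members users "$pw" "$gr"
    has_local_account jmiller "$pw" || echo "jmiller has no local profile (key-based login)"
    rm -f "$pw" "$gr"
fi
```

On the sample data the users group resolves to all six UID-1000-and-up accounts through their primary GID even though its member field is empty, which is the case to keep in mind when the imported group becomes an AD group: the member list in /etc/group alone understates who is in the group.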
Lab 26: Configure a Centrify Zone Provisioning Agent

In this exercise, Alex (you) will configure the Centrify Zone Provisioning Agent to automatically provision and deprovision users and groups for access to privileged resources. This will include the configuration of a domain service account that facilitates this automation as users are added to monitored groups.

Systems used in this lab:
    dc.greensafe.lab
    apps-server.greensafe.lab
Estimated time to complete this lab: 20 minutes

1. Open Active Directory Users and Computers (ADUC).
2. Navigate to greensafe.lab > Centrify > Service Accounts.
3. Create a new AD account:
    First Name: Centrify
    Last Name: Zone Provisioning Agent
    User logon name: cfyS_zpa
4. Click Next.
5. Set the password to Centr1fy.
    UNCHECK User must change password at logon
    CHECK User cannot change password
    CHECK Password never expires
6. Click Next.
7. Click Finish.
8. Navigate to Centrify > Provisioning Groups.
9. Create two new AD groups that will be used for auto provisioning and deprovisioning:
    • cfyP_Global_Users
    • cfyP_Global_Groups
10. Close ADUC.

Let's now configure the Centrify ZPA service.

11. Open Services.
12. Open the properties of the Centrify Zone Provisioning Agent.
13. Click the Log On tab.
14. Change the Log on account from Local System Account to This Account, then click Browse.
15. Change the search Location to the Entire Directory.
16. Search for and select cfyS_zpa.
17. Once selected, type in the account password and click Apply to confirm the account will be used to Log On as a Service.
18. Save the changes and close Services.

Let's configure the Zone Provisioning Agent.

19. Use the Start Menu to navigate to Centrify > Infrastructure Services > Zone Provisioning Agent Configuration Panel.
20. Click the Add button.
21. Navigate to and select greensafe.lab > Centrify > Zones and click OK.
22. Select and remove the Entire Forest from the list (leaving the Centrify Zones container).
23. Under the Event Log, select Write the UNIX Profiles for the provisioned users and groups to the Event Log.
24. Confirm the ZPA service account is correct (cfyS_zpa) and click Start to start the service.
25. Click Apply to save the changes.
26. Click Close to exit the Configuration Panel.

We can now configure the zones to be automatically provisioned, starting with delegating zone controls to the service account.

27. Open Centrify Access Manager.
28. Right-click the Global Zone and select Delegate Zone Control.
29. Click Add.
30. Search for and add the AD group cfyS_zpa.
31. Click Next.
32. Click the following administrative tasks to be applied to the ZPA service account:
    • Add Users
    • Add Groups
    • Remove Users
    • Remove Groups
    ZPA does not require all administrative tasks, only those tasks that the service account will be performing. Click Next.
33. When prompted about the UID/GID auto-increment functionality, click NO.
34. Click Finish.

Let's complete the configuration by assigning the provisioning to the zone.

35. Using Access Manager, right-click on Global Zone and select Properties.
36. Click the Provisioning tab and enable auto provisioning of User Profiles.
37. Click the button to select a User Profiles Source Group.
38. Find and select cfyP_Global_Users and click OK.
39. Under the Provisioning tab, enable auto provisioning of Group Profiles.
40. Click the button to select a Group Profiles Source Group.
41. Find and select cfyP_Global_Groups.
42. Click OK to save the changes.

Let's test the auto provisioning by adding AD users to the zone, creating UNIX profiles for each of them.

43. Launch Active Directory Users and Computers (ADUC).
44. Navigate to Centrify > Provisioning Groups.
45. Open the properties of cfyP_Global_Users.
46. Click the Members tab.
47. Click Add.
48. Find and select the following groups:
   • Team_Contractors
   • Team_Finance
   • Team_Helpdesk
   • Team_IT
   • Team_Sales
   • Team_Security
49. Close ADUC.
50. To speed up the process, we will use the zoneupdate utility.
51. From the Start Menu, open the Zone Provisioning Agent Command Prompt. Type and run:
      zoneupdate /p "Global Zone"
   You will see a preview of the users that are going to be provisioned by ZPA.
52. Type and run the following command to commit the changes immediately:
      zoneupdate "Global Zone"
53. Using Access Manager, expand UNIX Data under Global Zone.
54. Click Users. Users from the groups we added will now be configured with UNIX Profiles under Global Zone > UNIX Data > Users.

Lab 27: Install and Configure the Centrify Agent

Now that we have preconfigured our system objects, we can join them to the domain. In this exercise, Alex (you) will install the Centrify DirectControl Client on Windows and UNIX systems.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   apps-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. Open PuTTY and login to db-unix with the following credentials:
   Username: root
   Password: password1
2. Run the following command to install the Centrify DirectControl Agent:
      yum install CentrifyDC -y
3. Once completed, run the following command to check the domain and zone connection status for the system:
      adinfo
   You will notice that installing the client did not automatically join the system to the zone.
4. Run the following command to join the system to the zone:
      adjoin -S greensafe.lab
   During the process you will notice that the system was automatically joined to the correct UNIX zone because the system was precreated and matched the DNS record.
5. Run the following command to reboot the server:
      reboot

Now that the UNIX system is complete, let's join the Windows system to the Centrify Zone.

6. Use the Skytap navigation to open db-server and login with the following credentials:
   Username: afoster
   Password: Centr1fy
7. Open the Agent folder on the desktop and launch the Centrify Agent for Windows application.
8. On the Welcome message, click Next.
9. Accept the EULA and click Next.
10. Under the destination folder, click Next.
11. Click Install.
12. When the installation is complete, click Finish. The Agent Configuration Wizard will run automatically.
13. Click Add Service.
14. Click Centrify Privilege Elevation Service.
15. Click OK.
16. Join the system to the Windows Zone and click Next.
17. When prompted, select Yes to create a Windows Login Role for the Domain Admins group so they can continue to login to the system. If/when prompted about multifactor authentication enrollment, click Yes to skip the enrollment and continue the configuration.
18. When prompted to restart the system, click Yes.

How did installing the Centrify software affect the ability to log into the servers?

19. Login with the users listed below and confirm the ability to login.

   Username   Password   System      Login Successful?
   afoster    Centr1fy   db-unix     No (no local profile or Centrify role)
   afoster    Centr1fy   db-server   Yes (Domain Admin role is applied)
   badams     Centr1fy   db-server   No (badams is not assigned a Centrify role)

Lab 28: Configure UNIX Login Role

As we have examined, privileged directory service users must have roles assigned to them before they can do anything on the system. This includes the login process. Roles can be assigned at different levels of the Centrify Zone structure: at zone level, at computer group level and at an individual server level.
In this exercise, Alex (you) will create and assign a zone role to permit privileged users access to any system in the zone.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   apps-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. Using Access Manager, expand the UNIX Zone.
2. Under Authorization, right click on Role Assignments and select Assign Role.
3. Locate and select the UNIX Login role for the UNIX Zone. Use the filters at the top of the window to identify the correct zone.
4. Click Add AD Account…
5. Add the following AD groups to this role assignment:
   • Team_Contractors
   • Team_Finance
   • Team_Helpdesk
   • Team_IT
   • Team_Sales
   • Team_UNIXAdmins
6. Click OK.
7. Right click on db-unix and select Show Effective User Rights.
8. Use the Role Assignments tab to confirm the effective rights for each AD user listed below.

   User       AD Group          Does this user have the right to login?
   afoster    Team_IT           Yes
   badams     Team_Sales        Yes
   krogers    Team_UNIXAdmins   Yes
   snguyen    Domain Users      No
   ahouston   Team_Auditors     No

   Sam Nguyen (snguyen) can be viewed by clicking the Show omitted users option.

   Pop Quiz: Why is Sam displayed and Amy Houston (ahouston) is not?

9. Open PuTTY and login to db-unix with the following credentials:
   Username: root
   Password: password1
10. Run the following command to clear the zone cache:
      adflush
   Logout of the session.
11. Use PuTTY to confirm the effective rights found in step 8.

   User       AD Group          Could the user login to apps-unix?
   afoster    Team_IT           Yes
   badams     Team_Sales        Yes
   krogers    Team_UNIXAdmins   Yes
   snguyen    Domain Users      No
   ahouston   Team_Auditors     No

Answer to the Pop Quiz: Why is Sam displayed and Amy Houston (ahouston) is not?
The user Sam is displayed because the local profile is listed under the system's user UNIX Data. Sam is listed as an omitted user because a role has not been assigned. Amy Houston (ahouston) is not listed because the AD user has not been added as an authorized user of the zone or the local machine.

Lab 29: Configure Windows Zone Role

Windows roles are slightly different, as privilege comes in the form of the use of specific applications. Generally, granting a user privilege to access an application or administer a system results either in local identities on the system that have the necessary privilege, or in moving the AD user into a group that has elevated privilege not only on the individual system or application but on a group of systems and all applications.

In this exercise, Alex (you) will create and assign roles to the Windows Zone that include login and the elevated privilege to run a specific Windows application, without the need for a local identity or a shared privileged account.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   apps-unix.greensafe.lab

Estimated time to complete this lab: 20 minutes

1. Use the Start Menu to navigate to and open Windows Administrative Tools.
2. Launch Windows Firewall and Advanced Security. Minimize the Firewall window to leave it running; we will be using it later in the exercise.
3. Using Access Manager, expand the Windows Zone.
4. Expand Authorization.
5. Expand Windows Right Definitions.
6. Right click on Applications and select New Windows Application.
7. Name the new application Windows Firewall Management.
8. Click the Match Criteria tab.
9. Click Add.
10. Click the Import Process button.
11. Under Import From Running Process, select the mmc.exe image name whose command line relates to the Windows Firewall:
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
12. Click OK.
13. Change the Description to Windows Firewall and click OK.
14. Click the Run As tab.
15. Click Add AD Groups.
16. Search for and add Domain Admins.
17. Click OK to save the new Windows Application right.

Let's now create a role for this new right.

18. Right click on Role Definitions and select Add Role.
19. Name the role Firewall Management.
20. Click OK.

Let's now add the right to the role.

21. Right click the Firewall Management role and select Add Right.
22. Locate and select Windows Firewall Management.
23. Click OK.

Let's now assign the Login and Firewall Management roles to privileged users.

24. Right click on Role Assignments and select Assign Role.
25. Select Windows Login for the Windows Zone.
26. Click OK.
27. Click Add AD Account…
28. Add the following AD groups to this role assignment:
   • Team_Contractors
   • Team_Finance
   • Team_Helpdesk
   • Team_IT
   • Team_Sales
29. Click OK to save the role assignment.

Let's now give more privilege to IT and Helpdesk to manage the Windows Firewall.

30. Right click on Role Assignments and select Assign Role.
31. Select Firewall Management.
32. Click OK.
33. Click Add AD Account…
34. Add the following AD groups to this role assignment:
   • Team_Helpdesk
   • Team_IT
35. Click OK to save the role assignment.

Let's now confirm the changes.

36. Use the Skytap navigation to open db-server and login as Alex Foster. Once logged in, open PowerShell and type dzflush to refresh the cache.
37. We have already established that since Alex Foster is a domain admin, he has privilege to login and access the firewall. Logout of db-server and log back in as each of the users listed below to confirm the roles you have assigned.

   User       AD Group           Can the user login?   Can the user see firewall settings?   Can the user see firewall settings with Privilege?
   bhughes    Team_Helpdesk      Yes                   No                                    Yes
   badams     Team_Sales         Yes                   No                                    No
   krogers    Team_Finance       Yes                   No                                    No
   lbennett   Team_Contractors   Yes                   No                                    No
   lscott     Team_IT            Yes                   No                                    Yes

Running the Windows Firewall without privilege should result in the following message: (screenshot)

To run the application with privilege, right click on the application and select Run With Privilege. If the user has been granted privilege, they should see the Windows Firewall options shown below. (screenshot)

Lab 30: Configure Computer Roles

The current zone structure has systems grouped by operating system, but not all systems have the same role within the organization. Computer roles are configured so privilege can be granted automatically when a new server is added to the role, or removed when a system is retired or removed from the role.

In this exercise, Alex (you) will configure a computer role that will grant privilege to users of the servers that are members of the role.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 25 minutes

Greensafe has made the decision to add additional database servers. The new servers will have the same configuration as db-unix.greensafe.lab but will be added over the course of several months. To ensure the configuration is completed ahead of time, the new computers will be precreated and a computer role will be established.

Part One: Precreate New Systems

1. Using Centrify Access Manager, expand Child Zones.
2. Expand Unix Zone.
3. Right click Computers and select Prepare UNIX Computer.
4. Under Prepare Computer, maintain the default settings and click Next.
5. Under Specify Computer, click Next to add a new computer object.
6. Name the computer db2-unix.
7. Click Change to change the computer container.
8. Navigate to greensafe.lab > Centrify Computers and click OK.
9. Click Next.
10. Under Read Only Domain Controller settings, maintain the default settings and license selection and click Next.
11. Under SPN Configuration, maintain the default settings and click Next.
12. Under Delegate Join Permissions, maintain the default setting to allow the computer to join itself to the zone and click Next.
13. Under Delegate Machine Overrides, click Browse to change the AD group.
14. Search for and select cfyA_Global_CentrifyAdmins.
15. Click Next.
16. Click Next to confirm the configuration. Click Finish.

Repeat Steps 1-16 to precreate db3-unix and db4-unix.

Part Two: Create AD Groups for the Computer Role

17. Open Active Directory Users and Computers (ADUC).
18. Navigate to Centrify Computer Roles.
19. Create a new AD group with a Global group scope named cfyC_Unix_Systems.
20. Create three additional AD groups with Global group scope:
   • cfyU_Unix_UnixLogin
   • cfyU_Unix_ServiceMgr
   • cfyU_Unix_UnixAdmin
21. Open the cfyU_Unix_UnixAdmin group and add the following AD groups as members:
   • Team_Helpdesk
   • Team_IT
   • Team_UnixAdmins
22. Open the cfyU_Unix_ServiceMgr group and add the following AD group as a member:
   • Team_Contractors
23. Open the cfyU_Unix_UnixLogin group and add the following AD groups as members:
   • Team_Contractors
   • Team_Helpdesk
   • Team_IT
   • Team_UnixAdmins
24. Close ADUC.

Part Three: Create Command Rights

25. Using Access Manager, expand Unix Zone.
26. Expand Authorization.
27. Expand Unix Right Definitions.
28. Right click Commands and select New Command.
29. Name the new command right ALL with a description of Root Equivalent Command Rights.
30. Under Command, type an asterisk (*).
31. Select Specify Path and type an asterisk (*).
32. Click OK.

Let's now create the Services command right.

33. Right click Commands and select New Command Right.
34. Name the new command right Service Restart.
35. Under Command, type systemctl restart*
36. Select Specify Path and type an asterisk (*).
37. Click OK.

Part Four: Create Privileged Role Definitions

38. Right click on Role Definitions and select Add Role.
39. Name the new role UNIX Admin.
40. Click OK.

Let's now create the Service Manager role.

41. Right click on Role Definitions and select Add Role.
42. Name the new role UNIX Service Manager.
43. Click OK.

Part Five: Add the Rights to the Roles

44. Right click on the UNIX Admin role and select Add Right.
45. Select the ALL command right created in Part Three.
46. Click OK.
47. Right click on the UNIX Service Manager role and select Add Right.
48. Select the Service Restart command right created in Part Three.
49. Click OK.

Part Six: Create the Computer Role

50. Right click Computer Roles and select Create Computer Role.
51. Name the computer role Greensafe_UNIX_Systems.
52. Use the drop-down menu under Computer Groups and select <…> to browse for the AD group created in Part Two.
53. Search for and select cfyC_Unix_Systems.
54. Click OK to save the computer role.

Part Seven: Assign the Role Definitions to the Computer Role

55. Expand the Greensafe_UNIX_Systems computer role.
56. Right click on Role Assignments and select Assign Role.
57. Select UNIX Login for Unix Zone and click OK.
58. Click Add AD Account…
59. Search for and select cfyU_Unix_UnixLogin.
60. Click OK to save the role assignment.
61. Select UNIX Admin and click OK.
62. Click Add AD Account…
63. Search for and select cfyU_Unix_UnixAdmin.
64. Click OK to save the role assignment.
65. Right click on Role Assignments and select Assign Role to assign the UNIX Service Manager role.
66. Select UNIX Service Manager and click OK.
67. Click Add AD Account…
68. Search for and select cfyU_Unix_ServiceMgr.
69. Click OK to save the role assignment.

Now that we have configured the computer role, we can add machines to the computer group and add users to the role-based groups.

Part Eight: Add Systems to the Computer Role

70. Under the Greensafe_UNIX_Systems computer role, right click on Members and select Add Computer.
71. Search for and add all of the systems below:
   • db-unix
   • db2-unix
   • db3-unix
   • db4-unix

Part Nine: Check Effective Rights and Test Roles

72. Check the Effective UNIX User Rights to determine the role-based privilege below:

   Username   AD Group                        Server     Can the user login?   Can the user restart services?
   bhughes    Team_Helpdesk                   db2-unix   Yes                   Yes
   badams     Team_Sales                      db2-unix   Yes                   No
   krogers    Team_Finance, Team_UNIXAdmins   db2-unix   Yes                   Yes
   lbennett   Team_Contractors                db2-unix   Yes                   Yes
   ahouston   Team_Auditors                   db2-unix   No                    No

Now let's test the environment. Use PuTTY to login to the db-unix server as each user and run the following command to confirm the results listed in the table above:
      dzdo systemctl restart sshd

73. Logged in as lbennett, execute the following command:
      dzdo cat /etc/shadow
   This demonstrates how the role permits just enough privilege to restart services, but not to run other elevated commands.

Lab 31: Centrify Server Suite Group Policies

In this exercise, Alex (you) will apply Centrify Group Policies on zone joined systems.
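Before moving on to group policies, the following shell script is an added example (not part of the Centrify lab guide) that models how the Lab 28 zone-level UNIX Login assignment and the Lab 30 computer-role assignments combine into the effective rights tested on db2-unix in Part Nine, including the lbennett check from step 73. Group, role and right names are the ones created in the labs; the glob matching of command rights is a simplified approximation, not Centrify's own implementation.

```shell
#!/bin/sh
# Added example (not from the Centrify lab guide): a simplified model of how the
# Lab 28 zone-level UNIX Login assignment and the Lab 30 computer-role assignments
# produce the effective rights checked on db2-unix. The glob matching below
# approximates how a dzdo command right is evaluated; it is not Centrify's code.

# AD group membership per lab user, as listed in the Lab 30 results table.
# (AD group names are case-insensitive; Team_UNIXAdmins and Team_UnixAdmins
# in the guide refer to the same group.)
user_groups() {
    case "$1" in
        bhughes)  echo "Team_Helpdesk" ;;
        badams)   echo "Team_Sales" ;;
        krogers)  echo "Team_Finance Team_UNIXAdmins" ;;
        lbennett) echo "Team_Contractors" ;;
        ahouston) echo "Team_Auditors" ;;
        *)        echo "" ;;
    esac
}

# Members of the role-based AD groups created in Lab 30, Part Two.
role_group_members() {
    case "$1" in
        cfyU_Unix_UnixLogin)  echo "Team_Contractors Team_Helpdesk Team_IT Team_UNIXAdmins" ;;
        cfyU_Unix_ServiceMgr) echo "Team_Contractors" ;;
        cfyU_Unix_UnixAdmin)  echo "Team_Helpdesk Team_IT Team_UNIXAdmins" ;;
    esac
}

# Members of the Greensafe_UNIX_Systems computer role (Lab 30, Part Eight).
in_computer_role() {
    case "$1" in
        db-unix|db2-unix|db3-unix|db4-unix) return 0 ;;
        *) return 1 ;;
    esac
}

# AD groups given UNIX Login at the zone level in Lab 28; every computer in the
# UNIX Zone inherits this assignment.
zone_login_groups="Team_Contractors Team_Finance Team_Helpdesk Team_IT Team_Sales Team_UNIXAdmins"

# True when $1 is one of the words in $2.
contains() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Roles a user holds on a host, one per line: zone-level assignments always
# apply, computer-role assignments only on members of the computer role.
effective_roles() {
    for g in $(user_groups "$1"); do
        contains "$g" "$zone_login_groups" && echo "UNIX Login"
        if in_computer_role "$2"; then
            contains "$g" "$(role_group_members cfyU_Unix_UnixLogin)"  && echo "UNIX Login"
            contains "$g" "$(role_group_members cfyU_Unix_UnixAdmin)"  && echo "UNIX Admin"
            contains "$g" "$(role_group_members cfyU_Unix_ServiceMgr)" && echo "UNIX Service Manager"
        fi
    done | sort -u
}

# can_login USER HOST -> Yes/No
can_login() {
    if effective_roles "$1" "$2" | grep -qx "UNIX Login"; then echo Yes; else echo No; fi
}

# Command rights attached to each role (Lab 30, Parts Three to Five).
role_allows() {
    case "$1" in
        "UNIX Admin") return 0 ;;                  # right ALL: command *, path *
        "UNIX Service Manager")                    # right Service Restart: systemctl restart*, path *
            case "$2" in "systemctl restart"*) return 0 ;; esac ;;
    esac
    return 1
}

# can_run USER HOST "COMMAND LINE" -> Yes/No: may the user run it via dzdo?
can_run() {
    [ "$(can_login "$1" "$2")" = Yes ] || { echo No; return 0; }
    effective_roles "$1" "$2" | while IFS= read -r role; do
        role_allows "$role" "$3" && echo Yes
    done | grep -q Yes && echo Yes || echo No
}

# Reproduce the Lab 30, Part Nine table for db2-unix, plus the lbennett check
# from step 73 (dzdo cat /etc/shadow).
printf '%-10s %-7s %-14s %s\n' User Login "Restart sshd" "Read /etc/shadow"
for u in bhughes badams krogers lbennett ahouston; do
    printf '%-10s %-7s %-14s %s\n' "$u" "$(can_login "$u" db2-unix)" \
        "$(can_run "$u" db2-unix "systemctl restart sshd")" \
        "$(can_run "$u" db2-unix "cat /etc/shadow")"
done
```

Running the same checks against a host that is in the UNIX Zone but not in the computer role (for example apps-unix) shows that only the zone-level login survives and the Service Restart right disappears.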
Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. Use the Desktop shortcut to launch Group Policy Management.
2. Navigate to greensafe.lab > Centrify.
3. Right click Centrify and select Create a GPO in this domain, and Link it here.
4. Name the new GPO Centrify GPO and click OK.
5. Right click the Centrify GPO and click Edit.
6. Expand Computer Configuration > Policies.
7. Right click Centrify Settings and click Add/Remove Templates.
8. Click Add.
9. Select all Centrify templates and click Open.
10. Click OK.
11. Expand DirectControl Settings.
12. Click Password Prompts.
13. Open the properties of Set login password prompt.
14. Enable the option and set the login password prompt to: Enter your AD Password:
15. Click OK.
16. Use PuTTY to login to the apps-unix server with the following credentials:
   Username: root
   Password: password1
17. Execute adgpupdate to update group policies on the system.
18. Logout as root. Log back in using the following credentials:
   Username: badams@greensafe.lab
   Password: Centr1fy
   You should notice the password prompt has been changed.
19. Logout of the session.
20. Use the Skytap navigation to open the apps-unix server.
21. From the GUI login interface, click Not Listed.
22. Enter the username badams and you will notice the password prompt is the same as the terminal window login.

Lab 32: Configure Multifactor Authentication for Privilege Elevation

In this exercise, Alex (you) will configure systems to validate users with multifactor authentication when logging in at the console or when using a 3rd party remote access tool.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 25 minutes

Let's start by downloading the IWA certificate needed to configure the systems for MFA.

1. Using the Centrify Identity Platform, login as Alex Foster (afoster).
2. Use the main menu on the left to navigate to Settings > Network > Centrify Connectors.
3. Click the apps-server Centrify Connector.
4. Click IWA Service.
5. Click the blue link to download the IWA root CA certificate.
6. Click Cancel to close the properties of the Connector.

Let's now configure the Centrify Identity Platform Authentication Profile for client side login with MFA.

7. Use the main menu on the left to navigate to Settings > Authentication > Authentication Profiles.
8. Click Add Profile.
9. Name the profile CSS_MFA_Profile.
10. Set Challenge #1 equal to 1 Security Question.
11. Set the Passthrough duration to No Passthrough.
12. Click OK to save the new profile.

Let's now configure the Centrify Identity Platform Privilege Role for client side login with MFA.

13. Use the main menu on the left to navigate to Access > Roles.
14. Click Add Role.
15. Name the new role CSS_MFA_Role.
16. Click Members.
17. Search for and add the following AD groups and computers:
   • db-unix.greensafe.lab
   • db-server.greensafe.lab
   • Team_Contractors
   • Team_Helpdesk
   • Team_IT
   • Team_UnixAdmins
18. Click Administrative Rights.
19. Click Add.
20. Select Computer Login and Privilege Elevation.
21. Click Save.

Let's now configure the Centrify Identity Platform Policy for client side login with MFA.

22. Use the main menu on the left to navigate to Access > Policies.
23. Click Add Policy Set.
24. Name the new policy CSS_MFA_Policy.
25. Under Policy Assignment, click Specified Roles and add the CSS_MFA_Role.
26. Expand Authentication.
27. Expand Centrify Server Suite Agents.
28. Click Linux, Unix, and Windows Servers.
29. Use the drop-down menu to enable the authentication policy controls.
30. Use the drop-down menu to change the Default Profile to CSS_MFA_Profile.
31. Click Privilege Elevation.
32. Use the drop-down menu to enable the authentication policy controls.
33. Use the drop-down menu to change the Default Profile to CSS_MFA_Profile. Click Save to save the policy.

Let's now configure a GPO to push the certificate to all systems.

34. Open Group Policy Management Editor.
35. Navigate to the Centrify GPO created in Lab 31.
36. Right click the GPO and click Edit.
37. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
38. Right click Trusted Root Certificate Authorities and select Import.
39. Confirm the certificate import store location is Local Machine and click Next.
40. Click Browse and select the IWA certificate downloaded in step 5.
41. Click Next.
42. Confirm the store location (Trusted Root Certificate Authorities) and click Next.
43. Click Finish.

Let's now configure an existing command right to require MFA.

44. In Access Manager, expand the Unix Zone.
45. Expand Authorization.
46. Expand Unix Right Definitions.
47. Under Commands, double click on the Service Restart command right created earlier in the course.
48. Click the Attributes tab.
49. Select Re-authenticate current user, UNCHECK Use password and CHECK Require multi-factor authentication.
50. Click OK to save the changes.

Let's now update the group policies on the systems and test the MFA settings.

51. Launch PuTTY and login to db-unix with the following credentials:
   Username: root
   Password: password1
52. Run adflush to clear the zone cache.
53. Run adgpupdate to update the group policies on the system.
54. Logout of the session.
55. Log back in to the db-unix system using the credentials below:
   Username: lbennett@greensafe.lab
   Password: Centr1fy
   Was Laura Bennett permitted to login?
      YES, without MFA.   YES, with MFA.   NO.
56. Run:
      dzdo systemctl restart firewalld
   Was Laura Bennett permitted to run this command?
      YES, without MFA.   YES, with MFA.   NO.

Lab 33: Configure Centrify Reporting Service

In this exercise, Alex (you) will configure Centrify Reporting Service to report on Centrify Server Suite management tasks.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 10 minutes

1. From the Start menu, launch the Configuration Wizard.
2. Click Next.
3. Under Database Type, use the drop-down menu to select SQL Server and click Next.
4. Use the drop-down menu and select Browse for more…
5. Click the Network Servers tab.
6. Select Use an existing SQL Server instance (DB-SERVER\CENTRIFY).
7. Click Next.
8. Confirm the selection Deploy Centrify Reports and the URL addresses:
   Web Service URL: http://DB-SERVER/ReportServer_CENTRIFY
   Report Manager URL: http://DB-SERVER/Reports_CENTRIFY
   Click Next.
9. Under Synchronization Mode, select Zone Based mode and click Next.
10. Under Hierarchical Zones, select Monitor all hierarchical zones… and click Next.
11. Under Classic Zones, select Monitor all classic zones… and click Next.
12. Under Domain Controllers, click Add.
13. Select the dc.greensafe.lab domain controller and click OK.
14. Under Synchronization Schedule, maintain the default settings, making no changes, and click Next.
15. Under Report Services Option, select Use Built-In Account (Local System) and click Next.
16. Permissions will be verified, identifying successes and failures. Click Close.
17. Under Summary, click Next. Please be patient as the database is configured.
18. Check the option Start synchronizing data from Active Directory and click Finish to close the Report Configuration Wizard.
19. Open Internet Explorer and browse to http://DB-SERVER/Reports_CENTRIFY
20. Login as Alex Foster (afoster) (Password: Centr1fy).
21. Confirm the Centrify Report Services folder is displayed.

Leave the browser window open to complete the next lab exercise.

Lab 34: Review Centrify Reporting

In this exercise, Alex (you) will use Centrify Reporting Services and the Centrify Identity Platform to examine specific reports.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. From the Centrify Reporting Services (SSRS) website, click Details View.
2. Click Centrify Reporting Services.
3. Click Access Manager Reports.
4. Click Delegation Report. This reports on AD groups with assigned zone delegation tasks.
5. Under the Trustee filter, remove the check mark under Null and enter cfyS_ZPA in the space provided. We delegated specific zone tasks to this account as part of automated provisioning through the ZPA.
6. Close the web page and return to the Centrify Identity Platform, logged in as Alex Foster.
7. Use the main menu on the left to navigate to Reports.
8. Expand Builtin Reports.
9. Expand Security.
10. Click Users Security Question State.
11. Click OK to view the report. This report will indicate who has and who has not satisfied the MFA challenge the company now requires to access company servers.
12. Use the main menu on the left to navigate to Reports.
13. Expand Builtin Reports.
14. Expand Effective Rights.
15. Expand Role to Object.
16. Click Systems.
17. Select a system in the list to view the current role-based privilege that has been granted to the single system. This will help determine if too much privilege is being granted to critical systems.

Lab 35: Troubleshooting Centrify Licensing

In this exercise, Alex (you) will use the Centrify Licensing Service to examine the installed licensing applied to the environment.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 10 minutes

1. Using the Start menu, launch the Centrify Licensing Service Control Panel.
2. Confirm the service is running.
3. Click the DC/DZ Deployment tab to determine the number of devices currently licensed.
4. Click the Troubleshooting tab.
5. Click Export Diagnostic Data.
6. Navigate to Desktop and click OK.
7. Click OK.
8. Close the Centrify Licensing Service Control Panel.
9. Open the saved diagnostic data file.
10. Review the files included in the zip file. Close the Explorer window.
11. Using the Start menu, launch the Licensing Report.
12. Confirm the Domain Controller dc.omicron.lab and click Next.
13. Select the default location to store the report, leave the Hide host, zone and installation names from the report option as it is, and click Next.
14. Click Next to run the report.
15. Leave "Open the output report" checked and click Exit.
16. Click OK.

Lab 36: Analyzing the Environment

In this exercise, Alex (you) will use Centrify Access Manager to examine possible issues with the health of the environment.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 10 minutes

1. Using Access Manager, right click Centrify Access Manager and select Analyze.
2. Click All.
3. Click Next.
4. Click Finish.
5. Click Analysis Results in the navigation tree on the left of the Access Manager console.
6. Open the issue to review the details: Check whether the computer object in Active Directory has sufficient permission to update the version number property of the operating system in the computer's serviceConnectionPoint object. If the computer object does not have permission to change this property, the operating system version number cannot be displayed.
7. Click OK to close the Issue Details.

Lab 37: Installing Audit Architecture

Greensafe is required to have audit records of sessions and users. In this exercise, Alex (you) will install and configure the Centrify Audit and Monitoring components for vault-based auditing.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 15 minutes

1. Use Windows Explorer to navigate to C:\Share\CSS2020.
2. Launch the Autorun application.
3. Click Audit and Monitor.
4. Click Next at the Welcome message.
5. Accept the EULA and click Next.
6. Maintain the default features and click Next.
7. Maintain the default installation folder and click Next.
8. Review the installation options and click Next.
9. When the installation is completed, click Finish. The Audit Configuration Wizard will launch automatically.
10. Click Next at the Welcome message.
11. Click Next to create a new installation.
12. Use Windows Explorer to navigate to C:\Share and open Training License Keys.txt. Copy the Audit License Key (DirectAudit) to the clipboard.
13. Paste the key in the space provided in the Configuration Wizard and click Add.
14. Click Next.
15. Maintain the default publication location and click Next.
16. Click Use an existing SQL Server instance and use the drop-down menu to browse for the SQL Server.
17. Click the Network tab. Be patient while the network is browsed for available SQL servers.
18. Click DB-SERVER\CENTRIFY.
19. Click OK.
20. Once the SQL Server is selected, click Next. Please be patient while the database is configured for audit and monitoring.
21. Click Finish.
22. Close the Installation Wizard.

Lab 38: Configure Centrify Auditing

In this exercise, Alex (you) will configure Audit Roles and configure the Centrify Identity Platform to audit all registered systems.

Systems used in this lab:
   dc.greensafe.lab
   apps-server.greensafe.lab
   db-server.greensafe.lab
   apps-unix.greensafe.lab
   db-unix.greensafe.lab

Estimated time to complete this lab: 20 minutes

1. Using the desktop shortcut, launch Audit Manager.
2. Expand the Default Installation.
3. Expand Audit Roles. There is a default role (Master Role). We will now add the Security Team as Master Auditors.
4. Right click the Master Auditor role and click Add Users and Groups.
5. Add Team_Security and click OK.

We will now create a secondary role for the Auditors team and grant them all permissions except the ability to delete recorded sessions.

6. Right click on Audit Roles and click Add Audit Role.
7. Name the audit role Greensafe Auditors.
8. Click Next.
9. Maintain all selected machine types and criteria settings and click Next.
10. Uncheck the Delete privilege and click Next.
11. Review the summary and click Next.
12. Once completed, click Finish to assign users and groups to the new role.
13. Add Team_Auditors and click OK.

Now that the Audit Roles are created, we can configure the Centrify Identity Platform to audit systems using Gateway and Vault-Based Auditing.
108 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide 14. Open the Centrify Identity Platform and login in as Alex Foster (afoster@greensafe.lab) 15. Using the main menu on the left to navigate to Settings Service Resources Auditing 16. Check the box to Enable Auditing 17. The Centrify DirectAudit Installation Name will be displayed. If it is different from what you entered during the initial implementation, change the name. 18. Click Save Let’s now configure systems inside the AD environment for Host Based Auditing 19. Use the Skytap Navigation to login to the db-server.greensafe.lab server with the following credentials: Username: afoster@greensafe.lab Password: Centr1fy 20. Use the Start Menu to launch the Centrify Agent Configuration. 21. Click Add Service 22. Select Centrify Audit and Monitoring Service and Click OK. 23. Select DefaultInstallation and click Next. 24. Close the Centrify Agent Configuration. Let’s now prepare a Unix system for Host Based Auditing. 25. Use the Skytap Navigation to return to the apps-server.greensafe.lab server. 26. Launch PuTTY and login to db-unix.greensafe.lab with the following credentials: Username: root Password: password1 27. Run the following command to install the Centrify DirectAudit Agent: yum install CentrifyDA -y 28. Once completed, reboot the server. 109 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide Lab 39: Review Audit Sessions In this exercise, Bob Hughes will use Centrify Identity Platform to open secure remote sessions that will be audited. Alex (you) will then review the sessions, create specific queries and document sessions. Systems used in this lab: dc.greensafe.lab apps-server.greensafe.lab db-server.greensafe.lab apps-unix.greensafe.lab db-unix.greensafe.lab Estimated time to complete this lab: 15 minutes 1. 
Using the Google Chrome Incognito Window, login with the following credentials: Username: bhughes@greensafe.lab Password: Centr1fy 2. Use the main menu on the left to navigate to Resources Systems 3. Right Click on db-server.greensafe.lab and click Enter Account 4. Enter the following credentials to log into the server. Username: bhughes@greensafe.lab Password: Centr1fy 5. In the open session, use the start menu to launch PowerShell and run the following commands: • • gpupdate /force ipconfig Once completed, exit PowerShell 6. Use the Start Menu and launch the Windows Administrative Tools 7. Launch Windows Firewall and Advanced Security 8. Logout of the session. Let’s open another session using a UNIX system. 9. Exit the Centrify Identity Platform 10. Launch PuTTY and login to the db-unix.greensafe.lab server with the following credentials: 110 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide Username: lbennett@greensafe.lab Password: Centr1fy 11. In the open session, execute the following commands: • • • • • cat /etc/passwd ifconfig clear history logout Let’s review recorded audit sessions. 12. Use the desktop shortcut to launch Audit Analyzer. 13. Expand Audit Sessions and Click Today to see a list of recorded sessions. 14. Double click on the session for db-server.greensafe.lab Let’s document this session so other auditors and management have the auditor’s notes. 15. Use the Session menu to update the review status to Reviewed. 16. Add notes related to the session that you witnessed and click OK You can then close this session. Now let’s look at a UNIX session. 17. Double click on the session for db-unix.greensafe.lab Let’s document this session so other auditors and management have the auditor’s notes. 18. Use the Session menu to update the review status to Pending for Action 19. Add notes and instructions of the actions that need to be taken and click OK. 
For example: Security permissions need to be reviewed for this logged in user. You can now close this session. Let’s now group sessions based on specific executed commands. 20. Right Click on Audit Sessions and select New Private Query. 21. Name the new query UNIX cat Command Execution 22. Under Definition Type, uncheck Windows systems 111 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide 23. Under Criteria, click the Add button 24. Use the Attributes drop-down menu to select UNIX Output and Commands 25. Use the Criteria drop-down menu to select Contains any of… 26. In the space provided, type cat (lowercase) 27. Click OK to save the query 28. Under Audit Sessions, expand Private Queries 29. Click UNIX cat Command Execution 112 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide Lab 40: Manage Live Remote Sessions Current procedures dictate a maintenance period that takes place over every weekend. This currently involves administrators informing users to logout of servers that are included in the maintenance schedule; however, there continues to be sessions left open by users that must be closed. In this exercise, Alex (you) will use Centrify Identity Platform to open secure remote sessions to watch current activity and terminate if necessary. Systems used in this lab: dc.greensafe.lab apps-server.greensafe.lab db-server.greensafe.lab apps-unix.greensafe.lab db-unix.greensafe.lab Estimated time to complete this lab: 10 minutes 1. Using the Google Chrome Incognito Window, login with the following credentials: Username: bhughes@greensafe.lab Password: Centr1fy 2. Use the main menu on the left to navigate to Resources Systems 3. Right Click on db-server.greensafe.lab and click Enter Account 4. Enter the following credentials to log into the server. Username: bhughes@greensafe.lab Password: Centr1fy 5. 
Leave the session open and return to the Centrify Identity Platform logged in as Alex Foster (afoster). 6. Use the main menu on the left to navigate to Dashboards 7. Use the drop-down box to change the dashboard from Security Overview to Overview. In the lower right portion of the dashboard, you will see all active sessions. 8. Right click on the active session and click Watch. Move the open session so it is side by side with the watched session. 9. Type history in the open session and it will instantly be displayed in the watched session; giving the administrator watching the opportunity to determine if the session can be terminated safely. 113 ©2021 Centrify Corporation. All Rights Reserved Centrify PAM Administration – Lab Guide 10. Close the watched session. 11. Return to the dashboard and right click on the active session and click Terminate. You will notice the active session is closed with a message indicating the session was closed by the administrator. 114 ©2021 Centrify Corporation. 