Automating Cloud Security with Centrify Express and RightScale




QUICK START GUIDE. MAY 2011

Automating Cloud Security with Centrify Express and RightScale

How to secure cloud systems by joining them to your Active Directory infrastructure

Abstract

This Quick Start Guide shows how to use Centrify DirectControl Express with RightScale to join hosted Linux systems to Active Directory in order to centrally manage user authentication. Centralizing user accounts in Active Directory simplifies user access and administration of your cloud infrastructure by leveraging a common set of user accounts and a single place to administer them. Centrify provides a set of RightScripts that can be added to any RightScale ServerTemplate in order to install DirectControl Express and join the hosted Linux system to Active Directory. This guide shows how to configure your environment and use these RightScripts within your own RightScale ServerTemplates.

2011 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 1

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2011 Centrify Corporation. All rights reserved. Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. RightScale is a registered trademark of RightScale, Inc.; ServerTemplates and RightScripts are trademarks of RightScale, Inc. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. [AN-013-2011-5-06]

Contents

Introduction ... 4
  Centrify Express ... 4
  Centrify Express RightScripts for RightScale ... 4
  Centrify DirectManage Express ... 6
Setting up the Required Environment ... 6
  Active Directory Domain Services ... 6
  Set Up Accounts within Active Directory ... 7
    User Accounts ... 7
    User Groups ... 7
    Computer Accounts ... 7
  Amazon Web Services Account ... 9
  RightScale Account ... 9
Creating a RightScale ServerTemplate ... 10
  MultiCloud Image ... 10
  ServerTemplate ... 11
  Adding Centrify RightScripts to your ServerTemplate ... 12
  Add your ServerTemplate to a Deployment ... 13
Launching Cloud Servers in a RightScale Deployment ... 14
Accessing the New AMI Instances ... 17
  Active Directory User Single Sign-on using PuTTY ... 17
  Privileged Command Execution Using Sudo ... 19
Using DirectManage Express to Access and Manage Centrify Express Instances ... 20
  Adding EC2 Instances ... 20
  Accessing and Managing EC2 Instances ... 22
Benefits of Upgrading to Centrify Suite Standard, Enterprise or Platinum Editions ... 22
Frequently Asked Questions ... 24
How to Contact Centrify ... 24

Introduction

One of the primary benefits of using cloud servers is the extremely short time between the decision to use another server and its production usage. Cloud services providing Infrastructure as a Service offerings, such as Amazon, enable their customers to simply clone an existing Linux or Windows machine image with a few pre-defined settings and, upon completion of the clone and launch of the image, the new cloud server instance is available for use. However, the customer will need to log in with the pre-configured account and create additional user accounts as needed. This Quick Start Guide shows how to leverage Active Directory both to manage the existing pre-defined accounts on these cloud servers and to dynamically control user accounts, access and privileges through centralized management within Active Directory.

Centrify Express

Centrify Express is a free version of the same Active Directory integration technology that 3000+ enterprise customers currently have in production on hundreds of thousands of servers. Centrify Express consists of:

Centrify DirectControl Express. An authentication agent that enables Active Directory-based user account administration and password management as well as single sign-on for UNIX, Linux and Mac systems.

Centrify DirectManage Express. A central management console to discover non-Windows systems, install DirectControl Express and join them to Active Directory. Once the systems are joined to Active Directory, the console provides an interface to manage script execution as well as to establish single sign-on enabled remote sessions.

Centrify-enabled Open Source Tools. Enhances productivity with painless remote terminal access with OpenSSH as well as remote file system access through Samba, where both are tightly integrated with Active Directory.

Centrify Cloud Tools. Provides both preconfigured Amazon Machine Images with Centrify Express pre-loaded as well as configuration scripts and guidance on how to integrate cloud servers with Active Directory.

Centrify Insight. Centrify provides additional reports and dashboards on top of the Splunk platform.

Centrify Express provides the necessary Active Directory integration to enable centralized control of user accounts, access controls and privilege authorizations. This guide shows you how to use Centrify Express and Active Directory to control Amazon AMI instances.

Centrify Express RightScripts for RightScale

As part of Centrify Cloud Tools, Centrify has created four RightScripts for use with RightScale in order to automate the installation and configuration of Centrify DirectControl Express on any ServerTemplate, so that the server joins Active Directory and enforces Active Directory-based user authentication and privilege policies. The four RightScripts are described below; you will find them in the RightScript Library if you search for Centrify as the publisher.

Centrify Install Centrify Suite Express. This RightScript can be added as a boot script to any ServerTemplate. It determines the operating system of the cloud server that was launched, downloads the latest version of Centrify Express directly from Centrify, and then installs Centrify DirectControl Express and Centrify OpenSSH on the supported cloud server instance.

Centrify Join Active Directory. After Centrify Suite Express has been installed, this RightScript is run as a Boot Script to join the new cloud server instance to your Active Directory domain. Once this script has executed, the system will be configured to allow any of your Active Directory users to log in to the new cloud server instance with their Active Directory user ID and password.

Centrify Setup Active Directory Access and Privilege Management. This script configures the system to require Active Directory group membership in order for your Active Directory users to be able to log in or execute commands with privileges. The local root account is configured to require the Active Directory password for the cloud.root account upon login as root. This configuration ensures that your Active Directory infrastructure is in control of the root login to the newly created cloud server instance once it has been joined to Active Directory. In order to control user access to the new cloud server instance, this script asks for the name of an Active Directory group whose members will be granted rights to log in. Since some users who log in may need root privileges, this script also asks for the name of an Active Directory group whose members will be granted privileges through sudo.

Centrify Leave Active Directory. This decommission script terminates the relationship between the cloud server and Active Directory and resets the computer account so that the next new instance can reuse it.

Centrify DirectManage Express

DirectManage Express provides an interface that makes it easier to manage your cloud server instances. It supports calling the EC2 APIs in order to perform initial discovery as well as to refresh the list of currently running instances within Amazon EC2. Once the EC2 instances have been added to this management tool, you can more easily perform various remote administrative tasks, such as initiating a PuTTY or WinSCP session through a right-click task menu, or more advanced operations such as running custom scripts across one or more systems.

Setting up the Required Environment

Active Directory Domain Services

While most organizations will have their Active Directory set up and running within the enterprise, there are several ways to configure your existing Active Directory to support the management of systems in the DMZ or on public networks such as the Amazon Web Services cloud. This Quick Start Guide keeps things simple by showing you how to use an isolated Active Directory domain that is set up outside the firewall, completely independent of any existing internal Active Directory. For this exercise, we simply need the common authentication infrastructure that Active Directory provides to centralize account administration across the AMI instances that you will create in the cloud. Additionally, you can configure a one-way trust with existing Active Directory domains in order to leverage the existing user accounts you may already have set up within the firewall.

For additional reading on how to leverage your existing Active Directory user accounts for login to these hosted servers, Microsoft has documented guidance on several configuration options: Active Directory Domain Services in the Perimeter Network (Windows Server 2008) (http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&familyid=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4#tm)

You also need to set up a DNS server running on your domain controller, configured to require authentication for any DNS updates and to serve the new cloud.company.com domain, forwarding any other requests to your existing DNS servers. We will use this DNS server later, as the AMIs are configured to securely auto-update their public IP address against the hostname of the joined computer account.

The remainder of this document assumes that you have a working Active Directory domain controller that is hardened and reachable (either running in your DMZ or hosted on a Windows Server in EC2) by the instances that will be launched in the cloud.

Set Up Accounts within Active Directory

In order to control the users who are allowed to log in to your new cloud server instances, you need to create end-user accounts within your Active Directory as well as an account that will be used to control the password for the root account on each of the new cloud server instances.

User Accounts

To set up the account that will control the local root user's password, create a cloud.root user account within Active Directory and set the password. If you want to disable the ability to su to root, simply disable the Active Directory account for cloud.root. Also create an Active Directory account for any end-users you want to grant login rights to your cloud server instances and set an initial password. No other data is needed because the local UNIX profile will be created automatically at login, as will the home directory.

User Groups

In order to grant Active Directory users the right to log in to these cloud server instances, you need to add the end-users to an Active Directory group; for this example, I've used the Active Directory group cloud.access. Create an Active Directory global security group called cloud.access and add your authorized users to this group. The Centrify RightScript will ask you for the name of this Active Directory group to use for ACCESS_GROUP.

Additionally, you may have some users whose responsibilities require root privileges, and you can also centrally control which users are granted sudo permissions to run commands as root. You simply need to create an Active Directory global security group; for this example, I've used the Active Directory group cloud.admins. Just add the Active Directory user accounts for your administrators to this group. Anyone who is a member of this group can use the sudo command to run any command with root privileges after validating their Active Directory password. The Centrify RightScript will ask you for the name of this Active Directory group to use for PRIVILEGE_GROUP.

Computer Accounts

There are several ways to set up the cloud servers to join Active Directory upon first boot, and there are security tradeoffs with each of the possible approaches.

Auto-join possible approaches:

The user ID and password for an account that is authorized to join the system to Active Directory could be handed off to the instance upon launch, and a RightScript could prompt for this user account and password to provide to the new instance. However, there is no easy way to ensure the privacy of the password, since it must be provided to the instance over an insecure channel.

A Kerberos credential (in the form of either a keytab or a valid ticket within a Kerberos ticket cache) for an account that is authorized to join the system to Active Directory could also be provided upon launch. DirectControl 4.4.3 has been enhanced to support a Kerberos-authenticated join to Active Directory, which could be used for automation within the enterprise. However, again there is no easy way to ensure the privacy of this credential during the launch of an EC2 instance.

Another option is to configure the cloud server instances to perform a self-service join into a pool of pre-created computer accounts. In this model, there is no need to provide join credentials to the new instance, because it will try to join an existing computer account within the pool of sequentially named accounts until it succeeds. This has the added benefit that, upon successful join to Active Directory, you will know the computer hostname. We will use this model for the example presented since it is the simplest to manage.

Active Directory Computer Account Pool

The primary purpose of the first two Centrify RightScripts is to install Centrify Express and auto-join using the self-service join process at boot or reboot, joining the next available computer account in the Active Directory pool of computer accounts set up for these cloud server instances. You will need to pre-create the pool of computer accounts in Active Directory using a common hostname prefix followed by an incrementing number from 1 to 100. The Centrify Join Active Directory RightScript will prompt you for the HOSTNAME_PREFIX as part of the join process.

To pre-create the pool of computer accounts in Active Directory, you will need to create the computer accounts and grant each computer account the right to reset its own password, using the following procedure.

Pre-create Computer Accounts. Right-click on the Computers container and select New, then Computer. Provide the name of the computer, such as ec2host1, and click OK.

Set the Permissions for Self Join. Select the new computer account, open the Properties and select the Security tab. Then in the first box select SELF and, in the Permissions window, scroll down and grant the Reset password right and click Apply. This enables the new cloud server instances to reset their computer account as they leave the domain during termination, as directed by the Decommissioning RightScript.

Amazon Web Services Account

You will need to make sure that you have an AWS account set up so that you can launch new Amazon EC2 hosted cloud servers. Simply browse to http://aws.amazon.com/ and click on the Sign Up Now button in order to create your own AWS account. You will need your Amazon-assigned Access Key as well as the corresponding Secret Key in order to enable the RightScale system to manage your EC2 cloud servers.

RightScale Account

You will also need an account at RightScale in order to create your own RightScale ServerTemplate to launch a cloud server instance of your choice along with the Centrify RightScripts to join these servers to Active Directory. Simply browse to http://www.rightscale.com/products/free_edition.php and sign up for the Free Edition to get started. Once you have an account, just sign in to the RightScale Dashboard at https://my.rightscale.com/ using your new RightScale account.
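The self-service join described above, written out as an added POSIX shell example (it is not one of Centrify's RightScripts): the script walks the pool HOSTNAME_PREFIX1..HOSTNAME_PREFIXN, stops at the first computer account that accepts the join, and then registers that name in the domain's DNS. The adjoin and addns command-line options, the pool size, and the DNS address used here are assumptions, not values taken from the guide; the join itself is only attempted when the script is run with --run.

```shell
#!/bin/sh
# Added example (not a Centrify RightScript): self-service join into a pool of
# pre-created computer accounts named PREFIX1..PREFIXN. The adjoin/addns
# options below are assumptions about the DirectControl Express CLI; check
# them against the version the Install RightScript downloaded.

# Launch inputs from the guide, with constructed defaults for illustration.
HOSTNAME_PREFIX="${HOSTNAME_PREFIX:-ec2host}"
POOL_SIZE="${POOL_SIZE:-100}"
DOMAIN="${DOMAIN:-cloud.company.com}"
DNS_IP_ADDRESS="${DNS_IP_ADDRESS:-192.0.2.10}"   # TEST-NET-1 placeholder

# Attempt a self-service join with one candidate computer account name.
# Returns 0 only if the join succeeds; an account already in use by another
# instance, or one without the SELF "Reset password" right, makes adjoin fail.
try_join() {
    # Assumed adjoin options: --selfserve (self-service join) and --name.
    adjoin --selfserve --name "$1" "$DOMAIN" >/dev/null 2>&1
}

# join_pool PREFIX SIZE [JOIN_FN]
# Walks PREFIX1..PREFIXSIZE and calls JOIN_FN on each candidate until one
# succeeds. Prints the joined name and returns 0; returns 1 when the whole
# pool is taken. JOIN_FN defaults to try_join and can be swapped for testing.
join_pool() {
    prefix="$1"
    size="$2"
    join_fn="${3:-try_join}"
    i=1
    while [ "$i" -le "$size" ]; do
        candidate="${prefix}${i}"
        if "$join_fn" "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Validate the launch inputs before touching the domain: a prefix that already
# ends in a digit, or a non-numeric pool size, would silently build names that
# do not exist in the pool (ec2host11 instead of ec2host1, for example).
validate_inputs() {
    case "$1" in
        ''|*[0-9]) return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$2" -ge 1 ]
}

# After a successful join, publish this instance's public address under the
# computer account name so users can reach it by its Active Directory name.
register_dns() {
    joined="$1"
    hostname "$joined" || return 1
    # Assumed addns options: -U (update), -m (this machine's own record) and
    # -s (the authoritative DNS server, here the domain controller). The update
    # is authenticated with the machine's Kerberos credentials from the join.
    addns -U -m -s "$DNS_IP_ADDRESS"
}

main() {
    validate_inputs "$HOSTNAME_PREFIX" "$POOL_SIZE" || {
        echo "invalid HOSTNAME_PREFIX or POOL_SIZE" >&2
        exit 2
    }
    joined=$(join_pool "$HOSTNAME_PREFIX" "$POOL_SIZE") || {
        echo "no free computer account in ${HOSTNAME_PREFIX}1..${POOL_SIZE}" >&2
        exit 1
    }
    register_dns "$joined"
}

# Only perform the join when invoked explicitly, so the functions above can be
# sourced and exercised without a domain controller.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

If every account in the pool is taken, the script exits non-zero so the RightScale boot sequence reports the failure instead of leaving an unjoined server running.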

At first login to RightScale you will be prompted to enter your Amazon AWS credentials so that RightScale can help you manage your cloud infrastructure.

Creating a RightScale ServerTemplate

Now that you have an account and have logged in to the RightScale dashboard, you need to create a ServerTemplate that you can launch later within your default deployment. You can learn more about ServerTemplates on RightScale's site at http://www.rightscale.com/products/advantages/cloudready-servertemplates.php. For this example, we will use the ServerTemplate to create dynamically configured cloud servers that are defined independently of a specific hosting provider.

MultiCloud Image

First, we'll need to import a MultiCloud Image, sometimes called a RightImage, which describes a cloud server image on a particular hosting provider, so that we can add it to a new ServerTemplate. Click on the Design drop-down menu item and then MultiCloud Images under the Library section. Search for Ubuntu and then select one of the RightImage_Ubuntu_10.04 MultiCloud Images. Click the green Import button to import it to your Library. If you click on the Cloud tab, you will see the description of all the cloud images that this MultiCloud Image refers to and is capable of launching.

ServerTemplate

To create your first ServerTemplate, from the RightScale Dashboard just click on Design and then ServerTemplate. On this page, click the New button. Then you simply need to provide a Name and Description for the ServerTemplate. You also need to select an existing MultiCloud Image to use for the base operating system.

Click on the Design drop-down menu item and then ServerTemplate. Click on the New button.

Provide a name for the new ServerTemplate, such as MyUbuntuServer. Then select the radio button for Select an existing MultiCloud Image and click on the Select an Image button.

To select the RightImage that we just imported above, click on RightScale as the publisher, then click on the name of the MultiCloud Image that we imported, such as RightImage_Ubuntu_10.04_x64_v5.6_EBS [rev 10], then click Select.

Now click on the Save button.

Adding Centrify RightScripts to your ServerTemplate

Now that you have a ServerTemplate defined that contains a MultiCloud Image, you need to import the Centrify RightScripts so that you can add them to this ServerTemplate as Boot and Decommission scripts to control how this server is configured at launch.

Click on the Design drop-down menu item and then RightScripts under the Library section. In the Search dialog, enter Centrify and select Publisher under the Search in: option. You will see four Centrify RightScripts that all need to be imported. For each of the Centrify RightScripts, click on the title to see the properties for the RightScript and then click the green Import button to import it to your Library. You can use your browser's back button twice to get back to the search results to import the other RightScripts.

At this point, you are ready to add the RightScripts to your ServerTemplate. To get back to your ServerTemplate, click the Design menu item and then ServerTemplates, then click on the name of the ServerTemplate that you created earlier, MyUbuntuServer. Now click on the Scripts tab.

Under the heading Boot Scripts, click on Add Script, select Centrify as the publisher, select the Centrify Install Centrify Suite Express RightScript and click Select.

Under the heading Boot Scripts, click on Add Script, select Centrify as the publisher, select the Centrify Join Active Directory RightScript and click Select.

Under the heading Boot Scripts, click on Add Script, select Centrify as the publisher, select the Centrify Setup AD Access and Privilege Management RightScript and click Select.

Under the heading Decommission Scripts, click on Add Script, select Centrify as the publisher, select the Centrify Leave Active Directory RightScript and click Select.

Now if you click on the Inputs tab, you will see the data inputs that these RightScripts will need when you launch the ServerTemplate. You will fill in the data later when you launch.

Add your ServerTemplate to a Deployment

The last step is to add this ServerTemplate to your deployment so that we can launch this server. Click on the Add to Deployment button. In the Add Server dialog, select one of the Amazon clouds to launch the server in, such as AWS US-West, and then click Continue. Check all the parameters for the Cloud settings. Deployment should be Default.

Check that your SSH key is the one that you imported earlier. Select a security group such as default. Leave Availability Zone set to Any. Leave all other settings at their defaults and click Add. Now the server is in your default deployment environment, and you can proceed to launching the server.

Launching Cloud Servers in a RightScale Deployment

Now that you've defined the ServerTemplate with the Centrify RightScripts and added it to your default deployment, you can launch the cloud server. As the server boots, it will execute the Centrify RightScripts in order to install the latest version of Centrify Express from the Centrify Download Center, join the server to your Active Directory, and configure it to grant access to the users that are members of your access control group and privileges to the members of your admin group.

From the Manage menu, select Deployments, then click on the Deployment nicknamed Default.

You should see your ServerTemplate listed and, to the right under Actions, a blue button with a mouse-over label of Launch. Click on this blue Launch button. Next you will see a page with launch inputs for your ServerTemplate. You will need to provide the following information so that the new cloud server can find and join your Active Directory domain.

ACCESS_GROUP. Enter the Active Directory group that you will use to control which of your Active Directory users are authorized to log in to this server; previously we created a group called cloud.access.

DNS_IP_ADDRESS. Enter the IP address of your Active Directory domain controller, which should also be configured as the DNS master for the domain that it is serving, such as cloud.company.com. Upon boot, this new server will use this IP address for all hostname resolution and will auto-update its hostname entry in DNS with its currently assigned public IP address.

DOMAIN. Enter the domain name of the Active Directory domain that you are using for cloud servers, such as cloud.company.com.

HOSTNAME_PREFIX. Enter the prefix of the computer names that you pre-created previously, such as ec2host. Be sure to leave off the numeric value, since the boot scripts will append and increment the number to find a free computer account the new server can join.

PRIVILEGE_GROUP. Enter the Active Directory group name that you created for your cloud administrators, such as cloud.admins.

Now click the Launch button. The Deployment Default page will show the state of the cloud server that is booting, and it will change from pending to operational when it is ready.

Accessing the New AMI Instances

Once the cloud server instance is running, click on the operational server nickname in order to find the public DNS name for the instance, so that you can launch an SSH client and log in with any of your Active Directory user accounts that are members of the ec2.access group within Active Directory. You can also log in to the system using its Active Directory computer name, which will be registered in your DNS so that you don't have to find the public DNS name of the new instance. This helps to provide single sign-on through PuTTY.

Active Directory User Single Sign-on using PuTTY

Single sign-on requires that the client workstations you use can both find the IP address of the host you are connecting to via DNS and request a Kerberos ticket for the destination host from a trusted Active Directory domain. For this example, we will log in as an end-user on the domain controller and launch the Centrify version of PuTTY to get signed on to the AMI instance without having to type user credentials. Even better, host authentication is performed based on a Kerberos key exchange, which is completely automatic, meaning that you no longer need to manage SSH host keys.

The domain controller in the DMZ that we are using is running the Microsoft DNS server, configured to require authentication for all updates. Centrify provides a command-line tool called addns as part of Centrify Express. addns is called during the boot process to securely update the Active Directory DNS server with the IP address of the AMI instance after it has successfully joined Active Directory. This ensures that the DNS server has the correct public IP address of the AMI instance associated with the Active Directory computer account name that was used to join Active Directory. Now that DNS has the proper IP address entry for the new instance associated with one of the computer accounts, we can log in as an end-user using PuTTY.

In the PuTTY Configuration dialog, you only need to enter the Active Directory computer account name of the new instance. Then navigate to the Kerberos configuration in the SSH node under Connection and check the box Attempt Kerberos auth (SSH-2).
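For readers connecting from an OpenSSH client rather than PuTTY, the following added example (not from the Centrify paper) shows the client options that correspond to the PuTTY Kerberos setting above, together with a preflight check of the two prerequisites the text names: DNS must resolve the host consistently, and the client must be able to obtain a Kerberos service ticket for it. The host name ami-web01.example.com, the realm EXAMPLE.COM and the klist listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Centrify paper: OpenSSH equivalent of PuTTY's
# "Attempt Kerberos auth (SSH-2)" plus a preflight check of the DNS and ticket
# prerequisites. Host name and realm below are assumptions, not from the page.
ASSUMED_HOST="ami-web01.example.com"
ASSUMED_REALM="EXAMPLE.COM"

# Service principal that PuTTY/OpenSSH requests for an SSH host: host/<fqdn>@<REALM>.
# Kerberos convention is a lowercase FQDN and an uppercase realm.
host_spn() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# True when a klist listing (read from stdin) already holds a ticket for the SPN.
has_service_ticket() {
    grep -q -F -- "$1"
}

# True when the given sshd_config enables GSSAPI, which the server side of the
# single sign-on relies on. sshd honours the first uncommented occurrence of a
# keyword, hence the "exit" after the first match.
sshd_gssapi_enabled() {
    val=$(awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Forward and reverse DNS must agree for the host; a reverse record pointing at a
# different name is a common cause of GSSAPI failures. Needs a live resolver.
dns_consistent() {
    ip=$(getent hosts "$1" | awk '{ print $1; exit }')
    [ -n "$ip" ] || return 1
    rev=$(getent hosts "$ip" | awk '{ print $2; exit }' | tr 'A-Z' 'a-z')
    [ "$rev" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Client command matching the PuTTY settings: use the existing TGT, do not
# forward it to the server, and refuse to fall back to a password prompt.
sso_ssh_cmd() {
    printf 'ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no -o PasswordAuthentication=no %s@%s\n' "$1" "$2"
}

# Constructed klist output used for the offline check (not a real ticket cache).
SAMPLE_KLIST="Valid starting     Expires            Service principal
01/01/11 09:00:00  01/01/11 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/01/11 09:05:12  01/01/11 19:00:00  host/ami-web01.example.com@EXAMPLE.COM"

# Live preflight, run only when a login name is passed on the command line.
preflight() {
    spn=$(host_spn "$ASSUMED_HOST" "$ASSUMED_REALM")
    dns_consistent "$ASSUMED_HOST" || { echo "DNS forward/reverse mismatch for $ASSUMED_HOST" >&2; return 1; }
    if ! klist 2>/dev/null | has_service_ticket "$spn"; then
        echo "no ticket for $spn yet; ssh will request one from the KDC using the TGT" >&2
    fi
    sso_ssh_cmd "$1" "$ASSUMED_HOST"
}
if [ $# -ge 1 ]; then preflight "$1"; fi
```

Run it as `sh sso_preflight.sh alice` on a workstation that already holds a ticket-granting ticket for the domain (a Windows logon or `kinit`). GSSAPIDelegateCredentials is left off because the login described here only needs authentication, not a forwarded ticket on the instance.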

Click Open to establish a Kerberos-authenticated connection to the Active Directory-integrated AMI instance. As you can see, the logged-in user is able to authenticate to this AMI instance without entering a user ID or password, since PuTTY was able to obtain a Kerberos service ticket for the remote host and the Centrify OpenSSH server was configured to authenticate the user with GSSAPI, which enables single sign-on.

Privileged Command Execution Using Sudo

Users who are members of the ec2.admin group in Active Directory will be able to run any command with root privileges simply by prefixing the command with sudo. Additionally, if you want to modify the permissions granted to the ec2.admins group, or create additional groups and manage their sudo rights, you can edit the /etc/sudoers file to contain additional entries such as the two below, which Centrify has added to the default /etc/sudoers file:

    Centrify ALL = (ALL) NOPASSWD: ALL
    ec2.admins ALL = (ALL) PASSWD: ALL
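Before adding entries of this kind it is worth knowing exactly who ends up with unrestricted root, and who gets it without a password prompt. The following added example (not from the Centrify paper) audits a sudoers file for both conditions and syntax-checks a candidate file before it is installed. The sample sudoers text is constructed: it includes the two entries shown above, but note that in sudoers syntax a group name carries a leading `%` (a bare name such as `ec2.admins` matches a user account of that name), so the sample writes the group entries as `%ec2.admins` and `%ec2.deploy`; the `ec2.deploy` group and its command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Centrify paper: audit a sudoers file for entries
# that grant unrestricted root and for entries that skip the password prompt.

# Constructed sudoers text (not a real /etc/sudoers). Group entries carry the "%"
# prefix that sudoers requires for a group; %ec2.deploy is an assumed example.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults    requiretty
Centrify    ALL = (ALL) NOPASSWD: ALL
%ec2.admins ALL = (ALL) PASSWD: ALL
%ec2.deploy ALL = (ALL) NOPASSWD: /usr/bin/systemctl restart app'

# Strip comments, blank lines and Defaults lines; what remains are user specs.
user_specs() {
    awk '/^[ \t]*(#|$)/ { next } $1 == "Defaults" { next } { print }'
}

# Print "<principal> <runas> <PASSWD|NOPASSWD>" for every spec whose command list
# is the bare word ALL, i.e. any command as the runas user.
full_root() {
    user_specs | awk '{
        line = $0
        sub(/^[^=]*=[ \t]*/, "", line)               # "(ALL) NOPASSWD: ALL"
        runas = "(root)"                              # sudo default when no runas list
        if (match(line, /^\([^)]*\)/)) {
            runas = substr(line, RSTART, RLENGTH)
            sub(/^\([^)]*\)[ \t]*/, "", line)         # "NOPASSWD: ALL"
        }
        tag = (line ~ /^NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        sub(/^(NO)?PASSWD:[ \t]*/, "", line)          # "ALL"
        if (line == "ALL") print $1, runas, tag
    }'
}

# Print "<principal> <commands>" for every spec that runs without a password.
list_nopasswd() {
    user_specs | awk '/NOPASSWD:/ {
        line = $0
        sub(/.*NOPASSWD:[ \t]*/, "", line)
        print $1, line
    }'
}

# Syntax-check a candidate file before installing it; "visudo -c -f FILE" parses
# the file without touching /etc/sudoers. Skipped with a note if visudo is absent.
check_syntax() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; syntax not checked" >&2
        return 0
    fi
    visudo -c -f "$1"
}

# Stand-alone run: report on the constructed sample.
audit_report() {
    echo "== unrestricted root =="
    printf '%s\n' "$SAMPLE_SUDOERS" | full_root
    echo "== passwordless entries =="
    printf '%s\n' "$SAMPLE_SUDOERS" | list_nopasswd
}
```

Against the sample, `full_root` reports the local `Centrify` account and `%ec2.admins`, and `list_nopasswd` reports `Centrify` (any command) and `%ec2.deploy` (one command). Run `audit_report` or pipe a real file through the functions (`full_root < /etc/sudoers`) to review a system; a NOPASSWD entry with a command list of ALL for a shared local account is the one a reviewer would most want to see justified.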

Using DirectManage Express to Access and Manage Centrify Express Instances

DirectManage Express provides an interface that makes it easier to manage your EC2 instances once they are running. For DirectManage to manage the instances, the new instances must be added to its database, which can easily be done by calling the EC2 APIs with your AWS account credentials to retrieve the list of instances currently running in Amazon EC2.

Adding EC2 Instances

To add the currently running EC2 instances in DirectManage Express, simply select the Add Computer task from the right-click task menu. Then select Discover computers from cloud, and the wizard will ask for your Amazon secret key and access key so that it can log in to retrieve the information.

You will also be asked for login credentials to access the EC2 instances. Since the EC2 instance will be joined to Active Directory automatically, you can use any Active Directory account that is a member of both the ec2.access and ec2.admin groups, since those accounts will be able both to log in and to execute commands with privileges. Provide the login name of the Active Directory account and specify that it should use sudo for privilege elevation. As an example, you could use an account called dm.manager created for this specific purpose. Once the wizard has completed, you will see the console start to add the EC2 instances to the list of computers that it can manage.
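The discovery wizard above asks for an AWS access key and secret key. The following added example (not from the Centrify paper, and not DirectManage's own code) reproduces the listing step it performs with the AWS CLI, so the key you hand to the tool can be restricted to what that step needs and tested beforehand. It assumes the AWS CLI is installed with a named profile `discovery` holding that key; the instance ids and DNS names in the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify paper: the "discover running instances"
# step done with the AWS CLI, plus the read-only policy the discovery key needs.
# Assumes the AWS CLI and a named profile "discovery" (both assumptions).

# Listing instances only needs ec2:DescribeInstances, which does not support
# resource-level restrictions, so "*" is the narrowest valid Resource.
discovery_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": "*" }
  ]
}
EOF
}

# Live call: running instances as tab-separated "InstanceId PublicDnsName PrivateDnsName".
discover_running() {
    aws --profile "${1:-discovery}" ec2 describe-instances \
        --filters Name=instance-state-name,Values=running \
        --query 'Reservations[].Instances[].[InstanceId,PublicDnsName,PrivateDnsName]' \
        --output text
}

# Keep only rows that have a public DNS name (the CLI prints "None" or an empty
# field when the instance has none) and output "InstanceId PublicDnsName".
instances_with_public_dns() {
    awk -F'\t' '$2 != "" && $2 != "None" { print $1, $2 }'
}

# Constructed describe-instances text output (not real instance ids or names).
SAMPLE_DESCRIBE=$(printf 'i-0abc123def456789a\tec2-203-0-113-10.compute-1.amazonaws.com\tip-10-0-0-10.ec2.internal\ni-0bcd234efa567890b\tNone\tip-10-0-1-20.ec2.internal\n')

# Print the reachable instances from the live call only when "live" is passed;
# otherwise show what the parser does with the constructed sample.
if [ "${1:-}" = "live" ]; then
    discover_running | instances_with_public_dns
else
    printf '%s\n' "$SAMPLE_DESCRIBE" | instances_with_public_dns
fi
```

The AWS key and the `dm.manager` Active Directory account play different roles: the key only enumerates instances through the EC2 API, while the AD account logs in to each instance over SSH and elevates with sudo, so the two should be kept separate and each granted only its own task.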