System hardening

The following describes how to harden the servers that host Hyper-scalable PAS in order to reduce their attack surface.

Things to know before you begin

The following is intended for Windows Server 2016 systems only. It assumes that you have completed the installation steps as detailed in the installation documentation, so that:

  • Centrify Hyper-scalable Privileged Access Service has been installed successfully.
  • the operating system has been hardened in accordance with either:

The following should be used in conjunction with any applicable organizational security policies and hardening guidelines. General hardening of the Windows Server 2016 instances should be performed before applying the more detailed steps below. If there are conflicts between the following and organizational policy documents, they should be raised with the internal security team for assessment and resolution.

Note:   As a general rule, implement the most restrictive policy that still allows Hyper-scalable PAS to operate as intended without adversely affecting it or any other required element of Windows functionality.

All Hyper-scalable PAS components, with the exception of the management node, should be installed on dedicated servers. The servers should serve no purpose other than that required by the Hyper-scalable PAS solution. The systems considered to be direct components of the Hyper-scalable PAS solution are:

  • Centrify PAS
  • Connectors

Windows operating system hardening

For Microsoft Windows Server Operating Systems hardening, refer to the Center for Internet Security Level 1 Benchmarks for Windows Server at https://www.cisecurity.org/benchmark/microsoft_windows_server/.

Applying Windows operating system updates

Windows updates should be applied in a timely fashion in accordance with the organizational security policy. They may be applied manually or automatically using Windows Server Update Services (WSUS). Configuration of WSUS is beyond the scope of this document and depends on the organization's update strategy; Microsoft provides comprehensive documentation for WSUS, which should be consulted as needed.

Using anti-virus software

It is recommended that you consult your company IT and/or compliance departments to determine the anti-virus requirements for these servers.

Disabling network protocols

The following networking components are not required by Hyper-scalable PAS or the supporting Windows infrastructure and can therefore be safely disabled on all network adapters:

  • File and Printer Sharing for Microsoft Networks.
  • QoS Packet Scheduler.
  • Microsoft LLDP Protocol Driver.
  • Internet Protocol Version 6 (TCP/IPv6).
  • Link-Layer Topology Discovery Responder.
  • Link-Layer Topology Discovery Mapper I/O Driver.

This should leave only the following networking components enabled:

  • Internet Protocol Version 4 (TCP/IPv4).
  • Client for Microsoft Networks.

The following image illustrates how the network adapter properties should look following these changes:
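The same result can be reached from an elevated PowerShell session instead of the adapter properties dialog. The following is an added example, not part of the Centrify documentation; the component IDs are the standard Windows binding names reported by Get-NetAdapterBinding, and the script both disables the unneeded bindings and verifies that only TCP/IPv4 and Client for Microsoft Networks remain enabled.

```powershell
# Added example (not from the Centrify documentation): disable the listed
# bindings on every physical adapter and verify that only IPv4 and the
# Microsoft Networks client remain enabled. Run from an elevated session.
$Unneeded = @(
    'ms_server'   # File and Printer Sharing for Microsoft Networks
    'ms_pacer'    # QoS Packet Scheduler
    'ms_lldp'     # Microsoft LLDP Protocol Driver
    'ms_tcpip6'   # Internet Protocol Version 6 (TCP/IPv6)
    'ms_rspndr'   # Link-Layer Topology Discovery Responder
    'ms_lltdio'   # Link-Layer Topology Discovery Mapper I/O Driver
)
$Required = @('ms_tcpip', 'ms_msclient')  # TCP/IPv4, Client for Microsoft Networks

$Adapters = Get-NetAdapter -Physical
foreach ($Adapter in $Adapters) {
    foreach ($Id in $Unneeded) {
        # SilentlyContinue covers bindings that are not present on a given adapter.
        Disable-NetAdapterBinding -Name $Adapter.Name -ComponentID $Id -ErrorAction SilentlyContinue
    }
}

# Verification: anything still enabled that is not on the required list is a finding.
$Unexpected = Get-NetAdapterBinding -Name $Adapters.Name |
    Where-Object { $_.Enabled -and $_.ComponentID -notin $Required }

if ($Unexpected) {
    $Unexpected | Format-Table Name, DisplayName, ComponentID
    throw 'Unexpected network bindings remain enabled; review the list above.'
}
Get-NetAdapterBinding -Name $Adapters.Name | Where-Object Enabled | Format-Table Name, DisplayName
```

Run this from a console or out-of-band session rather than over a connection that depends on one of the bindings being removed, and keep Client for Microsoft Networks enabled, since domain membership relies on it.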

Configuring Windows logging and auditing

By default, Windows Server 2016 does not log all events of potential interest. Unless organizational policies already mandate these settings and they have previously been enabled, perform the following steps:

  1. Go to Start Menu → Administrative Tools → Group Policy Management. In the left pane, navigate to Forest → Domains → <Domain Name> and expand it.
  2. If it does not already exist, create a new Group Policy Object called “Centrify” by right-clicking on <Domain Name> and selecting Create a GPO in this domain and link it here…. A GPO linked at the domain level applies to every computer in the domain; if these settings should reach only the Hyper-scalable PAS servers, link the GPO to an OU containing just those servers instead.
  3. Right-click on the “Centrify” policy object and click Edit in the context menu. The Group Policy Management Editor opens.
  4. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies. The right pane lists all audit policies.
  5. Configure the following audit subcategories so that both successful and failed events are recorded:

Audit policy                                   Setting
Logon/Logoff → Audit Logoff                    Success & Failure
Logon/Logoff → Audit Logon                     Success & Failure
Object Access → Audit Detailed File Share      Success & Failure
Object Access → Audit File Share               Success & Failure
Object Access → Audit File System              Success & Failure
Object Access → Audit Registry                 Success & Failure
Object Access → Audit Handle Manipulation      Success & Failure

Note:   Audit File System, Audit Registry and Audit Handle Manipulation only generate events for objects that carry a system access control list (SACL). Enabling the subcategory is necessary but not sufficient; auditing entries must also be set on the files and registry keys of interest, and Audit Handle Manipulation in particular is high-volume and should be scoped to objects that matter.

After making the above changes, open an administrative command prompt on each Hyper-scalable PAS server and run gpupdate /force.
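Once Group Policy has refreshed, the effective audit policy on a server can be checked against the table above. The following is an added example, not from the Centrify documentation; it relies only on the built-in auditpol tool, whose /r switch emits CSV with the effective value in the "Inclusion Setting" column.

```powershell
# Added example (not from the Centrify documentation): after gpupdate /force,
# confirm that every subcategory required by the Centrify GPO audits both
# Success and Failure on this server.
$Expected = @(
    'Logon', 'Logoff',
    'Detailed File Share', 'File Share', 'File System', 'Registry',
    'Handle Manipulation'
)

# auditpol /r returns CSV; drop any blank lines before parsing.
$Policy = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv

$Failures = foreach ($Sub in $Expected) {
    $Row = $Policy | Where-Object Subcategory -eq $Sub
    if (-not $Row) { "$Sub : subcategory not found"; continue }
    if ($Row.'Inclusion Setting' -ne 'Success and Failure') {
        "$Sub : $($Row.'Inclusion Setting')"
    }
}

if ($Failures) {
    $Failures
    throw 'Effective audit policy does not match the Centrify GPO.'
}
'All required subcategories audit Success and Failure.'
```

If a subcategory reports "No Auditing" after a successful gpupdate, check the GPO link scope and whether a local policy or another GPO with higher precedence overrides it (gpresult /h is the quickest way to see the winning GPO).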

Verifying firewall configuration

During the installation process, the Windows Firewall is configured to allow the Hyper-scalable PAS components to operate correctly, and no further steps should be required. If a firewall other than the Windows Firewall is in use, it must be configured to permit the same traffic, according to the following values:
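Even when the Windows Firewall is left as the installer configured it, it is worth confirming that all three profiles are enabled with a default inbound action of Block and recording which inbound allow rules exist. The following is an added example, not from the Centrify documentation; it only reads firewall state and does not change any rules.

```powershell
# Added example (not from the Centrify documentation): verify the firewall
# profiles and inventory the enabled inbound allow rules with their ports,
# so the result can be compared against the expected Hyper-scalable PAS
# configuration and against organizational policy.
$Bad = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}
if ($Bad) {
    $Bad | Format-Table Name, Enabled, DefaultInboundAction
    throw 'A firewall profile is disabled or allows inbound traffic by default.'
}

# One row per enabled inbound allow rule, with protocol and local port(s).
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $Port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $Port.Protocol
            LocalPort = ($Port.LocalPort -join ',')
        }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

Rules whose LocalPort shows "Any" deserve particular scrutiny; anything not attributable to Hyper-scalable PAS or to required Windows infrastructure should be disabled.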

Disabling default accounts

The built-in local Administrator account should be disabled to prevent its use. Before you do this, ensure that another administrative account (or an administrative domain group) is present in the local Administrators group, or you risk locking yourself out of the server.

To disable the local Administrator account, enter the following command into an administrative command prompt:

net user administrator /active:no

Take the same step for the "Guest" and "DefaultAccount" accounts.

To list the accounts present on a server, enter the following command into an administrative command prompt:

net users

To learn if a given account is active or not, enter the following command into an administrative command prompt:

net user <account name>

For instance, net user guest should return output of the following form. Note the line "Account active   No":

C:\Windows\system32>net user guest
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country code                 000 (System Default)
Account active               No
Account expires              Never
Password last set            14/09/2018 15:41:54
Password expires             Never
Password changeable          14/09/2018 15:41:54
Password required            No
User may change password     No
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
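The same procedure, including the pre-check for an alternative administrator, can be scripted with the LocalAccounts module that ships with Windows Server 2016. This is an added example, not from the Centrify documentation; the list of target accounts is the one given in the text.

```powershell
# Added example (not from the Centrify documentation): disable the built-in
# Administrator, Guest and DefaultAccount accounts and verify the result.
# The guard refuses to continue unless the local Administrators group
# contains some member other than the accounts being disabled.
$Targets = @('Administrator', 'Guest', 'DefaultAccount')

$OtherAdmins = Get-LocalGroupMember -Group 'Administrators' | Where-Object {
    # Member names arrive as "COMPUTER\name" or "DOMAIN\name"; compare the bare name.
    ($_.Name -split '\\')[-1] -notin $Targets
}
if (-not $OtherAdmins) {
    throw 'No alternative administrative account or group found; create one before disabling Administrator.'
}

foreach ($Name in $Targets) {
    $User = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $User) { "$Name : not present on this server"; continue }
    if ($User.Enabled) {
        Disable-LocalUser -Name $Name     # equivalent of: net user <name> /active:no
        "$Name : disabled"
    } else {
        "$Name : already disabled"
    }
}

# Verification, equivalent to checking "Account active" in 'net user <name>'.
$Still = Get-LocalUser | Where-Object { $_.Name -in $Targets -and $_.Enabled }
if ($Still) {
    $Still | Format-Table Name, Enabled
    throw 'Default accounts are still enabled.'
}
Get-LocalUser | Format-Table Name, Enabled, LastLogon -AutoSize
```

Run the verification again after any image rebuild or in-place upgrade; servicing operations have been known to re-enable or recreate default accounts.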

Disabling unnecessary default shares in Windows

To disable the default administrative shares (C$, ADMIN$ and similar), perform the following steps:

Disable default shares on all Hyper-scalable PAS servers by running regedit (Windows key + R → regedit) and setting the following registry value to (REG_DWORD) 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

Create the AutoShareServer value if it does not already exist. Note that some remote-administration tooling relies on ADMIN$ (for example, tools that push agents or run commands over the admin share); confirm that nothing the organization depends on needs it before making the change.

Restart the server.

To confirm the change run the following in a command prompt: net share

The result should be as follows:

C:\>net share
Share name   Resource                        Remark
-------------------------------------------------------------------------------
IPC$                                         Remote IPC
The command completed successfully.
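The registry change and the post-reboot check can be scripted as follows. This is an added example, not from the Centrify documentation; the registry path and value name are the ones given above, and the verification is the PowerShell equivalent of running net share.

```powershell
# Added example (not from the Centrify documentation): set AutoShareServer
# to 0 and, after the restart, confirm that only IPC$ is still shared.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# -Force creates the value if missing or overwrites it if present.
New-ItemProperty -Path $Key -Name 'AutoShareServer' -PropertyType DWord -Value 0 -Force | Out-Null
(Get-ItemProperty -Path $Key -Name 'AutoShareServer').AutoShareServer   # expected to read 0

# Verification: run after the reboot. IPC$ remains; anything else is a finding.
$Allowed = @('IPC$')
$Extra = Get-SmbShare | Where-Object { $_.Name -notin $Allowed }
if ($Extra) {
    $Extra | Format-Table Name, Path, Description
    throw 'Unexpected shares are present on this server.'
}
'Only IPC$ is shared.'
```

Removing C$ or ADMIN$ with Remove-SmbShare takes effect immediately but only until the next restart; the registry value is what makes the change persistent.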

Windows Internet Information Server (IIS) hardening

Perform the following steps:

  1. Remove all unnecessary IIS application pools on all Hyper-scalable PAS servers.
  2. Start Internet Information Services (IIS) Manager (Windows Key + R → inetmgr).
  3. Open the Application Pools node under the server being managed and remove all application pools apart from the DefaultAppPool and the Centrify entry. The results should appear as follows:

  4. Restart the server.
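On a fleet of PAS servers the pool clean-up is easier to do and to verify with the WebAdministration module. The following is an added example, not from the Centrify documentation. The exact name of the Centrify application pool is an assumption here; set $Keep to whatever inetmgr shows on your servers. The script refuses to delete a pool that is still assigned to a site or application, because doing so takes that site offline.

```powershell
# Added example (not from the Centrify documentation): remove every IIS
# application pool except DefaultAppPool and the Centrify pool, skipping
# any pool that still hosts a site or web application.
Import-Module WebAdministration

# Assumption: pool names as displayed in IIS Manager on the PAS servers.
$Keep = @('DefaultAppPool', 'Centrify')

$Pools = Get-ChildItem IIS:\AppPools | Select-Object -ExpandProperty Name
$InUse = @(Get-Website        | Select-Object -ExpandProperty applicationPool) +
         @(Get-WebApplication | Select-Object -ExpandProperty applicationPool)

foreach ($Pool in $Pools) {
    if ($Pool -in $Keep) { continue }
    if ($Pool -in $InUse) {
        Write-Warning "Pool '$Pool' is still assigned to a site or application; not removed."
        continue
    }
    Remove-WebAppPool -Name $Pool
    "Removed application pool '$Pool'"
}

# Verification: the remaining pools should be exactly the ones in $Keep.
Get-ChildItem IIS:\AppPools | Format-Table Name, State
```

If the script warns about a pool that is in use but not expected, investigate the site or application bound to it before removing either; an unexpected site on a PAS server is itself a finding.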

Securing Hyper-scalable PAS

Understanding Hyper-scalable PAS user password policy

Due to the sensitivity of the information and functionality handled by a Hyper-scalable PAS implementation, the standard organizational password policies might not provide adequate protection. The following settings are recommended for Hyper-scalable PAS users.

  1. To apply these policies, log into the Admin Portal and navigate to Core Services → Policies → Add Policy Set.
  2. Under User Security Policies → Password Settings, set the values as follows:

Setting                                                             Recommendation
Minimum password length                                             16 characters
Maximum password age                                                31 days
Password history                                                    20
Require at least one digit                                          Yes
Require at least one upper case and one lower case letter           Yes
Require at least one symbol                                         Yes
Maximum consecutive bad password attempts allowed within window     3
Capture window for consecutive bad password attempts                10 minutes
Lockout duration before password re-attempt allowed                 30 minutes
Password expiration notification                                    7 days
Escalated password expiration notification                          24 hours
Enable password expiration notification on enrolled devices         Yes
Show password complexity requirements when entering a new password  Yes

Alternatively, if an OAuth or RADIUS solution with appropriate password policies is already in place, it may be configured in the same location.

Endpoint and infrastructure password profiles

The following password profile settings are recommended to enforce a strong level of protection for the endpoint and infrastructure accounts managed by Hyper-scalable PAS.

  1. To apply these policies, log into the Admin Portal and navigate to Settings → Users → Password Profiles → Add.
  2. Create new profiles with the following values:
Setting Recommendation
Minimum password length 12
Maximum password length 32 (or greater)
At least one lower-case alpha character Checked
At least one upper-case alpha character Checked
At least one digit Checked
No consecutive repeated characters Checked
At least one special character Checked
Restrict number of character occurrences Checked (3)
Special characters !#$%&()*+,-./:;<=>?@[\]^_{|}~
A leading alpha or alphanumeric character Unchecked
A trailing alpha or alphanumeric character Unchecked
Min number of alpha characters 3
Min number of non-alpha characters 3
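Several of the labels above (no consecutive repeated characters, restricted character occurrences, minimum alpha and non-alpha counts) are easy to misread. The following added example, not from the Centrify documentation, spells out one reading of each rule as a check a candidate password must pass; it documents the intent of the profile and is not a statement of how Hyper-scalable PAS implements the rules internally.

```powershell
# Added example (not from the Centrify documentation): evaluate a candidate
# password against the recommended profile. Rule interpretation is the
# editor's reading of the setting labels, noted in the comments below.
function Test-PasswordProfile {
    param([Parameter(Mandatory)][string]$Password)

    $Special  = '!#$%&()*+,-./:;<=>?@[\]^_{|}~'.ToCharArray()
    $Chars    = $Password.ToCharArray()
    $Failures = New-Object System.Collections.Generic.List[string]

    if ($Chars.Count -lt 12) { $Failures.Add('shorter than 12 characters') }
    if ($Chars.Count -gt 32) { $Failures.Add('longer than 32 characters') }
    if ($Password -cnotmatch '[a-z]') { $Failures.Add('no lower-case letter') }
    if ($Password -cnotmatch '[A-Z]') { $Failures.Add('no upper-case letter') }
    if ($Password -notmatch '\d')     { $Failures.Add('no digit') }
    if (-not ($Chars | Where-Object { $_ -in $Special })) { $Failures.Add('no special character') }

    # "No consecutive repeated characters": read as no character directly following itself.
    for ($i = 1; $i -lt $Chars.Count; $i++) {
        if ($Chars[$i] -ceq $Chars[$i - 1]) {
            $Failures.Add("character '$($Chars[$i])' repeated at position $i")
            break
        }
    }

    # "Restrict number of character occurrences (3)": read as no character used more than 3 times.
    $Over = $Chars | Group-Object -CaseSensitive | Where-Object Count -gt 3
    if ($Over) { $Failures.Add("character '$($Over[0].Name)' occurs $($Over[0].Count) times") }

    # Minimum counts of alphabetic and non-alphabetic characters (3 each).
    $Alpha = @($Chars | Where-Object { $_ -match '[A-Za-z]' }).Count
    if ($Alpha -lt 3)                  { $Failures.Add('fewer than 3 alphabetic characters') }
    if (($Chars.Count - $Alpha) -lt 3) { $Failures.Add('fewer than 3 non-alphabetic characters') }

    [pscustomobject]@{
        Compliant = ($Failures.Count -eq 0)
        Failures  = $Failures
    }
}

# Constructed sample inputs for illustration.
Test-PasswordProfile 'aaBB11!!'        # too short, repeated characters
Test-PasswordProfile 'Kf7!wQ2#rLp9'    # satisfies every rule above
```

The leading/trailing alphanumeric rules are left unchecked in the profile and so are not tested here. Use this as a way to agree on what each setting means before rolling the profile out, since a profile that is stricter than a target system accepts will make rotations fail on that system.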

Setting idle user timeout

Users should be timed out and required to re-authenticate after a period of inactivity exceeding five minutes. This setting is configured through the Admin Portal as follows:

  1. Navigate to Settings → Users → Idle User Session Timeout.
  2. Check Automatically Logout Idle Users and enter 5 for the Minutes of inactivity before idle users are logged out setting.

Reviewing infrastructure security settings

To enforce a strong level of protection for the endpoints and infrastructure managed by Hyper-scalable PAS, the following security settings are recommended:

Setting                                                            Recommendation
Allow multiple password checkouts                                  Unchecked
Enable periodic password history clean-up at specified interval    Checked and set to 90 days
Enable periodic password rotation at specified interval            Checked and set to 90 days
Default account password checkout lifetime                         60 minutes
Minimum password age                                               0
SSH Custom Banner                                                  Checked and set according to organizational security policy

To apply these settings, log into the Admin Portal and navigate to Settings → Authentication → Security Settings.

Windows Server Update Services (WSUS)

Microsoft pushes updates and reboots to your systems. For this reason, it is strongly recommended that you follow the best practice of running Windows Server Update Services (WSUS) for your installation cluster, which puts the timing of updates and reboots under your control. Configure it as follows:

  • Configure WSUS to install updates only upon administrator approval.
  • Disable automatic updates on the PAS servers.
  • Deploy new nodes with the latest operating system patches and the current deployment package, then decommission the nodes in need of an operating system update, rather than patching nodes in place.

For more information on WSUS, see Windows Server Update Services (WSUS).