What's New in Centrify Server Suite 2016

© 2016 Centrify Corporation. All Rights Reserved. 1
What’s New in Centrify
Server Suite 2016
Presented by:
Brad Zehring, Director of Product Management
Hubert Sigler, Sr. Technical Support Engineer

• Welcome
• New Features
• Product updates
• Closing
Agenda

Multi-factor Authentication for Servers
ENTERPRISE
DATA
CENTER
Shared Account
Sessions and Auditing
Audit DB
JumpBox
Centrify Identity Platform
Centrify Cloud Connector
Multi-factor Authentication
for Linux Login
SERVER SUITE
Privilege
Elevation
Block cyber attacks
• MFA for Linux login and privilege elevation
• Unique zone-based policies control step-up
authentication through role assignment
• Servers communicate securely with
on-premises Cloud Connector to initiate MFA
Authentication methods
• Centrify Mobile Authenticator
• Phone call to user’s Active Directory published
number
• OTP to SMS or email
• Security question
Multi-factor Authentication to
Cloud Service
Multi-factor Authentication for
Login and Privilege Elevation

MFA for Linux login and Privilege Elevation
Coming in Server Suite 2016

Local Account Provisioning
Local account and group management
• Consolidate application and service accounts
into Active Directory
• Identity life-cycle management strengthens
security
Manage user identities and local accounts
• Enabled: Create locally if it does not exist
• Disabled: Prevent login
• Remove: Delete the entry from /etc/passwd or
/etc/group
Zone-based Application Identity
Management

Secure Local Account Passwords
Centrify Agent uses a notification cli callout for all
actions:
• Example script enables CPS to manage the password
• Supports 3rd party password managers
Credential Management with Password Managers
• New accounts have a random password set and
registered with CPS
• Unlocked accounts have a new random password set
• Removed accounts will be deleted from CPS
Secure and Manage Passwords Admin
• Defines Local Accounts in a Zone
• Defines local groups in a Zone
Centrify Agent
• Create/Delete Local Accounts
• Create/Delete Local Groups
• Notification to manage
passwords
Notification.cli
callout script
Password
Manager

Report Services for Standard Edition
New Report Services infrastructure replaces Report Center
• Enterprise class service leverages SQL Server Report Services
• Significantly improved reporting performance
• Web accessible reports
New Compliance Reports
• SOX & PCI reports included
Scheduled Reports
• Schedule reports to be delivered via email or shared
Visual report creation
• Leveraging SQL Server Report Services (SSRS)
Simplifies data access
• Enables usage of external BI Tools for data visualization

Agenda
Server Suite Editions Standard Enterprise
DirectControl 5.3.0 ü ü
DirectManage 5.3.0 ü ü
Windows Agent 3.3.0 ü ü
DirectAudit 3.3.0 ü

Centrify DirectControl 5.3.0
• Multi-Factor Authentication (MFA)
• Local Account Management
• Report Services
• Agent components
• General
• Support Platforms update

Multi-Factor Authentication (MFA)
• Supported for AD users in hierarchical zone on Linux systems
• Can be enabled for PAM (ie login) and dzdo
• Requires Centrify Cloud (CIS) & Cloud Connector
• Can be configured to require the following methods in addition to password:
• Centrify Mobile App (iOS/Android)
• SMS message
• Phone call
• Email verification
• Answer Security Question
• Rescue/Backup login can be enabled in the event of cloud connectivity issues

Multi-Factor Authentication (MFA), PAM (Login) Example

Multi-Factor Authentication (MFA), dzdo & Mobile Example

Local Account Management
• Hierarchical zones can now provision
& manage local users/groups on AD
joined *nix systems
• Examples: oracle, db2, other service accounts
• Automation ready with capability to
register users in Centrify Privilege
Service (CPS) or other password
management solution
• Can call script to setup password, create home
directory, etc

Centrify Report Services
• Brand new component, included with DirectManage
• Leverages SQL Reporting Service (SSRS) to deliver a robust web-based
reporting solution for your AD users
• Securely synchronizes a subset of AD user, group, and zone data into a
Reporting DB
• Pre-canned reports included
• PCI & SOX
• Support for custom reports
• Access Manager no longer required

Centrify Report Services Control Panel & Client

Centrify Report Services Report Sample

Agent components
• Centrify LDAP Proxy
• ldapsearch adds extendedDN to the –e or –E option to return the extended distinguished name of the
object
• Centrify OpenSSH
• Updated to OpenSSH 7.1p1
• Still supports SSH protocol version 1 unlike stock OpenSSH
• New parameter 'Krb5ccUnique‘ to control how to generate Kerberos credentials cache. Default is “yes”
• Some parameter updates (see release notes)
• No longer installed by default by install.sh, must use custom installation to install
• Will upgrade if prior version installed
• Still required to address known AIX issues:
• For use with DirectAudit to audit local users
• Matching local/AD user

General
• New right introduced “User is visible”
• Similar to “listed” role in previous versions
• New option “adinfo –y cloud” to view cloud status
• New option “adkeytab –t” to report the last password change attempt time and
results
• New option “adflush –c” to refresh cloud connector info
• OpenSSL updated to 0.9.8zg
• cURL updated to 7.44.0
• Support to append CA root certificate to the system default store on RHEL

Support Platforms Update
Newly Added
•Fedora 23 (x86, x86_64)
•CentOS 6.7 (x86, x86_64)
•Oracle Enterprise Linux 6.7 (x86, x86_64)
•Red Hat Enterprise Linux Desktop 6.7
(x86, x86_64)
•Red Hat Enterprise Linux Server 6.7
(x86, x86_64)
(ppc64 – no Power8)
•Red Hat Enterprise Linux Desktop 7.2
(x86_64)
(x86_64)
•Red Hat Enterprise Linux Server 7.0, 7.1,
7.2 (ppc64 – no Power8)
•Scientific Linux 6.7 (x86, x86_64)
•Ubuntu Desktop 15.10 (x86, x86_64)
•Ubuntu Server 15.10 (x86, x86_64)
•SUSE Linux Enterprise Desktop 11 SP4
(x86, x86_64)
•SUSE Linux Enterprise Server 11 SP4
(x86, x86_64, ppc64,ia64)
•SUSE Linux Enterprise Server 12 (ppc64
– no Power8)
•Oracle Solaris 11.3 (x86_64, SPARC)
End of Life (EOL)
•All 32-bit Windows platforms
•Fedora 19 (32-bit and 64-bit)
•Oracle Enterprise Linux 4.x (32-bit and
64-bit)
•openSUSE 12.1,12.2, 12.3 (32-bit and
64-bit)
•Oracle Solaris 8 SPARC
Sun setting
•Debian Linux 6.x (32-bit and 64-bit)
•HP-UX 11.11, 11.23PA-RISC (Normal
and Trusted modes)
•HP-UX 11.23 Itanium (Normal and
Trusted modes)
•Oracle Solaris 9 (32-bit and 64-bit)
•Ubuntu Desktop 14.10 (32-bit and64-bit)
•Ubuntu Server 14.10 (32-bit and 64-bit)
Pre-sunset
•Ubuntu Desktop 15.04,15.10(32-bit and
64-bit)
•Ubuntu Server 15.04, 15.10 (32-bit and
64-bit)
•SUSE Linux Enterprise Desktop 10 (32-
bit and 64-bit)
•SUSE Linux Enterprise Server 10 (32-bit
and 64-bit)
•openSUSE 13.1 (32-bit and64-bit)

Centrify DirectManage 5.3.0
• Access manager
• New requirements: Windows 7 SP1/Windows 2008 R2
• Documentation no longer installed during install wizard, still present in /Documentation folder in
download
• Support for managed service accounts (MSA)
• Ability to delegate zone control to multiple zones at once
• “Generate Centrify Recommended Deployment Structure” Wizard now integrated with the Setup Wizard
• Report Center
• Disabled by default in Access Manager
• Replaced by Report Services introduced in this release

Centrify DirectManage 5.3.0, cont’d…
• Access Module for PowerShell
• Based on .Net Framework 4.5
• Support for ZPA
• Support for “user is visible” system right
• Get-CdmManagedComputer enhancements:
• Preferred Site
• Subnet Site
• Zone Provisioning Agent (ZPA)
• Support for managed service accounts (MSA) and group managed service accounts (gMSA) as the
service account
• Group Policy Extensions
• ADM templates no longer shipping, only ADMX templates are available

Centrify DirectManage 5.3.0, cont’d…
• Deployment Manager
• Support for public key authentication using AES-128-CBC
• During “Manage Software” wizard installed components will now be automatically selected
• During “Manage Audit” wizard it now supports change of DirectAudit Installation name on computers
allowing locally configured installation

Centrify DirectAudit 3.3.0
• General
• Documentation no longer installed during wizard install
• Agent more resilient to brief disconnects from the collector
• Agent can be configured to prefer collectors in the local AD site
• Option to enable/disable video capture now supported on a per-system basis
• Better control of host names as they are displayed in DA Analyzer
• Now bundled with MS SQL Server 2008 R2 SP 2 Express with Advanced Services
• Improved Audit Trail despooling performance
• Collector
• Support for new reg key "SkipFirstSnapshot“ to help reduce overhead for smaller audit sessions
• Command recognition enhancements

Centrify DirectAudit 3.3.0, cont’d
• Audit Analyzer
• Auditors with full control over a session can assign one or more AD users as Reviewers of that session
using Audit Analyzer or PowerShell cmdlet.
• A user who was granted Reviewer using this method will be allowed to replay the session and update the review
status (Audit Role assignment not required). The reviewer will not have delete rights under this method.
• Audit Manager
• No new enhancements this release
• DA Agent for *nix
• Configure disconnect timeout "dad.collector.connect.timeout“
• “dareload –b” to request bind to another collector if available
• Better protection against simultaneous edits made to NSS/PAM files during “decontrol –e|-d”
• “dainfo –q [info]” introduced to control output

Centrify DirectAudit 3.3.0, cont’d
• Database
• New scheduled task in the Audit Management Server service to collect DirectAudit licensing info from,
the DA databases and store in Active Directory to permit more open execution of Deployment Report.
• New and enhanced database indexes to improve query performance and reduce CPU on SQL server
• FindSessions.exe Tool
• Improved performance when handling multiple Audit Store databases
• DA Agent for Windows
• New GP settings "Set maximum size of the offline data file" and "Set maximum recorded color quality"
• Audit Module for PowerShell
• New Cmdlets:
• "Set-CdaAuditSessionReviewer", delegate session reviewer directly to an Active Directory user or group
• "Get-CdaAuditSessionReviewer", get the AD users and groups who were delegated as session reviewers

Centrify Windows Agent 3.3.0
• Access Component (formerly DirectAuthorize)
• Contextual menu renamed from "Run as Role" to "Run with Privilege“
• Documentation no longer installed during wizard install
• Privileged desktop now supported on Windows 8/8.1/2012R2
• "Centrify Start Menu" button added to privileged desktop (similar to the Windows Start Menu)
• Desktop label on privileged desktop replaced by a brief systray notification
• Can be controlled via Group Policy
• New command, "dzjoin“ added to facilitate joining a zone via CLI or Scripting
• Simplified Run with Privilege (ie only one Role present)
• Support removed for switching to privileged desktop as a privileged AD user
• Still supported if group is used

Windows 8/8.1/2012 Privilege Desktop Example

Windows Agent – Old Desktop Label

Windows Agent – New Desktop Label

Centrify Windows Agent 3.3.0, cont’d
• Audit Component
• New Group Policy settings
• “Set maximum size of the offline data file“
• "Set maximum recorded color quality“
• "Use the host name specified by the agent“
• "Centrify DirectAudit Settings/Common Settings"
• Support for auditing Metro UI and tile applications in Windows 8/Windows 2012
• Support for "Agents must prefer collectors in the same site as the agent“ option in Audit Manager
• Audit Trail despooling performance enhancements

Where to next?
• What's New in Centrify Server Suite 2016
• https://www.centrify.com/support/customer-support-portal/whats-new/server-suite/
• Centrify Server Suite 2016 Release Notes
• http://www.centrify.com/support/documentation/server-suite/#2016-notes
• Centrify Download Center
• https://www.centrify.com/support/customer-support-portal/download-center/
• This presentation will be provided to customers

Questions?
• Join the conversation at http://community.centrify.com/
• Login using your Centrify customer login
• Free registration
• Use the “Centrify Server Suite” location

What's New in Centrify Server Suite 2016

More Related Content

What's hot (15)

Viewers also liked (20)

Similar to What's New in Centrify Server Suite 2016 (20)

Recently uploaded (20)

What's New in Centrify Server Suite 2016