Centrify CloudTools

Implementing Active Directory-Based Access Control for Linux Cloud Servers Using RightScale Server Templates

Centrify CloudTools include Centrify RightScripts that secure cloud systems by joining them to your Active Directory infrastructure

RightScale's web-based cloud computing management platform enables organizations to quickly and consistently spin up cloud-based applications. The core component is a ServerTemplate, which contains a RightImage (a simple base operating system image) and RightScripts. RightScripts run during the boot, operational, and shutdown phases to define the role and behavior of that particular server.

The Centrify CloudTools include several Centrify Express RightScripts that have been configured to automatically lock down a Linux cloud server at the moment when it is launched. To make it easy and cost-effective for you to get started, we have configured the RightScript to pre-install our free Centrify Express, which will handle the tasks of automatically joining the new server instance to your enterprise Active Directory domain and locking down access to the root account. These Centrify RightScripts are provided at no charge. Support is available on the Centrify CloudTools Community, where you can exchange best practice advice with Centrify staff and other CloudTools users.

See our white paper, Enforcing Enterprise-Out Security for Cloud Servers, for a full overview of Centrify's solution for dynamically extending an organization's existing enterprise security infrastructure out to cloud-based UNIX and Linux systems.

How the Centrify Express RightScripts Work

As part of Centrify CloudTools, Centrify has created four RightScripts for use with RightScale. They automate the installation and configuration of Centrify DirectControl Express on any Server Template so that the server joins Active Directory and enforces AD-based user authentication and privilege policies. The four RightScripts are described below; you will find them in the RightScript Library if you search for Centrify as the publisher.

  • Centrify — Install Centrify Suite Express. This RightScript can be added as a Boot Script to any Server Template. It determines the operating system of the cloud server that was launched, downloads the latest version of Centrify Suite Express directly from Centrify, and then installs Centrify DirectControl Express and Centrify OpenSSH on the supported cloud server instance.
  • Centrify — Join Active Directory. After Centrify Suite Express has been installed, this RightScript is run as a Boot Script to join the new cloud server instance to your Active Directory domain. Once this script has executed, the system will be configured to allow any of your Active Directory users to log in to the new cloud server instance with their Active Directory user ID and password.
  • Centrify — Setup AD Access and Privilege Management. This script configures the system to require AD group membership before your AD users can log in or execute commands with privileges.

    • The local "root" account is configured to require the Active Directory password for the "cloud.root" account upon login as "root". This configuration ensures that your Active Directory infrastructure is in control of the root login to the newly created cloud server instance once it has been joined to Active Directory.
    • In order to control user access to the new cloud server instance, this script will ask for the name of an AD group whose members will be granted the right to log in.
    • Since some users who log in may need root privileges, this script will ask for the name of an AD group whose members will be granted privileges through sudo.
  • Centrify — Leave Active Directory. This decommission script will terminate the relationship of the cloud server and Active Directory and reset the computer account so that the next new instance can reuse the computer account.
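The third script above is the one that actually narrows access: after it runs, login should be limited to one AD group and sudo to another. The following POSIX shell script is an added example, not one of the Centrify RightScripts, that a cloud operator could run (for instance as a post-boot check) to confirm both restrictions are present on a joined host. It assumes that DirectControl records the login allow-list under the centrifydc.conf key pam.allow.groups and that sudo rights are granted through the standard sudoers group syntax (%group ALL=(ALL) ALL); both configuration files below are constructed samples written to a temporary directory so the script runs offline. An empty or missing pam.allow.groups is treated as "unrestricted" and therefore fails the check, which is the failure mode a lock-down verification should catch.

```shell
#!/bin/sh
# Added example (not a Centrify RightScript): verify that a joined host
# restricts interactive login and sudo to named AD groups.
# Assumption: login allow-list lives in centrifydc.conf as "pam.allow.groups".

WORK=$(mktemp -d)

# Constructed sample of /etc/centrifydc/centrifydc.conf after the
# "Setup AD Access and Privilege Management" step.
cat > "$WORK/centrifydc.conf" <<'EOF'
# constructed sample
pam.allow.groups: cloud-login, cloud-admins
EOF

# Constructed sample of /etc/sudoers granting sudo to one AD group.
cat > "$WORK/sudoers" <<'EOF'
# constructed sample
Defaults requiretty
%cloud-admins ALL=(ALL) ALL
EOF

# Constructed sample of a host where the allow-list was never set.
cat > "$WORK/centrifydc-open.conf" <<'EOF'
# constructed sample: no pam.allow.groups key, so every AD user may log in
adclient.autoedit: true
EOF

# allowed_login_groups CONF -> one AD group per line from pam.allow.groups
allowed_login_groups() {
  sed -n 's/^pam\.allow\.groups:[[:space:]]*//p' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -v '^$'
}

# sudo_groups SUDOERS -> one group per line from %group rules
sudo_groups() {
  grep -E '^%[^[:space:]]+' "$1" | sed 's/^%//;s/[[:space:]].*//'
}

# check_lockdown CONF SUDOERS LOGIN_GROUP SUDO_GROUP
# Returns 0 only if login is restricted to a non-empty allow-list containing
# LOGIN_GROUP and SUDO_GROUP is granted sudo; anything else returns 1.
check_lockdown() {
  allowed_login_groups "$1" | grep -qx "$3" || return 1
  sudo_groups "$2" | grep -qx "$4" || return 1
  return 0
}

# Stand-alone run: report on the constructed samples.
if check_lockdown "$WORK/centrifydc.conf" "$WORK/sudoers" cloud-login cloud-admins; then
  echo "locked down: login=cloud-login sudo=cloud-admins"
fi
if ! check_lockdown "$WORK/centrifydc-open.conf" "$WORK/sudoers" cloud-login cloud-admins; then
  echo "NOT locked down: pam.allow.groups missing, login is unrestricted"
fi
```

On a real host the two file arguments would be /etc/centrifydc/centrifydc.conf and /etc/sudoers (or a file under /etc/sudoers.d), and the group names would be the ones supplied to the RightScript.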