Securing an AD Domain-joined CentOS7 server



  • Server
    • FOG Version: n/a
    • OS: CentOS 7.3.1611
    Client
    • Service Version:
    • OS:
    Description

    Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.

    I want to restrict the wide-open access AD accounts have to it so that only the AD group “ABC” can SSH, telnet and RDP to it.


  • Moderator

    @sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.



  • That did the trick!

    # Join to an AD Domain
    # --------------------------
    # Elevate Access Level
    	sudo su
    
    # Install Pre-requisites for joining to an AD Domain
    	yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
    
    # Join to domain
    # ( http://www.unix.com/man-page/centos/8/realm/ )
    	realm join --user=DomainJoinCapableADAccount domain.name
    
    # Restrict access from domain
    	realm deny --all
    
    # Permit access by Domain User Group "ADGroupName" (A-z only)
    	realm permit -R domain.name -g ADGroupName
    
    # Do not require FQDN for username
    	sed -i "s|use_fully_qualified_names = True|use_fully_qualified_names = False|g" /etc/sssd/sssd.conf
    	systemctl restart sssd
    
    # Permit Access to SUDO
    	echo "%ADGroupName    ALL=(ALL)       ALL" >> /etc/sudoers.d/sudoers
    
    # Reboot to Commit
    	reboot
    

    Now for the next hurdle.


  • Moderator

    @Wayne-Workman said in Securing an AD Domain-joined CentOS7 server:

    What you are trying to do is not only possible, but a typical industry practice.

    Well said.


  • Moderator

    @sudburr It’s just a simple realm command to deny all, then another realm command to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
    Here’s a snippit:

    # Locking down who can log in from the domain.
    # Block everyone:
    realm deny -R domainname.com -a
    
    # Permit a specific group.
    # Security group needs to be made in Active Directory first.
    # MUST BE domain local type group.
    
    # SYNTAX:
    # realm permit -R full.domain.name -g group_name_here
    # To add group securitygroupname as able to log in:
    
    realm permit -R domainname.com -g securitygroupname
    
    #### To remove if necessary (the realm still goes after -R, the group after -g):
    realm permit --withdraw -R domainname.com -g securitygroupname
    

  • Moderator

    I can’t access our DMS system at the office right now because I have the complete instructions on doing this (not with xRDP), but to restrict ssh access to specific AD groups.

    This one should get you started with AD logging in: https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/

    And this one shows you how to limit access based on an AD group: https://www.centos.org/forums/viewtopic.php?t=53403

    We have ours set up so that only the Linux admin group has access to our Linux server and the rest of the admins (not in the group) cannot.

