Securing an AD Domain-joined CentOS7 server
-
Server
- FOG Version: n/a
- OS: CentOS 7.3.1611
Client
- Service Version:
- OS:
Description
Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.
I want to restrict the wide-open access AD accounts have to it so only the AD group “ABC” can SSH, telnet and RDP to it.
-
That did the trick!
```bash
# Join to an AD Domain
# --------------------------

# Elevate Access Level
sudo su

# Install Pre-requisites for joining to an AD Domain
yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

# Join to domain
# ( http://www.unix.com/man-page/centos/8/realm/ )
realm join --user=DomainJoinCapableADAccount domain.name

# Restrict access from domain
realm deny --all

# Permit access by Domain User Group "ADGroupName" (A-z only)
realm permit -R domain.name -g ADGroupName

# Do not require FQDN for username
sed -i "s|use_fully_qualified_names = True|use_fully_qualified_names = False|g" /etc/sssd/sssd.conf
systemctl restart sssd

# Permit Access to SUDO
echo "%ADGroupName ALL=(ALL) ALL" >> /etc/sudoers.d/sudoers

# Reboot to Commit
reboot
```
Now for the next hurdle.
-
I can’t access our DMS system at the office right now because I have the complete instructions on doing this (not with xRDP), but to restrict ssh access to specific AD groups.
This one should get you started with AD logging in: https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
And this one shows you how to limit access based on an AD group: https://www.centos.org/forums/viewtopic.php?t=53403
We have ours set up so that only the Linux admin group has access to our Linux server and the rest of the admins (not in the group) cannot.
-
@sudburr It’s just a simple `realm` command to deny all, then another `realm` command to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
Here’s a snippet:

```bash
# Locking down who can log in from the domain.
# Block everyone:
realm deny -R domainname.com -a

# Permit a specific group.
# Security group needs made in Active Directory first.
# MUST BE domain local type group.
# SYNTAX:
# realm permit -R full.domain.name -g group_name_here full.domain.name\group_name_here

# To add group securitygroupname as able to log in:
realm permit -R domainname.com -g securitygroupname

#### To remove if necessary (-R added so the domain is parsed as the realm, as in the permit line above):
realm permit --withdraw -R domainname.com -g securitygroupname
```
-
@Wayne-Workman said in Securing an AD Domain-joined CentOS7 server:
What you are trying to do is not only possible, but a typical industry practice.
Well said.
-
@sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.
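Added example, not part of the thread or any poster's code: a read-only check that the `realm deny --all` / `realm permit -g` steps left logins restricted to the one group. It assumes realmd recorded the policy in the `[domain/...]` section of sssd.conf as `access_provider = simple` with `simple_allow_groups`; the function names `sssd_domain_value`, `check_login_policy` and `sample_conf` are made up here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit what `realm deny --all` plus
# `realm permit -g` should leave in sssd.conf. Assumption: realmd records the
# policy in [domain/<name>] as access_provider = simple + simple_allow_groups.

# Print the value of KEY in the [domain/DOMAIN] section of FILE (empty if absent).
sssd_domain_value() {  # usage: sssd_domain_value FILE DOMAIN KEY
    awk -v sect="[domain/$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insect = ($0 == sect); next }
        insect {
            eq = index($0, "="); if (eq == 0 || $0 ~ /^[ \t]*[#;]/) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Succeed only if logins through DOMAIN are limited to exactly GROUP.
check_login_policy() {  # usage: check_login_policy FILE DOMAIN GROUP
    cp_provider=$(sssd_domain_value "$1" "$2" access_provider)
    cp_groups=$(sssd_domain_value "$1" "$2" simple_allow_groups)
    cp_users=$(sssd_domain_value "$1" "$2" simple_allow_users)
    if [ "$cp_provider" != "simple" ]; then
        echo "FAIL: access_provider='${cp_provider:-unset}', expected 'simple'"; return 1
    fi
    if [ "$cp_groups" != "$3" ]; then
        echo "FAIL: simple_allow_groups='${cp_groups:-unset}', expected only '$3'"; return 1
    fi
    if [ -n "$cp_users" ]; then
        echo "FAIL: individual users are also allowed: $cp_users"; return 1
    fi
    echo "OK: only members of '$3' may log in through $2"
}

# Constructed sample of the relevant sssd.conf lines (not captured from a real host).
sample_conf() {
    cat <<'EOF'
[sssd]
domains = domain.name
[domain/domain.name]
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = ADGroupName
EOF
}

demo_conf=$(mktemp) && sample_conf > "$demo_conf"
check_login_policy "$demo_conf" domain.name ADGroupName; rm -f "$demo_conf"
```

On a joined host, run `check_login_policy /etc/sssd/sssd.conf domain.name ADGroupName` as root; if the group is stored there in a qualified form, pass that exact string as the third argument.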