Best Practices

This section, created by Delinea Systems Engineering in collaboration with Delinea Engineering and Delinea Professional Services, describes the deployment best practices for Server Suite. The goal of this document is to outline and document the actions customers can take to prevent unexpected service degradation with the Server Suite product.

Using our best practices that have evolved over many years, we have developed the Server Suite software to be extremely resilient to many types of Active Directory topologies, networks and environments. In addition, we have gathered data from our major deployments to provide the top items that a customer should do to ensure the Server Suite deployment is healthy. The best practices are organized by functional area.

Best Practices For Unix And Linux Systems With Server Suite


Upgrade Server Suite Agents And Administrative Tools

Many technologies are prone to introducing problems when upgrading to the latest version, and the common practice with such technologies is to wait before upgrading. Delinea technology has been around for 15 years, and unlike that common practice, Delinea recommends having the latest versions installed because they provide greater stability and security. Delinea provides major releases and minor releases every year. The agent continually receives security, performance, and feature updates. The administrative tools (consoles, SDKs, APIs) continually add functionality that can be pushed to the agent, along with more support for automation.

Customers should review security updates from Delinea on a periodic basis.

One of the most important things a customer can do is to upgrade the Server Suite Agent once per year to take advantage of the additional functionality and stability offered by the latest versions. Server Suite Agents and administrative tools are easy to upgrade, can be upgraded in a modular fashion, and are backwards and forwards compatible. The most recent releases can be found in the Downloads section of the Support Portal.

Customers should leverage an enterprise-grade deployment framework (Chef, Puppet, BladeLogic, etc.) to automatically deploy the Server Suite Agent and its updates, to deploy and maintain agent configuration parameters, and to pull upgrades from the Delinea Repo so that target systems are upgraded in a streamlined fashion. Another option is the Delinea Software Repo for streamlined installation and updates.

Enable NSCD

nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd.conf, determines the behavior of the cache daemon. More information on nscd can be found in its man page.

We recommend enabling nscd on each Server Suite enabled server to maximize the caching performance. The default configuration of nscd will suffice.

Set Group Policies To Govern The Agent Behavior

One of the most powerful features in the Server Suite platform is the ability to centrally push out Group Policy to Linux systems. We recommend deploying at least one GPO to your systems so you have the means to centrally configure the agent behavior in your environment. Group policy settings are documented in the Group Policy Guide. In the event a change to the Delinea parameters is needed for the environment, a GPO change can quickly deploy the change to the systems.

Set agent parameters

Exclusions of Domains

Server Suite provides robust support for complex Active Directory environments with varying trust relationships. Many agent parameters can be configured through Group Policy. We often see that customers do not clean up decommissioned domains, or have domains in the environment that are not in scope for Server Suite. We recommend blacklisting the domains that are not in scope, or whitelisting only the domains that are in scope for Server Suite.

An example of excluding (blacklisting) a domain in /etc/centrifydc/centrifydc.conf is:

adclient.excluded.domains: anvil.acme.com

An example of including (whitelisting) a domain in /etc/centrifydc/centrifydc.conf is:

adclient.included.domains: anvil.acme.com

Paged Control

To work best with the Microsoft Active Directory search optimizer, Server Suite provides a parameter called “adclient.schema.extensions.search.add.paged.control”. We recommend setting this parameter to true to optimize AD lookups.

Suite 2016.1

If the Server Suite Agent for *NIX in use is version 5.3.1, part of Suite 2016.1, we highly recommend configuring the parameter “adclient.altupn.update.interval: 90000000” in /etc/centrifydc/centrifydc.conf.

These parameters can be deployed via the GPO “Add centrifydc.conf properties” under Computer Configuration > Centrify Settings > DirectControl Settings. See the Group Policy Guide for additional information.
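The domain scoping and parameter recommendations above can be checked mechanically before a GPO or configuration-management push. The script below is an added example, not Delinea tooling; it assumes centrifydc.conf uses 'key: value' lines with '#' comments and comma- or whitespace-separated domain lists, and it takes the file contents as a string (read /etc/centrifydc/centrifydc.conf and pass it to audit()).

```python
"""Audit a centrifydc.conf for the domain scoping and parameter values recommended
above. Constructed example, not Delinea tooling; it assumes 'key: value' lines with
'#' comments and list values separated by commas or whitespace."""
import re

# Recommended values from this page; the altupn interval applies to agent 5.3.1 only.
RECOMMENDED = {
    "adclient.schema.extensions.search.add.paged.control": "true",
    "adclient.altupn.update.interval": "90000000",
}

def parse_conf(text):
    """Return the last value set for each key, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def split_domains(value):
    return [d.lower() for d in re.split(r"[,\s]+", value) if d]

def audit(text, agent_version=""):
    """Return findings for the configuration; an empty list means nothing to fix."""
    conf = parse_conf(text)
    findings = []
    excluded = set(split_domains(conf.get("adclient.excluded.domains", "")))
    included = set(split_domains(conf.get("adclient.included.domains", "")))
    if not excluded and not included:
        findings.append("no domain scoping: set adclient.excluded.domains or adclient.included.domains")
    for d in sorted(excluded & included):
        findings.append(f"domain {d} is both included and excluded")
    for key, want in RECOMMENDED.items():
        if key.startswith("adclient.altupn") and not agent_version.startswith("5.3.1"):
            continue  # only recommended for the Suite 2016.1 agent
        have = conf.get(key)
        if have is None:
            findings.append(f"{key} not set (recommended: {want})")
        elif have.lower() != want:
            findings.append(f"{key} is {have} (recommended: {want})")
    return findings

# Constructed sample: a domain both excluded and included, paged control off, interval missing.
SAMPLE_CONF = """\
# old.acme.com was decommissioned
adclient.excluded.domains: anvil.acme.com, old.acme.com
adclient.included.domains: anvil.acme.com
adclient.schema.extensions.search.add.paged.control: false
"""
```

Calling audit(SAMPLE_CONF, agent_version="5.3.1") reports the overlapping domain, the paged-control value and the missing interval; with no agent version the interval check is skipped.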

Use the Server Suite DB2 Plugin

DB2 systems normally authenticate users against the local operating system. Therefore, most customers do not think about the performance of authentication and lookups when they centralize authentication to Active Directory. However, once authentication is centralized to Active Directory, performance considerations become more important, since DB2 performs a very high volume of user lookups. Customers that leverage DB2 in their environment should consider using the Server Suite DB2 user and group plugin, since it delivers enhanced caching to improve the performance of lookups in a DB2 environment that leverages Active Directory for authentication and authorization.

Best Practices for Active Directory Environment

Index the UID Attribute

Many UNIX applications make requests for the uid attribute as part of their inner workings. If the uid attribute is not indexed and applications make frequent requests for uid data, this can have a negative effect on the performance of Domain Controllers. Delinea highly recommends customers index the uid attribute in Active Directory.

Windows Active Directory functional level and Windows Server version

Customers should maintain an upgrade strategy to use a stable and supported Active Directory functional level and version of Windows Server. As of this writing, customers should be moving to the Windows Server 2016 functional level.

Maintain sites and services domain controller topology

A common issue customers come across is the Delinea agent binding to the wrong Domain Controllers. For example, all the users in the US may be authenticating to a domain controller that is not geographically desirable. In most instances, this occurs because the AD Sites and Services definition does not include the subnets of the UNIX/Linux systems or is not updated on a consistent basis.

A process should be defined where the UNIX/Linux networking teams regularly interact with the AD team to ensure subnets are added to and removed from AD Sites and Services accordingly.

Delinea Access Model Best Practices

Proper definition of global/child zone structure

A proper Delinea deployment should have a Global Zone with an appropriate number of Child Zones and Computer Roles to drive access across groups of systems. The general recommendation for defining profiles, roles and rights is:

  • UNIX enable all users at the Global Zone level
  • In addition, UNIX enable users at the child zone level if attributes need to be different for users on the systems in the child zones (i.e. a different primary group)
  • UNIX enable groups at the Child Zone rather than the Global Zone unless the groups need to be visible across all servers
  • Always enable ZPA to automate UNIX profile provisioning across all Zones that will have user/group UNIX profiles
  • Define Roles and Rights in the Global zone and assign roles at computer roles or zones if appropriate

A common mistake is using too many Child Zones or using Child Zones incorrectly. Limit child zone sprawl. Child zones should be used for specific purposes such as:

  • Segregating systems in different business units
  • Segregating the management of groups of systems to different administrative groups
  • Overriding the UNIX profiles of users and groups across groups of systems

Another common mistake is defining roles and rights throughout the zone hierarchy, which makes it difficult to find a role or right when it needs to be updated.

Another mistake is using Zones to define access. Instead, use Computer Roles to prevent lateral movement, to drive an automated access model, and to take advantage of performance benefits. Leverage Computer Roles and AD groups to manage system types by likeness of access, and create AD user groups in a similar manner. This promotes automation because users can be granted access and privileges simply by adding them to the right AD groups. Similarly, systems can be provisioned by adding them to the right AD group of computers. Computer roles can be defined by application type, for example “App1 DEV”, “App1 PROD”, etc. The goal is to not have to use the Access Manager UI for provisioning access.

Analyze The Deployment Periodically

As a Server Suite deployment matures, customers should perform a periodic analysis using the Access Manager “Analyze” feature. The analysis highlights problem areas in the Server Suite deployment. For example, the analysis will identify orphaned objects.

Additionally, Delinea recommends periodically reviewing security updates available at our support portal.

Use the Delinea Zone Provisioning Agent

We highly recommend leveraging the Zone Provisioning Agent to automatically provision UNIX profiles for users. Additionally, we recommend two instances of ZPA in large environments. This provides redundancy in the provisioning process. The ZPA service should also be monitored to ensure it is operational.

Deploy Reporting Services and Security Information and Event Management (SIEM)

To maximize the investment, we highly recommend deploying Delinea Reporting Services and SIEM integration. These capabilities provide customers with insight into which users can access which systems, and into the security-related events the Server Suite Agent reports.

Best Practices for the Audit and Monitoring Service


Manage the Audit Store Database Size

The Audit Store database needs to be managed according to the company's retention policy, which is often dictated by the security/compliance team. To ensure the audit service performs and scales as required, we recommend keeping the active Audit Store database at most between 250 GB and 500 GB in size. Perform a database rotation if your active Audit Store database is larger than 500 GB. A database rotation marks the current active database inactive and makes a new database the active database. See the documentation for how to automate database rotation.

Another approach is to delete audit records and shrink the active database. This approach works well as long as the indexes are also rebuilt; shrinking the database without rebuilding the indexes leads to fragmented indexes and poor query performance. KB-8472 details how to shrink the database and rebuild its indexes.

Delinea recommends keeping only the databases that are required for auditing purposes attached to the audit infrastructure. Databases that are not needed should be detached. Customers often forget to detach databases that fall outside the company's normal live data and retention policies. Too many attached Audit Store databases result in poor query performance and increased load on the Management database. Periodically review the list of attached Audit Store databases and detach the ones that no longer need to be online according to the retention policy.

Maintain the audit store database index

It is recommended to maintain the audit store database's indexes regularly. This can be done by setting up a simple SQL job that reorganizes indexes that are 5%-30% fragmented and rebuilds indexes that are more than 30% fragmented. KB-8472 details how to shrink the database and rebuild its indexes.
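The 5%/30% thresholds above, carried through as an added example that is not the KB-8472 procedure: the fragmentation query and row layout assume SQL Server's sys.dm_db_index_physical_stats DMV, the sample rows are constructed, and the generated ALTER INDEX statements are what the SQL job would execute.

```python
"""Plan Audit Store index maintenance with the thresholds above: reorganize at
5%-30% fragmentation, rebuild above 30%. Constructed example, not the KB-8472
procedure; query and row shape assume SQL Server's sys.dm_db_index_physical_stats."""
from collections import namedtuple
from typing import List, Optional

REORGANIZE_MIN = 5.0   # 5% and up: reorganize
REBUILD_MIN = 30.0     # strictly above 30%: rebuild

# One row per index with its fragmentation; heaps (index_id 0) are excluded
# because they cannot be reorganized or rebuilt as an index.
FRAGMENTATION_QUERY = """
SELECT OBJECT_SCHEMA_NAME(ps.object_id) AS schema_name,
       OBJECT_NAME(ps.object_id) AS table_name, i.name AS index_name,
       ps.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE ps.index_id > 0;
"""

# schema, table, index, avg_fragmentation_in_percent
IndexStat = namedtuple("IndexStat", "schema table index fragmentation")

def action_for(fragmentation: float) -> Optional[str]:
    """Map a fragmentation percentage to REBUILD, REORGANIZE or None (leave alone)."""
    if fragmentation > REBUILD_MIN:
        return "REBUILD"
    if fragmentation >= REORGANIZE_MIN:
        return "REORGANIZE"
    return None

def quote(name: str) -> str:
    # Bracket-quote a SQL Server identifier, escaping any embedded ']'.
    return "[" + name.replace("]", "]]") + "]"

def plan(stats: List[IndexStat]) -> List[str]:
    """Return one ALTER INDEX statement per index that needs attention."""
    statements = []
    for s in stats:
        action = action_for(s.fragmentation)
        if action:
            statements.append(f"ALTER INDEX {quote(s.index)} ON {quote(s.schema)}.{quote(s.table)} {action};")
    return statements

# Constructed sample rows standing in for the query result.
SAMPLE_STATS = [
    IndexStat("dbo", "SampleTable", "PK_SampleTable", 2.5),         # healthy: no action
    IndexStat("dbo", "SampleTable", "IX_SampleTable_Time", 30.0),   # upper edge: reorganize
    IndexStat("dbo", "SampleEvents", "IX_SampleEvents_Id", 57.1),   # rebuild
]
```

Run FRAGMENTATION_QUERY against the active Audit Store database, build IndexStat rows from the result, and execute the statements returned by plan() in the maintenance window.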

Configure SQL Server

There are several SQL specific configurations and server settings that can affect performance and operation.

Avoid deploying the Audit Store databases in a SQL availability group unless it's required by the company's compliance policies.

Configure SQL Server power settings to be set to Balanced instead of High Performance.

SQL Server has a setting called Max Server Memory that controls the maximum amount of physical memory that can be consumed by the SQL Server's buffer pool. An incorrectly configured Max Server Memory may result in either the SQL engine causing high I/O or the OS and other programs being starved of memory. Refer to the “configuring the maximum memory for audit store databases” section of the Auditing Administrator's Guide and always configure this value as recommended before the deployment begins.

If you expect a database server to be migrated or retired in the near future, it is better to create a CNAME alias in DNS for the current database server and specify the alias everywhere (e.g. when creating a new Management database) rather than specifying the actual host name. This prevents scenarios where the database server is not found after a migration.

Audit and Monitoring Architecture

The audit architecture includes several components to ensure a smooth operating and secure audit environment. A Collector is the service that collects audit records from servers being audited and stores them in the audit store database. Avoid deploying the collector on the same machine as the active Audit Store database's SQL Server.

When using the Server Suite Agent for Windows to audit sessions, configure data capture at native color depth when auditing systems with many concurrent users (such as Citrix XenApp server). When not capturing at native color depth, the DirectAudit daemon has to transform the captured data to its target format which ends up consuming CPU cycles. To automatically set native color depth at installation time, see the documentation.

Grant Audit Installation Rights To Administrator Groups

Delinea Audit Administrators have specific privileges to manage and configure the Server Suite audit configuration. A common mistake is that rights are assigned to specific AD accounts instead of AD groups, or are not delegated at all. When employees leave the company and those AD accounts are disabled, the Audit service becomes inaccessible. To avoid this, Delinea recommends that rights over the Audit installation are delegated to AD groups and that administrators and auditors are placed into the proper AD groups. This ensures that all administrators within that security group retain access to configure and modify the audit settings in the event that a specific employee leaves the organization.

Delinea Relationship Best Practices

Monthly Cadence Call with Delinea

Customers can schedule a monthly cadence call with the Delinea Account Team, Support, and Engineering to ensure that best practices and customer requirements are consistently being communicated.

Customers should have the contact information of their account team (Account executive, customer success manager, and systems engineer). This account team can help escalate requests internally within Delinea, handle licensing questions and feature requests.

Attend Annual Delinea Update Meetings

Customers are entitled to annual update meetings with the Delinea Account and Product Management to understand new feature availability and to submit/track enhancements. Customers often find that Delinea has provided additional capability in a new release that addresses new requirements they are entitled to. Additionally, this helps customers to understand the product roadmap and direction for Delinea and promotes a partnership between Delinea and the customer.