Working with Server Core and Windows Server 2012
The Agent for Windows can be installed on Windows computers that are configured to run the Server Core operating environment. Server Core is a Windows installation option that provides a low-maintenance server environment with limited functionality.
Most Agent operations are not affected by running on Server Core. However, there are specific features that are not available or not applicable because of the limitations of the Server Core environment itself. For example, the Run with Privilege menu option is not available on Server Core computers because Server Core does not support Windows Explorer and other graphical user interface applications. However, you can use the runasrole command line utility to run specific applications using a specified role.
Similarly, no IBM Security notification area applet or desktop rights are available on Server Core computers. However, you can access the Authorization Center, agent configuration panel, and agent command-line utilities from the Server Core command prompt.
The following list summarizes the Agent for Windows features that are not supported on Server Core computers:
- You cannot create, select, or switch desktops or use any desktop-related features because the Windows desktop is not available on Server Core.
- You cannot select Run with Privilege as a right-click menu option for applications because Windows Explorer is not available on Server Core.
- You cannot open the Authorization Center or access the IBM Security notification area applet because the Windows desktop and Windows Explorer are not available on Server Core.
- You cannot open applications such as the agent configuration panel from Start menu shortcuts because the Windows desktop and Windows Explorer are not available on Server Core.
You should note that only the Agent for Windows is supported for the Server Core environment. A small number of other Verify Privilege Server Suite components for Windows support a command line interface, but are not configured to support a Server Core environment.
Server Core Supported Platforms
IBM Security supports the following versions of the Server Core environments:
- Windows Server 2008 R2 Server Core
- Windows Server 2012 Server Core
- Windows Server 2012 Minimal Server Interface
- Windows Server 2012 R2 Server Core
- Windows Server 2012 R2 Minimal Server Interface
You should note that Server Core is not supported on Windows Server 2008 because Windows Server 2008 Server Core does not support any version of the .NET Framework. The Agent for Windows requires the .NET Framework. For more information about the supported libraries and .NET functionality on Server Core, see the reference material available on the Microsoft Developer Network website for the operating system you have deployed.
For general information about Server Core on Windows Server 2008 R2, see: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753802(v=ws.10)
For general information about Server Core on Windows Server 2012 R2, see: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831786(v=ws.11)
Installing the Agent on a Computer Running Server Core
You cannot use the autorun.exe or the setup.exe program to install components on a computer that is configured to run as a Server Core environment. Instead, you must install from Microsoft Installer (.msi) files using the msiexec command-line program.
To install the Agent for Windows on Server Core:
- Use the Deployment Image Servicing and Management (DISM) tool or another command-line tool to enable the .NET Framework.
  For example, if you are using Windows Server 2012 or later and the .NET Framework is located on the installation media in the D:\sources\sxs folder, use the following command:
  DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:D:\sources\sxs
  To install the .NET Framework on Windows Server 2008 R2, run the following commands to enable the required features:
  Dism /Online /Enable-Feature /FeatureName:NetFx2-ServerCore-WOW64
  Dism /Online /Enable-Feature /FeatureName:NetFx3-ServerCore-WOW64
  Dism /Online /Enable-Feature /FeatureName:NetFx2-ServerCore
  Dism /Online /Enable-Feature /FeatureName:NetFx3-ServerCore
- Copy the Agent for Windows files to the Server Core computer. For example:
  copy D:\Common\Centrify* C:\Agent
  copy D:\Agent\* C:\Agent
- Install the Common Component service using its .msi file. For example, to install the Common Component on a computer with 64-bit architecture, you might use the following command:
  msiexec /i "Common Component64.msi" /qn
- Install the Agent for Windows using its .msi file. Run the following command:
  msiexec /i "Agent for Windows64.msi" /qn
- Restart the computer with the appropriate shutdown options to complete the installation and start the agent services. For example, you might run the following command:
  shutdown /r
  Note that restarting the computer is not required if you install only auditing features.
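The procedure above, scripted as an unattended install with exit-code checking and per-package logs. This is an added example, not a script from the IBM documentation or the product; it assumes Windows Server 2012 or later, an elevated PowerShell session, installer files already copied to C:\Agent, .NET source media at D:\sources\sxs, and the .msi and feature names quoted in the steps above.

```powershell
# Added example (not from the IBM documentation): unattended install of the Agent
# for Windows on Server Core 2012 or later, following the documented steps.
# Assumptions: elevated PowerShell; installers already copied to C:\Agent;
# .NET source media at D:\sources\sxs; .msi and feature names as quoted above.
$ErrorActionPreference = 'Stop'
$AgentDir = 'C:\Agent'
$NetFxSrc = 'D:\sources\sxs'
$RestartAfterInstall = $true   # set to $false when installing only auditing features
$LogDir = Join-Path $AgentDir 'logs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 1: enable the .NET Framework only if it is not already enabled.
$netfx = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
if ($netfx.State -ne 'Enabled') {
    & dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess "/Source:$NetFxSrc"
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
}

# Steps 3 and 4: install the two packages silently, Common Component first, with
# a verbose log for each so a failed install can be diagnosed without a GUI.
# msiexec exit codes: 0 = success, 3010 = success but a reboot is required.
$rebootRequested = $false
foreach ($msi in 'Common Component64.msi', 'Agent for Windows64.msi') {
    $path = Join-Path $AgentDir $msi
    if (-not (Test-Path $path)) { throw "Installer not found: $path" }
    $log = Join-Path $LogDir (($msi -replace '\.msi$', '') + '.log')
    # /norestart keeps msiexec from rebooting between the two packages.
    $msiArgs = @('/i', "`"$path`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed $msi" }
        3010    { Write-Host "Installed $msi (reboot required)"; $rebootRequested = $true }
        default { throw "msiexec failed for $msi with exit code $($proc.ExitCode); see $log" }
    }
}

# Step 5: restart to complete the installation and start the agent services.
if ($RestartAfterInstall -or $rebootRequested) {
    Write-Host 'Restarting the computer...'
    Restart-Computer -Force
} else {
    Write-Host 'Installation finished; no restart requested.'
}
```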
Opening Consoles on Server Core Computers
Because the primary interface for the Server Core environment is a command prompt with only limited support for graphical user interface features, you must use the command line to open the consoles that enable you to join or leave a zone, view your rights and roles, and configure agent settings.
Joining a Zone
One of the first tasks after installing the Agent for Windows is to join a zone. You can do so by launching the agent configuration panel from the command prompt.
To open the agent configuration panel to join a zone:
- Navigate to the Agent for Windows installation directory. By default, the agent files are installed in the C:\Program Files\Centrify\Agent for Windows directory.
- Run Centrify.DirectAuthorize.Agent.Config.exe.
- Click Change.
- Click Browse.
- Type all or part of the zone name, click Find Now, then select the zone to join and click OK.
- Click Close to exit the agent configuration panel.
If you later need to change the zone, run diagnostics, refresh the authorization cache, or view or modify log settings, you can run Centrify.DirectAuthorize.Agent.Config.exe to perform those tasks.
Viewing Authorization Details
By default, identity management, privilege management, and audit and monitoring service features are enabled after you install and configure the Agent for Windows. To see details about your rights, role definitions, role assignments, and auditing status, you can launch the Authorization Center from the command prompt.
To open the Authorization Center on a computer with the Server Core operating system:
- Navigate to the Agent for Windows installation directory. By default, the agent files are installed in the C:\Program Files\Centrify\Agent for Windows directory.
- Run Centrify.DirectAuthorize.Auth.Center.exe.
Configuring Auditing Options
By default, identity management, privilege management, and audit and monitoring service features are enabled when you install the Agent for Windows. To configure audit and monitoring service options and specify the audit installation for the agent, you can launch the agent configuration panel from the command prompt.
To open the agent configuration panel to configure auditing features:
- Navigate to the Agent installation directory. By default, the agent files are installed in the C:\Program Files\Centrify\Audit\Agent directory.
- Run agent.configure.exe.
- Click Configure.
- Select a color quality, then click Next.
  Because the Server Core operating system uses very few graphical elements, in most cases you should accept the default setting of Low for the color quality. This setting minimizes the storage requirements for auditing if you have enabled video capture auditing.
- Accept the default offline data location and maximum size or type a different location, then click Next.
  You can also drag the slider to change the maximum percentage of the drive the offline data can consume. In most cases, however, you should leave the default setting unchanged.
- Select the audit installation, then click Next.
- Review your configuration settings, then click Next.
- Click Finish to close the configuration wizard.
- Click Close to exit the agent configuration panel.
Running Command Line Programs
The Agent for Windows includes several command line programs for performing administrative tasks. The following command line programs are supported on Server Core computers:
- dzinfo
- dzjoin
- dzdiag
- dzrefresh
- dzflush
- dzdump
- runasrole
For more information about the command line options or output for these commands, see Using Windows command line programs or run the command with the /help option.
Unsupported Windows Server 2012 Features
Windows Server 2012 includes support for claims, compound authentication, and Kerberos armoring. The core Agent for Windows does not provide support for these advanced authentication features. Taking full advantage of these advanced authentication services, however, requires the following changes to your environment:
- Deploy Dynamic Access Control.
- Upgrade all of your domain controllers and application servers to Windows Server 2012 or later.
- Upgrade all of your workstations to Windows 8 or later.
- Raise the domain functional level to Windows Server 2012.
If you have a mixed environment that includes Windows 7 and Windows 8 or later workstations and Windows Server 2008 or Windows Server 2008 R2 domain controllers, you can configure the administrative template for claims, compound authentication, and Kerberos armoring to use the Not supported option (default).
To use the Supported configuration option, you must deploy Dynamic Access Control, configure Windows 8 and later client-side support for claims, compound authentication and Kerberos armoring, and ensure you have domain controllers running Windows Server 2012 to handle the authentication requests for those computers. To prevent authentication failures, do not install the Agent for Windows on any computer configured to support claims, compound authentication and Kerberos armoring.
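A pre-install check for the caveat above, run on the candidate Server Core computer. This is an added example, not code from the IBM documentation or the product; it assumes that the "Kerberos client support for claims, compound authentication and Kerberos armoring" policy is stored as the EnableCbacAndArmor DWORD under the Kerberos\Parameters policy key (1 = Supported, 0 or absent = Not supported), and uses the agent installation path quoted earlier on this page.

```powershell
# Added example (not from the IBM documentation): refuse to install the Agent for
# Windows on a computer whose Kerberos client policy is set to Supported for
# claims, compound authentication and Kerberos armoring.
# Assumption: the policy is backed by EnableCbacAndArmor under this registry key.
function Get-KerberosArmoringSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name EnableCbacAndArmor -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.EnableCbacAndArmor } else { $null }
    if ($null -eq $value) { 'NotConfigured' }   # policy absent: behaves as Not supported
    elseif ($value -eq 0) { 'NotSupported' }
    else                  { 'Supported' }
}

function Test-AgentInstallPrerequisites {
    $setting  = Get-KerberosArmoringSetting
    # Installation path as documented on this page for the Agent for Windows.
    $agentExe = 'C:\Program Files\Centrify\Agent for Windows\Centrify.DirectAuthorize.Agent.Config.exe'
    [pscustomobject]@{
        KerberosArmoring = $setting
        AgentInstalled   = (Test-Path $agentExe)
        SafeToInstall    = ($setting -ne 'Supported')
    }
}

$result = Test-AgentInstallPrerequisites
$result | Format-List
if (-not $result.SafeToInstall) {
    Write-Warning 'Kerberos claims/compound authentication/armoring is set to Supported on this computer; do not install the Agent for Windows here.'
    if ($result.AgentInstalled) {
        Write-Warning 'The agent is already installed on this computer; expect authentication failures until one of the two is removed.'
    }
}
```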
In addition, Verify Privilege Server Suite does not provide any specific support for authenticating access to Server Message Block 3.0 (SMB3.0) file shares that are supported in Windows Server 2012. The SMB protocol operates as an application layer for providing shared access to computers, printers, and other devices. This protocol has been extended to provide shared access to virtual machines and SQL user databases.