Question

According to Zach DeMeyer at JumpCloud, “Generally endpoint management solutions have focused solely on managing the system, not including identities and access.” JumpCloud is a cutting‐edge blend of SSO and management of permissions in a network. Users' identities are at the core of JumpCloud as a directory as a service. You create a central, authoritative version of each identity so employees can use a single set of credentials throughout all the resources they need to access. You can set up password complexity and expiration features to ensure policies are met and then, once set up, bind those users to any of the resources connected to JumpCloud from their host system to applications to networks.

To get started, go to jumpcloud.com and create your user account. Your first ten users are completely free, forever. After that, there is a small charge per user. Once your user account is validated through your email, you have access to the central console where you can set up credentials for platform, protocol, or location. You can use JumpCloud to enforce policies, set password requirements including multifactor authentication, and streamline access to most IT resources. Lab 8.1 shows how to create a user, and Lab 8.2 shows how to create a system.

---

LAB 8.1 : CREATING A USER

1. Open your browser and log into the JumpCloud web interface.
2. On the Users tab, click the green box with the plus sign (see Figure 8.3 ).

   

   Figure 8.3 : How to create a user in JumpCloud

3. Define the new user's first name, last name, username, and email address. If you have audited this user's needs, then you will know if you need to enable admin/sudo permissions or require multifactor authentication. In Figure 8.4 , you see the New User dialog box. This is where you can add the initial password for the user.

   

   Figure 8.4 : The New User dialog box

4. For each user, you have the ability to add that person to user groups for access permissions, what systems each has permission to sign into, and what directories each needs access to. You will have to build these next to tie them together.

---

---

LAB 8.2 : CREATING A SYSTEM

1. Open the systems menu, second from the top. Click the green box with the plus sign to open the New System instructions.
2. Mac, Windows, and Linux systems are bound to the JumpCloud platform when you install the system agent. Once it is installed, you can remotely and securely manage a system and the accounts on those systems and set policies. The agent is small and checks in through port 443 and reports event data. Align the system you need to manage with the platform at the type of New System.
3. Each of these will have specific instructions and connection keys. In the case of Windows, you have an agent to download as well as a connect key (see Figure 8.5 ). When you double‐click the Windows executable, you will be asked for the key during the install process.

   

   Figure 8.5 : Download the Windows Agent and use the connect key to complete the installation.

4. Copy and paste the connect key into the install file to bind the JumpCloud agent to your system. In a few moments, you will see the hostname displayed in Systems page.
5. After the asset has successfully checked in, you can apply policies to that asset. By default, Windows has 22 policies you can configure. Figure 8.6 shows a few of them. One best practice is to set up a lock screen.

   

   Figure 8.6 : Configuring Windows policies

---

The lock screen can help you not fall victim to donut day. Donut day is when you leave your computer unlocked, step away or turn your back for a moment, and someone takes advantage of you being logged in. That person will send an email to everyone saying, “I'm bringing the donuts tomorrow!” Everyone knows you left the machine unlocked. Some organizations I've worked for had a prank where they would change our wallpaper to My Little Pony and called it getting pwned. You must lock your computer, and if you forget, a policy can do it for you. It can be an expensive lesson to bring donuts for 250 people. In Figure 8.7 , you see the Windows Lock Screen policy and the ability to set the timeout in seconds. Again, you have to balance the CIA triad with usability. I have seen an executive, frustrated with the lockout policy, place a “perpetual drinking bird” next to his keyboard to peck his keyboard and simulate activity so he didn't have to type in his password every 60 seconds.

Figure 8.7 : Windows Lock Screen policy

Now that you have a user, a system, and a policy, it's time to evaluate groups, applications, and directories. Each of these will have its own impact on the security posture of your organization. With groups, you have the ability to provide your users and admins access to resources while pulling them into a central management portal. To add another layer of security, giving users the ability to use SSO to sign into an application will enhance these processes. Finally, building a directory will allow you to synchronize user accounts and enable JumpCloud to act as a single authoritative directory of users.

The goal is to work your way through the CIS controls. CIS Control 5 is controlling IM and AM. With controlled use of the correct privileges on computers, networks, and applications, you protect information and assets from theft and misuse. It becomes even more important because you have to deal with the monumental outside threat but also insiders doing things they shouldn't be doing. It can be a daunting task, but it is essential.