CyberArk PAM Key Features

CyberArk PAM Key Features

• CyberArk PAM provides a comprehensive solution for discovering, isolating, recording, monitoring, and remediating privileged credentials and sessions.

Discover and Manage Credentials

• Automated processes for account discovery
• Policies for managing credentials, including:
  • Password complexity
  • Rotation frequency
  • Others

The Vault

• A secure storage for credentials
• Clients of the Vault include:
  • End users (IT staff, auditors, etc.)
  • Custom applications
  • Reporting tools
• The Vault provides a centralized policy management system

The Vault: End-to-End Security

• Secure storage of credentials
• Discretionary and mandatory access control
• Encryption of sessions and files
• Proprietary protocol and hardened built-in firewall
• Single or two-factor authentication
• Granular permissions and role-based access control
• Subnet-based access control and time limits
• Event-based alerts and tamper-proof audit trail
• Hierarchical encryption model, with every object having a unique key

User Management in PVWA

• User management module introduced in PAM version 13, accessible through PVWA
• Create and edit CyberArk users
• Create groups and assign users to them
• View all users (LDAP and CyberArk)
• Disable or activate a suspended user
• Reset a user's password

Managing Users

• Create new CyberArk users manually through PVWA
• Edit CyberArk users through PVWA
• Create groups and assign users to them through PVWA
• Disable or activate a suspended user through PVWA
• Reset a user's password through PVWA

Changing Master Password

• Change the Master user password by logging in as Master user and clicking User → Set Password

User Management in PrivateArk Client

• Manage users and groups via PrivateArk Client
• Adding users: authorized interfaces, authentication, vault authorizations, group membership, and general tabs
• Users stored in Vault database
• Recommended to manage users with an external LDAP directory, such as Active Directory
• Can manually create users via PrivateArk Client

General Tab

• Manually add new users through PrivateArk Client interface

Authorized Interfaces

• Select which interfaces a user can log in from

Authentication

• Select the authentication method for a user

Vault Authorizations

• Configure Vault authorizations for a user

Group Membership

• Select which groups a user is a member of

User Management Overview

• Users vs. Accounts: understand the differences between the two
• Internal Users and Groups vs. Transparent Users and Groups: understand the differences between the two

Platform Management

• Platforms have three main functions: defining technical settings, pointing to relevant plug-ins and connection components, and basis for exceptions to the Master Policy.

Platform Functions

• Define password policy settings such as minimum length, forbidden characters, and more.
• Manage how you log in and change a password on different target systems (e.g., Unix, Windows).

Creating and Managing Platforms

• Platforms are located under the Administration tab.
• Platforms are grouped by target system type.
• There are several dozen baseline platforms that function out of the box with little or no configuration.

Duplicating Platforms

• Duplicating a Platform is required when accounts of the same system type require different policies.
• Example: Unix accounts in different regions need to be rotated on a different basis.

Platform Naming Convention

• Use a logical naming convention based on business rules (e.g., LIN SSH 30 indicates Linux accounts via SSH connections with 30-day password rotation).

Editing Platform Settings

• Select Edit to modify Platform settings (e.g., password policy settings).
• Platforms are divided into two broad sections: UI & Workflows, and Automatic Password Management.

Password Complexity

• The Generate Password section controls password creation policy, including length, complexity, forbidden characters, and more.

Activating/Deactivating Platforms

• The Vault administrator can deactivate Platforms that are not currently relevant to your implementation, providing better administration and performance.

Policy By Platform

• The Platform Management page displays password management policies applied to different platforms.

Summary

• The general workflow when working with CyberArk PAM involves configuring key parameters in the Master Policy and Platforms.
• Key parameters include password policy settings, plug-ins, and connection components.

Granular Safe Permissions

• In the Safe Members tab, users and groups with access to the Safe are displayed.
• Members can be added and permissions assigned, managing access to accounts and passwords.

Permissions

• Permissions are organized into groups: Access, Account management, Safe management and monitoring, Workflow, and Advanced.

Safe Naming

• Safe names are limited to 28 characters and do not support double-byte characters.
• A naming convention is recommended, such as P-BOS-SRV-WIN-LAD-HR for local admin accounts on HR production servers.

Safe Constraints

• The number of objects stored in a Safe should be limited to 20,000, including versions of passwords.
• The recommended number of accounts or files stored in a Safe is between 3,000 and 5,000.

Access Control

• The principle of “least privilege” should be followed, storing objects in Safes according to need-to-know access.
• Separate Safes are recommended for Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts.
• Object-level access control is not recommended.

Adding Safe Members

• A new wizard streamlines the process of creating Safes and adding initial members.
• Permission presets and user/group searching are available.

Platforms and Safes

• The AllowedSafes parameter can limit the scope of a platform to specific Safes using a regular expression pattern.
• This helps improve CPM performance and simplifies administrative tasks.

Accounts

• Accounts store privileged account IDs and passwords in Safes
• Examples of accounts include:
  • Domain administrators
  • Local administrators
  • Root accounts
  • Service accounts
• Every account resides in a single Safe
• Every account is associated with a single Target Account Platform

Adding a Linux Account

• To add a new Linux account, provide the following information:
  • Platform: LIN SSH 30
  • Safe: Lin-Fin-US
  • Master Policy:_Exception: Change password every 30 days
  • Username: logon01
  • Password: ****** (hidden for security)
  • Address: target-lin.acme.corp

Account Management Operations

• Central Policy Manager (CPM) manages passwords and SSH keys on devices based on policies set by Vault Administrators
• CPM performs three actions:
  1. Password Verification: Confirms passwords in Vault match target system
  2. Password Change: Changes passwords automatically based on expiration period or user intervention
  3. Reconciliation of unknown or lost passwords: Process used when Vault password doesn't match target system

Password Management Overview

• CPM manages privileged accounts through three actions: Verification, Change, and Reconciliation
• Verification confirms passwords in Vault match target system
• Change updates passwords automatically or through user intervention
• Reconciliation resolves unknown or lost passwords

Verification Process

• Scan Vault for Account
• Login using current credentials
• Notify Vault of success or failure

Change Process

• Scan Vault for Account
• Login using current credentials
• Generate new password
• Connect and run change password
• Store new credentials

Push Private Keys to Application Servers

• CyberArk PAM allows pushing private keys to application servers for SSH key authentication.

Linked Accounts

• There are two types of linked accounts commonly used and supported by default for most platforms:
  • Logon account
  • Reconcile account

Logon Account

• No additional information provided about logon accounts.

Root Account Best Practices

• Using a username "root" is not recommended as it compromises all systems that trust it if it is compromised.
• SSH keys are more difficult to change than passwords.

SSH Key Manager

• Creates unique key-pairs for each target system.
• Private keys are stored in the Vault, not on user workstations.
• The CPM (Central Policy Manager) changes key-pairs often and automatically disseminates public keys to target systems.
• End users retrieve the private key from the Vault to authenticate to the target system.

Agenda and Objectives

• By the end of this session, you will be able to:
  • Describe and configure linked accounts (logon accounts and reconcile accounts)
  • Describe and configure SSH key management

Configuration File Management

• Certain applications retrieve credentials from configuration files, which can be managed by the CPM.
• Supported file types include plain text, INI files, XML files, and web configuration files.

Config File Usage

• Applications use configuration files to retrieve passwords for authentication.
• When the CPM changes a password, it must also update the corresponding configuration file.

Adding Config File Usage

• To add a configuration file usage, the relevant usage must be added manually to the target account platform.
• The parameter SearchForUsages must be enabled.

Dependent Platforms

• Dependent Platforms are used for managing Usages.
• A usage refers to an instance where an account is used to perform a task somewhere else.

Usages

• The CPM can synchronize an account password with all other occurrences of the same password on the same server or anywhere in the network.
• This is done through Usages, which are registered in CyberArk PAM.

Scheduled Task Example

• A scheduled task can be used to run a task with a specific account.
• In this example, a local Windows user – sendmail01 – is used to run a scheduled task – SchedTask01.

Adding Config File Usage (2)

• The specific INI config file usage must be added to the relevant account.
• The usage specifies the server address, full path to the INI file, and where in the file the password can be found.

Configuration Files

• When the CPM changes a password, it will also change the password in the corresponding configuration file.
• The password can be encrypted using an external command.

Logon Account

• An extra account may be required to log onto the remote machine where the usage exists.
• A logon account can be associated with the usage.

Encrypting the Password in Config Files

• Passwords stored in configuration files can be encrypted using an external command.
• The encryption command and encryption regex parameters are used to handle the encryption process.

Advanced Settings

• End users can connect transparently using privileged accounts and are allowed by default to view passwords.
• Users can specify a reason for access, which forces them to provide a reason why they are using a particular account.

Privileged Account Request

• The list of options for the drop-down is defined at the Platform level, so it can have a different set of reasons on a platform-by-platform basis.
• Predefined Reasons can be added to create a list of choices for users when accessing a password in the PVWA.

Dual Control

• Dual control requires end users to get authorization before accessing privileged accounts.
• Authorization must be given by one or more managers or peers, depending on the configuration.
• Dual Control is controlled through Safe membership, where Requesters are the people who want to use the privileged accounts.
• At least one person from each group with approver permissions must approve the request before the requester can use the password.

Multi-Group Approval Process

• If more than one group with approver permissions is set up, at least one person from each group must approve the request before the requester can use the password.
• In advanced settings, a multi-level approval process can be enabled, where a request must first be approved by one group before it is forwarded for approval to another group.
• Direct manager approval can be enabled, determined by the Manager attribute on the requester's AD user object.

Exclusive Access

• Exclusive access allows multiple users to access the password simultaneously.
• The password is changed automatically upon manual release, and the system will release it automatically based on the Minimum validity period.
• In later versions, the password can be auto-released by the PSM.

Summary

• The session covered five workflows: Allow transparent connections, Require users to specify reason for access, Dual Control, Exclusive Passwords, and One-time Passwords.

PAM Web Services API

• PAM Web Services API is a set of REST-based services running on the PVWA.
• It allows scripts and applications to communicate with the Vault.
• Used by CyberArk applications as well as third-party applications.
• Enables organizations to develop custom interactions with the Vault to automate business processes.

Discovery and Onboarding Methods

• Discovery and Onboarding Methods include:
  • Add a single account
  • Add multiple accounts from file
  • Discovery and Audit (DNA)
  • Continuous Accounts Discovery
  • Accounts Discovery & Onboarding Rules
  • Rest API

Onboarding Accounts

• Onboarding accounts can be done using three main REST methods:
  • Add account
  • Add discovered accounts
  • Create bulk upload of accounts

Add Account Method

• Used when the target Safe and Platform are known to the onboarding utility.

Add Discovered Accounts Method

• Used by CyberArk discovery and upload mechanisms, as well as third-party discovery mechanisms.
• Uploads discovered accounts (and dependencies) to the Pending Safe or onboards the accounts directly via automatic onboarding rules.

PAM Administration

• Involves Discovery and Onboarding.

PSM Flow

• PSM provides complete isolation of target systems, ensuring privileged credentials never reach users or their devices.
• Connections can be made from Unix, Linux, Mac, or Windows end-user machines.
• The PSM flow involves:
  • Logging on through PVWA
  • Connecting to PSM using RDP/TLS
  • Fetching credentials from Vault
  • Connecting using native protocols
  • Forwarding logs to SIEM and PTA
  • Storing session recordings

PSM for Windows

• The PSM for Windows flow involves:
  • Connecting to PSM using RDP/TLS
  • Fetching credentials from Vault
  • Connecting using native protocols
  • Forwarding logs to SIEM and PTA
  • Storing session recordings

PSM for SSH

• The PSM for SSH flow involves:
  • Opening an SSH session to the PSM server
  • Retrieving a privileged account password from the Vault
  • Opening an SSH session to the target using the privileged account
  • Forwarding logs to SIEM and PTA
  • Storing SSH session audits

Summary

• The Privileged Session Manager (PSM) features include:
  • PSM Connection Components
  • PSM Ad-Hoc Connections
  • PSM via HTML5 Gateway
  • PSM for Windows
  • PSM for SSH

Active Session Monitoring (PSM)

• PSM enables authorized users to monitor active sessions, take part in controlling these sessions, and suspend or terminate them.
• PSM can automatically suspend or terminate sessions when notified by PTA or a third-party threat analytics tool.

Active Session Monitoring (PSM for SSH)

• It is not possible to monitor or control live PSM for SSH sessions, but it is possible to view the live session audit.
• Recordings created by PSM for SSH are displayed in the classic interface.

Monitor Active Sessions

• Users can monitor active sessions using PVWA, HTTP/S, Unix, Administrator, RDP, and SSH (using putty).

Sizing Calculations for the PSM Server

• The required storage on the PSM Server (SPSM) is calculated using the formula: SPSM = Csession * tsession * Rsession recording + 20GB.
• The average bit rate of recorded video for different sessions is:
  • 100 KB/min for average SSH session
  • 200 KB/min for average low activity RDP session
  • 300 KB/min for average high activity RDP session with rich wallpaper

Sizing Calculations for the Vault Server

• The required storage on the Vault Server (SVault) is calculated using the formula: SVault = tretention * Nsession * tsession * Rsession recording + 20GB.
• The retention history requirement (tretention) is a factor in calculating the required storage.

PAM Administration

• The goal of this section is to enable participants to monitor and manage privileged session recordings, audits, and active sessions.
• The participant will be able to monitor and manage privileged session recordings, audits, and active sessions upon completion of this session.

Recordings

• PSM and PSM for SSH create video and text recordings for privileged sessions and store them in the Vault.
• Authorized users can view these recordings at any time.
• Recordings can be stored in an external storage device.

Configuring Rules

• Rules are defined by category, pattern, session response, threat score, and scope
• Categories include SSH, Universal Keystrokes, SCP, SQL, and Windows title
• Patterns are regular expressions to be monitored
• Session responses include Suspend, Terminate, and None
• Threat score ranges from 1-100
• Scope determines who or what the rule will apply to

Session Analysis and Response Life Cycle

• The life cycle includes analytics, define risks, alerts, automatic response, manual response, and risk review
• The security team is involved in the manual response and risk review stage

Privileged Threat Analytics

• It quickly gathers and analyzes critical data
• Enables speedy response and automated containment
• Detects suspicious activities
• Alerts security teams with detailed event information
• Collects data from a wide variety of sources
• Part of CyberArk's PAM administration

Agenda

• Describe the main functionality of Privileged Threat Analytics (PTA)
• Describe the different data sources used by the PTA
• Describe the different attacks and risks detected by the PTA
• Describe the alert flow by the PTA
• Configure and test PTA automatic responses
• Describe the session analysis and response flow

Report Categories

• There are two categories of reports: Operational reports and Audit/Compliance reports.

Filter Options

• Each type of report has differing filtering criteria.

Scheduling Reports

• Reports can be run immediately, saved, or scheduled to run on a regular basis.
• Subscribers can be added to receive notifications by email when the report is generated, containing a link to the report.

Report Status

• The Refresh button can be used to check if a report has been generated.

Finished Reports

• Reports can be downloaded in Excel or CSV formats.

Report Types

• PrivateArk Reports are of interest to Vault Admins and include:
  • License capacity of the system
  • Lists of Users
  • Active/Non-active Users
  • Safes List
  • Active/Non-active Safes
• PVWA Reports are of interest to Auditors and include:
  • Privileged Accounts Inventory
  • Applications Inventory
  • Privileged Accounts Compliance Status
  • Entitlement Report
  • Activity Log

Report Generation

• Reports can be generated using the PVWA and the PrivateArk Client.
• The Export Vault Data (EVD) Utility can be used to extract data for reports.

Permissions

• Different reports require different permissions to run.

CyberArk's Scalable Architecture

• The architecture consists of auditors, PVWA, CPM, PSM, and a Vault (HA Cluster) in the main data center, with replicated environments in London and Hong Kong.
• The IT environment is integrated with the Vault and other components.

PAM Self-Hosted Components

• PAM Self-Hosted is a Privileged Access Manager solution where all components are owned and operated by the customer.
• It can be deployed on-premises, in the cloud, or in a hybrid environment.
• The components include:
  • Secure Digital Vault: a secure server for storing privileged account information.
  • Password Vault Web Access (PVWA): a web interface for users to access privileged account information.
  • Central Policy Manager (CPM): performs password changes on devices and configures policies.
  • Privileged Session Manager (PSM): isolates and monitors privileged account activity, recording sessions.
  • Privilege Threat Analytics (PTA): monitors and detects malicious privileged account behavior.

CyberArk PAM Offerings

• PAM Self-Hosted is an entirely on-premises or cloud-based deployment.
• CyberArk Privilege Cloud is a PAM solution delivered as Software as a Service (SaaS).

Before Installing

• Enable the Backup user
• Set the password on the Primary Vault

Install the Utility

• Install the Replicator module and specify a path to a backup folder for the replicated data

Configure Vault.ini

• Edit the Vault.ini to give the Replicator utility the network address of the Vault server

Create Cred File

• The Credential File is used by the utility to authenticate to the Vault
• The password for the Backup user is changed in the Vault and the Credential File is updated after every successful login

Performing a Backup

• The backup is launched at a command line using the PAReplicate.exe executable file
• The syntax of the command specifies the vault.ini file and uses the logonfromfile and fullbackup switches

Overview

• The CyberArk Vault enables you to backup and restore a single Safe to a Vault, as well as a complete Vault’s data and metadata
• The Data and Metadata folders are extremely important and it is imperative to back them up regularly

Backup Considerations

• Vault backup can be implemented in two ways: Direct Backup (Not Recommended) and Indirect Backup (Recommended)
• Direct Backup introduces an external application to the Vault and potentially reduces the level of security
• Indirect Backup uses the PrivateArk Replicate Utility to pull Vault data as encrypted files to a server, and then enterprise backup software can backup these files

Installation and Setup

• Before installing the Replicator utility, ensure the backup server has at least the same disk space as the Vault database on an NTFS volume, accessibility by your enterprise backup system, and physical security that only permits authorized users to access it

Enhanced DR Replication

• Database synchronization occurs between the Primary Vault and Disaster Recovery Environment
• The DR Service is responsible for synchronization
• Data and metadata synchronization can be enabled in the padr.ini configuration file with the default setting EnableDbsync=Yes

Data Replication Interval

• The ReplicateInterval parameter determines the length of time between synchronizations of the Vault file system
• The default interval is 3,600 seconds (or one hour)

PVWA Failover Setup

• PVWA servers can be configured for automatic failover to allow users to access passwords without interruption
• Audit data should be saved via the activity log before re-enabling replication
• SIEM integration can mitigate the issue of saving audit data

DNS Load Balancing

• A DNS Alias can be used to control which Vault is used by the components (CPMs, PSMs, PVWAs)
• The DNS Alias is set in the Vault.ini file
• DNS Alias updates are a manual process and will extend the outage

Failover

• Automatic failover can be enabled with the parameter EnableFailover=Yes
• The CheckInterval indicates the DR Vault will contact the Primary Vault every 60 seconds, and if it fails, it will try again 4 times, once every 30 seconds
• After which, the DR Vault considers that the Primary is down and it goes into DR mode

Manual Failover

• To configure the DR Vault for manual failover, padr.ini should be configured as follows: EnableFailover to No, EnableDbsync to Yes, and ActivateManualFailover to No
• To perform a proper manual failover, set the parameter ActivateManualFailover to Yes and restart the DR service

The Failover Process

• The failover process involves connection failure, retry attempts, failover started, data synchronization, starting PrivateArk, stopping the Server, and disaster recovery service

CyberArk PAM Solution Encryption

• Three files form the cornerstone of the CyberArk PAM solution encryption methodology: Server Key, Recovery Public Key, and Recovery Private Key.
• These files are required to install and operate CyberArk PAM.

Vault Object Encryption - Day-to-Day Operations

• Vault objects are encrypted using AES-256.
• Server Key is used to encrypt vault objects.
• Safe objects are encrypted using AES-256.
• Safe Key is used to encrypt safe objects.
• Password files are encrypted using AES-256.
• File Key is used to encrypt password files.

The Vault: End-to-End Security

• The Vault provides end-to-end security with features like:
  • Discretionary and Mandatory Access Control
  • Session Encryption
  • Firewall Authentication
  • Granular Permissions
  • Subnet-Based Access Control
  • Tamperproof Audit Trail
  • Hierarchical Encryption Model
• The Vault uses a proprietary protocol and hardened built-in Windows firewall.
• OpenSSL encryption is used.
• Role-Based Access Control and Time Limits are available.
• Every object in the Vault has a unique key.

Vault Encryption and Key Management

• Keys are encrypted using a 3rd-party tool.
• Keys are not stored in RAM.
• Keys are always available, even when the Vault is restarted.
• Inserting a medium is required to encrypt the key.

Summary

• The session covered security controls protecting the Vault and encryption keys.
• It also covered encryption mechanisms protecting Vault data.

CyberArk PAM Solution Encryption

• Three files form the cornerstone of the CyberArk PAM solution encryption methodology: Server Key, Recovery Public Key, and Recovery Private Key.
• These files are required to install and operate CyberArk PAM.

Vault Object Encryption - Day-to-Day Operations

• Vault objects are encrypted using AES-256.
• Server Key is used to encrypt vault objects.
• Safe objects are encrypted using AES-256.
• Safe Key is used to encrypt safe objects.
• Password files are encrypted using AES-256.
• File Key is used to encrypt password files.

The Vault: End-to-End Security

• The Vault provides end-to-end security with features like:
  • Discretionary and Mandatory Access Control
  • Session Encryption
  • Firewall Authentication
  • Granular Permissions
  • Subnet-Based Access Control
  • Tamperproof Audit Trail
  • Hierarchical Encryption Model
• The Vault uses a proprietary protocol and hardened built-in Windows firewall.
• OpenSSL encryption is used.
• Role-Based Access Control and Time Limits are available.
• Every object in the Vault has a unique key.

Vault Encryption and Key Management

• Keys are encrypted using a 3rd-party tool.
• Keys are not stored in RAM.
• Keys are always available, even when the Vault is restarted.
• Inserting a medium is required to encrypt the key.

Summary

• The session covered security controls protecting the Vault and encryption keys.
• It also covered encryption mechanisms protecting Vault data.

Remote Control

• Enables users to perform remote operations on Vault, DR Vault, and ENE components.
• Consists of Remote Control Agent (Windows service) and Remote Control Client (command-line interface utility).
• Remote Control Agent runs on Vault components, while the Client can run on any computer without requiring other Vault components.

Remote Monitoring

• Enables users to receive Operating System and Vault information, including CPU, memory, and disk usage, event log notifications, and service status.
• Uses SNMP to send Vault traps to a remote terminal.
• CyberArk provides two MIB files for SNMP v1 and v2 that describe SNMP notifications sent by the Vault.

System Monitoring and Administrative Tasks

• Can monitor system health via REST, email, SIEM, and SNMP.
• Can monitor replications and DR status.
• Perform common administrative tasks related to system maintenance.

Monitoring Components

• Can monitor components via REST, email, SIEM, and SNMP.
• Examples of components that can be monitored include PVWAAppUser, PasswordManager, DR, and Backup.

Enabling Component Monitoring

• Can customize email notifications by editing the body parameter in the Component is inactive template (ID: 206).
• Can enable monitoring of a specific CyberArk component user account using the PrivateArk Client.
• Can add the ComponentMonitoringInterval parameter to dbparm.ini to set the monitoring interval.
• Can define the actions taken when the Vault detects a disconnected component using the ComponentNotificationThreshold parameter.

Troubleshooting PSM-RDP

• Same troubleshooting recommendations as for PSM-RDP
• Run component manually using shadow user
• Delete Shadow users (from PSM computer management)
• Adjust AppLocker (or remove it manually in Windows for isolation)

Shadow Users

• Created by the PSM upon first connection
• Used to run connection components and store user preferences
• Can isolate problems related to shadow users by:
  • Running the component manually as the shadow user (after password reset)
  • Deleting the user (this will allow the PSM to create the user again)

Adjust AppLocker

• PSM uses Windows AppLocker feature to define rules for allowing or denying applications
• When adding a new component, adjust AppLocker by:
  • Uncommenting the line relating to the new component in PSMConfigureApplocker.xml
  • Running the PSMConfigureApplocker.ps1 script

Disable AppLocker

• Can disable AppLocker entirely for isolating the problem only
• Steps to disable AppLocker:
  • Open secpol.msc or gpedit.msc
  • Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
  • Click on Configure rule enforcement and set Executable Rules to Audit Only
  • Turn Enforce rules back on after testing

CPM Services

• Restart the CPM Services to troubleshoot issues

Resynch PTA Credentials

• Run the VaultPermissionsValidation.sh script in the utility folder on the PTA server to resynch credentials for PTA Vault users and PTA_PAS_Gateway account

Common Issues Related to CPM

• Local Computer Policy conflicts with password policy on target device
• Platform and Master Policy settings must not conflict with password policy on target device

User Authentication Issues

• User Receives an Authentication Failure due to:
  • Trying to log in to PVWA with old password after changing network password
• Identifying the Error in the ITA log on the Vault
• Unsuspend the User or use Automatic Unsuspend feature

Automatic Unsuspend

• Configure the Vault to unsuspend users automatically after a predefined time period using the UserLockoutPeriodInMinutes parameter in dbparm.ini

Troubleshooting PSM Server Issues

• To troubleshoot PSM server issues, disable NLA (Network Level Authentication) on the PSM machine or target machine by going to Control Panel → System and Security → System → Remote Settings
• Manually connect with PSMConnect by disabling the Start Program in the Environment tab, getting the PSMConnect account password, and connecting to the PSM with PSMConnect and running MSTSC to the target

Increasing Timeouts

• Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session
• In overloaded environments, it is recommended to double the timeout values, e.g., ConnectionComponentTimeout: 20000

PSM Component Issues

• Verify if PSM users (PSMConnect / Shadow users) are supported and if Mapping drives is enabled

Target Windows Accounts

• Verify / Change / Reconcile API and “net use” command
• Use alternative plugins: WMI plugin / PowerShell plugin
• Suggested troubleshooting:
  • Check Windows Event Viewer
  • Check for unusual Local Security Settings
  • Run “net use” manually from the CPM server to verify the connection

Target Unix Accounts

• Verify / Change / Reconcile operations are affected
• Suggested troubleshooting:
  • Run plink manually
  • Disable DEP / add exceptions for DEP on the CPM server
  • Prompts and Process files – add a basic prompt

PSM-RDP Connection Troubleshooting

• Understanding the problem:
  • At what stage does the problem occur?
  • One account? Multiple accounts? Same type?
  • Is the PSM hardened? Is the PSM in a domain?
  • Which connection type is being used? RDP file / RemoteApp
• Suggested troubleshooting:
  • Check the PSM service – is it off/hanging?
  • Run component manually using shadow user
  • Delete Shadow users (from PSM computer management)
  • Adjust AppLocker (or remove it manually in Windows for isolation)

Shadow Users

• Shadow users are created by the PSM upon first connection
• Shadow users are used to run connection components and store user preferences
• Isolate problems related to shadow users by:
  • Running the component manually as the shadow user (after password reset)
  • Deleting the user (this will allow the PSM to create the user again)

Adjusting AppLocker

• The PSM uses the Windows AppLocker feature which defines a set of rules that allow or deny applications from running on the PSM machine
• When adding a new component, adjust AppLocker by:
  • Adding an exception to PSMConfigureApplocker.xml
  • Running the PSMConfigureApplocker.ps1 script

Disabling AppLocker

• Disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins
• Set Executable Rules to Audit Only and turn Enforce rules back on after testing

PSM Configuration

• PSM configuration file is located at C:\Program Files\CyberArk\PSM\Basic_psm.ini
• Debug settings can be found at PVWA > Administration Tab > Options > Privileged Session Management

CPM Configuration

• CPM configuration file is located at Vault > Safe "Password Manager" > root\policies\.ini
• Debug settings can be found at PVWA > Administration Tab > CPM settings

Debugging and Troubleshooting

• Debug levels can be set to 0 (no messages), 1, 2, 3, 4, 5, 6, or 7
• Trace levels can be set to 1, 2, 3, 4, 5, 6, or 7
• Log files can be found at \Logs and subfolders, or according to the LogsFolder parameter in Basic_psm.ini file
• CPM debug levels can be set to 1 (exceptions), 2 (trace messages), 3 (CASOS activities), 4 (CASOS debug activities), 5 (CASOS errors), or 6 (all CASOS activities and errors)

Log Files

• PSM logs can be found at \Logs and subfolders
• CPM logs can be found at \Program Files\CyberArk\PasswordManager\Logs\pm.log, \pm-error.log, \PMConsole.log, and \PMTrace.log
• Plug-in logs can be found at \Program Files\CyberArk\PasswordManager\Logs\ThirdParty\*.log
• PVWA logs can be found at %windir%\temp\

Troubleshooting Flow

• The basic troubleshooting methodology involves understanding the system implementation, component communication, and current behavior compared to expected behavior
• It is important to write down any information gathered during the troubleshooting process and any tests performed, as this information will be required when opening a case with CyberArk support

Privileged Threat Analytics (PTA)

• Detects malicious activity caused by privileged accounts and contains in-progress attacks.

On-Demand Privileges Manager

• Empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise.

Digital Vault

• A hardened and secured digital vault used to store privileged account information.
• Implemented in compliance with the CyberArk Digital Vault Server security standard, resulting in a highly secure repository for privileged account passwords.

Central Policy Manager (CPM)

• Performs password changes and SSH key rotations on devices based on policies set by Vault Administrators.
• Responsible for Accounts Feed operations, including:
  • Discover: Automates privileged account discovery.
  • Analyze: Provides an easy view of all discovered accounts.
  • Provision: Provisions the scope of accounts to manage in the Vault in a simple and intuitive way.

Policy Management

• Manages password policies for various systems, including Unix, Oracle, Windows, z/OS, and Cisco.

PVWA - Password Vault Web Access

• A web interface used by Administrators to perform administrative tasks and by end users to gain access to privileged account information.

PSM – Privileged Session Manager

• Isolates desktops from sensitive target machines to prevent cyber attacks.
• Creates accountability and control over privileged session access with policies, workflows, and single sign-on.
• Delivers continuous monitoring and compliance with session recording with zero footprint on target machines.

Enterprise Password Vault Solution Overview

• Master/exception policy definition.
• Initial load and reset accounts discovery through REST API or manual loading.
• Auditor access and policy management.
• Request access to privileged accounts through PVWA and PSM.