PAM Administration Policies & Platforms PDF
Document Details
CyberArk University
2023
Summary
This document covers PAM Administration, including policies and platforms. It details the general workflow of CyberArk PAM, configuration of key parameters in the Master Policy, and management of various platforms. It also covers the technical settings for managing passwords and the role of platforms as the basis for exceptions.
Full Transcript
PAM Administration Policies & Platforms
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to:
1. Describe the general workflow when working with CyberArk PAM
2. Configure key parameters in the Master Policy
3. Create and manage Platforms

Overview

Policies, Platforms, Safes, and Accounts
1. Review/Edit Master Policy: business/audit rules for managing passwords; Global policy settings
2. Create Platforms: technical settings for managing passwords and connecting to target systems; basis for exceptions
3. Add exceptions to Master Policy based on Platforms: exceptions to Master Policy rules
4. Create Safes: access control
5. Add Accounts: individual objects containing the required information (address, username, password, etc.) to manage privileged accounts

The Master Policy
The Master Policy enables an organization to define a baseline for managing accounts in the organization. It is used for managing the Global policy settings. Exceptions to the Master Policy rules allow sets of accounts to vary from the Policy rule.

Master Policy: Global Policy
- Dual control
- Exclusive access
- One-time passwords
- Allow transparent connections
- Require reason for access

Master Policy: Global Policy
Set the global password change and verification requirements

Master Policy: Global Policy
Activate Privileged Session Management and its recordings

Master Policy: Global Policy
Set the retention policies for Vault audit data

Master Policy: Password Management

Platforms
In this section we will discuss Platforms:
- What they are
- How to create them
- How to manage them

Policies, Platforms, Safes, and Accounts
Platforms: technical settings for managing passwords and connecting to target systems; basis for exceptions

Platform Types
There are two types of platforms:
- Platforms that define the technical settings that determine how the system manages accounts on different types of servers
- Platforms, also known as Usages, that define additional service accounts such as Windows services or scheduled tasks

What Are Platforms Used For?
Platforms have three main functions:
1. Define the technical settings required to manage passwords: password policy settings such as minimum length, forbidden characters, and so on.
2. Point to the relevant plug-ins and connection components: how you log in and change a password on a Unix server is very different than how you do the same thing on a Windows server. Different plug-ins must be used for different target systems.
3. The basis for exceptions to the Master Policy: exceptions can be made to the Master Policy.

Creating and Managing Platforms

Platform Management
Platforms are located under the Administration tab.

Platform Management
The platforms are grouped by target system type. There are several dozen baseline platforms that function out of the box with little or no configuration.

Duplicating Platforms
Duplicating a Platform to create a new one is required when accounts of the same system type require different policies.
For example, when Unix accounts in different regions need to be rotated on a different basis.

Duplicating Platforms: Platform Name
Use a logical naming convention based upon business rules. For example, LIN SSH 30 indicates this platform will be used to manage Linux accounts via SSH connections and that the passwords will be rotated every 30 days.
The Platform Name must be unique.

Edit Platform
Select Edit to modify the Platform settings (for example, password policy settings)

Edit Platform
Platforms are divided into 2 broad sections:
1. UI & Workflows
2. Automatic Password Management
The settings for managing passwords can be found in the Automatic Password Management section.

Edit Platform: Password Complexity
The Generate Password section controls the password creation policy:
- Length
- Complexity
- Forbidden characters
- etc.

Activating/Deactivating Platforms
The Vault administrator can deactivate Platforms that are not currently relevant to your implementation, providing:
- Better administration: Inactive Platforms are hidden from users when they add accounts
- Better performance: the CPM does not need to manage inactive Platforms

Importing New Platforms
If you have a system that is not supported by one of the default Platforms, you can either create a new one or import one from the CyberArk Marketplace.

Master Policy Exceptions

Policies, Platforms, Safes, and Accounts
Exceptions: exceptions to Master Policy rules

Exceptions to the Master Policy
Exceptions to the Master Policy are created by platform.
For example, when an exception for how often a password change is required for a particular platform.

Policy By Platform
In the Platform Management page, we can view the password management policies that are applied to the different platforms.

Summary
In this session we discussed:
- The general workflow when working with CyberArk PAM
- How to configure key parameters in the Master Policy
- How to configure key parameters in Platforms

Additional Resources
Customization: CyberArk Marketplace (login required)

You may now complete the following exercise:
Securing Windows Domain Accounts
Platform Management
- Duplicating a Platform
- Configure Password Management
- Editing the Master Policy
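
The baseline-plus-exceptions model and the platform naming convention described in this session, as an added example that is not part of the original slides and is not CyberArk code or its API. The rule keys, their values, the platforms other than LIN SSH 30, and the accounts are all constructed for illustration.

```python
import re
from datetime import date

# Constructed baseline: keys abbreviate the Master Policy rules named on the
# slides; the values are illustrative assumptions, not CyberArk defaults.
MASTER_POLICY = {
    "dual_control": False,
    "exclusive_access": False,
    "one_time_passwords": False,
    "require_reason": True,
    "change_every_days": 90,
}

# Constructed platforms: unique platform name -> exceptions to the baseline.
PLATFORMS = {
    "LIN SSH 30": {"change_every_days": 30},
    "LIN SSH 60": {},                      # duplicated, exception never added
    "WIN DOM 90": {"dual_control": True},
}

# Constructed accounts: (account, platform, date of last password change).
ACCOUNTS = [
    ("root@lin-eu-01", "LIN SSH 30", date(2023, 5, 1)),
    ("root@lin-us-01", "LIN SSH 60", date(2023, 3, 20)),
    ("svc-admin@corp", "WIN DOM 90", date(2023, 4, 10)),
]

def effective_policy(platform):
    """Overlay a platform's exceptions on the Master Policy baseline."""
    exceptions = PLATFORMS[platform]
    unknown = set(exceptions) - set(MASTER_POLICY)
    if unknown:
        raise ValueError(f"{platform}: exception to unknown rule {sorted(unknown)}")
    return {**MASTER_POLICY, **exceptions}

def name_mismatches():
    """Platforms whose trailing number disagrees with the effective interval."""
    found = []
    for name in PLATFORMS:
        m = re.search(r"(\d+)$", name)
        days = effective_policy(name)["change_every_days"]
        if m and int(m.group(1)) != days:
            found.append((name, int(m.group(1)), days))
    return found

def overdue(today):
    """Accounts whose password age exceeds the effective change interval."""
    return [acct for acct, plat, changed in ACCOUNTS
            if (today - changed).days > effective_policy(plat)["change_every_days"]]
```

The constructed "LIN SSH 60" platform shows why the name alone proves nothing: with no exception defined it inherits the 90-day baseline, so an 87-day-old password on it is not reported as overdue until the mismatch is corrected.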