05-PAM-ADMIN-Accounts-pt1.pdf
Document Details
Uploaded by FancySarod
2023
Tags
Full Transcript
PAM Administration Accounts – Part 1 © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: Agenda 1. Add an Account via the PVW...
PAM Administration Accounts – Part 1 © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: Agenda 1. Add an Account via the PVWA 2. Understand the different password management operations © 2023 CyberArk Software Ltd. All rights reserved Overview © 2023 CyberArk Software Ltd. All rights reserved Policies, Platforms, Safes, and Accounts Add exceptions Review/Edit Create Add to Master Policy Create Safes Master Policy Platforms Accounts based on Platforms Business/audit rules Technical settings for Exceptions to Access control Individual objects for managing managing passwords Master Policy rules containing the required passwords and connecting to information (address, target systems username, password, Global policy etc.) to manage settings Basis for exceptions privileged accounts © 2023 CyberArk Software Ltd. All rights reserved Accounts Accounts – The actual privileged account IDs and passwords Stored in Safes Examples include: ⎼ Domain administrators ⎼ Local administrators ⎼ Root accounts ⎼ Service accounts ⎼ And more Every account resides in a single Safe Every account is associated with a single Target Account Platform © 2023 CyberArk Software Ltd. All rights reserved Add An Account © 2023 CyberArk Software Ltd. All rights reserved Add A New Linux Account Platform: Safe: Master Policy Account: LIN SSH 30 Lin-Fin-US Change passwords Password length Members of the Username: logon01 every 60 days should be 10 “LinuxAdmins” Team characters long group will have “Use Password: ****** and list” permissions Master Policy Address: Exception: Change target-lin.acme.corp password every 30 days © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved What Just Happened? So, we have “created” an account. But what does that mean? Did we create a new account called “logon01” on that target system? No. All we have done is registered information in the CyberArk PAM database about an account named logon01. © 2023 CyberArk Software Ltd. All rights reserved Accounts View – Add a Linux Account © 2023 CyberArk Software Ltd. All rights reserved Account Management Operations In this section we will discuss the account management operations performed by the CPM © 2023 CyberArk Software Ltd. All rights reserved Password Management is Performed By the CPM The CPM manages passwords and SSH keys on devices based on the policies set by Vault Administrators Policy y7qeF$1 Im7yT%w Tojsd$5fh gviNa9% X5$aq+p Central Policy Manager System User Pass Unix root tops3cr3t Oracle SYS tops3cr3t Windows Administrator tops3cr3t z/OS DB2ADMIN tops3cr3t Cisco enable tops3cr3t IT Environment © 2023 CyberArk Software Ltd. All rights reserved Password Management Overview There are three actions performed by the CPM in order to manage privileged accounts: 1 Password Verification: Confirms the password stored in the Vault matches the password on the target system 2 Password Change: Changes the password automatically based upon an expiration period or by user intervention 3 Reconciliation of unknown or lost passwords: Process used when the password stored in the Vault does not match the target system Central Policy Manager IT Environment © 2023 CyberArk Software Ltd. All rights reserved Verifying the Account © 2023 CyberArk Software Ltd. All rights reserved Verify Process Vault CPM Target Scan Vault for Account Account Info & Current Passwords Login using current credentials Success or failure Notify the Vault © 2023 CyberArk Software Ltd. All rights reserved Completed Verification © 2023 CyberArk Software Ltd. All rights reserved Password Change © 2023 CyberArk Software Ltd. All rights reserved Confirm Change © 2023 CyberArk Software Ltd. All rights reserved Pending Change © 2023 CyberArk Software Ltd. All rights reserved Change Process Vault CPM Target Scan Vault for Account Account Info & Current Passwords Login using current credentials Success or failure Connect & run change password Generate Password Success or failure Login using new credentials Success or failure Store new credentials © 2023 CyberArk Software Ltd. All rights reserved Completed Change © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this session we discussed: What accounts are How to add an account to CyberArk PAM via the PVWA The different password management operations © 2023 CyberArk Software Ltd. All rights reserved Documentation Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials Additional Resources You may now complete the following exercises: Securing Windows Domain Accounts Account Management ̶ Add the reconcile account ̶ Add the accounts discovery account Securing Unix SSH Accounts Securing Oracle Database Accounts
