
07-PAM-ADMIN-Dependents.pdf




PAM Administration: Dependent Platforms
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session the participant will be able to:
- Configure various types of Dependent Platforms

Overview

Dependents
Dependents are another type of Platform and are used for managing Usages.
A usage refers to an instance in which an account that was created at the operating system or domain level is also used to perform some task somewhere else.
When we change the password for the target account, we must also make sure that any other occurrences (or usages) of the password are changed as well.

Usages
The CPM can synchronize an account password with all other occurrences of the same password on the same server or anywhere in the network, provided that those occurrences are registered in CyberArk PAM. This is done through Usages.
(Diagram: the CPM changes the password, scans for usages, and updates the password for each usage; this requires SearchForUsages=Yes on the platform.)

Scheduled Task Example
In our example, a local Windows user, sendmail01, is used to run a scheduled task, SchedTask01. When we change the password for sendmail01, we must also change the copy of the password that is stored with the scheduled task. If we don't, the scheduled task will no longer run.
Viewing the account details for sendmail01 in the Classic Interface, you will see the Scheduled Task tab. This is where we need to add the task, providing the name of the task and the server address. When the CPM changes the password for sendmail01, it will also change the password stored with the Scheduled Task.

Windows Usages: Platform Configuration
Windows Usages are enabled by default in all the Windows Target Platforms. The Target Platform must reference the Dependent Platforms for the Usages and must have the parameter SearchForUsages set to Yes.
The names listed under Usages reference the PAM object IDs of the Dependent Platforms. Here we see the usage SchedTask in a Windows platform. If we look at the dependent platform Scheduled Task, we will see that its ID is also SchedTask. This parameter informs the Target Platform what kinds of Dependents it should look for when scanning for usages.

Configuration File Example
Certain applications are hard-coded to retrieve credentials from configuration files. The CPM can manage application accounts in the following types of files:
- Plain text
- INI files
- XML files
- Web configuration files
These usages must be added manually to the appropriate Target Platforms.

Config File Usage Explained
In this example, we have an application that uses a database account, dba01, to retrieve data for processing. The application retrieves the password for the privileged account from a configuration file and uses the credentials to authenticate to a target database. When the CPM changes the password for dba01, it must also push the updated password to the config file that is used by the application.
(Diagram: the application on CRM-SRV1 reads Address 10.0.0.20, Username dba01 and Password Yt%6y& from its configuration file; the CPM pushes the password from the Digital Vault to that file.)
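To make the mechanics concrete, here is an added example, written for this page and not CyberArk's CPM code, that models three things from this slide and the ones that follow: the rule that a usage is synchronized only when the target platform has SearchForUsages=Yes and lists the dependent platform's ID under Usages, the INI-file usage that locates the password by section and parameter, and the Encryption Command / Encryption Regex handling with its "(.*)" default. The function names, the dict layout, the constructed app01.ini content, the assumption that the encryption command reads the plaintext on stdin, and the stand-in base64 "encryption" command are all inventions for this illustration.

```python
"""Added illustration for this page (not CyberArk's CPM code): usage selection,
INI-file usage update and the encryption command/regex step, parameter names as on the slides."""
import re
import subprocess
import sys
import tempfile
from pathlib import Path


def usages_to_sync(platform: dict, account_usages: list) -> list:
    """Usages the CPM would update: SearchForUsages must be Yes and the usage's
    dependent platform ID (e.g. SchedTask, INIFile) must be listed under Usages."""
    if platform.get("SearchForUsages") != "Yes":
        return []
    allowed = set(platform.get("Usages", []))
    return [u for u in account_usages if u["PlatformID"] in allowed]


def apply_encryption(password: str, encryption_command=None,
                     encryption_regex=None) -> str:
    """Run the optional external Encryption Command; Encryption Regex picks the
    value to store out of its stdout and defaults to "(.*)" when not defined."""
    if not encryption_command:
        return password  # no command configured: the plaintext is written
    # Assumption: argv list that reads the secret on stdin, so the plaintext
    # never shows up in the process list of the CPM host.
    proc = subprocess.run(encryption_command, input=password,
                          capture_output=True, text=True, check=True)
    match = re.search(encryption_regex or "(.*)", proc.stdout.strip(), re.DOTALL)
    if match is None:
        raise ValueError("Encryption Regex did not match the command output")
    return match.group(1) if match.groups() else match.group(0)


def update_ini_value(path: Path, section: str, key: str, value: str) -> None:
    """Rewrite `key` inside `[section]` only, leaving comments, ordering and other
    sections untouched; a missing parameter is the failure a usage update reports."""
    lines = path.read_text().splitlines(keepends=True)
    current, replaced = None, False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip()
            continue
        if current != section or stripped.startswith((";", "#")) or "=" not in line:
            continue
        name, _, rest = line.rstrip("\r\n").partition("=")
        if name.strip() == key:
            pad = rest[: len(rest) - len(rest.lstrip())]  # keep "key = value" spacing
            lines[i] = f"{name}={pad}{value}\n"
            replaced = True
            break
    if not replaced:
        raise KeyError(f"{key} not found in section [{section}] of {path}")
    path.write_text("".join(lines))


def sync_password(account: dict, platform: dict, new_password: str) -> list:
    """Push a changed password to each qualifying INI-file usage; returns updated paths."""
    updated = []
    for usage in usages_to_sync(platform, account["Usages"]):
        if usage["PlatformID"] != "INIFile":
            continue  # other dependent types (SchedTask, XML, ...) are not modelled here
        stored = apply_encryption(new_password, usage.get("EncryptionCommand"),
                                  usage.get("EncryptionRegex"))
        update_ini_value(Path(usage["FilePath"]), usage["Section"],
                         usage["Parameter"], stored)
        updated.append(usage["FilePath"])
    return updated


# Constructed stand-in for an encryption command: base64 is only an encoding,
# used here so the example runs without any external tool.
FAKE_ENCRYPT_CMD = [sys.executable, "-c",
                    "import sys,base64;print('Encrypted:',"
                    "base64.b64encode(sys.stdin.read().encode()).decode())"]


def demo(new_password: str = "Qz9!mKt2", encrypt: bool = True) -> str:
    """Constructed sample mirroring the slide (dba01, [Server] Password); returns the file after sync."""
    ini = Path(tempfile.mkdtemp()) / "app01.ini"  # stands in for /var/opt/app/app01.ini
    ini.write_text(
        "; constructed sample config for the CRM-SRV1 application\n"
        "[Proxy]\nPassword=unrelated\n\n"
        "[Server]\nAddress=10.0.0.20\nUsername=dba01\nPassword=Yt%6y&\n"
    )
    ini_usage = {"PlatformID": "INIFile", "Address": "10.0.0.20",
                 "FilePath": str(ini), "Section": "Server", "Parameter": "Password"}
    if encrypt:
        ini_usage["EncryptionCommand"] = FAKE_ENCRYPT_CMD
        ini_usage["EncryptionRegex"] = r"Encrypted: (\S+)"
    task_usage = {"PlatformID": "SchedTask", "Address": "10.0.0.10", "TaskName": "SchedTask01"}
    account = {"Username": "dba01", "Usages": [ini_usage, task_usage]}
    platform = {"SearchForUsages": "Yes", "Usages": ["INIFile"]}  # target platform settings
    sync_password(account, platform, new_password)
    return ini.read_text()
```

Two details are worth noticing when running `demo()`: the `[Proxy]` section also has a `Password` line, and it is left alone because the usage names the section as well as the parameter; and with the default `"(.*)"` regex the whole command output ("Encrypted: ...") would be written into the file, which is why a capturing regex is needed whenever the encryption tool prints a label around the ciphertext.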
Add Config File Usage (1)
To add a configuration file usage, you will first need to manually add the relevant usage to the target account's platform, then enable the parameter SearchForUsages.

Add Config File Usage (2)
Next, you must add the specific INI config file usage to the relevant account. Notice that, in addition to providing the server address and the full path to the INI file, this usage also specifies where in the file the password can be found: in the section Server, at the parameter Password.

Configuration Files
In this example, when the CPM changes the password for dba01, it will also change the password in the file /var/opt/app/app01.ini on the server 10.0.0.20 (target-lin).

Logon Account
If an extra account is required to log onto the remote machine where the usage exists, you will need to associate a logon account with the usage.

Encrypting the Password in Config Files
Passwords stored in configuration files can be encrypted using an external command.
Encryption Command: the full path of the encryption command that will encrypt the password. The encryption file can be stored in any location on the CPM machine.
Encryption Regex: the parameter that handles the output of the Encryption Command. If this parameter is not defined, it behaves as if "(.*)" had been specified. This parameter is only relevant when the Encryption Command parameter is defined.

Discovering Dependencies

Discoverable Dependents
The Accounts Discovery process can detect the following Windows dependencies and automatically onboard them:
- COM+ Application accounts
- IIS Directory Security (Anonymous Access) accounts
- IIS Application Pool accounts
- Scheduled Tasks accounts
- Windows Services accounts

Non-Discoverable Dependents
The remaining dependent account types cannot be discovered and must be added manually:
- Database String
- INI File
- Private SSH Key
- Text File
- Web File
- Windows Registry
- XML File
We will discuss Accounts Discovery in more detail in a later session.

Summary
In this session we discussed:
- Dependent platforms
- How to configure various types of usages

Exercises
You may now complete the following exercise: Dependents – Securing Usages
- Manage a Scheduled Task Usage
- Manage a Configuration File Usage
  - Create a Logon account
  - Configure Usages on the Oracle platform
  - Add the Usage to the target account
