PAM Administration Discovery and Onboarding PDF
Document Details
Uploaded by FancySarod
CyberArk University
2023
Summary
This document is a training guide on onboarding accounts into CyberArk PAM (Privileged Access Management). It describes the methods for discovering and onboarding accounts, with emphasis on uploading accounts from a CSV file and on Automatic Onboarding Rules.
Full Transcript
PAM Administration Discovery and Onboarding
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to:
1. Describe the main methods for discovering and onboarding accounts to the system
2. Discover and onboard accounts using Adding Multiple Accounts from File and Accounts Discovery with Automatic Onboarding Rules

Discovery and Onboarding Methods
- Add a single account
- Add multiple accounts from file
- Accounts Discovery & Onboarding Rules
- Continuous Accounts Discovery
- Discovery and Audit (DNA)
- REST API

Add a Single Account

Add Multiple Accounts from File
Frequently there is a need to upload many known accounts from an existing repository. This is especially valuable during the early stages of implementing CyberArk PAM, when migrating from another solution, or when onboarding a new department into the PAM solution.

You can download a sample CSV file. Once you have provided the data on the accounts to create, you can upload the file to the system for processing, either by browsing to the file or using drag & drop.

Accounts File
Account parameters to be uploaded to the Vault are entered into a text file as Comma Separated Values (CSV). Each row represents an account and contains the properties for that account.
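Because the file upload cannot be cancelled once started, it pays to check the CSV before handing it to PVWA. The following pre-flight validator is an added example, not CyberArk code: it enforces the per-file limits the deck lists for this method (at most 10,000 accounts, only existing Safes, no linked accounts or dependencies) and rejects rows with empty required fields. The column names in REQUIRED and in the constructed sample are an assumption modelled on the sample CSV that PVWA offers for download; adapt them to the header of the sample file for your version.

```python
"""Pre-flight check for an "Add multiple accounts from file" CSV.

Added example; this is not CyberArk code. The column names in REQUIRED and
in the sample are an assumption modelled on the sample CSV that PVWA offers
for download: adapt them to the header of the sample file for your version.
"""
import csv
import io

MAX_ACCOUNTS_PER_FILE = 10_000  # per-file limit stated in the deck
REQUIRED = ("userName", "address", "platformId", "safeName", "secretType", "secret")

# Constructed sample input: two good rows, one pointing at a Safe that does
# not exist, and one that tries to declare a linked account (not supported
# by file upload; such accounts must be onboarded another way).
SAMPLE_CSV = """\
userName,address,platformId,safeName,secretType,secret,linkedAccount
svc_backup,srv01.acme.corp,WinServerLocal,Win-Servers,password,Placeholder1,
root,10.10.2.15,UnixSSH,Unix-Root,password,Placeholder2,
dbadmin,db01.acme.corp,WinServerLocal,Does-Not-Exist,password,Placeholder3,
svc_sql,sql01.acme.corp,WinServerLocal,Win-Servers,password,Placeholder4,svc_sql_logon
"""

EXISTING_SAFES = {"Win-Servers", "Unix-Root"}  # constructed Safe inventory


def validate_accounts_csv(text, existing_safes, max_rows=MAX_ACCOUNTS_PER_FILE):
    """Return (accepted_rows, errors); each error is (csv_line_number, message).

    Bad rows are reported rather than silently dropped, so that what was
    uploaded can be explained afterwards: the upload itself cannot be
    cancelled once started.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, "missing required column(s): " + ", ".join(missing))]

    accepted, errors = [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if line_no - 1 > max_rows:
            errors.append((line_no, f"file exceeds {max_rows} accounts; split it"))
            break
        empty = [c for c in REQUIRED if not (row.get(c) or "").strip()]
        if empty:
            errors.append((line_no, "empty required field(s): " + ", ".join(empty)))
            continue
        if row["safeName"] not in existing_safes:
            errors.append((line_no, f"Safe {row['safeName']!r} does not exist; create it first"))
            continue
        if (row.get("linkedAccount") or "").strip():
            errors.append((line_no, "linked accounts/dependencies are not supported by file upload"))
            continue
        accepted.append(row)
    return accepted, errors


if __name__ == "__main__":
    ok, bad = validate_accounts_csv(SAMPLE_CSV, EXISTING_SAFES)
    print(f"{len(ok)} row(s) ready to upload")
    for line_no, msg in bad:
        print(f"line {line_no}: {msg}")
```

Run it against the real file before the upload; a file that fails the check should be split or corrected, not uploaded. Remember that the CSV holds the current passwords in clear text: restrict its permissions while it exists and delete it as soon as the upload has finished.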
Limitations
- Linked accounts and dependencies are not supported
- All accounts must be uploaded into existing Safes and groups
- Each file can contain a maximum of 10,000 accounts
- The upload process cannot be cancelled once started
- You must wait for the current file to finish uploading before you can upload another file
- Multiple users cannot upload files at the same time

Accounts Discovery & Onboarding Rules

Accounts Discovery Workflow
- Discover: continually scan the Windows & Linux environment to detect privileged credentials and accounts
- Onboard: add all discovered privileged accounts to the pending list to validate privilege
- Manage: automatically add privileged accounts to be managed and rotated in the digital vault
- Onboarding Rules: minimize the time to onboard accounts and prevent human errors that may occur during manual onboarding

Windows Discovery Workflow
1. The Vault Admin creates the Discovery task in the PVWA.
2. The CPM Scanner connects to the Vault and collects the task.
3. The CPM scans the Directory (Domain Controller).
4. The CPM authenticates to the targets and scans for accounts.
5. The discovered accounts are filtered by the CPM Scanner against the Automatic Onboarding Rules:
   - If no rule is defined, the accounts are sent directly to the Pending Safe
   - Accounts which fit a rule are onboarded in the appropriate Safe
   - Accounts which do not fit a rule are stored in the Pending Safe for manual onboarding

Example results from the IT environment:
System  | Address              | User
Windows | target-win.acme.corp | Local Admin
Windows | DC01.acme.corp       | Domain Admin
Running a New Windows Discovery
Go to the Accounts tab. Under Accounts Feed, click on Pending & Discovery and then Discovery Management. Then click New Windows Discovery. This is available to members of the Vault Admins group.

Information needed for a Windows discovery:
- Domain Name
- Whether a secure connection will be used to connect to Active Directory
- Scan account
- OU of Servers / Workstations in AD
- CPM to perform the scan
- Whether to run a recurring or one-time discovery

Windows Discovery – Which Account to Use?
The scan account must:
- Be a domain account
- Have the following permissions:
  - Read permissions on the Active Directory
  - Local administrative rights on discovered Windows servers and workstations
Because the scan account holds local administrative rights across the scanned estate, it is itself a high-value credential: store it in the Vault and manage it like any other privileged account.

Completing the New Discovery
The new discovery will be listed on the Discovery Management page. The status will be listed as Pending until the process starts; at this point you can Stop the Discovery or Delete the Discovery. The status changes to Running when the process starts.

Windows Discovery Process
- Multiple discoveries from different CPM Scanners can run simultaneously
- Accounts found will be categorized as Privileged / Non-Privileged:
  - The categorization is based on group membership
  - If the account is a member of any Local Administrators group, the account is privileged
  - The account will remain privileged until removed from all machines it was discovered on
Pending Accounts
Accounts that do not match any Onboarding Rule will be listed in Pending Accounts. Various search criteria are available under Refine by; the results of these queries are displayed above the list. Press F5 to refresh the list or use the Refresh button.

Account Preview
Click on an account to see further details in the Account Preview pane.

Dependencies
For Windows accounts, the Dependencies column shows you if the account is used anywhere else (a usage), such as for a Windows service or scheduled task.

Onboarding Pending Accounts
1. Select one or more accounts from the list of Pending accounts and click Onboard Accounts.
2. Provide the information needed for onboarding:
   - The Safe in which these accounts should be stored. You can either choose an existing Safe or create a new one
   - The Platform: what type of account are these? Do they require a separate platform? Is reconciliation available?
3. Once onboarded, the new accounts can be found in the Accounts View.

Onboarding Rules

Automatic Onboarding Rules
Minimize the time it takes to onboard and manage accounts securely, reduce the time spent reviewing pending accounts, and prevent human errors from occurring during manual onboarding.

Onboarding Wizard
An intuitive wizard steps you through each stage of the rule creation process and ensures that each rule is unique.

Onboarding Wizard: Select System Type
Select the type of account to onboard:
- Windows
- *Nix
Onboarding Wizard: Select Scope
- Machine type
- Account type
- Account Category
- Privileged account type
- Optionally, a user or machine name string to match

Onboarding Wizard: Select Platform
Select the target Platform that will be associated with accounts that match this rule.

Onboarding Wizard: Select Safe
Select the Safe in which the accounts will be stored.

Onboarding Wizard: Define Rule Properties
Define the properties of this new rule:
- Name
- Description
- Initial password settings

NOTE: if a reconcile account is associated with the Platform and the parameter Auto Verify on Add is set to Yes, you can completely automate the onboarding process by having the passwords for these accounts changed immediately and automatically by CyberArk PAM.

New Rule Creation Summary

New Rule on Rules List
The newly created rule appears in the list of Onboarding Rules and is assigned the highest precedence. You can edit or delete existing rules.

Automatic Onboarding Rules – Notes
- Onboarding Rules apply to both Accounts Discovery and the Add discovered accounts method of the REST API
- Discovered accounts are automatically processed by the onboarding rules and provisioned in the Vault
- Accounts that cannot be processed by any of the rules are added to the Pending Accounts list and can be reviewed and onboarded manually
- Automatic Onboarding Rules only apply to accounts without dependencies
- A new rule takes precedence over an existing rule

Unix Discovery Workflow
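The two behaviours above that are easiest to get wrong when designing rules are the privilege categorization (an account is Privileged if it is an administrator on any machine it was found on) and rule precedence (the newest rule wins, and accounts with dependencies never match a rule). The following simulation is an added example, not CyberArk code: it models what the CPM Scanner does after a Windows discovery, merging per-machine findings into accounts and routing each one to a Safe via the rules or to the Pending Safe. The Finding and Rule structures, the acme.corp scan results and the three rules are all constructed for illustration; the Rule fields mirror the wizard's scope, Platform and Safe screens.

```python
"""Simulation of what the CPM Scanner does after a Windows discovery:
categorize accounts by Local Administrators membership, then route each one
through the Automatic Onboarding Rules or to the Pending Safe.

Added example, not CyberArk code. Rule fields mirror the wizard's scope
screen; precedence follows the deck (newest rule wins; accounts with
dependencies are never onboarded by a rule). All data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One account as seen on one scanned machine."""
    user: str
    address: str        # the machine for a local account, the domain for a domain account
    seen_on: str        # machine on which the scanner found it
    account_type: str   # "Local" or "Domain"
    local_admin: bool   # member of that machine's Administrators group
    dependencies: tuple = ()  # services/scheduled tasks that use the account


@dataclass(frozen=True)
class Rule:
    name: str
    account_type: str   # "Local", "Domain" or "Any"
    category: str       # "Privileged", "Non-privileged" or "Any"
    platform_id: str
    safe_name: str
    user_match: Optional[str] = None     # substring the user name must contain
    machine_match: Optional[str] = None  # substring a machine name must contain


def categorize(findings):
    """Merge findings into accounts keyed by (user, address).

    An account is Privileged if it was an administrator on any machine and
    stays so until it is removed from every machine it was discovered on.
    """
    accounts = {}
    for f in findings:
        acct = accounts.setdefault((f.user, f.address), {
            "user": f.user, "address": f.address, "account_type": f.account_type,
            "seen_on": [], "privileged": False, "dependencies": []})
        acct["seen_on"].append(f.seen_on)
        acct["privileged"] = acct["privileged"] or f.local_admin
        acct["dependencies"].extend(f.dependencies)
    return list(accounts.values())


def matches(rule, acct):
    category = "Privileged" if acct["privileged"] else "Non-privileged"
    if rule.account_type not in ("Any", acct["account_type"]):
        return False
    if rule.category not in ("Any", category):
        return False
    if rule.user_match and rule.user_match.lower() not in acct["user"].lower():
        return False
    if rule.machine_match and not any(
            rule.machine_match.lower() in m.lower() for m in acct["seen_on"]):
        return False
    return True


def route(accounts, rules):
    """rules is in creation order; the most recently created rule has precedence."""
    onboarded, pending = [], []
    for acct in accounts:
        if acct["dependencies"]:
            pending.append((acct, "has dependencies"))
            continue
        for rule in reversed(rules):
            if matches(rule, acct):
                onboarded.append((acct, rule.safe_name, rule.platform_id, rule.name))
                break
        else:
            pending.append((acct, "no rule matched"))
    return onboarded, pending


# Constructed scan results for the acme.corp lab domain.
FINDINGS = [
    Finding("Administrator", "target-win.acme.corp", "target-win.acme.corp", "Local", True),
    Finding("svc_backup", "acme.corp", "target-win.acme.corp", "Domain", True),
    Finding("svc_backup", "acme.corp", "fs01.acme.corp", "Domain", False),  # still privileged
    Finding("helpdesk", "acme.corp", "ws22.acme.corp", "Domain", False),
    Finding("svc_sql", "sql01.acme.corp", "sql01.acme.corp", "Local", True, ("MSSQLSERVER service",)),
]

# Rules in the order they were created; the service-account rule is newest.
RULES = [
    Rule("Domain admins", "Domain", "Privileged", "WinDomain", "Win-Domain-Admins"),
    Rule("Local admins", "Local", "Privileged", "WinServerLocal", "Win-Local-Admins"),
    Rule("Service accounts", "Any", "Privileged", "WinDomain", "Win-Service-Accounts", user_match="svc_"),
]

if __name__ == "__main__":
    onboarded, pending = route(categorize(FINDINGS), RULES)
    for acct, safe, platform, rule in onboarded:
        print(f"onboard {acct['user']}@{acct['address']} -> {safe} ({platform}) via rule '{rule}'")
    for acct, why in pending:
        print(f"pending {acct['user']}@{acct['address']}: {why}")
```

Note the effect of precedence: svc_backup is a privileged domain account, so the older "Domain admins" rule would accept it, but the newer "Service accounts" rule is evaluated first and sends it to a different Safe and Platform. Creating a broad rule after a narrow one therefore silently re-routes accounts the narrow rule was written for; review the rule list order after every new rule.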
Set Up a New Unix Discovery
Information needed for running a Unix Discovery:
- CSV file containing the IP addresses of the Unix/Linux machines
- Unix user to perform the scan and get the accounts
- A default password
- CPM Scanner
- Whether or not to scan for SSH Keys
- Recurring or One-time

Continuous Accounts Discovery

Continuous Accounts Discovery by the PTA
- Continuous accounts discovery via log-in events for: Windows, UNIX-like, Oracle, AWS, Azure, Other
- Continuous discovery via group membership for Windows accounts
- Detections by PTA

Continuous Account Discovery: Login Events
CyberArk Privileged Threat Analytics (PTA) detects unmanaged privileged access events. The PTA can detect when a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault, and automatically onboard the account. This detection is supported out of the box for Windows, UNIX, AWS, and Azure accounts. Other platforms can be supported by building custom plug-ins for PTA.

Continuous Account Discovery: Group Membership
The PTA continuously monitors Windows Local Administrator groups, giving:
- Faster response time
- Automatic response
Discovery and Audit (DNA)

REST API

PAM Web Services API
The PAM Web Services API is a set of REST-based services running on the PVWA that allow scripts and applications to communicate with the Vault. It is used by CyberArk applications as well as third-party applications, allowing organizations to develop custom interactions with the Vault to automate business processes. (Diagram: a customer deployment system on a machine calls the PAM Web Services on the PVWA, which communicates with the Vault.)

EXAMPLE: Integrating the process of adding a new Windows machine to the company's network with automatic provisioning of the target server's local Administrator account in the Vault.

Onboarding REST Methods
There are three main REST methods that are relevant for the process of onboarding accounts:
1. Add account
2. Add discovered accounts
3. Create bulk upload of accounts

Add Account
The Add Account method is used when the target Safe and Platform are known to the onboarding utility.
Add Discovered Accounts
CyberArk discovery and upload mechanisms (CPM Scanner, PTA, DNA), as well as third-party discovery mechanisms, use the Add Discovered Accounts method to upload discovered accounts (and their dependencies) to the Pending Safe, or to onboard the accounts directly via Automatic Onboarding Rules.

Create Bulk Upload of Accounts
The Create bulk upload of accounts method is used to upload multiple accounts to existing Safes. It is also used when adding multiple accounts from a file via the PVWA Web UI.

Summary
In this session we covered:
- The main methods for discovering and onboarding accounts to the system
- How to configure Adding Accounts from a file and run Accounts Discovery
- How to configure Automatic Onboarding Rules

Additional Resources
Other resources to consider:
- PowerShell module for CyberArk Privileged Account Security Web Service REST API

You may now complete the following exercises (Discovery and Onboarding):
- Configure Automatic Onboarding Rules
- Configure and Run Windows Accounts Discovery
- Manually onboard discovered accounts
- Add multiple accounts from file
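As a closing worked example for the REST section, the following client exercises the three onboarding methods the deck names (Add account, Add discovered accounts, Create bulk upload of accounts) against the PAM Web Services API using only the Python standard library. It is an added example, not CyberArk's own client or the PowerShell module mentioned above. The endpoint paths, JSON field names and platformType values are what the author recalls from the published REST API reference and must be verified against the reference for your PVWA version; PVWA_URL, PVWA_USER and PVWA_PASSWORD are assumed environment variables; the 10,000-account cap on a bulk request is carried over from the file-upload limit as an assumption.

```python
"""Onboarding through the PAM Web Services API using only the standard library.

Added example; this is not CyberArk's own client. Endpoint paths and JSON
field names follow the published REST API reference as the author recalls
it; verify them against the reference for your PVWA version before use.
PVWA_URL, PVWA_USER and PVWA_PASSWORD are assumed environment variables.
"""
import json
import os
import ssl
import time
import urllib.error
import urllib.request


class PVWAClient:
    """Minimal authenticated session against /PasswordVault."""

    def __init__(self, base_url):
        self.base = base_url.rstrip("/") + "/PasswordVault"
        self.token = None
        self.ctx = ssl.create_default_context()  # always verify the PVWA certificate

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("Authorization", self.token)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:  # PVWA answers with ErrorCode/ErrorMessage JSON
            raise RuntimeError(f"{method} {path} -> HTTP {err.code}: "
                               f"{err.read().decode(errors='replace')}") from None
        return json.loads(raw) if raw else None

    def logon(self, user, password):
        # CyberArk authentication; the response body is the session token as a JSON string
        self.token = self._call("POST", "/API/auth/CyberArk/Logon",
                                {"username": user, "password": password})
        return self.token

    def logoff(self):
        self._call("POST", "/API/auth/Logoff")
        self.token = None

    # The three onboarding methods named in the deck.
    def add_account(self, payload):
        return self._call("POST", "/api/Accounts", payload)

    def add_discovered_account(self, payload):
        return self._call("POST", "/api/DiscoveredAccounts", payload)

    def bulk_upload(self, payload):
        return self._call("POST", "/api/bulkactions/accounts", payload)


def account_payload(user, address, platform_id, safe_name, secret, auto_manage=True):
    """Add Account: use when Safe and Platform are already known."""
    return {
        "name": f"{platform_id}-{address}-{user}",
        "address": address,
        "userName": user,
        "platformId": platform_id,
        "safeName": safe_name,
        "secretType": "password",
        "secret": secret,
        "secretManagement": {"automaticManagementEnabled": auto_manage},
    }


def discovered_payload(user, address, platform_type, privileged, domain=None,
                       account_enabled=True, dependencies=(), discovered_at=None):
    """Add Discovered Accounts: lands in Pending unless an onboarding rule matches.

    platform_type values such as "Windows Server Local", "Windows Domain" and
    "Unix" are those the author recalls from the reference; confirm them.
    """
    body = {
        "userName": user,
        "address": address,
        "discoveryDate": int(discovered_at if discovered_at is not None else time.time()),
        "accountEnabled": account_enabled,
        "platformType": platform_type,
        "privileged": privileged,
    }
    if domain:
        body["domain"] = domain
    if dependencies:  # accounts with dependencies are never onboarded by a rule
        body["dependencies"] = [{"name": n, "address": a, "type": t} for n, a, t in dependencies]
    return body


def bulk_payload(accounts, source="onboarding-script"):
    """Create bulk upload of accounts: the call behind the PVWA file upload."""
    if len(accounts) > 10_000:  # assumed to match the 10,000-accounts-per-file limit
        raise ValueError("bulk upload takes at most 10,000 accounts per request")
    return {"source": source, "accountsList": list(accounts)}


if __name__ == "__main__":
    client = PVWAClient(os.environ["PVWA_URL"])
    client.logon(os.environ["PVWA_USER"], os.environ["PVWA_PASSWORD"])
    try:
        print(client.add_discovered_account(discovered_payload(
            "Administrator", "target-win.acme.corp", "Windows Server Local", privileged=True)))
    finally:
        client.logoff()  # release the session; tokens otherwise stay valid until timeout
```

Two habits are worth keeping when scripting against the PVWA: never disable certificate verification (the session token in the Authorization header is a bearer credential for every Safe the API user can reach), and run the script under a dedicated API user whose Safe memberships are limited to the Safes it onboards into, rather than under a Vault Admin.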