10-PAM-ADMIN-Privileged-Session-Management-pt1.pdf

Full Transcript

PAM Administration
Privileged Session Management
Part 1

© 2023 CyberArk Software Ltd. All rights reserved
 Agenda By the end of this session, you will be able to
describe the main features, architecture, and
flow, as well as enable and use, the following
session management solutions:

1. Privileged Session Manager (PSM)
PSM Ad-Hoc Connections
PSM via HTML5 Gateway
PSM for Windows

2. PSM for SSH

© 2023 CyberArk Software Ltd. All rights reserved
 Overview

© 2023 CyberArk Software Ltd. All rights reserved
 Privileged Session Management Provides 3 Main Benefits:

Isolation Monitoring Recording

Separate endpoints from Detect and track suspicious Support forensic analysis
critical target systems to activities in privileged and audit with detailed
prevent lateral movement sessions and events in real records of privileged activity
time

© 2023 CyberArk Software Ltd. All rights reserved
 Privileged Session Manager

© 2023 CyberArk Software Ltd. All rights reserved
 The Privileged Session Manager
When we talk about PSM, the
Privileged Session Manager, we
are usually referring to the PSM PVWA

installed on a Windows server.
You can think of this as the
“Universal PSM” because you can
connect through it practically from
any device to any device. RDP
Target
PSM Server

Direct Connection

© 2023 CyberArk Software Ltd. All rights reserved
 The Privileged
Session Manager
The PSM enables
organizations to secure,
control, and monitor privileged
access to network devices
It creates detailed session
audits and video recordings of
all IT administrator privileged
sessions on remote machines
Sessions on the target
systems are fully isolated and
the privileged account
credentials are never exposed
to the end-users or their client
applications and devices

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Flow 4

Databases
PVWA
HTTPS

Windows Servers
1

PSM
2 RDP over SSL
*Nix Servers
3 6

1. Logon through PVWA Web Sites

2. Connect to PSM using RDP/TLS
3. Fetch credential from Vault Vault
Routers and Switches
4. Connect using native protocols
5. Logs forwarded to SIEM and PTA
6. Store session recording 5 ESX\vCenters

SIEM/PTA

© 2023 CyberArk Software Ltd. All rights reserved
 Enable PSM: Master Policy

Enable the PSM in the Master
Policy for all platforms or for
specific platforms by use of
exceptions

© 2023 CyberArk Software Ltd. All rights reserved
 PSM by Platform

By default, Platforms are associated
with the first installed PSM server

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Connection Components

© 2023 CyberArk Software Ltd. All rights reserved
 Connection SQL Plus

Components/
RDP

Connectors
Connection Components
(aka Connectors) define the
configuration settings for using
a given third-party client to
connect to a target platform.
A few common ones are: Putty WinSCP

SQLPlus
RDP
Putty
WinSCP

© 2023 CyberArk Software Ltd. All rights reserved
 Connection
Components/
Connectors
There are many connection
components available out
of the box
Additional connection
components can be found
in the CyberArk
Marketplace
Organizations can also
build and add custom
connection components to
the PAM solution

© 2023 CyberArk Software Ltd. All rights reserved
 Platform Settings

To enable the use of a particular
third-party client to connect to a
given account, the appropriate
Connection Component needs
to be assigned to the Platform
that manages that account

© 2023 CyberArk Software Ltd. All rights reserved
 Importing
and Managing
Connectors
The new interface accelerates
and simplifies Vault
administration by allowing
admins to import PSM
connectors and link them to
Platforms, all from one
location

© 2023 CyberArk Software Ltd. All rights reserved
 Universal Connector
The Universal Connector framework facilitates the creation of custom connection components
using a (relatively) simple, freeware programming language called AutoIT.

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Ad-hoc Sessions

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Ad-hoc
Connection:
Overview
With an Ad-Hoc Connection,
users can connect securely to
any machine supported by the
PSM if they know the password
Main use cases:
⎼ Connecting with accounts that
are not stored in the CyberArk
Vault
⎼ Connecting with personal
accounts
Provides all the benefits of
PSM: isolation, monitoring,
and recording

© 2023 CyberArk Software Ltd. All rights reserved
 Enable Ad-hoc
Connections

The PSM Secure Connect
Platform must be activated
Privileged session
monitoring and isolation
must be enabled for the
PSM Secure Connect
platform. This can be done
either globally or via an
exception to the Master
policy.

© 2023 CyberArk Software Ltd. All rights reserved
 Launch Ad-hoc
Connection

Users will need to specify all
the account details when
they connect:
The Client they want to
use on the PSM
Target system Address
Username
Password, etc.

© 2023 CyberArk Software Ltd. All rights reserved
 HTML5 Gateway

© 2023 CyberArk Software Ltd. All rights reserved
 HTML5 Gateway: Overview
Many organizations block RDP client connections from end-users' machines for security
reasons or regulatory requirements.
RDP is a Microsoft protocol, so in order to use it in Linux, Unix, or MAC environments,
users must install a 3rd-party client in order to connect to the PSM.
The HTML5 Gateway tunnels the session between the end user and the PSM proxy
machine using a secure WebSocket protocol (port 443). This solution eliminates the need
to open an RDP connection from the end user's machine. Instead, the end user only
requires a web browser to establish a connection to a remote machine through PSM.
Secure access through HTML5 requires integrating an HTML5 gateway on a Linux server
(can be co-hosted with PSM for SSH). The Gateway is based on Apache Guacamole.

© 2023 CyberArk Software Ltd. All rights reserved
 HTML5 Gateway: Flow
HTTPS Databases
PVWA

5
1 Windows/UNIX
Gateway Servers

2 WebSocket 3 RDP

PSM
Web Sites
1. Logon through PVWA and click on 4 7
Connect
2. Connect to HTML5 GW using
Routers and Switches
WebSocket
3. Connect to PSM using RDP
Vault
4. Fetch credential from Vault
ESX\vCenters
5. Connect using native protocols
6. Logs forwarded to SIEM and PTA 6
7. Store session recording SIEM/PTA

© 2023 CyberArk Software Ltd. All rights reserved
 Enable HTML5
Gateway

The HTML5 GW is enabled at the
system level for each PSM server

© 2023 CyberArk Software Ltd. All rights reserved
 Use HDML5-based
or RDP-file
Connection Method
Users can be given the option
to connect either an HTML5-
based or RDP-file connection
method when connecting to the
remote server
This setting is applied at the
Connection Component level

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for Windows

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for Windows: Overview
Users connect directly from their desktops with an RDP-compliant client to the
PSM, which then connects to the target host using the protocol appropriate to
that host: SSH, RDP, etc.

There is no need to go through the PVWA.

Users can launch the RDP client and sign in into CyberArk
using single- or multi-factor authentication (for example, LDAP with RADIUS).
⎼ The RDP client application must include the ability to configure run “Start Program”
for the RDP connections.

⎼ Connections can be made from Unix / Linux / Mac / Windows end user machines.

PSM continues to provide complete isolation of the target systems, ensuring
that privileged credentials never reach users or their devices.

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for Windows: Flow
Databases

3
Windows/UNIX
Servers
PSM
1 RDP over SSL

2 5
Web Sites

1. Connect to PSM using RDP/TLS
Routers and Switches
2. Fetch credential from Vault
Vault
3. Connect using native protocols
4. Logs forwarded to SIEM and PTA
5. Store session recording ESX\vCenters

4

SIEM/PTA

© 2023 CyberArk Software Ltd. All rights reserved
 RDP Client
Settings

PSM IP
Vault user
Activate Start Program
Program path:
⎼ Privileged Account name
⎼ Target address
⎼ Connection Component

© 2023 CyberArk Software Ltd. All rights reserved
 Preconfigured full address:s:components.acme.corp

RDP Files enablecredsspsupport:i:0
#### PSM Address
audiomode:i:0
redirectpriinters:i:1
redirectcomports:i:0
You can also configure redirectsmartcards:i:1
individual RDP files to redirectclipboard:i:1
redirectposdevices:i:0
connect through the PSM autoconnection enabled:i:1
authentication level:i:2
It is possible to configure prompt for credentials:i:0
connections with or without negotiate security layer:i:1
remoteapplicationmode:i:0
providing the target system alternate shell:s:
details Shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0 Target system details
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
alternate shell:s:psm /u localadmin01 /a target-win.acme.corp /c PSM-RDP
# alternate shell:s:psm

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for SSH

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for SSH: Overview

The average enterprise manages hundreds
of Unix servers and network devices

Systems are usually critical, but access to
them is uncontrolled

Network and Unix teams are reluctant to
change their existing workflows and tool sets

PSM for SSH (previously PSM SSH Proxy or
PSMP) is designed to provide a native
Unix/Linux user experience when connecting
to any SSH target system

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for SSH
Client Settings
Vault username
Target account name
Target system address
PSM-SSH address

mike@[email protected]@10.0.30.1
The connection settings for
PSM for SSH resemble
those of PSM for Windows.
Connections are not
launched via the PVWA,
but through a special
connection string.

© 2023 CyberArk Software Ltd. All rights reserved
 PSM for SSH: Flow

1 3
SSH PSM SSH with privileged account
SSH
UNIX/Linux
2 5 Servers

4

Vault SIEM/PTA

1. User opens SSH session to the PSM server
2. PSM retrieves privileged account password from the vault
3. Open SSH session to the target using the privileged account
4. Logs forwarded to SIEM and PTA
5. Store SSH session audit

© 2023 CyberArk Software Ltd. All rights reserved
© 2023 CyberArk Software Ltd. All rights reserved
 Summary

© 2023 CyberArk Software Ltd. All rights reserved
 Summary In this session we covered the main PSM
features, as well as how to enable and use:

Privileged Session Manager (PSM)
‒ PSM Connection Components
‒ PSM Ad-Hoc Connections
‒ PSM via HTML5 Gateway
‒ PSM for Windows

PSM for SSH

© 2023 CyberArk Software Ltd. All rights reserved
 HTML5 Based Remote Access
Note: You must be logged
https://training.cyberark.com/elearning/
into the CyberArk training
html5-based-remote-access portal to access this material

You may now complete the following exercises:

Additional Privileged Session Management – Part 1
– Remove Privileged Access Workflows Exceptions

Resources – Disabling the PSM Globally
Privileged Session Manager
– Adding Exceptions
– Connect with a Linux Account
– Connect with an Oracle Account
– Connect via HTML5 Gateway
– Connect using PSM Ad-Hoc Connection
Privileged Session Manager for Windows
– Connect using RDP file without providing the target
system details
– Connect using RDP file with the target system details
Privileged Session Manager for SSH