PAM Administration Privileged Session Management Part 1 PDF

Summary

This document provides an overview of Privileged Session Management (PSM) features and how to enable and use them. It covers PSM Connection Components, Ad-Hoc Connections via HTML5 gateway, and connections for Windows and SSH. CyberArk Software content.

Full Transcript

PAM Administration Privileged Session Management Part 1 © 2023 CyberArk Software Ltd. All rights reserved Agenda By the end of this session, you will be able to...

PAM Administration Privileged Session Management Part 1 © 2023 CyberArk Software Ltd. All rights reserved Agenda By the end of this session, you will be able to describe the main features, architecture, and flow, as well as enable and use, the following session management solutions: 1. Privileged Session Manager (PSM) PSM Ad-Hoc Connections PSM via HTML5 Gateway PSM for Windows 2. PSM for SSH © 2023 CyberArk Software Ltd. All rights reserved Overview © 2023 CyberArk Software Ltd. All rights reserved Privileged Session Management Provides 3 Main Benefits: Isolation Monitoring Recording Separate endpoints from Detect and track suspicious Support forensic analysis critical target systems to activities in privileged and audit with detailed prevent lateral movement sessions and events in real records of privileged activity time © 2023 CyberArk Software Ltd. All rights reserved Privileged Session Manager © 2023 CyberArk Software Ltd. All rights reserved The Privileged Session Manager When we talk about PSM, the Privileged Session Manager, we are usually referring to the PSM PVWA installed on a Windows server. You can think of this as the “Universal PSM” because you can connect through it practically from any device to any device. RDP Target PSM Server Direct Connection © 2023 CyberArk Software Ltd. All rights reserved The Privileged Session Manager The PSM enables organizations to secure, control, and monitor privileged access to network devices It creates detailed session audits and video recordings of all IT administrator privileged sessions on remote machines Sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices © 2023 CyberArk Software Ltd. All rights reserved PSM Flow 4 Databases PVWA HTTPS Windows Servers 1 PSM 2 RDP over SSL *Nix Servers 3 6 1. Logon through PVWA Web Sites 2. Connect to PSM using RDP/TLS 3. Fetch credential from Vault Vault Routers and Switches 4. Connect using native protocols 5. Logs forwarded to SIEM and PTA 6. Store session recording 5 ESX\vCenters SIEM/PTA © 2023 CyberArk Software Ltd. All rights reserved Enable PSM: Master Policy Enable the PSM in the Master Policy for all platforms or for specific platforms by use of exceptions © 2023 CyberArk Software Ltd. All rights reserved PSM by Platform By default, Platforms are associated with the first installed PSM server © 2023 CyberArk Software Ltd. All rights reserved PSM Connection Components © 2023 CyberArk Software Ltd. All rights reserved Connection SQL Plus Components/ RDP Connectors Connection Components (aka Connectors) define the configuration settings for using a given third-party client to connect to a target platform. A few common ones are: Putty WinSCP SQLPlus RDP Putty WinSCP © 2023 CyberArk Software Ltd. All rights reserved Connection Components/ Connectors There are many connection components available out of the box Additional connection components can be found in the CyberArk Marketplace Organizations can also build and add custom connection components to the PAM solution © 2023 CyberArk Software Ltd. All rights reserved Platform Settings To enable the use of a particular third-party client to connect to a given account, the appropriate Connection Component needs to be assigned to the Platform that manages that account © 2023 CyberArk Software Ltd. All rights reserved Importing and Managing Connectors The new interface accelerates and simplifies Vault administration by allowing admins to import PSM connectors and link them to Platforms, all from one location © 2023 CyberArk Software Ltd. All rights reserved Universal Connector The Universal Connector framework facilitates the creation of custom connection components using a (relatively) simple, freeware programming language called AutoIT. © 2023 CyberArk Software Ltd. All rights reserved PSM Ad-hoc Sessions © 2023 CyberArk Software Ltd. All rights reserved PSM Ad-hoc Connection: Overview With an Ad-Hoc Connection, users can connect securely to any machine supported by the PSM if they know the password Main use cases: ⎼ Connecting with accounts that are not stored in the CyberArk Vault ⎼ Connecting with personal accounts Provides all the benefits of PSM: isolation, monitoring, and recording © 2023 CyberArk Software Ltd. All rights reserved Enable Ad-hoc Connections The PSM Secure Connect Platform must be activated Privileged session monitoring and isolation must be enabled for the PSM Secure Connect platform. This can be done either globally or via an exception to the Master policy. © 2023 CyberArk Software Ltd. All rights reserved Launch Ad-hoc Connection Users will need to specify all the account details when they connect: The Client they want to use on the PSM Target system Address Username Password, etc. © 2023 CyberArk Software Ltd. All rights reserved HTML5 Gateway © 2023 CyberArk Software Ltd. All rights reserved HTML5 Gateway: Overview Many organizations block RDP client connections from end-users' machines for security reasons or regulatory requirements. RDP is a Microsoft protocol, so in order to use it in Linux, Unix, or MAC environments, users must install a 3rd-party client in order to connect to the PSM. The HTML5 Gateway tunnels the session between the end user and the PSM proxy machine using a secure WebSocket protocol (port 443). This solution eliminates the need to open an RDP connection from the end user's machine. Instead, the end user only requires a web browser to establish a connection to a remote machine through PSM. Secure access through HTML5 requires integrating an HTML5 gateway on a Linux server (can be co-hosted with PSM for SSH). The Gateway is based on Apache Guacamole. © 2023 CyberArk Software Ltd. All rights reserved HTML5 Gateway: Flow HTTPS Databases PVWA 5 1 Windows/UNIX Gateway Servers 2 WebSocket 3 RDP PSM Web Sites 1. Logon through PVWA and click on 4 7 Connect 2. Connect to HTML5 GW using Routers and Switches WebSocket 3. Connect to PSM using RDP Vault 4. Fetch credential from Vault ESX\vCenters 5. Connect using native protocols 6. Logs forwarded to SIEM and PTA 6 7. Store session recording SIEM/PTA © 2023 CyberArk Software Ltd. All rights reserved Enable HTML5 Gateway The HTML5 GW is enabled at the system level for each PSM server © 2023 CyberArk Software Ltd. All rights reserved Use HDML5-based or RDP-file Connection Method Users can be given the option to connect either an HTML5- based or RDP-file connection method when connecting to the remote server This setting is applied at the Connection Component level © 2023 CyberArk Software Ltd. All rights reserved PSM for Windows © 2023 CyberArk Software Ltd. All rights reserved PSM for Windows: Overview Users connect directly from their desktops with an RDP-compliant client to the PSM, which then connects to the target host using the protocol appropriate to that host: SSH, RDP, etc. There is no need to go through the PVWA. Users can launch the RDP client and sign in into CyberArk using single- or multi-factor authentication (for example, LDAP with RADIUS). ⎼ The RDP client application must include the ability to configure run “Start Program” for the RDP connections. ⎼ Connections can be made from Unix / Linux / Mac / Windows end user machines. PSM continues to provide complete isolation of the target systems, ensuring that privileged credentials never reach users or their devices. © 2023 CyberArk Software Ltd. All rights reserved PSM for Windows: Flow Databases 3 Windows/UNIX Servers PSM 1 RDP over SSL 2 5 Web Sites 1. Connect to PSM using RDP/TLS Routers and Switches 2. Fetch credential from Vault Vault 3. Connect using native protocols 4. Logs forwarded to SIEM and PTA 5. Store session recording ESX\vCenters 4 SIEM/PTA © 2023 CyberArk Software Ltd. All rights reserved RDP Client Settings PSM IP Vault user Activate Start Program Program path: ⎼ Privileged Account name ⎼ Target address ⎼ Connection Component © 2023 CyberArk Software Ltd. All rights reserved Preconfigured full address:s:components.acme.corp RDP Files enablecredsspsupport:i:0 #### PSM Address audiomode:i:0 redirectpriinters:i:1 redirectcomports:i:0 You can also configure redirectsmartcards:i:1 individual RDP files to redirectclipboard:i:1 redirectposdevices:i:0 connect through the PSM autoconnection enabled:i:1 authentication level:i:2 It is possible to configure prompt for credentials:i:0 connections with or without negotiate security layer:i:1 remoteapplicationmode:i:0 providing the target system alternate shell:s: details Shell working directory:s: gatewayhostname:s: gatewayusagemethod:i:4 gatewaycredentialssource:i:4 gatewayprofileusagemethod:i:0 promptcredentialonce:i:0 Target system details gatewaybrokeringtype:i:0 use redirection server name:i:0 rdgiskdcproxy:i:0 kdcproxyname:s: alternate shell:s:psm /u localadmin01 /a target-win.acme.corp /c PSM-RDP # alternate shell:s:psm © 2023 CyberArk Software Ltd. All rights reserved PSM for SSH © 2023 CyberArk Software Ltd. All rights reserved PSM for SSH: Overview The average enterprise manages hundreds of Unix servers and network devices Systems are usually critical, but access to them is uncontrolled Network and Unix teams are reluctant to change their existing workflows and tool sets PSM for SSH (previously PSM SSH Proxy or PSMP) is designed to provide a native Unix/Linux user experience when connecting to any SSH target system © 2023 CyberArk Software Ltd. All rights reserved PSM for SSH Client Settings Vault username Target account name Target system address PSM-SSH address mike@[email protected]@10.0.30.1 The connection settings for PSM for SSH resemble those of PSM for Windows. Connections are not launched via the PVWA, but through a special connection string. © 2023 CyberArk Software Ltd. All rights reserved PSM for SSH: Flow 1 3 SSH PSM SSH with privileged account SSH UNIX/Linux 2 5 Servers 4 Vault SIEM/PTA 1. User opens SSH session to the PSM server 2. PSM retrieves privileged account password from the vault 3. Open SSH session to the target using the privileged account 4. Logs forwarded to SIEM and PTA 5. Store SSH session audit © 2023 CyberArk Software Ltd. All rights reserved © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this session we covered the main PSM features, as well as how to enable and use: Privileged Session Manager (PSM) ‒ PSM Connection Components ‒ PSM Ad-Hoc Connections ‒ PSM via HTML5 Gateway ‒ PSM for Windows PSM for SSH © 2023 CyberArk Software Ltd. All rights reserved HTML5 Based Remote Access Note: You must be logged https://training.cyberark.com/elearning/ into the CyberArk training html5-based-remote-access portal to access this material You may now complete the following exercises: Additional Privileged Session Management – Part 1 – Remove Privileged Access Workflows Exceptions Resources – Disabling the PSM Globally Privileged Session Manager – Adding Exceptions – Connect with a Linux Account – Connect with an Oracle Account – Connect via HTML5 Gateway – Connect using PSM Ad-Hoc Connection Privileged Session Manager for Windows – Connect using RDP file without providing the target system details – Connect using RDP file with the target system details Privileged Session Manager for SSH

Use Quizgecko on...
Browser
Browser