CyberArk 12.1 Lab - 6. Secure CyberArk PAM and Tune Performance

  This post summarizes some settings to Secure CyberArk and how to tune the performance

Limit Platforms to Specific Safes

Example: Limit a platform to specific Safes

To limit a platform to Safes called ‘LinuxPasswords’ and ‘AIXPasswords’, specify the following: AllowedSafes=(LinuxPasswords)|(AIXPasswords)

Example: Apply a platform on all Safes

To apply a platform on all Safes, specify AllowedSafes=.*. This is the default value.

CyberArk Accounts

Service Accounts

• LDAP Bind Account - VaultInternal Safe
• create a specific platform for it
• PSMConnect - PSM related
• User cannot change password and Password never expires
• Windows local account template
• Auto-reconciliation
• PSMAdminConnect - PSM created
• User cannot change password and Password never expires
• Windows local account template
• auto-reconciliation
• PVWAReportsUser
• PasswordManagerUser

Administrator Accounts

• Enable PSM-PrivateArk Client

PSM-PVWA

Configure Applocker to enable Google Chrome

Restart Component Server

Connecting with PSM-PVWA-CHROME

Vault

The vaults configuration and log files can be found in the folder C:\Program Files (x86)\PrivateArk\Server\Conf

• dbparm.ini
• license.xml
• paragent.ini
• passparm.ini
• tsparm.ini

Logs are in the folder: C:\Program Files (x86)\PrivateArk\Server\Logs

• ltalog.log
• paragent.log

Configuration also stores in the system safe.

CPM

•  meet recommend system requirements
• physical vs vritual
• more than 100,000 managed passwords, then additional CPMs needed
• CPM settings
• Interval setting - change from 60 - 1440 (1 day)
• Emails about CPM activity
• CPM Log rotation
• PlatformToManage
• Only Platforms needed to be actived.

References

• Install AD & CS (Certification Service) on Windows Server 2016 to Deploy Enterprise PKI
• Logo Privileged Access Manager Version 12.2 - Installation