Latest Posts

CyberArk PAS Configuration Notes (Architecture)

CyberArk is an info security company mainly dedicated to privileged account security. The CyberArk Privileged Account Security solution comprises features that secure, monitor and manages confidential accounts.
The major components used widely are following:
  • Enterprise Password Vault
  • Central Policy Manager (CPM)
  • Password Vault Web Access (PVWA)
  • Privileged Session Manager (PSM)
PAS = (Privileged Access Security)

PSM "connect" explaination



A user clicks "connect" in PVWA, an initial RDP session is established between the user and the PSM server. Since the user shouldn't be able to connect to the PSM server directly, the PSMConnect account is used. Once the session connects, PSM checks the session variables of the connecting user, including CyberArk username. Then the PSMConnect session creates a temporary profile for the user on the PSM server, called a Shadow user (if one doesn't exist), and switches the user's RDP session to that "isolated" shadow session/profile. Now that the user is in their own shadow session, PSM tries to execute the Connection Component specified. For example if it's SSH, it needs to pull the target address, managed account and password from the Vault. It will check if the user is authorized to use that account, pull the information, and launch an ssh session using command line switches for putty. Finally it will start recording, and give control to the RDS session back to the user.



CPM "verify" explaination



For most platforms, to "verify" the password, CyberArk tries to log into the target with the stored account. If it's able to log in, it calls the password verify. In Unix machines that concept is fairly straightforward - it does an SSH connection, and if it's able to get to the regular prompt, it calls it a success. In Windows, for the regular (non-WMI platform), it tries to issue a "net use \servername\IPC$ /user:<manageduser>" command. If successful, the password is verified. For databases it might try to establish an ODBC connection, etc.




Change PSM Server ID

  1. First, login to the PVWA, browse to Administration, System Configuration, Options, Privileged Session Management, Configured PSM Servers and select the PSM Server you need to change from the list of servers. In the properties pane, set the value of the ID property to the new Server ID, click Apply and OK. 
  2. Next, edit the basic_psm.ini file located on the PSM server in the PSM root directory and update the PSMServerlD parameter with the new Server ID, save the file and restart the "CyberArk Privileged Session Manager" service on the PSM server.

Password Management Architecture

Session Manager Architecture

Privileged Threat Analytics Architecture
PAM Solution High Availability Design






Key Features of Core PAS


Standard Core PAS Componets


RDP Traffic Flow



Vault, Components and Clients








References:


2 comments:

  1. Thank you! Cyberark doesn't look unpolished. However, it still has some issues.

    ReplyDelete
    Replies
    1. Hi Roland, it does what it can do. Understanding how those components (PVWA, CPM, PSM, Vault Server, Vault Client) whoring together is important before implement it, especially before rolling out to your production environment. I am still testing lots of other features, such as html5 gateway, psmp, integrating with other applications and databases. It looks promising based on CyberArk website, but it does need a good engineer behind it.

      Delete