Latest Posts

CyberArk PAS Quick Operation Handbook

This post is to show some quick steps for regular operation on my home CyberArk lab:

Workflow for creating policies and accounts in CyberArk PAS:



An Example for Creating Policy and Accounts:

On board CyberArk End User

If you CyberArk has AD integrated, you will need to add this user into proper CybreArk AD group. Usually, you will have three types of CyberArk AD user groups:
  • CyberArk Users
  • CyberArk Auditors
  • CyberArk Admins
Depends on what type of user you will need to add in, you might need to add them into your specific AD group first.
You can check my previous post about CyberArk AD Integration configuration.

Create a safe

Once on board the user, you will need to create his/her personal safe, which will hold all his/her personal privileged accounts.

If you are on boarding a  shared Privileged account, you will need to create/modify your shared safe.




Notes:

  • By default, Safe creator will have quota ownership which will not be deleted. For how to delete it, check post https://blog.51sec.org/2019/11/cyberark-pta-solution-issues-and.html
  • Suggested permission: It should only two users in the safe member list: PSM Manager and Safe Domain User
  • Hide predefined users and groups. You can change this settings through one ini file in the vault server.
  • Safe name convention

Platform Management

There are two ways to add new platform: 
1. Duplicate existing platforms
2. Import new platforms



Notes:

  • New platform can be downloaded and imported from market place.
  • Platform name convention need to defined well
  • You can delete platform even there is account assigned to it. (Delete need to be very careful here). But since platform has gone, you wont be able to do connect, change, reconcile, this kind of actions anymore. You will not be able to edit it without select a new platform. 



Create an account



Notes:

  • Domain admin accounts can set restriction to pre-defined server which will have a drop-down menu to select
  • Local admin accounts will need to define target address and name well. 

Grant User to Add New Account to their Own Safe




Grant user to account management ability.

Or more specifically, you can remove some permissions from user to have better control. Even update account content can be removed.

Change account password

To change added account's password, you will need to switch Web Gui to classic interface mode.



YouTube Video:



Reset CyberArk Built-in administrator Password

  • Master user is automatically added to all new safes with full rights - even safes it did not create. It requires a special configuration in order to login into it.
  • Administrator is a built-in administrative user, but unlike Master it does not get automatically assigned to all new safes created (by other users).
You will also need the Master user if you're doing a full database restore from a PAReplicate backup, or if you need to re-key the vault.

If for somehow, your CyberArk administrator account has been locked up or you want to update the password, you can follow following steps to work on:

First, you will have RDP into your PVWA which has PrivateArk installed.

Then, Log into PrivateArk client with another account with Vault-level permissions such as Administrator2 . Click Tools > Administrative Tools > users and groups. Click on the "Administrator" account, and then "Trusted Networks Areas..." and click Activate.


If you don't have another local account such as adminsitrator2, you'll have to log in with the "Master" user. To log in with the "Master" user you'll have to take a few extra steps. 

Reset/Log in CyberArk Built-in Master Password

As per best practices you should always have a Backup administration account for operational stuff and shouldn't use Administrator account. In case you got into such situation, here are some thing you can follow to help you out:

Steps to Log In with Master Account:
  1. Place Master CD into server.
  2. Double click Private Ark icon
  3. Enter 'Master' as the user and enter password.

More details from CyberArk KB:
To log in as the Master user please do the following on the Vault Machine:
1. Insert the Master CD in the CD Drive
2. Verify if the dbparm.ini lists the location of the Master key in the Master CD
•  dbparm.ini is located in the following location :  Drive:\Program Files (x86)\PrivateArk\Server\dbparm.ini
•  In v10+, the dbparm.ini is located here:   Drive:\Program Files (x86)\PrivateArk\Server\conf\dbparm.ini
•  The Master key parameter and value can be found as the following in the dbparm.ini file : RecoveryPrvKey="Drive:\RecPrv.key" 
•  If the location needs to be changed, a restart of the PrivateArk Server service is required for changes to take effect
3. Start the PrivateArk Client Application on the Vault Machine
4. Right Click on the "<VaultName> Server" icon within the Private Ark Client and choose "Properties" > "Advanced" > "Authentication" tab > "Authentication methods" section > Choose "PrivateArk authentication" > Click OK in the advanced window > Click OK in the Properties window
5. Log into the Vault with the username as "Master"
•  If you need to reset the Master password, this can be accomplished by going to User > Set password after logging in



Delete Safe / Change Safe Members


Delete a safe using a administrator user which was added to the operators group. it prompts as below:

"ITATS056E Folder Root\ cannot be deleted because it contains non-expired object.
Object have been marked as deleted.
Folder can be deleted in 7 days"


There is a KB for how to delete safe member: Delete Safe member

using following URL to delete a safe member.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}

Unfortunately, I got following error;


At the end of account member record, there is a delete icon. You will need drag slide bar to the end to see it. That will delete member.


Reconcile Account

Passwords in the Vault must be synchronized with corresponding passwords on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that passwords are synchronized. If the verification process discovers passwords that are not synchronized with their corresponding password in the Vault, the CPM can reset both passwords and reconcile them. This ensures that the passwords are resynchronized automatically, without any manual intervention.

During password reconciliation, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. As soon as reconciliation is finished successfully, all standard verifications and changes can be carried out as usual. Users can see details of the last reconciliation process in the Operational Views in the Accounts List.


References






No comments