CyberArk Tips and Tricks - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, November 20, 2019

CyberArk Tips and Tricks

Collections some small tips and tricks to tune CyberArk meeting business requirements.



Enable Copy/Paste Function Between PSM RDP Sessions


By default, the settings disables this function. You will not be able to copy / paste between PSM RDP sessions, although SSH sessions work.

Following steps can show you how to enable this :

·        1.  Go to Administration > Options > Connection Components > PSM-RDP > User Parameters 







·        2. Set the AllowMappingLocalDrives parameters for Visible and Value, both, to Yes
·         
·        If that AllowMappingLocalDrives parameter is missing you can right click on User Parameters and add it. 




Change Maximum Timeframe for Checkout

Global Settings - Administration - Configuration Options - Dual Control



Change MaximumTimeFrame to 21600 , which is 15 days * 24 hours  * 60 minutes.


image



Checkout Time and Extendable


MinValidityPeriod = 4 hours = 240 seconds
DoNotExtendMinValidityPeriod = Yes

The MinValidityPeriod parameter controls the number of minutes the CPM waits from the last retrieval of the password until it will attempt to change it. This gives the user a minimum period of time in which he can use the password before it is changed by the CPM. If Exclusive mode is enforced on the Safe where the password object is stored, the MinValidityPeriod parameter also determines the number of minutes after which an exclusive password will be released automatically by the CPM.

The MaxSessionDuration parameter determines the maximum duration of the session, in minutes. This can be specified as a general PSM parameter or in a specific platform.

Note: When users log off from the remote Windows machine, the sessions on both the PSM and the remote machine are ended. However, when users disconnect the session by clicking Close or if the MaxSessionDuration parameter has expired, the PSM session is automatically ended, but the session on the remote machine continues running. The next time they log onto the same remote machine through the PSM, they will continue the same session as before. To prevent this, make sure that the Terminal Server is configured to end disconnect sessions after a specific time period.

In order to set it to unlimited:

MaxSessionDuration – The maximum duration in seconds of the session. The default value is 0 (zero), indicating that the session duration is unlimited.

Q. Does initiating a new PSM connection refresh the timer for MaxSessionDuration on a checked-out account?

A. If the user logged off properly, the MaxSessionDuration will reset since the PSM session was closed. If the user disconnected without logging off properly, they will join the same session they disconnected from and not reset the MaxSessionDuration.

Q. Does initiating a new PSM connection refresh the timer for MinValidity on a checked-out account?

A. I assume in this case a "checked-out account" is one that has Exclusive Usage enabled. In that instance, MinValidityPeriod timer starts when the account is locked and then unlocks the account after the interval. The password can be accessed as many times as needed during that time period. If MinValidityPeriod is not being used with Exclusive Usage, it will reset anytime the credential has a Show/Copy/Connect activity.


  • MaxSessionDuration timer is refreshed on a new PSM Connection to a previously checked out account - but only for the new session. If you have 2 sessions running utilizing the same "managed account", the old timer is still going for the first session you established.

  • MinValidity timer refreshed anytime a user does anything with the password, including show/copy/Connect.

  • If MinValidity is smaller than MaxSession duration the CPM will reset the password anyway and will not respect the MaxSessionDuration (since it's a Max). This can cause the target account to get locked if the user is currently using it.


  • You should also look at the setting for "ResetOverridesMinValidty"

  • For EA accounts, make sure you also set "Enforce One Time Password" AND give the CPM user (PasswordManager) unlock permissions in the safe. If you don't set one of those the CPM will not unlock the account once the minValidityPeriod expires.



While using the password check in / out feature, there is the following message with date in the past: "This password is accessible until 12/31/1969 7:00:00 PM. After this date, this password will be scheduled for release and change."

Cause
The underlying cause of the issue. Cause is an optional field as it is not appropriate or necessary for some types of articles.


Dual Control Options

ForceTimeframe
ForceConfirmationReason
ForceMultipleAccess
Maximum Timeframe

Note: https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasref/options%20-%20dual%20control.htm





Change Default Connector in the platform


Platform - Connection Components - PSMConnectionDefault 

Put the connector name into this property. 






Video



YouTube Video:




References











2 comments:

  1. Hello! I,ve trouble with clipboard. I tried enable MappingDrives but it doesn't work for me. I can't copy either text nor files. All GPO policies was disabled and for User and for Computer(Administrative Templates >Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection). What's wrong? Please, help me resolve this issue with clipboard.

    ReplyDelete
  2. Hello! I,ve trouble with clipboard. I tried enable MappingDrives but it doesn't work for me. I can't copy either text nor files. All GPO policies was disabled and for User and for Computer(Administrative Templates >Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection). What's wrong? Please, help me resolve this issue with clipboard.

    ReplyDelete