Latest Posts

CyberArk PAS Administration Lab - v10.10

The CyberArk Privileged Access Security (PAS) Administration course covers CyberArk’s core PAS Solution: Enterprise Password Vault (EPV), Privileged Session Management (PSM) solutions, and Privileged Threat Analytics (PTA). CyberArk administrators, or ‘Vault Admins’, gain extensive hands-on experience in administering the core PAS Solution using our step-by-step exercise guide and dedicated lab environment.

This post is to show what kind of subjects you will learn.
 
CyberArk PAS Administration LAB V10.10




Lab Topology

Total Seven Machines:
001-DC: 10.0.0.2 - 1G RAM and 25G Storage
002-PVWA/PSM/CPM : 10.0.20.1 - 4G RAM and 30G Storage
003-PSMP/PSM Gateway: 10.0.1.16 - 1G RAM and 30G Storage
004-PTA : 10.0.0.1 - 6G RAM and 50G Storage
005-Target Linux: 10.0.0.20 - 2G RAM and 20G Storage
006-Target Windows: 10.0.10.50 - 2G RAM and 60G Storage
007-Vault : 10.0.10.1 - 1G RAM and 20G Storage



Contents

INTRODUCTION TO CORE PAS ............................................................ 14
  PVWA .................................. 14
      Log in as Administrator .. 14
     Activate the PSM ............ 17
     Deactivate “Reason for Access” ....................................................... 18
     Connect using a stored account in the New UI................................. 18
     Connect using a stored account in the Classic UI ............................. 20
  PRIVATEARK CLIENT ................. 23
  REMOTE CONTROL CLIENT ......... 27
  PRIVATEARK SERVER ................ 29

USER MANAGEMENT ....... 34

  Know the Players ............ 34
  LDAP INTEGRATION AND DIRECTORY MAPPING .............................................. 35
      LDAP Integration ............ 35
      Configure Predefined Directory Mappings ....................................... 39
      Test the LDAP Integration and Predefined Mappings ...................... 42
      Configure Custom Directory Mapping .............................................. 42
      Test Custom Directory Mapping ....................................................... 45
  UNSUSPEND A SUSPENDED USER (OPTIONAL) .................................................. 50
  LOG IN WITH MASTER ............... 53

PASSWORD MANAGEMENT – PART 1 ................................................ 54

  SECURING WINDOWS DOMAIN ACCOUNTS ..................................................... 54
      Platform Management ... 54
      Safe Management .......... 60
      Account Management .... 63
  EDITING THE MASTER POLICY ..... 67
      Password Management . 68
  SECURING UNIX SSH ACCOUNTS  72
      Vault Administrator Tasks ...................................................... 72
      Safe Manager Tasks ....... 76
      Auditor Tasks .................. 91

PASSWORD MANAGEMENT – PART 2 ................................................ 94
  LINKED ACCOUNTS ................... 94
      Securing SSH Accounts Using a Logon account ................................ 94
      Securing Windows Server Local Accounts via a Reconcile Account .. 97
  SECURING ORACLE ACCOUNTS . 103
      Vault Adminstrator Tasks ........................................................ 103
      Safe Manager Tasks ..... 105
  SECURING AN ACCOUNT WITH SSH KEYS ............................................... 107
      Generating a Key-Pair .. 107
      Verify You Are Able to Log in with the Private Key ......................... 112
  USAGES – SECURING SERVICE ACCOUNTS ...............................................116
      Manage a Scheduled Task Usage ................................................... 116
      Managing a Configuration File Usage ............................................ 121

PRIVILEGED ACCESS WORKFLOWS ................................................... 126
REQUIRE USERS TO SPECIFY REASON FOR ACCESS ....................................... 126
Activating the Policy ..... 126
Add Predefined Reasons for Access ................................................ 127
REQUIRE DUAL CONTROL ACCESS APPROVAL ............................................. 130
Activating the Policy ..... 130
Adding an approver to a Safe ..................................................... 132
Testing Dual Control ..... 134
EXCLUSIVE PASSWORDS WITH AUTOMATED RELEASE AND ONE-TIME USE .......... 138
Adding a Master Policy exception for Exclusive Passwords ........... 138
Adding a Master Policy exception for One-Time Passwords .......... 139
Reducing the Minimum Validity Period .......................................... 140
Testing Exclusive Passwords ........................................................ 141

DISCOVERY AND ONBOARDING ....................................................... 143
ACCOUNTS FEED .................... 143
Configure Automatic Onboarding Rules ......................................... 143
Configure and Run Windows Accounts Discovery .......................... 145
Verify Automatically Onboarded Accounts .................................... 150
Manually onboard discovered accounts......................................... 150
PASSWORD UPLOAD UTILITY (OPTIONAL) ......................................... 152
Add the Administrator as a member of template safe ................... 152
Configure and run PUU  153
PRIVILEGED SESSION MANAGEMENT ............................................... 161
Disable Privileged Access Workflows ............................................. 161

PRIVILEGED SESSION MANAGER  ..............................163
Enabling PSM ............... 163
Adding Exceptions ........ 163

Connect with a Linux Account ........................................................ 165
Connect with an Oracle Account .................................................... 167
Connect via HTML5 Gateway ......................................................... 169
Connect using PSM Ad-Hoc Connection ......................................... 170
PRIVILEGED SESSION MANAGER FOR WINDOWS ............................................ 173
PRIVILEGED SESSION MANAGER FOR SSH ..................................................... 176
AUDITING USER ACTIVITY IN THE PSM (MONITORING) .................................... 177
PSM Session Terminators ............................................................... 178
Monitor, Suspend and Terminate Active Sessions .......................... 181
Monitor Recordings ...... 182

PRIVILEGED THREAT ANALYTICS ...................................................... 184
DETECTIONS AND AUTOMATIC REMEDIATION FOR UNIX/LINUX ........................ 184
Unmanaged Privileged Access ....................................................... 184
Suspected Credential Theft and Automatic Password Rotation ..... 186
Suspicious Password Change and Automatic Reconciliation ......... 189
Suspicious activities in a Unix session and automatic suspension . 191
Security Rules Exceptions ........................................................ 194
DETECTIONS AND AUTOMATIC REMEDIATION FOR WINDOWS .......................... 195
Unmanaged Privileged Access ....................................................... 195
Suspicious Activities in a Windows Session and Automatic Suspension ..............200
CONNECT TO THE PTA ADMINISTRATION INTERFACE ...................................... 203

REPORTS ........................ 205
GENERATE “PRIVILEGED ACCOUNTS INVENTORY” REPORT ................................ 205
GENERATE “SAFES LIST” REPORT AND “USERS LIST” REPORT ............................ 207
GENERATE REPORTS USING EVD ................................................... 209

REPLICATIONS ................ 214
BACKUP AND RESTORE ............ 214
Enabling the Backup and DR users ................................................. 214
Installing the PrivateArk Replicator ................................................ 216
Create a Safe and an Account to test Backup ................................ 221
Running a Backup ......... 222
Delete the Linux02 Safe  223
Running a Restore ........ 223

COMMON ADMINISTRATIVE TASKS ................................................. 225
ROTATING CPM LOGS ............ 225

OPTIONAL EXERCISES ..... 227
AD HOC ACCESS .................... 227
Set up the Ad Hoc Access Platform................................................. 228
Add the Local Administrator Account ............................................ 230
CPM Scanner Configuration ........................................................... 230
Test Ad Hoc Access ....... 231
CUSTOM FILE CATEGORIES ....... 232
Creating the Custom File Category ................................................. 233
Adding the Custom File Category to the Platform .......................... 234
Making the File Categorical Searchable ......................................... 235
Testing the New File Category ....................................................... 237



CyberArk PAS Install & Configure, v10.9
PAS=Privileged Account Security


Exercise Guide Contents INTRODUCTION.........................................4 
USING SKYTAP...............................................4 
INTERNATIONAL USERS....................................... 6 

SCENARIO .................................................10 
EPV INSTRUCTIONS......................................11 
VAULT INSTALLATION...................................12 
BEFORE INSTALLATION.......................................... 12 
VAULT SERVER INSTALLATION.....................................15 
PRIVATEARK CLIENT INSTALLATION...............................23 
POST VAULT INSTALLATION .................................... 26 

INSTALL PASSWORD VAULT WEB ACCESS............27 
INSTALL IIS PRE-REQUISITE SOFTWARE USING AUTOMATIC PREREQUISITES SCRIPT .................................................................. 27 REQUIRE HTTP OVER SSL (PVWA)............................................................................................................................ 29 INSTALL PVWA...................................................................................................................................................... 29 HARDENING THE CYBERARK PVWA SERVERS ................................................................................................................ 32 CONFIGURE IIS REDIRECTION..................................................................................................................................... 34 TEST PVWA LOAD BALANCING.................................................................................................................................. 36 INSTALL CPM (DISTRIBUTED)................................................................................................................................. 37 INSTALL 1 ST CPM .................................................................................................................................................... 37 INSTALL THE PRIVATEARK CLIENT ON THE COMPONENT SERVER.......................................................................................... 41 POST CPM INSTALLATION......................................................................................................................................... 41 INSTALL 2 ND CPM.................................................................................................................................................... 41 POST CPM INSTALLATION......................................................................................................................................... 42 INSTALL THE PRIVATEARK CLIENT ON THE COMP01B SERVER............................................................................................. 43 RENAME 1 ST CPM................................................................................................................................................... 43 UPDATE THE NAME OF THE CPM IN THE PVWA............................................................................................................. 46 HARDEN THE CPM SERVER........................................................................................................................................ 46 INTEGRATIONS....................................................................................................................................................... 48 LDAP AUTHENTICATION (OVER SSL)........................................................................................................................... 48 SMTP INTEGRATION................................................................................................................................................ 53 SIEM INTEGRATION................................................................................................................................................. 56 NTP INTEGRATION .................................................................................................................................................. 59 AUTHENTICATION TYPES ....................................................................................................................................... 62 RADIUS AUTHENTICATION ....................................................................................................................................... 62 PKI AUTHENTICATION .............................................................................................................................................. 68 TWO FACTOR AUTHENTICATION (2FA) ........................................................................................................................ 72 EPV TESTING AND VALIDATION............................................................................................................................. 73 ADD WINDOWS DOMAIN ACCOUNT............................................................................................................................ 73 ADD WINDOWS SERVER LOCAL ACCOUNT..................................................................................................................... 73 ADD LINUX ROOT ACCOUNT ...................................................................................................................................... 74 ADD ORACLE DATABASE ACCOUNT.............................................................................................................................. 74 Privileged Account Security Install & Configure, v10.9 CyberArk University Exercise Guide Page 2 © Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd. INSTALL PSM/PSMP............................................................................................................................................... 76 INSTALL A STANDALONE PSM INSTALLATION........................................................................................................ 77 PSM INSTALLATION PREREQUISITES ............................................................................................................................ 77 PSM INSTALLATION................................................................................................................................................. 80 PSM POST INSTALLATION ......................................................................................................................................... 83 PSM HARDENING ................................................................................................................................................... 84 PSM TESTING AND VALIDATION................................................................................................................................. 86 LOAD BALANCED PSM SERVERS............................................................................................................................. 89 CONFIGURE PSM LOAD BALANCING............................................................................................................................ 89 PSM FOR SSH INSTALLATION................................................................................................................................. 92 SECURING CYBERARK............................................................................................................................................. 98 LOCK DOWN A USER’S INTERFACE............................................................................................................................... 98 USE RDP OVER SSL................................................................................................................................................. 99 MANAGE LDAP BINDACCOUNT ............................................................................................................................... 104 MANAGE PSMCONNECT/PSMADMINCONNECT USING THE CPM................................................................................... 105 MANAGE CYBERARK ADMINISTRATOR ACCOUNT USING THE CPM ................................................................................... 109 CONNECT WITH PSM-PRIVATEARK CLIENT ................................................................................................................. 110 CONNECT USING PSM-PVWA-CHROME................................................................................................................... 113 BACKUP................................................................................................................................................................ 116 ENABLE THE BACKUP AND DR USERS ......................................................................................................................... 116 INSTALL THE PRIVATEARK REPLICATOR COMPONENT ..................................................................................................... 119 TESTING THE BACKUP/RESTORE PROCESS ................................................................................................................... 123 DISASTER RECOVERY............................................................................................................................................ 126 INSTALL THE DISASTER RECOVERY MODULE................................................................................................................. 126 VALIDATE THE REPLICATION WAS SUCCESSFUL .............................................................................................................. 129 EXECUTE AUTOMATIC FAILOVER TEST ........................................................................................................................ 130 EXECUTE FAILBACK PROCEDURE USING MANUAL FAILOVER ............................................................................................ 132 (OPTIONAL) EXERCISES ........................................................................................................................................ 137 ADVANCED PSMP IMPLEMENTATIONS................................................................................................................ 138 ADDING FIREWALL RULES TO THE VAULT MANUALLY......................................................................................... 142


















No comments