Devolutions RDM CyberArk Integration - NETSEC

Cybersecurity Memo

Sunday, December 17, 2023

Devolutions RDM CyberArk Integration

The purpose of the CyberArk Dashboard entry is to provide Remote Desktop Manager users with an interface that eliminates the need to use Password Vault Web Access (PVWA) to see the list of safes and credentials that the currently logged-on user has access to. Combined with password-less scenarios and/or our rich role-based access control (RBAC), this means that a user does NOT need to know the CyberArk credentials to be presented with a list of accounts they have access to. Additionally, since the dashboard is meant to authenticate once to your server and, most importantly, maintain an active session for as long as it is active, it has the significant advantage of only requiring MFA once, when you launch the dashboard.




Another design principle of the dashboard is that its main usage model is to go through the CyberArk Privileged Session Manager (PSM) to reach assets. This means that Remote Desktop Manager does NOT need to read the password for the account to be used. Less secure models are available to support older scenarios that some of our customers are still using.

How It Works

How Devolutions RDM integrates with the CyberArk PAM solution:


Account brokering inserts credentials on the back end (by integrating with the privileged account management solution), which means that end-users never see credentials in the first place. However, they can still access the necessary accounts to complete their day-to-day work. Not only is this much more secure, but it is highly efficient as well. End users get their work done, and SysAdmins do not have to deal with numerous access-related requests. In addition, all actions performed in Remote Desktop Manager can be logged and reported for auditing and compliance purposes.

Below is an example diagram demonstrating how Remote Desktop Manager integrates with CyberArk’s PAM solution:

(diagram)

  1. The end-user attempts to access a privileged remote connection through RDM.
  2. RDM confirms that the end user’s certificate is valid.
  3. RDM connects to CyberArk and requests the necessary credentials.
  4. CyberArk accepts the request and sends the credentials to RDM.
  5. The credentials are used to grant the end-user access, so they can complete their work-related task.
At no point in this process does the end-user see the credentials!


 

Basic Devolutions RDM Operation


1. Add new data source

SQLite is a local, lightweight database, usually for personal use.

The SQLite database will be saved to the folder C:\Users\Netsec\Appdata\Local\Devolutions\RemoteDesktopManager

2. Add License



3. Two Licenses

  • One for the RDM Enterprise edition license
  • The second is for the CyberArk Dashboard integration license







Create PSM Integration


This uses the PSM /u /a /c connection string to create a session through PSM to reach the remote target.

192.168.2.25 is the PSM server IP address.


Here is the magic string:




You will not need to grant the following settings. On the PSM server, there is no need to allow domain users to log on through RDS:





Devolutions RDM CyberArk Dashboard

 
Once you have added the license, the hidden entry template for CyberArk will be available.

1. Select CyberArk Template

Session templates - CyberArk Dashboard


Credential Mgmt Template


2. Use CyberArk Dashboard Template

Enter https://51sec.cyberark.cloud/privilegecloud as the Web Services URL.
Choose SAML as the authentication mode.



For a self-hosted environment:

The virtual directory will need a leading /.




3. Advanced Settings


Override the screen size for a better embedding experience.

There is no need to use PSM as the connection.





Synchronizer

 
Create a new entry for the Synchronizer.








GitHub Project for PSM Template

Steps

  1. Install RDM from Devolutions
  2. Start RDM and log in (either with a free account or an enterprise account)
  3. Import the template from this repo
  4. Create a folder if you want to group connections
  5. Add entry -> Add from template
  6. Select the template you imported in step 3 and replace the information that is within brackets <>, including the brackets

The target account is defined as username@address, where the fields correspond to the fields in CyberArk.
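As an added example (not code from the post, the GitHub project or CyberArk), the following PowerShell builds the PSM /u /a /c string from a target account written in the template's username@address form; the function name, the default connection component PSM-RDP and the sample accounts are assumptions, and the split is done on the last @ so UPN-style usernames keep their domain part.

```powershell
# Added example: compose the PSM "/u user /a address /c component" string
# from a CyberArk target account in username@address form.
# Function name and the PSM-RDP default are assumptions, not RDM or CyberArk API.
function ConvertTo-PsmConnectionString {
    param(
        [Parameter(Mandatory)] [string] $TargetAccount,   # e.g. 'administrator@192.168.2.25'
        [string] $ConnectionComponent = 'PSM-RDP'          # or 'PSM-SSH' for SSH targets
    )
    # Split on the LAST '@': a UPN username such as svc@corp.local@host
    # must keep 'svc@corp.local' as the user and 'host' as the address.
    $idx = $TargetAccount.LastIndexOf('@')
    if ($idx -lt 1 -or $idx -eq $TargetAccount.Length - 1) {
        throw "Target account must be username@address, got '$TargetAccount'"
    }
    $user    = $TargetAccount.Substring(0, $idx)
    $address = $TargetAccount.Substring($idx + 1)
    # PSM parameters are space-separated, so reject values that would break parsing.
    foreach ($part in @($user, $address, $ConnectionComponent)) {
        if ($part -match '[\s"]') {
            throw "Whitespace or quotes are not allowed in PSM parameter '$part'"
        }
    }
    # Parameter order as PSM expects it: /u user /a address /c connection component
    return "psm /u $user /a $address /c $ConnectionComponent"
}

# Constructed sample accounts in the template's username@address form
ConvertTo-PsmConnectionString -TargetAccount 'administrator@192.168.2.25'
ConvertTo-PsmConnectionString -TargetAccount 'svc-backup@corp.local@fileserver01' -ConnectionComponent 'PSM-SSH'
```

The returned string is what goes into the bracketed PSM fields of the imported template; a malformed account is rejected before it ever reaches an RDM entry.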


New Template / Import Template



PSM-SSH or Other RemoteApp

To get a PSM-SSH session embedded in the RDM client, you will need to set DisableRemoteApp for the connector. Otherwise, you will have to use the "Open externally" session option.



If DisableRemoteApp is not set to Yes and the "Open externally" option is not checked, the PSM-SSH session will be closed automatically.




Edit Entries In Batch

 


# RDM batch edit (PowerShell): make each selected entry connect through the CyberArk Dashboard on double-click
$connection.ConnectUsingDashboardOnDoubleClick = "True";
$RDM.Save();



