CyberArk 12.1 Lab - 6. Secure CyberArk PAM and Tune Performance - NETSEC

Cybersecurity Memo

Saturday, February 18, 2023


  This post summarizes some settings to secure CyberArk and tune its performance.




Limit Platforms to Specific Safes



CyberArk Accounts

Service Accounts

  • LDAP Bind Account - VaultInternal Safe
    • Create a specific platform for it
  • PSMConnect - PSM related
    • User cannot change password and Password never expires
    • Windows local account template
    • Auto-reconciliation
  • PSMAdminConnect - PSM created
    • User cannot change password and Password never expires
    • Windows local account template
    • Auto-reconciliation
  • PVWAReportsUser
  • PasswordManagerUser

Administrator Accounts

  • Enable PSM-PrivateArk Client

PSM-PVWA

Configure AppLocker to enable Google Chrome

Restart Component Server

Connecting with PSM-PVWA-CHROME




Vault

The Vault's configuration and log files can be found in the folder: C:\Program Files (x86)\PrivateArk\Server\Conf
  • dbparm.ini
  • license.xml
  • paragent.ini
  • passparm.ini
  • tsparm.ini
Logs are in the folder: C:\Program Files (x86)\PrivateArk\Server\Logs
  • italog.log
  • paragent.log

The configuration is also stored in the System safe.

CPM


  • Meet the recommended system requirements
    • Physical vs. virtual
    • With more than 100,000 managed passwords, additional CPMs are needed
  • CPM settings
    • Interval setting - change from 60 to 1440 (1 day)
    • Emails about CPM activity
    • CPM log rotation
    • PlatformToManage
    • Only the platforms that are needed should be activated.










