The CyberArk Privileged Access Security (PAS) Administration course covers CyberArk’s core PAS Solution: Enterprise Password Vault (EPV), Privileged Session Management (PSM) solutions, and Privileged Threat Analytics (PTA). CyberArk administrators, or ‘Vault Admins’, gain extensive hands-on experience in administering the core PAS Solution using our step-by-step exercise guide and dedicated lab environment.

  • Standard User Accounts
  • Super Users
  • Application Accounts
  • Service Accounts
Privileged Accounts
  • Elevated personal user accounts
  • Shared privileged accounts
  • Application accounts
Privileged Access

CyberArk Shared Technology Platform:

CynerArk Blueprint Stages overview

Lab Topology

For v10.10 

Total Seven Machines:
001-DC: 10.0.0.2 – 1G RAM and 25G Storage
002-PVWA/PSM/CPM : 10.0.20.1 – 4G RAM and 30G Storage
003-PSMP/PSM Gateway: 10.0.1.16 – 1G RAM and 30G Storage
004-PTA : 10.0.0.1 – 6G RAM and 50G Storage
005-Target Linux: 10.0.0.20 – 2G RAM and 20G Storage
006-Target Windows: 10.0.10.50 – 2G RAM and 60G Storage
007-Vault : 10.0.10.1 – 1G RAM and 20G Storage

For v12.2 

Total Seven Machines:
001-DC01: 10.0.0.1 GW 10.0.255.254 – 2G RAM, 2vCPU and 30GB Storage, Server 2019 Standard
002-Components – PVWA/PSM/CPM : 10.0.20.1 – 6G RAM, 6 vCPU and 30G Storage, Server 2019 Standard
003-psm-ssh-gw, PSMP/PSM Gateway: 10.0.30.1 – 6G RAM and 50G Storage
004-PTAserver : 10.0.30.2 – 8G RAM and 50G Storage
005-Target Win 10.0.21.1 – 2G RAM and 60G Storage, DNS 10.0.0.1, GW: 10.0.255.254
006-Target Lin: 10.0.0.20 – 1G RAM and 20G Storage
007-Vault : 10.0.10.1 – 2G RAM and 30G Storage
008-DR: 10.0.14.1 – 2GB, 30GB storage

Lab Environment


DC01 

Group Policy:

Certificate Services

  • https://localhost/certsrv/

Email Services

  • Mailenable

Components Server – PVWA/PSM/CPM

v12.2 PVWA Web GUI Interface

Vault Server

v12.2 Vault GUI

Vault Services

Basic Tasks for Admin (Defender)

AD Group mapping
  • Vault Admin
  • Auditors
  • Users
  • Helpdesk
  • Manager
Master policy
  • Exception
  • Activate PSM
Duplicate Platform
  • change password verification/reconcillation settings
  • rotation days
  • deactivate platform
Create safe
Add accounts
  • Create service accounts safe
    • add reconcilliation accounts
    • discovery scan accounts
  • Win Domain 
  • Win local
  • DB account
  • Linux account
    • linked account = logon account
  • Linux SSH key
  • Dependents – Service account
    • scheduled tasks
    • configuration file
Workflow
  • dual control
  • exclusive password with automated release – check-in/check-out
  • one time use
  • Just-in-Time (JIT) access
Discovery
  • auto onboarding
  • windows accounts discovery
  • manual onboarding
  • add accounts from file
PSM
  • exception
  • via HTML5 gateway
  • monitoring
  • recording
PTA
  • detection and auto-remediation for *nix
  • detection and auto-remediation for windows
Reports
Backup and restore
DR

Others

  • Rotation CPM logs
  • custom file categories
Note: In many cases, the service account would be blocked from modifying its own password. If that were the case, you would need to associate a reconcile account with the Platform and set the parameter ChangePasswordInResetMode to Yes. This procedure is covered in the CyberArk PAM Install & Configure training. You would also need to associate a logon account with the scheduled task, which would be used to perform the password change for the dependency.

Basic Tasks for Installation and Configuration (Sentry Certification)

Vault 
  • Server
  • Client
  • Post installation

PVWA

  • IIS pre-requisite using script
  • import certficates
  • PVWA
  • Harden
  • PrivateArk client
  • Load Balancing

CPM

  • 1st CPM
  • Post Installation
  • 2nd CPM
  • Post Installation
  • Harden
  • Rename 1st CPM and update PVWA
Integration
  • LDAP
  • SMTP
  • SIEM
  • NTP
  • Authentication
    • Radius
    • PKI
    • 2FA
PSM
  • Standalone PSM
  • Load balanced PSM
  • PSM for SSH
Securing
  • Lok down user interface
  • RDP over SSL
  • LDAP Bind account
  • PSMConnect/PSMAdminConnect
  • PSM-PrivateArk Client
  • PSM-PVEA-CHROME
Backup
DR
Others
  • Vault Firewall Rules
  • Master User Logging
  • PSMP advanced implementation

Contents

PAM=Privileged Account Management

PAS=Privileged Account Security

Exercise Guide Contents

CyberArk PAS Admin, v10.10


INTRODUCTION TO CORE PAS …………………………………………………… 14
  PVWA ……………………………. 14
      Log in as Administrator .. 14
     Activate the PSM ………… 17
     Deactivate “Reason for Access” ………………………………………………. 18
     Connect using a stored account in the New UI…………………………… 18
     Connect using a stored account in the Classic UI ……………………….. 20
  PRIVATEARK CLIENT …………….. 23
  REMOTE CONTROL CLIENT ……… 27
  PRIVATEARK SERVER ……………. 29


USER MANAGEMENT ……. 34

  Know the Players ………… 34
  LDAP INTEGRATION AND DIRECTORY MAPPING ………………………………………. 35
      LDAP Integration ………… 35
      Configure Predefined Directory Mappings ………………………………… 39
      Test the LDAP Integration and Predefined Mappings …………………. 42
      Configure Custom Directory Mapping ………………………………………. 42
      Test Custom Directory Mapping ………………………………………………. 45
  UNSUSPEND A SUSPENDED USER (OPTIONAL) ………………………………………….. 50
  LOG IN WITH MASTER …………… 53


PASSWORD MANAGEMENT – PART 1 ………………………………………… 54

  SECURING WINDOWS DOMAIN ACCOUNTS …………………………………………….. 54
      Platform Management … 54
      Safe Management ………. 60
      Account Management …. 63
  EDITING THE MASTER POLICY ….. 67
      Password Management . 68
  SECURING UNIX SSH ACCOUNTS  72
      Vault Administrator Tasks ……………………………………………… 72
      Safe Manager Tasks ……. 76
      Auditor Tasks ……………… 91


PASSWORD MANAGEMENT – PART 2 ………………………………………… 94
  LINKED ACCOUNTS ………………. 94
      Securing SSH Accounts Using a Logon account ………………………….. 94
      Securing Windows Server Local Accounts via a Reconcile Account .. 97
  SECURING ORACLE ACCOUNTS . 103
      Vault Adminstrator Tasks ……………………………………………….. 103
      Safe Manager Tasks ….. 105
  SECURING AN ACCOUNT WITH SSH KEYS ……………………………………….. 107
      Generating a Key-Pair .. 107
      Verify You Are Able to Log in with the Private Key ……………………. 112
  USAGES – SECURING SERVICE ACCOUNTS ………………………………………..116
      Manage a Scheduled Task Usage …………………………………………… 116
      Managing a Configuration File Usage …………………………………….. 121


PRIVILEGED ACCESS WORKFLOWS …………………………………………… 126
REQUIRE USERS TO SPECIFY REASON FOR ACCESS ………………………………… 126
Activating the Policy ….. 126
Add Predefined Reasons for Access ………………………………………… 127
REQUIRE DUAL CONTROL ACCESS APPROVAL ……………………………………… 130
Activating the Policy ….. 130
Adding an approver to a Safe …………………………………………….. 132
Testing Dual Control ….. 134
EXCLUSIVE PASSWORDS WITH AUTOMATED RELEASE AND ONE-TIME USE ………. 138
Adding a Master Policy exception for Exclusive Passwords ……….. 138
Adding a Master Policy exception for One-Time Passwords ………. 139
Reducing the Minimum Validity Period …………………………………… 140
Testing Exclusive Passwords ……………………………………………….. 141


DISCOVERY AND ONBOARDING ………………………………………………. 143
ACCOUNTS FEED ……………….. 143
Configure Automatic Onboarding Rules ………………………………….. 143
Configure and Run Windows Accounts Discovery …………………….. 145
Verify Automatically Onboarded Accounts ……………………………… 150
Manually onboard discovered accounts………………………………….. 150
PASSWORD UPLOAD UTILITY (OPTIONAL) ………………………………….. 152
Add the Administrator as a member of template safe ………………. 152
Configure and run PUU  153
PRIVILEGED SESSION MANAGEMENT ……………………………………….. 161
Disable Privileged Access Workflows ……………………………………… 161


PRIVILEGED SESSION MANAGER  …………………………163
Enabling PSM …………… 163
Adding Exceptions …….. 163


Connect with a Linux Account ……………………………………………….. 165
Connect with an Oracle Account ……………………………………………. 167
Connect via HTML5 Gateway ………………………………………………… 169
Connect using PSM Ad-Hoc Connection ………………………………….. 170
PRIVILEGED SESSION MANAGER FOR WINDOWS …………………………………….. 173
PRIVILEGED SESSION MANAGER FOR SSH …………………………………………….. 176
AUDITING USER ACTIVITY IN THE PSM (MONITORING) ……………………………… 177
PSM Session Terminators ……………………………………………………… 178
Monitor, Suspend and Terminate Active Sessions …………………….. 181
Monitor Recordings …… 182


PRIVILEGED THREAT ANALYTICS ……………………………………………… 184
DETECTIONS AND AUTOMATIC REMEDIATION FOR UNIX/LINUX …………………… 184
Unmanaged Privileged Access ………………………………………………. 184
Suspected Credential Theft and Automatic Password Rotation ….. 186
Suspicious Password Change and Automatic Reconciliation ……… 189
Suspicious activities in a Unix session and automatic suspension . 191
Security Rules Exceptions ……………………………………………….. 194
DETECTIONS AND AUTOMATIC REMEDIATION FOR WINDOWS …………………….. 195
Unmanaged Privileged Access ………………………………………………. 195
Suspicious Activities in a Windows Session and Automatic Suspension …………..200
CONNECT TO THE PTA ADMINISTRATION INTERFACE ……………………………….. 203


REPORTS …………………… 205
GENERATE “PRIVILEGED ACCOUNTS INVENTORY” REPORT ………………………….. 205
GENERATE “SAFES LIST” REPORT AND “USERS LIST” REPORT ………………………. 207
GENERATE REPORTS USING EVD …………………………………………… 209


REPLICATIONS ……………. 214
BACKUP AND RESTORE ………… 214
Enabling the Backup and DR users …………………………………………. 214
Installing the PrivateArk Replicator ………………………………………… 216
Create a Safe and an Account to test Backup ………………………….. 221
Running a Backup ……… 222
Delete the Linux02 Safe  223
Running a Restore …….. 223


COMMON ADMINISTRATIVE TASKS …………………………………………. 225
ROTATING CPM LOGS ………… 225


OPTIONAL EXERCISES ….. 227
AD HOC ACCESS ……………….. 227
Set up the Ad Hoc Access Platform…………………………………………. 228
Add the Local Administrator Account …………………………………….. 230
CPM Scanner Configuration ………………………………………………….. 230
Test Ad Hoc Access ……. 231
CUSTOM FILE CATEGORIES ……. 232
Creating the Custom File Category …………………………………………. 233
Adding the Custom File Category to the Platform …………………….. 234
Making the File Categorical Searchable ………………………………….. 235
Testing the New File Category ………………………………………………. 237

CyberArk PAM Install & Configure, v10.9

 INTRODUCTION…………………………………..4 
USING SKYTAP………………………………………..4 
INTERNATIONAL USERS………………………………… 6 


SCENARIO ………………………………………….10 
EPV INSTRUCTIONS………………………………..11 
VAULT INSTALLATION……………………………..12 
BEFORE INSTALLATION…………………………………… 12 
VAULT SERVER INSTALLATION……………………………….15 
PRIVATEARK CLIENT INSTALLATION………………………….23 
POST VAULT INSTALLATION ……………………………… 26 


INSTALL PASSWORD VAULT WEB ACCESS…………27 
INSTALL IIS PRE-REQUISITE SOFTWARE USING AUTOMATIC PREREQUISITES SCRIPT ………………………………………………………… 27
REQUIRE HTTP OVER SSL (PVWA)……………………………………………………………………………………………………………. 29
INSTALL PVWA…………………………………………………………………………………………………………………………………… 29
HARDENING THE CYBERARK PVWA SERVERS …………………………………………………………………………………………………. 32
CONFIGURE IIS REDIRECTION……………………………………………………………………………………………………………………. 34
TEST PVWA LOAD BALANCING…………………………………………………………………………………………………………………. 36
INSTALL CPM (DISTRIBUTED)………………………………………………………………………………………………………………… 37
INSTALL 1
ST CPM …………………………………………………………………………………………………………………………………. 37
INSTALL THE PRIVATEARK CLIENT ON THE COMPONENT SERVER……………………………………………………………………………… 41
POST CPM INSTALLATION……………………………………………………………………………………………………………………….. 41
INSTALL 2
ND CPM…………………………………………………………………………………………………………………………………. 41
POST CPM INSTALLATION……………………………………………………………………………………………………………………….. 42
INSTALL THE PRIVATEARK CLIENT ON THE COMP01B SERVER………………………………………………………………………………… 43
RENAME 1
ST CPM………………………………………………………………………………………………………………………………… 43
UPDATE THE NAME OF THE CPM IN THE PVWA………………………………………………………………………………………………. 46
HARDEN THE CPM SERVER………………………………………………………………………………………………………………………. 46
INTEGRATIONS……………………………………………………………………………………………………………………………………. 48
LDAP AUTHENTICATION (OVER SSL)…………………………………………………………………………………………………………… 48
SMTP INTEGRATION……………………………………………………………………………………………………………………………… 53
SIEM INTEGRATION………………………………………………………………………………………………………………………………. 56
NTP INTEGRATION ……………………………………………………………………………………………………………………………….. 59
AUTHENTICATION TYPES ……………………………………………………………………………………………………………………… 62
RADIUS AUTHENTICATION ……………………………………………………………………………………………………………………… 62
PKI AUTHENTICATION ……………………………………………………………………………………………………………………………. 68
TWO FACTOR AUTHENTICATION (2FA) ………………………………………………………………………………………………………… 72
EPV TESTING AND VALIDATION…………………………………………………………………………………………………………….. 73
ADD WINDOWS DOMAIN ACCOUNT……………………………………………………………………………………………………………. 73
ADD WINDOWS SERVER LOCAL ACCOUNT……………………………………………………………………………………………………… 73
ADD LINUX ROOT ACCOUNT …………………………………………………………………………………………………………………….. 74
ADD ORACLE DATABASE ACCOUNT……………………………………………………………………………………………………………… 74
Privileged Account Security Install & Configure, v10.9
CyberArk University Exercise Guide Page 2
© Cyber-Ark® Software Ltd – No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and mechanical,
without the express prior written permission of Cyber-Ark® Software Ltd.
INSTALL PSM/PSMP…………………………………………………………………………………………………………………………….. 76
INSTALL A STANDALONE PSM INSTALLATION………………………………………………………………………………………….. 77
PSM INSTALLATION PREREQUISITES ……………………………………………………………………………………………………………. 77
PSM INSTALLATION………………………………………………………………………………………………………………………………. 80
PSM POST INSTALLATION ……………………………………………………………………………………………………………………….. 83
PSM HARDENING ………………………………………………………………………………………………………………………………… 84
PSM TESTING AND VALIDATION………………………………………………………………………………………………………………… 86
LOAD BALANCED PSM SERVERS…………………………………………………………………………………………………………….. 89
CONFIGURE PSM LOAD BALANCING……………………………………………………………………………………………………………. 89
PSM FOR SSH INSTALLATION………………………………………………………………………………………………………………… 92
SECURING CYBERARK…………………………………………………………………………………………………………………………… 98
LOCK DOWN A USER’S INTERFACE………………………………………………………………………………………………………………. 98
USE RDP OVER SSL………………………………………………………………………………………………………………………………. 99
MANAGE LDAP BINDACCOUNT ………………………………………………………………………………………………………………. 104
MANAGE PSMCONNECT/PSMADMINCONNECT USING THE CPM……………………………………………………………………….. 105
MANAGE CYBERARK ADMINISTRATOR ACCOUNT USING THE CPM ……………………………………………………………………….. 109
CONNECT WITH PSM-PRIVATEARK CLIENT ………………………………………………………………………………………………….. 110
CONNECT USING PSM-PVWA-CHROME……………………………………………………………………………………………………. 113
BACKUP……………………………………………………………………………………………………………………………………………. 116
ENABLE THE BACKUP AND DR USERS …………………………………………………………………………………………………………. 116
INSTALL THE PRIVATEARK REPLICATOR COMPONENT ……………………………………………………………………………………….. 119
TESTING THE BACKUP/RESTORE PROCESS ……………………………………………………………………………………………………. 123
DISASTER RECOVERY………………………………………………………………………………………………………………………….. 126
INSTALL THE DISASTER RECOVERY MODULE………………………………………………………………………………………………….. 126
VALIDATE THE REPLICATION WAS SUCCESSFUL ……………………………………………………………………………………………….. 129
EXECUTE AUTOMATIC FAILOVER TEST ………………………………………………………………………………………………………… 130
EXECUTE FAILBACK PROCEDURE USING MANUAL FAILOVER ……………………………………………………………………………….. 132
(OPTIONAL) EXERCISES ………………………………………………………………………………………………………………………. 137
ADVANCED PSMP IMPLEMENTATIONS…………………………………………………………………………………………………. 138
ADDING FIREWALL RULES TO THE VAULT MANUALLY…………………………………………………………………………….. 142

References

  • https://training.cyberark.com/
  • https://cyberark.influitive.com/
  • https://champions.cyberark.com/
  • https://cyberark-customers.force.com/s/

By Jonny

One thought on “CyberArk PAM Basic Lab Environment and Admin/Install/Configure Lab Instruction”

Leave a Reply to Bhagya ShroffCancel reply

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

%d