Professional Documents
Culture Documents
Exercise Guide
6/27/2021
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic
and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.
Contents
CONTENTS ..... 2
INTRODUCTION ..... 7
USING SKYTAP ..... 7
INTERNATIONAL USERS ..... 9
Password Management ..... 67
SECURING UNIX SSH ACCOUNTS ..... 70
Vault Administrator Tasks – Mike ..... 70
Safe Manager Tasks – Paul ..... 73
Auditor Tasks ..... 85
Manually onboard discovered accounts ..... 151
ADD MULTIPLE ACCOUNTS FROM FILE ..... 154
Running a Restore ..... 214
CyberArk University Exercise Guide page 6
CyberArk Privileged Access Security 11.7 – Administration
Introduction
Using Skytap
Before beginning the exercises, here are a few tips to help you navigate the labs more
effectively. You can refer to the section for International Users for instructions on
changing the keyboard.
The virtual machines need to be running for you to be able to do the exercises. You can
start all the virtual machines with one click by pressing the start button. The button is
highlighted in red in the image below. Note that all but two of the machines in this image
are already running.
Note: The number and names of virtual machines vary by course. The image above is
given as an example and might not match exactly what you see.
The environments have been set up to start up gradually: first the domain controller, then
the Vault, and so on. It will take a few minutes for them to get up and running. Also note
that some machines are designed not to start automatically. This is the case for the
PTAServer and DR in the image above. These servers are not needed until later in the
course, so you can start them when instructed in the manual or by the CyberArk trainer.
Occasionally, for reasons outside our control, one or more machines may fail to start up
when requested. If you notice that a particular machine is not responding to a ping or if
you cannot log in using Active Directory, you should check your virtual machines to make
sure they are all running properly.
Click on the large monitor icon to connect to a virtual machine with the HTML 5 client.
Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine.
The clipboard icon will allow you to copy and paste text between your computer and
your lab machine. Do NOT copy and paste from this PDF into the CyberArk PAS
tool. It will not work.
The full screen icon will resize your virtual screen to adapt to your computer’s screen
settings to avoid scrolling.
International Users
By default, the lab machines are configured to use a US English keyboard layout. If you
use a machine from a country other than the US, you may experience odd behavior from
your lab machines. The solution is to install the keyboard layout for your keyboard on our
lab machines. Follow the process below to find and configure the correct keyboard layout
for your keyboard.
Note: If you use an alternate keyboard layout (e.g. AZERTY, Dvorak) you can click options
next to your language to install that. Otherwise, close the Language window.
In the system tray, click ENG, then choose your keyboard layout. You may switch
back and forth between keyboard layouts. Your instructor may need to switch back
to ENG to help you with exercises.
For the purposes of the training, we have created an IT environment for the fictitious
company Acme Corporation. The domain name is acme.corp.
The goal is to provide trainees with an environment that resembles as closely as possible
an actual production environment. As such, there is a domain with Active Directory, an
email server, a certification authority for PKI authentication, and so on. Our goal is to
integrate CyberArk PAM in this corporate environment and to bring the principal privileged
accounts under CyberArk control.
Acme Servers
The table below lists the various servers, their roles, and configuration. The lines shaded
blue represent servers hosting CyberArk services.
We will do most of our work on the server hosting the component services, also known as the
Components server. As indicated above, the Components server runs most of the CyberArk
component services. For convenience, it also serves as the workstation for the Vault administrator.
All the servers (except for the ptaserver and DR) are configured to start automatically
when the general power-on button is clicked in Skytap. Obviously, for CyberArk PAM to
work properly, the servers need to be running. So, if you run into problems connecting to
the PVWA or opening a PSM session to a Linux machine, the first thing to do is to check
that all the machines and the corresponding services are running.
Because we won’t need them immediately, we will start up the ptaserver and DR later in
the course.
In this first section, we will perform a few basic tasks to start to familiarize ourselves with
the various CyberArk PAM tools and interfaces. We will:
• Log into the Components server, which will also serve as our workstation.
• Log into Password Vault Web Access (PVWA)
• Connect via PrivateArk Client
• Connect via Remote Control Client
• Use the Vault Server Central Administration tool
All actions should be performed on the Components server unless otherwise indicated.
First, we need to log into Windows. We are going to use the Components server as our
workstation. The account we will use is Mike, an Active Directory user who has been
given the responsibility for configuring and maintaining the CyberArk PAM solution in
Acme.
In Skytap, click on the screen for the 02 – components virtual machine. This will
open a browser window with the machine’s login screen.
Click the Ctrl-Alt-Del button in the Skytap toolbar at the top of the window to bring up
the login dialog. You can also use the keyboard combination Ctrl+Alt+End to send
Ctrl+Alt+Delete.
Enter mike as the username and Cyberark1 as the password. Remember, the
machines use the US English keyboard as the default, so you may have to adjust the
keys you use. When you are finished, hit Enter to log in.
You should now find yourself logged into the Components server with the Active
Directory credentials of the CyberArk Vault Administrator.
PVWA
In this section, we will perform some basic operations using the Password Vault Web
Access, or PVWA. We will:
Log in as Mike
On the Components server, launch a browser using one of the shortcuts in the
taskbar at the bottom of the screen. You should arrive directly on the login screen for
the PVWA.
Note: The screenshots in this guide have been made using the Chrome browser, which
works very well and is probably the fastest.
There are currently two authentication methods available to us: CyberArk and
LDAP. LDAP integration has already been performed by the installation team, so we
can connect with the Active Directory credentials of our CyberArk Vault Administrator
Mike. Click on the LDAP icon.
Enter the username Mike and password Cyberark1 and then hit Enter or click Sign
In.
By default, you will be in the Accounts View, which provides access to all the
privileged accounts in the Safes of which you are a member. There are not many
accounts at the moment. It will be our job to add them.
As you can see in the image above, the Connect button is greyed out. The reason is that
the PSM has not yet been activated (Inactive is the default value). We will activate it
now.
To activate the PSM, we will need to modify the Master Policy. Click on the
Policies tab.
In the Master Policy, open the Session Management section, select Require
privileged session monitoring and isolation, and then click the pencil icon in the upper
right-hand corner.
Toggle the value from Inactive to Active and then click the diskette icon to save the
change.
While we are here, we can make our lives easier by deactivating the option Require users
to specify a reason for access, which can be found in the Privileged Access
Workflows section at the top. That way we will not be required to enter a reason every
time we want to test a newly created account.
Select the policy, click the pencil icon, toggle the value from Active to Inactive, and then
click the diskette icon to save your changes.
Now we will test using a password from the Vault by connecting to a target device using a
test account.
Go back to Accounts View by clicking on the tab along the left-hand side of the
screen (second from the top) and then click again on the root10 account. You should
now see that the Connect button is enabled.
Click on Connect.
Depending on the browser, the PSM server will send an RDP file. In Chrome, it is
downloaded to the local machine and appears in the lower left-hand corner of the
screen.
Click on the RDP file to launch the connection. You will then be prompted to allow
the RemoteApp program to run. Click Connect.
Note: If it is the first time the currently logged in user (in this case Mike) connects to the
target server, you will be prompted to accept the server’s key. You must accept the
key.
You will see a banner telling you that your session is being recorded by the
Privileged Session Manager (this will eventually disappear) and then see a PuTTY
window with the SSH connection to the machine target-lin with the username root10.
Note: The password for this user was retrieved by the PSM from the Vault and inserted
into the PuTTY session at the moment of connection. At no time did the password
appear on the user machine.
Enter “exit” (without the quotes) into the SSH session and hit Enter to close the
session. This closes the SSH session and the RDP connection.
CyberArk introduced a new user interface beginning with version 10. There is, however,
still some functionality that can only be accessed through the old interface, or Classic UI,
so we will now look at how to access this user interface.
In this section, we will use another method to retrieve the password for root10 by using the
Show button in the classic UI.
Back in the PVWA, you should still see the details for the account root10. In the
upper right-hand corner of the Accounts View you will see a link to the Classic UI.
Click the link.
Here, you are looking at the Account Details for root10 in the Classic UI. Notice that
we are still in the version 10 interface: you still have access to the tabs along the left-
hand side. Now click the Show button.
We can now see the password that is currently stored in the Vault for the account
root10.
As a last step, click the Change button at the top of the Account Details view. You
are presented with three options. The first option – Change the password
immediately (by the CPM) – is available in both the Classic and the new UI. The
other two options are for the moment only available in the Classic UI. Click OK to
change the password immediately.
Now hover the mouse over the Accounts tab on the left-hand side and select
Accounts View. This will bring us back to the new interface. Click on the root10
account again and after a few minutes, you should see that the password has been
changed by PasswordManager (in other words, the CPM). Click refresh until you
see that the password has been changed.
PrivateArk Client
In this section, we will see how to perform a basic file retrieval using the PrivateArk
Client. The file we are going to retrieve is italog.log, the Vault’s main log file.
Connecting
In the Windows taskbar, click on the shortcut to launch the PrivateArk Client.
Now double-click on the link named Primary Vault. You can configure multiple Vault
connections here: Primary, Disaster Recovery, etc.
Note: you will notice you have two servers configured: Primary Vault and DR Vault.
When you are requested in this guide to connect using the PrivateArk Client,
always use the Primary Vault, unless stated otherwise.
Enter the username and password for the internal CyberArk Administrator user.
Note: It is not possible to login to the CyberArk solution via both interfaces at the same
time, using the same user. If you have not logged out of your session on the PVWA,
logging into the PrivateArk Client with the same user will terminate your session.
The reverse, however, is not true: if you leave your PrivateArk Client session open
and try to log into the PVWA with the same user, you will not be able to.
Now we are in the main window looking at the Safes to which the current user has
access. The Safe we are interested in is the System Safe. Double-click on it to open
it and “step into” the Safe.
You will probably receive a message asking if you want to clear expired Safe history.
Click Yes.
The file we want to view is italog.log. We are not going to modify the file, so right-
click on it and select Retrieve for Read-Only.
The file is extracted from the Safe and displayed. Take a moment to view some of
the log messages and then close the file.
To indicate to the Vault that we are finished with the file, right-click on it again and
select Return to Safe.
You can change how you view the Safes by going to the View menu. Click View and
then Details.
You can either use the Logoff button or simply close the PrivateArk Client. Both
will close the Safe and terminate your session.
We are now going to execute a few simple commands using the Remote Control Client,
a command-line tool for performing remote administration on the Vault.
To start the Remote Control Client, run the following command (highlighted in
yellow below):
Once you have the PARCLIENT prompt, get the current Vault status by running:
When you stop the Vault, the Event Notification Engine, or ENE, is also stopped
because it is dependent on the Vault service. However, when you start the Vault,
the ENE is not automatically restarted. You have to restart it manually by running:
As a final step, check the status on these two Vault services by running:
Type exit and hit enter to exit the PrivateArk Remote Control Client.
In the last section for this first chapter, we will see how to stop and restart the Vault
service directly on the Vault. To do this, we will need to switch in Skytap from the
Component server to the Vault server.
On the desktop of the Vault server, you will find two CyberArk icons:
• PrivateArk Server
• PrivateArk Client
You will receive a User Account Control alert. Click Yes to allow the action.
The main function of the Server Central Administration tool is to view the italog.log
file and to stop and restart the Vault. Click on the red traffic light icon to stop the
Vault service.
You will be prompted for the type of shutdown. Choose Normal shutdown and click
OK.
You will be asked to confirm Vault shutdown. Click Yes to shut down the Vault.
You will see the messages indicating the shutdown procedure ending with the
message: ITAFW002I Firewall is closed to client communication.
To restart the Vault service, click on the green traffic light icon.
You will see several messages indicating that the Vault is starting up.
As was the case with the Remote Control Client, starting the Vault in the Server
Central Administration tool does not restart the Cyber-Ark Event Notification
Engine (as it is listed in the local services). The ENE is essential for the Vault to
send emails and alerts, so you will have to start it by going into the Services tool on
the Vault server and starting the service there. You will find a shortcut in the taskbar
on the Vault desktop.
User Management
Before we begin, let's first get to know the different users we will be using throughout this
lab and their roles. The password for all these users is Cyberark1.
Linux Team
Windows Team
Oracle Team
In this first section we will review the LDAP integration with CyberArk PAM and the
predefined directory mapping to four common CyberArk roles.
1. Create the connection to the LDAP server, which in our case is Active Directory.
2. Create the directory mappings between the AD groups and the built-in CyberArk
roles.
The above steps have already been completed by the implementation team. We will now
review the predefined directory mappings and examine the authorizations assigned to four
common CyberArk roles.
To review the LDAP integration and existing directory mappings, you must use the built-in
CyberArk Administrator account (password: Cyberark1).
Along the left side of the window you will find the navigation tabs. The User
Provisioning tab is the next to last one. Hover the mouse over the tab and select
LDAP Integration.
Note that CyberArk PAM has been integrated with the acme.corp domain and that
four directory mappings have been defined.
As you can see, there are four AD groups, and each AD group is mapped to selected
CyberArk roles as shown in the table below.
In the Details tab you can see the mapping criteria, the mapping destination in the
Vault, the authentication method the mapped users will use to authenticate to
CyberArk, and how many days user activity logs are kept.
Note: In the above example we can see that users who belong to the AD group CyberArk
Vault Admins are mapped to this role, and that the authentication method they will
use is LDAP.
To know what Vault authorizations are assigned to the mapped users, click on the
Vault authorizations tab.
Here we can see that users who are mapped to the role of Vault admins are
assigned all Vault authorizations except Backup all safes. In other words,
members of the AD group CyberArk Vault Admins will be assigned the following Vault
authorizations when they authenticate to CyberArk for the first time:
Note that you can now edit all the settings we reviewed in the Details page, as well as
the Vault authorizations that are assigned to users who meet the search criteria.
Here we can review which LDAP users currently meet the mapping criteria and will
be assigned the Vault admin role when they are first created in CyberArk.
Note: In the above example we can see that Mike is the only user who meets the Mapping
Criteria. This means that when Mike authenticates to CyberArk for the first time,
his user will be created and assigned the Vault authorizations of a Vault admin
(which includes all Vault authorizations except for Backup all safes).
Repeat the above steps to review the details of the other three pre-defined
mappings: Safe Managers, Auditors and Users. Note the following for each mapping:
• What Vault authorizations are assigned to users who meet the criteria?
Now that we can log into CyberArk PAS using Active Directory accounts, test the
integration by logging in with the following accounts (all have the password Cyberark1).
• Mike
• Cindy
• Paul
• Carlos
Take note of the differences in access to different PVWA panes and buttons.
In this section we will create a custom directory mapping for CyberArk Help Desk – a
group with the necessary Vault authorizations to manage users in CyberArk.
Navigate to User Provisioning > LDAP Integration. This time select Add Mapping.
Click in the Map order section to update the display and move Help Desk to the
second position using the up and down arrows. Then click on Next.
Note: The mapping order is important for users who belong to multiple
groups/mappings. For example, if a user belongs to both Help Desk and Vault
Admins mappings, the user will receive the privileges for the first mapping listed. If
Help Desk was listed first, a user who is also a help desk user would only receive
the help desk subset of vault authorizations, instead of the full set provided by the
Vault Admins mapping.
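The following Python script is an added example (not part of the course material or of the product) that models the "first mapping in map order wins" rule described in the note above. The authorization names are the ones named in this guide; the Vault Admins set is abbreviated to a couple of representative extra authorizations, which is an assumption, not the product's full list.

```python
from __future__ import annotations
from dataclasses import dataclass

# Vault authorizations named in this guide. The Vault Admins set is abbreviated
# (assumption): the guide says it is every authorization except Backup All Safes,
# so only two representative extra authorizations are listed here.
HELP_DESK_AUTHS = frozenset({"Activate Users", "Audit Users", "Reset Users' Passwords"})
VAULT_ADMIN_AUTHS = HELP_DESK_AUTHS | frozenset({"Add Safes", "Manage Directory Mapping"})


@dataclass(frozen=True)
class DirectoryMapping:
    name: str
    ldap_groups: frozenset[str]     # AD groups that satisfy the mapping criteria
    authorizations: frozenset[str]  # Vault authorizations granted by this mapping


def resolve_mapping(user_groups, mappings):
    """Return (mapping name, authorizations) from the FIRST mapping in map order
    whose LDAP-group criteria the user meets; later matching mappings are ignored."""
    groups = frozenset(user_groups)
    for mapping in mappings:
        if groups & mapping.ldap_groups:
            return mapping.name, mapping.authorizations
    return None, frozenset()


def shadowed_authorizations(user_groups, mappings):
    """Authorizations the user would get from a later matching mapping but loses
    because an earlier mapping matched first. Empty means the order is harmless."""
    _, granted = resolve_mapping(user_groups, mappings)
    groups = frozenset(user_groups)
    from_all = frozenset().union(
        *(m.authorizations for m in mappings if groups & m.ldap_groups))
    return from_all - granted


VAULT_ADMINS = DirectoryMapping("Vault Admins", frozenset({"CyberArk Vault Admins"}), VAULT_ADMIN_AUTHS)
HELP_DESK = DirectoryMapping("Help Desk", frozenset({"CyberArk Help Desk"}), HELP_DESK_AUTHS)

# Constructed sample: a user who belongs to both AD groups.
BOTH_GROUPS = ["CyberArk Vault Admins", "CyberArk Help Desk"]

if __name__ == "__main__":
    for order in ([VAULT_ADMINS, HELP_DESK], [HELP_DESK, VAULT_ADMINS]):
        name, auths = resolve_mapping(BOTH_GROUPS, order)
        lost = shadowed_authorizations(BOTH_GROUPS, order)
        print(f"{name}: {sorted(auths)}; lost to ordering: {sorted(lost)}")
```

Running `shadowed_authorizations` for every user against the planned map order is a quick way to spot, before saving, who would silently lose authorizations because a narrower mapping sits above a broader one.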
Type ‘cyber’ and then select the Active Directory group CyberArk Help Desk under
LDAP group (once you begin typing the name should autocomplete itself). You may
click on View users to view the users the directory mapping will be applied to. Then
click on Next.
Select the following Vault Authorizations: Activate Users, Audit Users, and Reset
Users’ Passwords then click on Next.
Verify your settings in the Summary page. If all is ok, click on Save.
To test this custom mapping, we will log in to the PrivateArk Client as Dexter, who works
in the CyberArk Help Desk. The reason for using the PrivateArk Client is that user
management is still mostly handled in this interface. In this exercise we will also see how
to change the authentication method used in the PrivateArk Client.
Open the PrivateArk Client using the shortcut in the Windows task bar.
Click on Advanced.
Double click on the Prod icon to log in to the Prod vault. Enter Dexter as the username
and Cyberark1 as the password.
Note that you should not see any Safes when logged in to the PrivateArk Client as
Dexter.
You should be able to see all the users provisioned in the Vault, both internal users
and transparent users. You should also be able to see the newly added Dexter
transparent user.
Select another user, for example, Mike, and review the user’s Vault authorizations.
Then click on Trusted Net Areas…
As you can see, the user is now active (there is no need to deactivate it). In the event
that Mike or any other user gets suspended, you will now be able to re-activate the
user using Dexter or any other user of the CyberArk Help Desk group, by clicking on
Activate.
When finished, change the default authentication method for the Prod server back to
PrivateArk authentication.
In this exercise, you will provoke a user suspension by entering the incorrect password for
a user and then see how an administrator or a power user can unsuspend the user.
From the Components server, try to log in via the PVWA as Carlos using a wrong
password. After 5 unsuccessful attempts the user should be suspended. You should
receive the below message on the 6th attempt.
On the Components server, open the PrivateArk Client using the shortcut in the
Windows task bar.
Locate the Carlos user. Click on Trusted Net Areas. Then click on Activate to
unsuspend Carlos.
Open the PVWA and try to log in as Carlos, this time using the correct password
(Cyberark1). Verify that you can now log in as Carlos.
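The following Python script is an added example (not part of the course material or of the product) that models the suspension and re-activation logic this exercise walks through: five failed attempts suspend the user, the sixth attempt is refused even with the right password, and only a user holding the Activate Users authorization (Dexter, via the Help Desk mapping) can re-activate Carlos. Passwords are held in plain text only because this is a model of the logic, not a credential store.

```python
from __future__ import annotations
from dataclasses import dataclass
import hmac

MAX_FAILED_ATTEMPTS = 5  # the guide: the user is suspended after 5 unsuccessful attempts


@dataclass
class VaultUser:
    name: str
    password: str                      # plain text only because this is a model
    authorizations: frozenset[str] = frozenset()
    failed_attempts: int = 0
    suspended: bool = False


class VaultModel:
    """Model of user suspension and re-activation; also keeps an audit trail."""

    def __init__(self, users: list[VaultUser]):
        self.users = {u.name: u for u in users}
        self.audit: list[str] = []

    def logon(self, name: str, password: str) -> str:
        user = self.users[name]
        if user.suspended:
            self.audit.append(f"{name}: logon refused, user suspended")
            return "suspended"
        if hmac.compare_digest(password, user.password):
            user.failed_attempts = 0
            self.audit.append(f"{name}: logon ok")
            return "ok"
        user.failed_attempts += 1
        self.audit.append(f"{name}: bad password ({user.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.suspended = True          # takes effect from the next attempt on
            self.audit.append(f"{name}: suspended")
        return "bad-password"

    def activate(self, actor: str, target: str) -> bool:
        """Re-activate a suspended user; requires the Activate Users authorization."""
        who = self.users[actor]
        if who.suspended or "Activate Users" not in who.authorizations:
            self.audit.append(f"{actor}: activate {target} denied")
            return False
        user = self.users[target]
        user.suspended = False
        user.failed_attempts = 0
        self.audit.append(f"{actor}: activated {target}")
        return True


def walk_through() -> list[str]:
    """Replay the exercise with constructed users: Carlos locks himself out, Paul
    (no Activate Users authorization) cannot help, Dexter (Help Desk) can."""
    vault = VaultModel([
        VaultUser("Carlos", "Cyberark1"),
        VaultUser("Paul", "Cyberark1"),
        VaultUser("Dexter", "Cyberark1",
                  frozenset({"Activate Users", "Audit Users", "Reset Users' Passwords"})),
    ])
    results = [vault.logon("Carlos", "wrong-password") for _ in range(6)]
    results.append("activate-by-paul:" + str(vault.activate("Paul", "Carlos")))
    results.append("activate-by-dexter:" + str(vault.activate("Dexter", "Carlos")))
    results.append(vault.logon("Carlos", "Cyberark1"))
    return results


if __name__ == "__main__":
    print(walk_through())
```

The audit list is the part an auditor cares about: a burst of bad-password entries followed by an activation by a Help Desk user is exactly the pattern to expect after this exercise, and anything else (an activation with no preceding suspension, or by a user outside the Help Desk group) is worth a question.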
There are some cases where you will need to log in to the Vault with the Master user. This
can be in the event of an emergency or to give permissions to a user for a Safe when
there are no active users with the necessary permissions.
In order to use the Master user, the dbparm.ini file must point to the location of the
Recovery Private Key. By default, this is the CD-ROM drive of the server.
Because we do not have a CD-ROM drive (we are using VMs for our lab exercises),
you will need to point it to the relevant location.
RecoveryPrvKey="C:\CYBR_Files\Keys\Master CD\recprv.key"
You don’t need to do anything here, but in a real environment, you would have to
retrieve the Master CD from a physical safe, load it into the Vault server, and only
then be able to connect to the Vault as Master.
Delete the username Administrator and enter: Master. The password is Cyberark1.
These values were set during installation.
You should notice that there are more safes displayed when you are logged in as the
Master user.
In this section, we will look at how to secure Windows domain accounts. We will begin
with accounts that are owned by the CyberArk Vault Administrators and that are used by
CyberArk PAM to perform CPM operations:
We will duplicate a Platform for these accounts, create a Safe, add an Active Directory
group as members of the Safe, and then add the accounts to the Safe.
Platform Management
Duplicating a Platform
If you are not still logged in, connect to the PVWA using LDAP authentication with the
Vault Administrator account mike with the password Cyberark1.
Note: As when you logged in earlier as Administrator, you will arrive by default in the
Accounts View. Notice, however, that you do not see the same accounts. Each
user will only see the accounts that are in Safes to which he or she has been
granted access.
As shown in the image below, in the Toolbar along the left side of the page, hover
over the wrench icon to expand the Administration menu and then click on
Platform Management.
Select the Windows Domain Accounts platform and press the Duplicate button.
Enter as the name WIN DOM ADM 15 (you can also give it a meaningful description)
and then press Create.
Select the WIN DOM ADM 15 platform and press the Edit button.
Note: This setting (AutoVerifyOnAdd) will prompt the CPM to automatically verify the
password whenever a new account assigned to this platform is added.
While not required, it is always a good idea to press the Apply button to make sure
your changes are saved (bottom right of the screen).
Note: Changing ImmediateInterval to 1 is only suitable for testing; otherwise it should be
left at its default value.
Still in Automatic Password Management > General, enter the following into the
AllowedSafes parameter.
CyberArk-Service-Accounts|Win-Dom-
Warning! Do NOT copy and paste from the PDF file. It will probably not work. Make sure there
is no space in front of or behind the | symbol.
Note: This regular expression restricts the Safes to which this Platform can be applied to
only those Safes that start with the string “Win-Dom-” or the safe named “CyberArk-
Service-Accounts”. This field is case sensitive.
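The following Python script is an added example (not part of the course material or of the product) that models the AllowedSafes check as the note above describes it: the pattern is a case-sensitive regular expression matched from the start of the Safe name. It also covers the Lin- value used later in this guide and shows why the warning about stray spaces around the | symbol matters. Whether the product also anchors the end of the Safe name is not stated in the guide, so this model deliberately does not.

```python
from __future__ import annotations
import re

# AllowedSafes values used in this guide.
WIN_DOM_ALLOWED = "CyberArk-Service-Accounts|Win-Dom-"
LIN_ALLOWED = "Lin-"
# Constructed: what a copy-and-paste from the PDF with spaces around "|" looks like.
BROKEN_ALLOWED = "CyberArk-Service-Accounts | Win-Dom-"


def safe_allowed(allowed_safes: str, safe_name: str) -> bool:
    """Model of the AllowedSafes check: regular expression matched from the start of
    the Safe name, case-sensitively (the "starts with" behaviour the guide describes).
    End-of-name anchoring is not modelled (assumption; not stated in the guide)."""
    return re.match(allowed_safes, safe_name) is not None


def pattern_problems(allowed_safes: str) -> list[str]:
    """Lint an AllowedSafes value for mistakes that silently break it."""
    problems: list[str] = []
    try:
        re.compile(allowed_safes)
    except re.error as exc:
        return [f"invalid regular expression: {exc}"]
    for alternative in allowed_safes.split("|"):
        if alternative == "":
            # "Win-Dom-|" has an empty branch, which matches every Safe name.
            problems.append("empty alternative: the pattern matches every Safe")
        elif alternative != alternative.strip():
            # " Win-Dom-" requires a leading space that no Safe name has.
            problems.append(f"whitespace around {alternative!r}: it can never match a Safe name")
    return problems


if __name__ == "__main__":
    for pattern in (WIN_DOM_ALLOWED, BROKEN_ALLOWED, "Win-Dom-|"):
        print(pattern, "->", pattern_problems(pattern) or "ok")
    for safe in ("Win-Dom-Prod", "win-dom-prod", "CyberArk-Service-Accounts", "Lin-Fin-US"):
        print(f"{safe}: WIN_DOM={safe_allowed(WIN_DOM_ALLOWED, safe)} LIN={safe_allowed(LIN_ALLOWED, safe)}")
```

The two failure modes the linter flags point in opposite directions: a stray space makes the platform unusable on the Safes you intended (an availability problem you notice quickly), while a trailing `|` makes it usable on every Safe (an authorization problem you may not notice at all).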
Press Apply.
PasswordLength: 17
MinUpperCase: 2
MinLowerCase: 2
MinDigit: 1
MinSpecial: 1
Note: The sum of the various complexity parameters must be less than or equal to
PasswordLength for password change to function. However, the system does not
check the values for you.
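The following Python script is an added example (not part of the course material or of the product) that performs the consistency check the note above says the system does not do for you, and then generates and validates a password against the WIN DOM ADM 15 values. The set of special characters is an assumption; the platform's own allowed set may differ.

```python
from __future__ import annotations
import secrets
import string

# Values entered in the Generate Password section of WIN DOM ADM 15 (from the guide).
WIN_DOM_ADM_15_POLICY = {
    "PasswordLength": 17, "MinUpperCase": 2, "MinLowerCase": 2, "MinDigit": 1, "MinSpecial": 1,
}
# Constructed inconsistent policy: the minimums add up to 8 but the length is 5.
INCONSISTENT_POLICY = {
    "PasswordLength": 5, "MinUpperCase": 3, "MinLowerCase": 3, "MinDigit": 1, "MinSpecial": 1,
}
# Special characters used here (assumption; the platform's allowed set may differ).
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{}~"
CLASSES = (
    ("MinUpperCase", string.ascii_uppercase),
    ("MinLowerCase", string.ascii_lowercase),
    ("MinDigit", string.digits),
    ("MinSpecial", SPECIALS),
)


def policy_is_consistent(policy: dict[str, int]) -> bool:
    """The check the product does not do: class minimums must fit in PasswordLength."""
    return sum(policy[key] for key, _ in CLASSES) <= policy["PasswordLength"]


def generate_password(policy: dict[str, int]) -> str:
    """Generate a password satisfying the policy, or raise if none can exist."""
    if not policy_is_consistent(policy):
        raise ValueError("sum of Min* parameters exceeds PasswordLength; no password can comply")
    # Satisfy each class minimum first, then fill the rest from the whole pool.
    chars = [secrets.choice(alphabet) for key, alphabet in CLASSES for _ in range(policy[key])]
    pool = "".join(alphabet for _, alphabet in CLASSES)
    chars += [secrets.choice(pool) for _ in range(policy["PasswordLength"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # required characters should not sit in a fixed position
    return "".join(chars)


def meets_policy(password: str, policy: dict[str, int]) -> bool:
    """Check a password against the exact length and each class minimum."""
    if len(password) != policy["PasswordLength"]:
        return False
    return all(sum(c in alphabet for c in password) >= policy[key] for key, alphabet in CLASSES)


if __name__ == "__main__":
    for name, policy in (("WIN DOM ADM 15", WIN_DOM_ADM_15_POLICY), ("inconsistent", INCONSISTENT_POLICY)):
        print(name, "consistent:", policy_is_consistent(policy))
    candidate = generate_password(WIN_DOM_ADM_15_POLICY)
    print("generated password meets policy:", meets_policy(candidate, WIN_DOM_ADM_15_POLICY))
```

Run `policy_is_consistent` over every platform's values after editing them: a policy whose minimums exceed its length is not rejected by the UI, but every subsequent password change on that platform will fail.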
Press Apply and OK to save all your changes and close the Platform.
Note: Notice that some of the Platforms are Active while others are Inactive. It is best
practice in CyberArk PAM to deactivate all Platforms that are not being actively
used. The Platforms we will be using in this course are:
- Oracle Database
- Unix via SSH
- Unix via SSH Keys
- Windows Domain Accounts
- Windows Server Local Accounts
You can deactivate the Platforms we won’t be using. Doing so is best practice and will
help avoid errors. We can always reactivate a Platform if we need to, but if it is
deactivated, no one will use it by mistake.
Note: As we have duplicated the Windows Domain Accounts platform to a new platform,
you can now deactivate the Windows Domain Accounts platform.
To deactivate a platform, select the platform, click on the ellipsis and select
Deactivate:
Safe Management
In this section, we will create a Safe to store several accounts that are used by the Vault
Administrators to manage other privileged accounts in CyberArk PAM. Specifically, we
will store our reconcile account and our accounts discovery scan account.
Creating a Safe
In the left-hand toolbar, click on POLICIES, Access Control (Safes), and then click
Add Safe.
On the Safe Details page, click the Add Member button to grant other users access
to this safe.
Enter “cyberark v” (without the quotes) in the Search field, leave Vault as the value in
the Search In field, and click Search.
Select the group CyberArk Vault Admins, check all the boxes to give Vault
Administrators full rights on these CyberArk service accounts, and click the Add
button. Click Close when you are done.
Now add another CyberArk group to the Safe: CyberArk Safe Managers. In the
Access section, give them only the List Accounts permission. We will need this for a
later exercise.
Account Management
In this section, we are going to add two accounts from Active Directory to CyberArk PAS
beginning with our reconcile account.
Please note that the account is named cybrreconcile (that is cybr, without the “e”).
Next, select the Platform we created for domain accounts: Win Dom Adm 15.
Address: acme.corp
Username: cybrreconcile
Password (optional): Cyberark1
Confirm Password: Cyberark1
Log On To: <click on Resolve>
Note: Because AutoVerifyOnAdd was set to Yes, the account will be scheduled for
immediate verification. In a minute or two, you should see that the account was
verified by PasswordManager.
Select the newly created account from the list and then click on the link Additional
details & actions in classic interface to open the account in the classic interface.
Copy the Safe name and the Name values to Notepad (we’ll be using these values in
a later exercise). They should look something like this:
Safe: CyberArk-Service-Accounts
Name: Operating System-WINDOMADM15-acme.corp-cybrreconcile
We will need another Windows account for a later exercise – cybrscan. Add a second
Windows domain account using the information below.
Best Practice: After adding a new account, you should rotate the password so that only
CyberArk PAM knows the password. Go ahead and change the passwords for
both cybrreconcile and cybrscan.
Password Management
To edit the Master Policy, click on Policies in the left-hand toolbar. By default you
will land in the Master Policy. In the Password Management section, select
Require password change every X days and then in the Rule Preview area on the
right, click on the pencil icon to edit the default value of 90 days.
Change the value to 60 and then click the diskette icon to save your change.
Add Exceptions
Let’s also add an exception for the Platform we created earlier – WIN DOM ADM 15 – so
that its passwords are changed every 15 days, rather than every 60 days.
Again, select the option Require password change every X days and click Add
Exception.
In this section, we will be managing a “Unix SSH” account or, to be more precise, a Linux
via SSH account.
In the previous section, we were managing what we could call “meta-accounts”: accounts
that are owned by the Vault Administrators and that are used by CyberArk PAM to
manage other accounts (which we will see later). Here, we are dealing with a very typical
account. It is an account that is owned by an IT team (in this case the Active Directory
group LinuxAdmins) and as such our Vault Administrators do not need to know the
password or have access to it.
To achieve this, we are going to divide the tasks of configuring CyberArk PAM to manage
these accounts into separate phases and perform the actions by “changing hats”; that is,
logging into CyberArk PAM with different user accounts according to the table below:
Vault administrator tasks are handled by Mike, so use this account to login to the PVWA.
Here you will create a Platform to manage Linux accounts that connect to their targets
with SSH.
Enter LIN SSH 30 in the Name field and optionally something like Linux servers via
SSH, rotate passwords every 30 days for a description and then press Create.
Important! Although you are free (and encouraged) to apply your own naming conventions for
Platforms and Safes in your own environments, please note that we will be referring
to the names provided here in later exercises. If you give your Platforms and Safes
different names, it may prevent you from completing later exercises successfully.
We therefore recommend you use the names suggested in the guide.
Change ImmediateInterval to 1
Note: Changing the ImmediateInterval field to 1 is only suitable for testing; it should be set
to 5 or higher in a real environment.
Change AllowedSafes to Lin- (case sensitive). This determines which safes can use
this platform.
Click Apply to save your changes, but do not exit the platform just yet.
Finally, in Generate Password, note that the default password length for Unix
machines is 12 characters. This value can be changed to reflect your organization’s
requirements.
Note: Until recently, the default password length for *nix accounts in CyberArk PAM was
8. It has been increased to 12.
Note: As we have duplicated the Unix via SSH platform to a new platform, you can now
deactivate the Unix via SSH platform.
We have already seen how to create a Master Policy exception. Create a new one for our
new Platform that rotates the passwords every 30 days.
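The following Python script is an added example (not part of the course material or of the product) that models how the Master Policy value and the two platform exceptions created in this guide (WIN DOM ADM 15 every 15 days, LIN SSH 30 every 30 days, everything else every 60 days) combine, and turns that into a small compliance report over a constructed account inventory.

```python
from __future__ import annotations
from datetime import date, timedelta

# Master Policy value set in this guide (the default was 90) and the platform exceptions.
MASTER_CHANGE_EVERY_DAYS = 60
PLATFORM_EXCEPTIONS = {"WIN DOM ADM 15": 15, "LIN SSH 30": 30}


def effective_interval_days(platform: str) -> int:
    """A platform exception overrides the Master Policy value for that platform only."""
    return PLATFORM_EXCEPTIONS.get(platform, MASTER_CHANGE_EVERY_DAYS)


def next_change_due(platform: str, last_changed: date) -> date:
    return last_changed + timedelta(days=effective_interval_days(platform))


def overdue_accounts(accounts, today: date) -> list[str]:
    """Names of accounts whose next change date has been reached or passed."""
    return [name for name, platform, last_changed in accounts
            if next_change_due(platform, last_changed) <= today]


# Constructed sample inventory: (account name, platform, date of last password change).
SAMPLE_ACCOUNTS = [
    ("cybrreconcile", "WIN DOM ADM 15", date(2021, 6, 10)),    # 15-day exception
    ("logon01", "LIN SSH 30", date(2021, 6, 10)),              # 30-day exception
    ("sample-db-account", "Oracle Database", date(2021, 4, 20)),  # Master Policy, 60 days
]

if __name__ == "__main__":
    today = date(2021, 6, 27)
    for name, platform, last_changed in SAMPLE_ACCOUNTS:
        print(f"{name:20} {platform:16} due {next_change_due(platform, last_changed)}")
    print("overdue:", overdue_accounts(SAMPLE_ACCOUNTS, today))
```

The report is the check an auditor would want after the exceptions are in place: an account on WIN DOM ADM 15 that is still on the 60-day cadence means the exception was not applied to the platform the account actually uses.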
For this section, we will need to “change hats”; that is, we need to imagine that we are a
different user. We are no longer a Vault Administrator, but a Linux system administrator
named Paul. We have been instructed to place all our privileged accounts into CyberArk
PAM so that their passwords (and SSH keys) will be stored in the Vault.
Paul is a member of the Active Directory groups CyberArk Safe Managers. This means
that when he logs in to CyberArk PAS, he will have the right to create Safes, add users to
the Safes he creates, and to add new accounts to those Safes, which is what we shall do.
Note: Some features may require the use of the UI's classic interface (pre-version 10). In
order to access this, you may need to select “Additional details & actions in classic
interface”, as shown below.
We will perform the basic tasks required to manage a privileged account on a Linux server
to which we connect using SSH. We will create a Safe to securely store the account and
add an AD group of users who are authorized to use the account. We will then add the
new account, verify that we can connect with it, and see how an auditor can monitor the
account activity.
Creating a Safe
Log in to the PVWA as Paul with the password Cyberark1 using LDAP
authentication. Notice that Paul can see the CyberArk service accounts, but he is
unable to view the passwords or use the accounts (due to his limited permissions).
Enter Lin-Fin-US as the Safe Name. This is the Safe where the ACME Corporation
will store the privileged accounts for its Linux servers that hold financial data for its
US division.
You can also provide a meaningful description. We won’t worry about the other
parameters for now, so press Save when you are done.
Press Add Member to grant other users access to the new Safe.
Enter linuxad in the Search field, select acme.corp in the Search In field and press
Search. Select LinuxAdmins, uncheck the option Retrieve accounts, and press Add.
Now add another group. This time add the LDAP group CyberArk Vault Admins with
the following permissions:
Click Add and then close the Add Safe Member window.
Note: You should now see that the LinuxAdmins group has been added to the newly
created Lin-Fin-US safe. We removed the ‘Retrieve’ option so that users will never
have access to the password. They can use it to connect, but never actually see it.
Also note that the user logged in is the creator of the Safe and is granted full
permissions by default.
We also added the CyberArk Vault Admins group so that they will be able to perform
account onboarding, which we will see later, but they will not be able to view the
passwords or even use the accounts to connect.
We have created a Platform and a Safe. Now we will add our first Linux account and store
it in the Lin-Fin-US safe and manage it with the LIN SSH 30 platform.
On the Add Account page, first select the system type *NIX and click Next:
Note: In the image above, only one safe appears. Why is that?
Address: 10.0.0.20
Username: logon01
Password: Cyberark1
Confirm Password: Cyberark1
On the Accounts page, select the newly created account. In Account Details,
press the Change button to confirm that you have created the account correctly and
to change the password to a value known only to CyberArk PAM.
After a minute or two, you will see that the value for Compliance Status is updated
to Changed by PasswordManager.
Paul wants to make sure that his new account is working correctly, so we are going to
connect to the target system using the account through the PSM.
Note: The behavior of RDP files will depend on the browser you use. The example shown
here is from Google Chrome.
Click on the RDP file to open it. You may receive a pop-up warning about the
publisher of the RemoteApp program. Click Connect to continue.
The first time you connect to a particular machine, you will receive an alert about the
server’s host key. Click Yes to accept the server’s key.
In the lower right-hand corner of the screen, you will see a pop-up informing you that
the session is being recorded. It will disappear automatically.
And then a PuTTY window will appear with your SSH connection to the machine
targe-lin as logon01.
Close the RemoteApp window by typing “exit” (without the quotes) and hitting Enter.
In the PVWA, you can view some of the messages your actions generated in the
Activities list.
Our first test verified that we are able to establish a connection to the target system using
the PSM. Now we want to just make sure that a normal user – i.e., a user who has to use
CyberArk PAM to get his or her job done – can use the account to connect to the target.
Note: Notice that the Show and Copy buttons are greyed out. This is because Paul
removed the Retrieve option for these users. They can connect to the target
system, but they will never know what the password is, making it less likely that the
password can be compromised.
As you did in the previous test, open the RDP file, accept the publisher and the
server key. Execute a few simple, non-destructive commands (remember, you are a
privileged user) such as pwd and ls -al in order to generate some session
activity. When you are done, enter exit and hit Enter to close the session.
Auditor Tasks
In this step you will review the activity related to the logon01 account by putting on an
auditor’s hat.
Sign out of the PVWA and log in using LDAP Authentication as cindy.
Notice that you have the details of what happened during the session under
Activities, including the commands you executed. Click on the Play button to view
the recording.
The recording plays automatically. You can pause, rewind, fast-forward, or jump to a
specific place in the recording by clicking on a command.
You can close the recording window by clicking on the X in the upper right-hand
corner.
• Linked Accounts
• Securing Oracle Accounts
• Securing an Account with SSH Keys
• Manage Service account platforms
Linked Accounts
In this exercise you will add to the CyberArk PAM implementation a Linux privileged account
that the target machine’s security policy prevents from accessing the server via SSH, which
is a very common restriction for root accounts. You will then associate a ‘logon’ account
with this new account, allowing you to manage the password despite the SSH restriction.
The logon account establishes the connection to the target machine, executes a switch-user
operation to the privileged account, and then runs the password change.
Note: In the Unix/Linux world, the account that is typically prevented from
connecting to a server remotely is the root account. Here in CyberArk
training, we are going to use an account named user01 and we will use the
account we created earlier, logon01, as the logon account.
Password: Cyberark1
Confirm Password: Cyberark1
Press Add.
On the Account Details page, press the Verify button and select OK to the pop up
to confirm. The status will appear as ‘This account is scheduled for immediate
verification’.
Eventually this will fail because the CPM received an ‘Access Denied’ message due to the
restriction on user01 (in the log file you should see the error message “Permission
Denied”).
Open the account details page using the Additional details & actions in classic
interface link.
Select the logon01 account created earlier – you may need to search to see this user
– and click Associate.
Back in the Account Details view, press the Verify button and click OK to confirm.
If you receive the following message, press OK.
Note: After a few minutes, the account should be verified. In the background the CPM
connected to the server as logon01 and switched to the user01 account to verify the
password.
In this exercise you will add a Windows local server account for which the correct
password is unknown. In order to bring this account under management, you will
associate it with a domain administrator account (cybrreconcile) that can perform a
password reset.
Duplicating a Platform
Enter WIN SRV LCL ADM 45 as the platform name (you may optionally add a
description such as “Rotate password every 45 days”) and press Create.
Go to UI & Workflows.
Note: Once again, we are modifying this value for training purposes only, enabling us to
move a little faster. A one-minute immediate interval is suitable for testing but
should be set to five in a production environment.
Enter Win-Srv- in the AllowedSafes field to limit the accounts with which this platform
can be used. Click Apply to save your change.
RCAutomaticReconcileWhenUnsynced: Yes
ReconcileAccountSafe: CyberArk-Service-Accounts
ReconcileAccountName: (copy this from the Notepad file you created earlier; do NOT copy it from this PDF)
Note: The values for the parameters as they appear above assume that you have followed
all previous instructions to the letter. If you haven’t, then these values will not work.
Also, copying and pasting from the PDF into the virtual machine causes problems,
so the safest approach is to do as instructed earlier and copy the values from the
PVWA, paste them into Notepad, and then copy them into the appropriate fields in
the Platform.
Note: Don’t forget to enable automatic password change and verification. Also, think
about what appropriate values for password length and complexity would be.
Note: Don’t forget to add the relevant exception to the Master Policy in order to enable
automatic password rotation every 45 days.
Note: As we have now duplicated the Windows Server Local Accounts platform, you can
deactivate the base platform.
Once again, we are changing hats and are going to log in as a Safe Manager named Tom,
who is responsible for the Windows servers team. In this part of the exercise, we will:
• Create a Safe
• Add Members to the Safe
• Add an Account
Creating a Safe
Now we are going to create a Safe for our Windows server local administrator accounts.
To comply with data protection regulation, we are going to organize our Safes so that only
US admins can access the passwords for US safes.
Log in to the PVWA as the AD user Tom with the password Cyberark1.
Name the Safe Win-Srv-Fin-US. Leave the default values for the rest.
Add the AD group WindowsAdmins to the Safe, but remove the check for Retrieve
Accounts – we don’t want our local administrators to view passwords. As this is the
first time we are assigning permissions to this group, make sure to search for the
group in acme.corp.
Now add the LDAP group CyberArk Vault Admins. Remove the permissions: Use
accounts and Retrieve accounts. Add Account Management (which will add all the
permissions under it). We will need this for a later exercise.
Adding an Account
Here we will add a local administrator account for your target Windows server: target-
win.acme.corp. Remember, we don’t know what the password is, so you could put
anything in the password fields (although they must match). We are still using the Tom
account.
Go to the ACCOUNTS page, and press Add Account. Enter the following and press
the Add button:
Note: After adding the account, when you select it you should see the message ‘The
password for this account has been manually scheduled for change’. This is
because you set AutoChangeOnAdd to Yes in the policy. Also note that a
reconcile account is already associated with this new account.
Press Refresh. Because the password for this account is incorrect, the password
change will fail.
Press Refresh again and, after a short time, you should receive a message
saying that the account was successfully reconciled. The first time an account is
reconciled it can take a little while, so be patient.
Duplicating a Platform
In this section, we are going to create a Platform dedicated to managing accounts used to
access Oracle databases, such as a DBA account.
• Set ImmediateInterval to 1.
Press Apply.
In the Generate Password section, add the equal sign character (‘=’ without the
quotes) to the PasswordForbiddenChars field. Make sure you add the new character
without deleting any of the existing characters.
Note: Now that we have duplicated the Oracle Database platform, you can deactivate the
base Oracle Database platform.
Note: Don’t forget to add an exception to the Master Policy in order to rotate the oracle
DBA passwords every 30 days.
Because we are dealing with a different technology – Oracle in this case – the person
responsible for managing Oracle Safes is different. Our Safe Manager for this exercise is,
of course, named Robert.
Creating a Safe
Log in to the PVWA as LDAP user Robert and go to POLICIES > Access Control
(Safes).
Add the Active Directory group OracleAdmins to the Safe, removing the Retrieve
permission (make sure to search for the group in acme.corp).
Now add the LDAP group CyberArk Vault Admins. Remove the permissions: Use
accounts and Retrieve accounts. Add Account Management (which will add all the
permissions under it). We will need this for a later exercise.
Adding an Account
Go to the ACCOUNTS tab, click Add Account and enter the following:
Press Add.
Note: Because the policy was set to AutoChangeOnAdd=Yes, the account will be set for
immediate change.
Press refresh and you will see the message: ‘The password for this account has
been manually scheduled for change’.
After a minute or two, press the Show button to display the new password.
In this section, we will perform the tasks required to manage a Linux account that connects
to its target server with a public-private key-pair.
Generating a Key-Pair
On the Components server launch PuTTY Key Generator from the Taskbar and
click Generate.
As instructed, you need to make mouse movements in the blank area to generate
random data for the key.
Click Yes to store the key without a passphrase. The CPM does not support private
keys with passphrases.
Select all the text in the ‘Public key for pasting into Open SSH authorized keys file’
box and copy it to your clipboard.
vi ~/.ssh/authorized_keys
Press i (or the Insert button on your keyboard) to enter insert mode.
Right-click inside the editor to paste the key. Verify that the key pasted correctly.
Warning! It can be a bit tricky to copy and paste into a terminal window. Make sure that your
key text begins with the string “ssh-rsa” and that it ends with “rsa-key-date” where
date is today’s date.
Press ESC, then type :wq (colon, w, q) and press ENTER to save and exit.
Make sure the key appears in the authorized_keys file (and that all characters were
pasted properly) by using the cat command:
cat ~/.ssh/authorized_keys
Note: If you need help with the vi editor, you can read the tutorial at:
http://www.tutorialspoint.com/unix/unix-vi-editor.htm
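The warning above asks you to eyeball the pasted key. The following is an added example (not part of the CyberArk exercise or product) that performs the same check programmatically, plus one the eye cannot do: it decodes the base64 body and confirms that the key type encoded inside it matches the text prefix, which a truncated or mangled paste breaks. It also reports the OpenSSH-style SHA256 fingerprint so the entry on the target can be compared with the key stored in the Vault. The sample key line is constructed from toy values and is not a usable key; the expected comment prefix rsa-key- is an assumption based on the PuTTYgen default mentioned above.

```python
"""Check that an authorized_keys entry survived the copy-and-paste intact."""
import base64
import binascii
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a decoded public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_authorized_key(line: str, comment_prefix: str = "rsa-key-") -> dict:
    """Validate one authorized_keys line and return its type, comment and fingerprint.

    Raises ValueError with the reason when the entry is unusable: bad layout,
    corrupt base64, a body whose embedded key type disagrees with the prefix,
    or a comment that does not carry the expected prefix.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-body> [comment]'")
    keytype, body = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if not keytype.startswith("ssh-"):
        raise ValueError(f"line does not start with an ssh key type: {keytype!r}")
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key body is not clean base64 ({exc}); re-paste the key") from exc
    if len(blob) < 4:
        raise ValueError("key body is too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("key body is truncated")
    wire_type = blob[4:4 + n]
    if wire_type != keytype.encode():
        raise ValueError(f"body encodes {wire_type!r} but the line says {keytype!r}")
    if comment_prefix and not comment.startswith(comment_prefix):
        raise ValueError(f"comment {comment!r} does not start with {comment_prefix!r}")
    return {"type": keytype, "comment": comment, "fingerprint": fingerprint(blob)}


def check_authorized_keys_file(text: str) -> list:
    """Run check_authorized_key over every non-blank, non-comment line of a file.

    Returns a list of (line number, result) where result is the dict from
    check_authorized_key or an 'INVALID: ...' string.
    """
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            results.append((lineno, check_authorized_key(line)))
        except ValueError as exc:
            results.append((lineno, f"INVALID: {exc}"))
    return results


def build_sample_rsa_line(comment: str = "rsa-key-20210627") -> str:
    """Constructed sample entry with toy RSA values; it is NOT a usable key."""
    e = b"\x01\x00\x01"                 # 65537 as an mpint payload
    n = b"\x00" + bytes(range(1, 33))   # placeholder modulus (leading zero keeps it positive)
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    good = build_sample_rsa_line()
    # Constructed file: one intact entry and one that lost a character in the paste.
    sample_file = good + "\n" + good.replace("AAAAB3Nz", "AAAAB3N", 1) + "\n"
    for lineno, result in check_authorized_keys_file(sample_file):
        print(lineno, result)
```

Run it on the target with the real file contents (for example by piping `cat ~/.ssh/authorized_keys` into a small wrapper that calls check_authorized_keys_file) and compare the reported fingerprint with the one shown for the key you generated; a paste that dropped or altered even one character is reported as INVALID.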
Now we will test that we are able to authenticate with the private key.
Type 10.0.0.20 in the Host Name box, but do not connect yet. Navigate to
Connection > Data.
Click Browse and browse to the ppk file you created earlier.
Now click Open and verify that you can log on without supplying a username and
password.
Note: Adding an SSH key does not automatically disable password authentication for
this account on the target. You will still be able to log in with the password for
root01.
Highlight *NIX > Unix via SSH Keys (make sure that you choose the Unix via SSH
Keys platform, not the “Unix via SSH” platform).
Select Duplicate.
• Set ImmediateInterval to 1.
Press Apply.
Note: Now that we have duplicated the Unix via SSH Keys platform, you can deactivate
the base Unix via SSH Keys platform.
Note: Don’t forget to add an exception to the Master Policy in order to rotate SSH Keys
every 90 days.
Go to the ACCOUNTS VIEW page and click the Add Account button.
Add an account with the following properties. If you do not see the SSH Key
configuration area, you may have duplicated the wrong platform.
Click Add.
Once the change completes, verify that you are NOT able to connect with PuTTY
using the private SSH key stored locally on the Components server.
In this section, we will look at service account usages. Specifically, we will look at:
Service Dependencies
When working with service dependencies, all service accounts on the remote machine must
be managed by the CPM. During standard service dependency management, if a service is
dependent on another service on the same remote machine, when the CPM tries to change
the service account password, its service accounts in the Vault will be disabled and a
corresponding message will be written in the CPM log. This means that all dependent
services will be handled by the root of the dependent services.
The virtual machine “Target Windows” (target-win - 10.0.21.1) contains two scheduled
tasks: schedtask01 and schedtask02. They are both configured to send an email to
Mike and John every time they are run and can be executed manually from a remote
machine by members of the LDAP groups WindowsAdmins and CyberArk Vault Admins.
The schedtask01 is configured to run with the local account localadmin01, while
schedtask02 is configured to run with local account localadmin02.
To test the scheduled task, launch a command prompt using the shortcut provided.
To open the email, launch a new browser tab and open the email client at
https://webmail.acme.corp/mewebmail/Mondo/lang/sys/Login.aspx (there is a
shortcut in the browser toolbar titled "Webmail"), and log in as mike with the password
Cyberark1.
Now, log in to the PVWA as Tom and go to the localadmin01 Account Details. Open
the classic interface.
Enter SchedTask01 in the Task Name field and enter target-win.acme.corp in the
Address field. Press Save.
After pressing Save, you’ll be able to see the new scheduled task that is associated
with the localadmin01 account.
Note: In many cases, the service account would be blocked from modifying its own
password. If that is the case, you would need to associate a reconcile account with
the Platform and set the parameter ChangePasswordInResetMode to Yes. This
procedure is covered in the CyberArk PAM Install & Configure training. You would
also need to associate a logon account with the scheduled task, which would be
used to perform the password change for the dependency.
Next, go back to the localadmin01 Account Details window and run a password
change. Select Change the password immediately (by the CPM).
Note: The scheduled task is associated with a different platform than the localadmin01
account. After the localadmin01 account has been changed, the flag will be set for
the scheduled task to be changed. The entire process could take around 10
minutes to complete.
After the Windows password has been changed, select the scheduled task, and open
the Account Details. You will see that the usage password is now scheduled for
immediate change.
Wait for the usage password to change and then re-run the scheduled task from the
command prompt.
Now check your email. This time you should receive a message stating that “The
scheduled task is working”.
Note: It is highly recommended to use the accounts discovery feature to detect, provision,
and manage all service accounts automatically. We will use the Accounts Discovery
capability later to discover and onboard schedtask02 which is associated with
localadmin02.
In this exercise you will configure a usage to update a password in a configuration file
whenever the specified account’s password is changed. In this example, the credentials
for dba01, an Oracle database privileged account, are also used by an application, which
retrieves the credentials from a configuration file, app01.ini. The file app01.ini is located
on the Linux server with IP address 10.0.0.20 in the /var/opt/app directory.
[Startup]
Product=App Server
ProductGUID=bf1f0850-d1c7-11d3-8e83-0000e8efafe3
CompanyName=Acme
CompanyURL=www.acmeiincv.com
MediaFormat=1
LogMode=1
SmallProgress=N
SplashTime=
CheckMD5=Y
CmdLine=
ShowPasswordDialog=N
ScriptDriven=4
[Languages]
Default=0x0409
Supported=0x0409
RequireExactLangMatch=0x0404,0x0804
RTLLangs=0x0401,0x040d
[Server]
Hostname=OraServer
Username=dba01
Password=Cyberark1
[Database]
Db=xe
Port=1521
The account dba01 is an Oracle DB account and is therefore unable to change the
credentials in a configuration file located on the Linux machine. As preparation, we
will now create a Logon account which the CPM will use to log in to the Linux target
server and change the credentials stored in the app01.ini configuration file.
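To make concrete what the INI-file usage does on the target, here is an added example (not CyberArk code and not the CPM’s own implementation) that rewrites exactly one parameter, Password under [Server], in a copy of app01.ini while leaving every other byte of the file alone, writes the result atomically so the application never reads a half-written file, and compares the file’s value with the Vault copy the way the verification step at the end of this exercise does by hand. The SAMPLE_INI text is a trimmed, constructed copy of the file shown above; the function names are hypothetical.

```python
"""Update one parameter of an INI file in place, as an INI-file usage does on the target."""
import hmac
import os
import re
import tempfile
from pathlib import Path

# Constructed, trimmed copy of the app01.ini shown in the exercise (not the real file).
SAMPLE_INI = """[Startup]
Product=App Server
ShowPasswordDialog=N
[Server]
Hostname=OraServer
Username=dba01
Password=Cyberark1
[Database]
Db=xe
Port=1521
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def get_ini_value(text: str, section: str, key: str) -> str:
    """Return the value of key in section (exact, case-sensitive key match)."""
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip()
            continue
        if current == section:
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                return v.strip()
    raise KeyError(f"{key} not found in [{section}]")


def set_ini_value(text: str, section: str, key: str, value: str) -> str:
    """Return text with the first key in section replaced; every other line is kept verbatim.

    Matching is on the exact key inside the named section, so Password under
    [Server] is changed while ShowPasswordDialog under [Startup] is not touched.
    """
    out, current, done = [], None, False
    for line in text.splitlines(keepends=True):
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip()
        elif current == section and not done:
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                body = v.rstrip("\r\n")
                eol = v[len(body):]                       # keep the file's line ending
                lead = body[: len(body) - len(body.lstrip())]  # keep spacing after '='
                line = f"{k}={lead}{value}{eol}"
                done = True
        out.append(line)
    if not done:
        raise KeyError(f"{key} not found in [{section}]")
    return "".join(out)


def rotate_ini_password(path, new_password: str, section: str = "Server", key: str = "Password") -> None:
    """Rewrite the file atomically so a reader never sees a half-written config."""
    p = Path(path)
    updated = set_ini_value(p.read_text(), section, key, new_password)
    fd, tmp = tempfile.mkstemp(dir=p.parent, prefix=p.name + ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(updated)
    os.chmod(tmp, p.stat().st_mode & 0o777)   # keep the original permission bits
    os.replace(tmp, p)                          # atomic swap on the same filesystem


def ini_password_matches(text: str, vault_password: str, section: str = "Server", key: str = "Password") -> bool:
    """Constant-time comparison of the file's value against the copy held in the Vault."""
    return hmac.compare_digest(get_ini_value(text, section, key).encode(), vault_password.encode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "app01.ini")
        path.write_text(SAMPLE_INI)
        rotate_ini_password(path, "N3wS3cret")
        print(path.read_text())
        print("matches vault:", ini_password_matches(path.read_text(), "N3wS3cret"))
```

Two points carry over to the real setup: whatever account performs the rewrite (here, the logon account app-account01) needs write permission on /var/opt/app/app01.ini and on its directory for the atomic rename, and the key match is exact, so the INI Parameter Name you enter in the usage must be spelled exactly as it appears in the file.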
Click on the newly created account and click on Verify. Confirm that the CPM can
verify the account password.
After selecting Add Usages, you will have a new ‘Usages’ entry at the end of the UI &
Workflows section. Right click Usages and select Add Usage.
Now go to ACCOUNTS and open the dba01 account using the Classic UI.
If the previous steps were configured properly, you should be able to see a new tab
called INI File in the Accounts Details page. In the new tab, click on Add.
Address: 10.0.0.20
File Path: /var/opt/app/app01.ini
Connection Type: SSH
INI Parameter Name: Password
Click on Associate.
Note: The reason we are associating a Logon account with the Usage is because the
target account (dba01) does not have permissions or the ability to change the
password in the configuration file (app01.ini). The CPM will use the Logon account
(app-account01) to connect to the target Linux machine and change the password in
the configuration file.
Review the details of the Usage in the Accounts Details page and make sure
everything is configured properly.
Go to the Account Details page for the primary account (dba01) and click the Change
button.
Once the password for the primary account has changed, click on the Usage, and
verify that the Usage is now set for Immediate change.
Review the Account Details page again after a few minutes to confirm the CPM
changed the password for the Usage as well.
Note: This process can take several minutes to complete. The usage has interval settings,
just like the account. When the account changes, it scans the vault for usages,
marks those usages for change, and then, according to those intervals, the changes
take effect. So, it will be a few minutes between when the password changes and
the file changes.
Perform the following steps to verify the password dba01 in the Vault matches the
password in the app01.ini file.
First, log in to the PVWA as Robert and locate the dba01 account. Select Show to
see the password of dba01. Copy the password to Notepad.
Now, log in to the PVWA as Paul and connect to 10.0.0.20 with the app-account01
account.
In this section we will test the Require users to specify reason for access workflow as well
as configure predefined reasons.
Log into the PVWA as mike and go to POLICIES > Master Policy > Privileged
Access Workflows, select Require users to specify reason for access, and press
Add Exception.
Set Require users to specify reason for access to Active. Set Allow users to specify
reason for access to Inactive. Click on Finish.
Add the following predefined reasons (you may also add your own if you wish).
Now, log into the PVWA as Carlos and select the user01 account. Click on Connect.
Select one of the predefined reasons, for example, Emergency Reboot. Then click on
Connect again to download the RDP file.
Once the connection to the target machine has been established, navigate to the
Activities tab and verify you can see the Audit details for the Connect action.
When you are finished, disconnect from the target machine, and move on to the next
exercise.
Dual control – requiring a manager to validate a request for access approval for certain
accounts – is a 2-step process:
1. You must activate the policy Require dual control password access approval, either
globally or by exception for a certain Platform (which is the usual case and what we
will do).
2. Add an approver to a Safe, either a group or a user, with at least the List Accounts
and Authorize account requests permissions.
This minimum configuration would give the manager/approver the right to validate the
requests, but not the right to use the passwords to connect to target systems (they only
have List, not Use or Retrieve).
Log into the PVWA as mike and go to POLICIES > Master Policy > Privileged
Access Workflows, select Require dual control password access approval, and
press Add Exception.
Click Active. Review (but do not modify) the other options available. When ready,
press Finish.
Log on to the PVWA as Paul and go to POLICIES > Access Control (Safes).
Enter ITManagers in the Search field, select acme.corp in the Search In field, and
press Search.
Under Access, remove the checks for Use accounts and Retrieve accounts for this
group.
Scroll down and expand the Workflow link to access the Authorize account requests
check box. Check the Authorize account requests box with Level 1 and remove the
Access Safe without confirmation permission.
Press Add.
Testing this workflow requires us to wear a number of hats. We configured the system as
a Safe Manager – Paul – now we are going to become ordinary users of the system.
• We will first log in as a user who has the right to use a password, but only with
manager approval – Carlos.
• We will then put on our manager hat and check our email, notice that we have a
notification for an approval request pending, log into the PVWA as that manager
user – Tom – using the link provided, and approve the request.
• Finally, we will return to the PVWA as Carlos, find the approval notification, and
access the target system with the password.
Note: Because we will be changing users, you might want to use two browsers or separate
browser sessions. You can use incognito mode to open two separate sessions with
two separate users.
First, log in to the PVWA as the LDAP user Tom with the password Cyberark1 (note that
Tom can now see Linux accounts as well as Windows, but he is unable to use the
Linux accounts; he can only approve Dual Control requests from members of the Linux team).
Next, open a different browser or incognito mode in Chrome, and log in as the
LDAP user Carlos with the password Cyberark1.
Locate the logon01 account and select the Request Connection button.
Enter a reason for access. Note that you are unable to enter free text and can only see the
predefined reasons we configured in the previous exercise. Activate the Timeframe
and specify FROM the current date in the morning TO the end of the last day of the
class. Also activate Multiple access is required and then press the Send Request
button.
Log in as Tom. You should have received an e-mail with the new request (if you do
not receive an email, make sure the ENE service is running on the Vault).
Note: unfortunately, because we are using Mike to login to the Windows OS, we will not be
able to click on the link in order to navigate directly to the Incoming requests page.
Instead, we will login to the PVWA and navigate manually.
Log in to the PVWA as Tom (password Cyberark1) if you are not already logged in.
Locate the incoming request from Carlos and press the Confirm button.
Before signing out, go to the Accounts View. Take note of the fact Tom is unable to
make requests to view the logon01 password or use it to connect.
Sign out and close the browser to terminate the Tom session.
Browse to the email client and login as Carlos. You should receive an e-mail stating
the request has been confirmed.
Log in to the PVWA as Carlos (password Cyberark1) if you are not already logged on,
and go to the Account View page. Notice the Status of the request is now
confirmed. You can now use the password and connect to the previously requested
account.
In this exercise, you will configure the Windows Server Local accounts added earlier for
exclusive access with an automatic release based on the Minimum Validity Period.
Press the Active button to enable Enforce check-in/check-out exclusive access and
click Finish.
To allow for an automatic release of a checked-out password, you will need to enable the
policy Enforce one-time password access for the platform WIN SRV LCL ADM 45.
Press Active to enable one-time password access for this platform and then click
Finish.
Note: This next step is for testing/training purposes only and should not be used in a
production environment.
We will set the Minimum Validity Period to 5 minutes, so that we can see our results more
quickly. The MinValidityPeriod parameter is configured in the Platform.
Go to ADMINISTRATION > Platform Management, select WIN SRV LCL ADM 45,
and click Edit.
Set MinValidityPeriod to 5.
Press Apply and OK to close the Platform and then sign out of the PVWA.
In this section, we will test our configuration of exclusive passwords with automatic
release. We will use the users Tom and John. Tom is the Safe Manager (therefore its
owner) and John is a member of the Active Directory group WindowsAdmins.
Log in to the PVWA as the LDAP user Tom with the password Cyberark1.
Go to ACCOUNTS.
Click on the localadmin01 account and click the Show button. Tom has now
checked out the password.
You should be able to see the password as well as a disclaimer stating that the password is
available for the next 5 minutes, after which it will be rotated.
Log out of the PVWA and log back in as John. You should notice a lock icon next to
the localadmin01 account.
Note: Only Tom or a user who has the "Unlock Account" permission on that Safe can
release the account manually by using the “Check-in” option. However, we will not
use this option, as we want to see the system release it automatically at the end of
the Minimum Validity Period.
Hover over the lock icon; it should say “The account is checked-out by Tom”.
If you press Connect, you will be able to download the RDP file. However, if you click
on the RDP file and attempt to launch a connection, you will receive an error
message.
After several minutes (remember the minimum validity period was set to 5 min), John will
be able to access the password and the CPM will have changed the password.
Hint: If the account is not released after several minutes, run the restart-services.bat file
and check again.
Starting with v11.7, the PSM can also release an account locked by exclusive access upon
closing the remote session. Perform the following steps to test automatic release by PSM:
Log in to the PVWA as John and locate the localadmin01 account. Click on Connect.
After the session to the target machine has been established, confirm the account is
locked by John.
If everything has been configured correctly in the previous steps, the localadmin01
should be unlocked immediately by the PSM (without password rotation). To confirm,
open the Account details page and look at Activities. You should be able to see that
the account has been unlocked by the PSM.
Then, after a few minutes, the account password will also be rotated by the CPM
(thanks to the One-time password setting).
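The following Python model is an added illustration, not CyberArk code: it simulates the exclusive-access lifecycle tested above (Tom's check-out, John's lock, automatic CPM release at the Minimum Validity Period, and the v11.7 PSM release on session close followed by the one-time-password rotation). The clock, account names and the `rotated-<minute>` password values are constructed assumptions.

```python
"""Constructed model of exclusive access with automatic release.

Added example, not CyberArk's implementation. It mirrors the lab settings:
MinValidityPeriod = 5, "Enforce one-time password access" active, and the
PSM releasing the lock (without rotation) when the session closes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_VALIDITY_PERIOD_MIN = 5   # lab value; training/testing only
ONE_TIME_PASSWORD = True      # one-time password access is Active


@dataclass
class Account:
    name: str
    password: str
    locked_by: Optional[str] = None
    locked_at: Optional[int] = None        # model clock, in minutes
    change_pending: bool = False           # CPM rotation queued by OTP
    activities: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.activities.append(msg)


class Vault:
    def __init__(self, account: Account, unlock_permitted) -> None:
        self.account = account
        self.unlock_permitted = set(unlock_permitted)  # "Unlock Account" holders
        self.now = 0                                    # minutes

    def show_or_connect(self, user: str) -> bool:
        """Check the account out; denied while another user holds the lock."""
        acct = self.account
        if acct.locked_by and acct.locked_by != user:
            acct.log(f"{user}: denied, checked out by {acct.locked_by}")
            return False
        if acct.locked_by is None:
            acct.locked_by, acct.locked_at = user, self.now
            acct.log(f"{user}: checked out")
        return True

    def check_in(self, user: str) -> bool:
        """Manual release: only the holder or a user with Unlock Account.
        Assumption: with OTP active, a manual check-in also triggers rotation."""
        acct = self.account
        if acct.locked_by is None:
            return False
        if user != acct.locked_by and user not in self.unlock_permitted:
            acct.log(f"{user}: check-in denied")
            return False
        self._release(by=user, rotate=ONE_TIME_PASSWORD)
        return True

    def psm_session_closed(self, user: str) -> None:
        """v11.7 behaviour: PSM unlocks immediately without rotating; the
        one-time password setting then queues a CPM change."""
        if self.account.locked_by == user:
            self._release(by="PSM", rotate=False)
            if ONE_TIME_PASSWORD:
                self.account.change_pending = True

    def advance(self, minutes: int) -> None:
        """Move the clock; the CPM performs automatic release and rotations."""
        self.now += minutes
        acct = self.account
        if acct.locked_by and self.now - acct.locked_at >= MIN_VALIDITY_PERIOD_MIN:
            self._release(by="CPM", rotate=True)
        if acct.change_pending and acct.locked_by is None:
            self._rotate()

    def _release(self, by: str, rotate: bool) -> None:
        acct = self.account
        acct.locked_by = acct.locked_at = None
        acct.log(f"unlocked by {by}")
        if rotate:
            self._rotate()

    def _rotate(self) -> None:
        acct = self.account
        acct.password = f"rotated-{self.now}"   # constructed placeholder value
        acct.change_pending = False
        acct.log("CPM: password changed")
```

Run `Vault(Account("localadmin01", "initial"), {"Tom"})` through the lab order (Tom shows, John is denied, `advance(5)`, John connects, `psm_session_closed("John")`, `advance(1)`) and read `account.activities` to see the same sequence the Activities tab shows in the PVWA.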
Accounts Feed
In this section you will configure rules for automatically onboarding accounts discovered
using the Accounts Feed feature, run a Windows Discovery to discover and automatically
onboard accounts, and lastly you will manually onboard accounts that were not covered by
the automatic onboarding rule.
In this section, you will configure Onboarding Rules in order to add newly discovered
accounts to the Vault without any human intervention.
Click Next.
Review your rule and if everything seems to be in order click on Create rule.
The Accounts Discovery process requires an account to log in to the domain and scan the
individual machines. We will use the cybrscan account we created in the first exercise.
Note: The user cybrscan is an Active Directory account created especially for the
purposes of running Accounts Discovery scans. It is a member of the Domain
Admins AD group.
Go to Accounts > Pending & Discovery > Discovery Management and click New
Windows Discovery.
Use the Click to select an account from the Vault link and select the cybrscan
account.
Under What recurring pattern to set for this Discovery?, select Onetime, then click
Done.
You will receive a message saying that the Windows discovery has been added.
Press OK.
Press the Refresh icon to update the status. You may need to back out of the
window and go back in to see the state change. This can take a few minutes.
Note: It is also possible that the discovery will complete with errors. This is normal in our
environment.
Go to Accounts > Accounts View. If you configured your automatic rules properly,
you should be able to see all the “discoveryXX” accounts in the accounts view. If you
assigned a reconcile account to the platform, the accounts added should also be
reconciled or scheduled for immediate reconciliation.
In this section, we will manually onboard an account that was discovered but for which
there was no automatic onboarding rule.
Go to the Pending Accounts list, enter localadmin02 in the Keywords field and run
a search.
Note: one of the main benefits of discovery and onboarding is the ability to discover
dependencies tied to Windows accounts. Unlike the previous exercise, this time the
dependency will be onboarded along with the target account, and the CPM will
manage the dependency, without any human intervention.
Press Onboard.
Go to the ACCOUNTS page and search (press the magnifying glass icon top
right) for the newly created account. Because the platform was configured for
automatic reconciliation, you should see that the account has been reconciled.
Confirm that you can also see there is a dependency associated with the account.
To confirm the scheduled task is also working, open a command line interface and
input the following command.
Now, log in to the mail client as Mike, and verify that you received the email confirming
that schedtask02 is working.
Frequently there is a need to upload many known accounts into CyberArk PAM from an
existing repository. This is especially valuable during the early stages of
implementing CyberArk PAM, migrating from another solution, or when onboarding a new
department into the PAM solution.
• Download a detailed result file with the failed accounts and error messages
Review the file and the properties of the accounts we are about to upload to the PAS
solution.
Go to ACCOUNTS > Accounts View and select Add accounts from file.
First, review the instructions in the page. Note you can also download a sample CSV
file. When you are ready, click on Drag and drop file or browse.
Navigate to c:\Add-Accounts and select the accounts-Linux.csv file. Review the page
and select Upload.
Refresh the page. Search for logon and confirm the accounts were onboarded.
You may also select some of the accounts and launch a Verify or Change action to
confirm the CPM is able to manage the target accounts.
First, we will disable the PSM globally and then activate it for specific platforms using
exceptions.
We will then perform tests to ensure that privileged session management is functioning
properly using the various connection methods available:
To simplify the PSM testing, we will first disable the Privileged Access Workflows that we
modified in earlier exercises.
Note: Do NOT disable the Privileged Access Workflow Allow EPV transparent
connections.
In the Edit Exception window click on the red Remove Exception button.
Remove all the other exceptions we created under Privileged Access Workflows
and make sure all workflows are set to Inactive except for Allow EPV transparent
connections… If you disable this, you will not be able to connect using the PSM.
The PSM is enabled through the Master Policy. The PSM can be enabled either globally
for all platforms or disabled globally and only activated through exceptions, which is what
we will test here.
This method allows users to connect securely via the PSM to all types of systems and
applications through the unified PVWA web portal user interface.
Adding Exceptions
Once deactivated, with Require privileged session monitoring and isolation still
selected, press Add Exception.
Repeat the above steps to enable PSM for the ORA DBA 30 and WIN SRV LCL ADM
45 platforms.
We will first test connecting securely to a Linux machine using SSH via the PSM. In this
exercise, you will connect to the PSM using RDP, and the PSM will run PuTTy to connect
you to the target Linux machine.
Log in to the PVWA as Paul, go to the ACCOUNTS page, and locate user01. Press
the Connect button.
You will notice an RDP file has been downloaded to your desktop. Choose to open it
with Remote Desktop Connection (default) and press OK.
If everything was configured correctly, you should see a message that your session is
being recorded.
Optionally, run some Linux commands. In the example below the user is running:
mkdir user16
rm -R user16
Log out of the PVWA and log back in as the user Robert.
In the main Accounts window, find the account dba01 and click the Connect button.
You should see a message stating that your session is being recorded.
Note: If you receive a Remote Desktop Connect pop-up, “Your Remote Desktop Services
session has ended”, retry the connection component. You may have to connect a
couple of times before seeing the message.
Later in the lab exercise, you will be logging in as an auditor and looking for any sessions
that issued commands with the word salary.
HTML5 Gateway
In this section, we will see how to configure the PSM HTML5 Gateway, which enables us
to tunnel sessions between end users and the PSM server using a secure WebSocket
protocol (port 443). This eliminates the need to open an RDP connection from the end
user's machine. The RDP session is delivered to the end user through a browser tab,
rather than via an RDP window.
Note: In this environment, the HTML5 Gateway has already been installed for you. It is
running on the same Linux server as the PSM for SSH, but it has not been enabled
in the PVWA.
Set the Enable parameter to Yes and click the Apply button.
Now log in as the user John and go back to the ACCOUNTS page and locate
localadmin01.
Press the Connect button. This time, instead of downloading an RDP file, you will
receive a pop-up asking whether you want to map your local drives and whether you
want to Connect using HTML5 GW. By default, both are disabled, so enable them
both. Provide a reason for launching the connection, and then click Connect to
launch an HTML5 connection.
Note: The ability to toggle between RDP file and HTML5GW connections is defined at the
Connection Component level. For your convenience, the functionality has been
preconfigured for RDP and SSH connections in this lab.
To enable this functionality for connection types other than RDP or SSH, go to
Options -> Connection Components -> PSM-RDP -> User Parameters and copy
the AllowSelectHTML5 parameter. Then paste it into a different connection
component, for example PSM-WinSCP.
A new tab opens in the browser and you can see the RDP toolbar at the top.
In this section we will copy a file from our workstation to the remote machine via the
HTML5 Gateway.
Grab the tab and move it to create a separate window from your PVWA session.
Then reduce the PVWA window and resize the RDP window so that you can see the
desktop of the COMPONENTS server, as shown in the image below.
On your COMPONENTS desktop, you will find a file named 2-TRGT-WIN.txt. Drag
and drop this file into the browser RDP window. You should be able to see the
following message stating that the file has been copied to the mapped drive Z on
COMPONENTS, which you can view on the remote machine TARGET-WINDOWS.
You should be able to see the following message on your screen. Click on Close.
Lastly, copy the file from the Z on COMPONENTS drive that was created on the
target machine to the desktop on TARGET-WINDOWS.
Now we are going to copy a file in the other direction, from the remote machine back to our
workstation.
Still working in the browser RDP window (so on TARGET-WINDOWS), make a copy
of the file named 2-TRGT-WIN.txt that is now on the Desktop of TARGET-WINDOWS,
and name it 2-COMP-SRV.txt.
Next, open the Download directory Z on COMPONENTS. Drag and drop the
2-COMP-SRV.txt file that is on the desktop of TARGET-WINDOWS into the
Download directory. The file should be automatically downloaded to the local
workstation using the browser download. You should then be able to find the file in
the Downloads folder on the local workstation.
Next, you will configure a PSM Ad-Hoc Connection (previously known as Secure
Connect), which allows you to launch a PSM connection using unmanaged accounts.
First, log into the PVWA as mike, and go to ADMINISTRATION > Platform
Management.
Platform PSMSecureConnect
Client: WinSCP
Address: 10.0.0.20
User Name: root01
Password: Cyberark1
Map Local Drives: Checked
(scroll down)
Port 22
Press Connect.
Optional: When you have connected to WinSCP, copy a file from the PSM server to
the target machine.
Suggestion: C:\Add-Accounts\accounts-Linux.csv.
Note: The Ad-Hoc connection will open in the browser unless you disable the HTML5GW.
If you want to launch the connection using an RDP file, go to OPTIONS >
Privileged Session Management > Configured PSM Servers > PSMServer >
Connection Details > PSM Gateway, and set Enable to No.
PSM for Windows (previously known as “RDP Proxy”) enables users to connect through
PSM to any remote target securely with a standard remote desktop client application like
mstsc or an RDP connection manager.
You can also use preconfigured RDP files. When using RDP files, you can configure a
single RDP file to connect through PSM without providing the target system details or
configure separate RDP files that include the target system details in advance. In this
exercise we will look at both options for using preconfigured RDP files.
Connect using RDP file without providing the target system details:
In the first example, we will use a preconfigured RDP file without providing the target
system details in advance.
On the desktop of the Components server, you will find an RDP file titled PSM for
WIN.
Confirm you were able to connect to the target system as localadmin01. Then
disconnect from the target system.
In this example, we will use a preconfigured RDP file that includes the target system
details in advance. Perform the following steps:
Open the PSM for WIN RDP file for edit using Notepad++.
Scroll to the bottom of the file. Note the two different alternate shells in the file.
Edit the RDP file as follows to include the target system details in advance:
Double click on the RDP file to launch the connection. If configured properly, you will
be prompted only for the Vault user credentials. After you authenticate as John, the
connection to the target machine as localadmin01 should be made automatically.
Note: You can use any RDP client application to connect to any target system via PSM.
When setting up your RDP client, make sure to input the following details:
- PSM Address
- Vault username
- RDP Start Program setting
For more details on configuring RDP clients please review the online
documentation.
PSM for SSH (previously known as PSM SSH Proxy or PSMP) is designed to provide a
native Unix/Linux user experience, connecting to any SSH target.
On the Components server, open PuTTy. You can find a shortcut for PuTTy in the
task bar.
Use the following connection string to connect to the Target Linux machine using the
logon01 account where the Vault user is Carlos.
Carlos@logon01@10.0.0.20@psm-ssh-gw.acme.corp
Hint: To be able to troubleshoot easily, make sure you mark “Never” under “Close window
on exit”.
When prompted for a password, enter the password for Carlos (password:
Cyberark1).
In this section, we are going to look at some of the audit information that was gathered by
CyberArk PAM during our PSM testing. We will also be monitoring live sessions and test
session termination and suspension. To do so, we will need to connect as a user who is a
member of the Auditors group – cindy.
Log in to the PVWA as John and open a privileged session using the localadmin01
account via the PSM.
Log out of the PVWA (or use incognito mode) and log in via LDAP as Cindy.
Go to Active Sessions and locate the session opened by John and click on Monitor.
You should now be able to monitor John’s session as it happens.
As Cindy, try to Monitor, Suspend, Resume and ultimately Terminate the session.
Note: Not all members of the Auditors group can terminate, suspend or resume sessions.
These permissions are only available to users who are also members of the internal
PSMSessionTerminators group.
Monitor Recordings
As Cindy, verify that you can see the recordings related to your prior sessions and try
to play some of these recordings. Note that recordings related to PSM for SSH are
presented in the classic UI.
You can also search recordings by activities in a privileged session. For example,
enter salary in the Session activities field and press Apply. Once you locate the
SQL recording, click on Play.
Review the recording. Click on the session line for more detail and find the command
“select * from scott.salary”. Note that the recording will now start at the command
selected.
Note: Because the PTA server can become unpredictable in the Skytap environment if it
gets suspended, it has been configured not to start automatically. To perform these
next steps, you will need to start your PTA server manually in Skytap.
In this section you will observe how the PTA detects when privileged accounts are being
used and then check if they are being managed by CyberArk. If the account is not
managed, the PTA will generate a security event and add the account to the list of
Pending Accounts. The Vault Administrator can then onboard the account to the relevant
safe. Automatic Onboarding Rules can also be applied.
First, we need to establish an SSH session to the target Linux server to create an event on
the PTA, which we will review using the Security pane in the PVWA.
Open PuTTY from the Components server and open an SSH session to Target
Linux as root02 (password: Cyberark1).
Login to the PVWA as mike and go to Security > Security Events and verify that
you can see the “Unmanaged privileged account” alert related to root02.
Note: “root.*” is defined by default as a privileged user in the PTA. You can add other
usernames (using regular expressions) that should also be detected by the PTA as
privileged accounts to be managed by CyberArk PAM. To add additional
usernames, log in to the PTA administrative interface and go to SETTINGS > Privileged
Groups and Users.
Go to Accounts Feed > Pending & Discovery. Select root02 from the list (use
“Refine By” to search for the account if needed) and click on Onboard Accounts.
Onboard the account to the Lin-Fin-US safe and associate the account with the LIN
SSH 30 platform.
Optionally, return to Security > Security Events and close the Security event now that
it has been dealt with.
Note: You may notice that there are also other Unmanaged privileged access events
related to accounts that are managed in the Vault. This is because the PTA has not
been made aware of those accounts yet. The PTA has a scheduled task that by
default runs once a day to retrieve the account list from the Vault. We
have configured the PTA in this lab to run the task every minute, which means that
any account you now onboard will be recognized by the PTA almost immediately.
Feel free to close the other Unmanaged privileged access events, as they are
false positives in our case.
In this section, you will configure the PTA to detect when privileged accounts are being
used without first retrieving the password from PAS and trigger the CPM to initiate a
password change.
Login to the PVWA as Paul and go to POLICIES > Access Control (Safes). Select
the Lin-Fin-US safe and click on Members.
Click on Add Member and search for the PTAUser in the Vault. Select the PTAUser.
Keep the default permissions and expand Account Management. Select “Initiate
CPM account management operations” and click on Add.
Repeat the above step to add the PTAAppUser to the Lin-Fin-US safe as well
(including the “Initiate CPM account management operations” permission).
Close and exit from your PuTTY session to 10.0.0.20 if it is still open.
Once again, open PuTTY from the Components server and open an SSH session to
Target Linux as root02 (password: Cyberark1).
Login to the PVWA as mike and go to Security > Security Events and verify that
you can see the “Suspected Credentials Theft” alert related to root02.
In the PVWA, go to the root02 account and verify that the CPM changed the
password.
Open the Activities tab to verify that the CPM changed the password after the PTA
raised the suspected credential theft alert, and that the Activities list shows the relevant
file category being added for Immediate Change.
Note: To detect Suspected Credential Theft, the PTA compares the login time on the
target machine with the last time the password was retrieved from the Vault. By
default, the PTA creates a Suspected Credential Theft event if the password was
not retrieved within the last 8 hours. For the purpose of this lab, we have configured
the PTA to raise an alert if the password was not retrieved within the last 2 minutes.
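The two PTA checks exercised so far (the unmanaged privileged account detection with the default “root.*” pattern, and the Suspected Credentials Theft comparison of login time against the last Vault retrieval) as a small detection routine. This is an added illustration written for this guide, not PTA code; the account list, retrieval times and login events are constructed sample data, and the default window of 8 hours and lab window of 2 minutes are the values stated above.

```python
import re
from datetime import datetime, timedelta

# Usernames the PTA treats as privileged. "root.*" is the page's stated
# default; additional patterns would be added in the same way.
PRIVILEGED_USER_PATTERNS = [re.compile(r"root.*")]

# Accounts the PTA has learned from the Vault, as (address, username).
# Constructed sample: root02 has been onboarded, root03 has not.
MANAGED_ACCOUNTS = {
    ("10.0.0.20", "logon01"),
    ("10.0.0.20", "root01"),
    ("10.0.0.20", "root02"),
}

# Last time each account's password was retrieved from the Vault.
# Constructed sample: only root01 was retrieved (three minutes before login).
LAST_RETRIEVAL = {
    ("10.0.0.20", "root01"): datetime(2021, 6, 27, 9, 57),
}

# Constructed target-side login events: (login time, address, username).
LOGINS = [
    (datetime(2021, 6, 27, 10, 0), "10.0.0.20", "root02"),   # managed, never retrieved
    (datetime(2021, 6, 27, 10, 0), "10.0.0.20", "root01"),   # retrieved 3 minutes earlier
    (datetime(2021, 6, 27, 10, 0), "10.0.0.20", "root03"),   # privileged but unmanaged
    (datetime(2021, 6, 27, 10, 0), "10.0.0.20", "logon01"),  # not a privileged pattern
]


def is_privileged(username):
    """True when the username matches any configured privileged pattern."""
    return any(p.match(username) for p in PRIVILEGED_USER_PATTERNS)


def analyze_login(login_time, address, username, managed, last_retrieval, window):
    """Return the list of PTA-style event names raised for one login.

    An unmanaged privileged username raises "Unmanaged privileged account".
    A managed privileged account used without a Vault retrieval inside
    `window` before the login raises "Suspected Credentials Theft".
    Non-privileged usernames raise nothing.
    """
    events = []
    if not is_privileged(username):
        return events
    key = (address, username)
    if key not in managed:
        events.append("Unmanaged privileged account")
        return events  # nothing in the Vault to compare retrieval times against
    retrieved = last_retrieval.get(key)
    # A missing retrieval record, or one older than the window, is suspicious.
    # A retrieval after the login (negative delta) is not flagged here.
    if retrieved is None or login_time - retrieved > window:
        events.append("Suspected Credentials Theft")
    return events


def run(window_minutes=8 * 60):
    """Evaluate every constructed login; default window is the 8-hour PTA default."""
    window = timedelta(minutes=window_minutes)
    return {
        username: analyze_login(t, addr, username, MANAGED_ACCOUNTS, LAST_RETRIEVAL, window)
        for t, addr, username in LOGINS
    }


if __name__ == "__main__":
    print("default 8h window:", run())
    # With the lab's 2-minute window, root01's 3-minute-old retrieval is also flagged.
    print("lab 2-minute window:", run(window_minutes=2))
```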
In this section you will configure the PTA to detect when a password is being changed
manually, bypassing the CPM, and have the PTA trigger the CPM to reconcile the
password.
For this exercise to work, you must associate a reconcile account with root02.
Note: If you performed the optional exercise on SSH keys, you can use the root01 account
you created previously. If you have not already added root01, do so now,
creating it as a normal password account (exactly like logon01).
Login to the PVWA as Paul and go to Accounts > Accounts View and select the
root02 account. Using the classic UI, associate root01 as the reconcile account for
root02.
Go to Accounts > Accounts View and select root02 again and launch an SSH
connection via the PSM.
Type the following command to change the password of root02 back to Cyberark1:
passwd root02
Go back to the PVWA as mike and go to Security > Security Events. You should be
able to see two new alerts. One for a “Suspicious activities detected in a
privileged session”, and one for “Suspicious password change”.
Verify that you can see the “Suspicious password change” alert and that an
automatic password reconciliation was initiated.
Go to Accounts > Accounts View and select root02. Verify that root02 was indeed
reconciled by the CPM.
In this section you will configure the PTA to detect when a risky command is used in a
privileged session and to suspend the session automatically.
Login to the PVWA as mike and go to Security > Security Configurations >
Privileged Session Analysis and Response. Find the SSH passwd command (the
command is used to change the password manually) and click on Edit.
Configure the risk to a Score of 90 and the Session response to Suspend. Click on
Save.
Log in to the PVWA as Paul and go to Accounts > Accounts View and select the
root02 account. Launch a privileged session by clicking on the connect button.
After the session opens, try to run the passwd root02 command again. The
session should be suspended immediately, and a message should appear letting the
user know the session is suspended.
Login to the PVWA as mike. Go to Security > Security Events and verify you can
see the “Suspicious activities detected in a privileged session” alert. Verify that
the session got a score of 90.
Note: mike can resume the session only because we added the user to the
PSMLiveSessionTerminators group.
Login as cindy and go to the Monitoring pane. If the session is still in progress, you
should see it in Active Sessions with the options to terminate, suspend or monitor the
session. If you already closed the session, you should be able to play the recording.
In this section, we will tweak the rule we created in the last section so that if a designated
user needs to execute passwd during a session, their session will not be suspended.
Log into the PVWA as mike and go back to Security > Security Configurations,
select the passwd rule and click the Edit button.
Enter the username Paul in the field, press Enter, and then click the Change scope
button. You will then be returned to the Edit Rule dialog. Click Save to close the
dialog.
To test the rule, you can log in to the PVWA as the user Paul, connect using any of
the accounts in the Lin-Fin-US safe, and run the passwd command. Your session
should not be suspended. Try the same with Carlos. This time your session should
be suspended as before.
In this section you will observe how the PTA detects when a Windows account is being
added to a privileged group and then checks if the account is being managed by
CyberArk. If the account is not managed, the PTA will generate a security event and add
the account to the list of Pending Accounts.
Unlike the previous example, in this case the account is detected by the PTA as soon as
the account is granted privileged permissions, allowing the PTA to respond and take control
over this unmanaged privileged account. This shortens the time it takes to detect
an attacker or a malicious insider who attempts to create a backdoor account, bypassing
the organizational policy.
Add a new user called backdoor. Set the password to Cyberark1 and select
Password never expires. Then click on Create.
Right-click on the newly added user and select Properties. Go to the Member Of tab
and click on Add…
Type "Administrators" and then click Check Names. Click on OK to add the backdoor
user to the local Administrators group.
Log into the PVWA as mike and go back to Security > Security Events. After about
20 seconds or so, you should be able to see a new Security Event for Unmanaged
Privileged Access, notifying the CyberArk Security administrator that an account
called backdoor, which is not managed by CyberArk, was added to the local
privileged Administrators group.
On the left navigation select Accounts, then go to Accounts Feed > Pending &
Discovery. Select backdoor from the list (use “Refine By” to search for the account if
needed) and click on Onboard Accounts.
Onboard the account to the Win-Srv-Fin-US safe and associate the account with the
WIN SRV LCL ADM 45 platform. Choose to Automatically reconcile the password
in order to take full control of the backdoor account. Click on Onboard.
Verify that the backdoor account has been reconciled by the CPM.
In this section you will configure the PTA to detect when a risky command is used in a
Windows privileged session and to suspend the session automatically. We will use this
ability to prevent malicious users from adding another backdoor account.
Login to the PVWA as mike and go to Security > Security Configurations >
Privileged Session Analysis and Response. Click on "Add rule".
(.*)New user(.*)
Under description enter: "Prevent malicious insiders from adding a backdoor user".
Set the risk score to 80 and set the session response to Suspend. Then click on
Add.
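The Privileged Session Analysis and Response rules configured in the two sections above (the SSH passwd rule scored 90 with Paul taken out of its scope, and the Windows “(.*)New user(.*)” rule scored 80), modelled as a small rule evaluator. This is an added example written for this guide, not the PTA's own logic: the passwd regex, the rule names and the `excluded_users` field are this example's assumptions about how the “Change scope” exclusion behaves, and the session commands are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One session-analysis rule: a regex over session text, a risk score and a response."""
    name: str
    pattern: str                 # regex applied to each command / window text
    score: int                   # risk score 0-100
    response: str                # "None", "Suspend" or "Terminate"
    excluded_users: set = field(default_factory=set)  # Vault users outside the rule's scope


# The two rules built in the lab. The passwd regex is an assumption; the
# "(.*)New user(.*)" regex is the one the exercise enters verbatim.
RULES = [
    Rule("SSH passwd", r"^\s*passwd\b", 90, "Suspend", excluded_users={"Paul"}),
    Rule("Windows New user", r"(.*)New user(.*)", 80, "Suspend"),
]


def evaluate(vault_user, text, rules=RULES):
    """Return (score, response) for one piece of session text.

    Rules whose scope excludes the Vault user are skipped, so Paul's passwd
    is not scored while Carlos's is. When several rules match, the highest
    score wins, as a single session event carries one score.
    """
    best = None
    for rule in rules:
        if vault_user in rule.excluded_users:
            continue
        if re.search(rule.pattern, text) and (best is None or rule.score > best.score):
            best = rule
    if best is None:
        return 0, "None"
    return best.score, best.response


def replay_session(vault_user, commands, rules=RULES):
    """Score a session command by command, stopping once it is suspended or terminated.

    Returns the trail of (text, score, response) tuples up to and including
    the command that triggered the response; later commands never run.
    """
    trail = []
    for text in commands:
        score, response = evaluate(vault_user, text, rules)
        trail.append((text, score, response))
        if response in ("Suspend", "Terminate"):
            break
    return trail


if __name__ == "__main__":
    # Constructed sessions: Carlos is suspended at passwd, Paul is not.
    print(replay_session("Carlos", ["ls -la", "passwd root02", "id"]))
    print(replay_session("Paul", ["ls -la", "passwd root02", "id"]))
    # Constructed Windows session text matching the "New user" rule.
    print(evaluate("John", "Local Users and Groups - New user"))
```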
Login to the PVWA using LDAP authentication as mike. Go to Security > Security
Events and verify you can see the “Suspicious activities detected in a privileged
session” event. Verify that the session got a score of 80.
The PTA has a separate administration interface that is used for initial configuration and
can be used to monitor threats and run reports.
In our environment, you can access the PTA Administration interface with the following
information. There is a shortcut for the PTA in the bookmarks bar:
Address: https://ptaserver.acme.corp
Password: CyberArk1234
When you log in, you should see information related to the activities we performed earlier.
Reports
In this section you will be asked to create three types of reports.
Review the options to filter the report but keep the default values, then click Next.
Select the refresh icon at the bottom of the page until the report status shows
“Done”. Open the report by clicking on the Excel icon.
After going over the report, save the new report to the desktop of the Components
server. If you are asked if you want to save the document in its current format, click
Keep Current Format.
On the Components server, open the PrivateArk Client and login as Mike (using
LDAP authentication).
Under Tools > Reports, click on Safes List to generate a Safes List report.
Click Report Output and save the new report to the desktop of the Components
server.
Open the LibreOffice Calc application (you can use the search functionality to easily
locate the app).
Use LibreOffice Calc to open the SafesList report file on your desktop.
Click OK.
After reviewing the report, save a copy of the report to the desktop of the
Components server.
Repeat these steps creating a Users List report and copy the report to the desktop
of the Components server.
By the end of this exercise you should have 3 reports on the desktop. These reports
are “Privileged Accounts Inventory”, “Safes List” and “Users List”.
In this section we will use the Export Vault Data (EVD) utility to generate reports. The
EVD utility exports data from the Vault to TXT or CSV files, from where they can be
imported into third-party applications or databases. Each report is saved in a different file.
Additional information about using EVD can be found in the online documentation.
First, we will enable the built-in Auditor user. Login to the PrivateArk Client as
Administrator (using PrivateArk authentication).
Click on OK. Then Close. And finally, logoff the PrivateArk Client.
Open the Vault.ini file using notepad and set the Vault IP address: 10.0.10.1. You
may also change the Vault name to "Primary" or “Primary Vault” (but it is not
mandatory).
Set the following parameters according to the below (keep all other parameters as
default by simply pressing 'Enter'):
Vault username=Auditor
Vault Password=Cyberark1
ExportVaultData \VaultFile="C:\ExportVaultData\Vault.ini"
\CredFile="C:\ExportVaultData\auditor.cred" \Target=File \LogNumOfDays=4
\LogList="C:\ExportVaultData\loglist.csv"
Note: The above example will create a log activities report for the Vault defined in
the Vault.ini file in C:\ExportVaultData. The user who will access the Vault to
generate this report is defined in the auditor.cred file in C:\ExportVaultData. The log
activities report will be saved in a file called loglist.csv, also in C:\ExportVaultData.
The log is generated for the last 4 days.
A new file called loglist.csv was generated in the C:\ExportVaultData folder. Review
the file using LibreOffice Calc to see the Activities log report generated by EVD.
Replications
In this section, you will use the CyberArk Replicator utility to test backup and restore of
the Vault data. Like all other components, the CyberArk Replicator utility has already
been installed in your environment by the implementation team.
Note: In this exercise we will be using two CyberArk built-in users. The first user is
Backup, which has permissions to back up all safes. We will use Backup to execute
the backup of all safes. The second user is Operator, which has authority to restore
all safes. We will use Operator to restore a safe. The two users are disabled by
default; however, the implementation team has already enabled those two users in
your environment. The password for both users was set to Cyberark1.
In the Vault.ini file, enter “Primary Vault” for the VAULT parameter (although this is
not mandatory).
Enter the IP address of your vault server in the address parameter: 10.0.10.1
CreateCredFile.exe backup.cred
Vault Username [mandatory] ==> backup
Vault Password…==> Cyberark1
Press Enter to accept the defaults for the remaining questions, as they are not
relevant in our environment.
Running a Backup
To perform a backup, run the following command from the Replicate installation folder:
If the backup is successful, you should see several messages indicating that files are
being replicated with a final message stating that the replication process has ended.
If the replication was successful, proceed to the next steps. If not, verify the configuration
information and try again.
Login to the PVWA as Mike and search for the root10 account (stored in a safe called
TEST).
Press Yes to confirm that you would like to delete the safe and contents.
You will receive a message that the Root folder cannot be deleted for 7 days.
However, the contents of the safe should have been removed.
To confirm that the contents of the TEST safe have been deleted go to the Accounts
page.
Enter root10 in the search box and press the Search button.
The root10 account that you were able to locate earlier should not appear.
Running a Restore
You will be prompted for the password for the Operator user, which should be
Cyberark1.
You will receive a message stating that the restore process has ended.
You should now see the root10 account using address 10.0.0.21, residing in safe
TEST-RESTORE.
Note: The Target Safe (/TEST-RESTORE) is the name of the restored Safe to create. The
restore process does not overwrite an existing Safe – it creates a new one.
Therefore, this name must not correspond with an existing Safe.
Disaster Recovery
In this section we will test the Disaster Recovery (DR) procedures for automatic failover
and manual failback. The exercise will include the following steps:
1) First, we will configure the Disaster Recovery module on the DR server to perform
an automatic failover in case the Primary Vault is no longer reachable.
2) We will execute a full replication from the Primary Vault to the DR Vault.
3) We will test an automatic failover from the Primary Vault to the DR Vault. As part
of the test we will also confirm that our end users can still access critical systems
via CyberArk, without any human intervention.
4) We will set the Primary Vault to act as DR and replicate all data back from the DR
Vault to the Primary Vault.
5) We will then perform a manual failback from the DR Vault to the Primary Vault.
6) Lastly, we will set the DR Vault back to DR mode and confirm our end users are
still able to connect to critical systems via CyberArk.
Note: The below steps have already been performed by the implementation team:
The PrivateArk Server, PrivateArk Client and Disaster Recovery module have all
been installed on both your Vault01a and DR servers by the implementation team.
As noted above, the implementation team has already installed the PrivateArk Server,
PrivateArk Client and Disaster Recovery service on the DR server. However, to avoid
an unwanted automatic failover during the first days of the course, automatic failover was
disabled. We are now going to enable Automatic Failover on the DR Vault.
Note: Notice FailoverMode is currently set to No. Do NOT change this setting. It will
automatically change later when we test the failover process.
Next, delete the last two lines of the file. This will trigger a full replication when we
restart the Disaster Recovery service, making sure we have the most updated data.
On the DR server, open the Windows Services applet. You will have a shortcut in the
task bar.
Now go to the desktop. Right click on the Get-DR-log.ps1 file located on the desktop
and select Run with PowerShell.
Note: The above script will run a tail on the padr.log file located in C:\Program Files
(x86)\PrivateArk\PADR\logs\ folder. The tail will allow you to monitor the actions
performed by the Disaster Recovery service in real time.
Note: if you are prompted to allow running the script, select Yes.
Confirm the Disaster Recovery module has completed the replication of data from the
Primary Vault. You should see entries with informational codes PAREP013I
Replicating Safe and at the end, PADR0010I Replicate ended.
Note: keep the tail running for the remainder of the exercise.
Now, we will execute an automatic failover test by stopping the Primary Vault server. If
everything works as expected, the Disaster Recovery module on the DR server will
recognize that the Primary Vault is offline and trigger an automatic failover.
Open the Server Central Administration app and click on Stop Server.
Once the Primary Vault has stopped, return to the console of the DR Server.
Monitor the tail on the padr.log file. You should see messages stating that the
Disaster Recovery service is unable to reach the Primary Vault.
Note: If you are not seeing new entries in the log file after a few minutes, press Enter. If
you are still not seeing new entries, close the PowerShell window and run the script
again.
After 5 failures the DR Vault will go into failover mode (this is the default setting).
Check the padr.log and review the sequence of events.
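As an added example (it is not the guide's Get-DR-log.ps1 and not CyberArk code), the following PowerShell function summarises a padr.log excerpt using the two codes named above (PAREP013I "Replicating Safe" and PADR0010I "Replicate ended") and counts error-level lines since the last successful replication against the 5-failure failover threshold. It assumes CyberArk log codes end in I/W/E for info/warning/error; the sample lines and the PADR0000E code are constructed placeholders.

```powershell
# Added example; not the guide's Get-DR-log.ps1 and not CyberArk code.
# Summarises padr.log lines using the codes the exercise names and counts
# error-level lines since the last successful replication against the
# failover threshold (5 failures by default, per the exercise).
# Assumption: CyberArk log codes end in I/W/E for info/warning/error.
function Get-PadrLogSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $FailoverThreshold = 5
    )
    $safesReplicated  = 0
    $replicationEnded = $false
    $errorsSinceOk    = 0
    $failoverExpected = $false

    foreach ($line in $Lines) {
        # Log code such as PAREP013I or PADR0010I; the trailing letter is the severity
        if ($line -match '\b(PA[A-Z]+\d+)([IWE])\b') {
            $code     = $Matches[1] + $Matches[2]
            $severity = $Matches[2]
            switch ($code) {
                'PAREP013I' { $safesReplicated++ }
                'PADR0010I' { $replicationEnded = $true; $errorsSinceOk = 0 }
            }
            if ($severity -eq 'E') {
                $errorsSinceOk++
                if ($errorsSinceOk -ge $FailoverThreshold) { $failoverExpected = $true }
            }
        }
    }
    [pscustomobject]@{
        SafesReplicated        = $safesReplicated
        ReplicationEnded       = $replicationEnded
        ErrorsSinceLastSuccess = $errorsSinceOk
        FailoverExpected       = $failoverExpected
    }
}

# Constructed sample lines (line format approximated; PADR0000E is a placeholder
# code, not a real CyberArk message code)
$sample = @(
    '27/06/2021 10:00:05 PAREP013I Replicating Safe [System]'
    '27/06/2021 10:00:06 PAREP013I Replicating Safe [Finance]'
    '27/06/2021 10:00:09 PADR0010I Replicate ended'
)
foreach ($i in 1..5) {
    $sample += "27/06/2021 10:0$($i):30 PADR0000E Unable to reach the Primary Vault (constructed)"
}

# Expected: 2 Safes replicated, replication ended, 5 errors, failover expected
Get-PadrLogSummary -Lines $sample | Format-List

# Live use on the DR server:
# Get-PadrLogSummary -Lines (Get-Content 'C:\Program Files (x86)\PrivateArk\PADR\logs\padr.log')
```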
On the DR server (10.0.14.1), open the Windows Services applet and confirm the
CyberArk Vault Disaster Recovery service has terminated.
Confirm the PrivateArk Server service is now running on the DR server (10.0.14.1).
In this section we will confirm our end users (like Carlos) can still access critical systems
via CyberArk, even though the Primary Vault is offline, without human intervention.
Note the implementation team has already configured the PVWA and PSM to
automatically failover to the DR Vault when the Primary Vault is no longer available. To
support automatic failover, the Vault.ini file for both services has been configured with the
IP addresses of both the Primary Vault and the DR Vault separated by a comma.
Here you can see the configuration of the PSM Vault.ini file:
To confirm that both the PVWA and PSM automatic failover was successful, return to
the console of the Components server.
Open Chrome and verify that you can still login to the PVWA as John, even though
the Primary Vault is offline.
Now, verify you can launch a secure session to the target Windows machine using
the localadmin01 account via PSM. If everything worked as expected, John should
still be able to access the target server via CyberArk, without any human
intervention.
Note: you may need to try to launch the connection via PSM a couple of times before it
works, as it may take a few minutes before the PSM fails over to the DR Vault.
Before we failback to the Primary Vault we must first make sure we replicate all the latest
data from the DR Vault (which served as the active Vault for the duration of resolving the
incident). In this section we will use the Disaster Recovery module on vault01a to
replicate data back from the DR Vault to the Primary Vault.
Note: The implementation team has already installed the Disaster Recovery module on
vault01a, and manually created a separate DR user for the purpose of performing
replication from the DR Vault back to the Primary Vault.
The new user is called DR_Failback, and has been made a member of the built-in
group DR_Users. The user was assigned the following Vault authorizations: Backup
All Safes and Restore All Safes.
• Delete the last two lines (log number and timestamp of the last successful
replication) in the file.
Note: the above changes will trigger the Disaster Recovery module on the Primary Vault to
perform a full replication of the data from the DR Vault once the service is restarted.
Right click on the Get-DR-log.ps1 file located on the desktop of the vault01a and
select Run with PowerShell.
Note: if you are prompted to allow running the script, select Yes.
Monitor the tail of the padr.log to verify that the Primary Vault has replicated all the
changes from the DR Vault.
Note: Contrary to the PVWA and PSM, the CPM is not configured to perform an
automatic failover. This is to avoid a split-brain situation between the two Vaults.
To support password rotation in the DR site, we would need to manually fail over the
CPM to the DR Vault (by setting the DR Vault IP address in the vault.ini file of the
CPM). We will not perform a manual failover for the CPM in this exercise.
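The following PowerShell function is an added example (not CyberArk's code) that checks the point made about the PVWA/PSM Vault.ini files and the CPM: it reads the ADDRESS= line of a component's Vault.ini and reports whether one Vault or both Vaults (comma separated) are listed. It assumes Vault.ini uses the ADDRESS= key; the lab files it writes to a temp folder are constructed to mirror the exercise.

```powershell
# Added example, not CyberArk's code. Reads the ADDRESS= line of a component's
# Vault.ini and reports whether a single Vault or both Vaults (comma separated)
# are listed, i.e. whether automatic failover is possible for that component.
# Assumption: Vault.ini uses the ADDRESS= key; lab paths and files are constructed.
function Get-VaultIniFailoverState {
    param(
        [Parameter(Mandatory)] [string] $Component,
        [Parameter(Mandatory)] [string] $Path
    )
    $addresses = @()
    if (Test-Path -LiteralPath $Path) {
        $line = Get-Content -LiteralPath $Path |
            Where-Object { $_ -match '^\s*ADDRESS\s*=' } | Select-Object -First 1
        if ($line) {
            # Everything after the first '=', split on commas, blanks dropped
            $addresses = @(($line -split '=', 2)[1].Trim() -split '\s*,\s*' | Where-Object { $_ })
        }
    }
    [pscustomobject]@{
        Component    = $Component
        Addresses    = ($addresses -join ',')
        AutoFailover = ($addresses.Count -ge 2)
        Note         = $(if ($addresses.Count -ge 2) { 'Primary and DR listed; automatic failover possible' }
                         elseif ($addresses.Count -eq 1) { 'single Vault address; manual failover only' }
                         else { 'no ADDRESS line found' })
    }
}

# Constructed Vault.ini fragments mirroring the exercise: PSM/PVWA list both
# Vaults (10.0.10.1 Primary, 10.0.14.1 DR); the CPM deliberately lists only the Primary.
$lab = Join-Path ([System.IO.Path]::GetTempPath()) 'vaultini-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
"VAULT=`"Vault`"`nADDRESS=10.0.10.1,10.0.14.1`nPORT=1858" | Set-Content (Join-Path $lab 'PSM-Vault.ini')
"VAULT=`"Vault`"`nADDRESS=10.0.10.1`nPORT=1858"           | Set-Content (Join-Path $lab 'CPM-Vault.ini')

# Expected: PSM AutoFailover True, CPM AutoFailover False
@(
    Get-VaultIniFailoverState -Component 'PSM' -Path (Join-Path $lab 'PSM-Vault.ini')
    Get-VaultIniFailoverState -Component 'CPM' -Path (Join-Path $lab 'CPM-Vault.ini')
) | Format-Table -AutoSize
```

On a real component server, point -Path at that component's own Vault.ini instead of the constructed files.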
Now that all the data has been replicated back from the DR Vault to the Primary Vault,
we can proceed with performing a manual failback from the DR Vault to the Primary
Vault. The failback procedure will be performed using a Manual Failover.
Important: The above steps are critical for a successful failback from the DR Vault to the
Primary Vault. Reverting to the Primary Vault without first performing a proper
failover can result in data inconsistencies.
Monitor the tail running on the padr.log file on vault01a (10.0.10.1). Confirm you can
see the messages stating that the Failover process ended successfully, that the Vault
service is starting, and that the Disaster Recovery service has terminated.
Verify that the CyberArk Vault Disaster Recovery service has terminated on
vault01a (10.0.10.1).
Verify that the PrivateArk Server service has started successfully on vault01a
(10.0.10.1).
In the last section of this exercise, we will set the DR server back to DR mode.
On the DR server, edit the padr.ini file and make the following changes:
• Delete the last two lines (log number and timestamp of the last successful
replication) in the file.
Using the Windows Services applet, stop the PrivateArk Server service on DR
(10.0.14.1).
Note: click Yes to stop the Cyber-Ark Event Notification Engine service as well.
Check the tail running on the padr.log file on the DR server (10.0.14.1) and confirm
that a full replication process started and that the replication (from the Primary Vault
to the DR Vault) has ended successfully.
In this step we will confirm that our end users can still access critical systems via
CyberArk.
Login to the PVWA as John and launch a secure connection to the target Windows
machine using the account localadmin01. If everything works as expected, John
should be able to launch the secure connection without any human intervention.
Lastly, login to the PVWA as Mike and navigate to SYSTEM HEALTH. Confirm
server 10.0.10.1 once again acts as PRIMARY and server 10.0.14.1 acts as DR.
Confirm all other components are connected.
Note: it may take a little longer for the PSM for SSH service to failover, but eventually it
should failover to the functioning Vault.
The CPM log files can be automatically uploaded to a Safe in the Vault according to a
predefined period in the CPM parameters file. Each time a log file is uploaded to the
Vault, it is copied to the History subfolder in the Log folder, and the CPM begins writing to
a new log file.
Log into the PVWA as mike and go to ADMINISTRATION > Configuration Options.
You should see that PasswordManager is already selected as the CPM. If there
were multiple CPMs you would select the appropriate CPM from the pulldown list.
Click CPM Settings.
Select Configuration > General and scroll down to set the following parameters.
LogCheckPeriod: 1
LogSafeName: CPM_Logs
Click OK.
The Vault Admins group will now be able to access the CPM logs.
Optional Exercises
A major step in a Privileged Access Management program is to secure the Windows local
administrators. This is essential to reduce the risk of lateral movement. CyberArk enables
securing local administrator credentials, as well as using PSM to access those accounts.
There are cases, however, where managing the local administrator passwords is not
possible at the initial stage of deployment, whether because of objections from the IT users
or for other reasons. Just-in-Time (JIT) access allows you to smooth out your local
administrators’ security. It can be used as an intermediate step towards full implementation
of Vaulting the local administrators. You can grant Windows admins on-demand, ad hoc
privileged access to Windows targets for a predefined number of hours (4 hours by
default).
During this time, domain users can request to access a system as a local administrator. If
authorized, the system temporarily adds the logged-on Windows users into the target
system's local administrator group, without the need to manage the credentials of the local
administrator on that target. This allows for a frictionless and lightweight solution that
enables your organization to introduce privileged controls and help establish habitual
security, before moving into a robust PAM program.
The workflow, as exhibited in the following diagram, starts when an end user requests
access to a designated ad hoc target machine, and is subsequently added to the local
admin groups. The end user is notified that they have been granted access (or not), and
once granted, is able to access the target machine using their own login for 4 hours (by
default). After this period, the user is automatically removed from the local admin group.
In this exercise, you will set up Just-in-Time access for the Windows admin user (John),
allowing John to be added to the local admin group on the target system for 4 hours.
Go to ADMINISTRATION > Platform Management and duplicate the WIN SRV LCL
ADM 45 Platform to a new platform called WIN SRV JIT. You may add a description
stating that accounts associated with this platform are not managed by the CPM.
Click on Edit to edit the new platform. In the new platform set the following
parameters to NO.
• AutoChangeOnAdd
• AllowManualChange
• PerformPeriodicChange
• VFAllowManualVerification
• VFPerformPeriodicVerification
• RCAllowManualReconciliation
• RCAutomaticReconcileWhenUnsynched
In the new platform, go to UI & Workflows > Properties. Remove the Username
property from Required, and add a new property called Username under Optional.
Note: For JIT access, a domain account which is used as a reconcile account should be
associated with the platform. In our case, this has already been defined in the base
platform we duplicated: WIN SRV LCL ADM 45
Note: For security best practice, you need to limit the Safes that are required for ad hoc
access, by setting the AllowedSafes parameter with a regular expression that lists
the Safes that this platform can be applied to. This too has already been defined in
the base platform we duplicated: WIN SRV LCL ADM 45
Note: you can also set the time, in minutes, after which a user is automatically removed
from the Administrators group on the target machine. By default, the parameter is
set to 240 minutes (4 hours).
Go to Accounts View and click on Add Account. Add the local administrator
account of the Target Windows server:
First, open MSTSC (you can use the search functionality to find the application).
You should receive an error stating that John is not authorized for remote login:
Now, login to the PVWA as John. Search for the Target Windows local Administrator
account and click on Get Access.
Now try to launch another RDP connection to the Target Windows server as
acme\John. You should be able to login this time.
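To verify the other half of the JIT workflow, that the user is removed from the local Administrators group once the window (240 minutes by default) has elapsed, the following PowerShell is an added example, not part of the guide or the product. It compares the group's members with an expected baseline; it assumes Get-LocalGroupMember is available (Windows PowerShell 5.1 or later), and the baseline and snapshot lists are constructed for the lab.

```powershell
# Added example; not part of the guide or the product. Lists members of the
# target's local Administrators group that are not in an expected baseline, so a
# JIT-granted user still present after the 240-minute window (the guide's
# default) is easy to spot. Assumptions: Get-LocalGroupMember is available
# (Windows PowerShell 5.1 or later); the baseline and sample members below are
# constructed for the lab (domain acme as in the exercise).
function Get-UnexpectedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $Baseline,
        [string]   $Group = 'Administrators',
        [string[]] $Members          # optional: supply a captured list instead of querying
    )
    if (-not $Members) {
        # Live query on the target machine
        $Members = Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name }
    }
    # Case-insensitive lookup of the expected members
    $expected = @{}
    foreach ($b in $Baseline) { $expected[$b.ToLowerInvariant()] = $true }
    foreach ($m in $Members) {
        if (-not $expected.ContainsKey($m.ToLowerInvariant())) {
            [pscustomobject]@{ Group = $Group; Member = $m; Status = 'not in baseline' }
        }
    }
}

# Constructed data: what the group should contain when no JIT grant is active,
# and a snapshot taken while John's JIT access is in effect.
$baseline = @('TARGET\Administrator', 'ACME\Domain Admins')
$snapshot = @('TARGET\Administrator', 'ACME\Domain Admins', 'ACME\John')

# Reports ACME\John; the same call after the JIT window should return nothing.
Get-UnexpectedLocalAdmins -Baseline $baseline -Members $snapshot | Format-Table -AutoSize

# On the target itself, omit -Members to audit the live group:
# Get-UnexpectedLocalAdmins -Baseline $baseline
```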
File category is the CyberArk term for the properties or fields available on accounts
(Address, User Name, etc.). This section will detail the steps required to create and use
custom file categories, allowing you to categorize accounts based on your organization’s
requirements.
In this final exercise, we will create a custom file category called BusinessUnit and provide
a list of possible choices: International, Retail, and Corporate. We will then modify our
Oracle platform so that when users add new accounts, they will be required to associate
the new account with one of these business units. Finally, we will make the new
parameter searchable within the PVWA and, of course, we will test what we have done.
On the Components server, from the PrivateArk Client, log onto the Prod Vault as
Administrator and go to File > Server File Categories.
Name: BusinessUnit
Type: List
After each value is added, select the Required Category checkbox and click OK.
Now we’ll make the new BusinessUnit File Category a required field for accounts assigned
to the ORA DBA 30 platform.
Go to UI & Workflows > Properties > Required. Right-click and select Add
Property from the context menu.
Enter BusinessUnit in the Name field and press Apply and OK. This will make
BusinessUnit a required field on any accounts attached to the ORA DBA 30 policy.
Enter BusinessUnit in the Name field and press Apply and OK. This will allow the
new file category to be searchable.
Login to the PVWA as Robert, go to the Classic interface, and in the ACCOUNTS tab
open the dba01 account.
Enter retail in the Search field on the ACCOUNTS tab and press Go.