CyberArk Notes [PDF]

CyberArk full course

***Vault Installation
Files needed, downloaded from the CyberArk Secure File Exchange (SFE):
* PrivateArk Client
* PrivateArk Server
* Operator Key
* Master Key (for recovery)
* License
Hardening is automatic and is part of the setup.exe installation.

***PVWA
1. PVWA pre-requisites
IIS, .NET Framework 4.8, and an SSL certificate for the PVWA URL.
2. PVWA version 12 installation
This is where you install the full version of PVWA and the mobile version. This is also where you select the authentication types offered on the PVWA login page; usually we select CyberArk and LDAP.
During the installation you also enter the vault address, the vault port (1858) and the PVWA URL. By default the installer proposes <hostname>/PasswordVault. If you do not have DNS, replace the hostname with the IP address of the PVWA server. Port 1858 is CyberArk's proprietary vault protocol port.
Add the PVWA URL to the Trusted Sites zone in Internet Explorer.
If there is more than one vault in your environment, or you have a DR vault, edit the vault configuration file on the PVWA server. Path: C:\CyberArk\Password Vault Web Access\VaultInfo\Vault.ini
3. PVWA main configurations
4. PVWA built-in safes overview
5. PVWA built-in users
6. IIS applications overview
On the server, add the Web Server (IIS) role. Internet Information Services is the web server on which the PVWA site is hosted, which is why it is a pre-requisite. Once installed, search for it in the Start menu and IIS Manager appears.
7. Certificate binding with IIS
The binding attaches the SSL certificate to the site that hosts the application (PVWA) on this server. Binding is done in IIS Manager, in the Actions pane on the right.
8. PVWA interface
9. PVWA operation tasks
10. Safes, master policies, platform settings overview
11. Changing the login screen logo
12. PVWA login message
13. PVWA hardening
The hardening script is in the Installation automation folder of the installation package.

Open PowerShell as administrator and change directory (cd) to the path where the server hardening script is kept. Then run the PVWA hardening PowerShell script by entering .\.ps1 and pressing Enter.
14. PVWA services

***CPM
1. CPM pre-requisites
Windows Server, .NET Framework, Microsoft Visual C++ redistributable.
Each component has different pre-requisites: the PVWA needs IIS, the PSM needs RDS, and the Vault must be installed on a dedicated machine that stays in a workgroup.
2. CPM version 12 installation
Make sure the vault server is up. If it is down, the installation will fail.
3. CPM main configurations
4. CPM built-in safes overview
5. CPM built-in users
6. CPM Scanner service troubleshooting
The CPM Scanner service talks to the PVWA over HTTPS, so it must trust the SSL certificate installed on the PVWA. The CA that issued the PVWA certificate must also be trusted on the CPM server (import its root/issuing CA certificate into the CPM server's trusted store), so the CPM can validate the PVWA certificate and build the trusted channel.
7. CPM operational tasks
8. CyberArk safes, master policies, platform settings overview
9. Onboarding an account and changing the password
10. CPM hardening
The hardening script is in the installation package under Installation automation. In the File Explorer window where the installation package is open, open PowerShell as administrator from that folder and run the hardening script. If there is an error, check the logs in the Installation automation folder. When hardening of the CPM server finishes, it creates a local account, PasswordManagerUser.
11. CPM services
==========================
For version 10.7 or older, the installation sequence is

vault > cpm > pvwa > psm
Later than 10.7:
vault > pvwa > cpm > psm
If you install the CPM before the PVWA, you still need to update the PVWA address/URL in the vault configuration file manually. When you install the PVWA first and then the CPM, the address/URL is updated automatically, so there is no need to edit the file. Basically, the order just removes manual effort.
===================================
***PSM
1. CyberArk PSM pre-requisites
The server where you will install PSM must be domain-joined. If the server is initially in a workgroup, join it to your domain.
Process: Update the IPv4 DNS setting to the IP address of the domain controller so the PSM server can reach it. Then go to Server Manager > Local Server, click the Workgroup value, click Change, switch "Member of" from Workgroup to Domain and enter the domain name. Once the server is domain-joined, you can log in with domain accounts.
The other pre-requisite is RDS (Remote Desktop Services, the RD Session Host role). Only after RDS is installed should you install the PSM on that same server.
2. PSM version 12 installation
Note: the CyberArk Vault must be up and running when installing the PSM. Run setup.exe.
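The PSM pre-requisites above (DNS, domain join, RDS) as PowerShell, which is what you would type into the server instead of clicking through Server Manager. This is an added example, not code from the course or from CyberArk; it also goes beyond the text by including the lab domain controller promotion and the RD licensing pointer that appear later in this section. Everything named is an assumption for a lab: domain ralphyt.com (the notes' example), DC host dc01 at 10.0.0.5, NIC alias "Ethernet", the DC as RD license server, Per User licensing mode.

```powershell
# Added example (not from the course notes): prepare a lab DC and a PSM server.
# Assumptions: domain ralphyt.com, DC dc01 at 10.0.0.5, PSM NIC alias "Ethernet",
# RD license server dc01, Per User licensing. Run each function elevated on the
# machine named in its comment; the joins and role installs reboot the box.

$Domain        = 'ralphyt.com'
$DcIp          = '10.0.0.5'
$NicAlias      = 'Ethernet'
$LicenseServer = "dc01.$Domain"

# Run on the future domain controller only (Server Manager: add the AD DS role, then
# "Promote this server to a domain controller" > "Add a new forest").
function New-LabForest {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    # The DSRM password is the only required secret; -InstallDns makes the DC the lab DNS server.
    Install-ADDSForest -DomainName $Domain -InstallDns `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
    # Reboots automatically. Afterwards: Get-ADDomain | Select-Object DNSRoot, PDCEmulator
}

# Run on the future PSM server, before the domain join (PSM pre-requisite 1).
function Join-PsmServer {
    # 1. Point DNS at the DC so the domain can be located (SRV lookup), and prove it.
    Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $DcIp
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { throw "No DC SRV record for $Domain via $DcIp; fix DNS before joining." }

    # 2. Join the domain (Server Manager > Local Server > Workgroup > Change > Domain).
    $cred = Get-Credential -Message "Account permitted to join computers to $Domain"
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}

# Run on the PSM server after the reboot, logged on with a domain account.
function Install-PsmRdsPrereq {
    # 3. RD Session Host role (the "RDS" pre-requisite) plus the Licensing Diagnoser tool.
    Install-WindowsFeature -Name RDS-RD-Server, RDS-Licensing-Diagnosis-UI -IncludeManagementTools | Out-Null

    # 4. License server and mode. These registry values are what the Group Policy settings
    #    "Use the specified Remote Desktop license servers" and "Set the Remote Desktop
    #    licensing mode" write; setting them locally keeps the lab free of GPO dependencies.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name LicenseServers -Value $LicenseServer -Type String
    Set-ItemProperty -Path $pol -Name LicensingMode  -Value 4 -Type DWord    # 2 = Per Device, 4 = Per User

    # 5. Gate PSM setup.exe on the two pre-requisites the notes call out.
    $cs   = Get-CimInstance Win32_ComputerSystem
    $rdsh = (Get-WindowsFeature -Name RDS-RD-Server).Installed
    if (-not $cs.PartOfDomain) { throw "Server is still in workgroup $($cs.Workgroup)." }
    if (-not $rdsh)            { throw 'RD Session Host role is missing; do not run PSM setup yet.' }
    "Ready for PSM setup: member of $($cs.Domain), RDSH installed, license server $LicenseServer"
    Restart-Computer -Confirm
}
```

Run the functions in the order they are defined, one per reboot. The SRV lookup is the check that catches the most common join failure (DNS still pointing at the old resolver), and the final gate refuses to let you start PSM setup.exe on a workgroup or RDS-less server, which is the failure the notes warn about.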

3. PSM main configurations
The config file is located at Program Files (x86) > CyberArk > PSM > basic_psm.ini. There you see the PSMServer, PSMAdmin and PVWAConfig settings.
===============================
HTML5 Gateway
If the organization does not want to use RDP for the client connection, or the RDP port is not open from the clients, the HTML5 gateway can be installed.

In that case the gateway converts the user's HTTPS session from the browser into the RDP connection to the PSM, so the user can reach the target server without RDP on the client.
Note: If you want to install two or more PSM servers, the process is the same, including the pre-requisites, with one difference. While you install the second PSM it asks you for the usernames of the PSMApp user and the PSMGW user; provide different names, otherwise it overrides the default users created by the first PSM and the installation will probably fail. Name them e.g. PSMApp1, PSMApp2 or PSMGW1, PSMGW2.
4. PSM ports
5. PSM built-in safes overview
6. PSM built-in users
7. PSM operational tasks
8. PSM master policies, platform settings overview
9. Establishing a connection to a server
10. PSM hardening
For PSM, hardening is part of the installation, like the vault.
11. PSM services
12. Pointing the connection to one PSM in a load-balanced environment
13. PSM shadow users
The PSM also uses shadow users: when you click Connect, a shadow user is created on the PSM server for that session; it is a shadow of your user with limited permissions. If a shadow user is compromised, the exposure is limited, because it has no permissions on your machine and exists only for that session.
14. Active Directory installation
15. Promoting a server to domain controller
16. How to put a server into a domain
Once you have joined the PSM server to the domain of the AD server, you can proceed with onboarding.
===============================
Installing Active Directory on a Windows server and promoting it to a domain controller
1. In the main Server Manager dashboard, select "Add roles and features" and follow the prompts.
2. Under Server Roles, select Active Directory Domain Services. Leave the rest at default.
3. Once installation is complete, go back to the Server Manager dashboard; on the upper right click the flag icon and select the post-deployment configuration "Promote this server to a domain controller".
Then select one of the following:
* Add a domain controller to an existing domain

* Add a new domain to an existing forest
* Add a new forest
Then enter your desired root domain name, e.g. ralphyt.com, and follow the prompts.
4. Once installation is done, go back to the main dashboard and check the properties to confirm they now show the domain name. Then, under Tools, open Active Directory Users and Computers (ADUC).
Once you have the domain controller, you can install the PSM. Best practice is to install each component on its own domain-joined server (except the Vault, which stays in a workgroup).
===============================
***CyberArk SMTP Integration
1. CyberArk SMTP integration
2. CyberArk ENE configuration
3. CyberArk SMTP setup
4. CyberArk SMTP test
5. CyberArk notification settings
6. CyberArk notification engine
7. CyberArk Vault SMTP
8. CyberArk ENE SMTP
9. CyberArk PTA SMTP
10. CyberArk notifications
11. CyberArk notification agent rules
Port for SMTP is 25. Pre-requisite is to install IIS so you can open a mail-enabled URL and check the notifications.
1. Install IIS in Server Manager.
2.
===============================
Remote Desktop licensing installation and configuration in Windows 2012
1. Install roles: add "Remote Desktop Services" as the server role, and add the following features under Remote Server Administration Tools: Remote Desktop Licensing Diagnoser tool, Remote Desktop Licensing tools.
2. Enter the license key information.
3. Check the RD Licensing Diagnoser for a valid license.
4. Configure the group policy to specify the RD license server and the licensing mode.
===============================
***DR Vault Installation

1. CyberArk DR Vault pre-requisites
It should also be in a workgroup (not domain-joined).
2. CyberArk DR Vault installation
Download the Disaster Recovery installation file.
Note: Install the PrivateArk Server first. Once that is done, install the DR setup.exe.
Note: Once you have installed the PrivateArk Server on the DR machine, set its service from Automatic to Manual, then stop the service.
During installation of the DR service you enter the credentials of the DR user. To get them, go back to the primary PrivateArk Server, go to Users and enable the DR user (it is disabled by default), then set a password. You also enter the IP address of the vault that the DR replicates from. Once DR setup.exe completes successfully, it starts replicating data from the primary vault.
Once the DR is set up, make sure to update the vault configuration file (Vault.ini) of the PVWA and PSM with the address of the DR server.
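The configuration change just described (and the same one mentioned under the PVWA section for environments with more than one vault) is an ADDRESS line in each component's Vault.ini listing the primary and DR vault addresses, with the primary first. The script below is an added example, not from the course or CyberArk: it adds the DR address to every Vault.ini it finds on a component server, backs the files up, adds the hosts-file entries the vault needs because it is in a workgroup, and proves both vaults answer on 1858. Assumptions: primary vault 10.0.0.10 (vault01.ralphyt.com), DR vault 10.0.0.11 (vault02.ralphyt.com), and the default install paths shown.

```powershell
# Added example (not from the course notes): point PVWA/PSM/CPM at primary + DR vault.
# Assumptions: primary 10.0.0.10 = vault01.ralphyt.com, DR 10.0.0.11 = vault02.ralphyt.com,
# default install paths. Components try the ADDRESS entries in order, so primary stays first.

$PrimaryVault = '10.0.0.10'
$DrVault      = '10.0.0.11'
$VaultHosts   = @{ $PrimaryVault = 'vault01.ralphyt.com'; $DrVault = 'vault02.ralphyt.com' }
$VaultIniPaths = @(
    'C:\CyberArk\Password Vault Web Access\VaultInfo\Vault.ini',        # PVWA
    'C:\Program Files (x86)\CyberArk\PSM\Vault\Vault.ini',               # PSM
    'C:\Program Files (x86)\CyberArk\Password Manager\Vault\Vault.ini'   # CPM
)

function Get-VaultAddresses([string]$Path) {
    # ADDRESS=a,b -> @('a','b'); tolerates spaces around '=' and ','.
    $line = Get-Content -Path $Path | Where-Object { $_ -match '^\s*ADDRESS\s*=' } | Select-Object -First 1
    if (-not $line) { throw "No ADDRESS line in $Path" }
    ($line -split '=', 2)[1].Trim() -split '\s*,\s*'
}

function Set-VaultAddresses([string]$Path, [string[]]$Addresses) {
    # Timestamped backup first, so the change can be reverted if a component fails to start.
    Copy-Item -Path $Path -Destination ("{0}.{1:yyyyMMdd-HHmmss}.bak" -f $Path, (Get-Date))
    $new = 'ADDRESS=' + ($Addresses -join ',')
    (Get-Content -Path $Path) -replace '^\s*ADDRESS\s*=.*$', $new | Set-Content -Path $Path -Encoding ASCII
}

function Add-HostsEntry([string]$Ip, [string]$Fqdn) {
    # The vault is in a workgroup, so its name is not in AD DNS; components resolve it via hosts.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $pattern = "^\s*$([regex]::Escape($Ip))\s+$([regex]::Escape($Fqdn))\b"
    if (Select-String -Path $hosts -Pattern $pattern -Quiet) { return }
    Add-Content -Path $hosts -Value "`r`n$Ip`t$Fqdn"
}

function Test-VaultPort([string]$Address) {
    # 1858 is the vault's proprietary protocol port; if it is filtered, a component will
    # hang on that entry instead of failing over to the next one.
    (Test-NetConnection -ComputerName $Address -Port 1858 -WarningAction SilentlyContinue).TcpTestSucceeded
}

foreach ($ini in $VaultIniPaths | Where-Object { Test-Path $_ }) {
    $current = Get-VaultAddresses $ini
    if ($current -contains $DrVault) { "$ini already lists $DrVault"; continue }
    # Primary first, any other existing entries next, DR last.
    $ordered = @($PrimaryVault) + @($current | Where-Object { $_ -ne $PrimaryVault }) + @($DrVault)
    Set-VaultAddresses -Path $ini -Addresses $ordered
    "$ini -> ADDRESS=$($ordered -join ',')"
}

foreach ($v in $PrimaryVault, $DrVault) {
    Add-HostsEntry -Ip $v -Fqdn $VaultHosts[$v]
    "{0} ({1}) port 1858 reachable: {2}" -f $v, $VaultHosts[$v], (Test-VaultPort $v)
}
# Restart the PVWA, PSM and CPM services (and IIS on the PVWA) afterwards so they re-read Vault.ini.
```

Run it elevated on each component server. A false result from Test-VaultPort for the DR address is worth fixing before a failover, not during one; it usually means a firewall rule only exists for the primary.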

3. CyberArk DR Main Configuration Files
4. CyberArk DR Ports
5. CyberArk DR Full/Incremental Replication
6. CyberArk DR User Overview
The DR user is the one that replicates the data from the primary vault.

7. CyberArk DR Vault Concept
8. CyberArk Prod Vault and DR Vault Identical Settings
9. CyberArk DR Vault Service
10. Routing the PVWA, PSM to DR Vault
11. CyberArk Padr.ini
12. How the CyberArk DR Vault checks if the Prod Vault Server is Active or Inactive
13. CyberArk DR Vault Log Files
14. Enable CyberArk DR User
15. Create a new DR user for the Production Vault

***CyberArk LDAP Integration
1. CyberArk LDAP/LDAPS integration
2. LDAP Ports
3. Install Certificate Authority on Domain Controller
4. LDAP Main Config File
5. CyberArk Directory Mapping
6. CyberArk LDAP Bind Account Permissions
7. CyberArk Vault Hosts File
8. CyberArk LDAP Authentication
9. CyberArk LDAP Certificate
10. LDAP Certificate Tool CyberArk
11. Domain Base Context CyberArk

12. CyberArk AD Sync
13. CyberArk AD Groups
You can get the root certificate from your 3rd-party CA; it must be the same CA that issued your domain's certificate. LDASCertificateTool (from the Secure File Exchange) is used to check that the certificate is valid so the LDAPS integration can work. Create a certificate on your CA server, or get one from a 3rd party, and install it on the CyberArk Vault for the LDAPS integration.
In any type of integration, always modify the hosts file of the machine with the IP address and FQDN of the vault server, because the vault server is in a workgroup and not part of the domain.
Port for LDAPS is 636 (recommended). Port for LDAP is 389 (cleartext, including the bind credentials).
In reality you do not need to create the Active Directory or the Certificate Authority yourself. You just need to request the root certificate and install it on the vault server and the PVWA server; then you can start the LDAPS integration.
Bind account: no special permissions required, just a domain user. Used for the LDAP/LDAPS integration.
===============================
CyberArk Application Identity Manager (AIM) Installation
AIM is used to eliminate hardcoded credentials, e.g. a script such as a batch file that runs with an account whose password is hardcoded and stored in plaintext. To eliminate those hardcoded credentials we use AIM: the script pulls the password from the CyberArk vault at run time and uses it in the application. This is used when you want to fetch the password of an account onboarded in CyberArk: go to the safe where the account is stored, click Members and add the members described below.
Application Access Manager (AAM) and AIM are the same thing; AAM is the newer name. You can download the file from the Secure File Exchange. You need a license for it. Pre-requisite is IIS.
1.
Just run the setup.exe and enter the necessary information, such as the admin account used to access the vault.
2. Once installed, a safe named AppProviderConf is created in the vault. The safe contains the main configuration file. In the main config file you can see the number of concurrent requests AAM can handle, i.e. the maximum number of account passwords it can fetch at once.
3. It also creates a built-in (default) provider user for the application. It has the Audit permission.
4. Go to Applications and add an application. Indicate the application ID that will be used (e.g. secapps_AIM).
5. Add the application ID (secapps_AIM) and the default provider user to the safe that you will be using for AIM.
6. Go to the safe where the account whose password the application will fetch is stored.
7. Add members and select the default AAM provider user created during installation. Its name usually starts with Prov, so just search for that in the Add Safe Member window. Set the default permissions.
8. Add another member: the application ID you created earlier. It should have only the Access permissions (List accounts and Retrieve accounts).
9. Now this application ID and the default AAM user will be used to fetch the passwords of the accounts stored in the safe.
10. To fetch the password using AAM, go to the AAM installation folder and run CLIPasswordSDK from cmd with the command below:
CLIPasswordSDK.exe GetPassword /p AppDescs.AppID= /p Query="Safe=;Folder=Root;Object=" /o Password
Enter
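What step 10 looks like once it replaces a hardcoded password in a real script: the wrapper below calls CLIPasswordSDK, fails loudly on a non-zero exit code (the usual symptom when the application ID is not a safe member or the provider is down) and hands back a PSCredential instead of a plaintext string. This is an added example, not code from the course or from CyberArk. Assumptions: the default Credential Provider SDK path below, the notes' application ID secapps_AIM, and an invented safe "LinuxRoot" with an invented object name; the SDK's comma-separated output when several fields are requested with /o is also assumed.

```powershell
# Added example (not from the course notes): fetch a vaulted password with CLIPasswordSDK
# instead of hardcoding it. Assumptions: default SDK path, AppID secapps_AIM, safe LinuxRoot,
# object "Operating System-UnixSSH-10.0.0.50-root" (safe and object are invented lab names).
# The Application ID needs List/Retrieve on the safe; the Prov_<host> user its default rights.

$Sdk = 'C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe'

function Get-VaultedCredential {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Safe,
        [Parameter(Mandatory)][string]$Object,
        [string]$Folder = 'Root'
    )
    if (-not (Test-Path $Sdk)) { throw "CLIPasswordSDK not found at $Sdk (is the Credential Provider installed?)" }

    # Ask for UserName as well as Password so the caller does not hardcode the user either.
    # UserName is requested first: usernames contain no commas, passwords might.
    $query  = "Safe=$Safe;Folder=$Folder;Object=$Object"
    $output = & $Sdk GetPassword /p "AppDescs.AppID=$AppId" /p "Query=$query" /o UserName,Password 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Typical causes: AppID not a member of the safe, provider service stopped, or the
        # application's machine/path/OS-user restrictions not met. The SDK's message is
        # safe to surface; it never contains the password.
        throw "CLIPasswordSDK failed (exit $LASTEXITCODE): $output"
    }

    # One output line, fields separated by ',' in the order given to /o (assumed default delimiter).
    $user, $password = ($output | Select-Object -Last 1) -split ',', 2
    $secure   = ConvertTo-SecureString -String $password -AsPlainText -Force
    $password = $null   # drop the plaintext copy as soon as the SecureString exists
    [pscredential]::new($user, $secure)
}

# Before: $pw = 'P@ssw0rd!' hardcoded in the batch file or script.
# After: fetched at run time, bound to this application, audited in the vault.
$cred = Get-VaultedCredential -AppId 'secapps_AIM' -Safe 'LinuxRoot' -Object 'Operating System-UnixSSH-10.0.0.50-root'
"Fetched credential for $($cred.UserName); password length $($cred.GetNetworkCredential().Password.Length)"
```

Pass $cred on to whatever consumes it (Invoke-Command, an SSH client, a database driver) rather than extracting the plaintext again; the one place the plaintext is unavoidable is the SDK output itself, and the function discards it immediately after wrapping it.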
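Two of the troubleshooting points in these notes are the same check from different hosts: the CPM Scanner must trust the PVWA's certificate chain (CPM section, item 6), and the vault must trust the domain controller's chain on LDAPS port 636 (LDAP section). The script below is an added example, not from the course or from CyberArk: it performs the TLS handshake, builds the chain with the local machine's trust store, reports exactly which element fails (UntrustedRoot, PartialChain, NotTimeValid, a name mismatch), and imports the root CA into the machine store when that is the cause. Assumptions: hosts pvwa01.ralphyt.com and dc01.ralphyt.com, and a root CA file at C:\certs\root-ca.cer.

```powershell
# Added example (not from the course notes): verify certificate trust from a CyberArk
# component's point of view. Assumptions: pvwa01.ralphyt.com (checked from the CPM),
# dc01.ralphyt.com:636 (checked from the vault), root CA exported to C:\certs\root-ca.cer.

function Test-TlsTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything at handshake time; trust is evaluated explicitly below so the
    # failing chain element can be reported instead of a bare "could not establish trust".
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab: CRL/OCSP usually unreachable
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Endpoint   = "${HostName}:$Port"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            # Exact SAN match only; a wildcard certificate shows False here and needs a manual look.
            SanMatches = [bool]($cert.DnsNameList.Unicode -contains $HostName)
            Trusted    = $trusted
            Problems   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            RootThumb  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Import-RootCa([string]$CerPath) {
    # Machine-wide Trusted Root store: the CPM and vault services run as service accounts,
    # so a certificate imported into the admin's user store does not help them.
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

$checks = @(
    @{ HostName = 'pvwa01.ralphyt.com'; Port = 443 },   # CPM Scanner -> PVWA
    @{ HostName = 'dc01.ralphyt.com';   Port = 636 }    # Vault -> DC over LDAPS
)
foreach ($c in $checks) {
    $r = Test-TlsTrust @c
    $r | Format-List
    if (-not $r.Trusted -and $r.Problems -match 'UntrustedRoot|PartialChain') {
        "Importing root CA and re-checking $($r.Endpoint)"
        Import-RootCa 'C:\certs\root-ca.cer'
        Test-TlsTrust @c | Format-List
    }
    if (-not $r.SanMatches) { "Name mismatch: connect to a name present in the SAN, or reissue the certificate." }
}
```

Run it elevated on the CPM server for the PVWA check and on the vault server for the LDAPS check (on the vault, the DC name must be resolvable, which in a workgroup usually means a hosts entry). A Trusted result with SanMatches True is what the CPM Scanner and the vault's LDAPS bind actually need; NotTimeValid or a mismatched Issuer will not be fixed by importing a root and points back at the certificate itself.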