PAM Administration

Privileged Session Management
Part 1

© 2023 CyberArk Software Ltd. All rights reserved


Agenda

By the end of this session, you will be able to describe the main features, architecture, and flow, as well as enable and use, the following session management solutions:

1. Privileged Session Manager (PSM)
   • PSM Ad-Hoc Connections
   • PSM via HTML5 Gateway
   • PSM for Windows
2. PSM for SSH


Overview



Privileged Session Management Provides 3 Main Benefits:

• Isolation: Separate endpoints from critical target systems to prevent lateral movement
• Monitoring: Detect and track suspicious activities in privileged sessions and events in real time
• Recording: Support forensic analysis and audit with detailed records of privileged activity


Privileged Session Manager



The Privileged Session Manager

When we talk about PSM, the Privileged Session Manager, we are usually referring to the PSM installed on a Windows server.

You can think of this as the “Universal PSM” because you can connect through it practically from any device to any device.

[Diagram: the user reaches the PVWA and connects over RDP to the PSM Server, which opens the session to the Target; a Direct Connection from the user to the target is also shown]


The Privileged Session Manager

• The PSM enables organizations to secure, control, and monitor privileged access to network devices
• It creates detailed session audits and video recordings of all IT administrator privileged sessions on remote machines
• Sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices


PSM Flow

[Diagram: PVWA (HTTPS), PSM (RDP over SSL), Vault, SIEM/PTA, and the target types Databases, Windows Servers, *Nix Servers, Web Sites, Routers and Switches, ESX\vCenters]

1. Logon through PVWA
2. Connect to PSM using RDP/TLS
3. Fetch credential from Vault
4. Connect using native protocols
5. Logs forwarded to SIEM and PTA
6. Store session recording


Enable PSM: Master Policy

Enable the PSM in the Master Policy for all platforms, or for specific platforms by use of exceptions.


PSM by Platform

By default, Platforms are associated with the first installed PSM server.


PSM Connection Components



Connection Components/Connectors

Connection Components (aka Connectors) define the configuration settings for using a given third-party client to connect to a target platform.

A few common ones are:
• SQLPlus
• RDP
• Putty
• WinSCP


Connection Components/Connectors

• There are many connection components available out of the box
• Additional connection components can be found in the CyberArk Marketplace
• Organizations can also build and add custom connection components to the PAM solution


Platform Settings

To enable the use of a particular third-party client to connect to a given account, the appropriate Connection Component needs to be assigned to the Platform that manages that account.


Importing and Managing Connectors

The new interface accelerates and simplifies Vault administration by allowing admins to import PSM connectors and link them to Platforms, all from one location.


Universal Connector

The Universal Connector framework facilitates the creation of custom connection components using a (relatively) simple, freeware programming language called AutoIt.


PSM Ad-hoc Sessions



PSM Ad-hoc Connection: Overview

With an Ad-Hoc Connection, users can connect securely to any machine supported by the PSM if they know the password.

• Main use cases:
  ⎼ Connecting with accounts that are not stored in the CyberArk Vault
  ⎼ Connecting with personal accounts
• Provides all the benefits of PSM: isolation, monitoring, and recording


Enable Ad-hoc Connections

• The PSM Secure Connect Platform must be activated
• Privileged session monitoring and isolation must be enabled for the PSM Secure Connect platform. This can be done either globally or via an exception to the Master Policy.


Launch Ad-hoc Connection

Users will need to specify all the account details when they connect:
• The Client they want to use on the PSM
• Target system Address
• Username
• Password, etc.


HTML5 Gateway



HTML5 Gateway: Overview

• Many organizations block RDP client connections from end-users' machines for security reasons or regulatory requirements.
• RDP is a Microsoft protocol, so in order to use it in Linux, Unix, or Mac environments, users must install a third-party client in order to connect to the PSM.
• The HTML5 Gateway tunnels the session between the end user and the PSM proxy machine using a secure WebSocket protocol (port 443). This solution eliminates the need to open an RDP connection from the end user's machine. Instead, the end user only requires a web browser to establish a connection to a remote machine through PSM.
• Secure access through HTML5 requires integrating an HTML5 gateway on a Linux server (it can be co-hosted with PSM for SSH). The Gateway is based on Apache Guacamole.


HTML5 Gateway: Flow

[Diagram: PVWA (HTTPS), HTML5 Gateway (WebSocket), PSM (RDP), Vault, SIEM/PTA, and the target types Databases, Windows/UNIX Servers, Web Sites, Routers and Switches, ESX\vCenters]

1. Logon through PVWA and click on Connect
2. Connect to HTML5 GW using WebSocket
3. Connect to PSM using RDP
4. Fetch credential from Vault
5. Connect using native protocols
6. Logs forwarded to SIEM and PTA
7. Store session recording


Enable HTML5 Gateway

The HTML5 GW is enabled at the system level for each PSM server.


Use HTML5-based or RDP-file Connection Method

• Users can be given the option to connect with either an HTML5-based or an RDP-file connection method when connecting to the remote server
• This setting is applied at the Connection Component level


PSM for Windows



PSM for Windows: Overview

• Users connect directly from their desktops with an RDP-compliant client to the PSM, which then connects to the target host using the protocol appropriate to that host: SSH, RDP, etc.
• There is no need to go through the PVWA.
• Users can launch the RDP client and sign in to CyberArk using single- or multi-factor authentication (for example, LDAP with RADIUS).
  ⎼ The RDP client application must be able to configure a “Start Program” for the RDP connection.
  ⎼ Connections can be made from Unix / Linux / Mac / Windows end user machines.
• PSM continues to provide complete isolation of the target systems, ensuring that privileged credentials never reach users or their devices.


PSM for Windows: Flow

[Diagram: end user → RDP over SSL → PSM; Vault, SIEM/PTA, and the target types Databases, Windows/UNIX Servers, Web Sites, Routers and Switches, ESX\vCenters]

1. Connect to PSM using RDP/TLS
2. Fetch credential from Vault
3. Connect using native protocols
4. Logs forwarded to SIEM and PTA
5. Store session recording


RDP Client Settings

• PSM IP
• Vault user
• Activate Start Program
• Program path:
  ⎼ Privileged Account name
  ⎼ Target address
  ⎼ Connection Component


Preconfigured RDP Files

You can also configure individual RDP files to connect through the PSM.

• It is possible to configure connections with or without providing the target system details.

Example RDP file (the full address is the PSM address; the alternate shell line carries the target system details):

full address:s:components.acme.corp
enablecredsspsupport:i:0
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:psm /u localadmin01 /a target-win.acme.corp /c PSM-RDP
Shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:

To connect without providing the target system details, use the line alternate shell:s:psm instead.
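The following is an added example (not CyberArk's code) that builds an RDP file with the settings listed above and checks whether a given RDP file actually routes through the PSM. It assumes a standard username:s: key for the Vault user, which the slide does not show; the host, account and connector names are constructed sample values.

```python
# Added example, not CyberArk's code. Keys below are those on the slide;
# "username:s:" is an assumption (standard RDP key, used for the Vault user).
BASE_SETTINGS = [
    "enablecredsspsupport:i:0", "audiomode:i:0", "redirectprinters:i:1",
    "redirectcomports:i:0", "redirectsmartcards:i:1", "redirectclipboard:i:1",
    "redirectposdevices:i:0", "autoconnection enabled:i:1",
    "authentication level:i:2", "prompt for credentials:i:0",
    "negotiate security layer:i:1", "remoteapplicationmode:i:0",
    "Shell working directory:s:", "gatewayhostname:s:", "gatewayusagemethod:i:4",
    "gatewaycredentialssource:i:4", "gatewayprofileusagemethod:i:0",
    "promptcredentialonce:i:0", "gatewaybrokeringtype:i:0",
    "use redirection server name:i:0", "rdgiskdcproxy:i:0", "kdcproxyname:s:",
]

def alternate_shell(account=None, target=None, connector=None):
    """'psm' alone omits the target system details; with all three values the
    session is preconfigured as: psm /u <account> /a <address> /c <connector>."""
    values = (account, target, connector)
    if all(v is None for v in values):
        return "psm"
    if not all(values):
        raise ValueError("account, target and connector must all be given")
    for v in values:  # keep the Start Program line one unambiguous command
        if any(ch.isspace() or ch == "/" for ch in v):
            raise ValueError(f"illegal character in {v!r}")
    return f"psm /u {account} /a {target} /c {connector}"

def build_rdp_file(psm_address, vault_user, account=None, target=None, connector=None):
    lines = [f"full address:s:{psm_address}", f"username:s:{vault_user}"]
    lines += BASE_SETTINGS
    lines.append(f"alternate shell:s:{alternate_shell(account, target, connector)}")
    return "\r\n".join(lines) + "\r\n"

def parse_rdp_file(text):
    """Map each 'key:type:value' line to key -> value (the type tag is dropped)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            settings[parts[0]] = parts[2]
    return settings

def routes_through_psm(text, psm_address):
    """Check a distributed RDP file: it must point at the PSM host, keep the
    slide's CredSSP setting and start 'psm' rather than a full desktop."""
    s = parse_rdp_file(text)
    return (s.get("full address") == psm_address
            and s.get("enablecredsspsupport") == "0"
            and s.get("alternate shell", "").split(" ")[0] == "psm")
```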


PSM for SSH



PSM for SSH: Overview

• The average enterprise manages hundreds of Unix servers and network devices
• Systems are usually critical, but access to them is uncontrolled
• Network and Unix teams are reluctant to change their existing workflows and tool sets
• PSM for SSH (previously PSM SSH Proxy or PSMP) is designed to provide a native Unix/Linux user experience when connecting to any SSH target system


PSM for SSH Client Settings

• The connection settings for PSM for SSH resemble those of PSM for Windows.
• Connections are not launched via the PVWA, but through a special connection string made up of the Vault username, the target account name, the target system address and the PSM-SSH address:

mike@logon01@10.0.0.20@10.0.30.1

(mike = Vault username, logon01 = target account name, 10.0.0.20 = target system address, 10.0.30.1 = PSM-SSH address)
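As an added example (not CyberArk's code), the parser below splits the connection string shown above into its four parts, validates the two addresses, and shows why the string works with a stock OpenSSH client. It handles only the four-part form on this slide; the sample values are constructed.

```python
# Added example, not CyberArk's code: parse, validate and rebuild the PSM for
# SSH connection string from the slide. Only the four-part form shown there
# (vault user@target account@target address@PSM-SSH address) is handled.
import ipaddress
import re
from dataclasses import dataclass

# Host name label per RFC 1123: letters, digits and hyphens, no edge hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

def is_address(value):
    """Accept an IP address or a host name; reject anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and _HOST_RE.match(value) is not None

@dataclass(frozen=True)
class PsmpConnection:
    vault_user: str
    target_account: str
    target_address: str
    psmp_address: str

    def connection_string(self):
        return "@".join((self.vault_user, self.target_account,
                         self.target_address, self.psmp_address))

    def ssh_argv(self):
        """OpenSSH splits user@host at the LAST '@', so the PSM-SSH host is the
        real SSH destination and everything before it is the login name."""
        login = "@".join((self.vault_user, self.target_account, self.target_address))
        return ["ssh", "-l", login, self.psmp_address]

def parse_connection_string(text):
    parts = text.split("@")
    if len(parts) != 4:
        raise ValueError("expected vault_user@target_account@target_address@psmp_address")
    vault_user, account, target, psmp = parts
    if not vault_user or not account:
        raise ValueError("vault user and target account must not be empty")
    for name, value in (("target address", target), ("PSM-SSH address", psmp)):
        if not is_address(value):
            raise ValueError(f"{name} {value!r} is not a host name or IP address")
    return PsmpConnection(vault_user, account, target, psmp)
```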


PSM for SSH: Flow

[Diagram: user → SSH → PSM for SSH → SSH with privileged account → UNIX/Linux Servers; Vault and SIEM/PTA attached to the PSM]

1. User opens SSH session to the PSM server
2. PSM retrieves privileged account password from the vault
3. Open SSH session to the target using the privileged account
4. Logs forwarded to SIEM and PTA
5. Store SSH session audit


Summary


Summary

In this session we covered the main PSM features, as well as how to enable and use:

• Privileged Session Manager (PSM)
  ‒ PSM Connection Components
  ‒ PSM Ad-Hoc Connections
  ‒ PSM via HTML5 Gateway
  ‒ PSM for Windows
• PSM for SSH


Additional Resources

• HTML5 Based Remote Access: https://training.cyberark.com/elearning/html5-based-remote-access
  Note: You must be logged into the CyberArk training portal to access this material.

You may now complete the following exercises:

Privileged Session Management – Part 1
• Privileged Session Manager
  – Remove Privileged Access Workflows Exceptions
  – Disabling the PSM Globally
  – Adding Exceptions
  – Connect with a Linux Account
  – Connect with an Oracle Account
  – Connect via HTML5 Gateway
  – Connect using PSM Ad-Hoc Connection
• Privileged Session Manager for Windows
  – Connect using RDP file without providing the target system details
  – Connect using RDP file with the target system details
• Privileged Session Manager for SSH