CyberArk PAM-DEF - CyberArk Defender - PAM

The correct sequence to delegate the rights to unlock users to Tier 1 support with an existing LDAP group is as follows:

Sign into the PWA (V10) as a local user with the “Manage Directory Mapping” privilege.

Open LDAP Integration view.

Add Mapping to the existing LDAP integration.

Name the new mapping and set the mapping order.

Select required LDAP group and assign authorization “Activate Users”.

Comprehensive Explanation: To delegate the rights to unlock users, you must first access the Privileged Web Access (PWA) with the appropriate privileges to manage directory mappings. Then, navigate to the LDAP Integration view to add a new mapping to the existing LDAP integration. This mapping should be named and ordered correctly. Finally, select the LDAP group that represents Tier 1 support and assign the specific authorization needed to unlock users, which is “Activate Users” in this context12.

References:

CyberArk Docs: LDAP Integration in V102

CyberArk Knowledge Article: How to delegate permissions to unlock Active Directory accounts1

CyberArk does not implement license limits by controlling the number and types of users that can be provisioned in the vault. CyberArk implements license limits by controlling the number and types of users that can authenticate to the vault and use its features. The license limits are based on the user types and objects that are defined in the vault, such as Vault Users, LDAP Users, LDAP Groups, Safes, Accounts, etc. The license limits are enforced by the License Manager, which is a service that runs on the Vault server and monitors the license usage. The License Manager can send notifications and alerts when the license usage reaches certain thresholds, and can also block or allow access to the vault based on the license status1.

References:

1: Manage the CyberArk License

The directory mappings are the rules that define how users and groups from an external directory, such as Active Directory (AD), are mapped to roles and authorizations in CyberArk. To verify that the Vault Admins directory mapping points to the correct AD group, you need to check the Mappings page in the PVWA. This page displays the list of existing directory mappings in the Vault and their properties, such as mapping name, LDAP branch, domain groups, and mapping authorizations. You can edit or delete a directory mapping from this page, or create a new one using the Create Directory Mapping button. References: Directory Maps, Create directory mapping, Get directory mapping list

A connection component is a set of parameters that defines how PSM connects to a target system using a specific protocol or application. Different connection components are suitable for different types of systems or functions. The correct matches are as follows:

PSM-SSH: This connection component enables transparent connections to UNIX machines using the SSH protocol. It supports various UNIX flavors, such as Linux, Solaris, AIX, and HP-UX.

PSM-RDP: This connection component enables transparent connections to Windows machines using the RDP protocol. It supports various Windows versions, such as Windows Server, Windows 10, and Windows 7.

PSM-WinSCP: This connection component enables transparent connections to UNIX machines using the WinSCP application. It supports file transfer operations, such as upload, download, delete, and rename, between the local and remote machines.

PSM-SQLPlus: This connection component enables transparent connections to Oracle databases using the SQL*Plus application. It supports various Oracle versions, such as Oracle 12c, Oracle 11g, and Oracle 10g.

PSM-OS390: This connection component enables transparent connections to IBM mainframes using the OS/390 protocol. It supports various mainframe applications, such as TSO, CICS, and IMS.

References: Connection Components, Connection Component Parameters

 When configuring a discovery scan for UNIX, you must specify the CPM Scanner and the list of machines to scan. The CPM Scanner is the component responsible for executing the discovery process, and it requires a list of target machines to scan for new and modified accounts and their dependencies. This list can be provided in the form of a CSV file for UNIX machines1. The discovery process will then scan the predefined machines to identify privileged accounts that should be onboarded into the Vault for secure and automated management according to enterprise compliance policies2.

References:

CyberArk Docs - Manage discovery processes1

CyberArk Docs - Scan for accounts using Account Discovery

 Non-repudiation in the context of CyberArk Master Policy settings refers to the assurance that a user cannot deny the validity of their actions. The settings that ensure non-repudiation are those that enforce accountability and traceability of actions. Enforcing check-in/check-out exclusive access ensures that only one user can access an account at a time, and their actions can be traced back to themEnforcing one-time password access means that passwords are used only once and then changed, which prevents the reuse of credentials and ties actions to specific instances of access12.

References:

CyberArk Docs: Master Policy Rules2

CyberArk Docs: The Master Policy1

 To enable the automatic response “Add to Pending” within PTA when unmanaged credentials are found, the PTAUser needs to have the minimum permissions for the PasswordManager_pending safe as follows:

List Accounts: This permission allows the PTAUser to view the accounts in the safe and their properties.

View Safe members: This permission allows the PTAUser to view the members of the safe and their authorizations.

Add accounts (includes update properties): This permission allows the PTAUser to add new accounts to the safe and update their properties, such as name, address, platform, and policy.

Update Account content: This permission allows the PTAUser to update the password of the accounts in the safe.

Update Account properties: This permission allows the PTAUser to update the properties of the existing accounts in the safe, such as name, address, platform, and policy.

These permissions are required for the PTAUser to be able to detect unmanaged privileged accounts and add them to the pending accounts queue in the PasswordManager_pending safe. The PTAUser also needs to have the same permissions for the PasswordManager_reconcile safe to enable the automatic response “Reconcile credentials” for suspicious password change events. References: Configure PTA Remediations, Safe Member Authorizations

The Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance driven rules that are defined as the baseline for the enterprise. The Master Policy includes the following main concepts1:

Basic policy rules: These rules allow the administrator to define specific aspects of privileged account management, such as privileged access workflows, password management, session monitoring and auditing.

Advanced policy rules: Some basic policy rules have related advanced settings that provide more granular control over the policy enforcement.

Exceptions: These are policy rules that differ from the overall Master Policy for a specific scope of accounts, such as accounts associated with a specific platform.

The Master Policy rules are divided into four sections2:

Privileged Access Workflows: These rules define how the organization manages access to privileged accounts, such as requiring dual control, one-time passwords, exclusive passwords, transparent connections, reason for access, etc.

Password Management: These rules determine how passwords are managed, such as requiring password change, password verification, password reconciliation, ticketing integration, required properties, custom connection components, etc.

Session Management: These rules determine whether or not privileged sessions are recorded and how they are monitored, such as requiring session isolation, session recording, session audit, etc.

Audit: This rule determines how Safe audits are retained, such as specifying the audit retention period.

Based on the above information, the following options can be configured in the Master Policy:

A. Dual Control: This is a basic policy rule in the Privileged Access Workflows section that determines whether users need to get approval from authorized users before accessing a privileged account2.

B. One Time Passwords: This is a basic policy rule in the Privileged Access Workflows section that determines whether users can only use a password once before it is changed2.

C. Exclusive Passwords: This is a basic policy rule in the Privileged Access Workflows section that determines whether users need to check out a password and prevent other users from accessing it until it is checked in2.

H. Password Aging Rules: This is a basic policy rule in the Password Management section that determines how often passwords need to be changed2.

The following options cannot be configured in the Master Policy:

D. Password Reconciliation: This is not a policy rule, but a process that restores the password of a privileged account to the value that is stored in the Vault, in case it is changed or out of sync3.

E. Ticketing Integration: This is not a policy rule, but a feature that enables the integration of the Vault with external ticketing systems, such as ServiceNow, Jira, etc.

F. Required Properties: This is not a policy rule, but a platform setting that determines which properties are mandatory for adding accounts to a platform.

G. Custom Connection Components: This is not a policy rule, but a platform setting that determines which connection components are used to connect to target systems, such as PVWA, PSM, PSMP, etc.

References:

1: The Master Policy

2: Master Policy Rules

3: Password Reconciliation

: Ticketing Integration

: Required Properties

: Custom Connection Components

The purpose of the password change process is to change the password of an account according to organizationally defined password rules. The password change process is a feature of CyberArk that enables the Central Policy Manager (CPM) to manage the passwords of privileged accounts that are stored in the Vault. The CPM can change the passwords automatically or manually, based on predefined policies, schedules, or user requests. The password change process ensures that the passwords are secure, compliant, and synchronized with the target systems and the Vault. The password change process also supports different types of accounts, such as one-time passwords, exclusive accounts, and dual accounts1.

The other options are not the main purpose of the password change process, although they may be related to some aspects of it. The password change process does not test that CyberArk is storing accurate credentials for accounts, although it may verify the password validity before changing it. The password change process does not allow CyberArk to manage unknown or lost credentials, although it may reconcile the passwords if they are out of sync with the target systems. The password change process does not generate a new complex password, although it may use a random password generation mechanism to create a new password that meets the password policy requirements. References:

Change Passwords - CyberArk, section “Change Passwords”

The server key and the public recovery key are required to be present in order to start the PrivateArk Server service. The server key opens the Vault, much like the key of a physical Vault. The public recovery key is part of the asymmetric recovery key that enables the Master User to log on to the Vault in case of a disaster. The server key and the public recovery key are usually stored on a removable media, such as a disk or CD, so that they can be safely secured in a physical safe. The recovery private key and the safe key are not needed to start the PrivateArk Server service. The recovery private key is only used for recovery purposes and the safe key is only used to access a specific safe that is defined with an external key. References: Server keys, Server Components