Cyberark End User Training Presentation

May 2015 Cyberark End User Knowledge Transfer Prepared By: Daniel P Wallace Principal Consultant Grow Forward, LLC [email protected]

Transcript of Cyberark End User Training Presentation

Page 1: Cyberark End User Training Presentation

May 2015

Cyberark End User Knowledge Transfer

Prepared By:

Daniel P Wallace

Principal Consultant

Grow Forward, LLC

[email protected]

Page 2: Cyberark End User Training Presentation

Agenda

• Logging On

• Finding Accounts

• Accessing Passwords

• Account Check-Out & Check-In

• Viewing & Copying Passwords

• PSM Secure Connect

• Transparent Connect

• Windows Walk-Through

• UN*X Walk-Through

Page 3: Cyberark End User Training Presentation

Logging Onto the Privileged Account Security Solution

• In your browser, specify the following URL: http://URL/passwordvault

• Select Cyberark Authentication

• The Cyberark authentication page appears

• Type your Cyberark user name and password in the appropriate edit boxes, then click Sign in

Page 4: Cyberark End User Training Presentation

Finding Accounts

• Accounts are stored in “Safes” which reside in the Cyberark vault

• Users who have the Retrieve accounts and List accounts authorizations in a Safe where accounts are stored can view the passwords in accounts. Once they have found the account they are looking for, the authorization determines the tasks that they can perform, as follows:

• Retrieve accounts – Users can view the password.

• Retrieve accounts and Use accounts – Users can use the password to connect to a remote device.

• Accounts that are retrieved or stored recently appear in the ‘Recently’ accounts lists. If the account you are looking for does not appear in this list, you will have to search for it.

Page 5: Cyberark End User Training Presentation

Regular Account Search

• In the Accounts page, specify the Search criteria

• In the Search field, specify a keyword to search for. You can specify up to four keywords

• Specify focused search criteria to optimize the search, resulting in quick and accurate results

• Click Go; the search is carried out in all the Safes in the Vault that you are authorized to access

You can carry out a search for all the accounts in the Vault that you have access to by leaving the Search field empty. However, this might take a while as the process searches the entire Vault

You can specify a Safe name that includes spaces. This Safe name does not need to be specified within quotation marks

Page 6: Cyberark End User Training Presentation

Advanced Search

• Click the drop-down arrow in the Go button; the advanced search pop-up window appears

• In the Keywords field, specify a keyword to search for. You can specify up to four keywords. If you leave this empty, a general search will be performed

• In the Safe field, specify the name of a Safe to search. If you don’t specify a Safe, the search will be carried out in all the Safes in the Vault that you are authorized to access

• Select the type of account to search for

• Click Search; the advanced search is carried out

Page 7: Cyberark End User Training Presentation

Advanced Search

• The PVWA displays all the accounts that meet the specified criteria in the Accounts Results list. After a search that finds Service Accounts, the Service Accounts themselves are displayed in the search results, but not the master account

• At the bottom of the list of accounts, you can see the number of accounts that met the search criteria, and the number of pages in the list

• Click a column heading to reorganize the displayed accounts according to that column

• Browse through the pages in the list to view additional accounts

Page 8: Cyberark End User Training Presentation

Advanced Search – Deleted Accounts

• In the Accounts list, click the drop-down arrow in the Go button; the advanced search pop-up window appears

• In the Keywords field, specify a keyword to search for. You can specify up to four keywords. If you leave this empty, a general search will be performed.

• In the Safe field, specify the name of a Safe to search. If you don’t specify a Safe, the search will be carried out in all the Safes in the Vault that you are authorized to access.

• Select Search Deleted Accounts, then click Search; an advanced search for deleted accounts is carried out, and a list of accounts that meets the specified criteria is displayed.

Page 9: Cyberark End User Training Presentation

Accessing Account Passwords

• The Accounts page displays your accounts in a set of views that you can display, sort, and access quickly and easily.

• These multiple views enable you to display accounts according to predefined criteria, based on account and operation status.

• You can also define customized views according to your own requirements and save them, so that you can display search results in one quick step.

• You can perform a variety of management tasks in each list of accounts, depending on your own permissions for accessing these accounts.

• These different views, available at your fingertips, and the ability to manipulate entire lists, combined with the multiple actions that you can initiate on the same page increase usability and streamline account management, making it intuitive and efficient.

Page 10: Cyberark End User Training Presentation

Accessing Account Passwords

Page 11: Cyberark End User Training Presentation

Specifying a Reason for Accessing Passwords

• In the PVWA, click Show, Copy, or Connect to access the account; the password retrieval window appears and displays the reason edit box

• Users can specify a reason in their own words or choose from a predetermined list if one is defined

• Click OK; the PVWA will now retrieve the password, and the reason you specified or selected will be stored in the audit log

Page 12: Cyberark End User Training Presentation

Account Check-Out & Check-In

• Security requirements demand full identification and monitoring of users who access privileged accounts during any given period. In addition, to guarantee accountability, any user who uses a Cyberark account must be the only one to do so. (EDIT NOTE: This particular solution was configured for account “Exclusive Use”)

• The Password Vault enables users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, he/she checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password.

• If the password is designated as “one-time use only”, CPM will automatically change its value before unlocking it and making it available to other users.

• Passwords that are not released immediately by the user can be released automatically after a predetermined period of time.

• Exclusive password check-in and check-out can be configured for individual accounts as well as for account groups.

Page 13: Cyberark End User Training Presentation

Viewing Checked-Out Accounts

• You can check for accounts that have been checked-out by other users in the Safes where you are an owner.

• In the Accounts list, display any list of accounts; all the locked accounts are marked with the Locked account icon.

Page 14: Cyberark End User Training Presentation

Releasing Exclusive Accounts

After retrieving an exclusive account, you can manually release it through the Password Vault Web Access or CPM will release it automatically after the period of time specified in the platform.

Authorized users can release accounts in any of the following pages:

• Locked Accounts

• Account Details

• Edit Account

Page 15: Cyberark End User Training Presentation

Releasing Exclusive Accounts

The locked account cannot be changed until it has been released, so while it is locked, the Save buttons are disabled. As soon as the account is released, the Save button is enabled, and the password and account properties can be changed.

If the platform attached to this account is configured to change passwords after they have been used, the password in this account will be changed by the CPM and then the account will be released.

Page 16: Cyberark End User Training Presentation

Viewing Passwords

• In the Accounts list, click the Show password icon in the line of the account to view; the password in the account line is displayed for a predetermined number of seconds.

OR

• In the Accounts list, click the account to view; the Account Details window appears. In the Password pane, the password appears as a series of asterisks.

• Click Show; the asterisks are replaced by the password for a predetermined number of seconds.

Page 17: Cyberark End User Training Presentation

Copying Passwords

• In the Accounts List, in the record of the account whose password you wish to copy, click the Copy password icon

OR

• In the Account Details window, click Copy

Page 18: Cyberark End User Training Presentation

Connecting through PSM Secure Connect

• Users can connect to any machine they have access to through PSM using any account, including those that are not managed in the Cyberark Vault.

• All secure connect sessions benefit from the standard PSM features, including session recording, command level auditing, and standard audit records.

• Authorized users can monitor live sessions in real time, assume control, and terminate them when necessary.

• In the Secure Connect page, users select a client that enables them to log onto the remote device.

• Then they specify the address of the remote machine, and the user name and password that are required to log on, but which are not managed in the Vault. The system list is cached for ease of access.

Page 19: Cyberark End User Training Presentation

Connecting through PSM Secure Connect

• In the Accounts List, click Secure Connect; the Secure Connect page appears.

• From the Client drop-down list, select the Secure Connect client to use to connect to the remote machine; the information that is required for each client is displayed. The following example shows the Secure Connect page for the RDP client.

• Specify the information that is required to create a secure connection to the remote machine. The following table lists the information that can be specified, as well as additional information for specific clients.

Page 20: Cyberark End User Training Presentation

Connecting through PSM Secure Connect

• Click Connect; the following window appears

• Click Connect; the remote connection is made through the PSM and the secure connect session begins

Page 21: Cyberark End User Training Presentation

Connecting Transparently to Remote Devices

• Regardless of the privileged SSO method that is implemented, users can transparently log on to target applications and systems from the PVWA interface.

• If more than one connection component has been configured for the platform that this account is associated with, you can select the connection component to use.

Page 22: Cyberark End User Training Presentation

Connecting Transparently to Remote Devices

• Display the Accounts Details page of the account to use to log onto the remote device.

• If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

• Click Connect.

Page 23: Cyberark End User Training Presentation

Accessing the Connection Window (Direct Access to Target Systems)

• Users can directly access the Connect window used to log onto a remote device through a direct URL or a desktop shortcut.

• If a reason for access, a ticketing system, or dual control is enforced for the account, the relevant window will appear for the user to provide the required information. After the user has provided the correct information or has received authorization to access the account specified in the direct line, the Connection window will appear.

• If a browser blocks pop-ups in the PVWA, enable the pop-up to display the Connect window.

Page 24: Cyberark End User Training Presentation

Accessing the Connection Window (Direct Access to Target Systems)

• Display the Account Details page for the account to use to connect to the remote terminal

• Click Copy Shortcut; the PVWA creates a link that includes the transparent connection component that is displayed and copies it to the Connection window

• On the desktop, create a new shortcut. When you are asked for the location of the shortcut item, paste the copied link into the edit box

Page 25: Cyberark End User Training Presentation

Account Check-Out for Windows

To show a specific account’s password, select the first icon towards the right hand portion of the screen.

Page 26: Cyberark End User Training Presentation

Account Check-Out for Windows

You will then see the following dialogue

Page 27: Cyberark End User Training Presentation

Account Check-Out for Windows

To copy a password to your clipboard, select the next icon over.

Page 28: Cyberark End User Training Presentation

Account Check-Out for Windows

If the account is a domain account, select the magnifying glass to resolve the Logon To field then specify the remote machine address you wish to connect to.

Page 29: Cyberark End User Training Presentation

Account Check-Out for Windows

Click connect.

Page 30: Cyberark End User Training Presentation

Account Check-Out for UN*X

To show a specific account’s password, select the first icon towards the right hand portion of the screen.

Page 31: Cyberark End User Training Presentation

Account Check-Out for UN*X

You will then see the following dialogue

Page 32: Cyberark End User Training Presentation

Account Check-Out for UN*X

To copy a password to your clipboard, select the next icon over.

Page 33: Cyberark End User Training Presentation

Account Check-Out for UN*X

If the account is a domain account, select the magnifying glass to resolve the Logon To field then specify the remote machine address you wish to connect to.

Page 34: Cyberark End User Training Presentation

Account Check-Out for UN*X

Click connect.

Page 35: Cyberark End User Training Presentation

Account Check-Out for UN*X

Verify the server’s host key

Page 36: Cyberark End User Training Presentation

Account Check-Out for UN*X

And after a short execution sequence, you will be automatically logged in as root.

Page 37: Cyberark End User Training Presentation

Using the Privileged Management SSH Proxy (PSMP) directly from Unix terminal.

Use the modified ssh connect string to directly ssh to a Unix machine via the PSMP proxy server:

[Vault Username]@[Target account]@[Target address]@[PSMP address]

Page 38: Cyberark End User Training Presentation

Using the Privileged Management SSH Proxy (PSMP) directly from Unix terminal.

Enter your (VaultUser) LDAP password.

Page 39: Cyberark End User Training Presentation

Using the Privileged Management SSH Proxy (PSMP) directly from Unix terminal.

And after a short execution sequence, you will be automatically logged in as root.
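The PSMP connect string from the slides above, as an added shell example that is not part of the original presentation. The function names are hypothetical and the user, account, address and PSMP host in the usage comment are constructed placeholders; it assumes an OpenSSH client, which treats the text after the last '@' as the host to contact.

```shell
#!/bin/sh
# Added example: names and sample values are placeholders, not from the deck.

# Build "[Vault Username]@[Target account]@[Target address]@[PSMP address]".
psmp_target() {
    if [ "$#" -ne 4 ]; then
        echo "usage: psmp_target VAULT_USER TARGET_ACCOUNT TARGET_ADDR PSMP_ADDR" >&2
        return 2
    fi
    for part in "$@"; do
        case "$part" in
            "")
                echo "psmp_target: empty component" >&2; return 1 ;;
            -*)
                # ssh would read a string starting with '-' as an option;
                # reject it in any field.
                echo "psmp_target: component starts with '-': $part" >&2; return 1 ;;
            *@*|*[[:space:]]*)
                # '@' is the field separator; an embedded one shifts every field.
                echo "psmp_target: '@' or whitespace in component: $part" >&2; return 1 ;;
        esac
    done
    printf '%s@%s@%s@%s\n' "$1" "$2" "$3" "$4"
}

# Host that ssh will actually contact: the text after the last '@'.
psmp_endpoint() {
    printf '%s\n' "${1##*@}"
}

# Open the session. StrictHostKeyChecking=ask keeps the host key prompt,
# so an unknown PSMP key is shown for verification instead of being
# accepted silently by a permissive local ssh configuration.
psmp_ssh() {
    target=$(psmp_target "$@") || return
    echo "connecting to PSMP host: $(psmp_endpoint "$target")" >&2
    ssh -o StrictHostKeyChecking=ask "$target"
}

# Usage (constructed values):
#   psmp_ssh jdoe root 10.0.0.5 psmp.example.com
```

The host key shown at the prompt belongs to the PSMP address, since that is the only host the ssh client connects to directly.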

Page 40: Cyberark End User Training Presentation