05 PAM ADMIN Accounts pt1

The document discusses account administration in CyberArk's Privileged Access Management solution. It covers adding an account, the different components involved, and how the Central Policy Manager performs password verification, change, and reconciliation operations.

Uploaded by Maheshbabu

PAM Administration

Accounts – Part 1

© 2023 CyberArk Software Ltd. All rights reserved


Agenda

By the end of this session, you will be able to:

1. Add an Account via the PVWA
2. Understand the different password management operations


Overview


Policies, Platforms, Safes, and Accounts

1. Review/Edit Master Policy
   • Business/audit rules for managing passwords
   • Global policy settings
2. Create Platforms
   • Technical settings for managing passwords and connecting to target systems
   • Basis for exceptions
3. Add exceptions to Master Policy based on Platforms
   • Exceptions to Master Policy rules
4. Create Safes
   • Access control
5. Add Accounts
   • Individual objects containing the required information (address, username, password, etc.) to manage privileged accounts


Accounts

Accounts – The actual privileged account IDs and passwords
• Stored in Safes
• Examples include:
  ⎼ Domain administrators
  ⎼ Local administrators
  ⎼ Root accounts
  ⎼ Service accounts
  ⎼ And more
• Every account resides in a single Safe
• Every account is associated with a single Target Account Platform


Add An Account


Add A New Linux Account

Master Policy
• Change passwords every 60 days

Platform: LIN SSH 30
• Password length should be 10 characters long
• Master Policy Exception: Change password every 30 days

Safe: Lin-Fin-US
• Members of the “LinuxAdmins” Team group will have “Use and list” permissions

Account:
• Username: logon01
• Password: ******
• Address: target-lin.acme.corp


Accounts View – Add a Linux Account


What Just Happened?

So, we have “created” an account. But what does that mean? Did we create a new account called “logon01” on that target system?

No. All we have done is register information in the CyberArk PAM database about an account named logon01.


Account Management Operations

In this section we will discuss the account management operations performed by the CPM.


Password Management is Performed By the CPM

The CPM manages passwords and SSH keys on devices based on the policies set by Vault Administrators.

[Figure: Policy, Central Policy Manager and IT Environment; sample passwords shown: y7qeF$1, Im7yT%w, Tojsd$5fh, gviNa9%, X5$aq+p]

System     User            Pass
Unix       root            tops3cr3t
Oracle     SYS             tops3cr3t
Windows    Administrator   tops3cr3t
z/OS       DB2ADMIN        tops3cr3t
Cisco      enable          tops3cr3t


Password Management Overview
There are three actions performed by the CPM in order to manage privileged accounts:

1. Password Verification: Confirms the password stored in the Vault matches the password on the target system
2. Password Change: Changes the password automatically based upon an expiration period or by user intervention
3. Reconciliation of unknown or lost passwords: Process used when the password stored in the Vault does not match the target system

[Figure: Central Policy Manager and IT Environment]


Verifying the Account


Verify Process

Participants: Vault, CPM, Target

1. CPM → Vault: Scan Vault for Account
2. Vault → CPM: Account Info & Current Passwords
3. CPM → Target: Login using current credentials
4. Target → CPM: Success or failure
5. CPM → Vault: Notify the Vault


Completed Verification


Password Change


Confirm Change


Pending Change


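Change Process

Participants: Vault, CPM, Target

1. CPM → Vault: Scan Vault for Account
2. Vault → CPM: Account Info & Current Passwords
3. CPM → Target: Login using current credentials
4. Target → CPM: Success or failure
5. CPM → Target: Connect & run change password (CPM: Generate Password)
6. Target → CPM: Success or failure
7. CPM → Target: Login using new credentials
8. Target → CPM: Success or failure
9. CPM → Vault: Store new credentials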
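
The verify and change sequences above, as an added example (not CyberArk code and not part of the original slides): a simulation using a constructed in-memory Vault dict and a hypothetical Target class, showing that the Vault copy is replaced only after a login with the new password succeeds. The last verify in demo() produces the Vault/target mismatch that the reconciliation operation exists to handle.

```python
import secrets
import string
# Constructed stand-ins for illustration; none of these names are CyberArk APIs.
class Target:
    def __init__(self, user, password, locked=False):
        self.creds = {user: password}
        self.locked = locked  # simulates a target that rejects the change
    def login(self, user, password):
        return self.creds.get(user) == password
    def change_password(self, user, old, new):
        if self.locked or not self.login(user, old):
            return False
        self.creds[user] = new
        return True

def generate_password(length=10):
    # Length 10 follows the platform setting on the "Add A New Linux Account" slide.
    alphabet = string.ascii_letters + string.digits + "$%+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def verify(vault, target, user):
    """Verify: log in with the stored password, then notify the Vault."""
    ok = target.login(user, vault[user]["password"])
    vault[user]["status"] = "verified" if ok else "verify failed"
    return ok

def change(vault, target, user, length=10):
    """Change: every step must succeed before the Vault copy is replaced."""
    current = vault[user]["password"]
    if not target.login(user, current):
        vault[user]["status"] = "change failed: current login"
        return False
    new = generate_password(length)
    if not target.change_password(user, current, new):
        vault[user]["status"] = "change failed: target rejected"
        return False
    if not target.login(user, new):
        vault[user]["status"] = "change failed: new login"
        return False
    vault[user]["password"] = new  # stored only after the new login works
    vault[user]["status"] = "changed"
    return True

def demo():
    vault = {"logon01": {"password": "Old-Pass01", "status": "new"}}  # constructed
    target = Target("logon01", "Old-Pass01")
    results = [verify(vault, target, "logon01"), change(vault, target, "logon01"), verify(vault, target, "logon01")]
    target.creds["logon01"] = "changed-out-of-band"  # Vault and target drift apart
    return results + [verify(vault, target, "logon01")], vault["logon01"]["status"]
print(demo())
```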


Completed Change


Summary


In this session we discussed:

• What accounts are
• How to add an account to CyberArk PAM via the PVWA
• The different password management operations


Additional Resources

Documentation
Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials

You may now complete the following exercises:
Securing Windows Domain Accounts
• Account Management
  ⎼ Add the reconcile account
  ⎼ Add the accounts discovery account
Securing Unix SSH Accounts
Securing Oracle Database Accounts
