51 Security

Learning, Sharing, Creating

CyberArk

Devolutions RDM CyberArk Integration

Bynetsec

Feb 28, 2024

The purpose of the CyberArk Dashboard entry is to provide Remote Desktop Manager users with an interface that eliminates the need to use Password Vault Web Access (PVWA) to see the list of safes and credentials that the currently logged on user has access to. Combined with password-less scenarios and/or our rich role-based access control (RBAC), this means that a user does NOT need to know the CyberArk credentials to be presented with a list of accounts they have access to. Additionally, since the dashboard is meant to authenticate once to your server and, most importantly, maintain an active session for as long as it is active, it has the significant advantage of only requiring MFA once when you launch the dashboard.


Another design principle of the dashboard is that its main usage model is to go through the CyberArk Privileged Session Manager (PSM) to reach assets. This means that Remote Desktop Manager does NOT need to read the password for the account to be used. Less secure models are available to support older scenarios that some of our customers are still using.

How it is working


How it is working for Devolutions RDM integrating with CyberArk PAM solution:


Account brokering inserts credentials on the back end (by integrating with the privileged account management solution), which means that end-users never see credentials in the first place. However, they can still access the necessary accounts to complete their day-to-day work. Not only is this much more secure, but it is highly efficient as well. End users get their work done, and SysAdmins do not have to deal with numerous access-related requests. In addition, all actions performed in Remote Desktop Manager can be logged and reported for auditing and compliance purposes.

Below is an example diagram demonstrating how Remote Desktop Manager integrates with CyberArk’s PAM Solution

diagram

  1. The end-user attempts to access a privileged remote connection through RDM.
  2. RDM confirms that the end user’s certificate is valid.
  3. RDM connects to CyberArk and requests the necessary credentials.
  4. CyberArk accepts the request and sends the credentials to RDM.
  5. The credentials are used to grant the end-user access, so they can complete their work-related task.

At no point in this process does the end-user see the credentials!


 

Basic Devolutions RDM Operation

1. Add new data source

SQLite is local light DB usually for personal usage. 
SQLite db will be saved to folder at C:\Users\Netsec\Appdata\Local\Devolutions\RemoteDesktopManager

2. Add License

3. Two Licenses

  • One for RDM’s enterprise version license
  • Second is for CyberArk Dashboard Integration License

Create PSM Integration

This is to use PSM /u /a /c string to create a session using PSM to connect to remote. 

192.168.2.25 is PSM server ip address.



Here is the magic string:


You will not need to grant following settings:
On the PSM server, no need to allow domain users to log on through RDS:


Devolutions RDM CyberArk Dashboard

 

Once you added the license, the hidden entey template for CyberArk will be available.

1. Select CyberArk Template

Session templates – CyberArk Dashboard 

Credential Mgmt Template

2. Use CyberArk Dashboard Template

Enter https://51sec.cyberark.cloud/privilegecloud as Web Services URL. 
Choose SAML as authentication mode

for self-hosted environment:
virtual directory will need to have / at the front

3. Advanced Settings

Override screen size for better embedding experience

No need to use PSM as connection

Synchronizer

 

Create a new entry for Synchronizer

GitHub Project for PSM Template

Steps

  1. Install RDM from Devolutions
  2. Start RDM and log in (either with a free account or an enterprise account)
  3. Import the template from this repo
  4. Create a folder if you want to group connections
  5. Add entry -> Add from template
  6. Select the template you imported in step 3 and replace information thats within brackets <>, including the brackets

The target account is defined as username@address, where the fields corrosponds with the fields in CyberArk.

New Template / Import Template

PSM-SSH or Other Remote APP

 

To get PSM-SSH session embedded into RDM Client, you will need to DisableRemoteApp function for the connector. Else, you will have to use “Open external” session. 

If DisableRemoteApp is not set to Yes, and not checked with option “Open externally”, PSM-SSH session will be automatically closed. 

Edit Entries In Batch

 

$connection.ConnectUsingDashboardOnDoubleClick = “True”;$RDM.Save();

Video

 

By netsec

Related Post

CyberArk

Upgrade CyberArk PAM Connector Components (CPM & PSM) for Privilege Cloud

Mar 10, 2024 netsec
CyberArk

CyberArk Remote Access – Vendor PAM ( Previously Alero)

Mar 10, 2024 netsec
CyberArk

Install / Update Browser Installed on PSM Server and Configure Azure Portal Connector for Platform

Mar 10, 2024 netsec

Leave a Reply