Privileged Access Management - Information Technology

Project Overview

Privileged Access Management (PAM) refers to a comprehensive cybersecurity strategy designed to control, monitor, secure, and audit all human and non-human privileged identities and activities across an enterprise IT environment in an effort to protect and record use of systems administrator accounts. It involves people, processes, and technology.

Privileged access allows organizations to secure their infrastructure and applications, run business efficiently, and maintain the confidentiality of sensitive data and critical infrastructure core.

Generally speaking, there are three main objectives for managing privileged access:

To comply with regulations and security frameworks by addressing their requirements.
To protect the organization by ensuring that the threat of privileged access abuse and misuse is mitigated.
To enable the business to run faster by streamlining the assignment and delegation of the minimum privileged access required to individuals within the organization.

PAM Project Milestones

What does this mean for WashU?

Server administrators: For WashU IT managed servers, administration and remote connections will move to a new secondary account that will be sent to individual users. Soon after, the WUSTL Key will no longer be used for server administrator access.

Former PMGuard users: WashU IT will migrate its Identity Access Management (IAM) security tool from PMGuard to CyberArk and retire PMGuard once the migration is complete.

The migration will occur at folder-access level, and account access will not be migrated. Users with current account access that are not given folder access by April 7 will lose access to objects and will have to request access again after the migration.
Instructions for how to add team members to folders in PM Guard (Word) are available.

What is CyberArk?

CyberArk is a leader in privileged access solutions. CyberArk patented vault technology over 22 years ago and offers a wide variety of credentials management with flexible automatic password rotation. The University has established the use of CyberArk as another security layer to maintain security and confidentiality on University systems.

CyberArk Resources

Video tutorials are available to help you navigate the CyberArk Interface.

CyberArk Video Tutorials

Other Useful Resources

How to Get Credential Using PowerShell (pdf)
How to Set up Microsoft Remote Desktop client for MacOS (pdf)
How to Set up Remote Desktop Connection Manager (pdf)
How to Modify a RDP Flat File (pdf)
How to Connect to Linux Servers using SSH (pdf)

CyberArk FAQ

For server administrators

What is my P_ Account?

Your secondary privileged account, or “P_” as WashU IT commonly refers to it as, will be used to remote into WashU IT Servers.

Your “P_” account should already be created for you, and the account name should be the same as your WUSTLKey with the prefix “P_”.

Example:

WUSTLKey: billywest

P_ Account: p_billywest

Note: If your WUSTLKey exceeds 18 characters in length, it will be shortened down to 18 characters as there is a 20 character maximum.

New Profile/Home Directory

Because the “P_” account is a new account, your system profile/home directory will be empty. Rest assured, any files that you may have had under your WUSTLKey are still on the system, but you will need to navigate to that directory to access the files.

Red Hat:

/home/<WUSTLKey>

Windows:

C:\Users\<WUSTLKey>

Local Server Permissions

The only permission that has been added to your system for your new “P_” account is being an Administrator with the ability to remote into the system. Any additional permissions needed by your application/service/etc. will need to be added by you.

File Shares

Your new “P_” account does not by default have access to the same files shares as your WUSTLKey does. If you want your “P_” account to have access, you will have to perform that task if you are able to, or request it through your normal request process. Any existing permissions for your WUSTLKeys were not changed.

User-based GPO Settings

Your new “P_” account does not have any user-based GPO settings being applied to them. If you were used to having a setting applied, please use the support link to contact WashU IT regarding those settings.

Microsoft RDP Client for MacOS

Additional steps are needed for using the MacOS RDP client

open a terminal and run the following command:
`defaults write com.microsoft.rdc.macos ClientSettings.EnforceCredSSPSupport 0`
Restart the system

For any other questions, contact the project team.