Project Overview
Privileged Access Management (PAM) is a comprehensive cybersecurity strategy for controlling, monitoring, securing, and auditing all human and non-human privileged identities and activities across an enterprise IT environment, so that the use of systems administrator accounts is both protected and recorded. It involves people, processes, and technology.
Managing privileged access allows organizations to secure their infrastructure and applications, run the business efficiently, and maintain the confidentiality of sensitive data and critical infrastructure.
Generally speaking, there are three main objectives for managing privileged access:
- To comply with regulations and security frameworks by addressing their requirements.
- To protect the organization by ensuring that the threat of privileged access abuse and misuse is mitigated.
- To enable the business to run faster by streamlining the assignment and delegation of the minimum privileged access required to individuals within the organization.
What does this mean for WashU?
Server administrators: For WashU IT managed servers, administration and remote connections will move to a new secondary account that will be sent to individual users. Soon after, the WUSTL Key will no longer be used for server administrator access.
Former PMGuard users: WashU IT will migrate its Identity Access Management (IAM) security tool from PMGuard to CyberArk and retire PMGuard once the migration is complete.
- The migration will occur at the folder-access level; account-level access will not be migrated. Users with current account access who are not given folder access by April 7 will lose access to those objects and will have to request access again after the migration.
- Instructions for how to add team members to folders in PMGuard (Word) are available.
What is CyberArk?
CyberArk is a leader in privileged access solutions. CyberArk patented its vault technology over 22 years ago and offers a wide variety of credential management features with flexible automatic password rotation. The University has adopted CyberArk as an additional security layer to maintain the security and confidentiality of University systems.
CyberArk Resources
Video tutorials are available to help you navigate the CyberArk Interface.
Other Useful Resources
- How to Get Credential Using PowerShell (pdf)
- How to Set up Microsoft Remote Desktop client for MacOS (pdf)
- How to Set up Remote Desktop Connection Manager (pdf)
- How to Modify a RDP Flat File (pdf)
- How to Connect to Linux Servers using SSH (pdf)
CyberArk FAQ
For server administrators
Your secondary privileged account, or “P_” account as WashU IT commonly calls it, will be used to remote into WashU IT servers.
Your “P_” account should already have been created for you; the account name is your WUSTLKey with the prefix “P_”.
Example:
WUSTLKey: billywest
P_ Account: p_billywest
Note: If your WUSTLKey exceeds 18 characters in length, it will be shortened to its first 18 characters, because the “P_” prefix plus the key must fit within the 20-character account-name maximum.
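As an added example (not WashU IT's code), the helper below applies the naming rule above to derive a “P_” account name from a WUSTLKey and, when mapping many keys at once, reports keys that collide because they share the same first 18 characters. The input normalization (trim and lowercase) is an assumption based on the `billywest` example.

```python
# Added example, not part of the original page: derive "P_" account names
# from WUSTLKeys using the stated rule (2-char prefix + up to 18 key chars,
# 20-char maximum) and detect collisions introduced by truncation.
MAX_KEY_LEN = 18       # portion of the WUSTLKey that survives truncation
MAX_ACCOUNT_LEN = 20   # "p_" + 18 = 20-character account-name limit


def p_account_name(wustlkey: str) -> str:
    """Return the p_ account name for a WUSTLKey, truncating to 18 chars.

    Assumption: account names are lowercase and surrounding whitespace
    is not part of the key.
    """
    key = wustlkey.strip().lower()
    if not key:
        raise ValueError("WUSTLKey must not be empty")
    name = "p_" + key[:MAX_KEY_LEN]
    assert len(name) <= MAX_ACCOUNT_LEN
    return name


def was_truncated(wustlkey: str) -> bool:
    """True if the key is longer than the 18 characters that are kept."""
    return len(wustlkey.strip()) > MAX_KEY_LEN


def map_accounts(keys):
    """Map each WUSTLKey to its p_ name and collect truncation collisions.

    Returns (mapping, collisions): mapping is {p_name: [keys...]};
    collisions holds only the p_ names claimed by more than one key,
    which an administrator should resolve before updating ACLs.
    """
    mapping = {}
    for key in keys:
        mapping.setdefault(p_account_name(key), []).append(key)
    collisions = {name: ks for name, ks in mapping.items() if len(ks) > 1}
    return mapping, collisions


if __name__ == "__main__":
    # Constructed sample keys; the last two share their first 18 characters.
    sample = ["billywest", "abcdefghijklmnopqrstu", "abcdefghijklmnopqrsxyz"]
    mapping, collisions = map_accounts(sample)
    for name, ks in mapping.items():
        print(name, "<-", ks)
    print("collisions:", collisions)
```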
Because the “P_” account is a new account, your system profile/home directory will be empty. Rest assured, any files that you may have had under your WUSTLKey are still on the system, but you will need to navigate to that directory to access them:
- Red Hat: `/home/<WUSTLKey>`
- Windows: `C:\Users\<WUSTLKey>`
The only permission added to your system for your new “P_” account is administrator rights with the ability to remote into the system. Any additional permissions needed by your application, service, etc. will need to be added by you.
Your new “P_” account does not by default have access to the same file shares as your WUSTLKey does. If you want your “P_” account to have access, you will have to grant it yourself if you are able to, or request it through your normal request process. Any existing permissions for your WUSTLKey were not changed.
Your new “P_” account does not have any user-based GPO settings applied to it. If you were used to having a setting applied, please use the support link to contact WashU IT regarding those settings.
Additional steps are needed for using the MacOS RDP client
- Open a terminal and run the following command:
`defaults write com.microsoft.rdc.macos ClientSettings.EnforceCredSSPSupport 0`
- Restart the system.
Can I access CyberArk off campus?
To access CyberArk off campus, use the VPN and Duo 2FA.
For issues with Duo 2FA, visit the WashU Two-Factor Authentication page.
CyberArk login troubleshooting
A video tutorial for Logging Into CyberArk is available.
Authentication Error – no spinning circle
Verify WUSTL Key and password…
CyberArk Remote Connection Troubleshooting
A video tutorial for Using CyberArk to Connect for Remote Access to Servers is available.
“Session has been closed” error…
How can I access training videos for CyberArk?
Short video tutorials are available for CyberArk users to learn more about logging in, password storage, and remote connection through CyberArk’s web interface…
How can I get access or permissions to a CyberArk safe or account?
If you do not see a safe or account you need, or lack appropriate access to complete your work, submit a ServiceNow request…
How do I get CyberArk access?
For CyberArk access, you must first submit a ServiceNow request for CyberArk web access. Once access is granted, both you and your manager…
How do I know if my system requires CyberArk?
CyberArk is intended to protect accounts (usernames and passwords) that have access to create or destroy something that could have negative impact to the University…
How do I manage or change passwords stored in CyberArk?
A video tutorial for Using CyberArk for Password Storage is available.
To Change a Stored Password…
How do I use CyberArk’s web interface for remote connection?
For instructions on using CyberArk’s web interface for remote connection, a video tutorial for Using CyberArk to Connect for Remote Access to Servers is available…
For any other questions, contact the project team.