Project Overview

Privileged Access Management (PAM) refers to a comprehensive cybersecurity strategy designed to control, monitor, secure, and audit all human and non-human privileged identities and activities across an enterprise IT environment in an effort to protect and record use of systems administrator accounts. It involves people, processes, and technology.

Privileged access allows organizations to secure their infrastructure and applications, run business efficiently, and maintain the confidentiality of sensitive data and critical infrastructure core.

Generally speaking, there are three main objectives for managing privileged access:

  • To comply with regulations and security frameworks by addressing their requirements.
  • To protect the organization by ensuring that the threat of privileged access abuse and misuse is mitigated.
  • To enable the business to run faster by streamlining the assignment and delegation of the minimum privileged access required to individuals within the organization.

What does this mean for WashU?

Server administrators: For WashU IT managed servers, administration and remote connections will move to a new secondary account that will be sent to individual users. Soon after, the WUSTL Key will no longer be used for server administrator access.

Former PMGuard users: WashU IT will migrate its Identity Access Management (IAM) security tool from PMGuard to CyberArk and retire PMGuard once the migration is complete.

  • The migration will occur at folder-access level, and account access will not be migrated. Users with current account access that are not given folder access by April 7 will lose access to objects and will have to request access again after the migration.
  • Instructions for how to add team members to folders in PM Guard (Word) are available.

What is CyberArk?

CyberArk is a leader in privileged access solutions. CyberArk patented vault technology over 22 years ago and offers a wide variety of credentials management with flexible automatic password rotation. The University has established the use of CyberArk as another security layer to maintain security and confidentiality on University systems. 

CyberArk Resources

Video tutorials are available to help you navigate the CyberArk Interface.

Other Useful Resources

CyberArk FAQ

For server administrators

What is my P_ Account?

Your secondary privileged account, or “P_” as WashU IT commonly refers to it as, will be used to remote into WashU IT Servers.  
 
Your “P_” account should already be created for you, and the account name should be the same as your WUSTLKey with the prefix “P_”. 

Example:  

WUSTLKey:     billywest 

P_ Account:    p_billywest 

Note: If your WUSTLKey exceeds 18 characters in length, it will be shortened down to 18 characters as there is a 20 character maximum. 

New Profile/Home Directory 

Because the “P_” account is a new account, your system profile/home directory will be empty. Rest assured, any files that you may have had under your WUSTLKey are still on the system, but you will need to navigate to that directory to access the files. 

Red Hat:  

/home/<WUSTLKey> 

Windows:  

C:\Users\<WUSTLKey> 

Local Server Permissions 

The only permission that has been added to your system for your new “P_” account is being an Administrator with the ability to remote into the system. Any additional permissions needed by your application/service/etc. will need to be added by you. 

File Shares

Your new “P_” account does not by default have access to the same files shares as your WUSTLKey does. If you want your “P_” account to have access, you will have to perform that task if you are able to, or request it through your normal request process. Any existing permissions for your WUSTLKeys were not changed. 

User-based GPO Settings

Your new “P_” account does not have any user-based GPO settings being applied to them. If you were used to having a setting applied, please use the support link to contact WashU IT regarding those settings. 

Microsoft RDP Client for MacOS

Additional steps are needed for using the MacOS RDP client 

open a terminal and run the following command:  
`defaults write com.microsoft.rdc.macos ClientSettings.EnforceCredSSPSupport 0` 
Restart the system 

Default image

Can I access CyberArk off campus?

To access CyberArk off campus, use the VPN and Duo 2FA.

For issues with Duo 2FA, visit the WashU Two-Factor Authentication page.

Default image

CyberArk login troubleshooting

A video tutorial for Logging Into CyberArk is available.

Authentication Error – no spinning circle
Verify WUSTL Key and password…

Default image

CyberArk Remote Connection Troubleshooting

A video tutorial for Using CyberArk to Connect for Remote Access to Servers is available.

“Session has been closed” error…

Default image

How can I access training videos for CyberArk?

Short video tutorials are available for CyberArk users to learn more about logging in, password storage, and remote connection through CyberArk’s web interface…

Default image

How can I get access or permissions to a CyberArk safe or account?

If you do not see a safe or account you need, or lack appropriate access to complete your work, submit a ServiceNow request…

Default image

How do I get CyberArk access?

For CyberArk access, you must first submit a ServiceNow request for CyberArk web access. Once access is granted, both you and your manager…

Default image

How do I know if my system requires CyberArk?

CyberArk is intended to protect accounts (usernames and passwords) that have access to create or destroy something that could have negative impact to the University…

Default image

How do I manage or change passwords stored in CyberArk?

A video tutorial for Using CyberArk for Password Storage is available.

To Change a Stored Password…

Default image

How do I use CyberArk’s web interface for remote connection?

For instructions on using CyberArk’s web interface for remote connection, a video tutorial for Using CyberArk to Connect for Remote Access to Servers is available…

For any other questions, contact the project team.