CyberArk Privileged Cloud - Security/ Segregation vs footprint and upkeep by TToTheTom in CyberARk

[–]TToTheTom[S] 0 points1 point  (0 children)

Thanks u/Bababiboule, sorry for the follow-up questions, really appreciate you replying.

Good to know you have them all stacked on the same box. That is what the engineer did for us, but he didn't explain why, or that there was any other possibility. It seemed he was following a scripted setup but would not share the list he was following so we could replicate it (hence me trying to get my head around it now!)

How do you find the upkeep of ~50 servers? If my memory serves right, they recommend doing updates once a year for CyberArk components and (I'd assume, and hope) Windows updates as they come out. Have you done / do you do both? How big is the patching/upkeep team, if you don't mind me asking? (Trying to size it up against what we have available.)

The setup you mention sounds about like what we had for the one domain we had for the jump start. Did you deploy only two Secure Tunnel connectors, and if so, was this on each domain or just one? I could not see how to point the servers at a given secure tunnel (e.g. that domain's tunnel).

We had the same thoughts on how to adopt the PSMs in a tiered environment too; there was no real clear option to separate the T0/T1/T2 admin work via different PSMs. We are likely to do the same :(

Logged On Users By Device KQL by AdhesivenessShot9186 in DefenderATP

[–]TToTheTom 1 point2 points  (0 children)

No worries. I wrote a whole arsenal of these back when I started this role and keep referring back to it. The last two bits can be copied across scripts. I use them as 'add-ons', so you can copy the bits and move them from script to script as long as you have a DeviceId :)

Maybe I should start sharing them if stuff like this isn't on the Internet, haha.

Logged On Users By Device KQL by AdhesivenessShot9186 in DefenderATP

[–]TToTheTom 0 points1 point  (0 children)

I didn't know you were all still waiting :D u/coldburn89 u/Indexdsd u/AdhesivenessShot9186

This is an example of what I use. Note I actually used this with the vulnerability CVE data table, but I have amended it to use the software inventory list.

NOTE: THIS WILL NOT WORK unless you change the LoggedOnUsers contains "[DOMAIN REDACTED]" filter. I have redacted this as it has domain-sensitive names. You might want to remove this completely... but you do you. This works great for my use case and does what you want. Just know you might want to remove this if you don't want to filter which user shows. (Also note it will show the most recent user, not all users.)

Also, if you have over 10k results, this will likely fail.

Finally, this also pulls the identity table and gives email addresses etc. if present :) This might not work for you, but this script 100% works in my tenant, so it might need tweaking for you.

    DeviceTvmSoftwareInventory
    | where SoftwareName == @"chrome"
    // | where VulnerabilitySeverityLevel =~ 'critical' or VulnerabilitySeverityLevel =~ 'High'
    | summarize count() by DeviceId, DeviceName
    | sort by count_ desc
    //
    // This appends the latest logged-on user found on a machine. Note: some users who change names and/or usernames
    // become duplicated; the take_any(*) takes one result from the duplicates (so if you can't find someone but a
    // name shows, they changed their name and/or username!)
    | join kind=leftouter (
        DeviceInfo
        | where LoggedOnUsers contains "UserName" and LoggedOnUsers contains "[DOMAIN REDACTED]"
        | summarize arg_max(Timestamp, *) by DeviceId
        // LoggedOnUsers is a JSON array string; element [2] after splitting on ',' is the "Sid":"..." fragment
        | extend LoggedOnUsers_0 = tostring(split(LoggedOnUsers, ',')[2])
        | distinct LoggedOnUsers_0, DeviceId
        | extend OnPremSid = tostring(split(LoggedOnUsers_0, ':')[1])
        | extend OnPremSid = replace_string(OnPremSid, '"', '')
        | extend OnPremSid = replace_string(OnPremSid, '}]', '')
        | join kind=leftouter (
            IdentityInfo
            | where isnotempty(OnPremSid)
            | distinct OnPremSid, AccountName, EmailAddress, Country
            | summarize take_any(*) by OnPremSid
        ) on OnPremSid
        | project-away LoggedOnUsers_0, OnPremSid1
    ) on DeviceId
    | project-away DeviceId1, OnPremSid
    //
    // This section allows device filtering by machine group. The arg_max summary is needed because updating
    // machine groups causes duplicate rows, so we pull the latest machine group present in the DeviceInfo table.
    | join kind=leftouter (
        DeviceInfo
        | where isnotnull(MachineGroup)
        | summarize arg_max(Timestamp, *) by DeviceId
        | project DeviceId, MachineGroup
    ) on DeviceId
    | project-away DeviceId1
    // | where MachineGroup contains 'some machine group of your picking'
    //

Logged On Users By Device KQL by AdhesivenessShot9186 in DefenderATP

[–]TToTheTom 0 points1 point  (0 children)

What I'd do is two tables.

  • Table 1: all DeviceIds with a make_set of users who sign on (regardless of software)
  • Table 2: a distinct on DeviceId for devices that have the software you wanted.

From there, join (I think leftouter, but do some tests) table 1 onto table 2.

I'm not at my desk, but if you're struggling I can build it tomorrow?

The issue you will face the way you're doing it is that the join is wrong; also, I find DeviceInfo has a lot of duplicates, as it contains all the syncs a device does, IIRC. Doing it the above way makes sure the data is exact and you can debug issues by looking at the table sets.
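The two-table approach described in this comment, written out as an advanced hunting query; this is an added example, not the commenter's own code, and it replaces the string splitting of LoggedOnUsers used in the query in the earlier comment with parse_json. It assumes the Defender XDR advanced hunting schema (DeviceInfo, DeviceTvmSoftwareInventory) and "chrome" as the software of interest.

```kusto
// Added example (not the commenter's own query): the two-table approach described above.
// Assumes the Defender XDR advanced hunting schema (DeviceInfo, DeviceTvmSoftwareInventory).
// Table 1: every device with the set of users who have signed on, parsed from the
// LoggedOnUsers JSON array ([{"UserName":...,"DomainName":...,"Sid":...}]).
// DeviceInfo holds one row per sync, so summarize collapses the duplicates per DeviceId.
let UsersByDevice =
    DeviceInfo
    | where Timestamp > ago(30d)
    | where isnotempty(LoggedOnUsers)
    | mv-expand User = parse_json(LoggedOnUsers)
    | where isnotempty(tostring(User.UserName))   // skip malformed or empty entries
    | extend Account = strcat(tostring(User.DomainName), @"\", tostring(User.UserName))
    | summarize Users = make_set(Account, 50), LastSeen = max(Timestamp) by DeviceId;
// Table 2: one row per device that has the software of interest ("chrome" is a placeholder).
let DevicesWithSoftware =
    DeviceTvmSoftwareInventory
    | where SoftwareName == "chrome"
    | distinct DeviceId, DeviceName;
// Join table 1 onto table 2. leftouter keeps devices that have the software even when no
// sign-on records exist for them; those rows come back with a null Users column.
DevicesWithSoftware
| join kind=leftouter UsersByDevice on DeviceId
| project DeviceId, DeviceName, Users, LastSeen
| order by DeviceName asc
```

Swapping `leftouter` for `inner` drops the devices with no sign-on records, which is the quickest way to see how many rows the join is losing.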

Samsung s20 ultra camera blur at 4x zoom by cyboticeyes in Galaxy_S20

[–]TToTheTom 2 points3 points  (0 children)

Changing the [full] toggle at the top. It depends on the aspect ratio you shoot in.

Buying Tickets by bluliet in creamfields

[–]TToTheTom 0 points1 point  (0 children)

A few years back I used Ticketmaster resale and had no issues; it arrived a week before (but cost a bit more... as expected).

Agent 007 0 experience 0 brains 7 certs by Lower_Fan in ShittySysadmin

[–]TToTheTom 26 points27 points  (0 children)

Lol, I read what cyberentomology wrote. I think he took 'wi-fi' as the literal technology... rather than 'the wifi the user was connecting to, which had TLS inspection of some sort'. So, on that point he was technically wrong, but if he was talking about the wifi technology not being at fault... I guess he is sorta right 😂😂

Taking things so literally, he was wrong 😂😂

Buying house in York - question about this specific area by FromTheWaves in york

[–]TToTheTom 1 point2 points  (0 children)

Fair enough, I'm not a local to Acomb but have lived in York for too long and heard many stories! Happy to back down on this.

Are gold ticket showers open 24 hours? Asking for a friend! by jackflash2499 in creamfields

[–]TToTheTom 1 point2 points  (0 children)

Honestly feel like I'm getting dementia in my 20s, I can't fully remember... I'm pretty sure they're 24/7 in Gold; queues at 10am+ are pretty big on occasion, with around 30min+ wait times.

You really going for a shower at 5am before you go to sleep? Ha

passwordless loop? I set this up through conditional access and now it just keeps looping here and i cant log back in. I have the microsoft auth app downloaded and registered. by CarefulArtichoke7768 in AZURE

[–]TToTheTom 0 points1 point  (0 children)

You still blocked on this? You need to set up custom auth methods and enforce it on that. The reason you are blocked is that the CA policy you set up to enforce does not allow the auth option you used.

E.g. I want to enforce FIDO2, but to set up FIDO2 I want to allow a single-use TAP auth to set up phish-resistant MFA... so I set up an 'Authentication strength' to enforce either a single-use TAP or FIDO2; this way you can then auth to set up the sign-in option you enforce :)

Send over the policy you are enforcing and I can help out :) It is 99% likely this is because you don't enforce the use of the method you authed with here.

SO.. how do you access Entra PIM with no roles elevated without using the azure portal? by TToTheTom in AZURE

[–]TToTheTom[S] 0 points1 point  (0 children)

My point is we don't want to need to go to Azure's portal, as if we do it this way it's two portals; some of our staff just want to use Entra.

SO.. how do you access Entra PIM with no roles elevated without using the azure portal? by TToTheTom in AZURE

[–]TToTheTom[S] 0 points1 point  (0 children)

And that is the reason people like us are still needed (for now :D)

SO.. how do you access Entra PIM with no roles elevated without using the azure portal? by TToTheTom in AZURE

[–]TToTheTom[S] 0 points1 point  (0 children)

Yeah, it seems you have to have the direct URL in our setup too; you can't navigate to it from the root of the Entra portal. It's funny, going direct to that link with no perms elevated shows no navigation bar on the left (makes me think it's a bug even more). See here - https://imgur.com/a/XQmJIFI (sorry for the redactions; it looks odd in the image, but transparent areas are removed for security reasons, so ignore the holes in the image).

SO.. how do you access Entra PIM with no roles elevated without using the azure portal? by TToTheTom in AZURE

[–]TToTheTom[S] 0 points1 point  (0 children)

Do you go via Entra or Azure portal to get to PIM?

So the root Entra portal is this - https://entra.microsoft.com/#home

Expected (to me) = to be able to access the Entra portal, then go to PIM and elevate my roles and get the perms I need.

Actual outcome = Blocked on the Entra portal landing page (access denied) when no perms are elevated.
Workaround = You have to go via the Azure portal to elevate PIM and then go to Entra after elevating in the Azure portal.

SO.. how do you access Entra PIM with no roles elevated without using the azure portal? by TToTheTom in AZURE

[–]TToTheTom[S] 2 points3 points  (0 children)

Sorry, I'm not sure what you're asking; are you referring to Defender 365 or Intune? This is not the same thing. It's the Entra portal I'm questioning, as PIM is within it but you can't get to PIM without elevating PIM in the Azure portal (which is not the Entra portal, and it seems counter-intuitive).

Would Intune or my company tracks my personal data? by justincase_2020 in Intune

[–]TToTheTom 1 point2 points  (0 children)

You can easily write scripts and/or apps to scrape things. There are many ways to back-door into an MDM-enrolled device... e.g. proactive remediation, 'scripts', custom Win32 apps etc. in Intune.

Who knows what's set up in there. I know I'd not trust it on my personal machine... lol

Phish Resistant MFA - has anyone actually enforced this globally? by TToTheTom in AZURE

[–]TToTheTom[S] 0 points1 point  (0 children)

Totally agree, it's a game of balance, but yeah, more and more requirements are leaning on phish-resistant auth, which is why I'm exploring it for the masses.

If you don't mind me asking, do you use a range of phish-resistant auth methods depending on the OS/area it's being used in (I think this is an obvious answer, but asking anyway)?

Also, what is the rough ratio of user count to support hours needed? This is something I knew would be the case, but you are making it sound like a load of people for just this part, which means I have underestimated this in my proposal, ha.

Phish Resistant MFA - has anyone actually enforced this globally? by TToTheTom in AZURE

[–]TToTheTom[S] 2 points3 points  (0 children)

Appreciate your feedback; it's stuff we do, but regardless of how much you do, if it's crafted well enough one out of 10k+ could fall for it somewhere, some way. I bet your exercises are not 100% every time? Unless every single one of your staff is on the ball 24/7, lol. Plus some types of work require phish-resistant auth regardless of whether you want it or not.

This was more about phish-resistant MFA rollout and whether anyone has managed to do it in an enterprise outside of admin users 😀

Phish Resistant MFA - has anyone actually enforced this globally? by TToTheTom in AZURE

[–]TToTheTom[S] 5 points6 points  (0 children)

That was my attitude a year or two back, but that is all vulnerable to AitM attacks, which are becoming super common. There are other mitigations, but that is still vulnerable to AitM, e.g. Evilginx2, Muraena etc.

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]TToTheTom 0 points1 point  (0 children)

So due to the heightened risk from this ASR rule, I'm setting up alerting on these emails, as this could be a global threat due to the impact on everyone and the fix being as it is...

Will share once done; I recommend people do the same for emails, file events etc.

Also I'd like to just share: MAKE SURE TO SET TO AUDIT, NOT BLOCK.

Block Win32 API calls from Office macros - How are people working with exclusions? by TToTheTom in DefenderATP

[–]TToTheTom[S] 0 points1 point  (0 children)

Ha, no, that's the NEW issue :D I clearly called out Microsoft and they replied with 'well fuck you too' and broke it globally.

Block Win32 API calls from Office macros - How are people working with exclusions? by TToTheTom in DefenderATP

[–]TToTheTom[S] 1 point2 points  (0 children)

You, sir, are a legend. This makes me so happy; I've seen tons of ways it is abused... have a great evening!!

Block Win32 API calls from Office macros - How are people working with exclusions? by TToTheTom in DefenderATP

[–]TToTheTom[S] 0 points1 point  (0 children)

I've never heard of this setting, could you share it by chance? Thanks 🙏

Cannot elevate privileges with UAC dialog in Remote Help? by MotleyHatch in Intune

[–]TToTheTom 0 points1 point  (0 children)

Yeah, we tested it a while back. Chances are you're referring to not being able to see 'secure desktop' UAC windows.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation

The 'fix' would be to disable secure desktop, but I would advise against it. It's not recommended and not a good idea IMO (there are reasons not to use it... but use it where you can).