URL: https://cyberark.my.site.com/s/article/00003736
Submission: On January 30 via api from US — Scanned from DE
CyberArk Technical Community
WHAT ARE PSM SHADOW USERS AND HOW DO THEY WORK?

15-FEB-2021•KNOWLEDGE ARTICLE


INFORMATION

Article Total View Count
24,246
Article Number
000004950
Title
What are PSM Shadow Users and how do they work?
Question

Q1:
What are PSM Shadow User accounts and how do they work?

Q2:
What is their purpose? 
 
Q3:
When do these accounts get deleted?
 
Q4:
What is the recommended method for cleaning up unused accounts/profiles?
 
Q5:
Why do RDP sessions not require or use a PSM Shadow User account to connect
through PSM?
 
Q6:
How does password rotation on PSM Shadow User accounts work?

 
Answer
A1:
A PSM Shadow user is automatically created during a PSM connection. The PSM
Shadow users sandbox the client session. The point of the Shadow users is
process isolation: programs launched on the same server by different Vault
users run under different identities and cannot leak information between the
sessions. These identities are created by the SYSTEM user and do not have any
privileges.

The credentials of the Shadow users are managed and changed internally by the
PSM server, which changes (resets) the Shadow user password every time a new
connection is made. In addition, the hardening of the PSM server restricts the
use of these Shadow users. The PIM Suite Installation Guide describes the
hardening procedure for the PSM server, which includes steps to limit the
permissions of the Shadow users on the PSM server.

A2:
In v6.0 we added the ability to use a variety of clients on the PSM server (i.e.
Toad, SQL+, etc.). To increase the security and the expandability of the PSM,
in version 7.0 we took some steps towards sandboxing the client sessions.

This is achieved via the new PSM Shadow users, with a unique account being
created for each Vault user: their Shadow user. These Shadow users are local
users on the PSM machine.

This user is created dynamically and managed by the PSM (by default no password
is used, unless a GPO requires one).

When a user connects through the PSM, we still connect to the PSM machine
using the PSMConnect user, but we now use the Shadow user to run the client
(similar to a "run-as" approach). This creates full separation, with each user
having its own permissions, files and registry, making it very difficult to
harm other users' sessions.

As these Shadow users are local users, they should have the "Log on locally"
right.
 
A3:
This is a configurable parameter (ClearUserProfilesInterval). It can be found in
PVWA in: 
1) Administration Tab 
2) (System Configuration - Component Settings - Options) 
3) (PIM Suite Configuration - Privileged Session Management - General Settings -
Server Settings) 

This parameter defines the interval in which the Shadow User cleanup process
will be initiated. The default is every 30 days. The Shadow User account and
profile will be removed by this process if the associated Vault User no longer
exists in the vault. 

A4:
It is recommended to keep the Shadow user account as long as the associated
Vault user still exists. Once the Vault user is removed, the Shadow user will be
cleaned up in the next cycle of the ClearUserProfilesInterval.

If you need to keep the Vault user and are not concerned about losing the
associated Shadow user and profile, it is OK to manually clean these up on the
PSM server by completing both steps below:

1) Control Panel -> System -> Advanced system settings -> On the Advanced tab,
in the User Profiles section, click the Settings button -> Select the required
user name and click the Delete button
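As an added example (not CyberArk's code and not the manual procedure above), the following PowerShell script applies the same rule the cleanup process uses: a Shadow user is orphaned once its associated Vault user no longer exists. It reports orphans by default and only deletes when `-Remove` is given. The `PSM-` naming prefix and the caller-supplied Vault user list are assumptions, not values taken from this article.

```powershell
# Added example: audit PSM Shadow User accounts and profiles on a PSM server and
# report (or optionally remove) those whose Vault user no longer exists.
# ASSUMPTIONS: Shadow users carry the prefix in $ShadowPrefix (placeholder; check
# your own PSM server for the real naming convention) and the current Vault
# user names are supplied by the caller, e.g. exported from PVWA.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$VaultUsers,            # current Vault user names (constructed input)
    [string]$ShadowPrefix = 'PSM-',   # ASSUMED prefix, adjust to your environment
    [switch]$Remove                   # delete orphaned accounts and profiles
)

# Case-insensitive set of the Shadow user names we expect to exist
$expected = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($u in $VaultUsers) { [void]$expected.Add("$ShadowPrefix$u") }

# Local accounts that look like Shadow users
$shadowAccounts = Get-LocalUser | Where-Object { $_.Name -like "$ShadowPrefix*" }

foreach ($acct in $shadowAccounts) {
    if ($expected.Contains($acct.Name)) {
        Write-Verbose "$($acct.Name): Vault user still exists, keeping"
        continue
    }
    # Orphaned: the matching Vault user is gone. Find its profile by SID and
    # skip profiles that are currently loaded (an active session).
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.SID -eq $acct.SID.Value -and -not $_.Loaded }

    [pscustomobject]@{
        ShadowUser  = $acct.Name
        SID         = $acct.SID.Value
        ProfilePath = if ($userProfile) { $userProfile.LocalPath } else { '(no profile)' }
        Action      = if ($Remove) { 'remove' } else { 'report-only' }
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($acct.Name, 'Remove Shadow user and profile')) {
        # Profile first (same effect as the User Profiles dialog), then the account
        if ($userProfile) { Remove-CimInstance -InputObject $userProfile }
        Remove-LocalUser -Name $acct.Name
    }
}
```

Run it first without `-Remove` (or with `-Remove -WhatIf`) and compare the report against the ClearUserProfilesInterval cleanup before deleting anything.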

A5:
Because PSMRdpClient is the only connection client that runs with PSMConnect and
not with a Shadow user. If we were using a Shadow user, some functionality would
not work, such as copy-paste from the client to the target machine.
Furthermore, a Shadow user is not needed here for the security purpose it serves
for the other connection clients.
 
A6:
There is no mechanism in place to allow automatic rotation of the PSM Shadow
Users' passwords.

Please note that we do not consider Shadow Users to be a risk, because a Shadow
User is a weak user that cannot log in remotely to the PSM server.
Additionally, a new password is generated for the Shadow User at every session.
Product
Privileged Session Manager (PAM Self-Hosted)
Related Versions
N/A
URL Name
00003736
Article Record Type
FAQ
RELATED ARTICLES

 * How to manually run an application as a PSM Shadow User
 * PSM service restart initiate Cleanup job for shadow user profile deletion
 * PSM SSMS with Windows Auth showing PSM Shadow User Name
 * How do Safe Permissions work for Users and Groups?
 * PSM Shadow user profile not cleaned up