CYBERARK UNIVERSITY
CPM and PVWA
CyberArk Training
OBJECTIVES
By the end of this lesson you will be able to:
• Describe the main functionality of the CPM and PVWA
• Install the CPM and PVWA
• Secure and harden the CPM and PVWA
PVWA AND CPM
FUNCTIONALITY
PASSWORD VAULT WEB ACCESS
• The Password Vault Web Access (PVWA) must be installed first after the Digital Vault
• The PVWA enables both end users and administrators to access and manage privileged accounts
• PAS Component configurations are accomplished via the PVWA
CENTRAL POLICY MANAGER
• The CPM is responsible for:
  • Password Management Operations
    • Changing and verifying all target account passwords
    • Enforcing the Password Policy
  • The CPM Accounts Feed and Auto-Detection Operations
    • Discovery – Designed to quickly locate critical accounts and credentials
    • Analyze – Provides a view to assess the risk of each account
    • Provision – Accounts can be provisioned in the Vault in a simple and intuitive way
COMPONENT COMMUNICATION – CPM AND PVWA
[Diagram: Managed Target Accounts and Servers ↔ Central Policy Manager → Vault (TCP 1858); Password Vault Web Access → Vault (TCP 1858); End Users (IT Staff, Auditor, etc.) and Vault Administrators → Password Vault Web Access (HTTPS)]
The CPM and the PVWA exchange information. However, all the communication is done through the Vault.
PVWA PREREQUISITES
INSTALLATION
AUTOMATIC INSTALLATION
• You can use the PAS deployment scripts provided with the installation package to automatically install and deploy the Core PAS components on multiple servers, according to your organizational requirements.
• What do the scripts do?
  • Install the Internet Information Services prerequisite software
  • Optionally install the PVWA component
  • Implement hardening procedures on the Component Servers
• For details about the hardening procedures, see the Hardening the CyberArk CPM and PVWA Servers guide
MANUAL INSTALL OF IIS PREREQUISITES
• The manual step-by-step procedures to install the prerequisite IIS roles and features are found on [Link]
• The Password Vault Web Access component is a Microsoft IIS web application, so the Web Server role must be installed first
• Note the Role Features listed here. No other Roles or Features should be installed
INSTALL IIS PREREQUISITES
• Launch the Installation Automation PowerShell script from an Administrator: Windows PowerShell
• Allow the script to complete, and review the [Link] file located in a sub-directory where the script is located.
• Always test the Web Server installation by opening a browser and connecting to the default web site. This is an important test prior to installing the PVWA.
INSTALL A SIGNED SSL CERTIFICATE
• Replace the self-signed certificate created by the Installation Automation script with a web certificate issued by a trusted certificate authority
• The IIS server must be configured to only accept HTTPS connections. This is a manual step
• The PVWA should be a dedicated IIS server. No other web applications should be allowed
PVWA
INSTALLATION
PREREQUISITES
• Copy all necessary files to the Windows Component Server.
• Extract zip files before launching Setup.
• Do not attempt to launch the setup from a shared network drive. Always launch setup from a local drive.
WEB APPLICATION DESTINATION
• Select the destination folder for the web application
• Because Microsoft installs IIS on “C:\”, accept the default destination folder for the PasswordVault virtual directory
CONFIGURATION FILES DESTINATION
• Select the destination folder for the PVWA configuration files
• If needed, the Configuration Files destination folder can be changed to an alternate drive letter
SETUP TYPE
• The Full Password Vault Web Access option installs the PVWA for desktop browsers
• The Mobile Password Vault Web Access option installs a PVWA interface that is specifically designed for mobile devices
• Select whether to install the full PVWA server, the mobile version or both
WEB APPLICATION DETAILS
• Select the authentication types that will be enabled on the PVWA
• Choose a default authentication method if required
• If no authentication type is selected, a user will be unable to authenticate to the Vault using the PVWA
VAULT CONNECTION DETAILS
• Enter the IP Address of your Vault server
• By default the Port number is 1858
• The PVWA URL is automatically populated and should not be modified
• Accept the default URL
VAULT USERNAME AND PASSWORD DETAILS
• Enter the username and password of the Vault user that will be used to create the CPM environment on the Vault
• Typically the built-in Administrator is used for installing the components
FINISH
• Press the Finish button to complete the installation
• There is no need for a reboot
VERIFY INSTALLATION
• Review the [Link] and [Link] files to make sure the installation completed successfully.
• The files are located in C:\Users\Administrator\AppData\Local\Temp
PVWA
VERIFY SERVER ENVIRONMENT
PVWA IIS APPLICATION
• IIS Virtual Folder – PasswordVault
• Points to where the PVWA application is installed
• By default, this is the ‘PasswordVault’ folder
PVWA SERVICE (IIS SERVICES)
• The PVWA should be a dedicated server with no other applications, specifically web applications, installed
• PVWA services status can be viewed or restarted using the IISRESET command at an Administrative Command prompt
• IISRESET with the /Status option will display the status for all relevant services as shown
PVWA LOGS
• Log File Location –
  • %windir%\temp\PVWA\
  • or according to parameter "LogFolder" (located in [Link] in the IIS PasswordVault folder)
• Because the PVWA is a Microsoft IIS Web Application, the Windows Event Viewer will also contain relevant log entries for the PVWA.
PVWA
VERIFY VAULT ENVIRONMENT
PVWA SAFES
During installation a set of predefined safes is created for the PVWA
• The PVWAConfig safe contains all the configuration settings for the Password Vault Web Access.
• The PVWAPrivateUserPrefs safe contains the user preference settings for the Password Vault Web Access interface.
• The PVWAConfig and PVWAPrivateUserPrefs safes should not be accessed directly
• The PVWAReports safe is used for internal processes related to generating reports
PVWACONFIG SAFE - [Link]
• The [Link] contains the “UI & Workflow” settings for all platforms
• The PlatformBaseID ties the platforms listed in the [Link] with the platforms contained in the PasswordManagerShared safe
PVWA VAULT USERS AND GROUPS
• PVWAAppUser is used by the Password Vault Web Access for internal processing
• PVWAGWUser impersonates the logged-on user to the Vault
HARDENING THE PVWA
Security hardening operations on CyberArk PAS component servers are an emphasized area of study for all CyberArk certifications!
PVWA INSTALLATION AUTOMATION - HARDENING
• PVWA hardening is accomplished in 3 phases
  1. Executing a CyberArk provided ‘Installation Automation’ PowerShell script
  2. Applying a CyberArk provided Group Policy Object to the component server
  3. Manual procedures
• Detailed procedures can be found on [Link]. Search for
  • Harden the CyberArk CPM and PVWA Servers
  • Configure PVWA and CPM Servers in 'In Domain' Deployments
• CyberArk certification candidates must be able to audit CyberArk component servers and identify missing or misconfigured parameters and resolve them
PVWA INSTALLATION AUTOMATION – MANUAL HARDENING
Only the following network protocols, services or clients are required for a CPM and/or PVWA Component Server:
• Client for Microsoft Networks
• File and Printer Sharing for Microsoft Networks
• Internet Protocol Version 4 (TCP/IPv4)
Disable all other default protocols, services and clients
PVWA INSTALLATION AUTOMATION – SCRIPTED HARDENING
• The PVWA Installation Automation PS script accomplishes the following
  • Validates roles and services, and sets file system permissions
  • Creates local users to run CyberArk services
    • An update to the CyberArk hardening Group Policy object is required to grant the users the “Logon as a service” right
  • Removes unneeded IIS MimeTypes
  • Disables SSL and enables TLS 1.2, sets Advanced Audit policy and other Registry settings
  • Redirects HTTP to HTTPS
PVWA INSTALLATION AUTOMATION - HARDENING
• The PVWA Installation Automation PS [Link] can be found in a subfolder of \InstallationAutomation\Date_Time
• The [Link] file provides detail on the status of the changes.
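The scripted and manual hardening steps above can be audited after the fact. The following read-only check is an added example, not CyberArk's Installation Automation script; it assumes a Windows Server with IIS and the WebAdministration and NetAdapter modules, run from an Administrator PowerShell on the PVWA server. The PasswordVault application path, the three allowed adapter bindings, the SSL/TLS 1.2 settings and the HTTP-to-HTTPS redirect are the values named in these slides; the registry keys are the standard SCHANNEL locations.

```powershell
#Requires -RunAsAdministrator
# Added read-only audit (not CyberArk's script). Reports PASS/FAIL/REVIEW per hardening item.
function Test-PvwaHardening {
    [CmdletBinding()]
    param(
        # Virtual directory the PVWA installer creates under the default web site.
        [string]$PvwaAppPath = '/PasswordVault',
        # Only these adapter bindings are required on a CPM/PVWA server:
        # Client for Microsoft Networks, File and Printer Sharing, TCP/IPv4.
        [string[]]$AllowedBindings = @('ms_msclient', 'ms_server', 'ms_tcpip')
    )
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }
    function PassFail([bool]$Ok) { if ($Ok) { 'PASS' } else { 'FAIL' } }

    # 1. SCHANNEL: SSL disabled, TLS 1.2 enabled on the server side.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
        $key = Join-Path $schannel "$proto\Server"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        # A missing value means the OS default applies; the script sets it explicitly, so absent = FAIL.
        Add-Finding "SCHANNEL $proto disabled" (PassFail ($enabled -eq 0)) "Enabled=$enabled"
    }
    $tls12 = Get-ItemProperty -Path (Join-Path $schannel 'TLS 1.2\Server') -ErrorAction SilentlyContinue
    Add-Finding 'SCHANNEL TLS 1.2 enabled' (PassFail ($tls12.Enabled -eq 1 -and $tls12.DisabledByDefault -eq 0)) `
        "Enabled=$($tls12.Enabled) DisabledByDefault=$($tls12.DisabledByDefault)"

    # 2. IIS: PVWA application present, dedicated server, HTTPS binding with a CA-issued certificate.
    Import-Module WebAdministration -ErrorAction Stop
    $sites  = @(Get-Website)
    $apps   = @(Get-WebApplication)
    $others = @($apps | Where-Object { $_.Path -ne $PvwaAppPath })
    Add-Finding 'PVWA application present' (PassFail (@($apps | Where-Object { $_.Path -eq $PvwaAppPath }).Count -eq 1)) ($apps.Path -join ', ')
    Add-Finding 'Dedicated IIS server (one site, no other applications)' (PassFail ($sites.Count -eq 1 -and $others.Count -eq 0)) `
        "Sites: $($sites.Name -join ', '); other apps: $($others.Path -join ', ')"
    foreach ($site in $sites) {
        $bindings = @($site.Bindings.Collection)
        $summary  = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
        Add-Finding "Site '$($site.Name)' has an HTTPS binding" (PassFail (@($bindings | Where-Object protocol -eq 'https').Count -gt 0)) $summary
        # The script redirects HTTP to HTTPS, so an HTTP binding may legitimately remain: flag it for a manual redirect check.
        if (@($bindings | Where-Object protocol -eq 'http').Count -gt 0) {
            Add-Finding "Site '$($site.Name)' still listens on HTTP (confirm HTTP-to-HTTPS redirect)" 'REVIEW' $summary
        }
    }
    foreach ($b in @(Get-WebBinding -Protocol https)) {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($b.certificateStoreName)" | Where-Object Thumbprint -eq $b.certificateHash
        # The self-signed certificate created by the installation script must be replaced by a CA-issued one.
        $selfSigned = ($null -eq $cert) -or ($cert.Subject -eq $cert.Issuer)
        Add-Finding "Binding $($b.bindingInformation) uses a CA-issued certificate" (PassFail (-not $selfSigned)) "Subject=$($cert.Subject) Issuer=$($cert.Issuer)"
    }

    # 3. Network: only the three required bindings enabled on any adapter.
    $extra = @(Get-NetAdapterBinding | Where-Object { $_.Enabled -and $_.ComponentID -notin $AllowedBindings })
    Add-Finding 'Only required network protocols/clients enabled' (PassFail ($extra.Count -eq 0)) `
        (($extra | ForEach-Object { "$($_.Name): $($_.DisplayName) [$($_.ComponentID)]" }) -join '; ')

    # 4. IIS services (what IISRESET /Status reports) and the default PVWA log folder.
    foreach ($svc in 'W3SVC', 'WAS') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        Add-Finding "IIS service $svc running" (PassFail ($s.Status -eq 'Running')) "Status=$($s.Status)"
    }
    $logDir = Join-Path $env:windir 'temp\PVWA'
    Add-Finding 'PVWA log folder present' (PassFail (Test-Path $logDir)) $logDir

    # 5. Installed Web Server features, for comparison with the prerequisite list in the installation guide.
    $features = @(Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -like 'Web-*' })
    Add-Finding 'Installed Web Server features (review against the required list)' 'REVIEW' ($features.Name -join ', ')
    return $findings
}

Test-PvwaHardening | Format-Table -AutoSize -Wrap
```

The function changes nothing; it only reads the registry, IIS configuration, adapter bindings and services, so it can be run repeatedly as an audit after the GPO and manual steps are applied. Items the slides leave to judgement (the exact list of required roles, whether an HTTP binding is a redirect) are reported as REVIEW rather than decided by the script.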
MULTIPLE PVWAS
USE CASES
• Fault Tolerance and Disaster Recovery in the Web Interface
• Additional capacity for heavy end user traffic
• Reduction of web traffic over WAN lines for remote site users
• To provide a second less privileged web interface for external users (vendors or contractors).
ARCHITECTURE
[Diagram: User → Load Balancer → PVWA1, PVWA2, PVWA3, PVWA4 → Vault]
• A naming convention is usually irrelevant since PVWAs are all active and all serve the same role
• PVWAs can be load balanced with an external hardware load balancer
• In a load balanced configuration, each component server must be identically configured, e.g., operating system, CyberArk PAS version and installation directories
INSTALL MULTIPLE PVWA SERVERS
• Install each PVWA normally. No special configuration required.
• Each PVWA server should be installed and configured exactly the same for Load Balanced configurations.
• Provide the list of PVWA host names to the Admin of your External Load Balancer and request a Virtual IP.
CPM
INSTALLATION
INSTALL CPM PREREQUISITES
• If installing the CPM on a dedicated Windows Server, run the CPM_PreInstallation.ps1 script to enable TLS 1.2
• Launch the Installation Automation PowerShell script from an Administrator: Windows PowerShell
• Allow the script to complete and review the [Link] file located in a sub-directory where the script is located
CPM PREREQUISITES
• At least one PVWA server must be installed prior to installing the CPM
• Press Install to install the required Microsoft Redistributable Package(s), if applicable
CHOOSE DESTINATION FOLDER
• Select the destination folder for the CPM files
SETUP TYPE
• When installing a new CPM, select “No Policy Manager was previously installed” and press Next
• Select Yes only when re-installing the CPM software so that it uses the license of a previously installed CPM.
VAULT CONNECTION DETAILS
• Enter the IP Address of your Vault server
• By default the Port number is 1858
VAULT USERNAME AND PASSWORD DETAILS
• Enter the username and password of the Vault user that will be used to create the CPM environment on the Vault
• Typically the built-in Administrator is used for installing the components
FINISH
• Press the Finish button to complete the installation
• There is no need for a reboot
VERIFY INSTALLATION
• Review the [Link] to make sure the installation completed successfully.
• Errors during the installation process will show in this file
• The file is located in C:\Users\Administrator\AppData\Local\Temp
• Capture the log and move it to a different folder if an auditor intends to review it.
CPM
VERIFY SERVER ENVIRONMENT
CPM DIRECTORY STRUCTURE
• The bin directory contains all the files required to run the CPM and the Change Password processes on remote machines.
• The Logs directory contains the CPM activity log files.
• The Samples directory contains samples of all the default policy files.
• The tmp directory contains files that are used by the CPM for internal processing.
• The Vault directory contains the [Link] parameter file
THE CPM SERVICES
• CyberArk Password Manager executes all password management operations.
• CyberArk Central Policy Manager Scanner is associated with the Accounts Discovery utility
• Note that the CPM Services before hardening are running under “Local System”
CPM LOGS
Activity Logs (Logs folder)
• [Link] – contains all the log messages, including general and informative messages, errors, and warnings.
• pm_error.log – contains only warning and error messages.
Third party log files (Logs\ThirdParty folder)
• Generated by the Central Password Manager built-in password generation plug-ins when an error occurs
• Name of the log file: <type of password>-<Safe>-<folder>-<name of password object>.log, e.g. Operating System-UnixSSH-[Link]-[Link]:
History log files (Logs\History folder)
• After a log file has been uploaded into the Safe, it is renamed and moved into the History subfolder.
• The file is marked with a time stamp and renamed as follows: <filename> (<date>-<time>).log
CPM
VERIFY VAULT ENVIRONMENT
CPM SAFES
• Verify that the following safes were created for the CPM
  • PasswordManager
  • PasswordManager_ADInternal
  • PasswordManager_info
  • PasswordManager_Pending
  • PasswordManager_workspace
  • PasswordManagerShared
  • PasswordManager_Temp
PASSWORDMANAGER SAFE
• The PasswordManager safe stores the CPM configuration file
• Customization of CPM settings that are written to this file is accomplished via the System Configuration page in the PVWA.
PASSWORDMANAGERSHARED SAFE
• The ‘.ini’ files in the PasswordManagerShared safe contain the “Automatic Password Management” section for each platform.
• Customization of platform settings that are written to this file is accomplished by editing the specific Target Account Platform in the PVWA.
CPM VAULT USER
• The first CPM user created by the CPM installer is named PasswordManager
• When creating a safe using the PVWA, a CPM must be assigned, providing the PasswordManager access to the privileged accounts.
• Once assigned, the PasswordManager user will be added as an Owner of the assigned safes to enable password management operations.
HARDENING THE CPM
Security hardening operations on CyberArk PAS component servers are an emphasized area of study for all CyberArk certifications!
HARDENING THE CYBERARK CPM AND PVWA SERVERS
• The Hardening the CyberArk CPM and PVWA Servers online documentation provides prescriptive guidance to help you secure and harden the CyberArk Component servers
• CPM or PVWA hardening is accomplished via a combination of PowerShell scripts and GPO policy enforcement
• Instructions are provided for GPO deployment for in-Domain environments and a manual procedure for out-of-domain environments
• PowerShell scripts are provided to complement the deployment of the hardened configuration
• Both procedures must be completed to consider the hardening complete
HARDENING OVERVIEW – GPO/INF
• In-Domain Automatic Hardening via GPO
  • When the CPM and/or the PVWA server environments are part of an Active Directory domain ('In Domain'), a Group Policy Object can be applied to enforce security policies.
• Out of Domain Hardening via INF Import
  • When the CPM and PVWA server environments are not part of an Active Directory domain ('Out of Domain'), the hardening procedure is applied via an INF file.
• The Hardening the CyberArk CPM and PVWA Servers guide provides a complete list of all GPO settings.
• Search CyberArk Docs for “Harden the CyberArk CPM and PVWA Servers” for automatic and manual procedures for hardening CyberArk's CPM and PVWA servers
HARDENING OVERVIEW – PS SCRIPTS
• The CPM Installation Automation PowerShell script accomplishes the following
  • Validates roles and services, and sets file system permissions
  • Creates local users to run CyberArk services
    • An update to the CyberArk hardening Group Policy object is necessary to grant and enforce the required “Logon as a service” right
  • A log file is created detailing the operation
HARDENING OVERVIEW – PS SCRIPTS
• The CPM Installation Automation PowerShell script accomplishes the following
  • Creates a local user to run CPM services using an alternate credential
  • Sets directory and file permissions
  • Validates server roles and features
  • Sets screen saver parameters
  • Sets advanced auditing policy
  • Configures RDP settings
  • Sets EventLog size and retention
  • Sets permissions on registry settings
  • Other settings
HARDENING OVERVIEW – PS SCRIPTS
• Open an Administrator: PowerShell window to launch the CPM_Hardening.ps1 script from the \Installation Automation folder
• Review the [Link] file located in a sub-directory where the script is located
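Two things the CPM slides ask you to verify (the directory structure and that the CPM services no longer run as “Local System” once CPM_Hardening.ps1 has created a dedicated local user) can be checked with the following read-only script. It is an added example, not CyberArk's CPM_Hardening.ps1. The installation folder is a placeholder (use the folder chosen in the Choose Destination Folder step), the two service display names are the ones listed on the CPM Services slide, and the NTFS and pm_error.log checks are this example's own interpretation of "sets file system permissions" and of the log layout described above.

```powershell
#Requires -RunAsAdministrator
# Added read-only check (not CyberArk's script). Run from an Administrator PowerShell on the CPM server.
function Test-CpmServerEnvironment {
    [CmdletBinding()]
    param(
        # Placeholder: the CPM installation folder chosen at install time.
        [string]$CpmRoot = 'C:\CPM_INSTALL_FOLDER',
        # Service display names from the slides.
        [string[]]$ServiceDisplayNames = @('CyberArk Password Manager', 'CyberArk Central Policy Manager Scanner'),
        # Built-in identities the hardening script replaces with a dedicated local user.
        [string[]]$BuiltInAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'),
        [int]$ErrorLines = 5
    )
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }
    function PassFail([bool]$Ok) { if ($Ok) { 'PASS' } else { 'FAIL' } }

    # 1. Directory structure the installer creates: bin, Logs, Samples, tmp, Vault.
    foreach ($dir in 'bin', 'Logs', 'Samples', 'tmp', 'Vault') {
        $path = Join-Path $CpmRoot $dir
        Add-Finding "Directory '$dir' present" (PassFail (Test-Path -Path $path -PathType Container)) $path
    }

    # 2. Broad NTFS grants on the installation folder (the hardening script tightens file-system permissions).
    if (Test-Path $CpmRoot) {
        $broad = @((Get-Acl -Path $CpmRoot).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') -and
            $_.FileSystemRights.ToString() -match 'FullControl|Modify|Write'
        })
        Add-Finding 'No write access for broad groups on the CPM folder' (PassFail ($broad.Count -eq 0)) `
            (($broad | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; ')
    }

    # 3. Services: running, and no longer under Local System (Win32_Service exposes the logon account as StartName).
    foreach ($name in $ServiceDisplayNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$name'"
        if (-not $svc) { Add-Finding "Service '$name' installed" 'FAIL' 'service not found'; continue }
        Add-Finding "Service '$name' running" (PassFail ($svc.State -eq 'Running')) "State=$($svc.State) StartMode=$($svc.StartMode)"
        Add-Finding "Service '$name' runs as a dedicated local user" (PassFail ($svc.StartName -notin $BuiltInAccounts)) "StartName=$($svc.StartName)"
    }

    # 4. Logs: pm_error.log holds only warnings and errors, so its tail is the quickest health signal.
    $errLog = Join-Path $CpmRoot 'Logs\pm_error.log'
    if (Test-Path $errLog) {
        $tail = @(Get-Content -Path $errLog -Tail $ErrorLines)
        Add-Finding "pm_error.log (last $ErrorLines lines)" $(if ($tail.Count -eq 0) { 'PASS' } else { 'REVIEW' }) ($tail -join ' | ')
    } else {
        Add-Finding 'pm_error.log present' 'REVIEW' "$errLog not found (no errors logged yet, or wrong folder)"
    }
    return $findings
}

Test-CpmServerEnvironment | Format-Table -AutoSize -Wrap
```

A FAIL on the "runs as a dedicated local user" line means the hardening script has not been applied (or the GPO granting the “Logon as a service” right has not taken effect and the service was switched back); it is the single quickest indicator that the CPM server is still in its pre-hardening state.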
MULTIPLE CPMS
USE CASES
[Diagram: Vault (1858 or 443) with a Password Vault Web Access and End Users (IT Staff, Auditor, etc.); two sites, each with Target Systems, a Central Policy Manager and its own End Users, each CPM connecting to the Vault on 1858]
• A single CPM cannot accommodate the total number of accounts managed.
• Accounts are managed in multiple sites or VLANs protected by firewall
PORT REQUIREMENTS
• Reference “Privileged Account Security System [Link]”, Standard CPM Ports and Protocols for more information.
• This document should be provided to the customer early in the planning stages of the CyberArk deployment project.
CPM TO VAULT
• TCP/1858
CPM TO TARGETS
• Windows: 135, 445 and more
• UNIX: 22, 23 and more
• Mainframe: 22, 23, 449, 8476 and more
• Database: 139, 445, 1433, 1521, 3306, 5000, and more
• Directories: 389, 636 and more
• Appliances: 22, 23, 18190, and more
• Many, many others
MULTIPLE CPM SERVERS – ACTIVE-PASSIVE
[Diagram: VAULT with the ROOT safe tree and two CPM_WIN users, one marked <inactive>, both pointing at the same TARGET MACHINES]
• CPM is installed at multiple locations, but only enabled at one
• Activating and deactivating CPMs is a manual process
• Inactive CPMs will need to assume a license from the active CPM. This is commonly seen in DR implementations.
MULTIPLE CPM SERVERS
[Diagram: VAULT with the ROOT safe tree split between CPM_WIN and CPM_UNIX, each managing its own TARGET MACHINES]
• Multiple CPMs are active simultaneously
• Individual safes are assigned to individual CPMs
• Provides distributed architecture
• Each CPM must be licensed separately
NAMING CONVENTION
Create a naming convention to name each CPM according to the safes it will manage.
• BY REGION: CPM_APAC, CPM_EMEA, CPM_NA
• BY SITE: CPM_BOS, CPM_SFO, CPM_ORD
• BY ENVIRONMENT: CPM_PROD, CPM_DEV, CPM_DMZ
INSTALLING ADDITIONAL CPMS
To install multiple CPMs:
• Install the first CPM according to the normal process
• Install additional CPMs
• Rename the first CPM to match your desired naming convention
INSTALLING ADDITIONAL CPMS
• The installer will automatically name the first CPM PasswordManager.
• Each subsequent installer will prompt you to provide a CPM name since PasswordManager is already in use.
• Name each new CPM according to your naming convention.
RENAME THE SAFES FOR THE FIRST CPM
• First step is to STOP ALL CPM Services
• Next rename the PasswordManager_* safes to the new name, however…
  Do NOT rename the following safes:
  • PasswordManager_Pending
  • PasswordManagerShared
  • PasswordManagerTemp
RENAME THE COMPONENT USER FOR THE FIRST CPM
• With both CPM Services stopped and the PasswordManager_* safes renamed, rename the PasswordManager user and reset its password
RESET THE CREDENTIAL FILE
• Update the Credential File on the first CPM server so that the CPM can authenticate to the vault.
RENAME THE CPM IN THE PVWA
• Change the name of the CPM in the PVWA (under Options) so that it displays correctly in all PVWA options.
RESTART THE CPM SERVICES
• Restart the CPM services and check the [Link].
CPM ASSIGNMENTS
• Once the CPMs have been named correctly, assign CPMs to safes according to design.
SAFE – ASSIGNED CPM
• MSSQL_NA – CPM_NA
• MSSQL_APAC – CPM_APAC
• SrvAcc_NA – CPM_NA
• SrvAcc_APAC – CPM_APAC
• Recon_NA – CPM_NA
• Recon_APAC – CPM_APAC
• Cybr_NA – CPM_APAC
• Cybr_APAC – CPM_NA
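The rename procedure for the first CPM and the safe-assignment table can both be dry-run before anyone touches the Vault. The following helper is an added example, not CyberArk's tooling: it computes which PasswordManager safes would be renamed (keeping the shared safes the slides say must not be renamed; both spellings of the Temp safe that appear in this deck are excluded) and checks an assignment table against the CPM names in use. It does not connect to the Vault; the safe names and assignments in the sample are constructed from the lists in these slides. Two assumptions go beyond the slides: the base PasswordManager safe (the CPM's own configuration safe) is treated as part of the first CPM's safe set, and a safe whose suffix does not match its CPM's region is reported for review, so the two cross-region rows from the assignment table will show up as REVIEW.

```powershell
# Added planning helper (not CyberArk's tooling). Nothing here changes the Vault.
function Get-CpmSafeRenamePlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ExistingSafes,
        [Parameter(Mandatory)][string]$NewCpmName,
        [string]$OldCpmName = 'PasswordManager',
        # Shared safes that must NOT be renamed (both Temp spellings used in this deck are listed).
        [string[]]$DoNotRename = @('PasswordManager_Pending', 'PasswordManagerShared', 'PasswordManagerTemp', 'PasswordManager_Temp')
    )
    if ($NewCpmName -eq $OldCpmName) { throw "New CPM name must differ from '$OldCpmName'." }
    if ($NewCpmName -notmatch '^[A-Za-z0-9_-]+$') { throw "CPM name '$NewCpmName' contains characters not suitable for safe names." }
    # Edge case: the new prefix is already in use, e.g. by a CPM that was installed earlier.
    $taken = @($ExistingSafes | Where-Object { $_ -eq $NewCpmName -or $_ -like "${NewCpmName}_*" })
    if ($taken.Count -gt 0) { throw "Name '$NewCpmName' is already used by: $($taken -join ', ')" }
    # Only valid once ALL CPM services are stopped (first step on the rename slide).
    foreach ($safe in $ExistingSafes) {
        if ($safe -in $DoNotRename) {
            $action, $target, $why = 'KEEP', $safe, 'shared CPM safe, never renamed'
        } elseif ($safe -eq $OldCpmName -or $safe -like "${OldCpmName}_*") {
            # Assumption: the base safe (CPM configuration file) moves with the _* safes.
            $action, $target, $why = 'RENAME', ($NewCpmName + $safe.Substring($OldCpmName.Length)), 'first CPM safe'
        } else {
            $action, $target, $why = 'SKIP', $safe, 'not a CPM safe'
        }
        [pscustomobject]@{ Safe = $safe; Action = $action; NewName = $target; Reason = $why }
    }
}

function Test-CpmAssignments {
    [CmdletBinding()]
    param(
        # Safe name -> assigned CPM name, as in the SAFE / ASSIGNED CPM table.
        [Parameter(Mandatory)][hashtable]$Assignments,
        # CPM users that exist in the Vault after renaming.
        [Parameter(Mandatory)][string[]]$KnownCpms,
        # Naming convention prefix; the part after it (NA, APAC, ...) is compared with the safe's suffix.
        [string]$Prefix = 'CPM_'
    )
    foreach ($safe in $Assignments.Keys | Sort-Object) {
        $cpm = $Assignments[$safe]
        $issues = @()
        if ($cpm -notin $KnownCpms) { $issues += "unknown CPM '$cpm'" }
        if ($cpm -like "$Prefix*") {
            $region = $cpm.Substring($Prefix.Length)
            # Cross-region assignment is legal but usually a design slip, so it is reported for review.
            if ($safe -notlike "*_$region") { $issues += "safe suffix does not match CPM region '$region'" }
        }
        [pscustomobject]@{ Safe = $safe; AssignedCpm = $cpm; Status = $(if ($issues.Count -eq 0) { 'OK' } else { 'REVIEW' }); Detail = ($issues -join '; ') }
    }
    # A licensed CPM with no safes assigned is wasted capacity; report it too.
    foreach ($cpm in $KnownCpms | Where-Object { $_ -notin $Assignments.Values }) {
        [pscustomobject]@{ Safe = '(none)'; AssignedCpm = $cpm; Status = 'REVIEW'; Detail = 'CPM has no safes assigned' }
    }
}

# --- Constructed sample built from the safe list and assignment table in these slides ---
$safes = 'PasswordManager', 'PasswordManager_ADInternal', 'PasswordManager_info', 'PasswordManager_Pending',
         'PasswordManager_workspace', 'PasswordManagerShared', 'PasswordManagerTemp', 'MSSQL_NA'
Get-CpmSafeRenamePlan -ExistingSafes $safes -NewCpmName 'CPM_NA' | Format-Table -AutoSize

$assignments = @{
    MSSQL_NA = 'CPM_NA'; MSSQL_APAC = 'CPM_APAC'; SrvAcc_NA = 'CPM_NA'; SrvAcc_APAC = 'CPM_APAC'
    Recon_NA = 'CPM_NA'; Recon_APAC = 'CPM_APAC'; Cybr_NA = 'CPM_APAC'; Cybr_APAC = 'CPM_NA'
}
Test-CpmAssignments -Assignments $assignments -KnownCpms 'CPM_NA', 'CPM_APAC', 'CPM_EMEA' | Format-Table -AutoSize
```

Running the sample lists PasswordManager and its _ADInternal, _info and _workspace safes as RENAME to the CPM_NA prefix, the Pending, Shared and Temp safes as KEEP, and MSSQL_NA as SKIP; the assignment check flags the two Cybr_* rows and the idle CPM_EMEA for review. Feed the same functions the real safe list exported from the Vault to produce a reviewable change plan before the services are stopped.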
GENERAL CONFIGURATION AND
RECOMMENDATIONS
GENERAL CONFIGURATION FOR ALL DEPLOYMENTS
• Component servers should participate in an organization's Vulnerability Management Program.
• There are a number of additional steps that should be performed in 'In Domain' deployments as well as in 'Out of Domain' deployments, including:
  • Update your Operating System
  • Install an Anti-Virus Solution
GENERAL CONFIGURATION FOR ALL DEPLOYMENTS CONT.
• Restrict Network Protocols
  • Install only the required protocols and remove unnecessary ones. For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.
• Rename Default Accounts
  • It is recommended to change the names of both the Administrator and the Guest accounts to names that do not reveal their permissions.
• Validate Proper Server Roles
  • To minimize your attack surface, as a best practice, make sure that only the minimum roles and features that are required are defined on the CPM and PVWA server(s).
  • Remove all unnecessary roles and features.
• IIS Hardening (PVWA Only)
SECURE AND ISOLATE COMPONENT SERVERS
• Follow Best Practices to Mitigate Credential Theft on Servers
• Treat all CyberArk Components as Tier 0 applications and infrastructure
• Ensure any credentials that are authorized to log into CyberArk Component servers do not have Domain Administrator permissions.
SECURE AND ISOLATE COMPONENT SERVERS
• Limit the number of domain credentials that are able to access the component servers
• Consider using host-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic.
• Consider using CyberArk Privileged Session Manager and the local administrator account to access component servers, providing Isolation, Control via Policy and Monitored access.
• Deploy application whitelisting and limit execution to authorized applications
REDUCE APPLICATION ATTACK SURFACE
• Eliminate unnecessary CyberArk administrative accounts
• Reduce privileges of CyberArk administrative accounts
• Apply the concept of Least Permissions when accessing CyberArk component servers. Restrict personal accounts to business-as-usual permissions justified for their role.
REDUCE APPLICATION ATTACK SURFACE
• Consider requiring privilege elevation for system configuration changes.
• Use the CyberArk Privileged Session Manager to isolate and monitor CyberArk administration
• Require two-factor authentication for all avenues of administrative access
SUMMARY
SUMMARY
This session covered:
• Installing the CPM and PVWA
• Configuring the CPM and PVWA
• The CPM and PVWA Server Environment
• The CPM and PVWA Vault Environment
• Securing the CPM and PVWA
QUIZ
1. During the CPM installation, what does this option mean? “No Policy Manager was previously
installed”
• If you are installing a new CPM and intend to consume a new license, this is the option to choose. If you
are installing only the software but re-using a license, i.e. PasswordManager user, select “Yes. This is an
update from a previous version of Policy Manager.”
2. True or False: Beginning with PAS v10.6, Installation Automation PowerShell scripts must be used
to install PVWA pre-requisite software and to harden the PVWA and CPM Servers.
• False. Using the provided PowerShell scripts is a choice. All configurations are documented in the PAS
Installation Guide or the “Hardening the CyberArk CPM and PVWA Servers” documents.
3. Why does the PVWA installer create 2 Vault users, and what is their purpose?
• The PVWAAppUser is used for internal processing and consumes a license.
• The PVWAGWUser is the internal user that impersonates the logged on user to the vault.
THANK YOU