
Hardening the CyberArk PSM Server

February 2016

Copyright © 1999-2016 CyberArk Software Ltd. All rights reserved.


This document contains information and ideas, which are proprietary to CyberArk
Software Ltd. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, without the prior written permission of CyberArk
Software Ltd.
CAVSEC-HPSM-0216

Table of Contents

Introduction 3
Automatic Hardening in 'In Domain' Deployments 4
Importing a GPO file to an Active Directory Domain (In Domain) 5
Adding Custom Settings to the GPO File (In Domain) 8
Linking GPO to a Dedicated OU containing CyberArk servers 10
Automatic Hardening in 'Out of Domain' Deployments 11
Importing an INF File to the Local Machine 12
Applying Advanced Audit 13
General Configuration for All Deployments 14
Update your Operating System 15
Install an Anti-Virus Solution 15
Validate Proper Server Roles 15
Restrict Network Protocols 15
Rename Default Accounts 15
Configuring the PSM Server in 'In Domain' Deployments 16
Automatic Procedures (Handled by GPO and Installation Scripts) 17
Manual Procedures 17
Disable Smart Cards 17
Enable the Firewall 18
Disable Terminal Services Redirection 18
Configuring the PSM Server in 'Out of Domain' Deployments 19
Automatic Procedures (Handled by INF and Installation Scripts) 20
Manual Procedures (Administrative Templates) 20
Terminal Services 20
User Changes for Installation 22

Privileged Account Security



Introduction

This guide describes automatic and manual procedures for hardening CyberArk's PSM
server. These procedures were tested and reviewed by CyberArk's Research and
Development department and CyberArk's Security Team. The automatic procedure and
the manual procedure complement each other and, therefore, both must be applied.
When the PSM server environment is a part of Active Directory domain ('In Domain'), the
automatic hardening procedure is based on a prepared GPO (Group Policy Object) file.
However, when the PSM server environment is not a part of Active Directory domain
('Out of Domain'), it is based on an INF file.
This guide describes how to harden CyberArk's PSM server that is installed on
Windows 2012R2 Server in 'In Domain' deployments as well as in 'Out of Domain'
deployments.


Automatic Hardening in 'In Domain' Deployments

This chapter describes the automatic hardening procedure for 'In Domain' deployments,
including each file type and its configuration, as well as the procedures for applying and
editing these files in a customer's environment. It includes the following sections:
Importing a GPO file to an Active Directory Domain (In Domain)
Adding Custom Settings to the GPO File (In Domain)
Linking GPO to a Dedicated OU containing CyberArk servers


Importing a GPO file to an Active Directory Domain (In Domain)

1. Open the Group Policy Management Console (GPMC.msc).
2. Expand Group Policy Management, then the CyberArk.com forest, and then
Domains.
3. Expand CyberArk.com, then right-click Group Policy Objects and select New.

The New GPO window appears.


4. In the Name field, specify the name of the new GPO, for example, "CyberArk PSM
Hardening", then click OK.

5. In the Group Policy Objects, right-click the newly created GPO then select Import
Settings….


The Import Settings Wizard appears.

6. In the Welcome to the Import Settings Wizard window, click Next; the Backup GPO
window appears.

You do not have to configure backup as this GPO is new.


7. Click Next; the Backup location screen appears.


8. Click Browse…, and select the location of the folder where the hardening settings
are stored, for example, CyberArk PSM Hardening GPO in the CD Image, then click
Next; the Source GPO window appears.

9. Select the Hardening GPO, for example, PSM Hardening GPO, then click Next; the
Scanning Backup window appears.


10. Click Next; the Completing the Import Settings Wizard window appears.

11. Click Finish; the Import window appears and shows the progress of the GPO import.

12. When the GPO import process has been completed, click OK.

Adding Custom Settings to the GPO File (In Domain)

1. In the Group Policy Management Console, under Group Policy Objects, right-click
the newly created GPO and click Edit….


2. Navigate to the following folder: Computer Configuration \ Policies \ Windows
Settings \ Security Settings \ Local Policies \ User Rights Assignments.
3. Double click Allow log on locally and add the PSMShadowUsers group.

4. Double click Allow log on through Remote Desktop Services.


If the PSMConnect and PSMAdminConnect users are domain users, add them
with a "<Domain>\" prefix, as shown in the left screenshot below.
Otherwise, add them without a prefix, as shown in the right screenshot below.


Linking GPO to a Dedicated OU containing CyberArk servers

Linking (enabling) the GPO on the servers must be done only AFTER the servers are
installed and configured according to the installation and implementation guides. The
procedure below assumes that the customer wants a dedicated OU for PSM servers.
Make sure all PSM servers are located under that dedicated OU, so that the GPO does
not affect any other server.
1. In the Group Policy Management Console, right-click the OU then, from the pop-up
menu, select Link an Existing GPO….

2. Select the relevant GPO, for example, PSM Hardening, then click OK.
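The GPO import and link procedures above, scripted with the GroupPolicy PowerShell module (RSAT) as an added example; this is not part of the CyberArk guide. The GPO name, backup folder, source GPO name and OU distinguished name are placeholders to be replaced with the customer's own values, and the final check requires the ActiveDirectory module.

```powershell
# Added example (not from the CyberArk guide): GPMC steps 1-12 plus the OU link.
Import-Module GroupPolicy

$GpoName    = 'CyberArk PSM Hardening'              # name chosen in step 4
$BackupPath = 'D:\CyberArk PSM Hardening GPO'       # backup folder from the CD image (step 8); placeholder
$BackupGpo  = 'PSM Hardening GPO'                   # source GPO inside that backup (step 9)
$TargetOu   = 'OU=PSM Servers,DC=cyberark,DC=com'   # dedicated OU; placeholder DN

# Steps 3-4: create the empty GPO unless it already exists
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 5-12: import the prepared hardening settings into the new GPO
Import-GPO -BackupGpoName $BackupGpo -Path $BackupPath -TargetName $GpoName | Out-Null

# Sanity check before linking: the import must have produced computer-side settings
$report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
if (-not $report.GPO.Computer.ExtensionData) {
    throw "Import produced no computer settings; check $BackupPath and the source GPO name"
}

# Link only after the servers are installed and already sit in the dedicated OU
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show exactly which computers the link now affects: everything under the OU, nothing else
Import-Module ActiveDirectory
Get-ADComputer -SearchBase $TargetOu -Filter * | Select-Object -ExpandProperty Name
```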


Automatic Hardening in 'Out of Domain' Deployments

This chapter describes how to apply automatic hardening procedures in 'Out of Domain'
deployments. It includes the following sections:
Importing an INF File to the Local Machine
Applying Advanced Audit


Importing an INF File to the Local Machine


1. Copy the relevant INF hardening file to the local machine (CyberArk component).
2. At a command line, run gpedit.msc.

3. Display Computer Configuration, then display Windows Settings.


4. Right-click Security Settings, and Import Policy….

5. Browse to the folder where the INF hardening file, for example, CyberArk PSM
Hardening, is saved, and open it.


Applying Advanced Audit


1. Copy the relevant Advanced Audit.csv file to the local machine (CyberArk
component).
2. At a command line, run gpedit.msc.

3. Display Computer Configuration, then display Windows Settings, and expand
Security Settings.
4. Expand Advanced Audit Policy Configuration, then right-click System Audit
Policies – Local Group Policy Object and, from the pop-up menu, select Import
Settings.

5. Browse to the folder where the Advanced Audit.csv is saved, and open it.
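The two 'Out of Domain' import procedures above (INF file and Advanced Audit CSV) as commands run from an elevated PowerShell prompt on the PSM server, followed by a check that the effective audit policy matches the imported file. This is an added example, not part of the CyberArk guide; the file paths are placeholders, and secedit applies the template directly to the local security database rather than writing it into the Local Group Policy store as gpedit.msc does.

```powershell
# Added example (not from the CyberArk guide): secedit/auditpol instead of gpedit.msc.
$InfFile = 'C:\CyberArk\Hardening\CyberArk PSM Hardening.inf'   # placeholder path
$CsvFile = 'C:\CyberArk\Hardening\Advanced Audit.csv'           # placeholder path
$Db      = Join-Path $env:windir 'security\database\psm-hardening.sdb'
$Log     = Join-Path $env:TEMP ('psm-hardening-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

foreach ($f in $InfFile, $CsvFile) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Hardening file not found: $f" }
}

# INF: /overwrite applies the template alone instead of merging it into an existing
# database; /quiet suppresses the confirmation prompt that /overwrite would show.
secedit.exe /configure /db $Db /cfg $InfFile /overwrite /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with code $LASTEXITCODE; see $Log" }

# Advanced Audit: restore every subcategory setting listed in the CSV.
auditpol.exe /restore /file:$CsvFile
if ($LASTEXITCODE -ne 0) { throw "auditpol restore failed with code $LASTEXITCODE" }

# Compare the effective system audit policy with the imported file, subcategory by
# subcategory (only rows carrying a subcategory GUID; option rows are skipped).
function Compare-AuditPolicy {
    param([string]$Path)
    $wanted = Import-Csv -LiteralPath $Path |
        Where-Object { $_.'Policy Target' -eq 'System' -and $_.'Subcategory GUID' -like '{*' }
    $effective = auditpol.exe /get /category:* /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        Where-Object { $_.'Policy Target' -eq 'System' }
    $byGuid = @{}
    foreach ($e in $effective) { $byGuid[$e.'Subcategory GUID'] = $e.'Inclusion Setting' }
    foreach ($w in $wanted) {
        $actual = $byGuid[$w.'Subcategory GUID']
        if ($actual -ne $w.'Inclusion Setting') {
            [pscustomobject]@{ Subcategory = $w.Subcategory
                               Expected    = $w.'Inclusion Setting'
                               Actual      = $actual }
        }
    }
}

$drift = Compare-AuditPolicy -Path $CsvFile
if ($drift) { $drift | Format-Table -AutoSize; throw 'Audit policy does not match the imported CSV' }
'Hardening INF and Advanced Audit policy applied and verified.'
```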


General Configuration for All Deployments

This chapter describes configuration that must be performed in 'In Domain' deployments
as well as in 'Out of Domain' deployments. It includes the following sections:
Update your Operating System
Install an Anti-Virus Solution
Validate Proper Server Roles
Restrict Network Protocols
Rename Default Accounts


Update your Operating System


Microsoft releases periodic updates (security updates and service packs) to address
security issues discovered in its Operating Systems. Make sure your Operating System is
updated to the latest version.
You can install the updates in either of the following ways:
Manually install updates and service packs
Automatically install them with Windows Server Update Services (WSUS), located on the
corporate network

Install an Anti-Virus Solution


In today's world, the pace of virus development is very fast. Servers without anti-virus
protection are exposed to two risks:
Infection by viruses that might damage the server and the entire network
Trojan horses planted to allow remote control of the server and of all the information
on it
Install an Anti-Virus solution and update it as needed.

Validate Proper Server Roles


Server roles can be set using the Server Manager. Ensure that no unnecessary roles are
installed on the server.

Restrict Network Protocols


Install only the required protocols and remove unnecessary ones. For example, only
TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are
allowed.

Rename Default Accounts


It is recommended to rename both the Administrator and the Guest accounts to names
that do not reveal their privileges. It is also recommended to create a new locked and
unprivileged user named Administrator as bait.


Configuring the PSM Server in 'In Domain' Deployments

This chapter describes how to configure the PSM Server in 'In Domain' deployments. It
includes the following sections:
Automatic Procedures (Handled by GPO and Installation Scripts)
Manual Procedures


Automatic Procedures (Handled by GPO and Installation Scripts)

Install the PSM hardening GPO as described in Importing a GPO file to an Active
Directory Domain (In Domain) on page 5. The GPO should be imported during the
installation process.
You will receive the hardening package from CyberArk as a zipped file. Unzip this file
so that you can import the hardening GPO.

Manual Procedures

Disable Smart Cards

Note: Customer's discretion is required.
If smart cards are not used with the PSM server(s), disable this feature.

Policy | Setting | Comments

Services
Smart Card | Disabled | Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.
Smart Card Removal Policy | Disabled | (same)

To Harden via a Group Policy Object (GPO)


Create a new group policy object (Services):
Computer Configuration → Policies → Windows Settings → Security Settings →
System Services

Policy | Setting | Comments

Services
Do not allow smart card device redirection | Enabled | Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

To Harden via a Group Policy Object (GPO)


Create a new group policy object (Services):
Computer Configuration → Policies → Administrative Templates → Windows
Components → Remote Desktop Services → Remote Desktop Session Host →
Device and Resource Redirection


Enable the Firewall


Note: Customer's discretion is required.
Assuming all required network rules for proper PSM functioning are known (user
machines, target machines and other servers and services), it is recommended to enable
the Windows firewall.

Policy | Setting | Comments

Services
Windows Firewall | Enabled | Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

To Harden via a Group Policy Object (GPO)


Create a new group policy object (Services):
Computer Configuration → Policies → Windows Settings → Security Settings →
System Services

Disable Terminal Services Redirection


Note: Customer's discretion is required.
If Clipboard/Drive/Printer redirection are not being used, disable them.

Policy | Setting | Comments

Terminal Service Hardening
Do not allow Clipboard redirection | Enabled | Vulnerability: Clipboard mapping enables the client to transfer a virus or a malicious application to the server, as well as to copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting the whole network or damaging the system.
Do not allow drive redirection | Enabled | (same)
Do not allow printer redirection | Enabled | (same)

To Harden via a Group Policy Object (GPO)


Create a new group policy object (Services):
Computer Configuration → Policies → Administrative Templates → Windows
Components → Remote Desktop Services → Remote Desktop Session Host →
Device and Resource Redirection


Configuring the PSM Server in 'Out of Domain' Deployments

This chapter describes how to configure the PSM Server in 'Out of Domain'
deployments. It includes the following sections:
Automatic Procedures (Handled by INF and Installation Scripts)
Manual Procedures (Administrative Templates)


Automatic Procedures (Handled by INF and Installation Scripts)

Install the PSM hardening INF and CSV files as described in Automatic Hardening in
'Out of Domain' Deployments on page 11.
You will receive the hardening package from CyberArk as a zipped file. Unzip this file
so that you can import the hardening INF and CSV files.

Manual Procedures (Administrative Templates)


Terminal Services
Change the following services manually. For more information, refer to the policy
location in the following table.

Policy | Setting | Comments

Services
Automatic reconnection | Disabled | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
Configure keep-alive connection interval | Enabled (Keep-Alive interval: 1) | (same location)
Deny logoff of an administrator logged in to the console session | Enabled | (same location)
Set rules for remote control of Remote Desktop Services user sessions | Enabled (Full Control without user's permission) | (same location)
Do not allow LPT port redirection | Enabled | (same location)
Do not allow supported Plug and Play device redirection | Enabled | (same location)
Remove "Disconnect" option from Shut Down dialog | Enabled | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment
Remove Windows Security item from Start menu | Enabled | (same location)
Do not allow local administrators to customize permissions | Not Defined | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security
Require secure RPC communication | Enabled | (same location)
Set client connection encryption level | Enabled (Encryption Level: High Level) | (same location)
End session when time limits are reached | Enabled | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits
Set time limit for active but idle Remote Desktop Services sessions | Not Defined | (same location)
Set time limit for disconnected sessions | Enabled (set to one minute) | (same location)
Do not delete temp folders upon exit | Disabled | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Temporary folders
Do not use temporary folders per session | Disabled | (same location)

Note: Customer's discretion is required when changing the following policies.

Policy | Setting | Comments

Services
Do not allow Clipboard redirection | If this feature is used: Not Defined. If this feature is not used: Enabled | Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection
Do not allow COM port redirection | If this feature is used: Not Defined. If this feature is not used: Enabled | (same location)
Do not allow drive redirection | If this feature is used: Not Defined. If this feature is not used: Enabled | (same location)
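A PowerShell check of the registry-backed values behind the Remote Desktop Session Host policies in the Terminal Services tables above and in the 'In Domain' "Disable Terminal Services Redirection" table, as an added example that is not part of the CyberArk guide. The policy-to-registry-value mapping is taken from Microsoft's Group Policy settings reference, not from the guide; the policies the tables leave Not Defined and the two Shut Down dialog / Start menu items are not checked, and the discretionary rows are checked with their "if this feature is not used" value.

```powershell
# Added example (not from the CyberArk guide): verify RDS hardening policies on the PSM host.
# Registry value names and values below follow Microsoft's Group Policy reference, not the guide.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Expected = @(
    @{ Policy = 'Automatic reconnection (Disabled)';                Name = 'fDisableAutoReconnect';  Value = 1 }
    @{ Policy = 'Configure keep-alive connection interval';         Name = 'KeepAliveEnable';        Value = 1 }
    @{ Policy = 'Keep-Alive interval: 1';                           Name = 'KeepAliveInterval';      Value = 1 }
    @{ Policy = 'Deny logoff of administrator on console session';  Name = 'fDisableForcibleLogoff'; Value = 1 }
    @{ Policy = 'Remote control: Full Control without permission';  Name = 'Shadow';                 Value = 2 }
    @{ Policy = 'Do not allow LPT port redirection';                Name = 'fDisableLPT';            Value = 1 }
    @{ Policy = 'Do not allow supported PnP device redirection';    Name = 'fDisablePNPRedir';       Value = 1 }
    @{ Policy = 'Do not allow smart card device redirection';       Name = 'fEnableSmartCard';       Value = 0 }
    @{ Policy = 'Require secure RPC communication';                 Name = 'fEncryptRPCTraffic';     Value = 1 }
    @{ Policy = 'Client connection encryption level: High';         Name = 'MinEncryptionLevel';     Value = 3 }
    @{ Policy = 'End session when time limits are reached';         Name = 'fResetBroken';           Value = 1 }
    @{ Policy = 'Disconnected session limit: one minute (ms)';      Name = 'MaxDisconnectionTime';   Value = 60000 }
    @{ Policy = 'Do not delete temp folders upon exit (Disabled)';  Name = 'DeleteTempDirsOnExit';   Value = 1 }
    @{ Policy = 'Do not use temp folders per session (Disabled)';   Name = 'PerSessionTempDir';      Value = 1 }
    # Discretionary rows: expected values when the feature is NOT used by the PSM
    @{ Policy = 'Do not allow Clipboard redirection';               Name = 'fDisableClip';           Value = 1 }
    @{ Policy = 'Do not allow COM port redirection';                Name = 'fDisableCcm';            Value = 1 }
    @{ Policy = 'Do not allow drive redirection';                   Name = 'fDisableCdm';            Value = 1 }
    @{ Policy = 'Do not allow printer redirection';                 Name = 'fDisableCpm';            Value = 1 }
)

function Test-PsmRdsHardening {
    param([string]$Key = $TsPolicyKey, [array]$Rules = $Expected)
    # A missing key or value means the policy is Not Defined, which counts as a mismatch
    $current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($r in $Rules) {
        $actual = if ($current) { $current.($r.Name) } else { $null }
        [pscustomobject]@{
            Policy   = $r.Policy
            Value    = $r.Name
            Expected = $r.Value
            Actual   = if ($null -eq $actual) { 'Not Defined' } else { $actual }
            Status   = if ($actual -eq $r.Value) { 'OK' } else { 'MISMATCH' }
        }
    }
}

$results = Test-PsmRdsHardening
$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment pipeline fail when a hardening setting is missing
if ($results.Status -contains 'MISMATCH') { exit 1 }
```

Run it after the GPO has been applied (or after gpupdate /force) so the policy key reflects the imported settings rather than the pre-hardening state.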


User Changes for Installation


1. At a command line, run gpedit.msc.

2. Display Computer Configuration, then display Windows Settings, and expand
Security Settings.
3. Expand Local Policies, then select User Rights Assignment.

4. Add the PSMShadowUsers group to the Allow log on locally list.


5. Add the PSMConnect/PSMAdminConnect users to the Allow log on through
Terminal Services list.
