February 2016
Table of Contents
Introduction
Automatic Hardening in 'In Domain' Deployments
Importing a GPO file to an Active Directory Domain (In Domain)
Adding Custom Settings to the GPO File (In Domain)
Linking GPO to a Dedicated OU containing CyberArk servers
Automatic Hardening in 'Out of Domain' Deployments
Importing an INF File to the Local Machine
Applying Advanced Audit
General Configuration for All Deployments
Update your Operating System
Install an Anti-Virus Solution
Validate Proper Server Roles
Restrict Network Protocols
Rename Default Accounts
Configuring the PSM Server in 'In Domain' Deployments
Automatic Procedures (Handled by GPO and Installation Scripts)
Manual Procedures
Disable Smart Cards
Enable the Firewall
Disable Terminal Services Redirection
Configuring the PSM Server in 'Out of Domain' Deployments
Automatic Procedures (Handled by INF and Installation Scripts)
Manual Procedures (Administrative Templates)
Terminal Services
User Changes for Installation
Introduction
This guide describes automatic and manual procedures for hardening CyberArk's PSM
server. These procedures were tested and reviewed by CyberArk's Research and
Development department and CyberArk's Security Team. The automatic procedure and
the manual procedure complement each other and, therefore, both must be applied.
When the PSM server environment is part of an Active Directory domain ('In Domain'), the
automatic hardening procedure is based on a prepared GPO (Group Policy Object) file.
However, when the PSM server environment is not part of an Active Directory domain
('Out of Domain'), it is based on an INF file.
This guide describes how to harden CyberArk's PSM server that is installed on
Windows 2012R2 Server in 'In Domain' deployments as well as in 'Out of Domain'
deployments.
This chapter describes the automatic hardening procedure for 'In Domain' deployments,
including each file type and its configuration, as well as the procedures for applying and
editing these files in a customer's environment. It includes the following sections:
Importing a GPO file to an Active Directory Domain (In Domain)
Adding Custom Settings to the GPO File (In Domain)
Linking GPO to a Dedicated OU containing CyberArk servers
5. In the Group Policy Objects, right-click the newly created GPO then select Import
Settings….
6. In the Welcome to the Import Settings Wizard window, click Next; the Backup GPO
window appears.
8. Click Browse…, and select the location of the folder where the hardening settings
are stored, for example, CyberArk PSM Hardening GPO in the CD Image, then click
Next; the Source GPO window appears.
9. Select the Hardening GPO, for example, PSM Hardening GPO, then click Next; the
Scanning Backup window appears.
10. Click Next; the Completing the Import Settings Wizard window appears.
11. Click Finish; the Import window appears and shows the progress of the GPO import.
12. When the GPO import process has been completed, click OK.
2. Select the relevant GPO, for example, PSM Hardening, then click OK.
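The import and link steps above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original guide; the GPO names follow the examples used in the steps, while the backup folder path, domain and OU name are placeholder assumptions to replace with your own values.

```powershell
# Added example: scripted equivalent of the GPMC "Import Settings" wizard and
# the OU link step. Run with rights to create and link GPOs in the domain.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

# Assumed values (placeholders, not from the guide):
$BackupPath = 'D:\CyberArk PSM Hardening GPO'          # folder copied from the CD image
$TargetOu   = 'OU=CyberArk Servers,DC=example,DC=com'  # dedicated OU for CyberArk servers

# Names taken from the examples in the guide's steps:
$BackupGpoName = 'PSM Hardening GPO'   # name shown in the Source GPO window
$TargetGpoName = 'PSM Hardening'       # GPO that receives the imported settings

# Fail early if the backup folder is missing, before touching the domain.
if (-not (Test-Path -LiteralPath $BackupPath -PathType Container)) {
    throw "GPO backup folder not found: $BackupPath"
}

# Import the backed-up settings. This overwrites the settings of an existing
# GPO with the same name, as the wizard does; -CreateIfNeeded creates the
# target GPO when it does not exist yet.
$gpo = Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath `
                  -TargetName $TargetGpoName -CreateIfNeeded

# Link the GPO to the dedicated OU only if it is not linked already, so the
# script can be re-run safely.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Verify the link is present and enabled; a disabled link leaves the PSM
# servers in the OU without the hardening settings.
$link = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $link -or -not $link.Enabled) {
    throw "GPO '$TargetGpoName' is not linked and enabled on $TargetOu"
}

# Write an HTML report of the imported settings for review and change records.
$report = Join-Path $env:TEMP 'PSM-Hardening-GPO.html'
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
"Linked '$($gpo.DisplayName)' to $TargetOu (order $($link.Order)); report: $report"
```

After the script completes, running `gpupdate /force` followed by `gpresult /r` on a PSM server in the OU confirms that the GPO is listed under the applied computer policies.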
This chapter describes how to apply automatic hardening procedures in 'Out of Domain'
deployments. It includes the following sections:
Importing an INF File to the Local Machine
Applying Advanced Audit
5. Browse to the folder where the INF hardening file, for example, CyberArk PSM
Hardening, is saved, and open it.
5. Browse to the folder where the Advanced Audit.csv is saved, and open it.
This chapter describes configuration that must be performed in 'In Domain' deployments
as well as in 'Out of Domain' deployments. It includes the following sections:
Update your Operating System
Install an Anti-Virus Solution
Validate Proper Server Roles
Restrict Network Protocols
Rename Default Accounts
This chapter describes how to configure the PSM Server in 'In Domain' deployments. It
includes the following sections:
Automatic Procedures (Handled by GPO and Installation Scripts)
Manual Procedures
Manual Procedures
Disable Smart Cards
Note: Customer's discretion is required.
If smart cards are not used with the PSM server(s), disable this feature.
Services
Setting
Policy Comments