What is the name of the Windows Server service that helps manage updates for all Windows computers in the network? Group of answer choices: rpm, RIS, WSUS, RDP.

New features might require you to change current update policies, especially if you're supporting more remote workers.

Contributing Writer, CSO


The need to manage patching on home machines that have no Group Policy, Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) control means that you may be looking for alternatives. Employees' personal machines might run the Windows 10 Home edition, which has limited ability to control updates. With corporate-owned machines you have more options.

Recently, Microsoft released the Update Baseline for Windows 10, which includes several settings to control Windows Update. The recommended baselines control:

  • Configuring deadlines
  • Restart behavior
  • Accounting for low activity devices
  • Delivery optimization
  • Power policies

The group policies that control Windows Update on Windows 10 Professional, Enterprise and Educational versions are collectively called Windows Update for Business. You can set them via group policy or registry keys. They are on the roadmap to be converted and controlled by Intune as well.

This section describes the hardening task procedures. Use this reference to troubleshoot your automatic installation or manually perform these steps.

The hardening script

The PSM hardening procedure on the PSM server machine enhances PSM security. The PSM Hardening script is copied to the PSM machine as part of the installation, to the \Hardening folder.

 

If you are using the automated installation script, several steps are done during the Hardening stage.

 

To configure the PSM users’ passwords when installing the PSM on AWS, refer to Introduction before hardening the PSM server machine.

Run the hardening script

 

If you are using the automated installation script, this step is done during the Hardening stage.

Perform the following procedures to run the hardening script.

Enable PowerShell scripts on the PSM machine

  1. To check the current PowerShell script execution policy, open a PowerShell window and run Get-ExecutionPolicy. The command should return RemoteSigned.

    Get-ExecutionPolicy

  2. If the command does not return RemoteSigned, run the following command to allow local PowerShell scripts to run:

    Set-ExecutionPolicy RemoteSigned -Force

For more information about this command, refer to PowerShell's man page.

Modify the PSM hardening script

  1. Remove the read-only permissions from the PSM hardening script file PSMHardening.ps1.

  2. Open the PSM hardening script using Notepad and proceed with the following options:

     • To enable the PSM to connect to Web applications, change the value of $SUPPORT_WEB_APPLICATIONS to $true.

     • To harden a PSM cluster:
       1. In the $PSM_VAULT_FILE_PATH parameter, specify the shared Vault folder and/or the Vault file that is not under the PSM directory path.
       2. In the $PSM_RECORDING_PATH parameter, specify the shared recording folder and/or recording directory that is not under the PSM directory path.

Run the PSM hardening script

  1. In a PowerShell window, open the PSM installation >\Hardening folder.

    cd "C:\Program Files (x86)\CyberArk\PSM\Hardening"

  2. To start the script, run the following command:

    .\PSMHardening.ps1

Review the PSM hardening script output log file

  1. Check the log for errors.

  2. If the log contains errors, refer to the # Error Codes section in the hardening script for troubleshooting suggestions. If you cannot solve the problem, contact your CyberArk support representative.

  3. If the PVWA is installed on the same machine, check that the script recognized and modified the PVWA folders’ permissions.

  4. If the script did not recognize the PVWA, or a warning message was written in the log, modify the permissions manually as follows:

    Object         User                           Permission
    C:\CyberArk    PSMConnect, PSMAdminConnect    Deny All Access
    C:\InetPub     PSMConnect, PSMAdminConnect    Deny All Access

  5. Return the security level for running PowerShell scripts to the same status as it was before you ran the script. For example, to set the execution policy to Restricted, run the following command:

    Set-ExecutionPolicy Restricted

For more information about this command, refer to PowerShell's man page.
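As an added example (not code from the CyberArk documentation), the following PowerShell wraps the steps above: it records the current execution policy, runs the hardening script from the Hardening folder, restores the policy afterwards, and then checks that the Deny All Access entries from the table above are present for PSMConnect and PSMAdminConnect. The folder path and user names are the ones shown in the procedure; the rest is an assumption about your host, and the script must be run from an elevated PowerShell session.

```powershell
# Added example, not CyberArk's own tooling.
$HardeningDir = 'C:\Program Files (x86)\CyberArk\PSM\Hardening'   # path from the procedure
$PvwaFolders  = @('C:\CyberArk', 'C:\InetPub')                      # folders from the table above
$PsmUsers     = @('PSMConnect', 'PSMAdminConnect')

# Remember the machine-scope policy so it can be put back exactly as it was.
$previousPolicy = Get-ExecutionPolicy -Scope LocalMachine

Push-Location $HardeningDir
try {
    if ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
        Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    }
    & .\PSMHardening.ps1
}
finally {
    Pop-Location
    # Return the policy to its previous status (manual step 5 above).
    Set-ExecutionPolicy $previousPolicy -Scope LocalMachine -Force
}

# Verify that each folder carries a Deny/FullControl ACE for each PSM user.
function Test-PsmDenyAce {
    param([string]$Path, [string[]]$Users)
    $acl = Get-Acl -Path $Path
    foreach ($user in $Users) {
        $ace = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -like "*\$user" -and
            $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
        }
        [pscustomobject]@{ Path = $Path; User = $user; DenyAllAccess = [bool]$ace }
    }
}

foreach ($folder in $PvwaFolders) {
    if (Test-Path $folder) { Test-PsmDenyAce -Path $folder -Users $PsmUsers }
}
```

A row with DenyAllAccess = False means the script did not recognize the PVWA folder (or a warning was logged) and the permission has to be set manually as the table describes.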

After running the hardening script

 

If you are using the automated installation script, these steps are done during the Hardening stage.

Hide PSM local drives in PSM sessions

This procedure hides the PSM local drives in the PSM sessions. It is applied automatically.

If you add a new local drive to the PSM machine, run the Hardening stage again with the Runs post hardening tasks step enabled to apply the hiding policy on the newly added drive. Before running the Hardening stage, any PSM local Shadow user in the system must be removed, along with its user profile.

Remove Shadow users' user profiles

1. Open Properties for Computer > Advanced system settings > Advanced Tab > User Profiles > Settings....
2. Delete any user profile with the PSM- prefix.

Remove PSM local Shadow users

1. Go to Computer Management > Local Users and Groups > Users.
2. Remove any user with the PSM generated Shadow-User description.

Block Internet Explorer developer tools

This procedure blocks Internet Explorer developer tools when connecting to web sites through the PSM.

Internet Explorer developer tools are blocked in the PSM in order to prevent end users who connect via the PSM from accessing them.

Block Internet Explorer development tools

  1. From Start, run the following executable: gpedit.msc; the Local Group Policy Editor window appears.

  2. In Computer Configuration, select Administrative Templates; a list of available templates is displayed.

  3. In the list of templates, double-click Windows Components, and then double-click Internet Explorer; a list of settings is displayed.

  4. Double-click Toolbars.

  5. Double-click Turn off Developer Tools, then in the settings window, select Enabled.

  6. Click OK.

This procedure blocks Internet Explorer context menus when connecting to web sites through PSM.

The Internet Explorer context menu in the PSM is blocked in order to prevent end users from adding the developer tools.

Block Internet Explorer context menus

  1. From Start, run the following executable: regedit.exe; the Registry Editor window appears.

  2. Display the contents of the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions

  3. Change the value of the DWORD NoBrowserContextMenu to 1. If the DWORD does not exist, create it.
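The two Internet Explorer restrictions above can be applied and verified from PowerShell instead of regedit and gpedit. This is an added example, not code from the CyberArk documentation: the Restrictions key and the NoBrowserContextMenu value are the ones named in the procedure; the IEDevTools\Disabled value is an assumption about the registry location that the "Turn off Developer Tools" policy writes, so confirm it in your Local Group Policy Editor before relying on the check.

```powershell
# Added example, not CyberArk's own tooling. Run from an elevated session.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'   # from the procedure
# Assumption: backing key of the "Turn off Developer Tools" policy.
$DevTools     = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\IEDevTools'

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    # Create the key if it is missing, then create or overwrite the DWORD.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Expected)
    # Read back the value and report whether it matches the hardening target.
    $actual = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Key       = $Key
        Name      = $Name
        Expected  = $Expected
        Actual    = $actual
        Compliant = ($actual -eq $Expected)
    }
}

Set-PolicyDword -Key $Restrictions -Name 'NoBrowserContextMenu' -Value 1
Set-PolicyDword -Key $DevTools     -Name 'Disabled'             -Value 1

Test-PolicyDword -Key $Restrictions -Name 'NoBrowserContextMenu' -Expected 1
Test-PolicyDword -Key $DevTools     -Name 'Disabled'             -Expected 1
```

The Test-PolicyDword rows are what you would re-run after a server upgrade or a domain GPO refresh to confirm the restrictions are still in effect.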

Run AppLocker rules

 

If you are using the automated installation script, this step is done during the Hardening stage.

To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.

The PSM installation includes an AppLocker script which enables PSM users to invoke internal PSM applications, mandatory Windows applications, and 3rd party external applications that are used as clients in the PSM.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening.

  • If your environment includes executables that must be allowed, in addition to those that are built-in to the PSM installation, such as PSM Universal Connectors executables, you must edit this file to add rules that will allow these executables.

  • If you have connectors deployed using shared universal connector deployment on multiple PSM servers they will be updated automatically in the AppLocker rules. For details, see Deploy Universal Connectors on multiple PSM servers.

  • Beginning in version 11.5.9, DLL files are allowed only when located with the allowed executables. If your environment includes DLL files that are not located with the allowed executables, you must add them to the PSMConfigureAppLocker.xml file.

Verification before running the AppLocker script

  1. Make sure that the organizational GPO AppLocker policy is not enabled on the PSM machine.

  2. Configure the PSM machine to allow PowerShell scripts to run:
    1. Open a PowerShell window, then run the Get-ExecutionPolicy command to check the current PowerShell script execution policy, as shown in the following example. The command should return RemoteSigned.

      Get-ExecutionPolicy

    2. If the above command does not return RemoteSigned, run the Set-ExecutionPolicy command to allow local PowerShell scripts to run, as shown in the following example:

      Set-ExecutionPolicy RemoteSigned -Force

For more information about this command, refer to the PowerShell man page.

Run the AppLocker script

  1. In the PSM installation folder, remove the read-only permissions from the PSMConfigureAppLocker.xml file.

  2. Open the PSMConfigureAppLocker.xml configuration file and edit the PSM AppLocker configuration manually:

    1. Make sure that the paths specified in the file specify the PSM installation folder path.

    2. If your environment includes executables that must be allowed, in addition to those that are built into the PSM installation, such as PSM Universal Connectors executables, add a rule for each executable to allow it on the PSM server.

  3. Run the Automatic PSM AppLocker Configuration Script to set the AppLocker rules and ensure that PSM users can only run approved applications. This script enables PSM users to invoke internal PSM applications and mandatory Windows applications. The PowerShell script that configures the AppLocker rules is called PSMConfigureAppLocker.ps1 and is located in the folder PSM installation > Hardening.

    • In a PowerShell window, open the PSM installation >\Hardening folder.

      cd "C:\Program Files (x86)\CyberArk\PSM\Hardening"

    • To start the script, run the following command:

      .\PSMConfigureAppLocker.ps1

Return the security level for running PowerShell after running the AppLocker script

After running the AppLocker script, you can return the security level for running PowerShell scripts to the same status as it was before you ran the AppLocker script.

For example, to set the execution policy to Restricted, run the following command:

    Set-ExecutionPolicy Restricted

For more information about this command, refer to PowerShell's man page.

Automatic hardening in 'In Domain' deployments

 

Even if you are using the automated installation script, this step is still required.

This section describes the automatic hardening procedure for In Domain deployments, including each file type and its configuration, as well as the procedures for applying and editing these files in a customer's environment.

Import a GPO file to an 'In Domain' Active Directory domain

  1. Open the Group Policy Management Console (GPMC.msc) on your domain.

  2. Expand Group Policy Management, then the forest, and then Domains.

  3. Expand , then right-click Group Policy Objects and select New. The New GPO window appears.

  4. In the Name field, specify the name of the new GPO (for example, CyberArk PSM Hardening), then click OK.

  5. In the Group Policy Objects, right-click the newly created GPO, then select Import Settings…. The Import Settings Wizard appears.

  6. In the Welcome to the Import Settings Wizard window, click Next. The Backup GPO window appears. You do not have to configure backup as this GPO is new.

  7. Click Next. The Backup location screen appears.

  8. Click Browse, and select the location of the folder where the hardening settings are stored. For example, CyberArk PSM Hardening - GPO Settings from the installation package.

     Be sure to unzip the folder where the hardening settings are stored.

     If CPM is installed on the same machine, use CyberArk PSM Hardening - GPO - Shared CPM.

  9. Click Next. The Source GPO window appears.

  10. Select the Hardening GPO, for example, PSM Hardening GPO, then click Next. The Scanning Backup window appears.

  11. Click Next. The Completing the Import Settings Wizard window appears.

  12. Click Finish. The Import window appears and shows the progress of the GPO import.

  13. When the GPO import process is complete, click OK.

Link GPO to a dedicated OU containing CyberArk servers

  1. Make sure all servers are located under a dedicated OU, so the GPO will not affect any other server.

  2. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO.

  3. Select the relevant GPO, for example, PSM Hardening, then click OK.
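The import-and-link procedure above can also be scripted with the GroupPolicy module, which is useful when several PSM servers are built the same way. This is an added example and not CyberArk's tooling: the GPO name and source GPO name are the examples given in the steps, while the unzipped backup folder path and the OU distinguished name are assumptions to replace with your own.

```powershell
# Added example, not CyberArk's own tooling. Requires the GroupPolicy RSAT module
# and an account allowed to create and link GPOs in the domain.
Import-Module GroupPolicy

$GpoName       = 'CyberArk PSM Hardening'                              # example name from step 4
$BackupGpoName = 'PSM Hardening GPO'                                   # example source GPO from step 10
$BackupPath    = 'C:\Install\CyberArk PSM Hardening - GPO Settings'    # assumption: unzipped hardening folder
$TargetOu      = 'OU=CyberArk Servers,DC=example,DC=local'             # assumption: the dedicated OU

# Create the GPO if it does not exist yet, then import the backed-up settings into it.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath -TargetName $GpoName | Out-Null

# Link only to the dedicated OU so that no other server picks up the hardening.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Report every location the GPO is linked to; the list should contain the dedicated OU only.
function Get-GpoLinkScope {
    param([string]$Name = $GpoName)
    ([xml](Get-GPOReport -Name $Name -ReportType Xml)).GPO.LinksTo |
        Select-Object SOMName, SOMPath, Enabled
}

Get-GpoLinkScope | Format-Table -AutoSize
```

Run Get-GpoLinkScope again after any change to the OU structure; an unexpected link is the quickest way for the hardening GPO to land on a server it was never meant for.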

Automatic hardening in 'Out of Domain' deployments

This section describes how to apply automatic hardening procedures in 'Out of Domain' deployments.

 

If you are using the automated installation script, this step is done during the Hardening stage.

Import an INF file to the local machine

  1. Copy the relevant INF hardening file to the local machine (CyberArk component).

  2. In a command line, run gpedit.msc.

  3. Display Computer Configuration, then display Windows Settings.

  4. Right-click Security Settings, and select Import Policy.

  5. Browse to the folder where the INF hardening file is located, for example, CyberArk PSM Hardening, and open it.

Apply advanced audit

  1. Copy the relevant Advanced Audit.csv file to the local machine (CyberArk component).

  2. In a command line, run gpedit.msc.

  3. Display Computer Configuration, then display Windows Settings, and expand Security Settings.

  4. Expand Advanced Audit Policy Configuration, then right-click System Audit Policies – Local Group Policy Object, and select Import Settings.

  5. Browse to the folder where the Advanced Audit.csv is saved, and open it.

General routine configurations for 'In Domain' and 'Out of Domain' deployments

This section describes configuration that must be performed in 'In Domain' deployments as well as in 'Out of Domain' deployments.

 

Even if you are using the automated installation script, this step is still required.

Update your Operating System

Microsoft releases periodic updates (security updates and service packs) to address security issues that were discovered in Operating Systems. Make sure your Operating System is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install with Windows Server Update Services (WSUS), which is located on a corporate network.

Install an Anti-Virus solution

In today’s world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:

  • Server infected with viruses that might damage the server and the entire network.

  • Trojan horses that are planted to allow remote control of the server and access to all the information on it.

Install an Anti-Virus solution and update it as needed.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server.

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.

Rename default accounts

It is recommended to change the names of both the Administrator and the Guest accounts to names that do not reveal their permissions.

It is also recommended to create a new locked and unprivileged Administrator user name as bait.

Enable Microsoft Edge

Configure AppLocker to enable Microsoft Edge

  1. Remove the read-only permission from the PSMConfigureAppLocker.xml file.

  2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:

    Make sure that the following lines exist and are uncommented:

     


    Verify that the path specified in the xml matches the browser installation path.

  3. Save the PSMConfigureAppLocker.xml configuration file and close it.

  4. Use the following commands to run PowerShell and start the script:

    cd "C:\Program Files (x86)\CyberArk\PSM\Hardening"
    .\PSMConfigureAppLocker.ps1

For more information, see Run AppLocker rules.

Harden the Edge browser on the PSM server

In-domain environments

For PSM servers that are part of a domain, after you configure the connection components you must harden the PSM server. In the Secure Web Application Connectors Framework zip file package, inside the Hardening folder, there are two zip files that contain the GPO settings used to harden the PSM server:

  • CyberArk Hardening - In Domain - PSM V1.8.0 - Shared CPM.zip - Use this file if both PSM and CPM are installed on the same server.

  • CyberArk Hardening - In Domain - PSM V1.8.0.zip - Use this file if PSM and CPM are installed on different servers.

To perform the hardening, you import the Group Policy Object (GPO) hardening settings. Before importing the new file, make sure to back up your existing GPO.

For detailed information how to perform hardening, see Automatic hardening in 'In Domain' deployments.

Out-of-domain environments

In the Secure Web Application Connectors Framework zip file package, run the RunGroupPolicyLoader.bat file located in the Hardening folder.

After running this script, make sure the output logs are empty.

Configure the PSM server in 'In Domain' deployments

This section describes how to configure the PSM Server in 'In Domain' deployments.

Configure automatically

  1. Install the PSM hardening GPO as described in PSM Hardening Tasks. The GPO should be imported during the installation process.

  2. You will receive the hardening package from CyberArk as a zipped file. Unzip this file so that you can import the hardening GPO.

Configure manually

  1. If smart cards are not used with the PSM server(s), use the following to disable this feature (customer's discretion is required):

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

       Setting                       Value
       Smart Card                    Disabled
       Smart Card Removal Policy     Disabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services) under:
     Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  2. To disable smart card device redirection:

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

       Setting                                       Value
       Do not allow smart card device redirection    Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services) under:
     Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  3. To enable the firewall (customer's discretion is required):

     Assuming all required network rules for proper PSM functioning are known (user machines, target machines and other servers and services), it is recommended to enable the Windows firewall.

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

       Setting             Value
       Windows Firewall    Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services) under:
     Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  4. To disable Remote Desktop Services redirection (customer's discretion is required):

     If Clipboard/Drive/Printer redirection are not being used, disable them.

     Policy: Terminal Service Hardening
     Vulnerability: Clipboard mapping enables the client to transfer a virus or a malicious application to the server, as well as copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting the whole network or damaging the system.

       Setting                               Value
       Do not allow Clipboard redirection    Enabled
       Do not allow drive redirection        Enabled
       Do not allow printer redirection      Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services) under:
     Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Configure 'Out of Domain' PSM servers

Use the following procedures to configure PSM Servers in ‘Out of Domain’ deployments.

Manually configure Out of Domain PSM servers - administrative templates

To manually configure Remote Desktop Services, set the following policies (Policy / Setting):

Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Connections

  Automatic reconnection                                                   Disabled
  Configure keep-alive connection interval                                 Enabled; Keep-Alive interval: 1
  Deny logoff of an administrator logged in to the console session         Enabled
  Set rules for remote control of Remote Desktop Services user sessions    Enabled; Full Control without user's permission
  Do not allow LPT port redirection                                        Enabled
  Do not allow supported Plug and Play device redirection                  Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment

  Remove "Disconnect" option from Shut Down dialog    Enabled
  Remove Windows Security item from Start menu        Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Security

  Do not allow local administrators to customize permissions    Not Defined
  Require secure RPC communication                              Enabled
  Set client connection encryption level                        Enabled; Encryption Level: High Level

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits

  End session when time limits are reached                               Enabled
  Set time limit for active but idle Remote Desktop Services sessions    Not Defined
  Set time limit for disconnected sessions                               Enabled; set to one minute

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Temporary folders

  Do not delete temp folders upon exit        Disabled
  Do not use temporary folders per session    Disabled

Customer's discretion is required when changing the following policies!

Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  Do not allow Clipboard redirection    If this feature is used: Not defined. If this feature is not used: Enabled
  Do not allow COM port redirection     If this feature is used: Not defined. If this feature is not used: Enabled
  Do not allow drive redirection        If this feature is used: Not defined. If this feature is not used: Enabled

Manually add user changes for installation

  1. At a command line, run gpedit.msc.

  2. Display Computer Configuration, then display Windows Settings, and expand Security Settings.

  3. Expand Local Policies, then select User Rights Assignment.

  4. Add the PSMShadowUsers group to the Allow log on locally list.

  5. Add the PSMConnect / PSMAdminConnect users to the Allow log on through Remote Desktop Services list. To ensure that unauthorized users do not gain access to the PSM server, this setting must only be allowed for the PSMConnect and PSMAdminConnect users, and for maintenance users who are required to log on remotely to the PSM server. You must redefine this setting after each PSM server upgrade. Make sure that the effective policy, including configurations made at domain level, defines this setting as described above.

Detect blocked DLL files

If a connector fails, run the executable related to this connector and rerun the AppLocker script.

If the connector is still blocked, do the following:

  1. Open the Windows Event viewer.

  2. Go to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

  3. Check for Error 8004.

    For example, if the sqlplus.exe DLLs dependencies are not allowed, the following PSM exception appears in the PSM log:

    [12/12/2021 | 19:33:06.608333] | {pid= 2108} | {tid= 3040} | class CPSMBaseException * | PSM\[68] | ::
    | PSMSR009I Privileged Session Manager exception occurred. PSMSR278I [4380081f-4041-44ef-a6ed-992f0ee4e77f] Session component [CommandLineConnectionClient] has stopped. Ending session. [Codes: -1, -1]

    In the Windows Event viewer, the following errors appear:
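The following PowerShell is an added example, not code from the CyberArk documentation, that serves both the AppLocker rule note earlier (DLL files are allowed only when located with the allowed executables) and the blocked-DLL troubleshooting steps just described. It asks AppLocker, using the effective policy on the host, what it would decide for a connector executable and every DLL beside it, and it pulls the Event ID 8004 records from the EXE and DLL log to list what was actually blocked. The sqlplus.exe location and the PSMConnect user name are assumptions; point $ConnectorExe at the connector you are troubleshooting.

```powershell
# Added example, not CyberArk's own tooling. Requires the AppLocker module (built in)
# and read access to the AppLocker event log.
$ConnectorExe = 'C:\Program Files (x86)\CyberArk\PSM\Components\sqlplus.exe'   # assumed location
$PsmUser      = 'PSMConnect'

# 1) Evaluate the executable and its co-located DLLs against the effective policy.
function Test-ConnectorAllowed {
    param([string]$ExePath, [string]$User)
    $folder = Split-Path -Parent $ExePath
    $dlls   = @(Get-ChildItem -Path $folder -Filter '*.dll' -File |
                ForEach-Object { $_.FullName })
    $files  = @($ExePath) + $dlls
    $policy = Get-AppLockerPolicy -Effective
    # PolicyDecision is Allowed, Denied or DeniedByDefault per file.
    Test-AppLockerPolicy -PolicyObject $policy -Path $files -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 2) List the files AppLocker has blocked (Event ID 8004) since $Since.
function Get-AppLockerBlockedFiles {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The file path and target user live in the event's UserData payload.
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $e.TimeCreated
            FilePath = $data.FilePath
            User     = $data.TargetUser
            Policy   = $data.PolicyName
        }
    }
}

Test-ConnectorAllowed -ExePath $ConnectorExe -User $PsmUser | Format-Table -AutoSize
Get-AppLockerBlockedFiles | Format-Table -AutoSize
```

A DLL that shows Denied in the first report but lives outside the connector folder is the case the version 11.5.9 note describes: it needs its own entry in PSMConfigureAppLocker.xml before the AppLocker script is rerun. The second report confirms the fix took effect once no new 8004 events appear for that path.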

What is the WSUS service called?

WSUS Definition WSUS is also known as Windows Server Update Services, and its first version is called Software Update Services (SUS). It helps distribute updates, fixes, and other types of releases available from Microsoft Update.

What is the Windows Update agent?

Microsoft Windows Update Agent (WUA) is an agent program that works in conjunction with Windows Server Update Services to support automated patch delivery and installation.

What is the name of the update service that provides automatic updates within Windows instances in the cloud?

Windows Server Update Services (WSUS) or Microsoft Update is needed for software update packages and for the software updates applicability scan on Windows-based machines.

What is the source of updates for WSUS server?

The update source is the location from which your WSUS server gets its updates and update metadata. You can specify that the update source should be either Microsoft Update or another WSUS server (the WSUS server that acts as the update source is the upstream server, and your server is the downstream server).
