Security best practices and product boundaries

This topic describes the best practices to implement when you deploy EPM.


CyberArk Endpoint Privilege Manager secures privileges on the endpoint (Windows servers, Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. CyberArk Endpoint Privilege Manager helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint.

As with any security solution, it is essential to secure the EPM service to ensure the controls you have implemented are not circumvented by an attacker.

Product boundaries

EPM provides a substantial layer of security that can help secure customers’ systems and mitigate multiple attack vectors. However, like any other software, EPM has limitations in its ability to protect in certain circumstances. These circumstances, which are outside EPM’s product boundaries, are set forth in the list below. This list is not exhaustive and additional scenarios may fall outside the boundaries of EPM. While EPM may provide certain protection in these circumstances on a reasonable commercial effort basis, it is the customer’s responsibility to be aware of the product’s boundaries and apply the Security guidelines and best practices, as well as follow other organizational security policies, strategies, and architectures, to keep their systems and data secure, and to protect themselves in such circumstances.

  • When a logged in user is a local admin/root on the endpoint or is granted more privileged permissions than needed.

  • An inappropriate EPM policy is defined, including policies designed for generic use (including EPM OOTB recommended policies) or EPM misconfiguration that grants user permissions, which could result in permitting unwanted activity on the endpoint, either maliciously or by mistake.

  • Escaping elevated or restricted applications allowed by misconfigurations of the Operating System, application manipulation, unsecured applications, or specific application behavior.

  • Software loaded at Operating System kernel level.

  • Specific file locations and processes that are excluded from EPM agents by customized EPM policies.

  • Executing elevated commands from file locations writable for users.

  • Applications, processes, or commands invoked from an elevated application with child processes enabled.

  • Threat attacks occurring during EPM agent installation or upgrade on an endpoint that is already compromised.

Security guidelines and best practices

The controls described in this section are the minimal requirements for protecting your EPM deployment, and therefore your endpoints. Consolidated by our team, these controls reflect our experience in implementing industry best practices when supporting our customers in installing and operating our products. The requirements are also based upon analysis of various reports made by companies that experienced a security incident and other research data generally available in the industry.

It is imperative that you follow as many of these steps as are practicable in your environment, recognizing there may be other methods that you may wish to use based on your organization’s expertise. Review your CyberArk deployment on a regular basis to ensure it complies with industry best practices, including those outlined in this topic. For questions or assistance with designing and implementing these controls or support in reviewing your deployment, contact your CyberArk or partner representative.

Update your system

  1. Define users on the endpoint as standard users to ensure no excessive administrator permissions.

  2. Run the endpoint Operating System with the latest security update installed.

  3. Run with the latest agent version. For details, see Install EPM agents on endpoint machines.

Apply policies

  1. Proper EPM policy definitions are fundamental for ensuring the required security of your system.

  2. Apply least privilege security when defining EPM policies by granting users only the minimum permissions necessary to perform their day-to-day job. Granting users more permissions than needed can permit unwanted activity on the endpoint, either maliciously or by mistake.

  3. Carefully consider the application and other system infrastructure elevations that could provide the ability to manipulate the security foundation of your system, such as system settings, local trust certificates, and others. Any tool or configuration that is allowed to the user and can be used to jeopardize the installed security tool’s foundational functionality.

  4. Create policies that securely identify the application by defining specific policy parameters and features, such as application location, application parameters, application checksum, a custom token, restriction rules, and more. When creating policies, CyberArk strongly recommends using a digital signature from a trusted vendor (or checksum, if a digital signature is unavailable), along with other identifiers, such as name and path. These combinations ensure the correct identification of the application without compromising performance.

  5. In elevation policies, to prevent command spoofing, make sure you only allow commands from locations that are not writable to users.

  6. In case of a configured elevated shell execution policy, ensure the shell scripts are written and configured with escape prevention in mind. Writing scripts with escape prevention will mitigate unauthorized privileged shell access.

  7. For the most efficient and secure blocking strategy, it is recommended to use the default block feature. To enable specific authorized applications, add them to the Allow list. In some specific cases, the correct solution may be to configure a block policy using the checksum parameter. However, in many cases, this practice is less recommended because a checksum can be changed. For example, between versions or by malicious activity.

  8. Create application policies for Windows endpoints using the Protect Installed Files definition property. When you create application policies for elevated application installations of EXEs, CyberArk recommends that you activate the Protect Installed Files property to protect temporary installation files.

  9. Only elevate macOS applications if notarized by Apple or protected by System Integrity Protection (SIP). When you apply restriction rules, we recommend you set the Monitor SIP files in Agent Configuration to On.

  10. Configure a least-privileged user token that will be used to elevate applications. Configure a token that applies the least privileges principle, to reduce the attack surface. For example, for an elevation policy that manages an application that does not need to load a driver, remove the 'SeLoadDriverPrivilege' privilege and other irrelevant privileges.

Manage third party tools

  1. Enable a Secure Boot tool, such as the Microsoft Secure Boot (Windows 8.1 and later), to help prevent malicious software applications from loading at the kernel level during the system start-up process.

  2. Only exclude third-party security programs on endpoints from the checks performed by the CyberArk Endpoint Privilege Manager agents.

    For the Exclude files from policies parameter in Agent Configuration, CyberArk recommends removing default paths that do not exist on endpoints from the list. This ensures malware and intruders cannot use these paths.

  3. Use the file location to exclude specific application files from the Application Catalog.

    When valuing the Exclude new or changed files from Applications Catalog and Inbox parameter in Agent Configuration, CyberArk recommends using the application file location to identify the application. For details, see Agent configuration settings.

Apply access control

  1. Enable multi-factor authentication on your IdP and using SAML to log in to EPM. For details, see Account administrator. If you cannot use SAML, create a strong password policy for logging in to EPM to minimize password theft and unauthorized entry to the system.

    When configuring account settings, CyberArk recommends using the parameter default values and setting all parameters to On in the Password Configuration section. For details, see Account settings.

  2. Review all the organization’s user lists regularly to ensure that all users are valid and are properly authorized to use the EPM service.

  3. Create a strong password for the support information file to minimize unauthorized access to information on endpoints and to the policies file.

    For the Support info file password parameter in Agent Configuration, CyberArk recommends that you create a strong password that contains letters, numbers, and special characters. For details, see Agent configuration settings.

  4. An EPM Set defines an isolated management group of endpoints that share settings and keys. Consider which endpoints to include when creating a Set to ensure compliance with your security policies and business needs.

  5. Separate user roles that define Set administrators from user roles that define account administrators, and ensure users do not have both roles for the same user. If a user requires both roles, it is recommended to create a dedicated email for each role and keep them separate.

  6. Logout from the EPM console or close your browser when you are finished working with EPM so that your session is not left open and unattended. Do not leave EPM open.

  7. Set a realistic session timeout so that your session is not left open and unattended.

    When configuring account settings, CyberArk recommends setting the Timeout for inactive session parameter in the Session Expiration section. For details, see Account settings.

Protect your environment

  1. On all Operating Systems, enable disk encryption.

  2. Enable the Protect against ransomware policy to protect your organization against ransomware attacks.

    If you do not enable this policy, CyberArk recommends that you manually set the Exclude Service Accounts from Access Restrictions parameter in Agent Configuration to Off.

  3. Enable Threat Protection to protect against credentials theft. For details, see Protect against credential theft.

  4. Consider the impact before protecting Administrative User Groups.

    When you create an elevation policy for Windows Administrative Tasks - Users and Groups, and the Agent Configuration > Protect Administrative User Groups parameter is set to On, this setting overrides the elevation policy and prevents changes to the following groups: Administrators, Backup Operators, Hyper-V Administrators, Network Configuration Operators, and Power Users.

    Activating Windows Protection Guard (WPG) in conjunction with Windows Local Administrator group protection, may cause endpoint performance issues.

  5. Use CyberArk Application Risk Analysis Service (ARA) or any other supported third-party services to analyze unknown applications. For details, see Assess threats.

  6. On macOS endpoints, make sure that System Integrity Protection (SIP) is enabled and that 'recovery mode' is password protected.