CPM hardening task descriptions

This topic describes the tasks that the hardening script performs to harden the CPM server.

Overview

The following tasks are performed automatically when using the hardening script to harden the CPM server. Each task and the selected settings are described in detail below.

Imports the INF configuration

In the Microsoft Management Console (MMC), the following tasks are performed.

Configure Export settings: Adds a Security Templates snap-in, and saves the current local security configuration as a security template (INF) file.

Configure Import settings: Adds a Security Configuration and Analysis snap-in.

Create new database in Security Configuration and Analysis: Imports the INF file containing the hardening settings into a new database, and then configures the server security settings so that they match the imported template.
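The same three MMC steps can be driven from the command line with secedit.exe, which is what the following added example does (it is not the CyberArk hardening script's own code). The working directory, the database and log file names, and the name of the hardening template are assumptions; the template itself is the INF file shipped with the hardening package.

```powershell
# Added example: export the current policy, import the hardening template into a
# new database, apply it, and re-analyze to confirm it took. Run elevated.
$Work     = 'C:\CPM_Hardening'                              # assumed working directory
$Baseline = Join-Path $Work 'pre-hardening-baseline.inf'    # step 1: current config, kept for diff/rollback
$Template = Join-Path $Work 'CPM_Hardening.inf'             # assumed name of the hardening INF
$Db       = Join-Path $Work 'CPM_Hardening.sdb'             # step 3: new SCA database
$Log      = Join-Path $Work 'secedit.log'

New-Item -ItemType Directory -Path $Work -Force | Out-Null
if (-not (Test-Path -LiteralPath $Template)) { throw "hardening template not found: $Template" }

# 1. Export the current local security policy to an INF file (the "Security
#    Templates" export in the MMC table) so the pre-hardening state is preserved.
secedit.exe /export /cfg $Baseline /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Create a new analysis database and import the hardening template into it.
#    /overwrite discards anything left in a stale database of the same name.
if (Test-Path -LiteralPath $Db) { Remove-Item -LiteralPath $Db -Force }
secedit.exe /import /db $Db /cfg $Template /overwrite /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /import failed with exit code $LASTEXITCODE" }

# 3. Configure the machine from the database so its settings match the template.
secedit.exe /configure /db $Db /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 4. Analyze the machine against the same database: any setting that did not
#    apply is reported as a Mismatch line in the log, which is printed here.
secedit.exe /analyze /db $Db /log $Log /quiet
$mismatches = Select-String -Path $Log -Pattern 'Mismatch' | ForEach-Object { $_.Line }
if ($mismatches) {
  Write-Warning "Settings that do not match the hardening template:"
  $mismatches
} else {
  "Local security policy matches $Template"
}
```

Keep the exported baseline outside the CPM folders and restrict it to administrators: it documents the server's pre-hardening state and is the quickest way to diff or roll back a setting that breaks something.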

Validates server roles

To minimize your attack surface, only the minimum roles and features that are required should be defined on the CPM server. In the hardening script, all unnecessary roles and features are removed.

The following lists contain the server roles and features that are automatically removed during hardening.

Policy configuration

Enables screen saver policies

In Computer Configuration/User Configuration/Administrative Templates/Control Panel/Personalization, the following screen saver policies are set in the Local Group Policy Editor (Policy: Setting).

Enable screen saver: Enabled

Force specific screen saver: Enabled (for example, "C:\Windows\System32\Ribbons.scr")

Password protect the screen saver: Enabled

Screen saver timeout: Enabled, Seconds: 600 (10 minutes)

Configures advanced audit policies

In the Local Group Policy Editor, under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options, the security setting Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled. This makes the per-subcategory settings below take precedence over the legacy per-category audit policy, which is what allows advanced auditing in the operating system.

In Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies, the following audit subcategories are set (Policy: Setting).

Account Logon

  • Credential Validation: Success and Failure

  • Other Account Logon Events: Success and Failure

Account Management

  • Application Group Management: Success and Failure

  • Computer Account Management: Success and Failure

  • Distribution Group Management: Success and Failure

  • Other Account Management Events: Success and Failure

  • Security Group Management: Success and Failure

  • User Account Management: Success and Failure

Logon/Logoff

  • Account Lockout: Success and Failure

  • Logoff: Success and Failure

  • Logon: Success and Failure

  • Network Policy Server: Success and Failure

  • Other Logon/Logoff Events: Success and Failure

  • Special Logon: Success and Failure

Object Access

  • Application Generated: Success and Failure

  • Certification Services: Success and Failure

  • Detailed File Share: Failure

  • File Share: Success and Failure

  • File System: Success and Failure

  • Kernel Object: Success and Failure

  • Registry: Success and Failure

  • Removable Storage: Success

  • SAM: Success and Failure

Comment (operational aspects): Success auditing, particularly of the Object Access subcategories above, generates a large volume of events and can overload the system. If an overload occurs, it is recommended to audit Failure only.

Policy Change

  • Audit Policy Change: Success and Failure

  • Authentication Policy Change: Success and Failure

  • Authorization Policy Change: Success and Failure

  • Filtering Platform Policy Change: Success and Failure

  • MPSSVC Rule-Level Policy Change: Success and Failure

Privilege Use

  • Non Sensitive Privilege Use: Success and Failure

  • Sensitive Privilege Use: Failure

System

  • Other System Events: Success and Failure

  • Security State Change: Success and Failure

  • Security System Extension: Success and Failure

  • System Integrity: Success and Failure
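The following added example (not part of the CyberArk hardening script) compares the effective audit policy on the server with the table above using auditpol.exe, reports any subcategory that drifted, and optionally sets it back. The only assumptions are the script's own parameter name (-Apply) and that it runs elevated.

```powershell
# Added example: verify the advanced audit policy against the hardening table.
# Usage: .\Test-CpmAuditPolicy.ps1          (report drift)
#        .\Test-CpmAuditPolicy.ps1 -Apply   (report and correct drift)
param([switch]$Apply)

$SF = 'Success and Failure'   # the strings auditpol uses in its CSV "Inclusion Setting" column
$Expected = @{
  # Account Logon
  'Credential Validation' = $SF; 'Other Account Logon Events' = $SF
  # Account Management
  'Application Group Management' = $SF; 'Computer Account Management' = $SF
  'Distribution Group Management' = $SF; 'Other Account Management Events' = $SF
  'Security Group Management' = $SF; 'User Account Management' = $SF
  # Logon/Logoff
  'Account Lockout' = $SF; 'Logoff' = $SF; 'Logon' = $SF; 'Network Policy Server' = $SF
  'Other Logon/Logoff Events' = $SF; 'Special Logon' = $SF
  # Object Access
  'Application Generated' = $SF; 'Certification Services' = $SF; 'Detailed File Share' = 'Failure'
  'File Share' = $SF; 'File System' = $SF; 'Kernel Object' = $SF; 'Registry' = $SF
  'Removable Storage' = 'Success'; 'SAM' = $SF
  # Policy Change
  'Audit Policy Change' = $SF; 'Authentication Policy Change' = $SF
  'Authorization Policy Change' = $SF; 'Filtering Platform Policy Change' = $SF
  'MPSSVC Rule-Level Policy Change' = $SF
  # Privilege Use
  'Non Sensitive Privilege Use' = $SF; 'Sensitive Privilege Use' = 'Failure'
  # System
  'Other System Events' = $SF; 'Security State Change' = $SF
  'Security System Extension' = $SF; 'System Integrity' = $SF
}

# Subcategory settings only win if the override switch is on (the "Audit: Force
# audit policy subcategory settings..." security option sets this registry value).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
  Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override the subcategories below.'
}

# auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$current = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$drift = foreach ($name in $Expected.Keys) {
  $row = $current | Where-Object Subcategory -eq $name
  if (-not $row) {
    [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = '<not reported>' }
    continue
  }
  if ($row.'Inclusion Setting' -ne $Expected[$name]) {
    [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $row.'Inclusion Setting' }
  }
}

if (-not $drift) { 'Audit policy matches the hardening table.'; return }
$drift | Sort-Object Subcategory | Format-Table -AutoSize

if ($Apply) {
  foreach ($d in $drift) {
    # Translate the expected string back into auditpol's per-flag switches.
    $succ = if ($d.Expected -match 'Success') { 'enable' } else { 'disable' }
    $fail = if ($d.Expected -match 'Failure') { 'enable' } else { 'disable' }
    auditpol.exe /set "/subcategory:$($d.Subcategory)" "/success:$succ" "/failure:$fail" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($d.Subcategory)'" }
  }
}
```

Run it after every Group Policy refresh or OS patch cycle: the effective policy is what auditpol reports, not what the Local Group Policy Editor displays, so this is the check that tells you the Security log will actually contain the events the rest of this page assumes.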

Configures Remote Desktop Services policies

In Computer Configuration/User Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host, the following Remote Desktop Services policies are set (Policy: Setting).

Settings marked with an asterisk (*) are not available in the Local Policy settings.

Connections/Automatic reconnection*: Disabled

Connections/Configure keep-alive connection interval*: Enabled, Keep-Alive interval: 1 (minute)

Connections/Deny logoff of an administrator logged in to the console session*: Enabled

Connections/Set rules for remote control of Remote Desktop Services user sessions: Enabled, Options: View Session without user's permission

Device and Resource Redirection/Do not allow Clipboard redirection: Enabled

Device and Resource Redirection/Do not allow COM port redirection*: Enabled

Device and Resource Redirection/Do not allow drive redirection*: Enabled

Device and Resource Redirection/Do not allow LPT port redirection*: Enabled

Device and Resource Redirection/Do not allow supported Plug and Play device redirection*: Enabled

Remote Session Environment/Remove "Disconnect" option from Shut Down dialog*: Enabled

Remote Session Environment/Remove Windows Security item from Start menu*: Enabled

Security/Do not allow local administrators to customize permissions*: Enabled

Security/Require secure RPC communication*: Enabled

Security/Set client connection encryption level*: Enabled, Encryption Level: High Level

Session Time Limits/End session when time limits are reached: Enabled

Session Time Limits/Set time limit for active but idle Remote Desktop Services sessions: Enabled

Session Time Limits/Set time limit for disconnected sessions*: Enabled

Temporary Folders/Do not delete temp folders upon exit*: Disabled

Temporary Folders/Do not use temporary folders per session*: Disabled

The redirection policies stop clipboard contents, drives, ports and devices from being shared between the RDP client and the CPM server in either direction; the encryption, RPC and time-limit settings protect and bound the sessions themselves.

Creates Local Windows Service users and configures permissions

During the hardening process, three local Windows service users are created to run the CPM services:

PasswordManagerUser: The local Windows user that runs the CyberArk Password Manager service.

PluginManagerUser: The local Windows user that the CyberArk Password Manager service uses to execute plugins.

Password storage: This user's password is stored in the PasswordManager_Account Safe.

ScannerUser: The local Windows user that runs the Scanner service.

Local Windows Service user permissions

The following permissions are configured for the three CPM local Windows service users.

PasswordManagerUser

Read permissions (Read & Execute, List folder contents, Read) on the following folders:

  • [Drive]:\Python27

  • [Drive]:\Oracle

  • [Drive]:\Program Files (x86)\CyberArk

Full permissions (Full Control, Read & Execute, List folder contents, Read, Modify, Write) on the following folders:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Logs

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\tmp

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\bin

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Vault

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Scanner\Log

Permissions removed from the following folder:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Scanner

PluginManagerUser

Read permissions (Read & Execute, List folder contents, Read) on the following folder:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager

Read & Write permissions (Read & Execute, List folder contents, Read, Modify, Write) on the following folder:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Logs

Read & Execute permissions on the following folder:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\bin

Permissions removed from the following folder:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Scanner

ScannerUser

Full permissions (Full Control, Read & Execute, List folder contents, Read, Modify, Write) on the following folders:

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Scanner

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Logs

  • [Drive]:\Program Files (x86)\CyberArk\PasswordManager\Vault

Read & Execute permissions on the following files in the [Drive]:\Program Files (x86)\CyberArk\PasswordManager folder:

  • calibeay32102o.dll

  • cassleay32102o.dll

  • icudt58l.dat

  • msvcr71.dll

  • msvcr90.dll

Any other permissions that the three service users had on the folders listed above are removed during the hardening process, as are any unnecessary users and groups.
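The following added example (not part of the CyberArk hardening script) applies the PasswordManagerUser rows of the table above from a declarative rule list and then verifies the result; the rows for the other two users are additional entries of the same shape. Assumptions: the install drive is C:, the user already exists, the script runs elevated, and "permissions removed" on the Scanner folder is implemented by stopping inheritance there, since that folder would otherwise inherit the Read grant made on [Drive]:\Program Files (x86)\CyberArk (the page does not say how the script itself achieves the removal).

```powershell
# Added example: set and verify per-folder ACLs for one CPM service user.
$User = 'PasswordManagerUser'
$Base = 'C:\Program Files (x86)\CyberArk\PasswordManager'          # assumed install path
$Read = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'  # = Read & Execute, List folder contents, Read
$Full = [System.Security.AccessControl.FileSystemRights]'FullControl'
$Rules = @(
  @{ Path = 'C:\Python27';                     Rights = $Read }
  @{ Path = 'C:\Oracle';                       Rights = $Read }
  @{ Path = 'C:\Program Files (x86)\CyberArk'; Rights = $Read }
  @{ Path = "$Base\Logs";                      Rights = $Full }
  @{ Path = "$Base\tmp";                       Rights = $Full }
  @{ Path = "$Base\bin";                       Rights = $Full }
  @{ Path = "$Base\Vault";                     Rights = $Full }
  @{ Path = "$Base\Scanner\Log";               Rights = $Full }
  @{ Path = "$Base\Scanner";                   Rights = $null }   # $null = this user gets no access here
)
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Set-ServiceUserAcl([string]$Path, $Rights) {
  if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing folder: $Path"; return }
  $acl = Get-Acl -LiteralPath $Path
  if ($null -eq $Rights) {
    # Break inheritance (keeping copies of the inherited ACEs), persist, and
    # re-read so those copies appear as explicit entries that can be removed.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
  }
  # Drop every explicit ACE for this user so nothing left over from the
  # installation survives, then add back exactly what the table allows.
  $mine = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$User" })
  foreach ($ace in $mine) { $acl.RemoveAccessRuleAll($ace) }
  if ($null -ne $Rights) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $Rights, $Inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
  }
  Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ServiceUserAcl([string]$Path, $Rights) {
  if (-not (Test-Path -LiteralPath $Path)) { return $false }
  $allow = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$User" })
  if ($null -eq $Rights) { return ($allow.Count -eq 0) }
  # Union the rights of all Allow ACEs (explicit and inherited) and check the
  # required bits are present.
  $granted = 0
  foreach ($ace in $allow) { $granted = $granted -bor [int]$ace.FileSystemRights }
  return (($granted -band [int]$Rights) -eq [int]$Rights)
}

foreach ($r in $Rules) { Set-ServiceUserAcl $r.Path $r.Rights }
foreach ($r in $Rules) {
  $label = 'none'
  if ($null -ne $r.Rights) { $label = "$($r.Rights)" }
  [pscustomobject]@{ Path = $r.Path; Rights = $label; OK = (Test-ServiceUserAcl $r.Path $r.Rights) }
}
```

Test-ServiceUserAcl only proves the user has at least the listed rights; a Full Control ACE left over from installation on a folder that should be read-only still passes the Read check, which is why Set-ServiceUserAcl removes the user's explicit ACEs before granting rather than merging.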

Adds users to Local group policy Security settings

In the Local Group Policy security settings (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), the following users are added to Log on as a service:

  • NT SERVICE\ALL SERVICES

  • PasswordManagerUser

  • ScannerUser

The Log on as a service right is removed from all other users.

Sets EventLog size and retention

The maximum log size is set to 100032 KB for the following Windows event logs:

  • Application

  • Security

  • System

Overwrite events as needed (oldest events first) is selected for each log.

General auditing, registry, and file system configuration

Registry audits

The following registry keys are edited:

  • HKLM\SOFTWARE

  • HKLM\SYSTEM

In the Permissions window (right-click the registry key), under Advanced > Auditing, the following auditing entry is added to each registry key:

Principal: Everyone

Type: Success

Applies to: This key and subkeys

Advanced permissions: Set Value

A second auditing entry is added with the following settings:

Principal: Everyone

Type: Success

Applies to: This key and subkeys

Advanced permissions: Create Subkey, Create Link, Delete, Write DAC, Read Control

Registry permissions

The following registry key is edited:

  • HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg

In the Permissions window (right-click the registry key), the Administrators group is granted Full Control and any remaining groups and/or users are removed. The DACL on this key determines which accounts may connect to the registry remotely through the Remote Registry service, so after hardening only administrators can do so.

FileSystem permissions

Permissions are set for the following folders:

  • %SystemRoot%\System32\Config

  • %SystemRoot%\System32\Config\RegBack

In the Properties window (right-click the folder), under Security > Edit, both the Administrators group and the SYSTEM account are granted Full Control. Any remaining groups and/or users are removed. These folders hold the registry hive files (including SAM and SECURITY) and their backup copies, which is why both access and auditing are tightened on them.

FileSystem audit

Auditing is set for the following folders:

  • %SystemRoot%\System32\Config

  • %SystemRoot%\System32\Config\RegBack

In the Properties window (right-click the folder), under Security > Advanced > Auditing, an auditing entry is added with the following settings:

Principal: Everyone

Type: Fail

Applies to: This folder, subfolders and files

Advanced permissions: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes

A second auditing entry is added with the following settings:

Principal: Everyone

Type: All

Applies to: This folder, subfolders and files

Advanced permissions: Create files/write data, Create folders/append data, Write attributes, Write extended attributes, Delete subfolders and files, Delete, Change permissions, Take ownership
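The registry audits, Winreg permissions, and System32\Config permissions and audits described in this section can all be applied with .NET access and audit rules, which is what the following added example does (it is not the CyberArk hardening script's own code). It assumes it runs elevated, since writing a SACL requires SeSecurityPrivilege, and it uses well-known SIDs rather than names so it is not affected by localization.

```powershell
# Added example: apply the registry SACLs, the Winreg DACL, and the
# System32\Config DACL and SACL from the tables above, then print the SACLs.
$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$Admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
$System   = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # NT AUTHORITY\SYSTEM

# --- Registry audits: two Success entries for Everyone on "this key and subkeys" ---
# RegistryRights names: ChangePermissions = Write DAC, ReadPermissions = Read Control.
$regRightSets = 'SetValue', 'CreateSubKey, CreateLink, Delete, ChangePermissions, ReadPermissions'
foreach ($key in 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM') {
  $acl = Get-Acl -Path $key -Audit
  foreach ($rights in $regRightSets) {
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
      $Everyone, [System.Security.AccessControl.RegistryRights]$rights,
      'ContainerInherit', 'None', [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
  }
  Set-Acl -Path $key -AclObject $acl
}

# --- Winreg: Administrators Full Control only (this DACL gates remote registry access) ---
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'
$acl = Get-Acl -Path $winreg
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting and drop inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRuleAll($ace) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
  $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
Set-Acl -Path $winreg -AclObject $acl

# --- System32\Config and RegBack: Administrators + SYSTEM Full Control, two audit entries ---
$both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
$readRights  = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes'
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
foreach ($folder in "$env:SystemRoot\System32\Config", "$env:SystemRoot\System32\Config\RegBack") {
  if (-not (Test-Path -LiteralPath $folder)) { Write-Warning "missing: $folder"; continue }
  $acl = Get-Acl -LiteralPath $folder -Audit
  $acl.SetAccessRuleProtection($true, $false)
  foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRuleAll($ace) }
  foreach ($sid in $Admins, $System) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', $both, 'None', 'Allow')))
  }
  # Entry 1: failed read/traverse attempts. Entry 2: any write, delete, or ownership/permission change.
  $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule($Everyone, $readRights,  $both, 'None', 'Failure')))
  $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule($Everyone, $writeRights, $both, 'None', 'Success, Failure')))
  Set-Acl -LiteralPath $folder -AclObject $acl
}

# --- Show the resulting audit entries so they can be compared with the tables ---
foreach ($path in 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', "$env:SystemRoot\System32\Config") {
  (Get-Acl -Path $path -Audit).Audit |
    Select-Object @{n = 'Object'; e = { $path }}, IdentityReference, AuditFlags, InheritanceFlags,
                  @{n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } }} |
    Format-Table -AutoSize
}
```

These SACLs only produce events if the Object Access subcategories Registry and File System are audited as set earlier on this page; auditing entries on the objects and the audit policy are both required, and either one alone is silent.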

Disables services

The following services are disabled in the policy settings:

  • Routing and Remote Access

  • Smart Card

  • Smart Card Removal Policy

  • SNMP Trap

  • Special Administration Console Helper

  • Windows Error Reporting Service

  • WinHTTP Web Proxy Auto-Discovery Service

Enables FIPS cryptography

FIPS cryptography is disabled by default in the hardening script. To enable it during hardening, set the EnableFIPSCryptography parameter to Yes in the hardening script configuration file, CPM_Hardening_Config.xml, before running the script.

When FIPS cryptography is enabled in the hardening script, the /AdvancedFipsCryptography switch is appended to the ImagePath value of the CPM service's registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CyberArk Password Manager

so that the service command line looks like the following example:

ImagePath = C:\Program Files (x86)\CyberArk\Password Manager\PMEngine.exe /SERVICE /AdvancedFipsCryptography

Disables DEP on files used by the CPM

On the CPM machine, DEP is disabled for the following executable files used by the CPM. These are per-executable opt-out exceptions: DEP stays enabled for every other process on the server, and the exception list should contain nothing beyond these files.

  • PMTerminal.exe

  • Telnet.exe

  • Plink.exe

For more information about implementing DEP, refer to the Microsoft documentation.
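Because a DEP exception removes an exploit mitigation from the named binary, the list should be checked rather than assumed. The following added example (not part of the CyberArk hardening script) lists the per-executable DEP opt-outs recorded on the server and warns if anything other than the three CPM binaries is excepted, or if one of them is missing. Assumptions: the exceptions are stored as values under the AppCompatFlags\Layers keys whose data contains DisableNXShowUI (the way the System Properties DEP dialog records them), and they only take effect when the system-wide DEP policy is OptOut.

```powershell
# Added example: audit the per-executable DEP opt-out list on this server.
$Allowed    = 'PMTerminal.exe', 'Telnet.exe', 'Plink.exe'
$LayersKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
              'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
# Under AlwaysOn the opt-out list is ignored; under OptIn it is not needed.
$policy = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
if ($policy -ne 3) { Write-Warning "DEP support policy is $policy; per-executable opt-outs only take effect under OptOut (3)." }

$optOuts = foreach ($key in $LayersKeys) {
  if (-not (Test-Path -LiteralPath $key)) { continue }
  foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
    if ($p.Name -in $ProviderProps) { continue }             # provider metadata, not a registry value
    if ("$($p.Value)" -match 'DisableNXShowUI') {
      # Value name is the full path of the excepted executable; data holds the compatibility flags.
      [pscustomobject]@{ Scope = $key.Substring(0, 4); Executable = $p.Name; Flags = $p.Value }
    }
  }
}
$optOuts | Format-Table -AutoSize

$leaves     = @($optOuts | ForEach-Object { Split-Path -Path $_.Executable -Leaf })
$unexpected = @($optOuts | Where-Object { (Split-Path -Path $_.Executable -Leaf) -notin $Allowed })
$missing    = @($Allowed | Where-Object { $_ -notin $leaves })
if ($unexpected) { Write-Warning ('DEP is disabled for binaries outside the CPM list: ' + ($unexpected.Executable -join ', ')) }
if ($missing)    { Write-Warning ('No DEP exception recorded for: ' + ($missing -join ', ')) }
if ($unexpected -or $missing) { exit 1 }
"DEP opt-out list matches the CPM hardening list."
```

Run it in the context of the account that performed the hardening as well as elevated, since the HKCU key is per user; an exception that exists only under one user's hive protects nothing for the CPM service accounts.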

Updates IIS SSL/TLS settings

It is important that the SSL/TLS settings on your server are up to date: outdated protocol versions and weak cipher suites are vulnerable to known attacks on SSL/TLS.

The hardening script enables TLS 1.2 and disables the older protocol versions (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1), as they have known vulnerabilities. These settings live in the SChannel registry keys and apply to every SChannel consumer on the server, not only to IIS.

For more information about the registry values for SSL/TLS settings, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs.
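The following added example (not part of the CyberArk hardening script) writes the SChannel protocol settings that leave only TLS 1.2 enabled for both the Server (inbound, used by IIS) and Client (outbound) sides, and then checks each key. It uses the documented Enabled and DisabledByDefault values from the Microsoft page linked above; it assumes it runs elevated, and the change takes effect after a reboot.

```powershell
# Added example: set and verify SChannel protocol state (TLS 1.2 only).
$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = @{
  'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false; 'TLS 1.1' = $false
  'TLS 1.2' = $true
}

function Set-SchannelProtocol([string]$Name, [bool]$Enable) {
  foreach ($side in 'Server', 'Client') {
    $key = Join-Path (Join-Path $Root $Name) $side
    New-Item -Path $key -Force | Out-Null
    # Enabled=0 turns the protocol off outright; DisabledByDefault=1 also keeps it
    # out of the default list for callers that do not name a protocol explicitly.
    New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
  }
}

function Test-SchannelProtocol([string]$Name, [bool]$Enable) {
  foreach ($side in 'Server', 'Client') {
    $key = Join-Path (Join-Path $Root $Name) $side
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }                       # key absent: OS default applies, not the hardened value
    if ($p.Enabled -ne [int]$Enable) { return $false }
    if ($p.DisabledByDefault -ne [int](-not $Enable)) { return $false }
  }
  return $true
}

foreach ($name in $Protocols.Keys) { Set-SchannelProtocol $name $Protocols[$name] }

$result = foreach ($name in ($Protocols.Keys | Sort-Object)) {
  [pscustomobject]@{ Protocol = $name; ShouldBeEnabled = $Protocols[$name]; Configured = (Test-SchannelProtocol $name $Protocols[$name]) }
}
$result | Format-Table -AutoSize
if ($result.Configured -contains $false) { Write-Warning 'SChannel protocol settings do not match the hardening target (reboot pending?).'; exit 1 }
```

The Client keys govern connections the CPM host initiates as well, so before applying this on a production CPM confirm that every platform it manages over TLS (and any load balancer or proxy in front of IIS) negotiates TLS 1.2; a target that only speaks TLS 1.0 will fail password management rather than fall back.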