Configure Applocker

This section describes how to configure the AppLocker policy by editing PSMConfigureAppLocker.xml file. Use this reference when you run the AppLocker script manually.

AppLocker rules

To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.

The PSM installation includes an AppLocker script which enables PSM users to invoke internal PSM applications, mandatory Windows applications, and third-party external applications that are used as clients in the PSM.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening.

  • If your environment includes executables that must be allowed, in addition to those that are built-in to the PSM installation, such as PSM Universal Connectors executables, you must edit this file to add rules that will allow these executables.

    Any changes or additions you make to the default configurations of the AppLocker file may affect the security of your environment, and are outside of CyberArk’s control. It is your responsibility to verify these changes are in line with your organization's security policies.

  • If you deployed connectors using shared universal connector deployment on multiple PSM servers, the connectors and their associated executables are updated automatically in the AppLocker rules. For details, see Deploy Universal Connectors on multiple PSM servers.

Configure and run the AppLocker script

  1. Edit the PSMConfigureAppLocker.xml file, if necessary, so that all applications you need to run exist as <Application> tags under <AllowedApplications>.

  2. To run the PSMConfigureAppLocker.ps1 script, open a PowerShell window and run the following command:

    & "<PSM installation folder>\Hardening\PSMConfigureAppLocker.ps1"

Detect blocked DLL files

Any changes or additions you make to the default configurations of the AppLocker file may affect the security of your environment and are beyond CyberArk’s control. It is your responsibility to verify these changes are in line with your organization's security policies.

If a connector fails, run the executable related to this connector and rerun the AppLocker script. See Run AppLocker rules.

If the connector is still blocked, do the following:

  1. Open the Windows Event viewer.

  2. Go to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

  3. In the left pane, right-click EXE and DLL and select Clear Log.... Select Save and Clear to back up the logged events.

  4. Initiate a connection with the relevant connector through the PVWA.

  5. Go back to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

  6. In the left pane, right-click EXE and DLL and click Refresh.

  7. In the right pane, click Filter Current Log..., under Event level select only Error, and click OK.

  8. Filter for error 8004, the event ID AppLocker logs when it blocks a file.

  9. For each blocked DLL error found, add a relevant line to PSMConfigureAppLocker.xml under AllowedApplications, in the DLL section:

    1. Convert the AppLocker path into an absolute path, following the Microsoft documentation.

      For example, if the AppLocker path is %OSDRIVE%\ORACLE\INSTANTCLIENT\OCI.DLL, replace %OSDRIVE% with %SystemDrive%, the equivalent Windows environment variable. The converted path is %SystemDrive%\ORACLE\INSTANTCLIENT\OCI.DLL.

    2. Open PowerShell, type in the following command, and press Enter:

      [System.Environment]::ExpandEnvironmentVariables("<Converted Full Path Of DLL>")

    3. Using the absolute path returned from the previous step (in our example, ORACLE\INSTANTCLIENT\OCI.DLL), add the new DLL exception under AllowedApplications. The recommended method is Hash; Publisher and Path are also accepted.

      <Libraries Name="UniqueName" Type="Dll" Path="<DLL Absolute Full Path>" Method="Hash" />

    4. To run the PSMConfigureAppLocker.ps1 script, open a PowerShell window and run the following command:

      & "<PSM installation folder>\Hardening\PSMConfigureAppLocker.ps1"

Repeat the process (steps 1-9) until the connector works properly.
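The following PowerShell script is an added example, not part of the CyberArk PSM hardening scripts. It automates the manual part of the procedure above: it reads the 8004 (blocked) events from the AppLocker EXE and DLL log (steps 5-8), converts each logged %OSDRIVE% path to an absolute path with ExpandEnvironmentVariables (sub-steps 1-2), and prints a <Libraries> element per DLL in the form shown in sub-step 3. The function names (Convert-AppLockerPath, Get-BlockedDllPath, New-LibrariesElement), the "Dll_" naming scheme and the one-hour look-back window are the example's own choices, and the script assumes it runs in an elevated PowerShell on the PSM server after the connection attempt in step 4. It only emits rules for files that actually exist on disk, and it does not edit PSMConfigureAppLocker.xml itself; the output is meant to be reviewed and pasted in by hand.

```powershell
# Added example (not CyberArk's code): turn AppLocker 8004 "blocked DLL" events
# into <Libraries> elements for the DLL section of PSMConfigureAppLocker.xml.
# Assumes an elevated PowerShell session on the PSM server.

function Convert-AppLockerPath {
    param([Parameter(Mandatory)][string]$AppLockerPath)
    # AppLocker logs the system drive as %OSDRIVE%; Windows itself knows it as
    # %SystemDrive%, so swap the variable name before expanding it.
    $converted = $AppLockerPath -replace '^%OSDRIVE%', '%SystemDrive%'
    return [System.Environment]::ExpandEnvironmentVariables($converted)
}

function Get-BlockedDllPath {
    # Look-back window is an arbitrary default chosen for this example.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Event ID 8004 = AppLocker prevented a file from running/loading.
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The blocked path sits in the event's UserData/RuleAndFileData/FilePath.
            $x = [xml]$_.ToXml()
            $x.Event.UserData.RuleAndFileData.FilePath
        } |
        Where-Object { $_ -like '*.dll' } |   # -like is case-insensitive
        Sort-Object -Unique
}

function New-LibrariesElement {
    param(
        [Parameter(Mandatory)][string]$AbsolutePath,
        [string]$Method = 'Hash'   # Hash is the strictest; Publisher/Path are also accepted
    )
    # Name must be unique in the XML; this example derives it from the file name
    # (check for collisions if two DLLs share a name in different folders).
    $base = [IO.Path]::GetFileNameWithoutExtension($AbsolutePath) -replace '[^A-Za-z0-9]', '_'
    $name = "Dll_$base"
    # Escape the path so it is safe inside a double-quoted XML attribute.
    $escaped = [System.Security.SecurityElement]::Escape($AbsolutePath)
    return "<Libraries Name=`"$name`" Type=`"Dll`" Path=`"$escaped`" Method=`"$Method`" />"
}

# Main flow: only produce a rule for a DLL that really exists on this server,
# so a stray or misspelled path in the log never becomes an allow rule.
foreach ($logged in Get-BlockedDllPath) {
    $absolute = Convert-AppLockerPath $logged
    if (Test-Path -LiteralPath $absolute -PathType Leaf) {
        New-LibrariesElement -AbsolutePath $absolute
    } else {
        Write-Warning "Blocked DLL not found on disk, skipping: $absolute"
    }
}
```

Review each printed element before adding it to PSMConfigureAppLocker.xml, then rerun PSMConfigureAppLocker.ps1 as in sub-step 4. Keeping Method="Hash" means the rule covers exactly the file present at the time the script runs; if that DLL is later updated, the connector will be blocked again and the procedure has to be repeated, which is the intended behavior of a hash-based allow list.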