PSM Hardening

The PSM hardening process enhances PSM security by defining a highly secured Windows server. This topic describes the PSM hardening stage, which is a series of hardening tasks that are performed after the server software is installed, as part of the overall installation process. The hardening stage, which disables multiple operating system services on the PSM server machine, is performed mostly by scripts. Some of the tasks require customer input and so must be done manually.

Work flow

This table describes the work flow of the hardening stage, what parts are automated, and what happens during each step.

Step

Automated

Details

  1. Run the initial hardening tasks (PSM hardening script)

Yes

(the default installation script configuration is Enabled=Yes)

The PSM hardening procedure on the PSM server machine enhances PSM security.

Configurable parameters:

  • SupportWebApplications

    Set this parameter to Enable="Yes" if you are using web applications.

  • ClearRemoteDesktopUsers

    For security reasons, the hardening script clears the Remote Desktop Users group.

    The Remote Desktop Users group should include maintenance users that are not administrators.

  1. Run the post-hardening tasks

Yes

Default: Enabled = Yes

This step of the hardening process does the following:

  • Hides PSM local drives in PSM sessions
  1. Run the AppLocker script

Yes

Default: Enabled = Yes

The PSM uses the Windows AppLocker feature to limit the applications that may be launched during a PSM session. AppLocker defines a set of rules that allow or deny applications from running on the PSM machine based on unique file identities. These rules also specify which users or groups can run those applications.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening. If your environment includes executables that must be allowed in addition to those that are part of the PSM installation (such as PSM Universal Connectors executables), edit this file to add rules that allow these executables. If you have connectors deployed using shared universal connector deployment on multiple PSM servers, they are updated automatically in the AppLocker rules.

Any changes or additions you make to the default configurations of the AppLocker file may affect the security of your environment, and are outside of CyberArk’s control. It is your responsibility to verify these changes are in line with your organization's security policies.

  1. Harden the "Out of Domain" environment

 

Yes

Default: Enabled = No

Set the parameter in the hardening file to Yes if you are installing the PSM server out of domain.

This step of the hardening process does the following:

  • Imports an INF file to the local machine
  • Applies advanced audit
  • Manually adds user changes for installation
  • Sets a time limit for active but idle RDS sessions

No

When this hardening task is done, complete the "Out of Domain" hardening with the manual part of the step described in 'Out of Domain' deployments.

OR

Harden the "In Domain" environment

No

(manual task)

This task is required when you install the PSM server in domain. Do the following:

  1. Harden the TLS settings

Yes

Default: Enabled = Yes

This step does the following:

  • Disables SSL/TLS versions earlier than TLS 1.2.
  • RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures the RD Connection Broker to work with SQL Server Express.
  • If the PSM Server machine is running on Windows 2016 and you have SQL server SP2 installed, select the TLS hardening checkbox to upgrade the SQL server to SP3.

  • If you need to enable earlier versions of SSL/TLS after this script has run (for example, if your custom PSM connectors and installed clients utilize TLS 1.0/1.1), configure the Windows registry as follows:

    1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS version>

    2. Under Client and/or Server, change the value of DisabledByDefault to 0 and the value of Enabled to 1.
  1. Apply post-hardening configurations

No

These activities should be done for all deployments, regardless of where the server is installed.

 

If you need to troubleshoot the automatic hardening or perform any of the tasks manually, see PSM Hardening Tasks.
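
To check the result of the "Harden the TLS settings" step, or to find exceptions left behind after re-enabling an earlier protocol through the registry, the following PowerShell reads the Enabled and DisabledByDefault values under each protocol's Client and Server keys. It is an added example, not part of the CyberArk hardening scripts; the function name Get-SchannelState, the state labels and the list of protocol key names are assumptions made for this illustration.

```powershell
# Added example (not CyberArk code): audit SCHANNEL protocol state on a PSM server.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # versions earlier than TLS 1.2

# Hypothetical helper: returns the configured state of one protocol/role pair.
function Get-SchannelState {
    param([string]$Protocol, [string]$Role)   # Role is 'Client' or 'Server'
    $key = "$base\$Protocol\$Role"
    if (-not (Test-Path -LiteralPath $key)) { return 'NotConfigured' }
    $p = Get-ItemProperty -LiteralPath $key
    if ($null -eq $p.Enabled) { return 'NotConfigured' }
    # A REG_DWORD of 0xFFFFFFFF reads back as -1, so test for zero rather than for 1.
    if ($p.Enabled -eq 0) { return 'Disabled' }
    # Enabled but DisabledByDefault=1: used only when an application asks for it.
    if ($p.DisabledByDefault -eq 1) { return 'EnabledOnRequest' }
    return 'Enabled'
}

$report = foreach ($proto in ($legacy + 'TLS 1.2')) {
    foreach ($role in 'Client', 'Server') {
        $state = Get-SchannelState -Protocol $proto -Role $role
        # Legacy versions should be explicitly disabled; TLS 1.2 must not be.
        $ok = if ($proto -in $legacy) { $state -eq 'Disabled' } else { $state -ne 'Disabled' }
        [pscustomobject]@{
            Protocol           = $proto
            Role               = $role
            State              = $state
            ExplicitlyHardened = $ok
        }
    }
}

$report | Format-Table -AutoSize

$exceptions = $report | Where-Object { -not $_.ExplicitlyHardened }
if ($exceptions) {
    Write-Warning ("{0} protocol/role pair(s) differ from the hardened TLS baseline" -f @($exceptions).Count)
}
```

A state of NotConfigured means the key or value is absent and the operating system default applies, so it is reported separately from an explicit Disabled.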

Required manual hardening tasks

'Out of Domain' deployments

Part of hardening the PSM servers is adjusting the group policy based on your corporate security policy. This part of the hardening procedure is not included in the hardening script and must be performed manually.

The following settings control the administrative templates and Remote Desktop Services access.

Policy: Setting

Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Connections

  • Automatic reconnection: Disabled
  • Configure keep-alive connection interval: Enabled (Keep-Alive interval: 1)
  • Deny logoff of an administrator logged in to the console session: Enabled
  • Set rules for remote control of Remote Desktop Services user sessions: Enabled (Full Control without user's permission)
  • Do not allow LPT port redirection: Enabled
  • Do not allow supported Plug and Play device redirection: Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment

  • Remove "Disconnect" option from Shut Down dialog: Enabled
  • Remove Windows Security item from Start menu: Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Security

  • Do not allow local administrators to customize permissions: Not Defined
  • Require secure RPC communication: Enabled
  • Set client connection encryption level: Enabled (Encryption Level: High Level)

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits

  • End session when time limits are reached: Enabled
  • Set time limit for active but idle Remote Desktop Services sessions: Not Defined
  • Set time limit for disconnected sessions: Enabled (Set to one minute)

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Temporary folders

  • Do not delete temp folders upon exit: Disabled
  • Do not use temporary folders per session: Disabled

This part of the hardening stage is customer specific, so it isn't configured in the INF file that is imported by the hardening script. The following settings should be configured based on your own security policy.

Policy: Setting

Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Do not allow Clipboard redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled
Do not allow COM port redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled
Do not allow drive redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled

'In Domain' deployments

This section describes how to manually apply hardening to the PSM server when it is deployed in domain. You can configure the parameters listed below to align with the corporate security policy of your organization.

  1. If smart cards are not used with the PSM server(s), use the following to disable this feature.

    Policy: Setting

    Services

    Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface

    • Smart Card: Disabled
    • Smart Card Removal Policy: Disabled

    1. To harden via a Group Policy Object (GPO), do the following:

      Create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

      Policy: Setting

      Services

      Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface

      • Do not allow smart card device redirection: Enabled

    2. To Harden via a Group Policy Object (GPO), do the following:

      Create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  2. To Enable the Firewall, do the following:

    Assuming all required network rules for proper PSM functioning are known (user machines, target machines and other servers and services), it is recommended to enable the Windows firewall.

    Policy: Setting

    Services

    Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

    • Windows Firewall: Enabled
    1. To Harden via a Group Policy Object (GPO):

      Create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  3. To Disable Remote Desktop Services Redirection, do the following:

    If Clipboard/Drive/Printer redirection are not being used, disable them.

    Policy: Setting

    Terminal Service Hardening

    Vulnerability: Clipboard mapping enables the client to transfer a virus or a malicious application to the server, as well as to copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting the whole network or damaging the system.

    • Do not allow Clipboard redirection: Enabled
    • Do not allow drive redirection: Enabled
    • Do not allow printer redirection: Enabled
    1. To Harden via a Group Policy Object (GPO):

      Create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Ongoing manual hardening tasks

This section describes the manual hardening tasks that are necessary for all types of deployments and that are part of maintaining your system. Perform them after running the hardening script, and after completing the in-domain hardening tasks (if necessary). You should also perform them periodically, for example if you change something in the environment (add servers, upgrade a version), after an operating system upgrade, and as part of general maintenance activities.

Update your operating system

Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in their software. Make sure your operating system is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install with Windows Server Update Services (WSUS), which is located on a corporate network.

Install an anti-virus solution

In today’s world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:

  • Infection with viruses that might damage the server and the entire network.
  • Trojan horses that are planted to allow remote control of the server and access to all the information on it.

Install an anti-virus solution and update it as needed.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server.

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.

Rename default accounts

It is recommended to change the names of both the Administrator and the guest account to names that don't provide information about their permissions.

It is also recommended to create a new locked and unprivileged Administrator user name as bait.

Enable Microsoft Edge

Configure AppLocker to enable Microsoft Edge

  1. Remove the read-only permission from the PSMConfigureAppLocker.xml file.

  2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:

    Make sure that the following lines exist and are uncommented:

    <Application Name="PSM-WebAppDispatcher" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" /> 
    <Application Name="PSM-ProgressBar" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Publisher" />
    <Application Name="msedgedriver" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />

    Verify that the path specified in the XML file matches the browser installation path.

  3. Save the PSMConfigureAppLocker.xml configuration file and close it.

  4. Use the following command to run PowerShell and start the script:

     

    CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
    .\PSMConfigureAppLocker.ps1

For more information, see Run AppLocker rules.
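
Before running the script in step 4, the path check from step 2 can be automated for every rule in the file, including rules added for your own executables. The following PowerShell is an added example, not part of the CyberArk scripts; Test-AppLockerRulePaths is a hypothetical helper name, and the code assumes each rule is an Application element with Name, Path and Method attributes holding a full file path, as in the lines shown in step 2.

```powershell
# Added example (not CyberArk code): check every rule path in PSMConfigureAppLocker.xml.
function Test-AppLockerRulePaths {
    param(
        [Parameter(Mandatory)]
        [string]$ConfigPath
    )
    [xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw

    # XPath does not return XML comments, so commented-out rules are skipped.
    # local-name() keeps the query working whether or not the file declares a namespace.
    foreach ($app in $doc.SelectNodes("//*[local-name()='Application']")) {
        $path   = $app.GetAttribute('Path')
        $method = $app.GetAttribute('Method')
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)

        # A Publisher rule depends on a valid digital signature; a Hash rule only needs the file.
        $signature = 'n/a'
        if ($exists -and $method -eq 'Publisher') {
            $signature = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        }

        [pscustomobject]@{
            Name      = $app.GetAttribute('Name')
            Method    = $method
            Exists    = $exists
            Signature = $signature
            Path      = $path
        }
    }
}

$config  = 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml'
$results = Test-AppLockerRulePaths -ConfigPath $config
$results | Format-Table -AutoSize

# Flag missing files and Publisher rules whose target is not validly signed.
$problems = $results | Where-Object {
    -not $_.Exists -or ($_.Method -eq 'Publisher' -and $_.Signature -ne 'Valid')
}
if ($problems) {
    Write-Warning ("{0} rule(s) need attention before running PSMConfigureAppLocker.ps1" -f @($problems).Count)
}
```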

Harden the Edge browser on the PSM server