CAVaultHarden utility
This topic describes how to use the CAVaultHarden utility to harden the Digital Vault.
Overview
The CAVaultHarden utility hardens the Digital Vault so that it complies with security best practices.
The CAVaultHarden utility can be used for supported operating systems. For more information, see Digital Vault Server.
The CAVaultHarden utility hardens the following areas in the Digital Vault:
- Policies
- Audits
- Services
- Users
- Network
- Firewall
For more information about security fundamentals, see Security Fundamentals.
For more information about Digital Vault security standards, see Digital Vault Security Requirements.
The Vault hardening process is irreversible.
Configuration
Set the following parameters in the hardening configuration file, Hardening.ini, located in the /Server/Hardening/Conf folder.
Parameter | Description
---|---
HardenNetworkDevice | Hardens the network device. Default value: Yes. Accepted values: Yes/No.
HardenWindowsGroupPolicy | Hardens the Windows group policy. Default value: Yes. Accepted values: Yes/No.
HardenWindowsLocalUsers | Hardens the Windows local users. Default value: Yes. Accepted values: Yes/No.
HardenWindowsAuditPolicy | Hardens the Windows audit policy. Default value: Yes. Accepted values: Yes/No.
HardenWindowsFireWall | Hardens the Windows firewall. Default value: Yes. Accepted values: Yes/No.
HardenWindowsServices | Hardens the Windows services. Default value: Yes. Accepted values: Yes/No.
HardenWindowsRegistry | Hardens the Windows registry entries. Default value: Yes. Accepted values: Yes/No.
Run the CAVaultHarden utility
Before running the CAVaultHarden utility, make sure that you have configured the Vault network cards and the firewall as follows:
- The network profile for the Vault network cards must be set to Private.
- The firewall must be configured in the Vault configuration file (not manually).

1. Log in to the Vault as the Administrator user.
2. Go to the /Server/Hardening folder.
3. Run the CAVaultHarden utility as an administrator using the following syntax:
   CAVaultHarden.exe <VaultArchitecture> </AllowRDP>
   Example:
   CAVaultHarden.exe StandardVault /AllowRDP 10.10.10.10
   In the example above, the Vault machine is hardened according to the configuration settings in the Hardening.ini file and allows RDP access from IP 10.10.10.10.
4. After the hardening has completed successfully, reboot the host so that the hardening changes take effect.
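Because the hardening run is irreversible, it is worth checking the prerequisites above before starting it. The following PowerShell pre-flight script is an added example, not part of the CAVaultHarden utility or its documentation: it checks that every Hardening.ini parameter from the Configuration table holds Yes or No, that every network profile on the host is Private, and that the address intended for /AllowRDP is a single valid IPv4 address. The Hardening.ini path is supplied by the operator; the /AllowRDP value is passed as the hypothetical -AllowRdpIp parameter.

```powershell
# Added pre-flight check, not part of the CAVaultHarden utility or its documentation.
# Verifies, before the irreversible hardening run, the prerequisites listed above:
# every Hardening.ini parameter holds Yes/No, every network profile is Private, and
# the optional /AllowRDP argument is a single IPv4 address. The parameter names come
# from the Configuration table; the Hardening.ini path is supplied by the operator.
param(
    [Parameter(Mandatory)][string]$HardeningIni,   # e.g. <install>\Server\Hardening\Conf\Hardening.ini
    [string]$AllowRdpIp                            # the value you intend to pass after /AllowRDP
)
$expected = 'HardenNetworkDevice', 'HardenWindowsGroupPolicy', 'HardenWindowsLocalUsers',
            'HardenWindowsAuditPolicy', 'HardenWindowsFireWall', 'HardenWindowsServices',
            'HardenWindowsRegistry'
$problems = @()

# Minimal INI reader: key=value lines, ignoring sections, blanks and ;/# comments.
$settings = @{}
foreach ($line in Get-Content -Path $HardeningIni) {
    if ($line -match '^\s*([^;#\[=][^=]*?)\s*=\s*(.*?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
}
foreach ($name in $expected) {
    if (-not $settings.ContainsKey($name)) { $problems += "Missing parameter: $name"; continue }
    if ($settings[$name] -notin 'Yes', 'No') {
        $problems += "$name is '$($settings[$name])'; accepted values are Yes/No"
    }
}

# Network cards must be on the Private profile (Public/DomainAuthenticated are flagged).
foreach ($p in Get-NetConnectionProfile) {
    if ("$($p.NetworkCategory)" -ne 'Private') {
        $problems += "Interface '$($p.InterfaceAlias)' is $($p.NetworkCategory); it must be Private"
    }
}

# /AllowRDP accepts exactly one valid IPv4 address (see Troubleshooting); without it,
# firewall hardening leaves console access as the only way in.
if ($PSBoundParameters.ContainsKey('AllowRdpIp')) {
    $parsed = $null
    $isIPv4 = [System.Net.IPAddress]::TryParse($AllowRdpIp, [ref]$parsed) -and
              $parsed.AddressFamily -eq 'InterNetwork' -and ($AllowRdpIp -split '\.').Count -eq 4
    if (-not $isIPv4) { $problems += "'$AllowRdpIp' is not a single valid IPv4 address" }
} elseif ($settings['HardenWindowsFireWall'] -eq 'Yes') {
    Write-Warning 'HardenWindowsFireWall=Yes without /AllowRDP: RDP will be blocked, console access required.'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Output 'Pre-flight checks passed; you can run CAVaultHarden.exe.'
```

Run it on the Vault host with the same Hardening.ini and /AllowRDP address you are about to use; a non-zero exit code means at least one prerequisite is not met.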
CAVaultHarden utility Vault environment parameters
The following Vault environment parameters indicate the type of Vault environment in which the hardening process will take place.
If the AllowRDP parameter is not specified, there will be no RDP access to the Vault. Instead, Console access will be required.
Parameter | Description
---|---
StandardVault | Hardens the Vault in a Standalone Primary-DR or Standalone Distributed Vaults environment.
HAVault | Hardens the Vault in a High Availability (HA) Primary-DR or HA Distributed Vaults environment.
CAVaultHarden utility FAQs
No. Hardening of the Vault is irreversible. To return to the default configuration, you must reinstall the operating system.
You can only specify a single IP address in the hardening command. Specify your current IP address, and then edit the DBParm.ini file manually and add additional IP addresses. Restart the Vault.
Yes. Make sure to rerun the utility using the same configuration settings so that you do not lose access to the Vault machine.
Any manual configuration changes that you made will be overwritten when rerunning the CAVaultHarden utility. This includes changes to Firewall rules, which can cause the loss of remote access to the host. Make sure to configure the RDP access correctly through the Vault configuration file, or make sure that you have console access to the host.
The policies are intended to provide the best security to the Vault - a critical asset. Changing any of the policies can make the Vault vulnerable to security risks, and therefore is not allowed.
Yes. After adding a new local user to the Vault, you must harden the Vault. In the Hardening.ini file, set HardenWindowsLocalUsers to Yes and all the other configuration options to No, and then run the hardening utility.
Yes. You must reboot the host for the hardening to take effect.
If the firewall was hardened, make sure that you have configured RDP access to the Vault correctly or that you have console access to the host.
To follow security best practices, we hardened the clipboard, which removes copy/paste capability to the Vault. It is possible to re-enable this functionality by performing the following steps:
Removing the hardening from these services is not recommended and may impact the security of the Vault server.
1. Open the Registry Editor, and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
2. Set the value of the following key to 0:
   - fDisableCDM
3. Reboot the Vault server.
To follow security best practices, we hardened the public network profile on the Vault so that all network traffic, inbound or outbound, is blocked. It is possible to re-enable this functionality by performing the following steps:
Removing the hardening from these services is not recommended and may impact the security of the Vault server.
1. Open the Registry Editor, and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile.
2. Set the value of the following keys to 1:
   - DisableNotifications
   - AllowLocalPolicyMerge
   - AllowLocalIPsecPolicyMerge
   - EnableFirewall
   - DefaultInboundAction
3. Set the DefaultOutboundAction key value to 0.
4. Reboot the Vault server.
To follow security best practices, we hardened the RDP services on the Vault. It is possible to re-enable this functionality by performing the following steps:
Removing the hardening from these services is not recommended and may impact the security of the Vault server.
1. Open the Registry Editor, and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
2. Set the value of the following keys to 0:
   - DisablePasswordSaving
   - fPromptForPassword
3. Reboot the Vault server.
To follow security best practices, we hardened the user password expiration policy and set all the users of the Vault machine to expire after 30 days. It is possible to customize this value.
Changing the hardening is not recommended and may impact the security of the Vault server.
To customize the maximum time length for passwords, see https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-password-age.
To follow security best practices, we hardened the built-in Administrator user and set this user of the Vault machine to expire. It is possible to customize this value by performing the following steps:
Changing the hardening is not recommended and may impact the security of the Vault server.
1. Open PowerShell as an Administrator.
2. Run the following command with the relevant user name that will be set to never expire:
   Set-LocalUser -Name <Administrator User Name> -PasswordNeverExpires $True
It is not required to reboot the Vault server.
Yes. Hardening the Vault after every upgrade ensures that the most up-to-date hardening requirements, configuration, and policies are applied.
The hardening procedure overwrites any manual configuration changes that you have made. This can result in breaking the integration and RDP access. Make sure to set the hardening parameters correctly in the Vault configuration files, instead of changing settings manually.
To follow security best practices, the hardening comes with a default logon legal notice. You can modify the notice by performing the following steps:
1. Open the Registry Editor.
2. Locate Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. Customize the following entries:
   - LegalNoticeCaption
   - LegalNoticeText
4. Restart the Vault server.
You must perform these steps after you harden the Vault server. The hardening procedure overwrites any manual configuration changes that you have made.
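Since rerunning the utility or a manual change can silently alter the settings discussed in the FAQs above, a periodic read-only audit helps detect drift. The PowerShell script below is an added example, not part of the CAVaultHarden utility or its documentation. Its "hardened" values are an assumption inferred from the FAQ re-enable steps (each FAQ sets a key to 0, or DefaultOutboundAction to 1, to relax it, so the hardened state is taken to be the opposite); it also reports an empty logon legal notice and any enabled local user whose password never expires.

```powershell
# Added drift audit for the hardening settings the FAQs above name; not part of the
# CAVaultHarden utility. ASSUMPTION: the hardened value of each key is the opposite of
# the value the FAQ tells you to set when re-enabling the functionality.
$checks = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'fDisableCDM';           Hardened = 1; Why = 'clipboard copy/paste re-enabled' },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'DisablePasswordSaving'; Hardened = 1; Why = 'RDP password saving re-enabled' },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'fPromptForPassword';    Hardened = 1; Why = 'RDP no longer forces a password prompt' },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'; Name = 'DefaultOutboundAction'; Hardened = 1; Why = 'public-profile outbound traffic allowed' }
)

# Returns the registry value, or $null when the key or value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -eq $actual) {
        $findings += "[MISSING] $($c.Name) is not set under $($c.Path)"
    } elseif ([int]$actual -ne $c.Hardened) {
        $findings += "[DRIFT]   $($c.Name) = $actual (expected $($c.Hardened)): $($c.Why)"
    }
}

# The hardening installs a default logon legal notice; empty values mean it was removed.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($n in 'LegalNoticeCaption', 'LegalNoticeText') {
    if ([string]::IsNullOrWhiteSpace((Get-RegValue $sys $n))) {
        $findings += "[DRIFT]   $n is empty; the logon legal notice is not shown"
    }
}

# The hardening makes every local account's password expire; list the exceptions for review.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires }) {
    $findings += "[REVIEW]  local user '$($u.Name)' has PasswordNeverExpires set"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No drift from the hardened settings was found.' }
```

Run it on the Vault host after each hardening pass to record a baseline, then on a schedule; any [DRIFT] line points at a setting that was changed outside the Hardening.ini-driven process.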
The LogicContainerUser is set to be a service user during installation of the Vault. This user's password is randomly generated during installation. You can manually change the password on a single Vault server or on multiple Vault servers.
1. Go to Local Users and Groups.
2. Locate the LogicContainerUser user.
3. Reset the user's password. We recommend a password that meets the following policy:
   - At least 15 characters long
   - Contains both uppercase and lowercase letters
   - Contains at least one number
   - Contains at least one special character
   - Is not a dictionary word
4. Open Services and locate the CyberArk Logic Container service.
5. Right-click the service and select Properties.
6. Select the Log On tab.
7. In the Password field, enter the password that you set in Step 3, above, and then confirm the password.
8. Restart the Vault application and the CyberArk Logic Container service.
You must restart both the Vault application and the CyberArk Logic Container service after changing the password. This ensures that the Logic Container service is able to start with the new credentials.
Troubleshooting
Error: Hardening process was not completed successfully. code: <error code>
This is a general summary error for the hardening process. Review the log files for more details about errors that occurred during the hardening process.
Error: Configuration directory [<confDir>] is missing.
A mandatory configuration folder is missing. Verify that you have the appropriate Server installation package.
Error: Some Hardening configuration files are missing, abort hardening
Mandatory files are missing in the configuration folder. Look at the log files to see which files are missing.
Error: When using AllowRDP option, rdp client ip address must be specified.
The AllowRDP parameter requires a valid IP address, which was not specified. Specify a valid IP address.
Error: Invalid client IP address specified.
The specified IP address is invalid. Specify a single, valid IPv4 address.
Error: XXX was not successfully hardened.
Look at the logs for additional information about the failed stage or rerun the hardening process.