Connector hardening
The automated hardening procedure is applied as part of the Connector's deployment step. It has been reviewed by CyberArk's Research and Development department and CyberArk's Security Team.
The Connector hardening procedure differs for Active Directory and non-Active Directory domains:
| Environment | Automatic hardening procedure |
|---|---|
| Active Directory domain ('In Domain') | Based on a prepared Group Policy Object (GPO) file |
| Non-Active Directory domain ('Out of Domain') | Based on an INF file |
To secure the Connector server when it is part of the domain, the Connector installation and setup procedure automatically applies a series of GPO hardening settings that enhance security on the Windows Server machine. The GPO hardening is applied by the PSM_CPM hardening file, which runs both PSM and CPM hardening steps.
Where both sets of steps configure the same parameter, the PSM setting takes precedence over the CPM setting.
The following hardening steps are applied automatically when running the PSM_CPM hardening file.
PSM hardening
- Disables the screen saver
- Configures the PSM users
- Improves non-RDP connector performance
- Defines access to web applications
- Reduces the Windows certificate validation wait time (disabled by default)
- Runs the hardening script
- Applies post-hardening configuration
- Runs Windows AppLocker
- Performs out-of-domain hardening
- Hardens the TLS protocol
- Performs PSM health check hardening activities
- Deletes IIS application pools
- Disables IIS registry shares
- Removes unnecessary IIS MIME types
- Disables IIS WebDAV
CPM hardening
- Imports the INF configuration
- Validates server roles
- Sets policy configuration for screen saver, advanced audit, and Remote Desktop Services policies
- Sets EventLog size and retention
- Sets general, registry and file system auditing, and registry and file system permissions
- Creates the local Windows user that runs the CPM service
- Disables services
- Disables DEP (Data Execution Prevention) on files used by the CPM
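The out-of-domain path above is built on a security template INF applied to the local policy. The following added example, written for this page and not taken from CyberArk's PSM_CPM hardening file or any file CyberArk ships, shows that mechanism end to end: it writes a constructed template, applies it with `secedit`, and then reads back the kinds of settings the CPM and PSM lists mention (EventLog size and retention, a disabled service, the effective AppLocker rule collections, and the SCHANNEL protocol switches behind the TLS hardening step). Every value in it is an assumption chosen for illustration: the log sizes, the retention mode, the choice of RemoteRegistry as the service to disable, the file paths and the function names.

```powershell
# Added illustration, not CyberArk's hardening file. All template values, paths,
# service choices and function names below are constructed samples.
#Requires -RunAsAdministrator

$TemplatePath = Join-Path $env:TEMP 'sample-hardening.inf'
$DbPath       = Join-Path $env:TEMP 'sample-hardening.sdb'
$LogPath      = Join-Path $env:TEMP 'sample-hardening.log'

# Security template format: log sizes are in KB, AuditLogRetentionPeriod 0 means
# "overwrite as needed", and service lines are "Name",StartType,"SDDL" with 4 = Disabled.
# Single-quoted here-string so PowerShell does not expand "$CHICAGO$".
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Security Log]
MaximumLogSize = 196608
AuditLogRetentionPeriod = 0
[Application Log]
MaximumLogSize = 65536
AuditLogRetentionPeriod = 0
[Service General Setting]
"RemoteRegistry",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
'@

function Invoke-SampleHardening {
    # secedit expects a UTF-16 file when the template declares Unicode=yes.
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    # /overwrite starts from an empty database so only this template's settings are applied.
    & secedit.exe /configure /db $DbPath /cfg $TemplatePath /overwrite /log $LogPath /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE; see $LogPath" }
}

function Get-SchannelProtocolState {
    # Server-side SCHANNEL switches; a missing key means the OS default is in effect.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Get-ItemProperty -Path "$base\$proto\Server" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $(if ($null -eq $key) { 'not set (OS default)' } else { $key.Enabled })
            DisabledByDefault = $(if ($null -eq $key) { 'not set (OS default)' } else { $key.DisabledByDefault })
        }
    }
}

function Test-SampleHardening {
    $sec = Get-WinEvent -ListLog Security
    [ordered]@{
        SecurityLogMaxKB    = $sec.MaximumSizeInBytes / 1KB                 # template asked for 196608
        SecurityLogMode     = $sec.LogMode                                  # Circular = overwrite as needed
        RemoteRegistryStart = (Get-Service -Name RemoteRegistry).StartType  # template asked for Disabled
        # Effective AppLocker rule collections and their enforcement mode (needs the AppLocker module).
        AppLocker           = ([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
                              Select-Object Type, EnforcementMode
        Schannel            = Get-SchannelProtocolState
    }
}

Invoke-SampleHardening
Test-SampleHardening
```

Run this from an elevated PowerShell session on a test server, not on a production Connector. On an in-domain Connector the GPO-based procedure is what applies the settings, and domain Group Policy takes precedence over a locally applied template at the next policy refresh, so there only the read-back functions are useful as a post-hardening check; the `secedit /configure` step belongs to the out-of-domain case. The AppLocker read-back requires the AppLocker PowerShell module, which is present on Windows Server.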