Harden your Workforce Password Management deployment

This topic provides recommendations to harden your users' endpoints and browsers to ensure the controls you implement with Workforce Password Management are not circumvented by a malicious actor.

These recommendations are the minimal requirements for protecting your CyberArk Identity deployment. You must follow the recommendations in this topic or use equivalent methods (based on your organization's relevant expertise) to secure your deployment. Additional security measures may be applied based on your organization's standards.

Test these changes in a development or test environment first, in case they have an unexpected impact on CyberArk products.


Enforce secure authentication to CyberArk Identity

Requiring your users to authenticate with from Secure Zones with strong passwords and multi-factor authentication is the first step toward reducing the risks of a breach.

Require strong passwords

Update password requirements to make sure users don't create simple passwords that are easily compromised through techniques such as phishing, social engineering, or brute force attacks.

Refer to NIST Special Publication 800-63B Appendix A for more information about the recommended length and complexity of passwords.

Users can create strong passwords with the password generator included in the CyberArk Identity Browser Extension.
If you use CyberArk Identity as your identity provider, you can use policy settings to require strong passwords, as described in the following procedure.

To specify user password requirements

  1. Log in to the Admin Portal.

  2. Click Core Services > Policies.

  3. Select the relevant policy set or create a new one.

  4. Click User Security Policies > Password Settings.

  5. Specify the following user password requirements. Explanations for each option are available in the associated UI help.

    • Minimum password length (default 8)

    • Maximum password age (default 365 days)

      Users must have the “Enable users to change their passwords” policy (on the same UI page) set to Yes to reset their password (policy is set to Yes by default).

      If you have multifactor authentication enabled, users are prompted to create new passwords after they have fulfilled the multifactor authentication method.

      Enter 0 (zero) if you do not want to specify a password expiration period.

    • Password history (default 3)

      Enter 0 (zero) to let user use the same password.

    • Require at least one digit (default Yes)

    • Require at least one upper case and one lower case letter (default Yes)

    • Require at least one symbol (default No)

    • Show password complexity requirements when entering a new password (default No)

      The password complexity explanation/text string shown to CyberArk Cloud Directory users is automatically discovered. For Active Directory, LDAP, and Google directory users, you must manually enter the explanation/text string in the associated text box.

  6. Click Save.

Require multi-factor authentication from a Secure Zone

You can specify which authentication mechanisms users must provide to access the service (authentication profiles), as well as if and when multi-factor authentication is required (authentication rules). For example, you can create a rule to require that users provide a password and text message confirmation code if they are coming from an IP address that is outside of your corporate IP range. To specify this requirement, you need to create a rule and associate it with an authentication profile.

Before you configure MFA for anything, first decide what authentication mechanism you want to use, then make sure your users have that mechanism configured for their user account.

A built-in report is available to view whether users have setup the necessary information for multi-factor authentication challenges. For example, if you plan to use SMS confirmation codes as an authentication factor, you need to make sure all users impacted by the authentication policy have a mobile number associated with their account, otherwise they might be locked out.

Additional licenses might be required for access to all authentication mechanisms. Contact your account representative for more information.

To verify whether users have configured required MFA challenges

  1. From the Reports page in the Admin Portal, navigate to Builtin Reports > Security, and open User MFA challenge setup status.

    The Required Parameters window appears.

  2. Select the role that will be impacted by your Authentication Policy.

    For performance reasons, run this report on roles with approximately 1,000 users or less.

    The report opens, showing whether your users have configured the required information for authentication factors that could result in lockout if the required information is absent. For example, a user with no associated mobile phone will have false in the Sms column.

  3. Review the report and follow up with users missing required information.

To require MFA from a Secure Zone

  1. Define Secure Zones

  2. Create authentication profiles.

  3. Create authentication rules.

Enable security images

You can enable users to select security images for the CyberArk Identity User Portal sign in page. The security image reduces the risk of compromised credentials through phishing attacks by indicating to users that they are on the legitimate sign in page. The security image displays after the first successful sign in.

To enable security images

  1. Go to Settings > Authentication > Security Settings, then select Enable anti-phishing security image.

  2. Click Save.

    Users can now select a security image for the User Portal sign in page, as described in Select a security image.

Configure settings to transfer application credential ownership

If an application owner is deprovisioned from CyberArk Identity, application access is removed for all recipients that share the application. To allow recipients of the shared application to continue using the application, you can transfer application credential ownership to another user in the event that the original owner is deprovisioned from CyberArk Identity.

Application credentials shared by suspended users continue to be available to share recipients.

To configure settings to transfer application credential ownership

  1. In the Admin Portal select Core Services > Policies > User Security Policies > User Account Settings > User Shared Apps.

  2. Click the checkbox next to Transfer ownership of shared app credentials.

  3. Select the Owner type (Manager or Specified User) and click Add to enter a priority list to transfer ownership.

    Credential ownership is transferred in the order specified in the Owner List and one at a time. For example, if the owner list includes two names, ownership is transferred to the first name or Manager in the list. If the first person is not available in CyberArk Identity, then next person in the list is used and so on.

    Owner Type Description
    Manager Transfers ownership of the shared application to the manager specified in the Users > Account page (for the original application owner). If no manager is specified in the Users > Account page and the original owner is deprovisioned from CyberArk Identity, the shared application is no longer available to recipients of the shared application.
    Specified User Transfers ownership of the shared application to the user(s) you select.
    If you want the new owner to have the ability to share the application with new recipients, make sure they are in a Role with the Shared Credentials Administrative Right; otherwise the new owner can't share the application credentials with new recipients.
  4. Click Save.

Harden endpoints

Removing administrator privileges for end users is a critical step toward preventing security breaches. Refer to CyberArk Endpoint Privilege Manager documentation for details about how we can help limit or remove administrator privileges.

Harden browsers

CyberArk recommends the following steps to harden endpoints in your environment.

Step 1: Ensure that your environment does not allow unapproved HTTPS proxy, sniffer, or similar software.

Attackers can use phishing and social engineering to trick users into downloading their malicious HTTPS proxy, sniffer, or similar software. If a user installs malicious software, it provides attackers with access to all internet traffic.

Step 2: Manage browsers in your organization.

Managing browsers in your organization offers the following security benefits.

  • The ability to disable the less secure, built-in password managers that might conflict with the CyberArk Identity Browser Extension

  • Silent installation of the CyberArk Identity Browser Extension without requiring user interaction

  • Prevent users from uninstalling or disabling the CyberArk Identity Browser Extension

  • Deploy updates to the CyberArk Identity Browser Extension

Refer to the following links for specifics for each supported browser.

Browser Procedure link







Step 3: Disable developer tools.

The developer tools console can be exploited for cross-site scripting attacks. For example, an attacker might use social engineering to convince someone in your organization to paste a malicious script into the console, which then steals a session cookie.

Refer to the following links for specifics for each supported browser.

Browser Policy link







Step 4: Ensure that the CyberArk Identity Browser Extension can't be removed or disabled, and only apps and extensions approved by your organization can be installed in each browser.

Unapproved browser extensions are a security vulnerability because they often have extensive access to browsing data.

Refer to the following links for specifics about managing extensions in each supported browser.

Browser Documentation link(s)




Manage Add-Ons in your organization

Step 5: Prevent modification to the following paths using a third-party software of your choice.

These paths contain user data stored by the browser. If any program except the browser can access them, sensitive data might be compromised.

Refer to the following table for specifics for each supported browser.

Browser Object


  • %LOCALAPPDATA%\Google\Chrome\User Data\

  • HKCU\SOFTWARE\Google\Chrome\





Step 6: Disable the browser's password manager and autofill settings.

Allowing browsers to autofill passwords or other data exposes that data to any malicious scripts on the website. In addition, the browser's password manager might conflict with CyberArk Identity Browser Extension features, such as Land & Catch.

Refer to the following links for specifics for each supported browser.

Browser Recommended policy changes



  • Enable the policy Browser sign in settings, then click Options and select Disable browser sign in

  • Disable the policy Enable AutoFill for Addresses

  • Disable the policy Enable AutoFill for credit cards

  • Under Password Manager, disable the policy Enable saving passwords to the password manager



  • Disable the policy Enable AutoFill for addresses

  • Disable the policy Enable AutoFill for credit cards

  • Under Password manager and protection, disable the policy Enable saving passwords to the password manager

  • Optionally, you can enable the policy Disable synchronization of data using Microsoft sync services



  • Disable the policy Disable Firefox Accounts

  • Disable the policy Offer to save logins

  • Disable the policy Offer to save logins (default)

  • Disable the policy Password Manager

Step 7: Follow industry standards, such as Benchmarks by Center for Internet Security.

Refer to the following links for CIS recommendations for hardening supported browsers.

Browser CIS Benchmark