Integrate the Digital Vault with a Windows Patch Server (WSUS)

Overview

You can integrate the Vault with a Windows Server Update Services (WSUS) server, which handles the installation of Microsoft security patches that are provided by your organization's IT department or system administrator.

If you integrate the Digital Vault with a WSUS server, we recommend hardening it according to the following guidelines:

  • Make sure your WSUS server is configured for Microsoft Security best practices.

  • Use a dedicated WSUS Server for updating the Digital Vault. If this isn't possible, create a dedicated computer group for updates in WSUS with relevant updates for the Vault.

  • Configure WSUS to work with HTTPS and a certificate.

  • Use the actual WSUS IP address (don't use a DNS name).

  • Ensure that the connection between the WSUS server and the Vault is disabled when not applying actual updates. The CyberArk Vault installation package includes WSUS scripts for this purpose.

There are two steps to the integration:

  1. Configure the WSUS server

  2. Install security updates

Prerequisites

  • To prevent the GPO from overriding the configuration explained below, make sure that the Vault is not a member of the domain.

  • The Vault must be hardened according to CyberArk's Security Standards. For more information, refer to Digital Vault Security Standard.

  • Customers who use DNS records for the WSUS server must manually add them to the hosts file.

  • Customers who use TLS (HTTPS) to communicate with the WSUS server must manually install, on the Vault machine, the CA certificate that signed the WSUS server's certificate.
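The hardening guidelines and prerequisites above, applied from a local PowerShell session on a non-domain Vault, as an added example that is not CyberArk's ConfigureWSUS.ps1 or any other script from the installation package. The IP address, DNS name, certificate path and firewall rule name are placeholders, and the example assumes the Vault's firewall blocks outbound traffic by default, as the hardening standard requires.

```powershell
# Added example, not the CyberArk-supplied WSUS scripts. Run elevated on the Vault machine.
$WsusIp      = '10.0.0.5'               # constructed placeholder: your dedicated WSUS server's IP
$WsusPort    = 8531                     # default WSUS HTTPS port
$WsusDnsName = ''                       # leave empty to pin by IP; set only if the WSUS cert is issued to a name
$CaCertPath  = 'C:\Temp\wsus-ca.cer'    # placeholder: CA certificate that signed the WSUS server cert
$RuleName    = 'Vault-WSUS-Outbound'    # placeholder firewall rule name

# 1. Trust the signing CA so the HTTPS connection validates (no GPO does this on a non-domain host).
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Prefer the bare IP. If a DNS name is unavoidable, resolve it from the hosts file
#    so the Vault never depends on a DNS server to reach WSUS.
$WsusHost = $WsusIp
if ($WsusDnsName) {
    $HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $Pattern   = "^\s*$([regex]::Escape($WsusIp))\s+$([regex]::Escape($WsusDnsName))\s*$"
    if (-not (Select-String -Path $HostsFile -Pattern $Pattern -Quiet)) {
        Add-Content -Path $HostsFile -Value "$WsusIp`t$WsusDnsName"
    }
    $WsusHost = $WsusDnsName
}
$WsusUrl = "https://${WsusHost}:${WsusPort}"

# 3. Local Windows Update policy: intranet WSUS only, over HTTPS, no unattended installs.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$WuKey\AU" -Force | Out-Null
Set-ItemProperty -Path $WuKey       -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuKey       -Name 'WUStatusServer' -Value $WsusUrl -Type String
Set-ItemProperty -Path "$WuKey\AU"  -Name 'UseWUServer'    -Value 1        -Type DWord
Set-ItemProperty -Path "$WuKey\AU"  -Name 'NoAutoUpdate'   -Value 1        -Type DWord

# 4. Outbound allow rule restricted to the WSUS IP and port, created disabled so the
#    connection exists only while patches are actually being applied.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $WsusIp -RemotePort $WsusPort -Enabled False | Out-Null
}

function Open-WsusWindow  { Enable-NetFirewallRule  -DisplayName $RuleName }   # start of patch window
function Close-WsusWindow { Disable-NetFirewallRule -DisplayName $RuleName }   # end of patch window
```

A patch cycle is then Open-WsusWindow, let the Windows Update client check in and install, and Close-WsusWindow; the Close call is what keeps the WSUS connection disabled between updates.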

Configure the WSUS server

This section describes how to set up and configure the Vault and the WSUS server for the first time. Either use the ConfigureWSUS.ps1 script or set up the configuration manually.

Copy the WSUS scripts to the Vault machine

All the scripts required to configure and update monthly Microsoft security patches are included in the PAM installation package, in the WSUS folder.

Configure the Vault and the WSUS server


Install security updates

This is a recurring process that must be run each time you apply an OS update.