PSM automatic installation

This topic describes the PSM installation process.

 

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Overview

The PSM installation is divided into several configurable stages: setup, installation, post-installation, hardening and registration.

The PSM installation package includes an automatic tool that executes the PowerShell scripts under the InstallationAutomation folder. This tool provides a more user-friendly way to invoke the InstallationAutomation scripts, with all stages, including hardening, invoked by default.

The tool, PSMAutoInstallation.exe, is located inside the PSMAutoInstallation directory in the PSM CD-Image package.

Installation notes

  • To run the automatic installation, you must be logged on as a user who is a member of the local administrators group. If PSM is joined to a domain, the user must be a domain user.

  • Install the PSM server on a separate machine from the Vault server.

  • Enable File and Printer Sharing for Microsoft Networks on the server during PSM installation. This is required to set the PSMInitSession.exe application as a RemoteApp application. You can disable it again after the installation is complete.

  • The PSM server is installed as a Windows service called CyberArk Privileged Session Manager.

  • If you download installation files from the internet, use the following PowerShell command to unblock the files:

     
    dir C:\Downloads -Recurse | Unblock-File
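
Unblock-File removes the downloaded-from-internet mark (the Zone.Identifier stream), so it is worth reviewing what is about to be unblocked first. The following is an added example, not part of the vendor documentation: it reports the Authenticode status and mark state of each script and executable under the download folder. The function name and the extension list are assumptions; C:\Downloads is the path used in the command above.

```powershell
# Added example: report signature status and mark-of-the-web state before unblocking.
function Get-DownloadTrustReport {
    param(
        [string]$Path = 'C:\Downloads',
        # Assumption: these are the file types worth checking in the package.
        [string[]]$Extensions = @('.exe', '.dll', '.ps1', '.psm1')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # The Zone.Identifier stream is what Unblock-File deletes.
            $zone = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File      = $_.FullName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Blocked   = [bool]$zone
            }
        }
}

$report = Get-DownloadTrustReport
$report | Format-Table -AutoSize

# Anything that is not 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) deserves a look
# before the mark is removed and the file is executed.
$review = @($report | Where-Object { $_.Signature -ne 'Valid' })
if ($review.Count -gt 0) {
    Write-Warning "$($review.Count) file(s) without a valid Authenticode signature; review before running Unblock-File."
}
```

The script only reports; it does not unblock anything, so the decision stays with the administrator.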

For details about installing the PSM in a load balancing environment, see Install PSM in a Load-Balancing Environment.

PSM automatic installation tool

PSMAutoInstallation.exe runs all the PSM installation stages: setup, installation, post-installation, hardening, and registration.

 

This tool DOES NOT support upgrade. Do NOT run it if PSM is already installed on your machine.

 
  • PSM installation runs the hardening steps, including PSMConfigureApplocker, with a default configuration. You can always re-run the PSMConfigureApplocker script at a later stage with a different configuration. For details, see Hardening.

  • The hardening stage blocks all administrators from navigating in the PSM server file system. To enable an administrator to explore folders on the PSM server, update the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] registry key for the administrator to "NoRun"=dword:00000000.

  • The Registration stage creates the relevant PSM objects in the Vault each time it runs. When you run the tool, this stage is only run if it has not yet run or if the connection to the Vault failed. If registration started and was cancelled, you must run the repair via the installation Wizard.

The tool runs with the following default values:

Step Number

Step Name

Description

Default setting

 

Set up

1.1

.Net 4.8

This step verifies that a compatible version of .Net Framework is installed on the machine.

Enable = "Yes"

1.2

Install Remote Desktop Services rules

This step installs the Remote Desktop Services (RDS) Session Host Role.

Enable = "Yes"

1.3

Disable NLA authentication

This step disables NLA.

Enable = "Yes"

1.4

Update the RDS security layer

This step updates the RDS security layer to 1.

Enable = "No"

Note: This step is disabled by default, since we highly recommend that you configure secure RDP connections using SSL. For details, see Secure RDP Connections with SSL. Enable this step if you do not secure RDP Connections with SSL.

 

Installation

2.1

Install PSM

 

Name

Your name

Windows User

Company

Your company name

My Company

InstallationDirectory

PSM installation folder location.

"C:\Program Files (x86)\CyberArk"

RecordingDirectory

Location of the local recordings folder (before the recordings are uploaded to the Vault).

"C:\Program Files (x86)\CyberArk\PSM\Recordings"

 

Post Installation

3.1

Disable screen saver for the PSM local users

During installation, the following two Windows users are created for the PSM environment on the PSM machine:

  • PSMConnect - A Windows user that is created in order to start PSM sessions on the PSM machine.

  • PSMAdminConnect - A Windows user that is created in order to monitor live privileged sessions.

After the PSM has been installed successfully, the Screen Saver for these users is disabled during the post-installation stage.

Enable = "Yes"

3.2

Configure users for PSM sessions

This step configures the PSMConnect and PSMAdminConnect Windows users created on the PSM Server machine during PSM installation and configured during the post-installation stage.

Enable = "Yes"

3.3

Improve Non RDP Connector Performance

This step disables Microsoft's Dynamic Fair Share Scheduling (DFSS) feature, which dynamically distributes and prioritizes resources across active RDP sessions.

This decreases the start-up time of non-RDP connection components, such as Toad, PLSQL, and CheckPoint.

Enable = "Yes"

3.4

Enable PSM for web applications

You can connect transparently through PSM to web sites and web applications with Internet Explorer or Google Chrome browser.

For configuration details, see Web applications for PSM.

After the post-installation stage, refer to the following sections:

Enable = "Yes"

3.5

Enable users to print PSM sessions

End users can print sessions initiated by the PSM on their local printers.

This procedure is required so that users who are connected through the PSM can print from clients that are installed on the PSM machine, for example, Toad.

Enable = "No"

3.6

Reduce Win Certificate Wait Time

This step reduces the time that Windows waits for a Certificate Revocation List when connecting to a target using SSL, to achieve better connection times from PSM to target machines.

You can set the [URLTimeout] and [PathValidationTimeout] parameters, which by default are each 3 seconds.

Note: Enable this step if the PSM does not have internet access or if your organization does not have access to the Certificate Revocation List.

Enable = "No"

 

Hardening

4.1

Run the Hardening script

The PSM hardening procedure on the PSM server machine enhances PSM security.

The hardening stage blocks all administrators from navigating in the PSM server file system. To enable an administrator to explore folders on the PSM server, update the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] registry key for the administrator to "NoRun"=dword:00000000.

Enable = "Yes"

4.2

Post hardening tasks

  • Block Internet Explorer developer tools

  • Hide PSM local drives in PSM sessions

  • Block the Internet Explorer context menu

For details, see After running the hardening script.

Enable = "Yes"

4.3

Set up AppLocker rules

To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.

For details, see Run AppLocker rules.

Enable = "Yes"

4.4

Configure Out-of-domain PSM server

Configures an 'Out of Domain' PSM server. This step:

  • Imports an INF file to the local machine

  • Applies advanced audit

  • Manually adds user changes for installation

  • Sets a time limit for active but idle RDS sessions

Enable = "Yes"

Note: This step is enabled only for out-of-domain machines. If you enable this step on a domain-joined machine, update the following group policy setting:

In Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service\, set the Log on as a service property to include NT SERVICE\ALL SERVICES.

4.5

Harden TLS settings

  • Disables SSL/TLS versions earlier than TLS 1.2.
  • RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures RD Connection Broker to work with SQL Server Express.
  • Before running this step, verify that Windows update KB2919355 is installed.
  • If you need to enable earlier versions of SSL/TLS after this script has run (for example, if your custom PSM connectors and installed clients utilize TLS 1.0/1.1), configure the Windows registry as follows:

    1. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS version>]

    2. Under Client and/or Server, change the value for DisabledByDefault to 0 and the value for Enabled to 1.

Enable = "Yes"

 

Registration

5.1

Register PSM to Vault

 

vaultip

IP address or hostname of the vault server

When you register PSM to a DR Vault environment, set Vaultip to <vault ip>,<DR ip>

 

Vaultport

Vault’s configured communication port. Default Vault port: 1858

1858

Vaultusername

Vault user performing the installation.

 
  • We recommend using the Vault administrator user to install Privileged Session Manager as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy.
  • If you install multiple PSMs in the same Vault environment, you must install all PSMs with the same Vault user.

 

Usercredfile

The path to the user credential file.

For details on creating a cred file, see CreateCredFile utility.

 

The user credential file must be placed in a folder that is accessible only to the machine or domain administrator who runs the PSM installation. We highly recommend that you delete the credential file after completing the registration.

{PSMInstallDir}\vault\userCred.ini

Accepteula

Accept the End User License Agreement

No

EnablePKI

This parameter enables PKI authentication to the Vault via a smart card for PSM connections.

 
  • Do not enable this setting if PKI authentication is not used in your organization.
  • If you do not enable this setting during installation and want to enable PKI authentication for PSM, follow the instructions in During PSM installation.

No

APIHost

The PVWA host name.

In a Distributed Vaults environment, you must define the PVWA where PSM will send REST API calls.

To automatically unlock accounts, you must define the PVWA.

""

APIProtocol

To automatically unlock accounts, you must define the protocol.

Https
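
Step 4.5 in the table above disables SSL/TLS versions earlier than TLS 1.2 and names the SCHANNEL registry location used to re-enable them. The following is an added example, not part of the vendor documentation: it reads that location and reports the state of each protocol for Client and Server, so that a later manual re-enable of TLS 1.0/1.1 is visible. The function name, the protocol list and the state labels are assumptions, as is the expectation that the hardening step writes explicit Enabled values.

```powershell
# Added example: audit the SCHANNEL protocol settings referenced in step 4.5.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key    = Join-Path (Join-Path $base $protocol) $role
            $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $state  = if (-not $values -or $null -eq $values.Enabled) {
                'NotConfigured'        # no explicit setting; the OS default applies
            } elseif ($values.Enabled -eq 0) {
                'Disabled'
            } elseif ($values.DisabledByDefault -eq 0) {
                'Enabled'              # the state the manual re-enable steps produce
            } else {
                'EnabledNotDefault'    # Enabled is non-zero, DisabledByDefault is not 0
            }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                State             = $state
                Enabled           = $values.Enabled
                DisabledByDefault = $values.DisabledByDefault
            }
        }
    }
}

$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize

# Flag every protocol older than TLS 1.2 that is not explicitly disabled.
$legacy = $state | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' }
foreach ($item in $legacy) {
    Write-Warning "$($item.Protocol) $($item.Role) is '$($item.State)', not explicitly disabled."
}
```

A NotConfigured result means Windows applies its built-in default for that protocol, which varies by OS version.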

Run the installation tool

  1. From the installation CD, copy the PSM folder to the component server and unzip.

  2. Open CMD and run:

     
    CD <PSM CD-Image Path>\PSMAutoInstallationTool
    PSMAutoInstallationTool /vaultip <Vault IP address> /vaultuser <Vault username for installation> /accepteula yes
    • Restart - The tool runs the PSM installation stages. When a restart is required, the user is prompted to press Enter, restarting the machine. When the user logs in to the machine again, the tool continues from the relevant step.

    • Vault user credentials - If you are using a Vault username and password, after the last restart you are prompted to enter a password. Enter the password and press Enter. You can use the cred file to avoid entering the password interactively.

  3. The tool receives the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Vaultip | This parameter is mandatory |
    | vaultuser | This parameter is mandatory |
    | usercredfile | If there is no user credential file, you are prompted to enter the Vault password when you reach the Registration stage |
    | accepteula | This parameter is mandatory |
    | apihost | |
    | usepki | |
    | Name | |
    | Company | |
    | InstallDir | |
    | RecordingDir | |
    | Include | Steps you want to enable that are disabled by default. Step numbers are shown in the default values table above. For example: /include 3.6 will enable the Reduce Win Certificate Wait Time step |
    | Exclude | Steps you want to disable that are enabled by default. Step numbers are shown in the default values table above. For example: /exclude 1.2 will disable the Install RDS Rules step |

     

    If the same step number appears in both the /include and /exclude lists, it is ignored and the default value remains in effect.
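
The default values table requires that the file passed as usercredfile sits in a folder accessible only to the administrator running the installation, and recommends deleting it after registration. The following is an added example, not part of the vendor documentation: it lists Allow entries on the file and its folder for identities outside an allowed list. The function name, the default allowed list (English account names) and the placeholder path are assumptions.

```powershell
# Added example: check who can reach the user credential file and whether it still exists.
function Test-CredFileExposure {
    param(
        [Parameter(Mandatory)][string]$CredFile,      # the path given to usercredfile
        # Assumption: adjust this list to match who is permitted in your environment.
        [string[]]$AllowedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            [Security.Principal.WindowsIdentity]::GetCurrent().Name
        )
    )
    if (-not (Test-Path -LiteralPath $CredFile)) {
        return [pscustomobject]@{ Path = $CredFile; Exists = $false; UnexpectedAccess = @() }
    }
    $folder = Split-Path -Parent $CredFile
    # Collect every Allow ACE on the folder and the file that names another identity.
    $unexpected = foreach ($target in $folder, $CredFile) {
        (Get-Acl -LiteralPath $target).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $AllowedIdentities -notcontains $_.IdentityReference.Value } |
            ForEach-Object { '{0}: {1} ({2})' -f $target, $_.IdentityReference.Value, $_.FileSystemRights }
    }
    [pscustomobject]@{ Path = $CredFile; Exists = $true; UnexpectedAccess = @($unexpected) }
}

# Placeholder path: replace with the credential file location you use.
$check = Test-CredFileExposure -CredFile '<path to user credential file>'
if ($check.Exists) {
    $check.UnexpectedAccess | ForEach-Object { Write-Warning "Unexpected access: $_" }
    Write-Warning 'Credential file is present; delete it once registration has completed.'
}
```

Running it again after registration confirms the file is gone (Exists is False).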

Run PSM installation in stages