Hardening CPM servers in a domain
This topic describes the hardening procedures that you perform when a CPM server is part of a domain.
When CPM servers are part of a domain, you must back up the existing Group Policy Object (GPO), and create a new one.
Import a GPO file to an Active Directory domain
- Open the Group Policy Management Console (GPMC.msc).
- Under your domain, right-click Group Policy Objects, and select New.
- Enter a new name for the GPO, for example, CyberArk CPMHardening, and then click OK.
Specify a name that indicates the purpose of the GPO. This name is displayed to all users.
- In the list of Group Policy Objects, right-click the new GPO that you created, and select Import Settings….
The Import Settings Wizard appears.
- In the Welcome to the Import Settings Wizard window, click Next.
The Backup GPO window appears.
You do not have to back up, as this GPO is new.
- Click Next.
The Backup location screen appears.
- Click Browse…, and select the location of the folder where the hardening settings are stored, for example, CPM\Hardening, and then click Next.
Make sure you have unzipped the folder where the hardening settings are stored, CPM\InstallationAutomation.
The Source GPO window appears.
- Select the GPO that you created, and then click Next.
The Scanning Backup window appears.
- Click Next.
The Completing the Import Settings Wizard window appears.
- Click Finish.
The Import window appears and shows the progress of the GPO import.
- When the GPO import process is complete, click OK.
Add applicable accounts to the GPO object
- In the Group Policy Management Console, under <your domain> > Group Policy Objects, right-click the GPO that you created, and then click Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments.
- Double-click Log on as a service, and do one of the following actions:
  If PasswordManagerUser and ScannerUser are local users, add the users without a prefix.
  If PasswordManagerUser and ScannerUser are domain users, add the users with a <Domain>\ prefix.
  If PasswordManagerUser and ScannerUser were renamed, add the renamed users.
To ensure that unauthorized users do not gain access to the CPM server, make sure that this setting is only allowed for PasswordManagerUser and PluginManagerUser and for maintenance users who are required to log on remotely to the CPM server.
Link GPO to a dedicated OU containing CyberArk servers
- Make sure all servers are located under a dedicated OU, so the GPO will not affect any other server.
- In the Group Policy Management Console, right-click the OU, and then select Link an Existing GPO.
- Select the relevant GPO, for example, PVWA Hardening, and then click OK.
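The three GPMC procedures above (create and import the GPO, review the Log on as a service assignment, link the GPO to the dedicated OU) can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not CyberArk's own tooling; the GPO name, backup folder path, backup display name, OU distinguished name and the allow-list of service accounts are assumed values, and the XML report layout used in the last step is the author's understanding of the Get-GPOReport format.

```powershell
# Added example: scripts the GPMC steps with the GroupPolicy module. All literal
# values below are assumptions for illustration; replace them with your own.
Import-Module GroupPolicy

$GpoName    = 'CyberArk CPMHardening'                       # purpose-revealing name shown to all users
$BackupPath = 'C:\CPM\InstallationAutomation\Hardening'     # unzipped folder holding the hardening backup (assumed)
$BackupGpo  = 'CPMHardening'                                # display name of the GPO inside that backup (assumed)
$TargetOU   = 'OU=CyberArk Servers,DC=example,DC=com'       # dedicated OU containing only CyberArk servers (assumed)
# Accounts that may hold "Log on as a service" on the CPM server; domain accounts carry a <Domain>\ prefix.
$AllowedServiceLogon = @('EXAMPLE\PasswordManagerUser', 'EXAMPLE\ScannerUser')

# 1. Create the GPO if it does not exist yet (Group Policy Objects > New).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'CPM server hardening settings' | Out-Null
}

# 2. Import the hardening settings from the backup folder (Import Settings Wizard).
Import-GPO -BackupGpoName $BackupGpo -Path $BackupPath -TargetName $GpoName | Out-Null

# 3. Link the GPO only to the dedicated OU so it cannot affect other servers.
$existingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Review who holds "Log on as a service" (SeServiceLogonRight) in the imported GPO
#    and flag any account outside the allow-list. The namespace and element names
#    reflect the GPO XML report as the author understands it (assumption).
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$ns = @{ sec = 'http://www.microsoft.com/GroupPolicy/Settings/Security' }
$node = Select-Xml -Xml $report -Namespace $ns `
    -XPath "//sec:UserRightsAssignment[sec:Name='SeServiceLogonRight']"
$members = @($node | ForEach-Object { $_.Node.Member } | ForEach-Object { [string]$_.Name })

$unexpected = $members | Where-Object { $AllowedServiceLogon -notcontains $_ }
if ($unexpected) {
    Write-Warning ("Log on as a service granted to accounts outside the allow-list: " +
        ($unexpected -join ', '))
} else {
    Write-Output "Log on as a service is limited to: $($members -join ', ')"
}
```

Run the script from a workstation with RSAT Group Policy tools installed, using an account permitted to create and link GPOs in the target domain.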