What is Session Protection?

This topic introduces the Secure Web Sessions (SWS) Session Protection security layer for applications.

The solution

CyberArk Identity Secure Web Sessions (SWS) can provide client-side protection for the user's session. Session protection is available either using only the protections offered by the SWS browser extension, or through an optional integration between the CyberArk Endpoint Privilege Manager (EPM) solution and the SWS browser extension.

Session protection with SWS browser extension

Session protection with the SWS browser extension can apply protections at the browser level to protect the sensitive session, such as:

  • Block file downloads from the web application

  • Block access to clipboard and drag & drop to prevent copy/paste errors (or intentional exfiltration)

  • Block access to right-click context menu

Session protection with CyberArk EPM integration

Secure Web Sessions provides an EPM policy template that applies additional endpoint protections for the Chrome browser. The EPM policy template includes the following protections:

Protection: Block abuse of Chrome "Debugging" feature

Additional details: Implemented in EPM Advanced Policies. Prevents launching Google Chrome with the '-remote-debugging-' argument.

Protection: Block Chrome launch from untrusted executables

Additional details: Implemented in EPM Advanced Policies. Prevents Chrome from being launched by any unsigned process.

Protection: Block any unsigned DLLs from being loaded into Chrome

Additional details: Implemented in EPM Advanced Policies. Prevents Chrome from loading any unsigned DLLs.

Protection: Allow running Chrome with restricted access to evitable resources

Additional details: Implemented in EPM Advanced Policies. Chrome is set to 'Run Normally' (preventing it from being run with admin privileges), with the following additional access restrictions applied:

  • Block access to network shares

  • Block access to the local disk, except for the locations required for normal Chrome functioning and accepted user actions, with the following configured defaults.

    Default exceptions:

    • C:\Users (anything below C:\Users\* is blocked, preventing access to other users' data)

    • %ProgramFiles%

    • %ALLUSERSPROFILE%

    • %LOCALAPPDATA%\Google\Chrome\User Data

    • %LOCALAPPDATA%\Microsoft\Windows\Caches

    • %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

    • %APPDATA%\Microsoft\Spelling

    • %USERPROFILE%\Desktop

    • %USERPROFILE%\Downloads

    • %SystemRoot%

  • Block access from Chrome to the memory of other processes

SWS - EPM policy additional configurations

To ensure the Chrome browser is protected as much as possible, the following additional configurations must be set in the SWS-EPM policy in the EPM management console.

EPM policy configuration: In Default Policies, set Protect against ransomware to Restrict.

Additional info: For more information, see Protect against Ransomware in the Endpoint Privilege Manager docs.

EPM policy configuration: In Privilege Threat Protection, set Memory Dump from Chromium Based Web Browsers to Block.

Additional info: Requires EPM SaaS. For more information, see Threat protection rules in the Endpoint Privilege Manager docs.

Optionally, the following configurations can also be set:

  • Additional restrictions in Default Policies can be considered, such as blocking unhandled applications downloaded from the internet. For more information, see Control unhandled applications downloaded from the Internet in the Endpoint Privilege Manager docs.

  • Activation of Recommended Blocked Windows OS Applications in the pre-defined Application Group. For more information, see Policy recommendations in the Endpoint Privilege Manager docs.

EPM agent and SWS extension communication

The communication channel between the EPM agent and the SWS extension is delivered via a script within the EPM-SWS Protection package. This channel uses Chrome Native Messaging to let the SWS browser extension communicate with the EPM agent and validate that it is installed.

The script creates a temporary executable, which is registered in Chrome as accessible by the SWS extension. This executable is called when a user accesses a web application that, according to SWS policy, requires EPM enforcement. The executable then verifies the rest of the communication channel and the presence of a running EPM agent, and reports the result to SWS.

The result is that the SWS service, through the SWS extension, can validate that EPM is in fact installed and running on the user's endpoint, via a channel that is only provided as part of the SWS-EPM Protection package. This package also includes the full list of protection policies described above.
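The native messaging channel described above, as an added example that is not CyberArk's code: a minimal Chrome Native Messaging host that answers an "is the EPM agent running?" query from an extension, together with the host manifest whose allowed_origins entry restricts which extension may start it. The message framing, manifest fields and registry location are Chrome's documented conventions; the request fields, host name, extension ID and the agent check itself are assumptions.

```python
# Added example (not CyberArk's code): minimal Chrome Native Messaging host that
# answers "is the EPM agent running?" for a browser extension. Framing, manifest
# fields and registry location follow Chrome's documented conventions; request
# fields, host name, extension ID and the agent check are assumptions.
import io, json, struct
from typing import Callable, Dict, List, Optional

MAX_HOST_TO_BROWSER = 1024 * 1024  # Chrome drops host-to-browser messages over 1 MiB

def encode_message(msg: Dict) -> bytes:
    """Frame msg as compact UTF-8 JSON behind a 4-byte native-endian length."""
    body = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds Chrome's 1 MiB host-to-browser limit")
    return struct.pack("=I", len(body)) + body

def decode_message(stream) -> Optional[Dict]:
    """Read one framed message from a binary stream; None at a clean end of stream."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))

def decode_all(raw: bytes) -> List[Dict]:
    """Split back-to-back framed messages (e.g. a captured stdout) into dicts."""
    stream, out = io.BytesIO(raw), []
    while (msg := decode_message(stream)) is not None:
        out.append(msg)
    return out

def handle_request(req: Dict, agent_running: Callable[[], bool]) -> Dict:
    """Expose exactly one request type; anything else is refused, not echoed."""
    if req.get("type") != "epm_status":
        return {"ok": False, "error": "unsupported request"}
    return {"ok": True, "epm_agent_running": bool(agent_running())}

def run_host(raw_stdin: bytes, agent_running: Callable[[], bool]) -> bytes:
    """stdin/stdout stand-in for the host loop: answer each request in order."""
    return b"".join(encode_message(handle_request(r, agent_running)) for r in decode_all(raw_stdin))

def host_manifest(host_name: str, exe_path: str, extension_id: str) -> Dict:
    """Manifest Chrome loads (Windows: registered under HKCU\\Software\\Google\\Chrome\\NativeMessagingHosts\\<name>);
    allowed_origins is what limits which extension may start this host."""
    return {"name": host_name, "description": "Reports EPM agent presence to the SWS extension",
            "path": exe_path, "type": "stdio", "allowed_origins": [f"chrome-extension://{extension_id}/"]}
```

The agent_running callable stands in for the package's own check of a live EPM agent; a real host would also run as the registered executable with stdin/stdout in binary mode.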