CPM post-hardening tasks

This topic describes ongoing tasks that you must perform manually after running the hardening script, and again on a periodic basis: for example, when you change something in the environment (add servers, upgrade a version), after an operating system upgrade, or as part of general maintenance activities.

These tasks are necessary for all types of deployments and are part of maintaining your system.

Update your operating system

Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in its software. Make sure your operating system is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install them with Windows Server Update Services (WSUS), hosted on the corporate network.
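Whichever method you choose, you need a way to confirm the server is actually current. The following PowerShell script is an added example (not part of the CyberArk documentation) that reports the most recent installed hotfix and asks the built-in Windows Update Agent for updates that are still pending; if WSUS is configured through Group Policy, the agent queries the WSUS server, otherwise it queries the default update service. Run it in an elevated session on the CPM server.

```powershell
# Added example, not from the CyberArk documentation.
# Report patch state of the CPM host: last installed hotfix and pending updates.
# Uses only built-in cmdlets and the Windows Update Agent COM API (no extra modules).

# Most recently installed hotfix, as a quick patch-level indicator.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
"Last installed hotfix: {0} on {1:yyyy-MM-dd}" -f $lastHotfix.HotFixID, $lastHotfix.InstalledOn

# Ask the local Windows Update Agent for updates that are not installed and not hidden.
# The search can take a few minutes on a server that has not checked in recently.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

if ($result.Updates.Count -eq 0) {
    "No pending updates reported by the Windows Update Agent."
} else {
    "{0} pending update(s):" -f $result.Updates.Count
    foreach ($u in $result.Updates) {
        # MsrcSeverity is only populated for security updates.
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        "  [{0}] {1}" -f $severity, $u.Title
    }
}
```

The script only reports; it does not install anything, so it is safe to schedule as a periodic check whose output you review before a maintenance window.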

Install an anti-virus solution

In today's world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:

  • Infection with viruses that can damage the server and the entire network.
  • Trojan horses planted to allow remote control of the server and access to all the information on it.

Install an anti-virus solution and update it as needed.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server.
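Server Manager shows the installed roles, but comparing them against a documented baseline is easier from PowerShell. The script below is an added example (not CyberArk's own code) that lists every installed role and role service and flags the ones missing from an allow-list. The allow-list contents are an assumption for illustration; replace them with the roles your CPM baseline actually requires.

```powershell
# Added example, not from the CyberArk documentation.
# Audit installed server roles against an allow-list of roles the CPM host needs.
# Requires the ServerManager module (Windows Server).
Import-Module ServerManager

# Assumed baseline for illustration: adjust to your own CPM requirements.
$allowedRoles = @(
    'FileAndStorage-Services',
    'Storage-Services'
)

# Only roles and role services are of interest here; plain features are skipped.
$installedRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and ($_.FeatureType -in @('Role', 'Role Service')) }

$unexpected = $installedRoles | Where-Object { $allowedRoles -notcontains $_.Name }

if ($unexpected) {
    "Installed roles not in the allow-list (review, and remove if not required):"
    $unexpected | Select-Object Name, DisplayName, FeatureType | Format-Table -AutoSize
    # After confirming a role is unnecessary, remove it and its binaries, e.g.:
    #   Uninstall-WindowsFeature -Name Web-Server -Remove
} else {
    "Only allow-listed roles are installed."
}
```

Keep the allow-list under version control next to the hardening script so that a role added during troubleshooting shows up on the next run instead of quietly becoming part of the server.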

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP is necessary; ensure that additional protocols such as IPX or NetBEUI are not installed.
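On current Windows Server versions protocols are exposed as adapter bindings, so the check is to list what is bound to the active adapters and flag everything other than IPv4 and IPv6. The following script is an added example (not CyberArk's own code); the component IDs `ms_tcpip` and `ms_tcpip6` are the ones Windows uses for TCP/IP, and the disable command at the end is shown in a comment for the Link-Layer Topology Discovery components as an illustration.

```powershell
# Added example, not from the CyberArk documentation.
# Report every enabled binding on active physical adapters that is not TCP/IP.
# Run in an elevated PowerShell session on the CPM server.

$allowedBindings = @('ms_tcpip', 'ms_tcpip6')   # IPv4 and IPv6

$bindings = Get-NetAdapter -Physical |
    Where-Object Status -eq 'Up' |
    Get-NetAdapterBinding |
    Where-Object Enabled

$extra = $bindings | Where-Object { $allowedBindings -notcontains $_.ComponentID }

if ($extra) {
    "Enabled bindings other than TCP/IP (review; disable the ones not required):"
    $extra | Select-Object Name, DisplayName, ComponentID | Format-Table -AutoSize
} else {
    "Only TCP/IP (IPv4/IPv6) is bound on the active adapters."
}

# Once a binding is confirmed unnecessary, disable it on all adapters, e.g. the
# Link-Layer Topology Discovery mapper and responder:
#   Disable-NetAdapterBinding -Name '*' -ComponentID ms_lltdio, ms_rspndr
```

The report will also list services layered on TCP/IP, such as Client for Microsoft Networks (`ms_msclient`) and File and Printer Sharing (`ms_server`). Whether those are needed depends on which plugins the CPM runs, so treat the output as a review list rather than something to disable wholesale.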

Rename default accounts

It is recommended to rename both the Administrator and the Guest accounts to names that do not reveal their permissions.

It is also recommended to create a new, locked, unprivileged user named Administrator as bait.
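Because the built-in accounts are identified by their well-known RIDs (500 for Administrator, 501 for Guest) rather than by name, a script can tell whether they still carry their default names regardless of earlier renames. The script below is an added example (not CyberArk's own code) that renames them if needed and creates the disabled decoy account; the replacement names are assumptions for illustration. It uses the Microsoft.PowerShell.LocalAccounts cmdlets, so it needs Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example, not from the CyberArk documentation.
# Rename the built-in Administrator/Guest accounts if they still have their
# default names, and create a disabled, unprivileged decoy named "Administrator".

$adminNewName = 'svc-maint01'   # assumed replacement name, change to suit
$guestNewName = 'visitor01'     # assumed replacement name, change to suit

# Locate the built-in accounts by RID, not by name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$builtinGuest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

if ($builtinAdmin.Name -eq 'Administrator') {
    "Built-in Administrator still has its default name; renaming to $adminNewName"
    Rename-LocalUser -Name 'Administrator' -NewName $adminNewName
}
if ($builtinGuest.Name -eq 'Guest') {
    "Built-in Guest still has its default name; renaming to $guestNewName"
    Rename-LocalUser -Name 'Guest' -NewName $guestNewName
    Disable-LocalUser -Name $guestNewName
}

# Decoy: a disabled, unprivileged account that reuses the default name.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    # Random password that is never recorded; the account is disabled and must never log on.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name 'Administrator' -Password $pw -Description 'Decoy account - do not use' | Out-Null
    Disable-LocalUser -Name 'Administrator'
    "Created disabled decoy account 'Administrator'."
}

# Verify the decoy holds no administrative rights.
$adminMembers = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($adminMembers -match '\\Administrator$') {
    Write-Warning "The decoy 'Administrator' is a member of Administrators; remove it."
}
```

Logon attempts against the decoy are a useful detection signal: any failed logon for an account named Administrator on this host is, by construction, not legitimate administration and can be alerted on in your SIEM.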

Local Windows Service user permissions and plugins

During the CPM hardening process, three local Windows Service users are created to run the CPM service:

  • PasswordManagerUser
  • PluginManagerUser
  • ScannerUser

To reduce security risks, these local users only have the necessary permissions to run the required services and plugins. For specific information about the user permissions, see Creates Local Windows Service users and configures permissions.

Because these users run with least privilege, plugins that they run may not work after installing or upgrading to version 12.2 or later.

You can change the user permissions to run the plugins with higher privileges. For more information, see How local Windows user permissions may affect plugins.
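If you do raise the privileges of one of these users to get a plugin working, that change should be visible in later audits rather than forgotten. The script below is an added example (not CyberArk's own code) that reports the account state and local group membership of the three service users and flags membership of the local Administrators group; that such membership is outside the least-privilege baseline is an assumption here, so confirm the expected permissions against the linked permissions topic.

```powershell
# Added example, not from the CyberArk documentation.
# Report account state and local group membership of the CPM service users.

$cpmUsers = 'PasswordManagerUser', 'PluginManagerUser', 'ScannerUser'

# Build a map of local group -> member account names once.
# Get-LocalGroupMember returns names as COMPUTER\name; keep only the name part.
$groupMembers = @{}
foreach ($g in Get-LocalGroup) {
    $groupMembers[$g.Name] = @(
        Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue |
            ForEach-Object { ($_.Name -split '\\')[-1] }
    )
}

foreach ($name in $cpmUsers) {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $u) {
        Write-Warning "$name does not exist on this host; was the hardening script run?"
        continue
    }
    $groups = @($groupMembers.Keys | Where-Object { $groupMembers[$_] -contains $name })
    [pscustomobject]@{
        User            = $name
        Enabled         = $u.Enabled
        PasswordExpires = $u.PasswordExpires
        Groups          = ($groups -join ', ')
        # Assumption: the hardened baseline does not put service users in Administrators.
        IsLocalAdmin    = ($groups -contains 'Administrators')
    }
}
```

Run it after every plugin change or CPM upgrade and keep the output with your change records, so that a temporary privilege increase granted during troubleshooting is either reverted or explicitly accepted.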