Harden the CPM server

This topic describes how to automatically harden the CPM server using the hardening script.

If the PVWA and CPM are installed on the same machine, make sure to run the CPM hardening script after you have run the PVWA hardening script.

Overview

You can harden the CPM server automatically using a script file. The hardening script file performs the following tasks:

  • Imports the INF configuration

  • Validates server roles

  • Sets policy configuration

    • Enables screen saver policies

    • Configures advanced audit policies

    • Configures Remote Desktop Services policies

  • Sets EventLog size and retention

  • General auditing, registry, and file system configuration

    • Registry audits

    • Registry permissions

    • FileSystem permissions

    • FileSystem audit

  • Creates three local Windows users that run the CPM services

  • Disables services

  • Disables DEP on files used by the CPM

Run the hardening script

Before you run the script, check the following settings in the CPM_Hardening_Config.xml file, which is in the CPM\InstallationAutomation folder:

  • If PSM is installed on the same machine as the CPM, the following automated tasks may affect the PSM installation:

    • Importing the INF configuration

    • Validating server roles

    • Configuring Remote Desktop Services policies

    In this case, set the IsPSMInstalled parameter to True before you run the hardening script.

  • If you want the hardening script to enable FIPS cryptography automatically, set the EnableFIPSCryptography parameter to Yes before you run the hardening script.

To run the hardening script:

  • Open a PowerShell window as Administrator and run the CPM_Hardening.ps1 script. The script applies the steps that are enabled in CPM_Hardening_Config.xml.

To run only specific steps in the hardening script:

  1. In the CPM\InstallationAutomation folder, locate and open the CPM_Hardening_Config.xml file.

  2. Set the hardening steps:

    • To run a hardening step in the script, set the step to Yes.

    • To exclude a step from running in the script, set the step to No.
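The configuration edits described above (IsPSMInstalled, EnableFIPSCryptography, and the per-step Yes/No switches) can be made repeatably from PowerShell before CPM_Hardening.ps1 is run. The following is an added example, not CyberArk's own tooling. The page does not show the layout of CPM_Hardening_Config.xml, so the helper handles two common shapes (an element named after the setting, or an element carrying a Name attribute together with a Value or Enable attribute) and warns when a setting name matches nothing; compare it with your own copy of the file before relying on it. The relative path, the parameters PsmOnSameHost, DisableFips, Steps and VerifyOnly, and the step names passed in Steps are assumptions for illustration; the FIPS check reads the standard Windows FipsAlgorithmPolicy registry value and is not something the page states.

```powershell
<#
  Added example, not CyberArk's script: prepares CPM_Hardening_Config.xml for a run of
  CPM_Hardening.ps1 and offers a post-run FIPS check (-VerifyOnly). The page does not show
  the XML's layout, so Set-HardeningValue handles two shapes and warns on no match:
    <IsPSMInstalled>True</IsPSMInstalled>
    <Parameter Name="IsPSMInstalled" Value="True"/>   (or Enable="Yes" for a step)
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed relative path; the page only says the file lives in CPM\InstallationAutomation.
    [string]$ConfigPath = '.\CPM\InstallationAutomation\CPM_Hardening_Config.xml',
    [switch]$PsmOnSameHost,   # sets IsPSMInstalled=True, required when PSM shares the host
    [switch]$DisableFips,     # by default EnableFIPSCryptography is set to Yes
    # Hypothetical step names, e.g. @{ 'SomeStep' = 'No' }; use the names in your XML.
    [hashtable]$Steps = @{},
    [switch]$VerifyOnly       # skip editing and only report the current FIPS policy
)

function Set-HardeningValue {
    param([System.Xml.XmlDocument]$Xml, [string]$Name, [string]$Value)
    $changed = 0
    # Shape 1: an element named after the setting. XML element names are case-sensitive.
    foreach ($node in $Xml.SelectNodes("//*[local-name()='$Name']")) {
        if ($node.HasAttribute('Value')) { $node.SetAttribute('Value', $Value) }
        else                             { $node.InnerText = $Value }
        $changed++
    }
    # Shape 2: a generic element with Name="..." plus Value="..." or Enable="...".
    foreach ($node in $Xml.SelectNodes("//*[@Name='$Name']")) {
        foreach ($attr in @('Value', 'Enable')) {
            if ($node.HasAttribute($attr)) { $node.SetAttribute($attr, $Value); $changed++; break }
        }
    }
    if ($changed -eq 0) { Write-Warning "No setting named '$Name' found; nothing changed for it." }
    return $changed
}

function Test-FipsPolicyEnabled {
    # Standard Windows location of the "use FIPS compliant algorithms" policy; 1 means on.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Enabled -eq 1)
}

if ($VerifyOnly) {
    # Run this after CPM_Hardening.ps1 has completed to confirm the FIPS step took effect.
    if (Test-FipsPolicyEnabled) { Write-Host 'FIPS policy: enabled' }
    else                        { Write-Warning 'FIPS policy: not enabled' }
    return
}

$fullPath = (Resolve-Path -LiteralPath $ConfigPath).Path
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep the vendor's formatting so a diff stays readable
$xml.Load($fullPath)

# Set the two documented parameters explicitly so the result is the same on every host.
$null = Set-HardeningValue -Xml $xml -Name 'IsPSMInstalled' `
            -Value $(if ($PsmOnSameHost) { 'True' } else { 'False' })
$null = Set-HardeningValue -Xml $xml -Name 'EnableFIPSCryptography' `
            -Value $(if ($DisableFips) { 'No' } else { 'Yes' })

# Per-step switches: Yes runs the step, No excludes it; reject anything else early.
foreach ($step in $Steps.Keys) {
    if ($Steps[$step] -notin @('Yes', 'No')) {
        throw "Step '$step' must be Yes or No, got '$($Steps[$step])'."
    }
    $null = Set-HardeningValue -Xml $xml -Name $step -Value $Steps[$step]
}

if ($PSCmdlet.ShouldProcess($fullPath, 'Write hardening configuration')) {
    # Keep a timestamped copy so the pre-hardening configuration can be restored or compared.
    $backup = '{0}.{1}.bak' -f $fullPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $fullPath -Destination $backup
    $xml.Save($fullPath)
    Write-Host "Wrote $fullPath (backup: $backup). Now run CPM_Hardening.ps1 as Administrator."
}
```

Run it with -WhatIf first to see which file would be written without touching it; the warnings from Set-HardeningValue tell you whether the assumed element names matched your copy of the XML. After CPM_Hardening.ps1 has finished, run the script again with -VerifyOnly to confirm the FIPS policy is in the state you requested.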