PSM Hardening Tasks

This section describes the hardening tasks in detail. Use this reference to troubleshoot your automatic installation or to perform one or more of the hardening tasks manually.

Run the hardening script

Manually perform the following to run the hardening script.

After running the hardening script

The following tasks should be done after the hardening script finishes running.

Hide PSM local drives in PSM sessions

This procedure hides the PSM local drives in the PSM sessions.

If you add a new local drive to the PSM machine, run the Hardening stage again with the Runs post hardening tasks step enabled to apply the hiding policy on the newly added drive. Before running the Hardening stage, any PSM local Shadow user in the system must be removed, along with its user profile.

Block Internet Explorer developer tools

This procedure blocks Internet Explorer development tools when connecting to web sites through the PSM.

Internet Explorer developer tools are blocked in the PSM in order to prevent end users who connect via the PSM from accessing them.

Block the Internet Explorer context menu

This procedure blocks Internet Explorer context menus when connecting to web sites through PSM.

The Internet Explorer context menu in the PSM is blocked in order to prevent end users from adding the developer tools.

Run AppLocker rules

To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.

The PSM installation includes an AppLocker script which enables PSM users to invoke internal PSM applications, mandatory Windows applications, and third-party external applications that are used as clients in the PSM.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening.

  • If your environment includes executables that must be allowed, in addition to those that are built-in to the PSM installation, such as PSM Universal Connectors executables, you must edit this file to add rules that will allow these executables.

  • If you have connectors deployed using shared universal connector deployment on multiple PSM servers, they are updated automatically in the AppLocker rules. For details, see Deploy Universal Connectors on multiple PSM servers.

  • Beginning in version 12.2.4, DLL files are allowed only if they are loaded by the allowed executables included in the PSMConfigureAppLocker.xml file. The PSMConfigureAppLocker script automatically finds the relevant DLL files and adds a corresponding AppLocker rule for these DLLs. However, we recommend that you verify that all PSM connectors are working properly after the upgrade. If any of the PSM connectors fail due to blocked DLL files, see Detect blocked DLL files.

Hardening 'In Domain' deployments

This section describes the hardening procedure for In Domain deployments, including each file type and its configuration, as well as the procedures for applying and editing these files in a customer's environment.

Hardening 'Out of Domain' deployments

This section describes how to apply hardening procedures in 'Out of Domain' deployments.

General hardening tasks

This section describes the manual hardening tasks that are necessary for all types of deployments and that are part of maintaining your system. Perform them after running the hardening script, and after completing the in-domain hardening tasks (if necessary). You should also perform them periodically, for example if you change something in the environment (add servers, upgrade a version), after an operating system upgrade, and as part of general maintenance activities.

Update your operating system

Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in their software. Make sure your operating system is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install them with Windows Server Update Services (WSUS), which is located on the corporate network.

Install an anti-virus solution

In today's world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:

  • Infection with viruses that might damage the server and the entire network.
  • Trojan horses that are planted to allow remote control of the server and access to all the information on it.

Install an anti-virus solution and update it as needed.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server.

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.

Rename default accounts

It is recommended to change the names of both the Administrator and the Guest account to names that don't reveal anything about their permissions.

It is also recommended to create a new, locked, unprivileged account named Administrator as a decoy.

Enable Microsoft Edge

Configure AppLocker to enable Microsoft Edge

  1. Remove the read-only permission from the PSMConfigureAppLocker.xml file.

  2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:

    Make sure that the following lines exist and are uncommented:

    <Application Name="PSM-WebAppDispatcher" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" />
    <Application Name="PSM-ProgressBar" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Publisher" />
    <Application Name="msedgedriver" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />

    Verify that the path specified in the XML matches the browser installation path.

  3. Save the PSMConfigureAppLocker.xml configuration file and close it.

  4. Run the script from PowerShell:

    • In a PowerShell window, change to the Hardening folder under the PSM installation folder:

      CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"

    • Start the script:

      ./PSMConfigureAppLocker.ps1

For more information, see Run AppLocker rules.
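Before running PSMConfigureAppLocker.ps1, it is worth checking that every Path in the AllowedApplications section actually exists and that Publisher rules point at signed binaries; afterwards, AppLocker's own event log shows what it blocked (the Detect blocked DLL files case above). The script below is an added example, not part of the PSM installation or CyberArk's script. It assumes the Application elements sit under an AllowedApplications element with the Name, Type, Path and Method attributes shown in the Edge procedure, and that the file is at the default installation path.

```powershell
# Added example (not CyberArk code): validate PSMConfigureAppLocker.xml entries and
# list recent AppLocker block events. Assumes Application elements live under an
# AllowedApplications element with Name/Type/Path/Method attributes, as shown above.
$xmlPath = 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml'

function Test-PsmAppLockerConfig {
    param([string]$Path)
    [xml]$config = Get-Content -Path $Path -Raw
    foreach ($app in $config.SelectNodes('//AllowedApplications/Application')) {
        $name = $app.GetAttribute('Name')
        $file = $app.GetAttribute('Path')
        if (-not (Test-Path -LiteralPath $file)) {
            # A rule for a missing file is harmless but usually means a wrong path.
            [pscustomobject]@{ Name = $name; Status = 'MISSING'; Detail = $file }
            continue
        }
        switch ($app.GetAttribute('Method')) {
            'Publisher' {
                # A Publisher rule only matches a binary that carries a valid signature.
                $sig = Get-AuthenticodeSignature -FilePath $file
                $status = if ($sig.Status -eq 'Valid') { 'OK' } else { 'UNSIGNED' }
                [pscustomobject]@{ Name = $name; Status = $status; Detail = $sig.Status }
            }
            'Hash' {
                # Hash rules break whenever the file changes; record the current file hash.
                $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                [pscustomobject]@{ Name = $name; Status = 'OK'; Detail = $hash }
            }
            default { [pscustomobject]@{ Name = $name; Status = 'UNKNOWN-METHOD'; Detail = $_ } }
        }
    }
}

function Get-PsmAppLockerBlocks {
    param([int]$Hours = 24)
    # Event 8004 in the "EXE and DLL" log records a file that AppLocker prevented from running.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}

Test-PsmAppLockerConfig -Path $xmlPath | Format-Table -AutoSize
Get-PsmAppLockerBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell window on the PSM server; a MISSING or UNSIGNED row is what to fix before you re-run the AppLocker script, and the block list is where a failing connector's DLL will show up.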

Harden the Edge browser on the PSM server

Harden the PSM server in 'In Domain' deployments

This section describes how to harden the PSM server in 'In Domain' deployments, which involves the GPO file. The GPO should be imported during the installation process. You will receive the hardening package from CyberArk as a zipped file. Unzip this file so that you can import the hardening GPO. Follow your organization's security policy when customizing the GPO settings.

  1. If smart cards are not used with the PSM server(s), disable the feature as follows.

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

     Setting                      Value
     Smart Card                   Disabled
     Smart Card Removal Policy    Disabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  2. Disable smart card device redirection in Remote Desktop sessions.

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

     Setting                                       Value
     Do not allow smart card device redirection    Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  3. Enable the firewall.

     Assuming all required network rules for proper PSM functioning are known (user machines, target machines and other servers and services), it is recommended to enable the Windows firewall.

     Policy: Services
     Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

     Setting             Value
     Windows Firewall    Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  4. Disable Remote Desktop Services redirection.

     If Clipboard/Drive/Printer redirection is not being used, disable it.

     Policy: Terminal Service Hardening
     Vulnerability: Clipboard mapping enables the client to transfer a virus or a malicious application to the server, as well as to copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting the whole network or damaging the system.

     Setting                               Value
     Do not allow Clipboard redirection    Enabled
     Do not allow drive redirection        Enabled
     Do not allow printer redirection      Enabled

     To harden via a Group Policy Object (GPO), create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Harden the PSM server in 'Out of Domain' deployments

Use the following procedures to harden PSM servers in 'Out of Domain' deployments. You will receive the hardening package from CyberArk as a zipped file. Unzip this file so that you can import the hardening INF and CSV files.

Administrative templates

To manually configure Remote Desktop Services, set the following policies.

Policy: Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Connections

  Setting                                                                  Value
  Automatic reconnection                                                   Disabled
  Configure keep-alive connection interval                                 Enabled (Keep-Alive interval: 1)
  Deny logoff of an administrator logged in to the console session         Enabled
  Set rules for remote control of Remote Desktop Services user sessions    Enabled (Full Control without user's permission)
  Do not allow LPT port redirection                                        Enabled
  Do not allow supported Plug and Play device redirection                  Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment

  Setting                                             Value
  Remove "Disconnect" option from Shut Down dialog    Enabled
  Remove Windows Security item from Start menu        Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Security

  Setting                                                       Value
  Do not allow local administrators to customize permissions    Not Defined
  Require secure RPC communication                              Enabled
  Set client connection encryption level                        Enabled (Encryption Level: High Level)

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits

  Setting                                                                Value
  End session when time limits are reached                               Enabled
  Set time limit for active but idle Remote Desktop Services sessions    Not Defined
  Set time limit for disconnected sessions                               Enabled (set to one minute)

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Temporary folders

  Setting                                     Value
  Do not delete temp folders upon exit        Disabled
  Do not use temporary folders per session    Disabled

Policy: Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  Setting                               Value
  Do not allow Clipboard redirection    If this feature is used: Not defined. If this feature is not used: Enabled
  Do not allow COM port redirection     If this feature is used: Not defined. If this feature is not used: Enabled
  Do not allow drive redirection        If this feature is used: Not defined. If this feature is not used: Enabled
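Because these settings are applied by hand in 'Out of Domain' deployments, drift is easy to miss; the audit below is an added example, not part of the CyberArk hardening package, for checking the server against the tables in this section and the 'In Domain' section above. It reads the policy registry values that the corresponding Administrative Template settings write (the value-name mapping is my assumption from the standard Terminal Services policy key; confirm it against your GPO reference), and also checks the smart card services and firewall state from the 'In Domain' table.

```powershell
# Added example (not CyberArk code): compare the hardening tables above with the
# live policy registry values, smart card services and firewall profiles.
# Value names are an assumption based on the standard Terminal Services policy key.
$rdsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected values taken from the tables above (1 = Enabled, 0 = Disabled).
$expected = @{
    fDisableAutoReconnect = 1      # Automatic reconnection: Disabled
    KeepAliveInterval     = 1      # Keep-Alive interval: 1
    Shadow                = 2      # Remote control: Full Control without user's permission
    fDisableLPT           = 1      # Do not allow LPT port redirection: Enabled
    fDisablePNPRedir      = 1      # Do not allow supported Plug and Play device redirection: Enabled
    fEncryptRPCTraffic    = 1      # Require secure RPC communication: Enabled
    MinEncryptionLevel    = 3      # Set client connection encryption level: High Level
    fResetBroken          = 1      # End session when time limits are reached: Enabled
    MaxDisconnectionTime  = 60000  # Time limit for disconnected sessions: one minute (ms)
    DeleteTempDirsOnExit  = 1      # Do not delete temp folders upon exit: Disabled
    PerSessionTempDir     = 1      # Do not use temporary folders per session: Disabled
    fDisableClip          = 1      # Do not allow Clipboard redirection (feature not used)
    fDisableCcm           = 1      # Do not allow COM port redirection (feature not used)
    fDisableCdm           = 1      # Do not allow drive redirection (feature not used)
    fDisableCpm           = 1      # Do not allow printer redirection ('In Domain' table)
    fEnableSmartCard      = 0      # Do not allow smart card device redirection: Enabled
}

function Test-PsmRdsHardening {
    $drift = @()
    $actual = Get-ItemProperty -Path $rdsPolicy -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        if ($null -eq $value) { $drift += "$name is not defined (expected $($expected[$name]))" }
        elseif ([int]$value -ne $expected[$name]) { $drift += "$name = $value (expected $($expected[$name]))" }
    }
    # Smart card services from the 'In Domain' table: both must be disabled.
    foreach ($svc in 'SCardSvr', 'SCPolicySvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.StartType -ne 'Disabled') { $drift += "Service $svc start type is $($s.StartType) (expected Disabled)" }
    }
    # Windows Firewall from the 'In Domain' table: every profile enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $drift += "Firewall profile $($p.Name) is disabled" }
    }
    return $drift
}

$findings = Test-PsmRdsHardening
if ($findings.Count -eq 0) { 'All audited settings match the hardening tables.' }
else { $findings | ForEach-Object { "DRIFT: $_" } }
```

Run it in an elevated PowerShell window after applying the INF and CSV files, and again after operating system upgrades, which is when these values most often revert.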