PSM Hardening

The PSM hardening process enhances PSM security by defining a highly secured Windows server. This topic describes the PSM hardening stage, which is a series of hardening tasks that are performed after the server software is installed, as part of the overall installation process. The hardening stage, which disables multiple operating system services on the PSM server machine, is performed mostly by scripts. Some of the tasks require customer input and so must be done manually.

Work flow

This table describes the work flow of the hardening stage, what parts are automated, and what happens during each step.

Step

Automated

Details

  1. Run the initial hardening tasks (PSM hardening script)

Yes

(the default installation script configuration is Enabled=Yes)

The PSM hardening procedure on the PSM server machine enhances PSM security.

Configurable parameters:

  • SupportWebApplications

    Set this parameter to Enable="Yes" if you are using web applications.

  • ClearRemoteDesktopUsers

    For security reasons, the hardening script clears the Remote Desktop Users group.

    The Remote Desktop Users group should include maintenance users that are not administrators.

  1. Run the post-hardening tasks

Yes

Default: Enabled = Yes

This step of the hardening process does the following:

  • Hides PSM local drives in PSM sessions
  1. Run the AppLocker script

Yes

Default: Enabled = Yes

The PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine based on unique file identities. To limit the applications that may be launched during a PSM session. These rules specify which users or groups can run those applications.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening. If your environment includes executables that must be allowed in addition to those that are part of the PSM installation (such as PSM Universal Connectors executables), edit this file to add rules that allow these executables. If you have connectors deployed using shared universal connector deployment on multiple PSM servers, they are updated automatically in the AppLocker rules.

Any changes or additions you make to the default configurations of the AppLocker file may affect the security of your environment, and are outside of CyberArk’s control. It is your responsibility to verify these changes are in line with your organization's security policies.

  1. Harden the "Out of Domain" environment

 

Yes

Default: Enabled = No

Set the parameter in the hardening file to Yes if you are installing the PSM server out of domain.

This step of the hardening process does the following:

  • Imports an INF file to the local machine
  • Applies advanced audit
  • Manually adds user changes for installation
  • Sets a time limit for active but idle RDS sessions

No

When this hardening task is done, complete the "Out of Domain" hardening with the manual part of the step described in 'Out of Domain' deployments.

OR

Harden the "In Domain" environment

No

(manual task)

This task is required when you install the PSM server in domain. Do the following:

  1. Harden the TLS settings

Yes

Default: Enabled = Yes

This step does the following:

  • Disables SSL/TLS versions earlier than TLS 1.2.
  • RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures the RD Connection Broker to work with SQL Server Express.
  • If the PSM Server machine is running on Windows 2016 and you have SQL server SP2 installed, select the TLS hardening checkbox to upgrade the SQL server to SP3.

  • If you need to enable earlier versions of SSL/TLS after this script has run (for example, if your custom PSM connectors and installed clients utilize TLS 1.0/1.1), configure the Windows registry as follows:

    1. Go to [HKEY_LOCAL_MACHINE\SYSTEM
      \CurrentControlSet\Control
      \SecurityProviders\SCHANNEL
      \Protocols\<SSL/TLS version>

    2. Under Client and/or Server, change value for DisabledByDefault to 0 and the value for Enabled to 1.
  1. Apply post-hardening configurations

No

These activities should be done for all deployments, regardless of where the server is installed.

 

If you need to troubleshoot the automatic hardening or perform any of the tasks manually, see PSM Hardening Tasks.

Required manual hardening tasks

'Out of Domain' deployments

Part of hardening the PSM servers is adjusting the group policy based on your corporate security policy. This part of the hardening procedure is not included in the hardening script and must be performed manually.

The following settings control the administrative templates and Remote Desktop Services access.

Policy Setting
Services

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Connections

Automatic reconnection Disabled
Configure keep-alive connection interval

Enabled

Keep-Alive interval:1

Deny logoff of an administrator logged in to the console session

Enabled

Set rules for remote control of Remote Desktop Services user sessions

Enabled

Full Control without user's permission

Do not allow LPT port redirection

Enabled

Do not allow supported Plug and Play device redirection

Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment

Remove "Disconnect" option from Shut Down dialog Enabled
Remove Windows Security item from Start menu

Enabled

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Security

Do not allow local administrators to customize permissions Not Defined
Require secure RPC communication

Enabled

Set client connection encryption level

Enabled
Encryption Level: High Level

Administrative Templates → Windows components →  Remote Desktop Services → Remote Desktop Session Host → Session Time Limits

End session when time limits are reached Enabled
Set time limit for active but idle Remote Desktop Services sessions

Not Defined

Set time limit for disconnected sessions

Enabled

Set to one minute

Administrative Templates → Windows components → Remote Desktop Services → Remote Desktop Session Host → Temporary folders

Do not delete temp folders upon exit Disabled
Do not use temporary folders per session

Disabled

This part of the hardening stage is customer specific, so it isn't configured in the INF file that is imported by the hardening script. The following settings should be configured based on your own security policy.

Policy Setting
Services

Administrative Templates  → Windows components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Do not allow Clipboard redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled
Do not allow COM port redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled
Do not allow drive redirection
  • If this feature is used: Not defined
  • If this feature is not used: Enabled

'In Domain' deployments

This section describes how to manually apply hardening to the PSM server when it is deployed in domain. You can configure the parameters listed below to align with the corporate security policy of your organization.

  1. If smart cards are not used with the PSM server(s), use the following to disable this feature.

    Policy Setting

    Services

    Vulnerability: Unnecessary services are expose the server to  vulnerabilities and increasing the attack surface

    Smart Card

    Disabled

    Smart Card Removal Policy

    Disabled

    1. To Harden via a Group Policy Object (GPO),

      Create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

      Policy Setting

      Services

      Vulnerability: Unnecessary services expose the server to  vulnerabilities and increase the attack surface

      Do not allow smart card device redirection

      Enabled

    2. To Harden via a Group Policy Object (GPO), do the following:

      Create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

  2. To Enable the Firewall, do the following:

    Assuming all required network rules for proper PSM functioning are known (user machines, target machines and other servers and services), it is recommended to enable the Windows firewall.

    Policy Setting

    Services

    Vulnerability: Unnecessary services expose the server to vulnerabilities and increase the attack surface.

    Windows Firewall Enabled
    1. To Harden via a Group Policy Object (GPO):

      Create a new group policy object (Services): Computer Configuration → Policies → Windows Settings → Security Settings → System Services

  3. To Disable Remote Desktop Services Redirection, do the following:

    If Clipboard/Drive/Printer redirection are not being used, disable them.

    Policy Setting

    Terminal Service Hardening

    Vulnerability: Clipboard mapping enables the client to transfer a virus or a malicious application to the server as well as copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting to the whole network or damaging the system.

    Do not allow Clipboard redirection Enabled
    Do not allow drive redirection Enabled
    Do not allow printer redirection Enabled
    1. To Harden via a Group Policy Object (GPO):

      Create a new group policy object (Services): Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection

Ongoing manual hardening tasks

This section describes the manual hardening tasks that are necessary for all types of deployments and that are part of maintaining your system. Perform them after running the hardening script, and after completing the in-domain hardening tasks (if necessary). You should also perform them periodically, for example if you change something in the environment (add servers, upgrade a version), after an operating system upgrade, and as part of general maintenance activities.

Update your operating system

Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in their software. Make sure your operating system is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install with Server Update Services (WSUS), which is located on a corporate network.

Install an anti-virus solution

In today’s world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:

  • Server infected with viruses that might damage the server and the entire network.
  • Trojan horses that are planted to allow remote control of the server and to all the information on it.

Install an anti-virus solution and update it as needed.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that the unnecessary roles are not installed on the server

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP are necessary, and ensure that no additional protocols such as IPX or NetBEUI are allowed.

Rename default accounts

It is recommended to change the names of both the Administrator and the guest account to names that don't provide information about their permissions.

It is also recommended to create a new locked and unprivileged Administrator user name as bait.

Enable Microsoft Edge

Configure AppLocker to enable Microsoft Edge

  1. Remove the read-only permission from the PSMConfigureAppLocker.xml file.

  2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:

    Make sure that the following lines exist and are uncommented:

    <Application Name="PSM-WebAppDispatcher" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" /> 
    <Application Name="PSM-ProgressBar" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Publisher" />
    <Application Name="msedgedriver" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />

    Verify that the path specified in the xml matches the browser installation path.

  3. Save the PSMConfigureAppLocker.xml configuration file and close it.

  4. Use the following commands to run PowerShell and start the script:

    • In a PowerShell window, open the PSM installation >\Hardening folder.

       
      CD “C:\Program Files (x86)\CyberArk\PSM\Hardening”
    • To start the script, run the following command:

       
      ./PSMConfigureAppLocker.ps1

For more information, see Run AppLocker rules.

Harden the Edge browser on the PSM server