Perform Privilege Cloud Connector post-installation steps

This topic presents verification steps following the installation or upgrade of the Privilege Cloud Connector.

This topic describes the steps you should perform manually after installing the Privilege Cloud Connector, following a change in the environment (adding servers, upgrading a version), after an operating system upgrade, or as part of general maintenance activities.

These tasks are necessary for all types of deployments and are part of maintaining your system.

Update your operating system

Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in their software. Make sure your operating system is updated to the latest version.

You can install the updates in either of the following ways:

  • Manually install updates and service packs.
  • Automatically install with Server Update Services (WSUS), which is located on a corporate network.

Install antivirus

Install an industry standard antivirus software.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP are necessary, and ensure that no additional protocols such as IPX or NetBEUI are not allowed.

Rename default accounts

It is recommended to change the names of both the Administrator and the guest account to names that don't provide information about their permissions.

It is also recommended to create a new locked and unprivileged Administrator user name as bait.

Connector server hostname

Do not rename the Connector server hostname due to Microsoft renaming limitations.

Local Windows Service user permissions and plugins

During the CPM hardening process, three local Windows Service users are created to run the CPM service:

  • PasswordManagerUser

  • PluginManagerUser

  • ScannerUser

To reduce security risks, these local users only have the necessary permissions to run the required services and plugins.

For information about the user permissions, see Configures permissions for Local Windows Service users.

You can change the user permissions to run the plugins with higher privileges. For more information, see How local Windows user permissions may affect plugins.

Set Master Policy for privilege session monitoring and isolation

  1. Learn about setting Master Policy.

  2. Set Master Policy to automatically require privilege session monitoring and isolation.

Install the latest CPM plugins

To ensure enhanced security, download and deploy the most recent plugin release from the CyberArk Marketplace.

Define PSM as a secure zone (optional step)

Optionally, if using secure zones for controlled access, define the PSM's internet-facing IP address as a secure zone, to ensure it can communicate with the CyberArk backend.

If access is through a proxy, define the proxy address as a secure zone.

Learn about access control by applying secure zones.