426520217 Hardening the Cyber Ark CPM and PVWA Servers PDF

Title 426520217 Hardening the Cyber Ark CPM and PVWA Servers
Course CyberArk
Institution Cyber University
Pages 106
File Size 2.6 MB
File Type PDF


Hardening the CyberArk CPMand PVWA Servers Version 10.5

Copyright © 1999-2018 CyberArk Software Ltd. All rights reserved. This document contains information and ideas, which are proprietary to CyberArk Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, without the prior written permission of CyberArk Software Ltd. CAHEPV-10-5-0-1


Table of Contents

Harden the CyberArk CPM and PVWA Servers ... 4
  'In Domain' Deployments ... 5
    Backing Up the GPO File (In Domain) ... 10
    Importing a GPO file to an Active Directory Domain (In Domain) ... 12
  'Out of Domain' Deployments ... 16
    Automatic implementation ... 17
      Harden the CPM server ... 17
      Hardening the PVWA ... 17
      After running the scripts ... 18
      Additional manual steps ... 18
    Manual implementation ... 19
      Importing an INF File to the Local Machine ... 20
General Configuration for all Deployments ... 21
  Update your Operating System ... 22
  Install an Anti-Virus Solution ... 22
  Restrict Network Protocols ... 22
  Rename Default Accounts ... 22
  Validate Proper Server Roles ... 22
    Roles ... 23
    Features ... 24
  IIS Hardening (PVWA Only) ... 24
    Shares ... 24
    Application Pool ... 25
    Web Distributed Authoring and Versioning (WebDAV) ... 26
    MIME Types ... 26
    SSL/TLS Settings ... 27
    Cipher Suites ... 31
    Minimal key length ... 32
  Secure PKI Authentication (PVWA Only) ... 33
  Cryptography Mode Settings (CPM only) ... 33
  Cryptography Mode Settings for PVWA ... 34
Configure PVWA and CPM Servers in 'In Domain' Deployments ... 35
  Automatic procedures (handled by GPO and installation scripts) ... 36
  Manual procedures ... 36
Configure PVWA and CPM Servers in 'Out of Domain' Deployments ... 40
  Automatic procedures (Handled by INF files) ... 41
  Manual Procedures ... 41
    Screen Saver ... 42
    Advanced audit policy configuration ... 43
    Remote desktop services ... 44
    General auditing configuration, registry and file system ... 46
  Additional manual steps ... 48
GPO Settings ... 52


Harden the CyberArk CPMand PVWA Servers This section describes automatic and manual procedures for hardening CyberArk's CPM and PVWA servers. These procedures were tested and reviewed by CyberArk's Research and Development department and CyberArk's Security Team. The automatic procedure and the manual procedure complement each other and, therefore, both must be applied. When the CPM and PVWA server environments are part of Active Directory domain ('In Domain'), the automatic hardening procedure is based on a prepared GPO (Group Policy Object) file. However, when the CPM and PVWAserver environments are not a part of Active Directory domain ('Out of Domain'), it is based on an INF file. This section describes how to harden CyberArk's CPM and PVWA servers that are installed on Windows 2012R2 and Windows 2016 Servers in 'In Domain' deployments as well as in 'Out of Domain' deployments.


'In Domain' Deployments

Backup the GPO file (In Domain)

1. In Group Policy Objects, right-click the GPO to back up and select Back Up. The Back Up Group Policy Object window appears.

2. Click Browse and navigate to the new target backup folder, then click Back Up. The Backup window appears and displays the backup progress.


3. When the backup has finished, click OK.

Import a GPO file to an Active Directory domain (In Domain)

1. Get the most recent Group Policy Object (GPO) backup. Create this backup manually from your GPO as described in Backing Up the GPO File (In Domain), page 10.

2. Open the Group Policy Management Console (GPMC.msc).

3. Create a new GPO that will inherit the settings of the latest GPO backup: display and right-click Group Policy Objects and select New.

4. Specify a new name for the GPO, then click OK.

Note: Specify a name that indicates the purpose of the GPO. This name is displayed to all users.


5. In the list of Group Policy Objects, right-click the new GPO and select Import Settings….

The Import Settings Wizard appears.

6. In the Welcome to the Import Settings Wizard window, click Next; the Backup GPO window appears.


You do not have to configure a backup, as this GPO is new.

7. Click Next; the Backup location screen appears.

8. Click Browse…, select the folder where the hardening settings are stored, then click Next; the Source GPO window appears.


9. Select the displayed backed up GPO, then click Next; the Scanning Backup window appears. Note: No references to domain/UNC paths should be found.

10. Click Next; the Completing the Import Settings Wizard window appears.

11. Click Finish; the Import window appears and shows the progress of the GPO import.


12. When the GPO import process has completed, click OK.

Update the GPO file (In Domain)

1. In Group Policy Objects, right-click the GPO that you created in the previous step and select Edit.

Note: Do not add any domain-specific settings to the GPO, and make sure that there are no domain-specific settings in the GPO unless they were configured manually by the customer. Examples of domain-specific settings: "Domain\Domain Admins", "Domain\Connect", "Domain\AdminConnect".

Backing Up the GPOFile (In Domain) 1. In Group Policy Objects, right-click the same GPO and select Back Up.

The Back Up Group Policy Object window appears. 2. Click Browse and navigate to the new target backup folder, then click Back Up.

Privileged Access Security

Hardening the CyberArk CPMand PVWA Servers

The Backup window appears and displays the backup progress.

3. When the backup has finished, click OK.


'Out of Domain' Deployments This section describes how to apply automatic hardening procedures in 'Out of Domain' deployments. CyberArk offers two methods of implementation for hardening the CPM and PVWA servers.


Automatic implementation

This automatic method covers all post-installation and hardening steps that are required to secure your server, and it uses PowerShell scripts. If the CPM and PVWA are both installed on the same server, run both scripts.

Note: When installing PSM on the same machine as CPM and/or PVWA, run the CPM/PVWA hardening scripts before installing the PSM.

Harden the CPM server

1. In the Installation CD Image InstallationAutomation folder (...\Central Policy Manager\InstallationAutomation), locate the "CPM_Hardening.ps1" script.

2. Open PowerShell as Administrator and run this script.

This script creates a log file that lists all the steps that were carried out (successful or failed). For each step, the log includes the value before the change and the value after it. The script log is created in the same folder as the script and is called "HardeningScript.log". The steps performed by the script are explained below, in Manual implementation, page 19.

The script also creates a log file that analyzes the changes made when the Hardening INF file is imported. This log file is called "CYBR_Hardening_secedit.log". The steps performed when the Hardening INF file is imported are also explained in Manual implementation, page 19.

After the script has finished running, review both log files to verify that no errors occurred and that all hardening steps were completed successfully. If one of the steps failed, you can perform it manually using the steps described in Manual implementation, page 19.

Hardening the PVWA

1. In the Installation CD Image InstallationAutomation folder (...\Password Vault Web Access\InstallationAutomation), locate the "PVWA_Hardening.ps1" script.

2. Open PowerShell as Administrator and run this script.

This script creates a log file that lists all the steps that were carried out (successful or failed). For each step, the log includes the value before the change and the value after it.


The script log is created in the same folder as the script and is called "HardeningScript.log". The steps performed by the script are explained below, in Manual implementation, page 19. This script also creates a log file that analyzes the changes made when the Hardening INF file is imported. The log file is called "CYBR_Hardening_secedit.log". The steps performed when the Hardening INF file is imported are explained below, in Manual implementation, page 19.

After running the scripts

1. Review the script logs to verify that no errors occurred and that all hardening steps were completed successfully. If one of the steps failed, you can perform it manually using the steps described below, in Manual implementation, page 19.

2. Restart the server machine.

Additional manual steps

The following additional manual steps harden your CPM/PVWA server even further:

■ Update your Operating System, page 22
■ Install an Anti-Virus Solution, page 22
■ Restrict Network Protocols, page 22
■ Rename Default Accounts, page 22
■ Application Pool, page 25
■ Cipher Suites, page 31
■ Minimal key length, page 32
■ Secure PKI Authentication (PVWA Only), page 33
■ Manual procedures, page 36
■ Clear the "Log on as a service" configuration from all other users, as listed in Additional manual steps, page 48


Manual implementation

Import an INF file to the local machine

Tip: This step is performed automatically using the PowerShell script.

1. Open the MS Management Console by running mmc.exe.

2. Configure the export settings. If you are configuring a hardening environment, skip this step and go to step 3, where you configure the import settings.
   a. From File, select Add/Remove Snap-ins, and add Security Templates.
   b. Right-click, select New template and name it.
   c. Expand the template and configure it according to your hardening definitions.
   Note: Only security settings appear here; other settings must be set manually. Audit settings do not appear here either; they must be set via gpedit.msc.
   d. Right-click the template and save it as an INF file.

3. Configure the import settings: in the MMC, display Add/Remove Snap-ins and add Security Configuration and Analysis.

4. Create a new database:
   a. Right-click Security Configuration and Analysis and, from the pop-up menu, select Open Database.
   b. Type the name of the new database or select an existing one, then click Open.
   c. Select the ini file of the hardening settings. For example, CyberArk_PAS_Local Security Templates.ini.
   d. Right-click the imported file and select Import Template, then select your ini file.
   e. Right-click the imported file again, then select Configure Computer Now.
   f. Right-click the imported file again, then select Analyze Computer Now.
   g. Expand the Console Root and review the settings in Local Policies/User Rights Assignment and Local Policies/Security Options. Compare the database settings with the computer settings and apply by hand any settings that were not imported. Note the green/red indications and "Database Setting" vs. "Computer Setting".

Note: Importing the local security policy overwrites the local group policy. Use the export steps above (step 2) to back up your current settings first.
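The snap-in steps above can be driven from the command line with secedit.exe, the tool behind the CYBR_Hardening_secedit.log that the automatic scripts produce. The following is an added example, not CyberArk's CPM_Hardening.ps1 or PVWA_Hardening.ps1: it backs up the current local policy before overwriting it, applies the template, re-analyzes, and surfaces log lines to review. The template and working-directory paths are placeholders, and the log-line patterns it checks are assumed from typical secedit output.

```powershell
# Added example (not CyberArk's hardening script): apply a hardening INF with
# secedit.exe and review its log, mirroring the "Security Configuration and
# Analysis" snap-in steps. Run from an elevated PowerShell prompt.
param(
    [string]$TemplateInf = 'C:\CyberArk\Hardening\hardening.inf',  # placeholder path
    [string]$WorkDir     = 'C:\CyberArk\Hardening'                 # placeholder path
)

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupInf = Join-Path $WorkDir "LocalPolicyBackup-$stamp.inf"
$database  = Join-Path $WorkDir "hardening-$stamp.sdb"
$log       = Join-Path $WorkDir "secedit-$stamp.log"

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
if (-not (Test-Path $TemplateInf)) { throw "Template not found: $TemplateInf" }

# 1. Export the current local security policy first. Importing a template
#    overwrites the local policy, so this backup is the only way back.
secedit.exe /export /cfg $backupInf /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# 2. Load the template into a fresh database and apply it to the computer
#    (Open Database -> Import Template -> Configure Computer Now).
secedit.exe /configure /db $database /cfg $TemplateInf /overwrite /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE)" }

# 3. Analyze against the same database so the log records every setting the
#    computer still does not match (Analyze Computer Now).
secedit.exe /analyze /db $database /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE)" }

# 4. Review the log as the guide requires. The patterns below are assumptions
#    based on typical secedit log lines ("Error 5: ...", "Mismatch - ...").
$lines    = Get-Content -Path $log
$errors   = @($lines | Where-Object { $_ -match '^\s*Error\b' })
$mismatch = @($lines | Where-Object { $_ -match 'Mismatch' })

"Backup of previous local policy: $backupInf"
"secedit log: $log"
foreach ($e in $errors)   { Write-Warning "secedit error, apply this setting manually: $e" }
foreach ($m in $mismatch) { Write-Warning "still differs from template, review in the snap-in: $m" }
if ($errors.Count -eq 0 -and $mismatch.Count -eq 0) {
    'Hardening template applied; no errors or mismatches reported.'
}
```

Keep the exported backup INF with the secedit log; re-running step 2 with the backup as the template restores the previous local policy.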


General Configuration for all Deployments This section describes configuration that must be performed in 'In Domain' deployments as well as in 'Out of Domain' deployments.


Update your Operating System

Microsoft releases periodic updates (security updates and service packs) to address security issues discovered in its operating systems. Make sure your operating system is updated to the latest version. You can install the updates in either of the following ways:

■ Manually install updates and service packs
■ Install them automatically with Windows Server Update Services (WSUS), located on the corporate network

Install an Anti-Virus Solution

Today, new viruses are developed at a very fast pace. Servers without anti-virus protection are exposed to two risks:

■ Infection with viruses that might damage the server and the entire network
■ Trojan horses that are planted to allow remote control of the server and of all the information on it

Install an anti-virus solution and keep it updated.

Restrict Network Protocols

Install only the required protocols and remove unnecessary ones. For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.

Rename Default Accounts

It is recommended to rename both the Administrator and the Guest accounts to names that do not reveal their privileges. It is also recommended to create a new, locked and unprivileged account named Administrator as a decoy.

Validate Proper Server Roles Tip: This step is performed automatically using the PowerShell script.


To minimize your attack surface, as a best practice, make sure that only the minimum roles and features that are required are defined on the CPM and PVWA server(s). Remove all unnecessary roles and features.

For information about installing and enabling the required roles and features for the PVWA and CPM, refer to the Privileged Access Security Installation Guide.

Note:

■ Unless otherwise specified, the roles and features below are listed by their specific names. No parent role is listed on the assumption that removing it also removes its child dependencies; remove only the roles that are listed. However, when removing roles you will sometimes be prompted to remove dependent features and/or roles, which is acceptable for the roles listed below. Always elect to remove these dependent features and/or roles when prompted (unless they are required by your environment for some reason).

■ Removing the "SMB 1.0/CIFS File Sharing Support" feature disables Windows account management and the discovery of Scheduled Task dependencies by the CPM Scanner on old target machines that only support SMB 1.0, e.g. Windows XP and Windows 2003. It is nonetheless recommended to disable SMB 1.0 due to its known security issues.

The following list enumerates the server roles and features that can be safely removed.

Roles

Application Server
  ■ TCP Port Sharing
  ■ Windows Process Activation Service Support
    ■ Named Pipes Activation
    ■ TCP Activation

Remote Access
  ■ DirectAccess and VPN (RAS)
  ■ Routing
  ■ Web Application Proxy (with dependent features)

Web Server (IIS)
  ■ Web Server
    ■ Health and Diagnostics
      ■ Logging Tools
      ■ Tracing
    ■ Security
      ■ Centralized SSL Certificate Support
      ■ Client Certificate Mapping Authentication
      ■ Dig...
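As an added example (not CyberArk's hardening script) of the report-before-you-remove approach that the scripts' before/after logging implies, the following PowerShell audits the roles and features listed above by the display names shown in the list and, only when run with -Remove, uninstalls the ones that are installed, logging the state before and after. It assumes the ServerManager module of Windows Server 2012 R2/2016 and an elevated prompt; the log path is a placeholder.

```powershell
# Added example (not CyberArk's hardening script): audit and optionally remove
# the roles/features the guide lists, with before/after logging.
param(
    [switch]$Remove,                                        # without it: report only
    [string]$LogPath = "$PSScriptRoot\RoleHardening.log"    # placeholder location
)
Import-Module ServerManager

# Display names copied from the guide's removal list. Matching on DisplayName
# avoids hard-coding internal feature names, but a name such as "TCP Port
# Sharing" also exists under .NET Framework WCF Services, so the report prints
# the internal Name and Path for the operator to confirm before removing.
$removableDisplayNames = @(
    'TCP Port Sharing', 'Named Pipes Activation', 'TCP Activation',
    'DirectAccess and VPN (RAS)', 'Routing', 'Web Application Proxy',
    'Logging Tools', 'Tracing',
    'Centralized SSL Certificate Support', 'Client Certificate Mapping Authentication',
    'SMB 1.0/CIFS File Sharing Support'   # see the SMB 1.0 caveat in the note above
)

function Get-RemovableFeatureState {
    Get-WindowsFeature |
        Where-Object { $removableDisplayNames -contains $_.DisplayName } |
        Select-Object Name, DisplayName, Path, Installed
}

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

$before = @(Get-RemovableFeatureState)
foreach ($f in $before) {
    Write-Log ('BEFORE {0} [{1}] Installed={2}' -f $f.Path, $f.Name, $f.Installed)
}

$installed = @($before | Where-Object { $_.Installed })
if ($installed.Count -eq 0) { Write-Log 'No listed roles/features are installed.'; return }
if (-not $Remove) {
    Write-Log ('{0} listed feature(s) installed; re-run with -Remove to uninstall them.' -f $installed.Count)
    return
}

# Uninstall-WindowsFeature also removes dependent sub-features, which matches
# the guide's advice to accept dependent removals when prompted.
$result = Uninstall-WindowsFeature -Name $installed.Name
Write-Log ('Uninstall result: Success={0} RestartNeeded={1}' -f $result.Success, $result.RestartNeeded)

foreach ($f in Get-RemovableFeatureState) {
    Write-Log ('AFTER  {0} [{1}] Installed={2}' -f $f.Path, $f.Name, $f.Installed)
}
```

Run it once without -Remove, check the logged Path of every match against the list above, then run it with -Remove and restart the server as the guide directs.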

