High Level Installation Steps:
EPV (Enterprise Password Vault) = Digital Vault + PVWA + CPM
PAS (Privileged Access Security) = EPV + PSM
Related Posts:
- CyberArk PAS (Vault PrivateArk Server and Client) Installation - Part 1
- CyberArk PAS (PVWA) Installation - Part 2
- CyberArk PAS (CPM) Installation - Part 3
- CyberArk PAS (PSM) Installation - Part 4
- CyberArk PAS (PTA) Installation - Part 5
- CyberArk PAS (PTA) Configuration - Part 5.1
- CyberArk PSM HTML5 Gateway Installation and Configuration - Part 6
PSM Architecture (diagram)
PSM Installation (High Level) (diagram)
Component | Description
---|---
PVWA | Password Vault Web Access (PVWA) is a fully featured web interface that provides a single console for requesting, accessing and managing privileged accounts throughout the enterprise by both end users and administrators.
CPM | The Central Policy Manager (CPM) is an integral part of the PAS, controlling and managing the Master Policy. This password management component can change passwords automatically on remote machines and store the new passwords in the EPV, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines, and reconcile them when necessary.
PSM | The Privileged Session Manager (PSM) enables organizations to isolate, monitor, record, and control privileged sessions on critical systems including Unix and Windows-based systems, databases and virtual machines. The solution acts as a jump server and single access control point. It prevents malware from jumping to a target system and records keystrokes and commands for continuous monitoring. The resulting detailed session recordings and audit logs are used to simplify compliance audits and accelerate forensic investigations.
PTA | Privileged Threat Analytics (PTA) is an expert system for privileged account security intelligence, providing targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user and account activity. The solution applies patent-pending analytic technology to a rich set of privileged user and account behavior collected from multiple sources across the network. PTA then produces highly accurate and immediately actionable intelligence, allowing incident response teams to respond directly to the attack.
PSM Installation Overview
Note: the automatic installation procedure is documented at https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/PSM_AutomaticInstallation.htm
PSM Installation - Set Up
The prerequisites stage is driven by PrerequisitesConfig.XML, which contains the following steps:
Step | Procedure | Default setting
---|---|---
.NET 4.5.2 | This step verifies that a compatible version of the .NET Framework is installed on the machine. | Enable = "Yes"
Install Remote Desktop Services | This step installs the Remote Desktop Services (RDS) Session Host role. | Enable = "Yes"
Disable NLA | This step disables Network Level Authentication (NLA) on the RDP listener. Without NLA the RDP session is set up before the user authenticates, so limit which networks can reach the PSM server's RDP port. | Enable = "Yes"
Update the RDS security layer | This step sets the RDS security layer to 1. It is disabled by default because CyberArk strongly recommends securing RDP connections with SSL (see Secure RDP Connections with SSL). Enable this step only if you do not secure RDP connections with SSL. | Enable = "No"

Run the prerequisites stage:
1. From the installation CD, copy the PSM folder to the component server and unzip it.
2. Open InstallationAutomation\Prerequisites\PrerequisitesConfig.XML and select the steps to enable by setting Enable = "Yes".
3. From an elevated PowerShell window, run:
```powershell
cd "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Prerequisites\PrerequisitesConfig.XML"
```
The Remote Desktop Services (RDS) installation requires a machine restart. You will be notified before the restart begins.
To run the script in silent mode, which includes an automatic restart, open a PowerShell window in the InstallationAutomation folder and run:
```powershell
.\Execute-Stage.ps1 .\Prerequisites\PrerequisitesConfig.XML silent
```
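Execute-Stage.ps1 reports what it ran, but it is worth reading the resulting machine state back before moving on, both after this stage and after any later Group Policy refresh. The script below is an added example and not part of the CyberArk installation package: it reads the four items the prerequisites stage controls (.NET Framework release, RDS Session Host role, NLA, RDS security layer) from the standard Windows registry locations and the ServerManager module, and warns when Group Policy also sets the RDP values, because the Policies key overrides the local RDP-Tcp settings and a policy refresh would silently revert the stage. The .NET release threshold and the expected security layer value are taken from the text above; the Policies key check is this example's own addition.

```powershell
# Added example (not CyberArk code): verify the PSM prerequisites stage.
# Run in an elevated PowerShell window on the PSM server (Windows Server, ServerManager module).

$rdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ndpFull   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Get-PsmPrereqState {
    $release = [int](Get-ItemProperty -Path $ndpFull -ErrorAction SilentlyContinue).Release
    $rds     = Get-WindowsFeature -Name RDS-RD-Server
    $rdp     = Get-ItemProperty -Path $rdpTcp
    # Values under the Policies key are written by Group Policy and take precedence over RDP-Tcp.
    $pol     = Get-ItemProperty -Path $rdpPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DotNetRelease       = $release                  # 379893 = .NET Framework 4.5.2
        DotNet452OrLater    = ($release -ge 379893)
        RdsSessionHost      = [bool]$rds.Installed
        NlaRequired         = ($rdp.UserAuthentication -eq 1)
        SecurityLayer       = $rdp.SecurityLayer        # 0 = RDP, 1 = Negotiate, 2 = TLS/SSL
        PolicyNla           = $pol.UserAuthentication   # $null when no GPO sets it
        PolicySecurityLayer = $pol.SecurityLayer
    }
}

function Test-PsmPrereqState {
    # ExpectSecurityLayer: 1 if you enabled the "Update the RDS security layer" step,
    # 2 (TLS/SSL) if you left it disabled and secured RDP with SSL as recommended.
    param([bool]$ExpectNlaDisabled = $true, [int]$ExpectSecurityLayer = 1)

    $s = Get-PsmPrereqState
    $problems = @()
    if (-not $s.DotNet452OrLater) { $problems += ".NET Framework older than 4.5.2 (Release=$($s.DotNetRelease))" }
    if (-not $s.RdsSessionHost)   { $problems += 'RDS Session Host role is not installed' }
    if ($ExpectNlaDisabled -and $s.NlaRequired) { $problems += 'NLA is still required on RDP-Tcp' }
    if ($s.SecurityLayer -ne $ExpectSecurityLayer) {
        $problems += "SecurityLayer is $($s.SecurityLayer), expected $ExpectSecurityLayer"
    }
    if ($null -ne $s.PolicyNla -or $null -ne $s.PolicySecurityLayer) {
        $problems += 'Group Policy also sets NLA/SecurityLayer; it overrides the local values and a policy refresh will revert this stage'
    }

    $s | Format-List
    if ($problems.Count) { Write-Warning ($problems -join [Environment]::NewLine) }
    else { Write-Host 'All PSM prerequisites are in the expected state.' }
    return ($problems.Count -eq 0)
}

Test-PsmPrereqState
```

Re-run the check after the RDS restart and again after the first Group Policy refresh on a domain-joined server; if the Policies key warning appears, the RDP settings have to be fixed in the GPO, not on the box.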
PSM Installation Steps:
Run the PSM installation wizard.
1. Log on as a domain user who is a member of the local Administrators group.
2. Create a new folder on the PSM server machine and copy the contents of the Privileged Session Manager folder from the installation CD into it.
3. Display the contents of the new folder.
4. Start the installation: double-click Setup.exe or, on UAC-enabled systems, right-click Setup.exe and select Run as Administrator. The PSM installation wizard appears and displays the list of prerequisites that are installed before the PSM installation continues.
5. Click Next until the Destination Location window appears, then click Next to accept the default location provided by the installation.
6. On the Recordings Folder window, click Next to accept the default recordings folder provided by the installation.
7. On the Password Vault Web Access Environment window, click Next to accept the default name of the PVWA Configuration Safe provided by the installation.
8. Click Next; the installation automatically installs the Oracle Instant Client, then displays the Vault's Connection Details window. Enter the Vault connection details and click Next.
9. On the Vault's Username and Password Details window, specify the username and password of the Vault user carrying out this installation, then click Next.
10. On the API Gateway Connection Details window, enter the protocol and hostname of the PVWA through which the PSM reaches the API Gateway, then click Next to display the Setup Complete window. This information is used to generate the endpoint for API calls (<protocol>://<Host>/passwordvault/api).
11. Click Finish to complete the Privileged Session Manager installation.
12. Restart the PSM server.
13. On the PVWA machine, run iisreset.
Activate the PSM server
To activate PSM:
1. If you did not use the default recordings folder provided by the installation, update the path to the recordings folder: go to PVWA > ADMINISTRATION > Options > Privileged Session Management > General settings > Recorder settings and update the value of the recordings folder path on the PSM machine.
2. Manually start the CyberArk Privileged Session Manager service:
- Go to Start > Settings > Control Panel.
- Select Administrative Tools > Services.
- Right-click CyberArk Privileged Session Manager.
- Select Start.
Post Installation
The post-installation stage, driven by PostInstallationConfig.XML, contains the following steps:
- Disables the screen saver for local PSM users
- Configures users for PSM sessions
- Enables PSM for web applications
- Enables users to print PSM sessions
Configure the post-installation stage: from the CD image, open InstallationAutomation\PostInstallation\PostInstallationConfig.XML and select the steps you want to enable by setting Enable = "Yes". Then run the post-installation stage:
```powershell
cd "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\PostInstallation\PostInstallationConfig.XML"
```
Following the installation
- Verify that the installation completed successfully.
- If NLA is enabled in your environment and your users connect directly from their desktops, follow the corresponding CyberArk procedure for NLA-enabled environments.
- Configure the PSMConnect and PSMAdminConnect users' passwords so that they are managed by the CPM.
- Maintenance users who need to log on remotely to the PSM server must be members of the Remote Desktop Users group on the PSM server and must also be added to the list of users with the "Allow log on through Remote Desktop Services" permission in the Windows security policy.
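The last item above has two independent conditions (local group membership and the SeRemoteInteractiveLogonRight user right), and a maintenance account that meets only one of them will be refused at the RDP logon. The script below is an added example, not CyberArk code, that checks both for a given account. It uses secedit to export the effective user rights (which include anything applied by Group Policy) and resolves the account to its SID, because the export lists principals as SIDs prefixed with `*`. The account name `CORP\psm-maint` is a made-up placeholder.

```powershell
# Added example (not CyberArk code): check a maintenance account's remote logon
# entitlements on the PSM server. Run elevated.

function Get-RemoteLogonRightSids {
    # secedit writes the effective [Privilege Rights] section as "Right = *SID,*SID"
    $cfg = Join-Path $env:TEMP 'psm-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-PsmMaintenanceUser {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\psm-maint' (placeholder)

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    $members = Get-LocalGroupMember -Group 'Remote Desktop Users'
    $inGroup = [bool]($members | Where-Object { $_.SID.Value -eq $sid })

    $rights      = Get-RemoteLogonRightSids
    $rdUsersSid  = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
    # The right may be granted to the account directly, or inherited through
    # Remote Desktop Users if that group still holds it after hardening.
    $hasRight = ($rights -contains $sid) -or ($inGroup -and ($rights -contains $rdUsersSid))

    [pscustomobject]@{
        Account              = $Account
        Sid                  = $sid
        InRemoteDesktopUsers = $inGroup
        HasRemoteLogonRight  = $hasRight
        Ok                   = ($inGroup -and $hasRight)
    }
}

Test-PsmMaintenanceUser -Account 'CORP\psm-maint'
```

Re-run this after the hardening stage and after any change to the domain GPOs that touch user rights, since both can change the effective SeRemoteInteractiveLogonRight without touching the local group.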
Hardening
The PSM hardening stage enhances PSM security by defining a highly secured Windows server. The hardening procedure, which disables multiple operating system services on the PSM server machine, is included as part of the PSM installation. HardeningConfig.XML contains the following steps:
1. Runs the hardening script. The PSM hardening procedure on the PSM server machine enhances PSM security. Default: Enabled = Yes. Additional step parameters:
2. Runs post-hardening tasks. Default: Enabled = Yes. For details, see After running the hardening script.
3. Runs AppLocker rules. To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications. Default: Enabled = Yes. For details, see Run AppLocker rules.
4. Automatic hardening in 'Out of Domain' deployments. Runs the 'Out of Domain' PSM server hardening, including: Default: Enabled = No. Set to Yes if you are using the PSM server out of domain. For in-domain deployments, see Automatic hardening in 'In Domain' deployments. For configuration details, see Configure 'Out of Domain' PSM servers.
5. Hardens TLS settings. Default: Enabled = Yes.
Run the hardening stage:
```powershell
cd "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"
```
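Two of the hardening steps leave state that is easy to read back and worth recording as a baseline: the effective AppLocker policy (step 3) and the SCHANNEL protocol settings (step 5). The script below is an added example and not part of CyberArk's hardening scripts. It summarises each AppLocker rule collection's enforcement mode and allow/deny counts from the built-in `Get-AppLockerPolicy` cmdlet, confirms the Application Identity service is running (AppLocker rules are not enforced without it), and lists the explicit SCHANNEL protocol state from the standard registry keys. Which protocols CyberArk's TLS step actually disables is not stated on this page, so the protocol list here is the example's own assumption and should be adjusted to your baseline.

```powershell
# Added example (not CyberArk code): read back AppLocker and SCHANNEL state after hardening.
# Run elevated on the PSM server.

Import-Module AppLocker

function Get-AppLockerSummary {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    # Rules are not enforced unless the Application Identity service is running.
    $appId = (Get-Service -Name AppIDSvc).Status
    foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
        $rules = @($coll.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        [pscustomobject]@{
            Collection      = $coll.Type              # Exe, Script, Msi, Dll, Appx
            EnforcementMode = $coll.EnforcementMode   # Enabled, AuditOnly, NotConfigured
            AllowRules      = @($rules | Where-Object { $_.Action -eq 'Allow' }).Count
            DenyRules       = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
            AppIdSvc        = $appId
        }
    }
}

function Get-SchannelProtocolState {
    # Assumed baseline list; edit to match the protocols your TLS hardening is meant to set.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $k = Get-ItemProperty -Path "$base\$p\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol = $p
                Side     = $side
                # No key means the OS default for this Windows version applies; it is not
                # the same as an explicit disable and should be flagged for review.
                Enabled  = if ($null -eq $k) { 'os-default' }
                           elseif ($k.Enabled -eq 0) { 'disabled' }
                           else { 'enabled' }
                DisabledByDefault = if ($null -eq $k) { 'os-default' } else { $k.DisabledByDefault }
            }
        }
    }
}

Get-AppLockerSummary        | Format-Table -AutoSize
Get-SchannelProtocolState   | Format-Table -AutoSize
```

Save both tables with the server name and date; a diff against them after patching or a GPO change is the quickest way to notice that a hardening setting was reverted.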
Change PSM Server ID
- First, log in to the PVWA, browse to Administration > System Configuration > Options > Privileged Session Management > Configured PSM Servers and select the PSM server you need to change from the list of servers. In the properties pane, set the value of the ID property to the new Server ID, then click Apply and OK.
- Next, edit the basic_psm.ini file located in the PSM root directory on the PSM server and update the PSMServerID parameter with the new Server ID (it must match the ID set in the PVWA). Save the file and restart the "CyberArk Privileged Session Manager" service on the PSM server.
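The PVWA side of this change is made in the web interface, but the server side (editing basic_psm.ini and restarting the service) is a good candidate for a small script so that the edit is backed up and the service is confirmed running afterwards. The function below is an added example, not CyberArk code. The default PSM install path is an assumption; the parameter name PSMServerID and the service display name are taken from the text above, and the example ID `PSMServer_SITE2` is made up.

```powershell
# Added example (not CyberArk code): update PSMServerID in basic_psm.ini and restart PSM.
# Run elevated on the PSM server, after changing the ID in the PVWA.

function Set-PsmServerId {
    param(
        [Parameter(Mandatory)][string]$NewId,
        [string]$PsmRoot = 'C:\Program Files (x86)\CyberArk\PSM'   # assumed default install path
    )
    $ini = Join-Path $PsmRoot 'basic_psm.ini'
    if (-not (Test-Path $ini)) { throw "basic_psm.ini not found at $ini" }

    # Keep a timestamped copy so the edit can be rolled back.
    $backup = "$ini.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $ini -Destination $backup

    $pattern = '^\s*PSMServerID\s*='        # -match is case-insensitive by default
    $lines   = Get-Content -Path $ini
    $hits    = @($lines | Where-Object { $_ -match $pattern })
    if ($hits.Count -ne 1) { throw "Expected exactly one PSMServerID line in $ini, found $($hits.Count)" }
    $oldId = ($hits[0] -split '=', 2)[1].Trim()

    $updated = $lines | ForEach-Object { if ($_ -match $pattern) { "PSMServerID=$NewId" } else { $_ } }
    Set-Content -Path $ini -Value $updated

    # Restart the service so the new ID is read, and confirm it came back up.
    $svc = Get-Service -DisplayName 'CyberArk Privileged Session Manager'
    Restart-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()

    [pscustomobject]@{
        OldId         = $oldId
        NewId         = $NewId
        Backup        = $backup
        ServiceStatus = $svc.Status
    }
}

# Usage; the ID is a made-up example and must already be set on the PVWA side.
Set-PsmServerId -NewId 'PSMServer_SITE2'
```

If the service does not reach Running within the timeout, WaitForStatus throws; restore the backup file and check the PSM logs before retrying rather than leaving the two IDs out of step.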
via Blogger https://ift.tt/2Xbo07R
July 31, 2020 at 10:26PM CyberArk