Info Security Memo
CyberArk PAS (PSM) Installation - Part 4

8/1/2020


High Level Installation Steps:

Basically, follow the hardware requirements in the CyberArk Docs system requirements guide for hardware specs and prerequisite software, then do the installation as shown below.

EPV = Digital Vault + PVWA + CPM
PAS = EPV + PSM

Related Posts:
  • CyberArk PAS (Vault PrivateArk Server and Client) Installation - Part 1
  • CyberArk PAS (PVWA) Installation - Part 2
  • CyberArk PAS (CPM) Installation - Part 3
  • CyberArk PAS (PSM) Installation - Part 4
  • CyberArk PAS (PTA) Installation - Part 5
  • CyberArk PAS (PTA) Configuration - Part 5.1
  • CyberArk PSM HTML5 Gateway Installation and Configuration - Part 6

PSM Architecture (diagram)

PSM Installation (High Level)

Enterprise Password Vault Solution (PSM) Installation High Level (diagram)

For the PSMs:
- Install Windows 2012 R2 or Windows 2016
- Install at least .NET Framework 4.6.2 (if that or a later version is not already included)
- Install all the latest Windows OS patches
- Add the domain account used to install PSM to the local Administrators group of the new PSM VM build
- The rest is performed during the install, which includes:
  o Setting up the Remote Desktop Session Host role (not from the individual checkboxed RD options) and selecting session-based deployment (which will then ask for connection brokers and RD gateway servers in later steps).

Component: Description

PVWA: Password Vault Web Access (PVWA) is a fully featured web interface that provides a single console for requesting, accessing and managing privileged accounts throughout the enterprise by both end users and administrators.

CPM: Central Policy Manager is an integral part of the PAS, controlling and managing the Master Policy. This password management component can change passwords automatically on remote machines and store the new passwords in the EPV, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines, and reconcile them when necessary.

PSM: Privileged Session Manager enables organizations to isolate, monitor, record, and control privileged sessions on critical systems including Unix and Windows-based systems, databases and virtual machines. The solution acts as a jump server and single access control point. It prevents malware from jumping to a target system and records keystrokes and commands for continuous monitoring. The resulting detailed session recordings and audit logs are used to simplify compliance audits and accelerate forensics investigations.

PTA: Privileged Threat Analytics is an expert system for privileged account security intelligence, providing targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user and account activity. The solution applies patent-pending analytic technology to a rich set of privileged user and account behavior collected from multiple sources across the network. CyberArk Privileged Threat Analytics then produces highly accurate and immediately actionable intelligence, allowing incident response teams to respond directly to the attack.


PSM Installation Overview

The PSM installation is divided into several configurable stages: set up, installation, post-installation, hardening and registration.

Note: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/PSM_AutomaticInstallation.htm

PSM Installation - Set Up

This stage performs the following:

Step: Procedure (Default setting)

.Net 4.5.2: This step verifies that a compatible version of .Net Framework is installed on the machine. (Enable = "Yes")

Install Remote Desktop Services: This step installs the Remote Desktop Services (RDS) Session Host Role. (Enable = "Yes")

Disable NLA: This step disables NLA. (Enable = "Yes")

Update the RDS security layer: This step updates the RDS security layer to 1. This step is disabled by default since we highly recommend that you configure secure RDP connections using SSL. For details, see Secure RDP Connections with SSL. Enable this step if you do not secure RDP connections with SSL. (Enable = "No")


Configure the set up stage

  1. From the installation CD, copy the PSM folder to the component server and unzip it.
  2. Open InstallationAutomation\Prerequisites\PrerequisitesConfig.XML and select the steps to enable by setting Enable = "Yes".

Run the set up stage

To run the script in standard mode, open a PowerShell window and run the following commands:

CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Prerequisites\PrerequisitesConfig.XML"

The Remote Desktop Services (RDS) installation requires a machine restart. You will be notified before the restart begins.

To run the script in silent mode, which includes an automatic restart, open a PowerShell window and run the following command:

.\Execute-Stage.ps1 .\Prerequisites\PrerequisitesConfig.XML silent

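A read-only readiness check for the set-up stage, added here as an example (it is not CyberArk code and not part of the original post). It reports whether each prerequisite the stage expects is already in place on the PSM host. It assumes the RDP listener is the default RDP-Tcp and that the .NET release numbers follow Microsoft's registry table (394802 = 4.6.2).

```powershell
# Added example (not CyberArk code): readiness check for the PSM set-up stage.
# Reports .NET 4.6.2+, RDS Session Host role, NLA state, RDP security layer and
# local admin rights. Assumptions: default 'RDP-Tcp' listener; .NET Release value
# 394802 = 4.6.2 (Microsoft registry table). Run in an elevated PowerShell window.
$results = @()

# .NET Framework 4.x exposes its version as the 'Release' DWORD under NDP\v4\Full.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = '.NET Framework 4.6.2 or later'
    Status = if ($ndp -and $ndp.Release -ge 394802) { 'OK' } else { 'MISSING' }
    Detail = if ($ndp) { "Release=$($ndp.Release)" } else { 'NDP v4 Full key not found' }
}

# RDS Session Host role (the set-up stage installs it and then needs a reboot).
$rds = Get-WindowsFeature -Name RDS-RD-Server
$results += [pscustomobject]@{
    Check  = 'Remote Desktop Session Host role'
    Status = if ($rds.Installed) { 'OK' } else { 'NOT INSTALLED' }
    Detail = "InstallState=$($rds.InstallState)"
}

# NLA and the security layer are properties of the RDP-Tcp listener (TerminalServices WMI).
$tsg = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
$results += [pscustomobject]@{
    Check  = 'NLA disabled (set-up step "Disable NLA")'
    Status = if ($tsg.UserAuthenticationRequired -eq 0) { 'OK' } else { 'NLA STILL ENABLED' }
    Detail = "UserAuthenticationRequired=$($tsg.UserAuthenticationRequired)"
}
# SecurityLayer 0 = RDP, 1 = Negotiate, 2 = SSL/TLS. The optional set-up step sets 1; the
# recommended configuration keeps 2 with a trusted certificate, as the note above says.
$layers = @{ 0 = 'RDP only'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
$results += [pscustomobject]@{
    Check  = 'RDP security layer'
    Status = $layers[[int]$tsg.SecurityLayer]
    Detail = "SecurityLayer=$($tsg.SecurityLayer)"
}

# The installing account must be a member of the local Administrators group.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$results += [pscustomobject]@{
    Check  = 'Running as local administrator'
    Status = if ($isAdmin) { 'OK' } else { 'NOT ELEVATED' }
    Detail = $me.Name
}
$results | Format-Table -AutoSize
```

Run it once before Execute-Stage.ps1 to see what the stage will have to change, and again after the reboot to confirm the role and NLA settings took effect.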

PSM Installation Steps:

Run the PSM installation wizard.

To install PSM:
  1. Log on as a domain user who is a member of the local Administrators group.
  2. Create a new folder on the PSM server machine. From the installation CD, copy the contents of the Privileged Session Manager folder to your new folder. Display the contents of the Privileged Session Manager folder.
  3. Start the installation procedure: double-click Setup.exe or, on systems that are UAC-enabled, right-click Setup.exe and select Run as Administrator. The PSM installation wizard appears and displays a list of prerequisites that are installed before the PSM installation continues.
  4. Click Install to begin the installation process; the installation process begins and the Setup window appears.
  5. Click Next until the Destination Location window appears, then click Next to accept the default location provided by the installation.
  6. On the Recordings Folder window, click Next to accept the default recordings folder provided by the installation.
  7. On the Password Vault Web Access Environment window, click Next to accept the default name of the PVWA Configuration Safe provided by the installation.
  8. Click Next; the installation automatically installs the Oracle Instant Client, then displays the Vault's Connection Details window. Click Next.
  9. On the Vault's Username and Password Details window, specify the username and password of the Vault user carrying out this installation, then click Next.
  10. On the API Gateway Connection Details window, enter the protocol and hostname of the PVWA where the PSM connects to the API Gateway, then click Next to display the Setup Complete window. This information is used to generate an endpoint for API calls (<protocol>://<Host>/passwordvault/api).
  11. Click Finish to complete the Privileged Session Manager installation.
  12. Restart the PSM server, and on the PVWA machine run iisreset.




Activate the PSM server

To activate PSM:
  1. If you did not use the default recordings folder provided by the installation, you will need to update the path to the recordings folder.
     Go to PVWA > ADMINISTRATION > Options > Privileged Session Management > General settings > Recorder settings. Update the value of the recordings folder path on the PSM machine.
  2. You need to manually start the CyberArk Privileged Session Manager service:
     1. Go to Start > Settings > Control Panel.
     2. Select Administrative Tools > Services.
     3. Right-click CyberArk Privileged Session Manager.
     4. Select Start.

Post Installation

The post-installation stage configures the PSM server after it has been installed successfully. It performs the following steps automatically. For troubleshooting, or to perform a step manually, see the procedure:

Step: Procedure

Disables the screen saver for local PSM users: Disable the screen saver for the PSM local users
Configures users for PSM sessions: Configure users for PSM sessions
Enables PSM for web applications: Configure PSM to connect to Web applications
Enables users to print PSM sessions: Enable Users to Print PSM Sessions

Configure the post-installation stage

From the CD image, open InstallationAutomation\PostInstallation\PostInstallationConfig.XML and select the steps you want to enable by setting Enable = "Yes".

Run the post-installation stage

Open a PowerShell window and run the following commands:

CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\PostInstallation\PostInstallationConfig.XML"

Following the installation

Perform the following steps, if required:

Step: Description

Check the installation log files: Verify that the installation completed successfully.

Connect to a target system directly from desktop: Required if NLA is enabled in your environment and your users connect directly from their desktops.

Configure the PSM users' passwords: This procedure describes how to configure the PSMConnect and PSMAdminConnect users' passwords so that they are managed by the CPM.

Enable maintenance users to log on remotely: Maintenance users who need to log on remotely to the PSM server must be members of the Remote Desktop Users group on the PSM server and must also be added to the list of users with the "Allow log on through Remote Desktop Services" permission in the Windows security policy.

Hardening

The PSM hardening stage enhances PSM security by defining a highly secured Windows server. The hardening procedure, which disables multiple operating system services on the PSM server machine, is included as part of the PSM installation.

From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML and verify that the following parameters are set to Enable = Yes:

Step: Description

1. Runs the hardening script
The PSM hardening procedure on the PSM server machine enhances PSM security.
Default: Enabled = Yes
Additional step parameters:
  • SupportWebApplications - Set this parameter to Enable="Yes" if you are using web applications.
  • ClearRemoteDesktopUsers - For security reasons, the hardening stage clears the Remote Desktop Users group. The Remote Desktop Users group should include maintenance users that are not administrators or, if ActiveX is used, PSM local users. If you use ActiveX, it is recommended to leave the ClearRemoteDesktopUsers parameter set to "No" and manually delete users from the Remote Desktop Users group after running the script.

2. Runs post hardening tasks
  • Blocks Internet Explorer developer tools
  • Hides PSM local drives in PSM sessions
  • Blocks the Internet Explorer context menu
Default: Enabled = Yes
For details, see After running the hardening script.

3. Runs AppLocker rules
To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.
Default: Enabled = Yes
For details, see Run AppLocker rules.

4. Automatic hardening in 'Out of Domain' deployments
Hardens an 'Out of Domain' PSM server, including:
  • Imports an INF file to the local machine
  • Applies advanced audit
  • Manually adds user changes for installation
  • Sets a time limit for active but idle RDS sessions
Default: Enabled = No
Set to Yes if you are using the PSM server out of domain. For in-domain deployments, see Automatic hardening in 'In Domain' deployments. For configuration details, see Configure 'Out of Domain' PSM servers.

5. Harden TLS Settings
  • Disables SSL/TLS versions earlier than TLS 1.2.
  • RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures RD Connection Broker to work with SQL Server Express.
Default: Enabled = Yes

Run the hardening stage

Open a PowerShell window and run the following commands:

CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"

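A post-hardening verification script, added here as an example (not CyberArk code and not from the original post). It checks three outcomes of the hardening stage described above: SSL/TLS versions below 1.2 disabled on the server side, AppLocker rules in effect with the Application Identity service running, and the Remote Desktop Users group holding only the maintenance accounts you expect. The SCHANNEL registry layout is the standard Windows one; the allowed-member list is a constructed placeholder.

```powershell
# Added example (not CyberArk code): read-only checks after the PSM hardening stage.
# Assumptions: standard SCHANNEL registry layout; $allowedRdu holds the maintenance
# accounts you intentionally left in Remote Desktop Users (constructed placeholder).
$allowedRdu = @('PSMHOST\psm-maint')   # constructed example; adjust to your environment

# 1. "Harden TLS Settings": every protocol older than TLS 1.2 must be disabled server-side.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Get-ItemProperty -Path "$schannel\$proto\Server" -ErrorAction SilentlyContinue
    # Enabled=0 is the explicit "off" switch. A missing key means OS defaults apply, which on
    # 2012 R2 / 2016 still leave TLS 1.0 and 1.1 on, so an absent key counts as not hardened.
    $disabled = ($null -ne $key) -and ($key.Enabled -eq 0)
    '{0,-8} server: {1}' -f $proto, $(if ($disabled) { 'disabled' } else { 'NOT DISABLED' })
}

# 2. "Run AppLocker rules": AppLocker only enforces when the effective policy has rule
#    collections in Enabled mode and the Application Identity service (AppIDSvc) is running.
$appid = Get-Service -Name AppIDSvc
'AppIDSvc: {0} (StartType {1})' -f $appid.Status, $appid.StartType
foreach ($rc in (Get-AppLockerPolicy -Effective).RuleCollections) {
    '{0,-8} rules: {1,3}  mode: {2}' -f $rc.RuleCollectionType, $rc.Count, $rc.EnforcementMode
}

# 3. "ClearRemoteDesktopUsers": only intended maintenance users may remain in the group.
$rdu = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
$unexpected = @($rdu | Where-Object { $allowedRdu -notcontains $_ })
if ($unexpected.Count -gt 0) {
    "Remote Desktop Users contains unexpected members: $($unexpected -join ', ')"
} else {
    'Remote Desktop Users: only expected members present'
}
```

An AppLocker collection reported with zero rules or in AuditOnly mode, or AppIDSvc not running, means sessions on this PSM are not actually restricted yet, whatever HardeningConfig.XML says.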
Change PSM Server ID

  1. First, log in to the PVWA, browse to Administration > System Configuration > Options > Privileged Session Management > Configured PSM Servers, and select the PSM server you need to change from the list of servers. In the properties pane, set the value of the ID property to the new Server ID, then click Apply and OK.
  2. Next, edit the basic_psm.ini file located on the PSM server in the PSM root directory and update the PSMServerID parameter with the new Server ID, save the file, and restart the "CyberArk Privileged Session Manager" service on the PSM server.

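The ini edit and service restart from step 2, as an added example script (not CyberArk code and not from the original post). It takes a timestamped backup, changes only the value of the PSMServerID line while preserving the file's own quoting style, verifies the edit, and only then restarts the service. The PSM root path is a placeholder, and the ini line is assumed to have the form PSMServerID=<value> (matched case-insensitively, quoted or not).

```powershell
# Added example (not CyberArk code): update PSMServerID in basic_psm.ini and restart PSM.
# Assumptions: $PsmRoot default is a placeholder; the key line looks like PSMServerID=<value>
# with or without quotes; the service display name is the one the post gives.
param(
    [string]$PsmRoot = 'C:\Program Files (x86)\CyberArk\PSM',   # placeholder path
    [Parameter(Mandatory)][string]$NewServerId
)

$ini = Join-Path -Path $PsmRoot -ChildPath 'basic_psm.ini'
if (-not (Test-Path -Path $ini)) { throw "basic_psm.ini not found at $ini" }

# Keep an untouched copy so the change can be rolled back.
$backup = "$ini.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ini -Destination $backup

# Group 1 = key and '=', groups 2/3 = any existing quotes, so the file's style is kept.
$pattern = '^(\s*PSMServerID\s*=\s*)("?)[^"\r\n]*("?)\s*$'
$lines   = Get-Content -Path $ini
$matched = @($lines | Where-Object { $_ -match $pattern })
if ($matched.Count -ne 1) { throw "Expected exactly one PSMServerID line, found $($matched.Count)" }

# Replace only the value; -replace on an array applies to every line, others are untouched.
$updated = $lines -replace $pattern, ('${1}${2}' + $NewServerId + '${3}')
Set-Content -Path $ini -Value $updated   # Windows PowerShell default encoding (ANSI)

# Confirm the file now carries the new ID before touching the service.
$after = @((Get-Content -Path $ini) -match $pattern)
if ($after.Count -ne 1 -or $after[0] -notlike "*$NewServerId*") {
    throw "Post-edit verification failed; restore from $backup"
}

Restart-Service -DisplayName 'CyberArk Privileged Session Manager'
"PSMServerID set to $NewServerId (backup: $backup); service restarted"
```

Run it from an elevated prompt on the PSM server after completing step 1 in the PVWA, for example .\Set-PsmServerId.ps1 -NewServerId <new id>.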
via Blogger https://ift.tt/2Xbo07R
July 31, 2020 at 10:26PM CyberArk