CyberArk PAS Studying - Install and Configure - 2. The Enterprise Password Vault - NETSEC


Friday, April 3, 2020

CyberArk PAS Studying - Install and Configure - 2. The Enterprise Password Vault


EPV = Digital Vault + PVWA + CPM

OBJECTIVES
By the end of this post you will be able to:
• Describe the main components of the Enterprise Password Vault
• Understand the Digital Vault Security Standard
• Describe the Vault server environment
• Describe the different Layers of Security that protect the Vault Data
• Install the Vault
• Review the process for HSM integration



Related Posts:
CyberArk PAS Studying - Install and Configure - 1. Core PAS Review and Security
CyberArk PAS Studying - Install and Configure - 2. The Enterprise Password Vault
CyberArk PAS Studying - Install and Configure - 3. CPM and PVWA
CyberArk PAS Studying - Install and Configure - 4. Vault Integrations
CyberArk PAS Studying - Install and Configure - 5. Authentication Methods
CyberArk PAS Studying - Install and Configure - 6. Pre Implementation
CyberArk PAS Studying - Install and Configure - 7. Privileged Session Manager Installation and Configuration
CyberArk PAS Studying - Install and Configure - 8. PSM Load Balancing
CyberArk PAS Studying - Install and Configure - 9. PSM for SSH Servers
CyberArk PAS Studying - Install and Configure - 10. Securing CyberArk
CyberArk PAS Studying - Install and Configure - 11. Disaster Recovery and the Vault Backup Solution
CyberArk PAS Studying - Install and Configure - 12. Vault Availability Cluster Vault
CyberArk PAS Studying - Install and Configure - 13. EPV Configuration and Performance Tuning


MULTIPLE LAYERS OF SECURITY
ENTERPRISE PASSWORD VAULT OVERVIEW
The Enterprise Password Vault (EPV) is:
• The core of CyberArk’s PAS (Privileged Account Security) solution
• The secure storage location for all privileged account information
• Secured using CyberArk’s patented Vaulting technology

There are 7 layers of security between Vault users and stored credentials:

  1. Session Encryption
  2. Firewall
  3. Authentication
  4. RBAC = Role Based Access Control
  5. MAC = Mandatory Access Control
  6. Auditing
  7. File Encryption

CyberArk Proprietary Protocol: TCP 1858

FIREWALL
• During installation, the Vault takes control of the Windows firewall and re-brands it the “CyberArk Hardened Windows Firewall”
• By default, only the CyberArk Proprietary Protocol is allowed, via port TCP 1858
• The CyberArk Hardened Windows Firewall should be managed through CyberArk configuration files and not through the Windows OS tools
• If the Vault is down, the firewall is down and no external communication is allowed


[Slide images 02-WS-PAS-Install-The-Vault-08 to -11 not reproduced]


FILE ENCRYPTION
• Modular structure: the Encryption, Hashing, and Authentication modules can be replaced by the customer
• Supported Encryption and Hash Algorithms:
  • AES 256 / AES 128
  • RSA 2048 / RSA 1024
  • 3DES
  • SHA 256
• Every object has a unique encryption key
• When a user is removed from the system, they hold no encryption key
• Secure recovery mechanism for encryption keys
• Backups are always encrypted and always recoverable


STANDALONE VAULT INSTALLATION

HOW ENCRYPTION KEYS ARE DISTRIBUTED

Every new customer will receive an installation package consisting of:
• Two copies of the Operator CD
  • The Operator CD contains:
    • Server Key
    • Recovery Public Key
  • The Operator CD keys are required to install and start the Vault server
• Two copies of the Master CD
  • The Master CD contains the contents of the Operator CD plus:
    • Recovery Private Key
  • The Master CD should only be used in emergency situations
• License Agreement


INSTALLATION PACKAGE

• Vault Installation Package:
  • Ensure that the following items are copied locally to the Vault Server before hardening:
    1. CyberArk Server and Client installation software
    2. Operator CD, which can be copied locally in preparation for HSM integration (recommended) or inserted into the CD drive
    3. CyberArk License File
    4. Digital Certificates installed in support of LDAP Integration

[Slide images 02-WS-PAS-Install-The-Vault-16 to -27 (installation walkthrough) not reproduced]




VERIFY INSTALLATION SERVER AND VAULT ENVIRONMENT



[Slide images 02-WS-PAS-Install-The-Vault-30 and -31 not reproduced]



VAULT HARDENING AND SECURITY

DIGITAL VAULT SECURITY STANDARD

• By implementing the CyberArk Digital Vault in accordance with the Digital Vault Security Standard at https://docs.cyberark.com/, customers will be able to apply the highest levels of protection to this highly sensitive system.
• It is imperative that customers implement the security standard described in that document in order to maintain the level of security that is built into the Digital Vault software and used to protect your most sensitive information.


DIGITAL VAULT SECURITY STANDARD KEY RECOMMENDATIONS

• The Digital Vault should be installed on a dedicated physical machine (recommended), built from original Microsoft installation media.
• The dedicated Digital Vault Server should be built from the original Microsoft installation media, and NO third-party software, such as anti-virus or remote management solutions, should be installed.
• The Digital Vault Server shall NOT be a member of any enterprise domain (installing the Digital Vault software on a domain member server requires enabling protocols and services and exposes the Digital Vault to a wider array of attacks).
[Slide images 02-WS-PAS-Install-The-Vault-32, -33 and -37 to -39 not reproduced]


VAULT HARDENING AND SECURITY SUMMARY
• Isolate the Server
  • Consider placing the Vault in a secure VLAN.
  • No domain membership or trusts.
  • Only TCP/IP v4.
  • No DNS or WINS: use a manually configured hosts file when host name resolution is required.

• Harden the Server
  • Remove unnecessary services.
  • Restrict network access to the CyberArk protocol only.
  • Only the Vault Server and PrivateArk Client should be installed.
  • No 3rd-party applications or agents, assuring a sterile environment.
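As an added example (written for this post, not a CyberArk-supplied script), the following read-only PowerShell check reports deviations from the summary above when run locally on the Vault server. It assumes Windows PowerShell 5.1 with administrator rights, the TCP 1858 port from the post, and a short, assumed list of what "unnecessary services" covers; it only reads state, since the firewall itself must stay managed through the CyberArk configuration files.

```powershell
# Read-only hardening check for a CyberArk Vault server (example for this post,
# not CyberArk code). Assumes: run locally as administrator, Windows PowerShell 5.1.
$VaultPort = 1858   # CyberArk proprietary protocol, per the post
$findings  = @()

# 1. No domain membership or trusts
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings += "Server is joined to domain $($cs.Domain)" }

# 2. Only TCP/IP v4: the IPv6 binding should be disabled on every adapter
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled |
    ForEach-Object { $findings += "IPv6 is enabled on adapter '$($_.Name)'" }

# 3. No DNS or WINS: name resolution comes from the hosts file only
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $findings += "DNS servers set on '$($_.InterfaceAlias)': $($_.ServerAddresses -join ', ')" }
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.WINSPrimaryServer } |
    ForEach-Object { $findings += "WINS server set on '$($_.Description)'" }

# 4. Firewall: every enabled inbound allow rule must be TCP $VaultPort and nothing else
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if (-not ($pf.Protocol -eq 'TCP' -and "$($pf.LocalPort)" -eq "$VaultPort")) {
        $findings += "Inbound allow rule '$($_.DisplayName)' opens $($pf.Protocol)/$($pf.LocalPort)"
    }
}
# Each profile must be on and block inbound by default, so only the allow list gets through
Get-NetFirewallProfile |
    Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' } |
    ForEach-Object { $findings += "Firewall profile '$($_.Name)' is not enabled with inbound default Block" }

# 5. Unnecessary services: this list is an assumption of what the summary means;
#    extend it to match your own build standard
$unwanted = 'RemoteRegistry', 'WinRM', 'LanmanServer'
Get-Service -Name $unwanted -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' } |
    ForEach-Object { $findings += "Service '$($_.Name)' is running" }

if ($findings.Count -eq 0) { 'No deviations from the hardening summary found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it after hardening and again after any change window; a non-empty finding list is the signal to compare the host against the Digital Vault Security Standard rather than to fix the firewall through Windows tools.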


HSM INTEGRATION
[Slide images 02-WS-PAS-Install-The-Vault-43 to -56 (HSM integration) not reproduced]


SUMMARY

This post covered:
• Hardened Vault Server
• Multiple Layers of Security Controls
• Installing a Standalone Vault Server
• CyberArk Digital Vault Standard
• Leverage an HSM when possible to store the Operator key.


