CyberArk PAS (PSM) Installation - Part 4 - NETSEC

Cybersecurity Memo

Friday, July 31, 2020

Privileged Session Manager enables organizations to isolate, monitor, record, and control privileged sessions on critical systems including Unix and Windows-based systems, databases and virtual machines. The solution acts as a jump server and single access control point. It prevents malware from jumping to a target system and records keystrokes and commands for continuous monitoring. The resulting detailed session recordings and audit logs are used to simplify compliance audits and accelerate forensics investigations.

High Level Installation Steps:

Basically, follow the hardware specs and prerequisite software listed in the CyberArk Docs system requirements guide, then do the installation as shown below.
EPV = Digital Vault + PVWA + CPM

Related Posts:

PSM Architect

PSM Installation (High Level)

Enterprise Password Vault Solution (PSM) Installation High Level

For the PSMs:
- Install Windows 2012 R2 or Windows 2016
- Install at least .NET Framework 4.6.2 (if that or a greater version is not already included)
- Install all the latest Windows OS patches
- Add the domain account used to install PSM to the local Administrators group of the new PSM VM build
- The rest is performed during the install, which includes:
  - Setting up the Remote Desktop Session Host role (through the role deployment wizard, not the individual check-boxed RD options) and selecting session-based deployment (which will then ask for connection brokers and RD Gateway servers in later steps).

Password Vault Web Access (PVWA) is a fully featured web interface that provides a single console for requesting, accessing and managing privileged accounts throughout the enterprise by both end users and administrators.
Central Policy Manager is an integral part of the PAS, controlling and managing the Master Policy. This password management component can change passwords automatically on remote machines and store the new passwords in the EPV, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines, and reconcile them when necessary.
Privileged Session Manager enables organizations to isolate, monitor, record, and control privileged sessions on critical systems including Unix and Windows-based systems, databases and virtual machines. The solution acts as a jump server and single access control point. It prevents malware from jumping to a target system and records keystrokes and commands for continuous monitoring. The resulting detailed session recordings and audit logs are used to simplify compliance audits and accelerate forensics investigations.
Privileged Threat Analytics is an expert system for privileged account security intelligence, providing targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user and account activity. The solution applies patent pending analytic technology to a rich set of privileged user and account behavior collected from multiple sources across the network. CyberArk Privileged Threat Analytics then produces highly accurate and immediately actionable intelligence, allowing incident response teams to respond directly to the attack.

PSM Installation Overview

The PSM installation is divided into several configurable stages: set up, installation, post-installation, hardening and registration.


PSM Installation - Set Up

This stage performs the following steps (default setting shown for each):
- .Net 4.5.2: verifies that a compatible version of .NET Framework is installed on the machine. Default: Enable="Yes"
- Install Remote Desktop Services. Default: Enable="Yes"
- Disable NLA: disables Network Level Authentication on the PSM server. Default: Enable="Yes"
- Update the RDS security layer: updates the RDS security layer to 1. This step is disabled by default since CyberArk highly recommends that you configure secure RDP connections using SSL (see Secure RDP Connections with SSL). Enable this step if you do not secure RDP connections with SSL. Default: Enable="No"
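The set-up stage writes its "Disable NLA" and "Update the RDS security layer" results into the RDP-Tcp listener registry key. The following PowerShell script, an added example that is not part of the original post or of CyberArk's installation automation, reads those values back so you can confirm what the stage left on the server before hardening. It assumes an elevated PowerShell session on the PSM server; the registry path and value names are the standard Windows RDP listener ones, and the `-RdpSecuredWithSsl` switch is a hypothetical parameter you set according to whether you bound an SSL certificate to RDP.

```powershell
# Added example (not from the original post or CyberArk): verify the RDP listener
# state that the PSM set-up stage is expected to leave behind.
# Assumes an elevated PowerShell session on the PSM server.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of the SecurityLayer value on the RDP-Tcp listener
$SecurityLayerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-PsmRdpListenerState {
    $p = Get-ItemProperty -Path $RdpTcpKey
    $layer = [int]$p.SecurityLayer
    $layerName = if ($SecurityLayerNames.ContainsKey($layer)) { $SecurityLayerNames[$layer] } else { "Unknown($layer)" }

    [pscustomobject]@{
        NlaEnabled        = ([int]$p.UserAuthentication -eq 1)   # 1 = Network Level Authentication required
        SecurityLayer     = $layer
        SecurityLayerName = $layerName
    }
}

function Test-PsmRdpListener {
    param(
        # Set this when RDP on the PSM is secured with an SSL certificate, as CyberArk recommends
        [switch]$RdpSecuredWithSsl
    )
    $state = Get-PsmRdpListenerState
    $findings = New-Object System.Collections.Generic.List[string]

    if ($state.NlaEnabled) {
        $findings.Add('NLA is still required on RDP-Tcp: the "Disable NLA" set-up step did not apply, or NLA was re-enabled by policy.')
    }
    if ($RdpSecuredWithSsl -and $state.SecurityLayer -lt 1) {
        $findings.Add("SecurityLayer is $($state.SecurityLayerName): with SSL-secured RDP it should be Negotiate (1) or SSL/TLS (2).")
    }
    if (-not $RdpSecuredWithSsl -and $state.SecurityLayer -eq 0) {
        $findings.Add('SecurityLayer is legacy RDP (0) and RDP is not SSL-secured: enable the "Update the RDS security layer" step or secure RDP with SSL.')
    }

    [pscustomobject]@{
        State    = $state
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: run after the set-up stage and before hardening.
$result = Test-PsmRdpListener -RdpSecuredWithSsl:$false
$result.State | Format-List
if ($result.Passed) { 'RDP listener matches the set-up stage expectations.' } else { $result.Findings }
```

Run it once with `-RdpSecuredWithSsl:$false` on a server where you kept the default set-up configuration, and with `-RdpSecuredWithSsl` after you have bound a certificate to RDP; a "Negotiate" or "SSL/TLS" security layer with NLA disabled is the state the rest of the installation assumes.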

PSM Installation Steps:

Run the PSM installation wizard.
To install PSM:
  1. Log on as a domain user who is a member of the local Administrators group.
  2. Create a new folder on the PSM server machine. From the installation CD, copy the contents of the Privileged Session Manager folder to your new folder.
    Display the contents of the Privileged Session Manager folder.
  3. Start the installation procedure:
    Double-click Setup.exe or,
    On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
    The PSM installation wizard appears and displays a list of prerequisites that are installed before the PSM installation continues.
  4. Click Install to begin the installation process; the installation process begins and the Setup window appears.
  5. Click Next through the wizard. On the Destination Location window, click Next to accept the default location provided by the installation, or click Change and select another location.
  6. On the Recordings Folder window, click Next to accept the default recordings folder provided by the installation, or click Change and select another location.

  7. On the Password Vault Web Access Environment window, click Next to accept the default name of the PVWA Configuration Safe provided by the installation, or specify the name of another Safe to use as the PVWA Configuration Safe.

  8. Click Next; the installation automatically installs the Oracle Instant Client, then displays the Vault's Connection Details window. Specify the IP or DNS address and the port number of the Digital Vault, then click Next.

  9. On the Vault's Username and Password Details window, specify the username and password of the Vault user carrying out this installation, then click Next.

  10. On the API Gateway Connection Details window, enter the protocol and hostname of the PVWA where the PSM connects to the API Gateway, then click Next to display the Setup Complete window. This information is used to generate an endpoint for API calls (<protocol>://<Host>/passwordvault/api).

  11. Click Finish to complete the Privileged Session Manager installation.

  12. Restart the PSM server. You can also restart the PSM server at a later stage.

  13. On the PVWA machine, run iisreset.

Activate the PSM server

To activate PSM:
  1. If you did not use the default recordings folder provided by the installation, you will need to update the path to the recordings folder.
    Go to PVWA > ADMINISTRATION > Options > Privileged Session Management > General settings > Recorder settings. Update the value of the recordings folder path on the PSM machine.
  2. You need to manually start the CyberArk Privileged Session Manager Service:
    1. Go to Start> Settings > Control Panel.
    2. Select Administrative Tools > Services.
    3. Right-click CyberArk Privileged Session Manager.
    4. Select Start.

Post Installation

The post-installation stage configures the PSM server after it has been installed successfully.
The post-installation stage performs the following steps automatically. For troubleshooting, or to perform a step manually, see the procedure for that step:
- Disables the screen saver for local PSM users
- Configures users for PSM sessions
- Enables PSM for web applications
- Enables users to print PSM sessions

Configure the post-installation stage
From the CD image, open InstallationAutomation\PostInstallation\PostInstallationConfig.XML and select the steps you want to enable by setting Enable="Yes".

Run the post-installation stage
Open a PowerShell window and run the following commands:
CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\PostInstallation\PostInstallationConfig.XML"
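The two parts of this stage, editing Enable="Yes"/"No" on the steps in the stage config and then running Execute-Stage.ps1 against it, can be scripted so that the change is reviewed and backed up before the stage runs. The script below is an added example, not part of the original post or of CyberArk's installation automation. It assumes only what the post states about the file: that it is XML and that each step element carries an Enable attribute. The list of name-like attributes it looks for (`Name`, `Id`, `DisplayName`, and so on) is a guess and may need adjusting to the real file, and `$CdImage` is a placeholder for your extracted CD image path.

```powershell
# Added example (not from the original post or CyberArk): toggle step Enable
# attributes in an InstallationAutomation stage config, then run the stage.
# Assumptions: step elements carry an Enable attribute (as the post says) plus
# some name-like attribute; $NameAttributes is a guess at what that is called.

$CdImage        = 'D:\PSM'   # placeholder: path of the extracted CD image
$StageDir       = Join-Path $CdImage 'InstallationAutomation'
$ConfigPath     = Join-Path $StageDir 'PostInstallation\PostInstallationConfig.XML'
$NameAttributes = @('Name', 'Id', 'ID', 'DisplayName', 'StepName')   # assumed candidates

function Get-StepName {
    param([System.Xml.XmlElement]$Element)
    $attr = $NameAttributes | Where-Object { $Element.HasAttribute($_) } | Select-Object -First 1
    if ($attr) { $Element.GetAttribute($attr) } else { $Element.LocalName }
}

function Get-StageSteps {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # Every element that carries an Enable attribute is treated as a step
    foreach ($el in $doc.SelectNodes('//*[@Enable]')) {
        [pscustomobject]@{
            Name    = Get-StepName -Element $el
            Element = $el.LocalName
            Enable  = $el.GetAttribute('Enable')
        }
    }
}

function Set-StageStepEnabled {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$StepNameLike,   # wildcard patterns, e.g. '*ScreenSaver*'
        [ValidateSet('Yes', 'No')][string]$Enable = 'Yes'
    )
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $changed = 0
    foreach ($el in $doc.SelectNodes('//*[@Enable]')) {
        $name = Get-StepName -Element $el
        foreach ($pattern in $StepNameLike) {
            if ($name -like $pattern -and $el.GetAttribute('Enable') -ne $Enable) {
                $el.SetAttribute('Enable', $Enable)
                $changed++
                break
            }
        }
    }
    if ($changed -gt 0) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the vendor original
        $doc.Save($Path)
    }
    return $changed
}

function Invoke-PsmStage {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # Execute-Stage.ps1 is CyberArk's script and is run from the InstallationAutomation folder
    Push-Location $StageDir
    try { & '.\Execute-Stage.ps1' $ConfigPath }
    finally { Pop-Location }
}

# Usage: review the steps, enable the ones you want, re-check, then run the stage.
Get-StageSteps -Path $ConfigPath | Format-Table -AutoSize
$n = Set-StageStepEnabled -Path $ConfigPath -StepNameLike '*ScreenSaver*', '*Print*' -Enable Yes
"Updated $n step(s)"
Get-StageSteps -Path $ConfigPath | Format-Table -AutoSize
Invoke-PsmStage -ConfigPath $ConfigPath
```

Run `Get-StageSteps` first on the untouched file: the names it prints tell you which attribute the real config uses, and the `.bak` copy that `Set-StageStepEnabled` writes lets you diff your change against the vendor file before the stage runs. The same functions work for the hardening stage by pointing `$ConfigPath` at Hardening\HardeningConfig.XML.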

Following the installation
Perform the following steps, if required:
- Verify that the installation completed successfully.
- If NLA is enabled in your environment and your users connect directly from their desktops.
- Configure the PSMConnect and PSMAdminConnect users' passwords so that they are managed by the CPM.
- Maintenance users who need to log on remotely to the PSM server must be members of the Remote Desktop Users group on the PSM server and must also be added to the list of users with the "Allow log on through Remote Desktop Services" permission in the Windows security policy.


PSM Installation - Hardening

The PSM hardening stage enhances PSM security by defining a highly secured Windows server. The hardening procedure, which disables multiple operating system services on the PSM server machine, is included as part of the PSM installation.

From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML and verify that the following parameters are set to Enable="Yes":
1. Runs the hardening script
The PSM hardening procedure on the PSM server machine enhances PSM security.
Default: Enable="Yes"
Additional step parameters:
  • SupportWebApplications - Set this parameter to Enable="Yes" if you are using web applications.
  • ClearRemoteDesktopUsers - For security reasons, the hardening stage clears the Remote Desktop Users group. The Remote Desktop Users group should include maintenance users that are not administrators or, if ActiveX is used, PSM local users. If you use ActiveX, it is recommended to leave the ClearRemoteDesktopUsers parameter set to "No" and manually delete users from the Remote Desktop Users group after running the script.
2. Runs post-hardening tasks
  • Blocks Internet Explorer developer tools
  • Hides PSM local drives in PSM sessions
  • Blocks the Internet Explorer context menu
Default: Enable="Yes"
3. Runs AppLocker rules
To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.
Default: Enable="Yes"
For details, see Run AppLocker rules.
4. Automatic hardening in 'Out of Domain' deployments
Hardens an 'Out of Domain' PSM server, including:
  • Imports an INF file to the local machine
  • Applies advanced audit
  • Manually adds user changes for installation
  • Sets a time limit for active but idle RDS sessions
Default: Enable="No"
Set to "Yes" if you are using the PSM server out of domain.
For in-domain deployments, see Automatic hardening in 'In Domain' deployments.
For configuration details, see Configure 'Out of Domain' PSM servers.
5. Harden TLS Settings
  • Disables SSL/TLS versions earlier than TLS 1.2.
  • RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures RD Connection Broker to work with SQL Server Express.
Default: Enable="Yes"
Open a PowerShell window and run the following commands:
CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"
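The "Harden TLS Settings" step above disables SSL/TLS versions earlier than TLS 1.2, which on Windows is expressed through the SCHANNEL protocol keys in the registry. The script below is an added example, not part of the original post or of CyberArk's hardening stage; it reads those keys after the stage has run and reports any legacy protocol still enabled on the server or client side, and whether TLS 1.2 itself is still available. It assumes an elevated session on the PSM server and the standard Windows SCHANNEL registry layout.

```powershell
# Added example (not from the original post or CyberArk): confirm the TLS hardening
# result by reading the SCHANNEL protocol keys. Assumes an elevated session on the PSM.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols   = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')   # must be off on a hardened PSM
$RequiredProtocols = @('TLS 1.2')                                    # must stay on

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Side
    )
    $key = Join-Path $SchannelProtocols "$Protocol\$Side"
    if (-not (Test-Path -LiteralPath $key)) {
        # No key means the OS default applies; on Windows Server 2012 R2 / 2016 that leaves
        # TLS 1.0 and 1.1 usable, so an absent key is reported as "not hardened".
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Configured = $false; Disabled = $false; DisabledByDefault = $false }
    }
    $p = Get-ItemProperty -LiteralPath $key
    # Enabled = 0 switches the protocol off outright; DisabledByDefault = 1 only stops
    # it being offered unless an application asks for it explicitly.
    $disabled          = ($null -ne $p.Enabled) -and ([int]$p.Enabled -eq 0)
    $disabledByDefault = ($null -ne $p.DisabledByDefault) -and ([int]$p.DisabledByDefault -eq 1)
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Configured = $true; Disabled = $disabled; DisabledByDefault = $disabledByDefault }
}

function Test-PsmTlsHardening {
    $rows = foreach ($proto in ($LegacyProtocols + $RequiredProtocols)) {
        foreach ($side in 'Server', 'Client') {
            Get-SchannelProtocolState -Protocol $proto -Side $side
        }
    }
    $findings = @()
    foreach ($r in $rows) {
        if (($r.Protocol -in $LegacyProtocols) -and (-not $r.Disabled)) {
            $why = if (-not $r.Configured) { ' (no SCHANNEL key, OS default applies)' } elseif ($r.DisabledByDefault) { ' (only DisabledByDefault=1, Enabled is not 0)' } else { '' }
            $findings += "$($r.Protocol) $($r.Side) is still enabled$why"
        }
        if (($r.Protocol -in $RequiredProtocols) -and $r.Disabled) {
            $findings += "$($r.Protocol) $($r.Side) is disabled; PSM needs TLS 1.2"
        }
    }
    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings; Detail = $rows }
}

# Usage: run after Execute-Stage.ps1 has applied HardeningConfig.XML.
$tls = Test-PsmTlsHardening
$tls.Detail | Format-Table Protocol, Side, Configured, Disabled, DisabledByDefault -AutoSize
if ($tls.Passed) { 'Only TLS 1.2 is enabled.' } else { $tls.Findings }
```

A legacy protocol that shows `Configured = False` has never been touched by the hardening step or by group policy, which is the usual reason a PSM still negotiates TLS 1.0 after hardening. Changes to these keys take effect only after a restart, so run the check after the reboot that follows the hardening stage.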

Change PSM Server ID

  1. First, log in to the PVWA, browse to Administration, System Configuration, Options, Privileged Session Management, Configured PSM Servers and select the PSM Server you need to change from the list of servers. In the properties pane, set the value of the ID property to the new Server ID, then click Apply and OK.
  2. Next, edit the basic_psm.ini file located on the PSM server in the PSM root directory and update the PSMServerID parameter with the new Server ID, save the file and restart the "CyberArk Privileged Session Manager" service on the PSM server.
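Step 2 can be scripted so that the INI edit and the service restart happen together and the old file is kept. The script below is an added example, not part of the original post or of CyberArk's tooling. `$PsmRoot` is a placeholder for the PSM root directory on your server; the service is found by the display name the post uses (with a wildcard so the hyphenated spelling also matches), and the PSMServerID line is matched case-insensitively so the key's exact casing in your file does not matter.

```powershell
# Added example (not from the original post or CyberArk): change the PSM Server ID
# in basic_psm.ini and restart the PSM service. $PsmRoot is a placeholder path.

$PsmRoot            = 'C:\Program Files (x86)\CyberArk\PSM'   # placeholder: PSM root directory
$IniPath            = Join-Path $PsmRoot 'basic_psm.ini'
$ServiceDisplayName = 'Cyber*Ark Privileged Session Manager'  # wildcard covers the hyphenated spelling

function Get-PsmIniValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Key)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*"?([^"]*)"?\s*$'
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match $pattern) { return $Matches[1] }   # -match is case-insensitive
    }
    return $null
}

function Set-PsmServerId {
    param([Parameter(Mandatory)][string]$NewId)
    if ($NewId -notmatch '^[A-Za-z0-9_.-]+$') {
        throw "Server ID '$NewId' contains characters that are unlikely to be valid"
    }
    $found = $false
    $updated = foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -imatch '^(\s*PSMServerID\s*=\s*)(.*)$') {
            $found = $true
            # Keep whatever quoting style the existing value used
            $quoted = $Matches[2].Trim().StartsWith('"')
            $Matches[1] + $(if ($quoted) { "`"$NewId`"" } else { $NewId })
        } else {
            $line
        }
    }
    if (-not $found) { throw "PSMServerID not found in $IniPath" }
    Copy-Item -LiteralPath $IniPath -Destination "$IniPath.bak" -Force   # keep the previous file
    Set-Content -LiteralPath $IniPath -Value $updated
    Get-PsmIniValue -Path $IniPath -Key 'PSMServerID'
}

function Restart-PsmService {
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop | Select-Object -First 1
    Restart-Service -Name $svc.Name -Force
    (Get-Service -Name $svc.Name).Status
}

# Usage, after the ID has already been changed in PVWA (step 1):
"Current ID: $(Get-PsmIniValue -Path $IniPath -Key 'PSMServerID')"
"New ID:     $(Set-PsmServerId -NewId 'PSMServer_hostname01')"
Restart-PsmService
```

The value you pass to `Set-PsmServerId` must be exactly the ID you set in PVWA in step 1; if the two differ, the service starts but the PSM will not match its configured server entry.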

PSM VIP Configuration for Load Balancer

  1. After installing all PSMs, take a look at the 'Configured PSM Servers' list in PVWA. You should have an entry for each PSM that says PSMServer or PSMServer_hostname01 etc. In a default environment, your first PSM will have ID "PSMServer" and that will be the default PSM assigned to each platform. That's why we copy this one when doing load balancing.

  2. Copy "PSMServer" and rename the ID to PSMServer_hostname01. You can keep the same PSMAdmin objects here, as these are the local password objects for this server, or you can switch them to domain users. This reference will really only be used when troubleshooting or assigning to an individual PSM outside the load balancer. This individual PSM ID is only called if a platform is associated with it.

  3. RDP into the PSM server whose ID you just changed and open up basic_psm.ini. Change the ID field to your new PSMServer_hostname01. You'll see a PSMAdmin field here and you'll be tempted to change it, but have no fear, it is only a red herring and is not pulled unless you are load balancing with RD Connection Broker, which you shouldn't do; it's terrible.

  4. Take your copied PSMServer and change the address to your load balancer VIP or GSLB name. Now this will be the default PSM for all platforms so you don't have to go through and change each one. Hooray!

  5. Now take a look at the PSMServer and PSMAdmin objects for your PSMServer object. Notice that they are local. So the PSM will try to use the local objects of one server when connecting to all your PSM servers through the LB address. That won't do. That's why we swap these to refer to domain users.

  6. So, you can do this a couple of ways. CyberArk tells you to modify the ones that are in the PSM safe, which works. But be wary that there are some hoops to jump through if you want to manage those passwords, as the built-in 'PSM' safe has no password manager associated with it. If you do it the CyberArk way, just note that you don't have to use PrivateArk as the doc says. Just open them up with admin or vault admin on the PVWA and change those address fields. Personally, I like to create a brand spanking new safe 'PSM-CompanyName', assign a CPM to it and copy the PVWAAppUsers and PSMAppUsers permissions off the built-in 'PSM' safe in PrivateArk and put them on your new safe. Then, finally, edit the safe, PSMServer object and PSMAdmin object fields in your 'PSMServer' reference in PVWA, restart any services and voila: load balanced, single domain users with the ability to rotate/reconcile as you should choose.
