CyberArk PAS Studying - Install and Configure - 3. CPM and PVWA - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Friday, April 3, 2020

CyberArk PAS Studying - Install and Configure - 3. CPM and PVWA

CyberArk PAS Studying - Install and Configure - 3. CPM and PVWA


OBJECTIVES
By the end of this post you will be able to:
• Describe the main functionality of the CPM and PVWA
• How to Install the CPM and PVWA
• How to Secure and Harden the CPM and PVWA


Related Posts:
CyberArk PAS Studying - Install and Configure - 1. Core PAS Review and Security
CyberArk PAS Studying - Install and Configure - 2. The Enterprise Password Vault
CyberArk PAS Studying - Install and Configure - 3. CPM and PVWA
CyberArk PAS Studying - Install and Configure - 4. Vault Integrations
CyberArk PAS Studying - Install and Configure - 5. Authentication Methods
CyberArk PAS Studying - Install and Configure - 6. Pre Implementation
CyberArk PAS Studying - Install and Configure - 7. Privileged Session Manager Installation and Configuration
CyberArk PAS Studying - Install and Configure - 8. PSM Load Balancing
CyberArk PAS Studying - Install and Configure - 9. PSM for SSH Servers
CyberArk PAS Studying - Install and Configure - 10. Securing CyberArk
CyberArk PAS Studying - Install and Configure - 11. Disaster Recovery and the Vault Backup Solution
CyberArk PAS Studying - Install and Configure - 12. Vault Availability Cluster Vault
CyberArk PAS Studying - Install and Configure - 13. EPV Configuration and Performance Tuning


PVWA AND CPM FUNCTIONALITY
03-WS-PAS-Install-CPM-and-PVWA-04
CENTRAL POLICY MANAGER
• The CPM is responsible for:
• Password Management Operations
  1. • Changing and verifying all target account password
  2. • Enforces Password Policy

• The CPM Accounts Feed and Auto Detection Operations
  1. • Discover Automate privileged account discovery, designed to quickly locate critical accounts and credentials.
  2. • Analyze Provides a view of all discovered accounts analysis to assess the risk of each account.
  3. • Provision Accounts targeted for management can be provisioned in the Vault in a simple and intuitive way.
03-WS-PAS-Install-CPM-and-PVWA-06

PVWA PREREQUISITES INSTALLATION
03-WS-PAS-Install-CPM-and-PVWA-08

03-WS-PAS-Install-CPM-and-PVWA-09

03-WS-PAS-Install-CPM-and-PVWA-10

03-WS-PAS-Install-CPM-and-PVWA-11
PVWA INSTALLATION
03-WS-PAS-Install-CPM-and-PVWA-13

03-WS-PAS-Install-CPM-and-PVWA-14

03-WS-PAS-Install-CPM-and-PVWA-15

03-WS-PAS-Install-CPM-and-PVWA-16

03-WS-PAS-Install-CPM-and-PVWA-17

03-WS-PAS-Install-CPM-and-PVWA-18

03-WS-PAS-Install-CPM-and-PVWA-19

03-WS-PAS-Install-CPM-and-PVWA-20

03-WS-PAS-Install-CPM-and-PVWA-21
PVWA VERIFY SERVER ENVIRONMENT
03-WS-PAS-Install-CPM-and-PVWA-23

03-WS-PAS-Install-CPM-and-PVWA-24

03-WS-PAS-Install-CPM-and-PVWA-25
PVWA VERIFY VAULT ENVIRONMENT
03-WS-PAS-Install-CPM-and-PVWA-27

03-WS-PAS-Install-CPM-and-PVWA-28

03-WS-PAS-Install-CPM-and-PVWA-29
HARDENING THE PVWA 
03-WS-PAS-Install-CPM-and-PVWA-31

03-WS-PAS-Install-CPM-and-PVWA-32

03-WS-PAS-Install-CPM-and-PVWA-33
MULTIPLE PVWAS

USE CASES
• Fault Tolerance and Disaster Recovery in the Web Interface
• Reduce web traffic over WAN lines
• Provide a second less privileged web interface for external users (vendors or contractors).
03-WS-PAS-Install-CPM-and-PVWA-36

03-WS-PAS-Install-CPM-and-PVWA-37

03-WS-PAS-Install-CPM-and-PVWA-38
CPM INSTALLATION
03-WS-PAS-Install-CPM-and-PVWA-40

03-WS-PAS-Install-CPM-and-PVWA-41

03-WS-PAS-Install-CPM-and-PVWA-42

03-WS-PAS-Install-CPM-and-PVWA-43

03-WS-PAS-Install-CPM-and-PVWA-44

03-WS-PAS-Install-CPM-and-PVWA-45

03-WS-PAS-Install-CPM-and-PVWA-46

03-WS-PAS-Install-CPM-and-PVWA-47

03-WS-PAS-Install-CPM-and-PVWA-48
CPM VERIFY SERVER ENVIRONMENT
03-WS-PAS-Install-CPM-and-PVWA-50

03-WS-PAS-Install-CPM-and-PVWA-51

03-WS-PAS-Install-CPM-and-PVWA-52
CPM VERIFY VAULT ENVIRONMENT
03-WS-PAS-Install-CPM-and-PVWA-54

03-WS-PAS-Install-CPM-and-PVWA-55

03-WS-PAS-Install-CPM-and-PVWA-56

03-WS-PAS-Install-CPM-and-PVWA-57

HARDENING THE CPM

HARDENING THE CYBERARK CPM AND PVWA SERVERS
The Hardening the CyberArk CPM and PVWA Servers webpage and document is designed to help you secure and harden the Windows servers that have CyberArk components installed on them
• CPM or PVWA hardening is accomplished via a combination of PowerShell scripts and GPO settings
• Instructions are provided for GPO deployment for in Domain environments and a manual procedure for out of domain environments
• PowerShell scripts are provided to compliment the deployment of the hardened configuration
• Both procedures must be completed to consider the hardening complete

HARDENING OVERVIEW GPO/INF
• In Domain Automatic Hardening via GPO
  1. • When the CPM and / or the PVWA server environments are part of Active Directory domain (' InDomain ’), a Group Policy Object can be applied to enforce security policies.
• Out of Domain Hardening via INF Import
  1. • When the CPM and PVWA server environments are not a part of Active Directory domain ('Out of Domain'), the hardening procedure is applied via an INF file.
• The CyberArk CPM and PVWA Servers guide provides a complete list of all GPO settings.
03-WS-PAS-Install-CPM-and-PVWA-61
MULTIPLE CPMS
03-WS-PAS-Install-CPM-and-PVWA-63

03-WS-PAS-Install-CPM-and-PVWA-64

03-WS-PAS-Install-CPM-and-PVWA-65

03-WS-PAS-Install-CPM-and-PVWA-66

03-WS-PAS-Install-CPM-and-PVWA-67

03-WS-PAS-Install-CPM-and-PVWA-68

03-WS-PAS-Install-CPM-and-PVWA-69

03-WS-PAS-Install-CPM-and-PVWA-70

03-WS-PAS-Install-CPM-and-PVWA-71

03-WS-PAS-Install-CPM-and-PVWA-72

03-WS-PAS-Install-CPM-and-PVWA-73

03-WS-PAS-Install-CPM-and-PVWA-74

03-WS-PAS-Install-CPM-and-PVWA-75
GENERAL CONFIGURATION AND RECOMMENDATIONS
03-WS-PAS-Install-CPM-and-PVWA-77
GENERAL CONFIGURATION FOR ALL DEPLOYMENTS CONT.
• Restrict Network Protocols
  1. • Install only the required protocols and remove unnecessary ones. For example, only TCP/IP are  necessary, and ensure that no additional protocols such as IPX or NetBEUI are allowed. 
• Rename Default Accounts
  1. • It is recommended to change the names of both the Administrator and the guest to names that will not testify about their permissions. It is also recommended to create a new locked and unprivileged Administrator user name as bait.
• Validate Proper Server Roles
  1. • To minimize your attack surface, as a best practice, make sure that only the minimum roles and features that are required are defined on the CPM and PVWA server(s).
  2. • Remove all unnecessary roles and features.
• IIS Hardening (PVWA Only)
03-WS-PAS-Install-CPM-and-PVWA-79

03-WS-PAS-Install-CPM-and-PVWA-80

03-WS-PAS-Install-CPM-and-PVWA-81

03-WS-PAS-Install-CPM-and-PVWA-82


SUMMARY

This post covered:
•  Installing the CPM and PVWA
•  Configuring the CPM and PVWA
•  The CPM and PVWA Server Environment
•  The CPM and PVWA Vault Environment
•  Securing the CPM and PVWA









No comments:

Post a Comment