Configure CyberArk Privilege Cloud to Onboard Azure Accounts

This post is to summarize the configuration of CyberArk Privilege cloud for Azure Active Directory environment.

CyberArk Products Security Pillars (Access, Privilege, DevSecOps)

1. RBAC - Roles Based Access Control

2. SSO / MFA

3. Lifecycle management approval workflow

High Level Steps for Onboarding Azure Cloud Accounts

Pre-requisites for Onboard Azure Cloud Accounts:

1. One Azure APP Safe and Two Platforms to be created on CyberArk and be activated
1. Platforms
1. Microsoft Azure Application Keys Management  (Name and platform properties TBD)
2. Microsoft Azure Password Management  (Name and platform properties TBD)
2. Safe 
1. Azure App Safe (Name TBD)
2. From Azure cloud, register one App for CyberArk CPM APP.
1. This will require one Global admin to help get it done
2. Following information will be generated from this app registration
1. Display Name (TBD)
2. Application (Client) ID
3. Object ID
4. Directory (Tenant) ID
5. Client secret (Rotate at least once a year)
6. Assign proper API permissions
3. Grant User Administrator role to Step 2's new registered APP.
4. Add a new account to Azure APP Safe in CyberArk PVWA with following properties
1. Using Azure App Key Mgmt Platform and Azure APP Safe
2. Display Name (TBD)
3. Application (Client) ID
4. Object ID
5. Directory (Tenant) ID

Onboard Azure Cloud Accounts:

1. Create testing account in Azure Cloud
1. This is Cloud only account. This will be required for testing. 
2. Create Azure Admin Safe
1. Azure Admin Account Safe (Name TBD)
3. Add an Azure account into CyberArk 
1. using Azure Password Management platform and Azure admin account safe
2. Application id
3. Azure Directory ID
4. Link Application Account and Reconcile Account to this Azure Cloud Account
5. Change, verify, reconcile account to make sure all is working as expected
1. 
   

Create Connector for Azure Portal 

To make our Azure Admin Accounts able to automatically log into Azure portal, there are following steps to be done before we can enable PSM to monitor sessions:

1. Download ChromeDriver.exe 
2. Download script for installing ChromeDrive.exe from CyberArk Privilege Cloud Tools package.
3. install it on PSM servers using script
4. Verify and modify AppLocker allow-list
5. Modify Platform to get MFA supported
6. Assign new connector to the platform
7. Test and make sure it is working as expected.

Groups, Users, Roles in Identity

Here are some examples for Groups Name Convention:

G-CyberArk-Users

G-CyberArk-Admins

G-CyberArk-Auditors

G-CyberArk-Managers

G-<Safe>-CA-Managers

G-<Safe>-CA-Users

G-<Safe>-CA-Approvers

Platform

The nomenclature [Account type]-[Platform]-[Technology or OS Type]-[Environment]-[Workflow]-[Management]-[Expiry] is defined for Platforms, the suggested maximum length is 44 characters:

Length	Description	Sample	Legend
3	Account Type	SPA	Account type according to PAM name conventions (e.g., SPA: Shared Privileged Account, PPA: Personal Privileged Account, WBA: Windows Built in Account, etc.)
1	Delimiter	-	Delimiter
2	Technology Platform	DB	Platform or OS type (e.g., CL:Cloud, WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, etc.)
1	Delimiter	-	Delimiter
6	Technology type	MSSQL	Platform technology type, e.g. OS or DB variant (WIN, AIX, MSSQL, MYSQL, RHEL, Azure, etc.)
1	Delimiter	-	Delimiter
1	Environment	P	Environment type (e.g., P: Production, D: Development etc.)
3-14	Workflow	Chkout	Workflows that are applicable to the platform (e.g., PSM, Chkout, etc.)
1	Delimiter	-	Delimiter
7-10	Management	Automatic	Password management type for the account (e.g., Managed, Unmanaged)
1	Delimiter	-	Delimiter
4	Expiry	30	Password expiry duration (e.g., 12H, 1Y, 30D, 90D, 180D, No)

Example:

SPA-DB-MSSQL-P-ChkoutApproval-Managed-90: The Platform is for Shared Privileged Account, to manage Production, Microsoft SQL Database accounts. Check-in/Check-out control and Approval workflow is enabled for this platform and it’s automatically managed by P-Cloud. Account password expiry period for this platform is 90 days.

Safe

Note:  Don't change safe name until you fully know the changes. The linked logon account, application account, and reconcile account in that safe will become empty. 

Shared Access Model:

• P-Cloud safes can be assigned to different teams
• Each team may have access to one or more safes
• Permissions to safes are assigned via AD Security groups
• The following roles are suggested for safe members:
• Safe Admins
• Safe Auditors
• Safe Approvers
• Safe Persistent Users (including nested groups)
• Safe Ad-Hoc Users

Safe Name Convention:

Note: https://cyberark.my.site.com/s/article/Safe-Naming-Convention-Best-Practices

Naming and Capacity Restrictions & Considerations

• A safe name cannot be more than 28 characters
• Due to performance considerations, a maximum number of objects stored in a safe is 20000. This includes versions of objects, therefore the recommended number of actual accounts or files stored in a safe is 3000-5000
• Due to security considerations, it is recommended to separate objects stored in safes in groups, following the “least privilege” concept, to avoid situations where providing access for a user to a group of accounts also gives said user access to unrelated accounts. For example: “Windows Accounts” vs “Window Local Administrators for HR App” (28 character limit was not enforced in this example) Heading 2 - RGB 23-69-123

Naming Convention Creation Steps

• Define business designations that are important for your environment. For example: Line of Business, Geographical Location, Data Center, Platform, Account Type, Application Association, Environment, etc
• List them in order of importance
• Discuss and agree on the resulting layered structure. This will be your Safe Naming Convention Base. Eliminate any layers that are redundant or not needed.
• List out as many examples of each designation as possible and define 2-4 letter translations for each. For example ORA for Oracle Database or LADM for Local Administrative Account. Alternatively, define a 1-2 digit number and its place in the Safe name instead of a 2-4 letter translation. For example 06 in the 8th and 9th spot for Oracle Database or 1 in the 1st spot for Production
• Create 7-10 examples of safe names to ensure the structure is sufficiently robust to account for any future need
• Document the Safe Naming Convention
• Examples
  • P-BOS-SRV-WIN-LADM – Local Administrative Accounts (LADM) for Production (P) Windows (WIN) Servers (SRV) in Boston DC (BOS)
  • P-BOS-SRV-WIN-DSVC-HR – Domain Service Accounts (DSVC) for the HR Application (HR) living on Production (P) Windows (WIN) Servers (SRV) in the Boston DC (BOS)
  • D-NYC-DB-ORA-LSVC-HR – Local Service Accounts (LSVC) for the HR Application (HR) living on Development (D) Oracle (ORA) Database (DB) in the NY Data Center (NYC)

Naming Convention Cheat Sheet

Category 1 - Environment:

Production (P), Development (D), Testing (T), Q/A (Q), etc

Category 2 (optional)   - Geographical Location or domain:

Datacenter 1 (DC1), Datacenter 2 (DC2), California Datacenter (CA), etc

Category 3 (optional)   - Business Unit/Access Groups/Application:

Security Team (SEC), Engineering Team (ENG), Support Desk (SUP), Network Team Routers (NWR), Network Team Switches (NWS), etc

Category 4 - Technology:

Server (SVR), Workstation (WKS), Network Device (NET), Database (DB), Mainframe (MF), Domain (DOM) etc

Category 5 - Technology Subtype (flavor):

Windows (WIN), UNIX (UNX), Linux (LNX), HP-UX (HP), Cisco (CSC), SQL Database (SQL), Oracle Database (ORC)

Category 6 - Account Type:

Local Account (LA), Domain Account (DA), Local Service Account (LS), Domain Service Account (DS), Root (RT), Enable Account (EN), SQL SA Account (SA)

Category 7 - Auto-Detection Enabled Safe   (required only if using auto-detection for local accounts):

Auto-detection (A)

Examples:

Length	Description	Sample	Legend
1	Prefix for shared safe	S	Reserved for Shared Safes
1	Delimiter	-	Delimiter
5-8	Team name	Cyber	Six (6) characters abbreviation for Team name, such as EntSd
1	Delimiter	-	Delimiter
2-5	Technology	DB	Platform or OS type (e.g., WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, AD: Active Directory, etc.)
1	Delimiter	-	Delimiter
3-5	PSM Control	NoPSM	Define if PSM should be enabled at Safe level
1	Delimiter	-	Delimiter
1	Environment	P	Environment type (e.g., P: Production, D: Development, etc.)
1	Delimiter	-	Delimiter
2	Sequence number	01	Sequence number (00-99) for teams with multiple safes

Master Policy

 

Create Platforms and Safes for Azure App and CPM

Create Two Duplicated Platforms:

1. Microsoft Azure Application Keys Management

Enable PerformPeriodicChange

Enable VFPerformPeriodicVerification

NO for RCAutomaticReconcileWhenUnsynched

Note: CyberArk university course:

• Manage break-glass credentials for cloud consoles with CyberArk PAM

2. Microsoft Azure Password Management

Enable PerformPeriodicChange

Enable VFPerformPeriodicVerification

Enable RCAutomaticReconcileWhenUnsynched

Create two Safes

1. for key 

Safe Name Example: NETSEC-AZ-APP-KEY-MGMT

2. for Azure AD accounts

Safe Name Example: NETSEC-SHR-IT-AZ-P-1

Onboarding Azure App Key As Account

Create an account with system type Cloud Service, Assign App Key Mgmt platform, and proper safe as show below:

Password = Secret Value

Key ID = Secret ID

App registrations for CyberArk Password Manager:

Certificates & Secrets :

• Create a new secret
• The secret can be rotated by CyberArk CPM.

App Permission:

• Grant access to directory for read user in the directory
• Grant access to Application to read / write user accounts

Assign this app a role of user administrtors.

If you will need to change global admin's password, you will need to grant this app to have Global Admin role. 

Onboarding Azure AD Accounts for RDP

Two connectors: RDP and Microsoft Azure Portal

RDP connector should be automatically working. 

You will need to set up three linked accounts to get Reconcile and Password Change working:

1. Logon Account

2. Application Account

3. Reconcile Account

Onboarding Azure AD Accounts for Azure Portal

Note: https://docs.cyberark.com/PAS/10.10/en/Content/PASIMP/PSM-Azure-CloudServicesManagement.htm

To get Azure Portal connector working, we will need to install Google Chrome and ChromeDriver

Step 1:

1. Download ChromeDriver.exe (Matching your chrome version, usualy it is x86)

• for older version before 115: https://chromedriver.chromium.org/downloads
• for newer version after 115: https://googlechromelabs.github.io/chrome-for-testing/

2. Put it into C:\Program Files (x86)\Cyberark\PSM\Components

Step 2:

1. Install chrome using script

It is inside your CyberArk Privilege Cloud Tools package: Cyberark PrivilegeCloud Tools-v13.3\Cyberark PrivilegeCloud Tools\Add-PSMApps

2. Unzip Add-PSMApps

3. Run script Add-PSMApps.ps1 from PowerSHell administrator window

It will automatically download Chromex86 version and add it with ChromeDriver into allow-list by AppLocker.

PS C:\Installation\Add-PSMApps> .\Add-PSMApps.ps1 -Application GoogleChromeX86
Downloading and installing Chrome
Enabling web app support in PSMHardening script
Running PSM Configure AppLocker script
---
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe        Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe                          Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe                        Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe                 Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe                   Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files (x86)\google\chrome\application\chrome.exe
CheckSensitivePrivilegesForDirectories: Current Directory: c:\programdata\microsoft\windows defender\platform\4.18.23050.9-0
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\4bc5e5252873c08797895d5b6fe6ddfd
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\system\3ac991e343330dfdb660c4b0041bfe5e
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
---
End of PSM Configure AppLocker script output
Running PSM Hardening script
---
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
   1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
   2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://IMCOINVEST/Domain Users
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMConnect
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMAdminConnect
Would you like to remove all members of this group? (yes/no): no
SUCCESS: The file (or folder): "C:\Windows\explorer.exe" now owned by the administrators group.
0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\explorer.exe" now owned by the administrators group.
1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\system32\taskmgr.exe" now owned by the administrators group.
2
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\taskmgr.exe" now owned by the administrators group.
3
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
SUCCESS: The file (or folder): "C:\program files\Internet Explorer\iexplore.exe" now owned by the administrators group.
4
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
processed file: C:\program files\Internet Explorer\iexplore.exe
SUCCESS: The file (or folder): "C:\program files (x86)\Internet Explorer\iexplore.exe" now owned by the administrators group.
5
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
processed file: C:\program files (x86)\Internet Explorer\iexplore.exe
Chrome hardening completed successfully
IE hardening completed successfully
Edge hardening completed successfully
C:\Program Files (x86)\Cyberark\PSM
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
6
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM\Vault
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
7
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Recordings
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Recordings" now owned by the administrators group.
8
C:\Program Files (x86)\Cyberark\PSM\Recordings
C:\Program Files (x86)\Cyberark\PSM\Logs
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs" now owned by the administrators group.
9
C:\Program Files (x86)\Cyberark\PSM\Logs\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs\Components" now owned by the administrators group.
10
C:\Program Files (x86)\Cyberark\PSM\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Components" now owned by the administrators group.
11
processed file: C:\Program Files (x86)\Cyberark\PSM\Components
Successfully processed 1 files; Failed processing 0 files
C:\oracle
processed dir: C:\oracle
C:\oracle
True
C:
processed dir: C:\
processed file: C:\
Successfully processed 1 files; Failed processing 0 files
D:
processed dir: D:\
processed file: D:\
Successfully processed 1 files; Failed processing 0 files
SUCCESS: The file (or folder): "C:\Program Files (x86)\CyberArk\Password Manager" now owned by the administrators group.
12
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
SUCCESS: The file (or folder): "C:\WindowsAzure" now owned by the administrators group.
13
C:\WindowsAzure
C:\WindowsAzure
C:\WindowsAzure
SUCCESS: The file (or folder): "C:\Packages" now owned by the administrators group.
14
C:\Packages
C:\Packages
C:\Packages
Executing (\\VM-NETSEC-Test-1\root\CIMV2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\CIMV2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
[SC] ChangeServiceConfig SUCCESS
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
WinSCP password storing has been disabled
CyberArk Hardening script ended successfully.
---
End of PSM Hardening script output
All tasks completed.

Now we can switch PSM server for testing Connect to Azure Portal

Onboarding Azure AD Accounts with MFA

Since Azure Portal login will need MFA, there are a couple of changes will need to make on Connector:

Remove validation in web form:

Disable Validation

Enable Trace:

From platform, disable default PSM-MS-AzurePortal and add new PSM-51SEC-AzurePortal

You will need to wait 0-3 minutes to get those connector configuration re-loaded into PSM server.

RDS License - Remote Desktop Service

Reset 120 Day Grace Period on RDS Server

Step 1: Win key + R
Step 2: Type in regedit and click ok


Step 3: Navigate to this folder path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

Step 4: Delete the REG_BINARY

Change Permissions on the RDS GracePeriod key and delete the key

Open a command prompt, and type regedit. After you have navigated to the key documented above, right-click GracePeriod and select Permissions.

Navigate to the RDS GracePeriod key

For obvious reasons, there are no default permissions on this key for even Administrators. So you have to first take ownership of the key before you can delete the timebomb value. Click the Advanced button on the permissions dialog box.

Navigate to the Advanced permissions properties

Click the Change button next to the Owner.

Change the ownership of the registry key

Here I have selected local administrators group as the owner of the key. However, you will want to choose whichever user/group you want to use to delete the registry key. Select the options to replace owners and replace all child object permissions.

User for ownership selected and set to replace permissions on child objects

Confirm the replacement of permissions on the registry key.

Confirm replacing permissions

Now that we have changed ownership on the key, we can actually set permissions without getting permissions errors. Here I am granting administrators full control on the key.

Change permissions for the user you want to be able to delete the key

Step 5: Restart the Server for changes to take effect(For grace period to be restored back to 120 Days)

Troubleshooting

1. Check blocked applications by Applocker

PS C:\Installation\Add-PSMApps> Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |Where-Object {$_.LevelDisplayName -ne "Information"} |Format-Table -AutoSize| Out-File C:\AppLocker.txt -Width 1000
PS C:\Installation\Add-PSMApps> type c:\AppLocker.txt

   ProviderName: Microsoft-Windows-AppLocker
TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLCOMPONENTS\TASKFLOWUI.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLEXPERIENCES\TILECONTROL.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLCOMPONENTS\WINDOWSINTERNAL.COMPOSABLESHELL.EXPERIENCES.SWITCHER.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %SYSTEM32%\WLRMDR.EXE was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %PROGRAMFILES%\CYBERARK\PSM\COMPONENTS\CHROMEDRIVER.EXE was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SETHC.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\CTFMON.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\CMD.EXE was prevented from running.

PS C:\Installation\Add-PSMApps>

Manual change:

C:\Program Files (x86)\Cyberark\PSM\Hardening\PSMConfigureAppLocker.xml

<?xml version="1.0" encoding="utf-8"?>
<PSMAppLockerConfiguration>
  <GeneralConfiguration>
    <!-- SetAutoAndStart: To start the Application Identity service and set it to automatic startup    -->
    <!-- mode, set this attribute's value to 'true'. Valid values: true/false.                         -->
    <ServiceConfiguration SetAutoAndStart="true" />
    <RuleCollections>
      <!-- For each rule collection, you can define the following parameters:                            -->
      <!--     Enforce: To block applications of the relevant collection, set this attribute's value to  -->
      <!--        'true'. To prevent AppLocker from blocking applications of the relevant type, set this -->
      <!--        attribute's value to 'false'.                                                          -->
      <!--     Action: To apply new AppLocker configurations and lose any existing settings, set this    -->
      <!--        attribute's value to 'override'. To merge new configurations with the existing         -->
      <!--        settings, set this attribute's value to 'merge'.                                       -->
      <Executable Enforce="true" Action="Override" />
      <WindowsInstaller Enforce="true" Action="Override" />
      <Script Enforce="true" Action="Override" />
      <PackagedApp Enforce="true" Action="Override" />
      <DLL Enforce="true" Action="Override" />
    </RuleCollections>
  </GeneralConfiguration>
  <!-- This part is internal and should not be modified unless instructed to by CyberArk professional -->
  <!-- services.                                                                                      -->
  <!-- InternalApplications section is directed for PSMConnect and PSMAdminConnect.                   -->
  <!-- SessionType index: "Admin" for PSMAdminConnect, "Regular" for PSMConnect, "*" for both.        -->
  <InternalApplications>
    <Application Name="PSMInitSession" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe" Method="Hash" />
    <Application Name="PSMRDPClient" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMRDPClient.exe" Method="Hash" />
    <Application Name="PSMSessionAlert" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSuspendSession.exe" Method="Hash" />
    <Application Name="PSMMessageAlert" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMLauncher" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMLauncher.exe" Method="Hash" />
    <Application Name="PSMLiveMonitoringClient" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMLiveMonitoringClient.exe" Method="Hash" />
    <Application Name="PSMSessionSignalStatusNotification" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSessionSignalStatusNotification.exe" Method="Hash" />
    <Application Name="PSMWindowsEventsLogger" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="UserInit" Type="Exe" SessionType="*" Path="c:\windows\system32\userinit.exe" Method="Publisher" />
    <Application Name="SplWOW64" Type="Exe" SessionType="*" Path="c:\windows\splwow64.exe" Method="Publisher" />
    <Application Name="RDPClip" Type="Exe" SessionType="*" Path="c:\windows\system32\rdpclip.exe" Method="Publisher" />
    <Application Name="TSTheme" Type="Exe" SessionType="*" Path="c:\windows\system32\tstheme.exe" Method="Publisher" />
    <Application Name="ConsoleHost" Type="Exe" SessionType="*" Path="c:\windows\system32\conhost.exe" Method="Publisher" />
    <Application Name="TaskHost" Type="Exe" SessionType="*" Path="c:\windows\system32\taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" SessionType="*" Path="c:\windows\system32\WERMGR.EXE" Method="Publisher" />
    <Application Name="TSShadow" Type="Exe" SessionType="Admin" Path="c:\windows\system32\mstsc.exe" Method="Publisher" />
    <Application Name="RDPSA" Type="Exe" SessionType="Regular" Path="c:\windows\system32\RDPSA.EXE" Method="Publisher" />
    <Application Name="RDPSAPROXY" Type="Exe" SessionType="Regular" Path="c:\windows\system32\RDPSAPROXY.exe" Method="Publisher" />
    <Application Name="RDPInit" Type="Exe" SessionType="*" Path="c:\windows\system32\rdpinit.exe" Method="Publisher" />
    <Application Name="RDPShell" Type="Exe" SessionType="*" Path="c:\windows\system32\rdpshell.exe" Method="Publisher" />
    <Application Name="Sihost" Type="Exe" SessionType="*" Path="c:\windows\system32\sihost.exe" Method="Publisher" />
    <!-- Added to support win 2016 -->
    <Application Name="RunOnce" Type="Exe" SessionType="*" Path="c:\windows\system32\runonce.exe" Method="Publisher" />
    <!-- Added to support RemoteApp on first login -->
    <Application Name="PSMTicketingValidationPage" SessionType="*" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTicketValidator.exe" Method="Hash" />
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:\Program Files (x86)\CyberArk\PSM\Components\*" Method="Path" SessionType="*" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%\*" Method="Path" SessionType="*" />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%\WINSXS\*" Method="Path" SessionType="*" />
    <Libraries Name="DotNetFramework32Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework\v4.0.30319\*" Method="Path" SessionType="*" />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\*" Method="Path" SessionType="*" />
  </InternalApplications>
  <!-- AllowedApplications section is directed for PSMShadowUsers -->
  <AllowedApplications>
    <!-- For each allowed application, specify the following attributes:                               -->
    <!--    Name:   Name of the application for log proposes. Valid values: Any string value.          -->
    <!--    Type:   Type of application to allow. Valid values: Exe/Script.                            -->
    <!--    Path:   Path of the application executable. Valid values: exact application path,          -->
    <!--            wildcards are allowed only if the chosen method is "Path".                         -->
    <!--    Method: The chosen identification method for the application.                              -->
    <!--            Valid values: Path/Hash/Publisher                                                  -->
    <!-- PSM Components -->
    <Application Name="PSMSSHClient" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSSHClient.exe" Method="Hash" />
    <Application Name="PSMPrivateArkClientDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPrivateArkClientDispatcher.exe" Method="Hash" />
    <Application Name="PSMPVWADispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPVWADispatcher.exe" Method="Hash" />
    <Application Name="MSSQLManagementStudioWindowsAuthenticationDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\MSSQLManagementStudioWindowsAuthenticationDispatcher.exe" Method="Hash" />
    <Application Name="PSM3270Client" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSM3270Client.exe" Method="Hash" />
    <Application Name="PSMWebFormDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWebFormDispatcher.exe" Method="Hash" />
    <Application Name="PSMWinSCPDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWinSCPDispatcher.exe" Method="Hash" />
    <Application Name="WinSCP" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\WinSCP.exe" Method="Hash" />
    <Application Name="PSMRealVNCDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMRealVNCDispatcher.exe" Method="Hash" />
    <Application Name="PSMXFocus" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMXFocus.exe" Method="Hash" />
    <Application Name="PSMTokenHolder" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTokenHolder.exe" Method="Hash" />
    <Application Name="PSMSessionAlert" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSuspendSession.exe" Method="Hash" />
    <Application Name="PSMPreventWindowHide" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPreventWindowHide.exe" Method="Hash" />
    <Application Name="PSMMessageAlert" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMWindowsEventsLogger" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="PSM-WebAppDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" />
    <Application Name="DLLInjector" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\DLLInjector.exe" Method="Hash" />
    <Application Name="DLLInjector64" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\DLLInjector64.exe" Method="Hash" />
    <Application Name="PSM-ProgressBar" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="PSMTicketingValidationPage" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTicketValidator.exe" Method="Hash" />
    <!-- Microsoft session processes -->
    <Application Name="ConsoleHost" Type="Exe" Path="c:\windows\system32\conhost.exe" Method="Publisher" />
    <Application Name="TaskHost" Type="Exe" Path="c:\windows\system32\taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" Path="c:\windows\system32\WERMGR.EXE" Method="Publisher" />
    <!-- Oracle connection clients -->
    <!-- If relevant, uncomment this part after installing Oracle client and Toad.
    <Application Name="Toad" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\toad.exe" Method="Publisher,Hash" />
    <Application Name="SQLPlus" Type="Exe" Path="c:\oracle\instantclient\sqlplus.exe" Method="Hash" />
    <Application Name="Notepad" Type="Exe" Path="c:\windows\system32\notepad.exe" Method="Publisher"/>
    <Application Name="SDFConverter" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\ClientFiles\ScriptMgr\SDFConverter.exe" Method="Hash" />
    <Application Name="QuestScriptRunner" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\qsr.exe" Method="Hash" />
    <Application Name="OptimizerEngine" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\OptimizerEngine.exe" Method="Hash" />
    <Application Name="FormatOptions" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\FmtOptions.exe" Method="Hash" />
    <Application Name="ToadScriptRuntime" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\tsr.exe" Method="Hash" />
    <Application Name="UninstallClientFiles" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\UninstallClientFiles.exe" Method="Hash" />
    End of oracle connections comment -->
    <!-- vSphere client processes -->
    <!-- If relevant, uncomment this part after installing vSphere client (including .Net framework 2 and 3.5).
    <Application Name="VpxClient" Type="Exe" Path="C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe" Method="Hash" />
    <Application Name="VMWare-VMRC" Type="Exe" Path="C:\Program Files (x86)\VMWARE\INFRASTRUCTURE\VIRTUAL INFRASTRUCTURE CLIENT\4.0\VMWARE-VMRC.EXE" Method="Publisher" />
    <Application Name="VMWare-RemoteMKS.EXE" Type="Exe" Path="C:\Program Files (x86)\VMWARE\INFRASTRUCTURE\VIRTUAL INFRASTRUCTURE CLIENT\4.0\VMWARE-REMOTEMKS.EXE" Method="Publisher" />
    <Application Name="CSC" Type="Exe" Path="c:\windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE" Method="Publisher" />
    <Application Name="CVTRES" Type="Exe" Path="c:\windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE" Method="Publisher" />
    End of vSphere client comment -->
    <!-- SQL Server Management Studio 2012 processes -->
    <!-- If relevant, uncomment this part after installing SQL Server Management Studio 2012 processes
    <Application Name="SSMS2012" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe" Method="Publisher" />
    End of SQL Server Management Studio 2012 processes comment -->
    <!-- SAP GUI processes -->
    <!-- If relevant, uncomment this part after installing SAP GUI processes and downloading the CyberArk PSMSAPGUI connection component from the Marketplace
    <Application Name="PSMSAPGUI" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSAPGUI.exe" Method="Hash" />
    <Application Name="saplogon" Type="Exe" Path="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" Method="Hash" />
    <Application Name="SAPgui" Type="Exe" Path="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPgui.exe" Method="Hash" />
    End of SAP GUI processes comment -->
    <!-- X Forwarding X Server processes -->
    <Application Name="VcXsrv" Type="Exe" Path="C:\Program Files (x86)\VcXsrv\vcxsrv.exe" Method="Hash" />
    <Application Name="xkbcomp" Type="Exe" Path="C:\Program Files (x86)\VcXsrv\xkbcomp.exe" Method="Hash" />
    <!-- Microsoft IExplore processes -->
    <!-- If relevant, uncomment this part to allow webform based connection clients -->
    <Application Name="IExplore32" Type="Exe" Path="c:\Program Files (x86)\Internet Explorer\iexplore.exe" Method="Publisher" />
    <Application Name="IExplore64" Type="Exe" Path="c:\Program Files\Internet Explorer\iexplore.exe" Method="Publisher" />
    <!-- End of Microsoft IExplore processes comment -->
    <!-- Google Chrome process -->
    <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
    <Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Publisher" />
    End of Google Chrome process comment -->
    <!-- Microsoft Edge process -->
    <!-- If relevant, uncomment this part to allow Edge webform based connection clients
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Publisher" />
    End of Microsoft Edge process comment -->
    <!-- Generic client support -->
    <!-- If relevant, uncomment this part to allow generic clients support and add a rule for each generic connection client
    <Application Name="GenericClient-Sample" Type="Exe" Path="C:\VNC-Viewer-5.0.5-Windows-64bit.exe" Method="Hash" />
    End of Generic client support comment -->
    <!-- Google Chrome section -->
    <Application Name="Chrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Publisher" />
    <Application Name="ChromeDriver" Type="Exe" Path="C:\Program Files (x86)\Cyberark\PSM\Components\chromedriver.exe" Method="Path" />
    <!-- End of Google Chrome section -->
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:\Program Files (x86)\CyberArk\PSM\Components\*" Method="Path" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%\*" Method="Path" />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%\WINSXS\*" Method="Path" />
    <Libraries Name="DotNetFramework32Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework\v4.0.30319\*" Method="Path" />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\*" Method="Path" />
    <Libraries Name="DotNetFrameworkGAC" Type="Dll" Path="%WINDIR%\Microsoft.NET\assembly\*" Method="Path" />
    <Libraries Name="VcXsrv" Type="Dll" Path="%PROGRAMFILES%\VcXsrv\*" Method="Path" />
  </AllowedApplications>
</PSMAppLockerConfiguration>

Open PowerShell in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the following command to start the script:

“.\PSMConfigureAppLocker.ps1”

Note: https://docs.cyberark.com/PAS/Latest/en/Content/PAS%20INST/Install_ConfigurePSMServerMachineForWebApps.htm#Configur

2. Add user into Safe Member

Got an error : Object reference not set to an instance of an object.

3. PSMSC025E LogonLocalUser: failed to logon with local user

NetLogon service is not started. Reboot PSM server.

CyberArk Useful Links

• Main CyberArk Site
• CyberArk Support Portal
• CyberArk Secure File Exchange (SFE) Support Vault
• UNOFFICIAL CyberArk REST API v9.8 Live Documentation (Postman)
• CyberArk REST API on GitHub.io
• RegEx101 - for configuring AllowedSafes++
• CyberArk Official YouTube

References

• Microsoft Azure Password Management
• Microsoft Azure Application Keys
• Microsoft Azure Application Keys Online Help
• Add Azure Active Directory as a directory service
• How to remove "automated test software" prompt in PSM webconnectors: https://cyberark-customers.force.com/s/article/PSM-web-application-shows-Chrome-is-being-controlled-by-automated-test-software-with-Chrome-98
• Set Edge to be browser for PSM: https://cyberark-customers.force.com/s/article/How-to-change-PSM-WebApp-to-use-Edge
• Plugin Generator Utility for mapping web sites to PSM connectors: https://cyberark-customers.force.com/mplace/s/#a3550000000EiC4AAK-a3950000000jjUeAAI
• Add additional apps with add-psmapps: https://cyberark-customers.force.com/s/article/How-to-use-Add-PSMApplication
• Configure WebDriverUpdate tool on each connector server: https://cyberark-customers.force.com/mplace/s/#a35Ht000000rjXlIAI-a39Ht000001kceVIAQ
• https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/MSAzurePasswordManagement.htm?tocpath=Administrator%7CComponents%7CCentral%20Policy%20Manager%7CCPM%20plugins%7CTarget%20account%20plugins%7CCloud%20services%7C_____3#Logon
• https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/MicrosoftAzureApplicationKeys.htm?tocpath=Administrator%7CComponents%7CCentral%20Policy%20Manager%7CCPM%20plugins%7CTarget%20account%20plugins%7CCloud%20services%7C_____4