Upgrade Privileged Cloud PSM to 14.4 and Higher - NETSEC


Monday, November 25, 2024

Upgrade Privileged Cloud PSM to 14.4 and Higher

This post records all the steps for upgrading the Privilege Cloud PSM (connector) component from 14.2 to 14.4, which is the latest version at the time of writing.



I strongly suggest having a CyberArk support engineer online with you during the upgrade, since there is always some surprise.

Upgrade via Connector Manager (CM):
https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-12.7-later-cm.htm?tocpath=Upgrade%20CyberArk%20services%7CUpgrade%20Privilege%20Cloud%20connectors%7CUpgrade%20the%20Privilege%20Cloud%20Connector%7C_____1

Upgrade via the Privilege Cloud installer:
https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-12.7-later.htm?tocpath=Upgrade%20CyberArk%20services%7CUpgrade%20Privilege%20Cloud%20connectors%7CUpgrade%20the%20Privilege%20Cloud%20Connector%7C_____2

Once the upgrade is done, rerun the PSMHardening.ps1 and PSMConfigureAppLocker.ps1 scripts; here is the link to follow:
https://docs.cyberark.com/ispss-deployment/latest/en/content/pas%20inst/optional-moving-the-psmconnec-and-psmadminconnect-users-to-your-domain.htm?Highlight=psm%20domain%20accounts#RunthePSMHardeningandApplockerscripts

Here is the Marketplace link to download the package:
https://community.cyberark.com/marketplace/s/#software-aK4Ht0000008PWcKAM-

If your PSM servers sit behind a load balancer, fail traffic over to one of the other PSM servers before you start, so that upgrading this PSM server does not cause any downtime. Also check whether any users are still connected through this PSM server before starting, because the upgrade script stops the PSM service and any active sessions will be cut.

Prerequisites

1. Change the installuser's password
2. Get a domain admin username and password
3. Download the installation files from the CyberArk Marketplace (optional)
4. Snapshot and backup
 
- Take a snapshot of the server.
- Generate a Group Policy report of the Connector server:
  • Gpresult /h C:\PolicyBeforeUpgrade.html
- Check that the zip files are not blocked.
- Extract the PSM GPO package: CyberArk Hardening - In-Domain - PSM v[latest].zi
- Disable antivirus (optional; uninstall if possible).
- Back up the following files:
  • PSM\Hardening\PSMHardening.ps1
  • PSM\Hardening\PSMConfigureAppLocker.xml
  • PSM\basic_psm.ini
  • PSM\Vault\Vault.ini
  • All logs from the PSM\Logs folder
- Check that the local PSMConnect and PSMAdminConnect users are in Built-in\Users.
- Check the PSMConfigureAppLocker.xml file: if you have an edited PSMConfigureAppLocker.xml that contains tailored rules for your executable files, retain your current file.
- On PSM with high availability, divert traffic away from the PSM being upgraded.
- Update the GPO, either by deploying CyberArk Hardening - In-Domain - PSM v[latest].zi:
  https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-cm-standard.htm#DeploytheupdatedGPOhardeningpackage
  or by updating the GPO manually to keep your customized GPO settings:
  https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-cm-standard.htm#ManuallyaddCPMandPSMhardeningsettings
  As a side note, a customized GPO can sometimes cause installation problems, so if the upgrade fails, disabling the GPO while the upgrade runs is a viable workaround.
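To make the prerequisite checks repeatable, here is the PowerShell I would run on the PSM before each upgrade. It is an added example, not part of the original post and not a CyberArk tool. The install path is the one used later in this post; the package folder, the backup folder and the use of quser for session listing are my assumptions. It takes the GPO report, backs up the listed files and logs, flags downloaded files that still carry the Mark-of-the-Web, confirms the local PSMConnect and PSMAdminConnect accounts are still in the Users group, and lists any interactive sessions that will be cut when the service stops. The VM snapshot depends on your hypervisor and is not scripted here.

```powershell
# Added example (not from the original post or CyberArk): pre-upgrade backup and checks
# for one PSM server. Run elevated in Windows PowerShell 5.1 on the PSM.
$PsmRoot    = 'C:\Program Files (x86)\Cyberark\PSM'   # install path named in this post
$PackageDir = 'C:\CyberArk\PSM14.4'                   # assumption: where the package was extracted
$BackupDir  = "C:\PSMBackup\$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Group Policy report of the connector, to diff against after the upgrade.
gpresult /h (Join-Path $BackupDir 'PolicyBeforeUpgrade.html') /f

# 2. Files the upgrade rewrites (hardening script, AppLocker rules, PSM and Vault ini)
#    plus the whole Logs folder, copied with their relative layout preserved.
$Files = @(
    'Hardening\PSMHardening.ps1',
    'Hardening\PSMConfigureAppLocker.xml',
    'basic_psm.ini',
    'Vault\Vault.ini'
)
foreach ($rel in $Files) {
    $src = Join-Path $PsmRoot $rel
    $dst = Join-Path $BackupDir $rel
    New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
    Copy-Item -Path $src -Destination $dst -ErrorAction Stop
}
Copy-Item -Path (Join-Path $PsmRoot 'Logs') -Destination (Join-Path $BackupDir 'Logs') -Recurse

# 3. Downloaded files must not carry the Zone.Identifier stream (Mark-of-the-Web),
#    otherwise the installer's scripts are blocked from running.
$Blocked = Get-ChildItem -Path $PackageDir -Recurse -File |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
if ($Blocked) {
    Write-Warning "Blocked files (run Unblock-File on them): $($Blocked.FullName -join ', ')"
}

# 4. The local PSMConnect / PSMAdminConnect users must still be members of BUILTIN\Users.
$UsersGroup = Get-LocalGroupMember -Group 'Users' | Select-Object -ExpandProperty Name
foreach ($u in 'PSMConnect', 'PSMAdminConnect') {
    $present = $UsersGroup | Where-Object { ($_ -split '\\')[-1] -eq $u }
    if (-not $present) { Write-Warning "$u is not a member of the local Users group" }
}

# 5. Nobody should be logged on: the upgrade stops the PSM service and ends every session.
#    quser prints a header line, then one line per session; it errors when there are none.
$Sessions = (quser 2>$null) | Select-Object -Skip 1
if ($Sessions) {
    Write-Warning "Active sessions on this PSM:`n$($Sessions -join "`n")"
} else {
    Write-Host 'No interactive sessions; take this PSM out of the load balancer pool and upgrade.'
}
```

Keep the backup folder off the PSM itself (copy it to a share) before you run the installer, since a failed upgrade followed by a snapshot rollback is the most common recovery path.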

The GPO settings are mostly the same as before, with no changes needed.

Here are the steps for verifying the GPOs.
  1. Open the Group Policy Management Console (GPMC.msc).
  2. Click the OU that stores your legacy CPM and PSM hardening setup.
  3. Apply the following changes, which are the updates made to the GPO settings in this version:

    Go to User Rights Assignment:

    Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Apply the following:

    Policy                              Setting
    ------                              -------
    Adjust memory quotas for a process  NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, PasswordManagerUser
    Allow log on locally                BUILTIN\Administrators, PSMShadowUsers, PluginManagerUser
    Log on as a service                 NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, PasswordManagerUser, ScannerUser
    Replace a process level token       NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, PasswordManagerUser
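Rather than eyeballing GPMC, I would verify the effective User Rights Assignment on the server itself against the table above. The script below is my own added example, not from the original post or CyberArk: it exports the local security policy with secedit, translates the SIDs back to account names, and reports what is missing or extra for each of the four policies. The mapping from policy names to privilege constants (SeIncreaseQuotaPrivilege, SeInteractiveLogonRight, SeServiceLogonRight, SeAssignPrimaryTokenPrivilege) is the standard Windows one; comparing on the leaf account name is a simplification I chose so that local and domain accounts match regardless of the prefix.

```powershell
# Added example (not from the original post or CyberArk): compare the effective
# User Rights Assignment on this connector with the GPO table above.
# Run elevated in Windows PowerShell 5.1; secedit.exe is built into Windows.

# Privilege constant -> policy name as shown in GPMC.
$Policies = @{
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# Expected members from the table. Leaf names only: the export shows accounts as
# COMPUTERNAME\... or DOMAIN\... depending on where they live, so we compare the
# part after the backslash.
$Expected = @{
    'SeIncreaseQuotaPrivilege'      = @('LOCAL SERVICE', 'NETWORK SERVICE', 'Administrators', 'PasswordManagerUser')
    'SeInteractiveLogonRight'       = @('Administrators', 'PSMShadowUsers', 'PluginManagerUser')
    'SeServiceLogonRight'           = @('LOCAL SERVICE', 'NETWORK SERVICE', 'PasswordManagerUser', 'ScannerUser')
    'SeAssignPrimaryTokenPrivilege' = @('NETWORK SERVICE', 'LOCAL SERVICE', 'PasswordManagerUser')
}

function Get-UserRightsAssignment {
    # Export only the USER_RIGHTS area; secedit writes a UTF-16 INF whose
    # [Privilege Rights] section has lines like  SeServiceLogonRight = *S-1-5-19,*S-1-5-20
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $result = @{}
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -cnotmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]
        $members = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Resolved accounts are written as *SID; translate back to DOMAIN\name.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry.Substring(1) }   # orphaned SID: keep it visible as-is
            } else { $entry }
        }
        $result[$priv] = @($members)
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $result
}

function Compare-UserRights {
    param([hashtable]$Actual)
    foreach ($priv in $Expected.Keys) {
        $have = @($Actual[$priv] | ForEach-Object { ($_ -split '\\')[-1] })
        $want = $Expected[$priv]
        $missing = $want | Where-Object { $have -notcontains $_ }
        $extra   = $have | Where-Object { $want -notcontains $_ }
        [pscustomobject]@{
            Policy  = $Policies[$priv]
            Missing = ($missing -join ', ')
            Extra   = ($extra   -join ', ')
        }
    }
}

Compare-UserRights -Actual (Get-UserRightsAssignment) | Format-Table -AutoSize
```

Read the two columns differently. Extra is the security finding: any account with Log on as a service or Replace a process level token that is not in the table should be explained. Missing is often benign on a PSM-only server, because the CPM accounts (PasswordManagerUser, ScannerUser) do not exist there and Windows skips GPO entries it cannot resolve; an orphaned SID in the Extra column usually means a deleted account the GPO still references.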





Connector Manager Upgrade

CyberArk has made a nice improvement by allowing the PSM to be upgraded directly from Connector Manager, but unfortunately it still has a long way to go. Hopefully the 15.x version will be stable and mature enough for customers to rely on.


Installing component failed
Error : The installation stage of the installation is blocked due to 1 error(s) and 0 warning(s). Error #1: An error occurred during installation. For more information check the log: C:\Windows\Temp\PSM\ManifestInstallationTool.log. Check the log to resolve the error(s) and then click Reinstall.



Restart the CyberArk Management Agent service to clear this error message.



Manual PSM Upgrade

Since the Connector Manager upgrade failed, we have to go through the classic manual upgrade process:

1 Download the package

Rename the package folder to a shorter name, such as PSM14.4.



2 Unzip the file and unblock the downloaded files in the folder:

PS C:\CyberArk\PSM14.4> Get-ChildItem -Path C:\CyberArk\PSM14.4 -Recurse -File | Unblock-File

PS C:\CyberArk\PSM14.4>

3 Run setup.exe as administrator

Follow the wizard to complete the installation.

Make sure the installer does not fully harden the server: click Advanced and uncheck the two hardening settings (the hardening and AppLocker scripts), which we will run manually afterwards:


Or the same two settings can be enabled in the Post Installation section instead.



We will need to adjust the hardening script and the AppLocker script manually for the two PSM users (PSMConnect and PSMAdminConnect).

Ignore the following error if you get it:

It refers to a legacy registry key for IE.

4 Restart the system after the upgrade completes.



Manual changes after rebooted machine

 
The following steps may not be needed, depending on the version you are running and the version you are upgrading from. Check whether you are in the same situation.

1. Administration Options - Privileged Session Management: Configured PSM Servers


A new PSM server entry is added for each existing PSM server. Copy the settings from the old PSM server entry to the new one.

Before the change:

The PSM server address is an IP address and has to be changed. The Object and AdminObject fields also contain wrong values.

After the change:
You will also need to copy the PSM Gateway settings to the new PSM server entry.


2. Change PSMServerAdminID in basic_psm.ini file


C:\Program Files (x86)\Cyberark\PSM

basic_psm.ini :



Do not forget to restart the service:
  • CyberArk Privileged Session Manager 
3. Change Hardening files


Search for PSMConnect in PSMHardening.ps1.

Since we are using domain accounts for PSMConnect and PSMAdminConnect, here is what I changed it to:


For the PSMConfigureAppLocker.ps1 file:
Before the change:
After the change:


4. Execute both ps1 files one after the other:


PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMHardening.ps1
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://CTY/Domain Users
WinNT://CTY/EE-CARK01/PSMConnect
WinNT://CTY/EE-CARK01/PSMAdminConnect
WinNT://CTY/svc_CArk_PSMConnect
WinNT://CTY/svc_CArk_PSMAdmn
WinNT://CTY/SEC-Infrastructure Administrators
WinNT://CTY/SEC-Infrastructure Operators
WinNT://CTY/SEC-Infrastructure Managers
Would you like to remove all members of this group? (yes/no): no
True
WinSCP password storing has been disabled
WinSCP editor definition has been disabled
CyberArk Hardening script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>





PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMConfigureAppLocker.ps1
PSM connection user is CTY\svc_CArk_PSMConnect
PSM admin connection user is CTY\svc_CArk_PSMAdmn
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe
Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsapgui.exe
Evaluating the dlls consumed by c:\program files\google\chrome\application\chrome.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\chromedriver.exe
Evaluating the dlls consumed by c:\program files (x86)\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files\internet explorer\iexplore.exe
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>
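Steps 2 to 4 above are the part I would script, because they have to be repeated on every PSM and a typo in either hardening script only shows up as a broken AppLocker policy. The block below is my own added example, not from the original post or from CyberArk. Assumptions, labelled in the code: the PSMServerAdminID value is a placeholder and must come from your Configured PSM Servers entry; the variable names $PSM_CONNECT_USER and $PSM_ADMIN_CONNECT_USER are how I expect the two scripts to name their user settings, so the script refuses to write if it does not find exactly one assignment per variable; the PSM service is matched by the display name given in this post; the domain accounts are the ones from the output above.

```powershell
# Added example (not from the original post or CyberArk): post-reboot changes for
# steps 2 to 4 on one PSM server. Run elevated in Windows PowerShell 5.1 on the PSM.
$PsmRoot     = 'C:\Program Files (x86)\Cyberark\PSM'   # install path named in this post
$NewAdminId  = 'PSMApp_psmserver01'                    # PLACEHOLDER: use the value from step 1
$ConnectUser = 'CTY\svc_CArk_PSMConnect'               # domain accounts from the output above
$AdminUser   = 'CTY\svc_CArk_PSMAdmn'

function Backup-File([string]$Path) {
    # Keep a timestamped copy next to every file we rewrite.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmm).bak" -ErrorAction Stop
}

# Step 2: basic_psm.ini is a key=value file; rewrite only the PSMServerAdminID line,
# then restart the PSM service so it picks the new ID up.
$ini = Join-Path $PsmRoot 'basic_psm.ini'
Backup-File $ini
$lines = Get-Content -Path $ini
if (-not ($lines -match '^\s*PSMServerAdminID\s*=')) { throw "PSMServerAdminID not found in $ini" }
$lines -replace '^(\s*PSMServerAdminID\s*=\s*).*$', "`${1}$NewAdminId" | Set-Content -Path $ini
Get-Service -DisplayName 'CyberArk Privileged Session Manager' | Restart-Service -Force

# Step 3: point both hardening scripts at the domain accounts. Variable names are an
# assumption; the count check stops us from silently changing nothing (or too much).
function Set-ScriptUser([string]$Script, [hashtable]$Map) {
    Backup-File $Script
    $changed = 0
    $out = Get-Content -Path $Script | ForEach-Object {
        $line = $_
        foreach ($var in $Map.Keys) {
            # matches e.g.   $PSM_CONNECT_USER = "PSMConnect"   (any spacing, either quote style)
            $pattern = '^(\s*\$' + [regex]::Escape($var) + '\s*=\s*)["''][^"'']*["'']'
            if ($line -match $pattern) {
                $line = $Matches[1] + '"' + $Map[$var] + '"'
                $changed++
            }
        }
        $line
    }
    if ($changed -ne $Map.Count) {
        throw "${Script}: expected $($Map.Count) changes, made $changed; check the variable names"
    }
    $out | Set-Content -Path $Script
    # Echo the rewritten lines so the operator can eyeball them before running the scripts.
    Select-String -Path $Script -Pattern 'PSM_(ADMIN_)?CONNECT_USER\s*=' | ForEach-Object { $_.Line }
}
$Map = @{ 'PSM_CONNECT_USER' = $ConnectUser; 'PSM_ADMIN_CONNECT_USER' = $AdminUser }
$Hardening = Join-Path $PsmRoot 'Hardening'
Set-ScriptUser -Script (Join-Path $Hardening 'PSMHardening.ps1')          -Map $Map
Set-ScriptUser -Script (Join-Path $Hardening 'PSMConfigureAppLocker.ps1') -Map $Map

# Step 4: run the two scripts one after the other, from their own folder.
Push-Location $Hardening
try {
    .\PSMHardening.ps1
    .\PSMConfigureAppLocker.ps1
} finally { Pop-Location }

# The hardening script only warns about Remote Desktop Users and leaves the decision to you.
# Every group in there (Domain Users in the output above, for instance) gives all of its
# members an RDP logon on the PSM, so list the groups and justify each one.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.ObjectClass -eq 'Group' } |
    ForEach-Object { Write-Warning "Group with RDP logon on this PSM: $($_.Name)" }
```

If the count check throws, open the script and search for PSMConnect as in step 3; the variable may be named differently in your version, in which case adjust $Map rather than the regex.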



Some Issues Found After Upgrade


Issues when manually upgrading from 14.3 to 14.4

In my environment there are three PSM servers. After the upgrade, the old entries show as disconnected. The three new entries show the correct component_users, but the version is showing 14.3 when it should be 14.4.

This is probably specific to version 14.4.

No issues were found in the upgrade from 14.4 to 14.5.

