This post summarizes the configuration of CyberArk Privilege Cloud (P-Cloud) for an Azure Active Directory environment.
CyberArk Products Security Pillars (Access, Privilege, DevSecOps)

1. RBAC – Roles Based Access Control

2. SSO / MFA

3. Lifecycle management approval workflow

Groups, Users, Roles in Identity

G-CyberArk-Users

G-CyberArk-Admins

G-CyberArk-Auditors

G-CyberArk-Managers

G-<Safe>-CA-Managers

G-<Safe>-CA-Users

G-<Safe>-CA-Approvers

Platform

Platform names follow the nomenclature [Account type]-[Platform]-[Technology or OS Type]-[Environment]-[Workflow]-[Management]-[Expiry]. Fields are separated by "-" (each delimiter counts as one character) and the suggested maximum length is 44 characters.

| Length | Description         | Sample  | Legend |
|--------|---------------------|---------|--------|
| 3      | Account Type        | SPA     | Account type according to PAM naming conventions (e.g., SPA: Shared Privileged Account, PPA: Personal Privileged Account, WBA: Windows Built-in Account, etc.) |
| 2      | Technology Platform | DB      | Platform or OS type (e.g., CL: Cloud, WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, etc.) |
| 6      | Technology Type     | MSSQL   | Platform technology type, e.g. OS or DB variant (WIN, AIX, MSSQL, MYSQL, RHEL, Azure, etc.) |
| 1      | Environment         | P       | Environment type (e.g., P: Production, D: Development, etc.) |
| 3-14   | Workflow            | Chkout  | Workflows applicable to the platform (e.g., PSM, Chkout, etc.) |
| 7-10   | Management          | Managed | Password management type for the account (Managed or Unmanaged) |
| 4      | Expiry              | 30D     | Password expiry duration (e.g., 12H, 1Y, 30D, 90D, 180D, No) |

Example:

SPA-DB-MSSQL-P-ChkoutApproval-Managed-90: a platform for Shared Privileged Accounts on production Microsoft SQL Server databases. Check-in/check-out control and an approval workflow are enabled, the accounts are managed automatically by P-Cloud, and the password expiry period is 90 days.

Safe

Note: Do not rename a safe unless you fully understand the consequences. The linked logon account, application account and reconcile account of the accounts in that safe will become empty and must be set again.

Shared Access Model:

  • P-Cloud safes can be assigned to different teams
  • Each team may have access to one or more safes
  • Permissions to safes are assigned via AD Security groups
  • The following roles are suggested for safe members:
    • Safe Admins
    • Safe Auditors
    • Safe Approvers
    • Safe Persistent Users (including nested groups)
    • Safe Ad-Hoc Users

| Length | Description            | Sample | Legend |
|--------|------------------------|--------|--------|
| 1      | Prefix for shared safe | S      | Reserved for shared safes |
| 5-8    | Team name              | Cyber  | Abbreviation for the team name (5-8 characters, e.g. EntSd) |
| 2-5    | Technology             | DB     | Platform or OS type (e.g., WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, AD: Active Directory, etc.) |
| 3-5    | PSM Control            | NoPSM  | Whether PSM is enabled at safe level |
| 1      | Environment            | P      | Environment type (e.g., P: Production, D: Development, etc.) |
| 2      | Sequence number        | 01     | Sequence number (00-99) for teams with multiple safes |

Fields are separated by "-"; assembling the sample column gives S-Cyber-DB-NoPSM-P-01.
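The two naming conventions above are easy to drift from once several teams start creating platforms and safes. The following PowerShell helpers are an added example (not from the original post and not CyberArk tooling): they build names that follow the tables, validate existing names against them, and derive the per-safe AD group names from the G-<Safe>-CA-* pattern listed earlier. The field vocabularies are limited to the codes shown on this page, "PSM"/"NoPSM" for the PSM Control field is inferred from the sample and its 3-5 character length, and the optional expiry unit accommodates the post's own "-90" example; all of these are assumptions you may need to widen.

```powershell
# Added example: helpers for the platform and safe naming conventions in this post.
# Field vocabularies (ValidateSet) are the codes named on the page; extend them for your own.

# Platform: [AccountType]-[Platform]-[Technology]-[Env]-[Workflow]-[Management]-[Expiry]
# The expiry unit is optional only because the post's example uses "-90" without one.
$PlatformFormat = '^[A-Z]{3}-[A-Z]{2}-[A-Za-z0-9]{1,6}-[PD]-[A-Za-z]{3,14}-(Managed|Unmanaged)-(\d{1,3}[HDY]?|No)$'
# Safe: S-[Team]-[Technology]-[PSM|NoPSM]-[Env]-[Sequence]   (PSM/NoPSM is an assumption)
$SafeFormat     = '^S-[A-Za-z0-9]{5,8}-[A-Z]{2,5}-(PSM|NoPSM)-[PD]-\d{2}$'

function New-PCloudPlatformName {
    param(
        [Parameter(Mandatory)][ValidateSet('SPA','PPA','WBA')]          [string]$AccountType,
        [Parameter(Mandatory)][ValidateSet('CL','WN','NX','DB','WB','AP')][string]$Platform,
        [Parameter(Mandatory)][ValidateLength(1,6)]                      [string]$Technology,
        [Parameter(Mandatory)][ValidateSet('P','D')]                     [string]$Environment,
        [Parameter(Mandatory)][ValidateLength(3,14)]                     [string]$Workflow,
        [Parameter(Mandatory)][ValidateSet('Managed','Unmanaged')]       [string]$Management,
        [Parameter(Mandatory)][ValidatePattern('^(\d{1,3}[HDY]|No)$')]   [string]$Expiry
    )
    $name = "$AccountType-$Platform-$Technology-$Environment-$Workflow-$Management-$Expiry"
    # The convention suggests at most 44 characters including delimiters.
    if ($name.Length -gt 44) {
        throw "Platform name '$name' is $($name.Length) characters; the convention suggests at most 44."
    }
    return $name
}

function Test-PCloudPlatformName {
    # Case-sensitive match: the codes are upper-case, the workflow is CamelCase.
    param([Parameter(Mandatory)][string]$Name)
    return [bool]($Name -cmatch $PlatformFormat)
}

function New-PCloudSafeName {
    param(
        [Parameter(Mandatory)][ValidateLength(5,8)]                            [string]$Team,
        [Parameter(Mandatory)][ValidateSet('WN','NX','DB','WB','AP','AD')]     [string]$Technology,
        [switch]$PsmEnabled,
        [Parameter(Mandatory)][ValidateSet('P','D')]                           [string]$Environment,
        [Parameter(Mandatory)][ValidateRange(0,99)]                            [int]$Sequence
    )
    $psm = if ($PsmEnabled) { 'PSM' } else { 'NoPSM' }
    # {4:D2} zero-pads the sequence number to two digits (00-99).
    return 'S-{0}-{1}-{2}-{3}-{4:D2}' -f $Team, $Technology, $psm, $Environment, $Sequence
}

function Get-PCloudSafeGroupNames {
    # Derives the three per-safe AD groups from the G-<Safe>-CA-* pattern in this post.
    param([Parameter(Mandatory)][string]$SafeName)
    if ($SafeName -cnotmatch $SafeFormat) {
        throw "'$SafeName' does not follow the safe naming convention."
    }
    foreach ($role in 'Managers', 'Users', 'Approvers') { "G-$SafeName-CA-$role" }
}

# Usage
New-PCloudPlatformName -AccountType SPA -Platform DB -Technology MSSQL -Environment P `
    -Workflow ChkoutApproval -Management Managed -Expiry 90D
Test-PCloudPlatformName -Name 'SPA-DB-MSSQL-P-ChkoutApproval-Managed-90'     # the post's example
Test-PCloudPlatformName -Name 'spa-db-mssql-p-chkout-managed-90d'           # wrong case
$safe = New-PCloudSafeName -Team Cyber -Technology DB -Environment P -Sequence 1   # S-Cyber-DB-NoPSM-P-01
Get-PCloudSafeGroupNames -SafeName $safe
```

Run the validation functions over the output of the Platforms and Safes views before onboarding: a name that fails the regex is either a typo or a field the convention does not cover yet, and both are cheaper to fix before accounts and safe memberships depend on the name (see the note above about renaming safes).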

Master Policy

Onboarding Azure AD Accounts

Duplicate the two built-in Azure platforms and configure the copies:

1. Microsoft Azure Application Keys Management

  • PerformPeriodicChange: enabled
  • VFPerformPeriodicVerification: enabled
  • RCAutomaticReconcileWhenUnsynched: No

Note: CyberArk university course:

2. Microsoft Azure Password Management

  • PerformPeriodicChange: enabled
  • VFPerformPeriodicVerification: enabled
  • RCAutomaticReconcileWhenUnsynched: enabled

Create Safes

1. one for the application keys

2. one for the Azure AD accounts

Onboarding Azure AD Accounts for RDP

Two connection components are used: RDP and Microsoft Azure Portal.

The RDP connector should work without further configuration.

To get reconcile and password change working, three linked accounts have to be set up:

1. Logon Account

2. Application Account

3. Reconcile Account

Onboarding Azure AD Accounts for Azure Portal

To get the Azure Portal connector working, Google Chrome and a matching ChromeDriver have to be installed on the PSM server.

Step 1:

1. Download chromedriver.exe matching your Chrome version (usually the x86 build, since the Add-PSMApps script below installs 32-bit Chrome):

  • versions before 115: https://chromedriver.chromium.org/downloads
  • versions 115 and later: https://googlechromelabs.github.io/chrome-for-testing/

2. Copy it into C:\Program Files (x86)\Cyberark\PSM\Components

Step 2:

1. Install Chrome using the Add-PSMApps script

It is inside your CyberArk Privilege Cloud Tools package: Cyberark PrivilegeCloud Tools-v13.3\Cyberark PrivilegeCloud Tools\Add-PSMApps

2. Unzip Add-PSMApps

3. Run Add-PSMApps.ps1 from an elevated (administrator) PowerShell window

It downloads and installs the 32-bit Chrome, enables web-app support in the PSM hardening script, and adds Chrome and ChromeDriver to the AppLocker allow-list.

PS C:\Installation\Add-PSMApps> .\Add-PSMApps.ps1 -Application GoogleChromeX86
Downloading and installing Chrome
Enabling web app support in PSMHardening script
Running PSM Configure AppLocker script

Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe
Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files (x86)\google\chrome\application\chrome.exe
CheckSensitivePrivilegesForDirectories: Current Directory: c:\programdata\microsoft\windows defender\platform\4.18.23050.9-0
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\4bc5e5252873c08797895d5b6fe6ddfd
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\system\3ac991e343330dfdb660c4b0041bfe5e
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
---
End of PSM Configure AppLocker script output
Running PSM Hardening script
---
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
   1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
   2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://IMCOINVEST/Domain Users
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMConnect
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMAdminConnect
Would you like to remove all members of this group? (yes/no): no
SUCCESS: The file (or folder): "C:\Windows\explorer.exe" now owned by the administrators group.
0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\explorer.exe" now owned by the administrators group.
1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\system32\taskmgr.exe" now owned by the administrators group.
2
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\taskmgr.exe" now owned by the administrators group.
3
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
SUCCESS: The file (or folder): "C:\program files\Internet Explorer\iexplore.exe" now owned by the administrators group.
4
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
processed file: C:\program files\Internet Explorer\iexplore.exe
SUCCESS: The file (or folder): "C:\program files (x86)\Internet Explorer\iexplore.exe" now owned by the administrators group.
5
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
processed file: C:\program files (x86)\Internet Explorer\iexplore.exe
Chrome hardening completed successfully
IE hardening completed successfully
Edge hardening completed successfully
C:\Program Files (x86)\Cyberark\PSM
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
6
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM\Vault
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
7
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Recordings
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Recordings" now owned by the administrators group.
8
C:\Program Files (x86)\Cyberark\PSM\Recordings
C:\Program Files (x86)\Cyberark\PSM\Logs
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs" now owned by the administrators group.
9
C:\Program Files (x86)\Cyberark\PSM\Logs\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs\Components" now owned by the administrators group.
10
C:\Program Files (x86)\Cyberark\PSM\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Components" now owned by the administrators group.
11
processed file: C:\Program Files (x86)\Cyberark\PSM\Components
Successfully processed 1 files; Failed processing 0 files
C:\oracle
processed dir: C:\oracle
C:\oracle
True
C:
processed dir: C:\
processed file: C:\
Successfully processed 1 files; Failed processing 0 files
D:
processed dir: D:\
processed file: D:\
Successfully processed 1 files; Failed processing 0 files
SUCCESS: The file (or folder): "C:\Program Files (x86)\CyberArk\Password Manager" now owned by the administrators group.
12
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
SUCCESS: The file (or folder): "C:\WindowsAzure" now owned by the administrators group.
13
C:\WindowsAzure
C:\WindowsAzure
C:\WindowsAzure
SUCCESS: The file (or folder): "C:\Packages" now owned by the administrators group.
14
C:\Packages
C:\Packages
C:\Packages
Executing (\VM-NETSEC-Test-1\root\CIMV2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of [...]
[...].LevelDisplayName -ne "Information"} | Format-Table -AutoSize | Out-File C:\AppLocker.txt -Width 1000
PS C:\Installation\Add-PSMApps> type c:\AppLocker.txt

   ProviderName: Microsoft-Windows-AppLocker
TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLCOMPONENTS\TASKFLOWUI.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLEXPERIENCES\TILECONTROL.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%\SHELLCOMPONENTS\WINDOWSINTERNAL.COMPOSABLESHELL.EXPERIENCES.SWITCHER.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %SYSTEM32%\WLRMDR.EXE was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %PROGRAMFILES%\CYBERARK\PSM\COMPONENTS\CHROMEDRIVER.EXE was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MSCORLIB\FAF93F57AA8C4C5DDDD9CD0DE441D5A1\MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SETHC.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\CTFMON.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%\CMD.EXE was prevented from running.

PS C:\Installation\Add-PSMApps>

Two things in this output deserve attention before the server goes into production. First, the hardening script reports that IMCOINVEST\Domain Users is a member of the local Remote Desktop Users group and the prompt was answered "no", so every domain user can still open an RDP session to the PSM host; as the notice says, the group should contain only maintenance users and the Vault LDAP users who connect through PSM (PSMConnect and PSMAdminConnect are expected members). Second, the AppLocker log contains an 8004 event for %PROGRAMFILES%\CYBERARK\PSM\COMPONENTS\CHROMEDRIVER.EXE: chromedriver.exe was blocked at that point, which is what the AppLocker configuration change that follows addresses. The other 8004 events (MSCORLIB.NI.DLL, SVCHOST.EXE, CMD.EXE and so on) are the expected noise of a hardened PSM and are not related to the connector.

Manual change:

Verify that the following file contains allow rules for both chrome.exe and chromedriver.exe (the "Google Chrome section" near the end of AllowedApplications), and add them if they are missing:

C:\Program Files (x86)\Cyberark\PSM\Hardening\PSMConfigureAppLocker.xml

Parts of the InternalApplications section were lost when this post was captured; those places are marked [...].

<?xml version="1.0" encoding="utf-8"?>
<PSMAppLockerConfiguration>
  <GeneralConfiguration>
    <!-- SetAutoAndStart: To start the Application Identity service and set it to automatic startup    -->
    <!-- mode, set this attribute's value to 'true'. Valid values: true/false.                         -->
    <ServiceConfiguration SetAutoAndStart="true" />
    <RuleCollections>
      <!-- For each rule collection, you can define the following parameters:                            -->
      <!--     Enforce: To block applications of the relevant collection, set this attribute's value to  -->
      <!--        'true'. To prevent AppLocker from blocking applications of the relevant type, set this -->
      <!--        attribute's value to 'false'.                                                          -->
      <!--     Action: To apply new AppLocker configurations and lose any existing settings, set this    -->
      <!--        attribute's value to 'override'. To merge new configurations with the existing         -->
      <!--        settings, set this attribute's value to 'merge'.                                       -->
      <Executable Enforce="true" Action="Override" />
      <WindowsInstaller Enforce="true" Action="Override" />
      <Script Enforce="true" Action="Override" />
      <PackagedApp Enforce="true" Action="Override" />
      <DLL Enforce="true" Action="Override" />
    </RuleCollections>
  </GeneralConfiguration>
  <!-- This part is internal and should not be modified unless instructed to by CyberArk professional -->
  <!-- services.                                                                                      -->
  <!-- InternalApplications section is directed for PSMConnect and PSMAdminConnect.                   -->
  <!-- SessionType index: "Admin" for PSMAdminConnect, "Regular" for PSMConnect, "
  [...]
  " Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe" Method="Hash" />
    <Application Name="PSMRDPClient" Type="Exe" SessionType="
    [...]
    " Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" SessionType="
    [...]
    " Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMLauncher" Type="Exe" SessionType="
    [...]
    " Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMLiveMonitoringClient.exe" Method="Hash" />
    <Application Name="PSMSessionSignalStatusNotification" Type="Exe" SessionType="
    [...]
    " Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="UserInit" Type="Exe" SessionType="
    [...]
    " Path="c:\windows\splwow64.exe" Method="Publisher" />
    <Application Name="RDPClip" Type="Exe" SessionType="
    [...]
    " Path="c:\windows\system32\tstheme.exe" Method="Publisher" />
    <Application Name="ConsoleHost" Type="Exe" SessionType="
    [...]
    " Path="c:\windows\system32\taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" SessionType="
    [...]
    " Path="c:\windows\system32\rdpinit.exe" Method="Publisher" />
    <Application Name="RDPShell" Type="Exe" SessionType="
    [...]
    " Path="c:\windows\system32\sihost.exe" Method="Publisher" />
    <!-- Added to support win 2016 -->
    <Application Name="RunOnce" Type="Exe" SessionType="
    [...]
    " Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTicketValidator.exe" Method="Hash" />
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:\Program Files (x86)\CyberArk\PSM\Components*" Method="Path" SessionType="
    [...]
    " />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%\WINSXS*" Method="Path" SessionType="
    [...]
    " />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework64\v4.0.30319*" Method="Path" SessionType="*" />
  </InternalApplications>
  <!-- AllowedApplications section is directed for PSMShadowUsers -->
  <AllowedApplications>
    <!-- For each allowed application, specify the following attributes:                               -->
    <!--    Name:   Name of the application for log proposes. Valid values: Any string value.          -->
    <!--    Type:   Type of application to allow. Valid values: Exe/Script.                            -->
    <!--    Path:   Path of the application executable. Valid values: exact application path,          -->
    <!--            wildcards are allowed only if the chosen method is "Path".                         -->
    <!--    Method: The chosen identification method for the application.                              -->
    <!--            Valid values: Path/Hash/Publisher                                                  -->
    <!-- PSM Components -->
    <Application Name="PSMSSHClient" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSSHClient.exe" Method="Hash" />
    <Application Name="PSMPrivateArkClientDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPrivateArkClientDispatcher.exe" Method="Hash" />
    <Application Name="PSMPVWADispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPVWADispatcher.exe" Method="Hash" />
    <Application Name="MSSQLManagementStudioWindowsAuthenticationDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\MSSQLManagementStudioWindowsAuthenticationDispatcher.exe" Method="Hash" />
    <Application Name="PSM3270Client" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSM3270Client.exe" Method="Hash" />
    <Application Name="PSMWebFormDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWebFormDispatcher.exe" Method="Hash" />
    <Application Name="PSMWinSCPDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWinSCPDispatcher.exe" Method="Hash" />
    <Application Name="WinSCP" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\WinSCP.exe" Method="Hash" />
    <Application Name="PSMRealVNCDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMRealVNCDispatcher.exe" Method="Hash" />
    <Application Name="PSMXFocus" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMXFocus.exe" Method="Hash" />
    <Application Name="PSMTokenHolder" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTokenHolder.exe" Method="Hash" />
    <Application Name="PSMSessionAlert" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSuspendSession.exe" Method="Hash" />
    <Application Name="PSMPreventWindowHide" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMPreventWindowHide.exe" Method="Hash" />
    <Application Name="PSMMessageAlert" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMWindowsEventsLogger" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="PSM-WebAppDispatcher" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" />
    <Application Name="DLLInjector" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\DLLInjector.exe" Method="Hash" />
    <Application Name="DLLInjector64" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\DLLInjector64.exe" Method="Hash" />
    <Application Name="PSM-ProgressBar" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="PSMTicketingValidationPage" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMTicketValidator.exe" Method="Hash" />
    <!-- Microsoft session processes -->
    <Application Name="ConsoleHost" Type="Exe" Path="c:\windows\system32\conhost.exe" Method="Publisher" />
    <Application Name="TaskHost" Type="Exe" Path="c:\windows\system32\taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" Path="c:\windows\system32\WERMGR.EXE" Method="Publisher" />
    <!-- Oracle connection clients -->
    <!-- If relevant, uncomment this part after installing Oracle client and Toad.
    <Application Name="Toad" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\toad.exe" Method="Publisher,Hash" />
    <Application Name="SQLPlus" Type="Exe" Path="c:\oracle\instantclient\sqlplus.exe" Method="Hash" />
    <Application Name="Notepad" Type="Exe" Path="c:\windows\system32\notepad.exe" Method="Publisher"/>
    <Application Name="SDFConverter" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\ClientFiles\ScriptMgr\SDFConverter.exe" Method="Hash" />
    <Application Name="QuestScriptRunner" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\qsr.exe" Method="Hash" />
    <Application Name="OptimizerEngine" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\OptimizerEngine.exe" Method="Hash" />
    <Application Name="FormatOptions" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\FmtOptions.exe" Method="Hash" />
    <Application Name="ToadScriptRuntime" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\tsr.exe" Method="Hash" />
    <Application Name="UninstallClientFiles" Type="Exe" Path="C:\Program Files (x86)\Quest Software\Toad for Oracle 10.6\UninstallClientFiles.exe" Method="Hash" />
    End of oracle connections comment -->
    <!-- vSphere client processes -->
    <!-- If relevant, uncomment this part after installing vSphere client (including .Net framework 2 and 3.5).
    <Application Name="VpxClient" Type="Exe" Path="C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe" Method="Hash" />
    <Application Name="VMWare-VMRC" Type="Exe" Path="C:\Program Files (x86)\VMWARE\INFRASTRUCTURE\VIRTUAL INFRASTRUCTURE CLIENT\4.0\VMWARE-VMRC.EXE" Method="Publisher" />
    <Application Name="VMWare-RemoteMKS.EXE" Type="Exe" Path="C:\Program Files (x86)\VMWARE\INFRASTRUCTURE\VIRTUAL INFRASTRUCTURE CLIENT\4.0\VMWARE-REMOTEMKS.EXE" Method="Publisher" />
    <Application Name="CSC" Type="Exe" Path="c:\windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE" Method="Publisher" />
    <Application Name="CVTRES" Type="Exe" Path="c:\windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE" Method="Publisher" />
    End of vSphere client comment -->
    <!-- SQL Server Management Studio 2012 processes -->
    <!-- If relevant, uncomment this part after installing SQL Server Management Studio 2012 processes
    <Application Name="SSMS2012" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe" Method="Publisher" />
    End of SQL Server Management Studio 2012 processes comment -->
    <!-- SAP GUI processes -->
    <!-- If relevant, uncomment this part after installing SAP GUI processes and downloading the CyberArk PSMSAPGUI connection component from the Marketplace
    <Application Name="PSMSAPGUI" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\PSMSAPGUI.exe" Method="Hash" />
    <Application Name="saplogon" Type="Exe" Path="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" Method="Hash" />
    <Application Name="SAPgui" Type="Exe" Path="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPgui.exe" Method="Hash" />
    End of SAP GUI processes comment -->
    <!-- X Forwarding X Server processes -->
    <Application Name="VcXsrv" Type="Exe" Path="C:\Program Files (x86)\VcXsrv\vcxsrv.exe" Method="Hash" />
    <Application Name="xkbcomp" Type="Exe" Path="C:\Program Files (x86)\VcXsrv\xkbcomp.exe" Method="Hash" />
    <!-- Microsoft IExplore processes -->
    <!-- If relevant, uncomment this part to allow webform based connection clients -->
    <Application Name="IExplore32" Type="Exe" Path="c:\Program Files (x86)\Internet Explorer\iexplore.exe" Method="Publisher" />
    <Application Name="IExplore64" Type="Exe" Path="c:\Program Files\Internet Explorer\iexplore.exe" Method="Publisher" />
    <!-- End of Microsoft IExplore processes comment -->
    <!-- Google Chrome process -->
    <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
    <Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Publisher" />
    End of Google Chrome process comment -->
    <!-- Microsoft Edge process -->
    <!-- If relevant, uncomment this part to allow Edge webform based connection clients
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Publisher" />
    End of Microsoft Edge process comment -->
    <!-- Generic client support -->
    <!-- If relevant, uncomment this part to allow generic clients support and add a rule for each generic connection client
    <Application Name="GenericClient-Sample" Type="Exe" Path="C:\VNC-Viewer-5.0.5-Windows-64bit.exe" Method="Hash" />
    End of Generic client support comment -->
    <!-- Google Chrome section -->
    <Application Name="Chrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Publisher" />
    <Application Name="ChromeDriver" Type="Exe" Path="C:\Program Files (x86)\Cyberark\PSM\Components\chromedriver.exe" Method="Path" />
    <!-- End of Google Chrome section -->
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:\Program Files (x86)\CyberArk\PSM\Components*" Method="Path" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%*" Method="Path" />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%\WINSXS*" Method="Path" />
    <Libraries Name="DotNetFramework32Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework\v4.0.30319*" Method="Path" />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%\Microsoft.NET\Framework64\v4.0.30319*" Method="Path" />
    <Libraries Name="DotNetFrameworkGAC" Type="Dll" Path="%WINDIR%\Microsoft.NET\assembly*" Method="Path" />
    <Libraries Name="VcXsrv" Type="Dll" Path="%PROGRAMFILES%\VcXsrv*" Method="Path" />
  </AllowedApplications>
</PSMAppLockerConfiguration>

Open an elevated PowerShell window in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the script to apply the change:

.\PSMConfigureAppLocker.ps1

Note that the ChromeDriver rule uses Method="Path" while the CyberArk components use Method="Hash". A path rule allows whatever file happens to sit at that path, so it only holds because the hardening script makes the Components folder owned by the Administrators group (see the SUCCESS lines in the output above). If you prefer a Hash rule, re-run PSMConfigureAppLocker.ps1 every time chromedriver.exe is replaced, which is every Chrome major-version update.

Note: https://docs.cyberark.com/PAS/Latest/en/Content/PAS%20INST/Install_ConfigurePSMServerMachineForWebApps.htm#Configur
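Because ChromeDriver has to match the installed Chrome major version and has to be allowed by AppLocker, the two failure modes of this procedure are a version mismatch and a rule that was edited but never applied. The script below is an added example (not from the original post and not part of CyberArk's tools) that checks both on the PSM server: it compares the Chrome and ChromeDriver major versions, lists the allow rules for chrome.exe and chromedriver.exe in PSMConfigureAppLocker.xml, and pulls any AppLocker 8004 events for those binaries, the same events the post captured with Get-WinEvent. Paths are the ones used in this post; the output format of `chromedriver --version` ("ChromeDriver 116.0.5845.96 (...)") is an assumption about the tool.

```powershell
# Added example: sanity checks for the Chrome/ChromeDriver/AppLocker setup on a PSM server.
# Run from an elevated PowerShell on the PSM host. Paths follow the post.

$ChromeExe    = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
$ChromeDriver = 'C:\Program Files (x86)\Cyberark\PSM\Components\chromedriver.exe'
$AppLockerXml = 'C:\Program Files (x86)\Cyberark\PSM\Hardening\PSMConfigureAppLocker.xml'

function Get-ChromeMajorVersion {
    # Reads the product version from the binary's version resource, e.g. "116.0.5845.97".
    if (-not (Test-Path $ChromeExe)) { throw "Chrome not found at $ChromeExe" }
    $v = (Get-Item $ChromeExe).VersionInfo.ProductVersion
    return [int]($v.Split('.')[0])
}

function Get-ChromeDriverMajorVersion {
    # Assumption: "chromedriver --version" prints "ChromeDriver <major>.<minor>.<build>.<patch> (...)".
    # If AppLocker blocks the binary, the call operator throws; the caller handles that case.
    if (-not (Test-Path $ChromeDriver)) { throw "chromedriver.exe not found at $ChromeDriver" }
    $out = & $ChromeDriver --version 2>&1
    if ("$out" -match 'ChromeDriver\s+(\d+)\.') { return [int]$Matches[1] }
    throw "Unexpected chromedriver --version output: $out"
}

function Get-ChromeAppLockerRules {
    # Returns the <Application> rules in AllowedApplications whose Path is chrome.exe or
    # chromedriver.exe, with the identification method used (Hash/Publisher/Path).
    [xml]$cfg = Get-Content -Raw $AppLockerXml
    $cfg.PSMAppLockerConfiguration.AllowedApplications.Application |
        Where-Object { $_.Path -match 'chrome\.exe$|chromedriver\.exe$' } |
        Select-Object Name, Method, Path
}

function Get-ChromeAppLockerBlocks {
    # Event 8004 in the "EXE and DLL" log is "<file> was prevented from running".
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CHROMEDRIVER\.EXE|CHROME\.EXE' } |
        Select-Object TimeCreated, Message
}

# --- checks ---
$chromeMajor = Get-ChromeMajorVersion
try {
    $driverMajor = Get-ChromeDriverMajorVersion
    if ($driverMajor -ne $chromeMajor) {
        Write-Warning "Version mismatch: Chrome $chromeMajor vs ChromeDriver $driverMajor. Download the matching driver."
    } else {
        Write-Host "Chrome and ChromeDriver both at major version $chromeMajor"
    }
} catch {
    # Typical cause on a hardened PSM: AppLocker blocked chromedriver.exe (see 8004 events below).
    Write-Warning "chromedriver.exe could not be executed: $_"
}

Write-Host "`nAllow rules for Chrome/ChromeDriver in $AppLockerXml :"
$rules = Get-ChromeAppLockerRules
if (-not $rules) { Write-Warning "No Chrome/ChromeDriver rules found; add them and re-run PSMConfigureAppLocker.ps1" }
$rules | Format-Table -AutoSize

Write-Host "`nAppLocker 8004 events for Chrome/ChromeDriver in the last 24 hours:"
$blocks = Get-ChromeAppLockerBlocks
if ($blocks) {
    $blocks | Format-Table -AutoSize
    Write-Warning "Blocks seen: if the rule above exists, the XML was edited but PSMConfigureAppLocker.ps1 was not re-run."
} else {
    Write-Host "none"
}
```

A rule that is present in the XML but still produces 8004 events is the signature of the "edited but not applied" case; the fix is the PSMConfigureAppLocker.ps1 run described above, not another edit. A version mismatch shows up instead as the PSM web-app session failing after ChromeDriver starts, which this check catches before a user does.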

2. Adding a user as a safe member

Got an error: "Object reference not set to an instance of an object."

3. PSMSC025E LogonLocalUser: failed to logon with local user

The Netlogon service was not started (check with Get-Service Netlogon). Rebooting the PSM server fixed it.

By Jonny
