07WS PAS Install PSM

The document provides instructions for installing and configuring CyberArk Privileged Session Manager (PSM). It describes: 1. Installing prerequisites like .NET Framework and configuring Remote Desktop Services on the PSM server. 2. Using deployment scripts to automate the installation process, including prerequisite installation, PSM installation, post-installation tasks, and hardening. 3. Manual steps for installing Remote Desktop Services roles if not using the scripts.

Uploaded by Marcel Friesen

CYBERARK UNIVERSITY

Privileged Session Manager
Installation and Configuration

CyberArk Training

OBJECTIVES

By the end of this lesson you should be able to:

• Describe the main capabilities of the PSM
• Install the PSM
• Verify the installation
• Perform post-installation tasks
• Harden and secure the PSM

REVIEW

VALUE OF PRIVILEGED SESSION MANAGEMENT

• ISOLATE: Prevent cyber attacks by isolating desktops from sensitive target machines
• CONTROL: Create accountability and control over privileged session access with policies, workflows and privileged single sign-on
• MONITOR: Deliver continuous monitoring and compliance with session recording, with zero footprint on target machines

CYBERARK PRIVILEGED SESSION MANAGER

[Architecture diagram: the user reaches the PVWA over HTTPS; the PVWA hands the session to the PSM over RDP over SSL; the PSM fetches credentials from the Vault, connects to the targets (Databases, Windows/UNIX servers, Web sites, Routers and switches, ESX\vCenters) and stores recordings in the Vault; logs are forwarded to SIEM/Syslog.]

1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog

CONSIDERATIONS BEFORE INSTALLING PSM

PLANNING CAPACITY

• The amount of storage in the Vault that is required for storing session recordings must be planned before installation.
• The following considerations will help you determine the amount of Vault storage that you will need.

Consideration: Description
Size of session recordings: The number of activities performed during each session and the session type (GUI or text) determine the size of each recording. Typically, recordings vary from 50-300 KB/minute.
Activity in your enterprise: The number of concurrent sessions that the PSM will create and store in the Vault determines the size of your implementation.
Recordings retention period: The length of time that recordings will be retained according to your enterprise audit policy.

PSM SYSTEM REQUIREMENTS

• The number of required PSM servers depends on business requirements, network topology, redundancy and load-balancing requirements.
• The concurrency of 100 sessions per PSM server must not be exceeded.
• The maximum concurrency is up to 40% lower when the PSM server is installed on a virtual machine with equivalent resources.
• See “Recommended settings for installing PSM on a virtual machine” on docs.cyberark.com.

PSM SYSTEM REQUIREMENTS

• Running resource-intensive applications like MS SQL Server Management Studio, Toad, etc., on the PSM server will result in lower concurrency.
• Connections from client machines with more than one HD screen, or with a high-resolution screen, will result in lower concurrency.

PSM SOFTWARE PREREQUISITES

• Windows 2019, Windows 2016 Standard, Windows 2012 R2
• .NET Framework 4.5.2 - 4.7.2
• Microsoft Remote Desktop Services (RDS) Session Host
• Microsoft Remote Desktop Services Gateway (optional)
• PSM can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform

SIZING CALCULATIONS (PSM SERVER)

$S_{PSM} = C_{session} \cdot t_{session} \cdot R_{session\ recording} + 20\,\mathrm{GB}$

• S_PSM = Required storage on the PSM server
• C_session = Maximum number of concurrent sessions
• t_session = Average length of a recorded session
• R_session recording = Average bit rate of the recorded video
  • 100 KB/min – average SSH session
  • 200 KB/min – average low-activity RDP session
  • 300 KB/min – average high-activity RDP session with rich wallpaper

• (25 sessions) x (180 minutes/session) x (300 KB/minute) + 20 GB = 21.35 GB

SIZING CALCULATIONS (VAULT SERVER)

$S_{Vault} = t_{retention} \cdot N_{session} \cdot t_{session} \cdot R_{session\ recording} + 20\,\mathrm{GB}$

• S_Vault = Required storage on the Vault server
• t_retention = Retention history requirement
• N_session = Average number of recorded sessions per day
• t_session = Average length of a recorded session
• R_session recording = Average bit rate of the recorded video
  • 100 KB/min – average SSH session
  • 200 KB/min – average low-activity RDP session
  • 300 KB/min – average high-activity RDP session with rich wallpaper

• (90 days) x (400 sessions/day) x (180 minutes/session) x (300 KB/minute) + 20 GB = 1.96 TB

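The two sizing formulas above as a PowerShell calculator (an added example, not a CyberArk tool). It reproduces the slides' worked figures only with decimal units (1 GB = 1,000,000 KB, 1 TB = 1,000 GB), which is the assumption the slides' arithmetic implies.

```powershell
# Added example, not part of the CyberArk installation package.
# Unit basis assumed from the slides' own numbers: 1 GB = 1,000,000 KB and 1 TB = 1,000 GB.

# Average recorded bit rates quoted on the slides, in KB per minute.
$SessionBitRateKBPerMin = @{
    Ssh             = 100   # average SSH session
    RdpLowActivity  = 200   # average low-activity RDP session
    RdpHighActivity = 300   # average high-activity RDP session with rich wallpaper
}

function Get-PsmServerStorageGB {
    # S_PSM = C_session * t_session * R_session_recording + 20 GB
    param(
        [Parameter(Mandatory)][int]$ConcurrentSessions,   # C_session
        [Parameter(Mandatory)][int]$SessionMinutes,       # t_session
        [Parameter(Mandatory)][int]$BitRateKBPerMin,      # R_session_recording
        [int]$BaseGB = 20                                 # fixed overhead term from the formula
    )
    $recordingKB = [double]$ConcurrentSessions * $SessionMinutes * $BitRateKBPerMin
    return [math]::Round($recordingKB / 1e6 + $BaseGB, 2)
}

function Get-VaultStorageTB {
    # S_Vault = t_retention * N_session * t_session * R_session_recording + 20 GB
    param(
        [Parameter(Mandatory)][int]$RetentionDays,        # t_retention
        [Parameter(Mandatory)][int]$SessionsPerDay,       # N_session
        [Parameter(Mandatory)][int]$SessionMinutes,       # t_session
        [Parameter(Mandatory)][int]$BitRateKBPerMin,      # R_session_recording
        [int]$BaseGB = 20
    )
    $recordingKB = [double]$RetentionDays * $SessionsPerDay * $SessionMinutes * $BitRateKBPerMin
    return [math]::Round(($recordingKB / 1e6 + $BaseGB) / 1000, 2)
}

# The slides' worked examples: 25 concurrent high-activity RDP sessions of 180 minutes on the
# PSM server, and 90 days of 400 such sessions per day in the Vault.
Get-PsmServerStorageGB -ConcurrentSessions 25 -SessionMinutes 180 `
    -BitRateKBPerMin $SessionBitRateKBPerMin.RdpHighActivity
Get-VaultStorageTB -RetentionDays 90 -SessionsPerDay 400 -SessionMinutes 180 `
    -BitRateKBPerMin $SessionBitRateKBPerMin.RdpHighActivity
```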
PREREQUISITES (REMOTE DESKTOP SERVICES INSTALLATION)

PREREQUISITES

• Copy all necessary files to the PSM server.
• Extract zip files before launching Setup.
• Launch the deployment scripts and software installer locally.

INSTALLATION AUTOMATION

• CyberArk recommends using the PAS deployment scripts provided with the installation package to automatically install and deploy the Core PAS component servers.
• The automatic installation is divided into several configurable stages:
  • Prerequisites
  • Installation
  • Post-installation
  • Hardening
  • Registration
• Recommended options are enabled by default but can be changed in a configuration file prior to launching the script.

INSTALLATION PREREQUISITES – BASIC PSM FUNCTIONALITY

• Basic PSM functionality requires Windows 2012 R2 or Windows 2016 with the Remote Desktop Services (RDS) Session Host role only.
• Remote Desktop Session Host requires RDS CAL licensing.
• PSM can work with any RDS CAL license scheme (either per user or per device).
• For more information about purchasing an RDS CAL, contact your Microsoft representative.

INSTALLATION PREREQUISITES – REMOTEAPP

• To take advantage of the RemoteApp feature of PSM, there are additional prerequisites:
  • RD Connection Broker
  • RD Web Access
  • The PSM server must be a member of an Active Directory domain
  • You must be a domain user with local admin rights on the host server when installing the Remote Desktop Session Host role

RDS PREREQUISITE INSTALLATION - SCRIPTED

Configure the set-up stage

• From the Prerequisites folder, edit the file \PrerequisitesConfig.xml and select the steps to enable by setting Enable="Yes".

These options tell the script to:

1. Install .NET 4.5.2 if not already installed
2. Install the Remote Desktop Session Host role
3. Disable Network Level Authentication
4. Update the RDS security layer

REMOTE DESKTOP SERVICES INSTALLATION - SCRIPTED

Configure the set-up stage

1. Run the PowerShell script Execute-Stage.ps1, specifying the full path to the PrerequisitesConfig.xml file.
2. Restart the server when prompted.

    .\Execute-Stage.ps1 'C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\Prerequisites\PrerequisitesConfig.xml'

REMOTE DESKTOP SERVICES INSTALLATION - SCRIPTED

Configure the set-up stage

1. Run the PowerShell script Execute-Stage.ps1
2. Restart the server when prompted
3. Log in as a domain user with local admin privileges and allow the deployment process to complete
4. Close the PowerShell window

RDSH PREREQUISITE INSTALLATION - MANUAL

• The Installation Automation PowerShell scripts are not required but are recommended.
• To install RDSH manually, open Server Manager and select Add Roles and Features.
• In the Add Roles and Features Wizard, select Remote Desktop Services Installation in the Installation Type window.
• See “PSM Installation Tasks” on docs.cyberark.com.

SESSION COLLECTION

• A final step before installing the PSM software.
• Remove the default “Domain Users” group and add a group of trusted administrators that are authorized to connect to the PSM via RDP.

PSM INSTALLATION

PSM INSTALLATION INITIAL STEPS

• Run setup.exe from the local disk
• Accept the installation of the Visual C++ Redistributable packages
• Accept the SLA
• Enter name and company
• Select the destination location for the PSM root directory

PSM RECORDINGS DIRECTORY

• Select the folder on the PSM server where PSM recordings will be saved temporarily before they are uploaded to the Vault.
• Recordings vary from 100-300 KB/minute.

PVWA CONFIGURATION SAFE - PVWACONFIG

• Click Next to accept the default name of the PVWA Configuration Safe provided by the installation.
• During installation, the PSM will update parameters in the PVWAConfig.
• These parameters can be modified later if necessary, in the System Configuration page in the PVWA.

VAULT CONNECTION DETAILS

• Specify the IP address and the port number of the Password Vault.

VAULT USERNAME AND PASSWORD DETAILS

• Specify the username and password of the Vault user carrying out this installation.
• Use the built-in Administrator user for PSM installation.
• If installing multiple PSMs, you must install all of them with the same Vault user.

API GATEWAY

• Leave the host name field blank and click Next >
• The API GW configuration can be updated later if not configured during PSM installation.

PSM PKI AUTHENTICATION

• If configuring PSM PKI Authentication, select the check box and click Next >
• Do not use this option unless PKI is actively used in your organization.

RESTART

• Select “Yes, I want to restart my computer now”

VERIFY INSTALLATION

• Inspect the PSMInstall.log to ensure the installation completed successfully.
• This log file is created in the Temp folder and contains a list of all the activities performed when the PSM environment in the Vault is created.

VERIFY SERVER ENVIRONMENT

PSM INSTALLATION FOLDER AND SERVICE

• Components – This folder contains the main PSM configuration files and all the executable files required to run the PSM.
• Logs – This folder contains the PSM activity log files.
• Recordings – This folder stores the session recordings temporarily until they are uploaded to the Vault.
• The basic_psm.ini file is the primary configuration file for the PSM server.

PSM USERS

• These users are created locally on the PSM server:
  • PSMConnect – used by end users to launch a session via the PSM.
  • PSMAdminConnect – used by auditors to monitor live sessions.
• A local group is created: PSMShadowUsers – a group that contains the PSM shadow users.
• Members of this group must have the “logon locally” user right assignment.

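A post-installation check that walks the prerequisite, session-collection and local-account points from the slides above. This is an added example, not part of the CyberArk installer or deployment scripts; it assumes a Windows Server host with the ServerManager and Microsoft.PowerShell.LocalAccounts modules available.

```powershell
# Added verification script; not CyberArk code. Run on the PSM server after setup.exe
# and the prerequisites stage have completed. Assumes ServerManager and LocalAccounts modules.

function Test-PsmServerSetup {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([bool]$Ok, [string]$Check) {
        $results.Add([pscustomobject]@{ Status = $(if ($Ok) { 'PASS' } else { 'FAIL' }); Check = $Check })
    }

    # 1. Basic PSM functionality needs the RDS Session Host role only
    $rdsh = Get-WindowsFeature -Name RDS-RD-Server
    Add-Result $rdsh.Installed 'Remote Desktop Session Host role installed'

    # 2. .NET Framework 4.5.2 - 4.7.2 (Release DWORD: 379893 = 4.5.2, 461808/461814 = 4.7.2)
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    Add-Result ($release -ge 379893 -and $release -le 461814) ".NET Framework release $release is within 4.5.2 - 4.7.2"

    # 3. The prerequisites stage disables Network Level Authentication on the RDP-Tcp listener
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Add-Result ($rdpTcp.UserAuthentication -eq 0) 'Network Level Authentication disabled on RDP-Tcp'

    # 4. Local PSM users and the shadow-users group created by the installer
    foreach ($name in 'PSMConnect', 'PSMAdminConnect') {
        Add-Result ([bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) "Local user $name exists"
    }
    Add-Result ([bool](Get-LocalGroup -Name 'PSMShadowUsers' -ErrorAction SilentlyContinue)) 'Local group PSMShadowUsers exists'

    # 5. Session collection: the default "Domain Users" group must be gone from Remote Desktop Users,
    #    leaving only the trusted administrators group that was added in its place
    $rdMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $domainUsers = @($rdMembers | Where-Object { $_.Name -like '*\Domain Users' })
    Add-Result ($domainUsers.Count -eq 0) '"Domain Users" is not a member of Remote Desktop Users'

    return $results
}

Test-PsmServerSetup | Format-Table -AutoSize
```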
VERIFY VAULT ENVIRONMENT

PSM SAFES

• Verify that the following safes were created for the PSM.
• The PSMRecordings safe will be created dynamically when the first PSM recording is created.

PSM SAFE

• The PSM safe contains the password objects of the unique PSM users created locally (PSMConnect and PSMAdminConnect).
• By default, this safe is only accessible to the built-in Administrator user. The Vault Admins group must be added, if appropriate.
• Account properties specify the user name (PSMConnect or PSMAdminConnect) and the IP address of the PSM server machine.

PSM RECORDING SAFES

• The default recording safe is called “PSMRecordings”.
• Custom recording safes can be defined at the platform level and are created automatically by the PSM when it uploads the first recordings to the Vault.
• Members of the Auditors group are automatically granted permissions on all recording safes.

PSM USERS AND GROUPS

• PSMGW_<MachineName>
  • This is the Gateway user through which the PSM user will access the Vault to retrieve the target machine password.
• PSMApp_<MachineName>
  • This user is used by the PSM for internal processing.
• The credential files for these users are PSMGW.ini and PSMApp.ini respectively, and are located on the PSM server.

PSM USERS AND CREDENTIALS

[Diagram: an end user connects by RDP using PSMConnect to PSM1, which opens the session to the target (Unix, as Administrator) with credentials retrieved from the Vault through the gateway user PSMGW_PSM1; the gateway user’s own credentials are retrieved from the cred file on the PSM server, “PSMGW.ini”. An Auditor connects by RDP using PSMAdminConnect.]

PSM POST INSTALLATION

PSM POST INSTALLATION - SCRIPTED

Configure the Post Installation stage

• From the PostInstallation folder, edit the file \PostInstallationConfig.xml and select the steps to enable by setting Enable="Yes".

These options tell the script to:

1. Disable the screen saver for local PSM users
2. Configure users for PSM sessions
3. Enable PSM for web applications (optional)
4. Enable users to print PSM sessions (optional)

PSM POST INSTALLATION - SCRIPTED

Configure the set-up stage

1. Run the PowerShell script Execute-Stage.ps1, specifying the full path to the PostInstallationConfig.xml file.
2. Confirm the script execution was successful and review the log file shown.

HARDENING AND SECURITY (CONFIGURING RDP OVER TLS)

USE RDP OVER SSL

• Enable client connection encryption on the PSM (set to High) and enable use of SSL on the PSM (set to TLS 1.0).
• This step is configured in the prerequisites stage, if using the Installation Automation scripts.

USE RDP OVER SSL

• Configure all connection components to use RDP over SSL.
• Add a new component parameter: authentication level:i with a value of 1.
  • A value of 2 equals negotiate and is not recommended for this parameter!
• See “Secure RDP Connections with SSL” on docs.cyberark.com for more information.

USE RDP OVER SSL

• Configure the PSM address to specify the exact common name of the certificate used by the PSM.
• It is recommended to use a certificate issued by a trusted Certificate Authority.

USE RDP OVER SSL (TARGET MACHINES)

• Users should configure secure PSM-RDP connections to target machines by using an SSL connection.
• The target machine must have its own certificate.
• Add an additional parameter to PSM-RDP under Target Settings, Client Specific (AuthenticationLevel).
  • Value = 1
• See “Secure RDP Connections with SSL” on docs.cyberark.com for more information.

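A check for the RDP-over-SSL posture described in the preceding slides: the RDP-Tcp listener's security layer and encryption level, whether the certificate bound to the listener carries the exact name configured as the PSM address and chains to a trusted CA, and (from hardening step 7, later in this deck) whether TLS 1.0/1.1 are disabled and TLS 1.2 is enabled. This is an added example, not CyberArk's own tooling; -PsmAddress is assumed to be the address entered in the PVWA PSM server configuration, and the value in the sample call is a constructed placeholder.

```powershell
# Added example; not part of the CyberArk package. Run on the PSM server.
function Test-PsmRdpTls {
    param([Parameter(Mandatory)][string]$PsmAddress)   # address configured for this PSM in PVWA (assumed)

    $findings = New-Object System.Collections.Generic.List[string]

    # RDP-Tcp listener: SecurityLayer 2 = SSL (TLS), MinEncryptionLevel 3 = High
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($ts.SecurityLayer -ne 2)      { $findings.Add("Security layer is $($ts.SecurityLayer), expected 2 (SSL/TLS)") }
    if ($ts.MinEncryptionLevel -ne 3) { $findings.Add("Encryption level is $($ts.MinEncryptionLevel), expected 3 (High)") }

    # Certificate bound to the listener, looked up by thumbprint in the machine store
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
    if (-not $cert) {
        $findings.Add('No certificate with the listener thumbprint found in LocalMachine\My')
    } else {
        # Names the RDP client will accept: the first DNS SAN (falls back to CN) and the subject CN itself
        $dnsType    = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $simpleType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $names = @($cert.GetNameInfo($dnsType, $false), $cert.GetNameInfo($simpleType, $false))
        if ($names -notcontains $PsmAddress) {
            $findings.Add("PSM address '$PsmAddress' does not match certificate names: $($names -join ', ')")
        }
        # Chain validation against the local trust store; a self-signed or unknown-CA certificate fails here
        if (-not $cert.Verify()) { $findings.Add("Certificate $($cert.Thumbprint) does not chain to a trusted CA") }
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add('Certificate has expired') }
    }

    # Schannel protocol state (hardening step 7). Enabled=0 under ...\Server disables the protocol;
    # a missing key means the OS default, which on these Windows versions leaves TLS 1.0/1.1 on.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $enabled = (Get-ItemProperty "$root\$proto\Server" -ErrorAction SilentlyContinue).Enabled
        if ($enabled -ne 0) { $findings.Add("$proto is not disabled server-side") }
    }
    $tls12 = (Get-ItemProperty "$root\TLS 1.2\Server" -ErrorAction SilentlyContinue).Enabled
    if ($tls12 -eq 0) { $findings.Add('TLS 1.2 is explicitly disabled server-side') }

    return $findings   # empty list = all checks passed
}

# Placeholder address; replace with the value configured in PVWA.
Test-PsmRdpTls -PsmAddress 'psm1.example.local'
```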
DISABLE PSM USERS’ SCREENSAVERS

• Screensavers for both the PSMAdminConnect and PSMConnect users must be disabled.
• Use the MMC snap-in Group Policy Object Editor.
• This step is configured in the post-installation stage, if using the Installation Automation scripts.

PRINTER CONNECTIONS

• Optional: A user logged in via the PSMConnect account may need to print while connected to the target server.
• An auditor (logged in via PSMAdminConnect) may not need to print while auditing a session.
• Enabling the ability to print is configured in the post-installation stage, if using the Installation Automation scripts.

CONFIGURE PSM USER SESSIONS

• “Active session limit” and “Idle session limit” must be set to Never.
• A value other than Never can result in corrupted recordings. Session duration should be set at the platform level.
• These parameters are pre-configured on the PSM accounts but should be verified after PSM installation completes.

HARDENING AND SECURITY (HARDEN THE PSM SERVER)

PSM HARDENING - SCRIPTED

Configure the Hardening stage

• From the Hardening folder, edit the file \HardeningConfig.xml and select the steps to enable by setting Enable="Yes".

These options tell the script to:

1. Run the hardening script
2. Support Web App components
3. Clear the Remote Desktop Users group
4. Run the After Hardening script
5. Run the AppLocker script
6. Import the INF file for “Out of Domain” deployments
7. Disable insecure SSL and TLS versions and enable TLS 1.2

PSM HARDENING - SCRIPTED

Launch the Hardening script

1. Run the PowerShell script Execute-Stage.ps1, specifying the full path to the HardeningConfig.xml file.
2. Confirm the script execution was successful and review the log file shown.
3. See “Hardening Guidelines for PSM Servers” on docs.cyberark.com.

PSM HARDENING - SCRIPTED

Final step

1. Add the “CyberArk Vault Admins” group from Cyber-ark-demo.local to the Remote Desktop Users group.
2. This will allow the selected members of this group to RDP to the PSM server to perform maintenance tasks.
3. Restart the PSM server.

RUN THE HARDENING SCRIPT AGAIN, IF NEEDED

• PSMHardening.ps1 is the main hardening script. The script will set permissions appropriately on directories and files.
• Edit PSMHardening.ps1 as required before running the script:
  • To support web applications, change the value of the parameter $SUPPORT_WEB_APPLICATIONS from $false to $true
  • If the PSMConnect user has been changed to a domain user, update $PSM_CONNECT_USER to “Domain\PSMConnect”

RUNNING THE HARDENING SCRIPT AGAIN

• Running the PSM hardening script is a mandatory step that enhances PSM security.
• Running the PSMHardening.ps1 script is simply a matter of executing it from a PowerShell interface.
• Run “set-executionpolicy RemoteSigned -force” prior to running the script.
• After successfully running the script, reset the execution policy to Restricted with the following command: “set-executionpolicy Restricted -force”
• You can check the status by running “get-executionpolicy”

ADDING APPLOCKER RULES

• AppLocker is a Microsoft security utility that allows PSM to whitelist applications based on unique identities of the executable files.
• If additional clients are installed, you will need to add AppLocker rules to enable them.
• The PSM installation includes an AppLocker script which enables PSM administrators to whitelist internal PSM applications, mandatory Windows applications and third-party external applications that are used as clients in the PSM.

CONFIGURING APPLOCKER RULES

• All AppLocker rules are defined in PSMConfigureAppLocker.xml, located in the Hardening sub-folder.
• RDP, PuTTY and WinSCP are whitelisted by default (SQL*Plus is not).
• Configuring new or custom connection components where new client software will be installed on the PSM server requires the script to be updated and run again.

CONFIGURING APPLOCKER RULES

• If Method="Hash", AppLocker compares the current hash of the executable to the one recorded when the AppLocker rule was written.
• If Method="Publisher", AppLocker allows the client application to launch and does not check the hash value.
• The “Publisher” value is an option reserved only for applications that are frequently updated.

RUNNING THE APPLOCKER SCRIPT

• After adding the relevant rules, run the AppLocker script: PSMConfigureApplocker.ps1
• By default, after running the script, SQL*Plus will no longer be allowed to run in the context of a PSM connection component on the PSM server.
• Edit PSMConfigureApplocker.xml to add SQL*Plus to the list of allowed applications and run the script again.
• After adding SQL*Plus to the whitelist, it will be enabled to run in the context of the PSM-SQL*Plus connection component.

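A way to confirm what the AppLocker slides describe from the server's effective policy: list the rules with their method (Publisher rules pass any binary signed by that publisher, so the hash is not checked), and test whether a client executable such as SQL*Plus would be allowed to launch as PSMConnect before and after re-running the CyberArk script. This is an added example and not CyberArk's PSMConfigureApplocker.ps1; it assumes the AppLocker and LocalAccounts PowerShell modules, and the SQL*Plus path is a constructed placeholder.

```powershell
# Added example; not CyberArk code. Reads the effective AppLocker policy on the PSM server.

function Get-PsmAppLockerRules {
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        foreach ($rule in $collection) {
            [pscustomobject]@{
                Collection = $collection.RuleCollectionType          # Exe, Dll, Script, Msi, Appx
                Name       = $rule.Name
                Action     = $rule.Action                           # Allow / Deny
                # FilePublisherRule -> Publisher, FileHashRule -> Hash, FilePathRule -> Path
                Method     = $rule.GetType().Name -replace '^File|Rule$', ''
                Principal  = $rule.UserOrGroupSid
            }
        }
    }
}

function Test-PsmClientAllowed {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [string]$UserName = 'PSMConnect'   # the local account end-user PSM sessions run under
    )
    # Evaluate as the PSMConnect SID, since rules are scoped to a user or group
    $sid = (Get-LocalUser -Name $UserName).SID.Value
    $policy = Get-AppLockerPolicy -Effective
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $ExePath -User $sid
    [pscustomobject]@{
        File         = $decision.FilePath
        Decision     = $decision.PolicyDecision   # Allowed / Denied / DeniedByDefaultRule / AllowedByDefaultRule
        MatchingRule = $decision.MatchingRule
    }
}

# Publisher rules do not pin a hash; review them so that only frequently updated clients use this method.
Get-PsmAppLockerRules | Where-Object Method -eq 'Publisher' | Format-Table -AutoSize

# Expected to be denied until SQL*Plus is added to PSMConfigureApplocker.xml and the script is re-run.
Test-PsmClientAllowed -ExePath 'C:\Oracle\instantclient\sqlplus.exe'
```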
REGISTER THE PSM

REGISTER THE PSM

• The registration directory is \InstallationAutomation\Registration.
• Modify the RegistrationConfig.xml file.

ENABLE AND CONFIGURE PSM

ENABLING PSM IN THE MASTER POLICY

PSM can be enabled globally for all accounts assigned to every platform, or selectively for only specific platforms via exceptions to the Master Policy rule.

PSM SERVER CONFIGURATION

• Address – the IP address or DNS name of the PSM server
• Safe – the safe where the objects (passwords) for PSMConnect and PSMAdminConnect are stored
• Object – the name of the PSMConnect object (password)
• AdminObject – the name of the PSMAdminConnect object

PSM PLATFORM SETTINGS

• The “ID” field contains the name of the PSM server targeted by this platform. Enter a new value in this field to associate this platform with an alternate PSM server.
• The “Show Recorded Session” and “Show Live Monitoring” notifications can be disabled and their display times can be modified.
• DisableDualControlForPSMConnections allows you to disable Dual Control when accessing an account via PSM.

SUMMARY

OBJECTIVES

• In this session we covered:
  • The main capabilities of the PSM
  • Installing the PSM
  • Verifying the installation
  • Performing post-installation tasks
  • Hardening and securing the PSM

THANK YOU
