Skip to content

A utility to check CyberArk component servers hardening status

License

Notifications You must be signed in to change notification settings

cyberark/CYBRHardeningCheck

Repository files navigation

release license downloads

CyberArk Hardening Health Check

One of the most important recommendations for any application, and especially for security applications is to harden the server. CyberArk provides recommendations and automation scripts to harden its servers to make sure best security.

This tool provides a simple way to report on whether the recommendations were implemented fully or partly. This tool does not replace running the hardening procedures from CyberArk and cannot be taken as a guarantee for making sure the server is fully secured - it is always good to run your own security check up tools. Note that these settings are security best practices and the tool is “AS IS without warranty” for you to use and build on.

General

CyberArk provides automatic hardening to the Vault and component servers (CPM, PVWA and PSM) through automated scripts and procedures. Hardening is not an easy task and it covers a great deal of configurations and settings that one needs to apply in order to be compliant to the hardening best practice.

  • How can you verify that you actually did all the required steps?
  • How do you know that the hardening script finished successfully and applied all recommendations? (besides inspecting the log files)
  • How can an organization verify if they are compliant if they applied their own hardening best practices?

Wouldn't it be nice if we could ask the server - are you hardened?

Well, the answer is here - CyberArk Hardening Health Check.

What is this tool?

This tool is based on the Automated Hardening scripts that are provided by CyberArk and will allow you, as a CyberArk customer, to verify if a server is hardened based on CyberArk best practices. The tool is based on the same hardening XML that comes with the automated hardening scripts and allows to disable some of the checks as well. What this means is that if you disabled a specific hardening step, you can disable the same one in the hardening health check to prevent false positives. The tool also provides links to documentation to most of the hardening checks and relevant information in a report where the hardening is not complete or missing. Example report

Usage

The package ZIP includes a few folders, a Powershell script (Main.ps1) and a HTML template for the report. Download the ZIP and extract it on a CyberArk component server you wish to check Open Powershell (as an Administrator) and run the Main.ps1 script

PS> .\Main.ps1

For troubleshooting or getting more information about the checks done, you can run the script using Verbose logging

PS> .\Main.ps1 -Debug -Verbose

The tool creates a log file by default that contains all steps taken by the script (when using Verbose logging you will get a lot more info in the log file) Other relevant information will be referenced in the log and the report.

Use case examples

Run the tool to get the report on local machine

PS> .\Main.ps1

Result: The HTML report will open and show hardening results

Run the tool on remote machine

# region -------- EXAMPLE: remote execution script block to get the report path --------
$RunRemoteHardeningReport = {
    $ReportPath = .\CYBRHardeningCheck\Main.ps1 -Verbose -Debug -DisableAutoReportOpening
    return $ReportPath
}

# Execute remote script block and return the report file path
$RemoteReportPath = Invoke-Command -Session $mysession -ScriptBlock $RunRemoteHardeningReport

# Copy remote report file to the network path
Copy-Item -Path $RemoteReportPath -Destination $NetworkHardeningReportPath -Force -FromSession $mysession -Verbose

Result: The HTML report will be copied from remote machine to network path

Available Hardening tests

Cross-Component hardening checks

Hardening check Description
ImportingINFConfiguration Importing an INF File to the Local Machine
ValidateServerRoles This function checks for unnecessary roles
EnableScreenSaver Checks if the screen saver is disabled
AdvancedAuditPolicyConfiguration Advanced Audit Policy Configuration
RemoteDesktopServices Check Remote Desktop Services settings
EventLogSizeAndRetention Check Event Log and Retention settings
RegistryAudits Check Registry Audits access control
RegistryPermissions Check Registry permissions
FileSystemPermissions Validates unnecessary permissions on %SystemRoot%\System32\Config and %SystemRoot%\System32\Config\RegBack.
FileSystemAudit Check audit access rules on %SystemRoot%\System32\Config and %SystemRoot%\System32\Config\RegBack.
DisableServices Check that the following services are disabled: "Routing and Remote Access", "Smart Card", "Smart Card Removal Policy", "SNMP Trap", "Special Administration Console Helper","Windows Error Reporting Service", "WinHTTP Web Proxy Auto-Discovery Service"

Vault specific hardening checks

Hardening check Description
Vault_NICHardening Network Interface Configuration Hardening
Vault_StaticIP Check that the Vault has Static IP
Vault_WindowsFirewall Check that the Vault has the Firewall active
Vault_DomainJoined Check that the Vault was not joined to a Domain
Vault_LogicContainerServiceLocalUser Vault Logic Container Service LocalUser
Vault_FirewallNonStandardRules Vault Firewall Rule
Vault_ServerCertificate Vault Server Certificate

CPM specific hardening checks

Hardening check Description
CPM_Password_Manager_Services_LocalUser CPM Password Manager Services LocalUser
CPM_EnableFIPSCryptography CPM Enable FIPS Cryptography
CPM_DisableDEPForExecutables CPM Disable DEP For Executables
CPM_CredFileHardening Credential File Hardening

PVWA specific hardening checks

Hardening check Description
PVWA_IIS_Registry_Shares PVWA IIS Registry Shares
PVWA_IIS_WebDAV PVWA IIS WebDAV
PVWA_Cryptography_Settings PVWA Cryptography Mode Settings
PVWA_IIS_MimeTypes PVWA IIS MimeTypes
PVWA_AnonymousAuthentication PVWA IIS Anonymous Authentication
PVWA_DirectoryBrowsing PVWA IIS Directory Browsing
PVWA_IIS_SSL_TLS_Settings PVWA IIS SSL TLS Settings
PVWA_IIS_Cypher_Suites PVWA IIS Cypher Suites
PVWA_Scheduled_Task_Service_LocalUser PVWA Scheduled Task Service LocalUser
PVWA_NonSystemDrive PVWA not installed on System drive
PVWA_IIS_Hardening PVWA IIS Hardening
PVWA_AdditionalAppPool PVWA Application Pool configuration
PVWA_CredFileHardening Credential File Hardening

PSM specific hardening checks

Hardening check Description
ConfigureUsersForPSMSessions Configure users for PSM sessions
PSMForWebApplications PSM for web applications
EnableUsersToPrintPSMSessions Enable users to print PSM sessions
SupportWebApplications Support Web Applications on PSM
ClearRemoteDesktopUsers Clear Remote Desktop Users group from PSM Server
RunApplocker Check up AppLocker Rules
ConfigureOutOfDomainPSMServer Configure Out Of Domain PSM Server
DisableTheScreenSaverForThePSMLocalUsers Disable ScreenSaver for PSM Local users
HidePSMDrives Hide PSM Drives
BlockIETools Block IE Developer Tools and Context menu
HardenRDS Harden Remote Desktop Services
HardenPSMUsersAccess Harden PSM Users Access
HardenSMBServices Harden SMB and XB Services
PSM_CredFileHardening Credential File Hardening

Privilege Cloud Secure Tunnel specific hardening checks

Hardening check Description
SecureTunnel_Permissions Check Secure Tunnel folder hardening

Contributing

Please see our CONTRIBUTING for more details.

Licensing

Copyright (c) 2020 CyberArk Software Ltd. All rights reserved

This repository is licensed under GNU GENERAL PUBLIC LICENSE Version 3 - see LICENSE for more details.