February 2016
CAVSEC-PASSF-0216
Compromising privileged accounts is a central objective for any attacker, and CyberArk’s
Privileged Account Security Solution is designed to help improve your organization’s ability to
control and monitor privileged activity. As with any security solution, it is essential to deploy the
CyberArk Privileged Account Security Solution in a secure manner and ensure the controls you
have implemented are not circumvented by an attacker.
The eight controls described in this document are all key recommendations for protecting your
CyberArk deployment, and therefore your privileged accounts. Consolidated by our team, these
controls reflect our experience in implementing industry best practices when supporting our
customers in installing and operating our products. The recommendations are also based upon
analysis of various reports made by companies that experienced a security incident and other
research data generally available in the industry. Details are included in the “CyberArk Digital
Vault Security Standards” document and CyberArk product documentation.
It is imperative that you follow as many of these steps as practicable in your environment,
recognizing there may be other methods that you may wish to use based on your organization’s
expertise. Please review your CyberArk deployment on a regular basis to ensure it complies
with industry best practices, including those outlined in this document. For questions or
assistance with designing and implementing these controls or support in reviewing your
deployment, contact your CyberArk or partner representative.
- Network traffic from the Digital Vault server is restricted to CyberArk protocols and approved integrations such as LDAP for user and group provisioning or SMTP for email alerts
- Any infrastructure hosting the Digital Vault server has the same controls applied to it as those applied to the Digital Vault server
Due to the increased risk and complexity of assuring controls on the underlying infrastructure,
such as VMware ESX and the SAN backing it, it is strongly recommended that Digital Vault
servers be physical servers.
- Follow Microsoft’s best practices for mitigating credential theft and securing Active Directory; CyberArk component servers are of the same security level as domain controllers (tier 0)
- Limit the accounts that can access component servers; ensure that any domain accounts used to access CyberArk servers are unable to access domain controllers and other member servers and workstations
- Limit the number of domain credentials that are able to access the component servers
- Use host-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic; use the CyberArk Privileged Session Manager and the local administrator account to access component servers
- Restrict personal accounts to business-as-usual permissions justified for their role; CyberArk administrators do not have justification to access all credentials
- Require privilege elevation (with Dual Control or Ticketing Integration) for system configuration changes or to access credentials that the CyberArk administrator otherwise does not have justification to access
- Use the CyberArk Privileged Session Manager to isolate and monitor CyberArk administration
- Store the built-in Vault Administrator, OS Administrator and iDRAC/iLO root passwords in a physical safe (distribute copies to two or more locations); ensure that access requires more than one individual
- Store the Master Password and Master Key in a physical safe (distribute copies to two or more locations) and ensure that access requires more than one individual
- Do not store the Operator Key on the same media as the data
- Monitor and alert upon excessive authentication failures, logins to the Digital Vault server operating system, logins as Administrator or Master and important infrastructure events
- Consider implementing CyberArk Privileged Threat Analytics for automated analysis and alerting on anomalies in CyberArk’s audit logging
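The monitoring recommendation above can be expressed as three alert rules: excessive authentication failures, any logon to the Digital Vault server operating system, and any logon as Administrator or Master. The sketch below is an added example, not CyberArk code; the event tuple layout, the source names `vault` and `vault-os`, the sample user names and the threshold of 5 failures in 10 minutes are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (NOT a real CyberArk log format):
# (ISO timestamp, source, user, action, result)
SAMPLE_EVENTS = [
    (f"2016-02-01T09:0{m}:00", "vault", "jsmith", "logon", "failure")
    for m in range(5)
] + [
    ("2016-02-01T09:30:00", "vault", "auditor1", "logon", "success"),
    ("2016-02-01T10:00:00", "vault", "Master", "logon", "success"),
    ("2016-02-01T11:00:00", "vault-os", "opsadmin", "logon", "success"),
    ("2016-02-01T12:00:00", "vault", "bob", "logon", "failure"),
    ("2016-02-01T12:30:00", "vault", "bob", "logon", "failure"),
]

BUILTIN_USERS = {"administrator", "master"}  # built-in users named in the text
MAX_FAILURES = 5                  # assumed threshold
WINDOW = timedelta(minutes=10)    # assumed sliding window


def detect(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (timestamp, rule, user) alerts, in time order."""
    alerts = []
    recent = defaultdict(deque)  # (source, user) -> recent failure times
    for ts, source, user, action, result in sorted(events):
        if action != "logon":
            continue
        when = datetime.fromisoformat(ts)
        name = user.lower()
        if result == "failure":
            q = recent[(source, name)]
            q.append(when)
            while when - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append((ts, "excessive_auth_failures", user))
                q.clear()                 # restart counting after alerting
        elif result == "success" and source == "vault-os":
            alerts.append((ts, "vault_os_logon", user))   # any OS logon
        elif result == "success" and name in BUILTIN_USERS:
            alerts.append((ts, "builtin_user_logon", user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

In a real deployment the events would come from the Vault's audit records and the server's operating system logs, mapped into this tuple shape by whatever collector is in use.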
A good disaster recovery plan begins with an assessment of the various risks, the likelihood of
occurrence and impact. The disaster recovery plan should provide information about the
physical infrastructure, key contacts, processes to access out-of-band credentials and
procedures to recover from likely and/or high-impact problems. Furthermore, it is important to
ensure that your CyberArk solutions, Privileged Account Security in particular, are included
and accounted for as a vital step in recovery as part of your general disaster recovery
process, throughout the enterprise.