
Security Fundamentals for your Privileged Account Security Deployment

February 2016

Copyright © 1999-2016 CyberArk Software Ltd. All rights reserved.

CAVSEC-PASSF-0216
Compromising privileged accounts is a central objective for any attacker, and CyberArk’s
Privileged Account Security Solution is designed to help improve your organization’s ability to
control and monitor privileged activity. As with any security solution, it is essential to deploy the
CyberArk Privileged Account Security Solution in a secure manner and ensure the controls you
have implemented are not circumvented by an attacker.

The eight controls described in this document are all key recommendations for protecting your
CyberArk deployment, and therefore your privileged accounts. Consolidated by our team, these
controls reflect our experience in implementing industry best practices when supporting our
customers in installing and operating our products. The recommendations are also based upon
analysis of various reports made by companies that experienced a security incident and other
research data generally available in the industry. Details are included in the “CyberArk Digital
Vault Security Standards” document and CyberArk product documentation.

It is imperative that you follow as many of these steps as practicable in your environment,
recognizing there may be other methods that you may wish to use based on your organization’s
expertise. Please review your CyberArk deployment on a regular basis to ensure it complies
with industry best practices, including those outlined in this document. For questions or
assistance with designing and implementing these controls or support in reviewing your
deployment, contact your CyberArk or partner representative.

Recommendations for Protecting your CyberArk Deployment

1. Isolate and Harden the Digital Vault Server


Recent attacks have shown that it is common for threat actors to leverage vulnerabilities in
the Kerberos protocol to move throughout the environment undetected. It is therefore required that
the Digital Vault server run on an isolated and trusted platform. For more information, see the
“CyberArk Secure Platform” document.

Critical principles of this control:

• The Digital Vault server is not a member of a Windows Domain

• Third-party software is not installed on the Digital Vault server

• Network traffic to the Digital Vault server is restricted to CyberArk protocols

© CyberArk Software Ltd. | cyberark.com 2


Eight Essential Security Controls

• Network traffic from the Digital Vault server is restricted to CyberArk protocols and approved
integrations such as LDAP for user and group provisioning or SMTP for email alerts

• The Digital Vault server operating system credentials are unique

• Any infrastructure hosting the Digital Vault server has the same controls applied to it as
those applied to the Digital Vault server

Due to the increased risk and complexity of assuring controls on the underlying infrastructure,
such as VMware ESX and the SAN backing it, it is strongly recommended that Digital Vault
servers be physical servers.

2. Use Two-Factor Authentication


Using two-factor authentication to the CyberArk Privileged Account Security Solution for all
users and product administrators enables you to mitigate common credential theft techniques,
such as basic key loggers or more advanced attack tools that are capable of harvesting
plaintext passwords. CyberArk recommends that customers deploy two-factor authentication to
the CyberArk Digital Vault, preferably over the RADIUS protocol.

3. Restrict Access to Component Servers


Like the Digital Vault server, CyberArk components, including the Password Vault Web Access,
Central Policy Manager and Privileged Session Manager, are sensitive assets. The core
principle of this control is to treat CyberArk infrastructure with the highest level of sensitivity.

Critical principles of this control:

• Follow Microsoft’s best practices for mitigating credential theft¹ and securing Active
Directory; CyberArk component servers are of the same security level as domain controllers
(tier 0)

• Consider keeping CyberArk component servers out of the domain

• Limit the accounts that can access component servers; ensure that any domain accounts
used to access CyberArk servers are unable to access domain controllers and other
member servers and workstations

¹ “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques”,
https://www.microsoft.com/en-us/download/details.aspx?id=36036


• Limit the number of domain credentials that are able to access the component servers

• Use host-based firewalls and IPsec to restrict, encrypt and authenticate inbound
administrative traffic; use the CyberArk Privileged Session Manager and the local
administrator account to access component servers

• Deploy application whitelisting and limit execution to authorized applications

4. Limit Privileges and Points of Administration


Reducing the number of privileged accounts and/or the extent of their privileges reduces the
overall privileged account attack surface. This is true both for the enterprise as a whole and for
each solution implemented, including CyberArk. The core principle of this control is that there
should only be a few CyberArk administrators, and they should only possess limited privileges,
unless elevated through a strong approval process.

Critical principles of this control:

• Eliminate unnecessary CyberArk administrative accounts

• Reduce privileges of CyberArk administrative accounts

• Restrict personal accounts to business-as-usual permissions justified for their role; CyberArk
administrators do not have justification to access all credentials

• Require privilege elevation (with Dual Control or Ticketing Integration) for system
configuration changes or to access credentials that the CyberArk administrator otherwise
does not have justification to access

• Use the CyberArk Privileged Session Manager to isolate and monitor CyberArk
administration

• Require two-factor authentication for all avenues of administrative access

5. Protect Sensitive Accounts and Encryption Keys


Like many applications, the CyberArk Digital Vault has sensitive accounts and encryption keys.
These sensitive accounts come in two forms: business-as-usual administrators (addressed in
Control #4) and out-of-band administrators (e.g. the Master user), to be used when the normal
administration methods are not available. Furthermore, the CyberArk Digital Vault utilizes two
encryption keys to secure data: the Operator Key is used for runtime encryption tasks and the
Master Key is used for recovery operations.


Critical principles of this control:

• Store the built-in Vault Administrator, OS Administrator and iDRAC/iLO root passwords in a
physical safe (distribute copies to two or more locations); ensure that access requires more
than one individual

• Store the Master Password and Master Key in a physical safe (distribute copies to two or
more locations) and ensure that access requires more than one individual

• Do not store the Operator Key on the same media as the data

• Use a Hardware Security Module (HSM) to secure the Operator Key

6. Use Secure Protocols


The use of insecure protocols can easily render other controls void. To reduce the risk of
eavesdropping and other network-based attacks, use encrypted and authenticated protocols for
all communications. For example, use HTTPS for the Password Vault Web Access, LDAPS for
the Digital Vault LDAP integration, RDP/TLS for connections to the CyberArk Privileged Session
Manager and SSH (instead of telnet) for password management.

7. Monitor Logs for Irregularities


In order to detect problems early, it is essential to monitor the logs generated by both the
CyberArk Privileged Account Security Solution and the infrastructure on which it runs. Early
detection is one of the key elements in reducing the impact of any issue, whether security or
operational.

Critical principles of this control:

• Aggregate CyberArk application and infrastructure logging within your SIEM

• Monitor and alert upon excessive authentication failures, logins to the Digital Vault server
operating system, logins as Administrator or Master and important infrastructure events

• Consider implementing CyberArk Privileged Threat Analytics for automated analysis and
alerting on anomalies in CyberArk’s audit logging
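
The alert conditions named in this control, sketched as detection logic over events a SIEM has already normalized. This is an added example, not CyberArk code: the event schema, the host name vault01, the sample user names and the threshold of 5 failures in 10 minutes are all assumptions.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Assumed thresholds and names; tune them to your environment.
FAIL_LIMIT = 5                         # failures per user ...
FAIL_WINDOW = timedelta(minutes=10)    # ... within this window
SENSITIVE_USERS = {"administrator", "master"}
VAULT_HOSTS = {"vault01"}              # hypothetical Digital Vault host name
Event = namedtuple("Event", "ts source host user action")

# Constructed sample events; the schema is hypothetical, not a CyberArk log format.
SAMPLE_EVENTS = [
    Event("2016-02-01T08:00:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T08:40:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T08:41:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T08:42:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T08:43:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T08:44:00", "vault", "vault01", "jsmith", "logon_failure"),
    Event("2016-02-01T09:00:00", "vault", "vault01", "Master", "logon_success"),
    Event("2016-02-01T09:05:00", "os", "vault01", "localadmin", "logon_success"),
    Event("2016-02-01T09:06:00", "vault", "vault01", "adoe", "logon_success"),
    Event("2016-02-01T09:07:00", "os", "pvwa01", "svc_web", "logon_success"),
]

def detect(events, vault_hosts=VAULT_HOSTS):
    """Return (rule, timestamp, detail) alerts for the three conditions."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure times in window
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e.ts)):
        ts, user = datetime.fromisoformat(ev.ts), ev.user.lower()
        kind = (ev.source, ev.action)
        if kind == ("os", "logon_success") and ev.host in vault_hosts:
            # Any interactive logon to the Vault server OS is worth an alert.
            alerts.append(("vault_os_logon", ev.ts, f"{user}@{ev.host}"))
        elif kind == ("vault", "logon_success") and user in SENSITIVE_USERS:
            alerts.append(("sensitive_vault_logon", ev.ts, user))
        elif kind == ("vault", "logon_failure"):
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # evict stale failures
                window.popleft()
            if len(window) >= FAIL_LIMIT:   # alert once, then restart the count
                alerts.append(("excessive_auth_failures", ev.ts, user))
                window.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```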


8. Create and Periodically Test a CyberArk Disaster Recovery Plan

Even with extensive controls and best practices in place, things can still go wrong as
attackers continuously seek more evolved, sophisticated attack methods. Having a documented
disaster recovery plan that specifically takes into account your organization’s CyberArk
deployment, and periodically validating it, will ensure that you can quickly recover your data
and restore operations.

A good disaster recovery plan begins with an assessment of the various risks, their likelihood
of occurrence and their impact. The disaster recovery plan should provide information about the
physical infrastructure, key contacts, processes to access out-of-band credentials and
procedures to recover from likely and/or high-impact problems. Furthermore, it is important to
ensure that your CyberArk solutions, Privileged Account Security in particular, are included
in your general, enterprise-wide disaster recovery process and accounted for as a vital step
in recovery.
