Security Fundamentals for your Privileged Account Security Deployment
February 2016
Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216
Compromising privileged accounts is a central objective for any attacker, and CyberArk's Privileged Account Security Solution is designed to help improve your organization's ability to control and monitor privileged activity. As with any security solution, it is essential to deploy the CyberArk Privileged Account Security Solution in a secure manner and ensure the controls you have implemented are not circumvented by an attacker.

The eight controls described in this document are all key recommendations for protecting your CyberArk deployment, and therefore your privileged accounts. Consolidated by our team, these controls reflect our experience in implementing industry best practices when supporting our customers in installing and operating our products. The recommendations are also based upon analysis of various reports made by companies that experienced a security incident and other research data generally available in the industry. Details are included in the CyberArk Digital Vault Security Standards document and CyberArk product documentation.

It is imperative that you follow as many of these steps as practicable in your environment, recognizing there may be other methods that you may wish to use based on your organization's expertise. Please review your CyberArk deployment on a regular basis to ensure it complies with industry best practices, including those outlined in this document. For questions or assistance with designing and implementing these controls or support in reviewing your deployment, contact your CyberArk or partner representative.

Recommendations for Protecting your CyberArk Deployment

1. Isolate and Harden the Digital Vault Server

Recent attacks have shown that it is common for threat actors to leverage vulnerabilities in the Kerberos protocol to move throughout the environment undetected. It is therefore required that the Digital Vault server run on an isolated and trusted platform. For more information, see the CyberArk Secure Platform document.
- The Digital Vault server is not a member of a Windows Domain
- Third-party software is not installed on the Digital Vault server
- Network traffic to the Digital Vault server is restricted to CyberArk protocols

CyberArk Software Ltd. cyberark.com 2
- Network traffic from the Digital Vault server is restricted to CyberArk protocols and approved integrations, such as LDAP for user and group provisioning or SMTP for email alerts
- The Digital Vault server operating system credentials are unique
- Any infrastructure hosting the Digital Vault server has the same controls applied to it as those applied to the Digital Vault server

Due to the increased risk and complexity of assuring controls on the underlying infrastructure, such as VMWare ESX and the SAN backing it, it is strongly recommended that Digital Vault servers be physical servers.

2. Use Two-Factor Authentication

Using two-factor authentication to the CyberArk Privileged Account Security Solution for all users and product administrators enables you to mitigate common credential theft techniques, such as basic key loggers or more advanced attack tools that are capable of harvesting plaintext passwords. CyberArk recommends that customers deploy two-factor authentication to the CyberArk Digital Vault, preferably over the RADIUS protocol.

3. Restrict Access to Component Servers

Like the Digital Vault server, CyberArk components, including the Password Vault Web Access, Central Policy Manager and Privileged Session Manager, are sensitive assets. The core principle of this control is to treat CyberArk infrastructure with the highest level of sensitivity.

- Follow Microsoft's best practices for mitigating credential theft [1] and securing Active Directory; CyberArk component servers are of the same security level as domain controllers (tier 0)
- Consider keeping CyberArk component servers out of the domain
- Limit the accounts that can access component servers; ensure that any domain accounts used to access CyberArk servers are unable to access domain controllers and other member servers and workstations

[1] Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, https://www.microsoft.com/en-us/download/details.aspx?id=36036
- Limit the number of domain credentials that are able to access the component servers
- Use host-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic; use the CyberArk Privileged Session Manager and the local administrator account to access component servers
- Deploy application whitelisting and limit execution to authorized applications

4. Limit Privileges and Points of Administration

Reducing the number of privileged accounts and/or the extent of their privileges reduces the overall privileged account attack surface. This is true both for the enterprise as a whole and for each solution implemented, including CyberArk. The core principle of this control is that there should only be a few CyberArk administrators, and they should only possess limited privileges, unless elevated through a strong approval process.

- Eliminate unnecessary CyberArk administrative accounts
- Reduce privileges of CyberArk administrative accounts
- Restrict personal accounts to business-as-usual permissions justified for their role; CyberArk administrators do not have justification to access all credentials
- Require privilege elevation (with Dual Control or Ticketing Integration) for system configuration changes or to access credentials that the CyberArk administrator otherwise does not have justification to access
- Use the CyberArk Privileged Session Manager to isolate and monitor CyberArk administration
- Require two-factor authentication for all avenues of administrative access

5. Protect Sensitive Accounts and Encryption Keys

Like many applications, the CyberArk Digital Vault has sensitive accounts and encryption keys. These sensitive accounts come in two forms: business-as-usual administrators (addressed in Control #4) and out-of-band administrators (e.g. the Master user), to be used when the normal administration methods are not available.
Furthermore, the CyberArk Digital Vault utilizes two encryption keys to secure data: the Operator Key is used for runtime encryption tasks and the Master Key is used for recovery operations.
- Store the built-in Vault Administrator, OS Administrator and iDRAC/iLO root passwords in a physical safe (distribute copies to two or more locations); ensure that access requires more than one individual
- Store the Master Password and Master Key in a physical safe (distribute copies to two or more locations) and ensure that access requires more than one individual
- Do not store the Operator Key on the same media as the data
- Use a Hardware Security Module (HSM) to secure the Operator Key

6. Use Secure Protocols

The use of insecure protocols can easily render other controls void. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications. For example, use HTTPS for the Password Vault Web Access, LDAPS for the Digital Vault LDAP integration, RDP/TLS for connections to the CyberArk Privileged Session Manager and SSH (instead of telnet) for password management.

7. Monitor Logs for Irregularities

In order to detect problems early, it is essential to monitor the logs generated by both the CyberArk Privileged Account Security Solution and the infrastructure on which it runs. Early detection is one of the key elements in reducing the impact of any issue, whether security or operational.

- Aggregate CyberArk application and infrastructure logging within your SIEM
- Monitor and alert upon excessive authentication failures, logins to the Digital Vault server operating system, logins as Administrator or Master and important infrastructure events
- Consider implementing CyberArk Privileged Threat Analytics for automated analysis and alerting on anomalies in CyberArk's audit logging
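The following is an added illustration, not CyberArk code or CyberArk's real audit log format: a small detector that applies the three alert conditions from Control 7 (excessive authentication failures within a sliding window, logins to the Vault server operating system, and logins as Administrator or Master) to constructed, simplified log lines. The line format, user names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified syslog-like format:
# "<ISO timestamp> <source> user=<name> action=<Logon|LogonFailure|OSLogon> src=<ip>"
SAMPLE_LOG = """\
2016-02-10T09:00:01 vault user=jsmith action=Logon src=10.1.1.5
2016-02-10T09:00:10 vault user=pjones action=LogonFailure src=10.1.1.7
2016-02-10T09:00:20 vault user=pjones action=LogonFailure src=10.1.1.7
2016-02-10T09:00:30 vault user=pjones action=LogonFailure src=10.1.1.7
2016-02-10T09:00:40 vault user=pjones action=LogonFailure src=10.1.1.7
2016-02-10T09:00:50 vault user=pjones action=LogonFailure src=10.1.1.7
2016-02-10T09:05:00 vault user=Administrator action=Logon src=10.1.1.9
2016-02-10T09:06:00 vault-os user=vaultadmin action=OSLogon src=10.1.1.9
2016-02-10T11:00:00 vault user=Master action=Logon src=10.1.1.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) action=(\S+) src=(\S+)$")
PRIVILEGED_USERS = {"Administrator", "Master"}   # built-in users named in Control 7
FAILURE_THRESHOLD = 5                            # assumed tuning values
WINDOW = timedelta(minutes=10)

def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, source, user, action, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": source,
                           "user": user, "action": action, "src": src})
    return events

def find_alerts(events):
    """Return (alert_type, user) tuples in the order the triggering events occur."""
    alerts = []
    failures = defaultdict(list)  # user -> failure timestamps inside the sliding window
    for e in events:
        if e["action"] == "LogonFailure":
            window = [t for t in failures[e["user"]] if e["ts"] - t <= WINDOW] + [e["ts"]]
            failures[e["user"]] = window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(("excessive_failures", e["user"]))
                failures[e["user"]] = []  # reset so one burst raises one alert
        elif e["action"] == "OSLogon":
            alerts.append(("vault_os_logon", e["user"]))
        elif e["action"] == "Logon" and e["user"] in PRIVILEGED_USERS:
            alerts.append(("privileged_logon", e["user"]))
    return alerts

def run():
    return find_alerts(parse(SAMPLE_LOG))
```

In a real deployment the same conditions would be expressed as SIEM correlation rules over the aggregated CyberArk and infrastructure logs rather than as a stand-alone script.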
8. Create and Periodically Test a CyberArk Disaster Recovery Plan

Even with extensive controls and best practices in place, as attackers continuously seek evolved, sophisticated attack methods, things can still go wrong. Having a documented disaster recovery plan that specifically takes into account your organization's CyberArk deployment, and periodically validating it, will ensure that you can quickly recover your data and restore operations.

A good disaster recovery plan begins with an assessment of the various risks, the likelihood of occurrence and impact. The disaster recovery plan should provide information about the physical infrastructure, key contacts, processes to access out-of-band credentials and procedures to recover from likely and/or high-impact problems. Furthermore, it is important to ensure that your CyberArk solutions, Privileged Account Security in particular, are included and accounted for as a vital step in recovery as part of your general disaster recovery process, throughout the enterprise.