07_PAM-I-and-C_PSM


Privileged Session Manager

Installation and Configuration


CyberArk University

© 2024 CyberArk Software Ltd. All rights reserved


Objectives
By the end of this session you will be able to:
1. Describe the main capabilities of the PSM
2. Install the PSM
3. Verify the Installation
4. Post installation tasks
5. Hardening and security


Review



Value of Privileged Session Management
• Isolate – Prevent cyber attacks by isolating desktops from sensitive target machines
• Control – Create accountability and control over privileged session access with policies, workflows and privileged single sign on
• Monitor – Deliver continuous monitoring and compliance with session recording with zero footprint on target machines


CyberArk Privileged Session Manager
(Diagram: the user reaches the PVWA over HTTPS and the PSM over RDP over SSL; the PSM talks to the Vault and to the target systems: Windows/UNIX servers, databases, web sites, routers and switches, ESX\vCenters; the Vault forwards logs to SIEM/Syslog)
1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog


Considerations Before Installing PSM



Planning Capacity
• The amount of storage in the Vault that is required for storing session recordings must be planned before installation.
• The following considerations will help you determine the amount of Vault storage that you will need.

Consideration – Description
• Size of session recordings – The number of activities performed during each session and the session type (GUI or Text) determine the size of each recording. Typically, recordings vary from 50-300 KB/minute
• Activity in your enterprise – The number of concurrent sessions that the PSM will create and store in the Vault determine the size of your implementation.
• Recordings Retention Period – The length of time that recordings will be retained according to your enterprise audit policy


PSM System Requirements
• The number of required PSM servers depends on business requirements, network topology, redundancy and load-balancing requirements
• The concurrency of 100 sessions per PSM server must not be exceeded
• The maximum concurrency is up to 40% lower when installing the PSM server on a virtual machine with equivalent resources
See “Recommended Settings For Installing PSM On A Virtual Machine” on docs.cyberark.com

Hardware specifications: Physical Servers
Small Implementation (1-10 concurrent RDP/SSH sessions)
• 8 core processor (Intel compatible)
• 8GB RAM
• 2X 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM
Mid-range Implementation (11-50 concurrent RDP/SSH sessions)
• 16 core processor (Intel compatible)
• 16GB RAM
• 2X 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM
Large Implementation (51-100 concurrent RDP/SSH sessions)
• 32 core processors (Intel compatible, 2.1 GHz - 2.6 GHz)
• 32GB RAM
• 2X 250GB SAS hot-swappable drives (15K RPM)
• RAID Controller
• Network adapter (1Gb)
• DVD ROM


PSM System Requirements
• Running resource-intensive applications like MS SQL Server Manager Studio, Toad, etc., on the
PSM server will result in lower concurrency
• Connections from client machines with more than one HD screen, or with a high-resolution screen
will result in lower concurrency



Installation Prerequisites – Basic PSM Functionality
• Basic PSM functionality requires Windows 2016 or Windows 2019 with the Remote Desktop Services (RDS) Session Host Role only
• Remote Desktop Session Host requires RDS CAL licensing
⎼ PSM can work with any RDS CAL License scheme, either per user or per device, on Windows Server 2016 and earlier
⎼ We recommend using a per-device RDS license when using Windows Server 2019
For more information about purchasing an RDS CAL, contact your Microsoft representative.


PSM Software Prerequisites
• Windows 2019, Windows 2016 Standard
• .NET Framework 4.8
• Microsoft Remote Desktop Services (RDS) Session Host
• Microsoft Remote Desktop Services Gateway (optional)
• PSM can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google
See PSM Installation Considerations online


Sizing Calculations (PSM Server)
$S_{PSM} = C_{session} \cdot t_{session} \cdot R_{session\ recording} + 20\,\mathrm{GB}$

$S_{PSM}$ = Required storage on PSM Server
$C_{session}$ = Maximum Number of Concurrent Sessions
$t_{session}$ = Average length of recorded session
$R_{session\ recording}$ = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(25 sessions) x (180 minutes/session) x (300 KB/minute) + 20GB = 21.35GB


Sizing Calculations (Vault Server)
$S_{Vault} = t_{retention} \cdot N_{session} \cdot t_{session} \cdot R_{session\ recording} + 20\,\mathrm{GB}$

$S_{Vault}$ = Required storage on Vault Server
$t_{retention}$ = Retention history requirement
$N_{session}$ = Average number of recorded sessions per day
$t_{session}$ = Average length of recorded session
$R_{session\ recording}$ = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(90 days) x (400 sessions/day) x (180 minutes/session) x (300 KB/minute) + 20GB = 1.96 TB
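The two sizing formulas above, written out as PowerShell functions so that the PSM server and Vault estimates can be recomputed for other inputs. This is an added example, not CyberArk's own tooling; it goes slightly beyond the slides by adding a helper that derives a weighted average bit rate from a mix of SSH and RDP sessions. The slides' worked figures only come out with decimal units (1 GB = 1,000,000 KB, 1 TB = 1,000 GB), so those conversions are assumed here.

```powershell
# Added example (not from the CyberArk deck): the PSM server and Vault sizing formulas,
# plus a weighted-rate helper for a mixed workload. Decimal units are assumed because
# the deck's own worked figures (21.35 GB, 1.96 TB) only come out that way.

# Average recording bit rates quoted in the deck, in KB per minute
$RecordingRateKBPerMin = @{
    SSH     = 100   # average SSH session
    RdpLow  = 200   # average low-activity RDP session
    RdpHigh = 300   # average high-activity RDP session with rich wallpaper
}

function Get-WeightedRecordingRate {
    # Weighted average R_session_recording for a mix such as @{ SSH = 10; RdpHigh = 15 }
    param([Parameter(Mandatory)][hashtable]$SessionMix)
    $total = 0; $weighted = 0.0
    foreach ($kind in $SessionMix.Keys) {
        if (-not $RecordingRateKBPerMin.ContainsKey($kind)) { throw "Unknown session kind '$kind'" }
        $total    += $SessionMix[$kind]
        $weighted += $SessionMix[$kind] * $RecordingRateKBPerMin[$kind]
    }
    if ($total -eq 0) { throw 'Session mix is empty' }
    return $weighted / $total
}

function Get-PsmServerStorageGB {
    # S_PSM = C_session * t_session * R_session_recording + 20 GB
    param(
        [Parameter(Mandatory)][int]$ConcurrentSessions,   # C_session
        [Parameter(Mandatory)][int]$AvgSessionMinutes,    # t_session
        [Parameter(Mandatory)][double]$RateKBPerMin,      # R_session_recording
        [int]$BaseGB = 20                                 # fixed overhead term of the formula
    )
    $recordingKB = [double]$ConcurrentSessions * $AvgSessionMinutes * $RateKBPerMin
    return [math]::Round($recordingKB / 1e6 + $BaseGB, 2)
}

function Get-VaultStorageTB {
    # S_Vault = t_retention * N_session * t_session * R_session_recording + 20 GB
    param(
        [Parameter(Mandatory)][int]$RetentionDays,        # t_retention
        [Parameter(Mandatory)][int]$SessionsPerDay,       # N_session
        [Parameter(Mandatory)][int]$AvgSessionMinutes,    # t_session
        [Parameter(Mandatory)][double]$RateKBPerMin,      # R_session_recording
        [int]$BaseGB = 20
    )
    $recordingKB = [double]$RetentionDays * $SessionsPerDay * $AvgSessionMinutes * $RateKBPerMin
    return [math]::Round(($recordingKB / 1e6 + $BaseGB) / 1000, 2)
}

# The deck's two worked examples (all sessions high-activity RDP)
Get-PsmServerStorageGB -ConcurrentSessions 25 -AvgSessionMinutes 180 -RateKBPerMin $RecordingRateKBPerMin.RdpHigh
Get-VaultStorageTB -RetentionDays 90 -SessionsPerDay 400 -AvgSessionMinutes 180 -RateKBPerMin $RecordingRateKBPerMin.RdpHigh

# A mixed estate: 10 concurrent SSH and 15 concurrent high-activity RDP sessions
$rate = Get-WeightedRecordingRate -SessionMix @{ SSH = 10; RdpHigh = 15 }
Get-PsmServerStorageGB -ConcurrentSessions 25 -AvgSessionMinutes 180 -RateKBPerMin $rate
```

With the slides' inputs the two functions return the figures shown above; the mixed-workload call shows how much the estimate drops when part of the concurrency is SSH rather than rich RDP, which is the question a capacity planner usually has.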



Installation Automation Options
1. Use Installation Automation deployment scripts individually to automatically install and deploy the Core PAM component servers
2. Use the Wizard installation that includes Post-installation and PSM Hardening tasks
3. Use the PSM automatic installation tool


Installation Automation Scripts
Use Installation Automation deployment scripts individually to automatically install and deploy the Core PAM component servers. Each script is launched separately and includes a configuration file for custom deployment options.
• Prerequisites – Checks .NET version and installs the Remote Desktop Session Host role
• Installation – Installs the Privileged Session Manager software. Does not register with the vault!
• Hardening – Launches the local hardening script
• Post Installation – Disables screen saver and other options
• Registration – Registers the PSM with the Digital Vault
PSM Wizard Installation
Reduced to 3 total steps
1. Prerequisites installation
2. PSM Wizard installation now includes:
⎼ Post-installation
⎼ PSM Hardening
3. Active Directory Domain joined PSM servers require the CyberArk PSM Hardening Group Policy applied


PSM Automatic Installation Tool
• PSMAutoInstallation.exe runs all the PSM installation stages:
⎼ Setup, i.e., prerequisites; Installation; Post-installation; Hardening; Registration

See docs.cyberark.com for more information


Prerequisites: Remote Desktop Services Installation using Installation Automation Scripts


Prerequisites
• Copy all necessary files to the PSM Server.
• Extract zip files before launching Setup.
• Launch the deployment scripts and software installer locally.


Installation Prerequisites: RemoteApp
To take advantage of the RemoteApp feature of PSM, there are additional prerequisites:
• RD Connection Broker
• RD Web Access
• PSM server must be a member of an Active Directory Domain
• Must be a Domain User with local admin rights on the host server when installing the Remote Desktop Session Host role


RDS Prerequisite Installation: Scripted
Configure the set-up stage
• From the Prerequisites folder, edit the file \PrerequisitesConfig.xml and select the steps to enable by setting Enable="Yes".
These options tell the script to:
1. Install .NET 4.8 if not already installed
2. Install the Remote Desktop Session Host Role
3. Update the RDS security layer
4. Disable Network Level Authentication
⎼ If NLA authentication is enabled, connection through the PVWA is not supported


Remote Desktop Services Installation: Scripted
Configure the set-up stage
1. Run the PowerShell script Execute-Stage.ps1 specifying the full path to the PrerequisitesConfig.xml file.
2. Restart the Server when prompted

.\Execute-Stage.ps1 'C:\Privileged Session Manager-Rls v11.2\InstallationAutomation\Prerequisites\PrerequisitesConfig.xml'


Remote Desktop Services Installation: Scripted
Configure the set-up stage
3. Login as a Domain User with Local Admin Privileges and allow the deployment process to complete
4. Close the PowerShell Window
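Once the prerequisites stage has run and the server has been restarted, it is worth reading back what the stage was supposed to leave behind before starting the PSM installer. The script below is an added example, not part of the deck or of CyberArk's Installation Automation scripts: it checks the .NET Framework release, the Remote Desktop Session Host role and the RDP-Tcp listener's NLA setting. The registry path, the .NET 4.8 release number and the Win32_TSGeneralSetting class are Microsoft's; the pass criteria are the ones the slides state.

```powershell
# Added example (not from the deck or CyberArk's scripts): confirm the state the
# prerequisites stage should have produced before running setup.exe. Read-only.

function Test-PsmPrerequisites {
    # .NET Framework 4.8 sets Release >= 528040 under the v4 Full key
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release  = if ($ndp) { [int]$ndp.Release } else { 0 }
    $dotNet48 = $release -ge 528040

    # Remote Desktop Session Host role (Server Manager feature name RDS-RD-Server)
    $rdsh = Get-WindowsFeature -Name RDS-RD-Server -ErrorAction SilentlyContinue
    $rdshInstalled = ($null -ne $rdsh) -and [bool]$rdsh.Installed

    # RDP-Tcp listener: NLA must be off, otherwise connections through the PVWA are not supported
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    $nlaDisabled   = ($null -ne $listener) -and ($listener.UserAuthenticationRequired -eq 0)
    $securityLayer = if ($listener) { $listener.SecurityLayer } else { $null }   # 0 = RDP, 1 = Negotiate, 2 = TLS

    [pscustomobject]@{
        DotNetRelease       = $release
        DotNet48Installed   = $dotNet48
        RdSessionHostRole   = $rdshInstalled
        NlaDisabled         = $nlaDisabled
        SecurityLayer       = $securityLayer
        AllPrerequisitesMet = $dotNet48 -and $rdshInstalled -and $nlaDisabled
    }
}

# Run after the Execute-Stage.ps1 reboot, before launching the PSM installer
$check = Test-PsmPrerequisites
$check | Format-List
if (-not $check.AllPrerequisitesMet) {
    Write-Warning 'Prerequisites are not in the expected state; review the Execute-Stage.ps1 output before running setup.exe.'
}
```

SecurityLayer is reported rather than asserted because the slides say the stage "updates" it without naming the value; the TLS-specific checks belong to the RDP over SSL hardening later in the deck.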



RDSH Prerequisite Installation: Manual
• Installation Automation PowerShell scripts are not required but are recommended
• To install RDSH manually, open Server Manager and select Add Roles and Features
• In the Add Roles and Features Wizard, select Remote Desktop Services Installation in the Installation Type window
See “PSM post-installation tasks” on docs.cyberark.com


Session Collection
• A final step before installing PSM software
• Remove the default “Domain Users” group and add a group of trusted administrators that are authorized to connect to the PSM via RDP
• Post PSM hardening, the CyberArk PSM Group Policy will enforce “Allow logon through Terminal Services” allowing only
⎼ BuiltIn\Administrators
⎼ PSMConnect
⎼ PSMAdminConnect


Session Collection
• CyberArk Vault Admins group
should also be added to the Local
Administrators group to allow RDP
access
• External Directory User Groups
created for CyberArk must be
added to “Allow log on through
Terminal Services“ if PSM for
Windows (Native RDP)
functionality is required



PSM Installation Wizard Installation Method



PSM Installation Initial Steps
• Run setup.exe from the local disk
• Accept the installation of Visual C++ Redistributable packages
• Accept the SLA
• Enter name and company
• Select destination location for the PSM root directory.


PSM Recordings Directory
• Select the folder on the PSM server where PSM recordings will be saved temporarily before they are uploaded to the Vault.
• Recordings vary from 100-300 KB/minute.


PVWA Configuration Safe – PVWAConfig
• Click Next to accept the default name of the PVWA Configuration Safe provided by the installation
• During installation, the PSM will update parameters in the PVWAConfig
• These parameters can be modified later if necessary, in the System Configuration page in the PVWA


Vault Connection Details
• Specify the IP address and the port number of the Password Vault


Vault Username and Password Details
• Specify the username and password of the Vault user carrying out this installation
• Use the built-in Administrator user for PSM installation
• When installing multiple PSMs, you must install all of them with the same Vault user


API Gateway
• Leave the host name field blank and click Next >
• The API GW configuration can be updated later if not configured during PSM installation


PSM PKI Authentication
• If configuring PSM PKI Authentication, select the check box and click Next >
• Do not use this option unless PKI is actively used in your organization


Harden the PSM Server
• Select “Harden the PSM server machine”, then select the “Advanced” button


Harden the PSM Server
• Review and select the appropriate options for your environment
• Before proceeding, edit the file “PSMConfigureApplocker.xml” and add a rule for each client application intended for use with PSM
• The option “Configure Out of Domain PSM Server” should only be selected for installs on Windows Workgroup servers


Restart
• Select “No, I will restart my computer later”
• Install the PrivateArk Client and restart the server


Verify Installation
Inspect the PSMInstall.log to ensure the installation completed successfully. This log file is created in the Temp folder and contains a list of all the activities performed when the PSM environment in the Vault is created.


PSM Hardening for In-Domain Deployments
• Enable the PSM Hardening GPO for the PSM Servers in Active Directory Group Policy Management
• Import the PSM Hardening settings to a GPO in your Active Directory domain
• Apply to the PSM Servers in a dedicated Organizational Unit
See “GPO Parameters for In-Domain Automatic Hardening” on docs.cyberark.com


Verify Server Environment



PSM Installation Folder and Service
• Components – contains the main PSM configuration files and all the executable files required to run the PSM.
• Logs – contains the PSM activity log files.
• Recordings – stores the session recordings temporarily until they are uploaded to the Vault.
The basic_psm.ini file is the primary configuration file for the PSM server.


PSM Users
These users are created locally on the PSM Server:
• PSMConnect – used by end users to launch a session via the PSM.
• PSMAdminConnect – used by auditors to monitor live sessions.
• A local group is also created: PSMShadowUsers – a group that contains the PSM shadow users.
• Members of this group must have the “logon locally” user right assignment.
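A way to verify this part of the server environment, written as an added example rather than anything shipped with the PSM: it confirms that the two local accounts and the PSMShadowUsers group exist, lists any PSM-&lt;user-id&gt; shadow users already present, and exports the local security policy with secedit to show who currently holds "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), the two rights the Session Collection and PSM Users slides refer to. The cmdlets and the secedit INF format are Microsoft's; the script changes nothing.

```powershell
# Added example (not part of the deck): read-only check of the local PSM principals
# and of the two logon rights the deck says they need.

function Get-PsmLocalPrincipals {
    $rows = foreach ($n in 'PSMConnect', 'PSMAdminConnect') {
        $u = Get-LocalUser -Name $n -ErrorAction SilentlyContinue
        $enabled = if ($u) { $u.Enabled } else { $null }
        [pscustomobject]@{ Principal = $n; Kind = 'User'; Exists = ($null -ne $u); Enabled = $enabled }
    }
    $g = Get-LocalGroup -Name 'PSMShadowUsers' -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{ Principal = 'PSMShadowUsers'; Kind = 'Group'; Exists = ($null -ne $g); Enabled = $null }
    # Shadow users follow the PSM-<user-id> naming the deck describes; list them for reference
    $shadow = @(Get-LocalUser | Where-Object { $_.Name -like 'PSM-*' })
    [pscustomobject]@{ Principals = $rows; ShadowUserCount = $shadow.Count; ShadowUsers = $shadow.Name }
}

function Get-LogonRightAssignments {
    # secedit exports the local policy as an INF; its [Privilege Rights] section lists each
    # right with its holders, comma separated, as account names or *SID entries
    $inf = Join-Path $env:TEMP 'psm-rights.inf'
    $null = secedit /export /cfg $inf /areas USER_RIGHTS
    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $holders = @()
        if ($line) { $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } }
        $names = foreach ($h in $holders) {
            if ($h.StartsWith('*S-1-')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $h }   # keep the raw SID if it cannot be resolved (e.g. an orphaned account)
            } else { $h }
        }
        [pscustomobject]@{ Right = $right; Holders = ($names -join ', ') }
    }
}

(Get-PsmLocalPrincipals).Principals | Format-Table -AutoSize
Get-LogonRightAssignments | Format-Table -AutoSize
```

Run it elevated (secedit needs it). After hardening, the SeRemoteInteractiveLogonRight line is the place to confirm that only the administrators group, PSMConnect and PSMAdminConnect remain, and SeInteractiveLogonRight is where PSMShadowUsers should appear.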



PSM Shadow Users
What is a PSM Shadow User?
• The PSM creates a local PSM user called "PSM-<user-id>" for each Vault user who connects to the PSM
• An internal group is also created that contains all local PSM Shadow users as members
• PSM Shadow users are automatically created during a PSM connection to isolate the session
• This enables programs launched on the same server by different Vault users to run under different identities without the risk of information leak between these sessions


Verify Vault Environment



PSM Safes
• Verify that the following safes were created for the PSM:
⎼ PSM
⎼ PSMLiveSessions
⎼ PSMSessions
⎼ PSMUnmanagedSessionAccounts
• The PSMRecordings safe will be created dynamically when the first PSM recording is created


PSM Safe
• The PSM Safe contains the password objects of the unique PSM users created locally.
• By default, this safe is only accessible to the built-in Administrator user. The Vault Admins group must be added, if appropriate.
• Account properties specify the user name (PSMConnect or PSMAdminConnect) and the IP address of the PSM server machine
(Screenshot: the PSMAdminConnect and PSMConnect account objects in the PSM Safe)


PSM Recording Safes
• The default recording safe is called “PSMRecordings”
• Custom recording safes can be defined at the platform level and are created automatically by the PSM when it uploads the first recordings to the Vault
• Members of the Auditors group are automatically granted permissions on all Recording Safes


PSM Users and Groups
PSMAppUsers
This group is used to retrieve configuration from the Vault, create Recording Safes, upload recordings and perform other PSM activities.
PSMMaster
This group manages the Safes where recordings are stored. It is added to the Recordings Safes with all authorizations.
PSMGW_<MachineName>
This is the Gateway user through which the PSM user accesses the Vault to retrieve the target machine password. The credentials file for this user is stored on the PSM Server in a file named PSMGW.ini.
PSMApp_<MachineName>
This user is used by the PSM for internal processing.

The credential files for these users are PSMGW.ini and PSMApp.ini respectively, and are located on the PSM server.


PSM Users and Credentials
(Diagram: an end user connects to PSM1 over RDP using PSMConnect and an auditor over RDP using PSMAdminConnect; these credentials are retrieved from the Vault. PSM1 retrieves the target credential (Unix Administrator) through the PSMGW_PSM1 user, whose credentials are retrieved from the cred file on the PSM server: “PSMGW.ini”)


Hardening and Security (Configuring RDP over TLS)



Use RDP Over SSL
• Enable “Set client connection encryption level” and set it to High Level
• Enable “Require use of specific security layer for remote (RDP) connections” and set it to TLS 1.0
This is a Windows interface and TLS 1.0 is the only option it offers, but TLS 1.2 is the only enabled protocol
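The two policy entries above end up as values on the RDP-Tcp listener key, and which TLS version is actually negotiated depends on the Schannel protocol switches, which is why the slide can say TLS 1.0 in the UI but TLS 1.2 on the wire. The following added example (not from the deck) reads those values back and reports whether the listener is TLS-only with High encryption and whether TLS 1.0 and 1.1 are explicitly disabled server-side. The registry paths and value meanings are Microsoft's; the pass criteria are the slide's. It modifies nothing.

```powershell
# Added example (not from the deck): read-only check of the RDP security layer, the
# encryption level and the server-side Schannel protocol switches on a PSM server.

function Test-PsmRdpTlsSettings {
    $ws = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS (shown as "SSL (TLS 1.0)" in the policy UI)
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS compliant
    $tlsLayer = ($ws.SecurityLayer -eq 2)
    $highEnc  = ($ws.MinEncryptionLevel -ge 3)

    # Server-side Schannel protocol switches; an absent key or value means the OS default applies
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $p = Get-ItemProperty -Path "$base\$name\Server" -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Enabled) { $state = 'OS default' }
        elseif ($p.Enabled -eq 0)                  { $state = 'Disabled' }
        else                                       { $state = 'Enabled' }
        [pscustomobject]@{ Protocol = $name; ServerState = $state }
    }
    # "Only TLS 1.2 enabled" is taken to mean TLS 1.0 and 1.1 are explicitly disabled, not left at default
    $legacyOff = @($protocols | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.ServerState -ne 'Disabled' }).Count -eq 0

    [pscustomobject]@{
        SecurityLayer         = $ws.SecurityLayer
        MinEncryptionLevel    = $ws.MinEncryptionLevel
        TlsSecurityLayer      = $tlsLayer
        HighEncryption        = $highEnc
        LegacyTlsDisabled     = $legacyOff
        Protocols             = $protocols
        Compliant             = $tlsLayer -and $highEnc -and $legacyOff
    }
}

$tls = Test-PsmRdpTlsSettings
$tls | Select-Object SecurityLayer, MinEncryptionLevel, TlsSecurityLayer, HighEncryption, LegacyTlsDisabled, Compliant | Format-List
$tls.Protocols | Format-Table -AutoSize
```

If the policy is applied through the in-domain hardening GPO rather than locally, run this after a gpupdate so the listener values reflect the applied policy.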



Use RDP Over SSL
• Configure all connection components to use RDP over SSL
• Add a new Component Parameter, AuthenticationLevel, with a value of 1
⎼ A value of 2 equals negotiate and is not recommended for this parameter!
See “Secure RDP Connections with SSL” on docs.cyberark.com for more information


Use RDP Over SSL
• Configure the PSM address to specify the exact common name of the certificate used by the PSM.
• It is recommended to use a certificate issued by a trusted Certificate Authority.


Use RDP over SSL (Target Machines)
• Users should configure secure PSM-RDP connections to target machines by using an SSL connection.
• The target machine must have its own certificate
• Add an additional parameter (AuthenticationLevel) to PSM-RDP under Target Settings, Client Specific, with Value = 1
See “Secure RDP Connections with SSL” on docs.cyberark.com for more information
Printers Connections
Optional:
• A user logged in via the PSMConnect account may need to print while connected to the Target Server
• An Auditor (logged in via PSMAdminConnect) may not need to print while auditing a session
• Enabling the ability to print is configured in the post installation stage, if using the Installation Automation scripts


Configure PSM User Sessions
• “Active session limit” and “Idle session limit” must be set to Never
• A value other than Never can result in corrupted recordings. Session duration should be set at the platform level
• These parameters are pre-configured on the PSM accounts but should be verified after PSM installation completes


Hardening and Security (Harden the PSM Server)



Run the Hardening Script Again, If Needed
PSMHardening.ps1 is the main hardening script. The script will set permissions appropriately on directories and files
• Edit PSMHardening.ps1 as required before running the script
⎼ To support Web Applications, change the value of parameter $SUPPORT_WEB_APPLICATIONS from $false to $true
⎼ If the PSMConnect user has been changed to a domain user, update $PSM_CONNECT_USER to “Domain\PSMConnect”


Running the Hardening Script Again
• Running the PSM Hardening Script is a mandatory step that enhances PSM security
• Running the PSMHardening.ps1 script is simply a matter of executing it from a PowerShell interface
• Run “Set-ExecutionPolicy RemoteSigned -Force” prior to running the script
• After successfully running the script, reset the execution policy to Restricted with the following command: “Set-ExecutionPolicy Restricted -Force”
• You can check the status by running “Get-ExecutionPolicy”
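The sequence from the two slides above (review the script's variables, relax the execution policy, run PSMHardening.ps1, restore Restricted, confirm) as one wrapper script. This is an added example, not CyberArk's code: it reads back the current values of $SUPPORT_WEB_APPLICATIONS and $PSM_CONNECT_USER from the script so the operator can confirm them, and it puts the policy reset in a finally block so Restricted is restored even if the hardening script fails part-way. The path to PSMHardening.ps1 is an assumed default and should be adjusted to the PSM root directory chosen during installation.

```powershell
# Added example (not from the deck or CyberArk): run PSMHardening.ps1 with the execution
# policy bracketed by RemoteSigned / Restricted as the deck describes, and show the two
# variables the deck says to review first. The script path is an assumption.

$hardeningScript = 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMHardening.ps1'   # assumed location

function Show-PsmHardeningVariables {
    param([Parameter(Mandatory)][string]$Path)
    # Report the current values of the variables the deck says to review before running the script
    $text = Get-Content -Path $Path -Raw
    foreach ($name in 'SUPPORT_WEB_APPLICATIONS', 'PSM_CONNECT_USER') {
        $m = [regex]::Match($text, "\`$$name\s*=\s*(.+)")
        $value = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '<not found>' }
        [pscustomobject]@{ Variable = "`$$name"; Value = $value }
    }
}

function Invoke-PsmHardening {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Hardening script not found: $Path" }
    Show-PsmHardeningVariables -Path $Path | Format-Table -AutoSize

    Set-ExecutionPolicy RemoteSigned -Force
    try {
        & $Path
    }
    finally {
        # Restore the restrictive policy whether or not the hardening script succeeded
        Set-ExecutionPolicy Restricted -Force
        Write-Host "Execution policy is now: $(Get-ExecutionPolicy)"
    }
}

Invoke-PsmHardening -Path $hardeningScript
```

Run from an elevated PowerShell session, since both the hardening script and Set-ExecutionPolicy at machine scope require it.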



Adding AppLocker Rules
• AppLocker is a Microsoft security utility that allows PSM to whitelist applications based on unique identities of the executable files
• If additional clients are installed, you will need to add AppLocker rules to enable them
• The PSM installation includes an AppLocker script which enables PSM Administrators to whitelist internal PSM applications, mandatory Windows applications and 3rd party external applications that are used as clients in the PSM


Configuring AppLocker Rules
• All AppLocker rules should be defined in PSMConfigureAppLocker.xml located in the Hardening sub folder
• RDP, Putty and WINSCP are whitelisted by default (SQL*Plus is not)
• Configuring new or custom connection components where new client software will be installed on the PSM server requires the script to be updated and run again


Configuring AppLocker Rules
• If Method=“Hash”, AppLocker compares the current hash to the one recorded when the AppLocker rule was written
• If Method=“Publisher”, AppLocker allows the client application to launch and does not check the hash value
• The “Publisher” value is an option reserved only for applications that are frequently updated


Running the AppLocker Script
• After adding the relevant rules, run the AppLocker script: PSMConfigureApplocker.ps1
• By default, after running the script SQL*Plus will no longer be allowed to run in the context of a PSM connection component on the PSM server.


Running the AppLocker Script
• Edit PSMConfigureApplocker.xml to add SQL*Plus to the list of allowed applications and run the script again
• After adding SQL*Plus to the whitelist, it will be enabled to run in the context of the PSM-SQL*Plus connection component
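The Method="Hash" / Method="Publisher" choice in PSMConfigureApplocker.xml maps onto AppLocker's own rule types, and the difference is easiest to see by generating both kinds of rule for the same client binary with Microsoft's AppLocker cmdlets. The script below is an added example, not CyberArk's PSMConfigureApplocker.ps1 or its XML: it builds a hash rule and (if the file is signed) a publisher rule for an executable, and then evaluates the policy currently in force on the server against that executable, which is the check to run after editing the XML and re-running the CyberArk script. The sqlplus.exe path is an assumption.

```powershell
# Added example (not CyberArk's AppLocker script): compare a Hash rule with a Publisher rule
# for one client executable, then test the effective AppLocker policy against it.

$clientExe = 'C:\Oracle\client\bin\sqlplus.exe'   # assumed path of the SQL*Plus client

function Get-ExampleAppLockerRules {
    param([Parameter(Mandatory)][string]$Path)
    $info = Get-AppLockerFileInformation -Path $Path
    # Hash rule: tied to the file's current hash, so any update to the binary stops matching
    $hashXml = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone -Xml
    # Publisher rule: matches on the signer's certificate, product and binary name, so updated
    # builds still match. Only possible when the file is Authenticode-signed.
    $publisherXml = if ($info.Publisher) {
        New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml
    } else { $null }
    [pscustomobject]@{ Hash = $hashXml; Publisher = $publisherXml; Signed = [bool]$info.Publisher }
}

function Test-PsmAppLockerAllows {
    # Evaluate the effective (local + GPO) AppLocker policy for one executable.
    # Pass the local user or group the PSM rules are scoped to if they are not for Everyone.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$User = 'Everyone'
    )
    $effective = Get-AppLockerPolicy -Effective -Xml
    Test-AppLockerPolicy -XmlPolicy $effective -Path $Path -User $User
}

$rules = Get-ExampleAppLockerRules -Path $clientExe
'--- Hash rule ---'
$rules.Hash
if ($rules.Signed) { '--- Publisher rule ---'; $rules.Publisher } else { 'File is unsigned: no Publisher rule possible' }

# After editing PSMConfigureApplocker.xml and re-running PSMConfigureApplocker.ps1, confirm the outcome
Test-PsmAppLockerAllows -Path $clientExe | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

PolicyDecision tells you whether the executable would be allowed, and MatchingRule which rule decided it; an unexpected DeniedByDefault after running the CyberArk script usually means the new entry in the XML did not produce a rule for the account the session runs under.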



Register the PSM



Register the PSM
• The registration directory is \InstallationAutomation\Registration
• Modify the RegistrationConfig.xml file



Enable and Configure PSM



Enabling PSM in the Master Policy
PSM can be enabled globally for all accounts assigned to every platform, or selectively for only
specific platforms via exceptions to the Master Policy rule



PSM Server Configuration
• Address – the IP address or DNS name of the PSM server
• Safe – the safe where the objects (passwords) for PSMConnect and PSMAdminConnect are stored
• Object – the name of the PSMConnect object (password)
• AdminObject – the name of the PSMAdminConnect object


PSM Platform Settings
• The “ID” field contains the name of the PSM server targeted by this platform.
⎼ Enter a new value in this field to associate this platform with an alternate PSM Server
• The “Show Recorded Session” and the “Show Live Monitoring” notifications can be disabled and their display times can be modified
• DisableDualControlForPSMConnections allows you to disable Dual Control when accessing an account via PSM


Summary



Summary
In this session we covered:
• The main capabilities of the PSM
• Installing the PSM
• Verifying the Installation
• Performing Post installation tasks
• Hardening and securing the PSM
