Configure CyberArk Privilege Cloud to Onboard Azure Accounts

This post summarizes the configuration of CyberArk Privilege Cloud for an Azure Active Directory environment.

Groups, Users, Roles in Identity

G-CyberArk-Users
G-CyberArk-Admins
G-CyberArk-Auditors
G-CyberArk-Managers
G-<Safe>-CA-Managers
G-<Safe>-CA-Users
G-<Safe>-CA-Approvers

Platform

Platforms are named using the nomenclature [Account type]-[Platform]-[Technology or OS Type]-[Environment]-[Workflow]-[Management]-[Expiry]. The suggested maximum length is 44 characters:

| Length | Description | Sample | Legend |
|--------|-------------|--------|--------|
| 3 | Account Type | SPA | Account type according to PAM naming conventions (e.g., SPA: Shared Privileged Account, PPA: Personal Privileged Account, WBA: Windows Built in Account, etc.) |
| 1 | Delimiter | - | Delimiter |
| 2 | Technology Platform | DB | Platform or OS type (e.g., CL: Cloud, WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, etc.) |
| 1 | Delimiter | - | Delimiter |
| 6 | Technology type | MSSQL | Platform technology type, e.g. OS or DB variant (WIN, AIX, MSSQL, MYSQL, RHEL, Azure, etc.) |
| 1 | Delimiter | - | Delimiter |
| 1 | Environment | P | Environment type (e.g., P: Production, D: Development, etc.) |
| 3-14 | Workflow | Chkout | Workflows that are applicable to the platform (e.g., PSM, Chkout, etc.) |
| 1 | Delimiter | - | Delimiter |
| 7-10 | Management | Automatic | Password management type for the account (e.g., Managed, Unmanaged) |
| 1 | Delimiter | - | Delimiter |
| 4 | Expiry | 30 | Password expiry duration (e.g., 12H, 1Y, 30D, 90D, 180D, No) |

Example:
SPA-DB-MSSQL-P-ChkoutApproval-Managed-90: The platform is for a Shared Privileged Account and manages Production Microsoft SQL Database accounts. Check-in/check-out control and the approval workflow are enabled for this platform, and it is automatically managed by P-Cloud. The account password expiry period for this platform is 90 days.

Safe

Note: Do not change a safe's name until you fully understand the consequences: the linked logon account, application account, and reconcile account in that safe will become empty.

Shared Access Model:

  • P-Cloud safes can be assigned to different teams
  • Each team may have access to one or more safes
  • Permissions to safes are assigned via AD Security groups
  • The following roles are suggested for safe members:
    • Safe Admins
    • Safe Auditors
    • Safe Approvers
    • Safe Persistent Users (including nested groups)
    • Safe Ad-Hoc Users

| Length | Description | Sample | Legend |
|--------|-------------|--------|--------|
| 1 | Prefix for shared safe | S | Reserved for Shared Safes |
| 1 | Delimiter | - | Delimiter |
| 5-8 | Team name | Cyber | Six (6) character abbreviation for Team name, such as EntSd |
| 1 | Delimiter | - | Delimiter |
| 2-5 | Technology | DB | Platform or OS type (e.g., WN: Windows, NX: Linux/Unix, DB: Database, WB: Website, AP: Application, AD: Active Directory, etc.) |
| 1 | Delimiter | - | Delimiter |
| 3-5 | PSM Control | NoPSM | Define if PSM should be enabled at Safe level |
| 1 | Delimiter | - | Delimiter |
| 1 | Environment | P | Environment type (e.g., P: Production, D: Development, etc.) |
| 1 | Delimiter | - | Delimiter |
| 2 | Sequence number | 01 | Sequence number (00-99) for teams with multiple safes |
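
A validator for the two naming conventions above (platform names and shared-safe names), added here as an example and not part of the original post. It assumes Technology type (6) and Expiry (4) are maximum lengths, since the page's own samples (MSSQL, 90) are shorter, and that every field is alphanumeric; the function and variable names are hypothetical.

```powershell
# Added example: check names against the platform and safe conventions above.
# Assumptions: Technology type (6) and Expiry (4) are maximum lengths, ranges
# such as 3-14 are inclusive, and every field is alphanumeric.

$PlatformFields = @(
    @{ Name = 'AccountType'; Min = 3; Max = 3 }
    @{ Name = 'Platform';    Min = 2; Max = 2 }
    @{ Name = 'Technology';  Min = 1; Max = 6 }
    @{ Name = 'Environment'; Min = 1; Max = 1 }
    @{ Name = 'Workflow';    Min = 3; Max = 14 }
    @{ Name = 'Management';  Min = 7; Max = 10 }
    @{ Name = 'Expiry';      Min = 1; Max = 4 }
)

$SafeFields = @(
    @{ Name = 'Prefix';      Min = 1; Max = 1; Pattern = '^S$' }
    @{ Name = 'Team';        Min = 5; Max = 8 }
    @{ Name = 'Technology';  Min = 2; Max = 5 }
    @{ Name = 'PsmControl';  Min = 3; Max = 5 }
    @{ Name = 'Environment'; Min = 1; Max = 1 }
    @{ Name = 'Sequence';    Min = 2; Max = 2; Pattern = '^\d{2}$' }
)

function Test-PamName {
    param(
        [string]$Name,
        [object[]]$Fields,
        [int]$MaxLength = 0      # 0 means no overall length limit
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $parts = $Name -split '-'

    if ($parts.Count -ne $Fields.Count) {
        $problems.Add("expected $($Fields.Count) fields, found $($parts.Count)")
    }
    else {
        for ($i = 0; $i -lt $Fields.Count; $i++) {
            $f = $Fields[$i]
            $v = $parts[$i]
            if ($v -notmatch '^[A-Za-z0-9]+$') {
                $problems.Add("$($f.Name) '$v' is empty or not alphanumeric")
                continue
            }
            if ($v.Length -lt $f.Min -or $v.Length -gt $f.Max) {
                $problems.Add("$($f.Name) '$v' length $($v.Length) not in $($f.Min)..$($f.Max)")
            }
            # Case-sensitive match so that a lowercase prefix is rejected
            if ($f.Pattern -and $v -cnotmatch $f.Pattern) {
                $problems.Add("$($f.Name) '$v' does not match $($f.Pattern)")
            }
        }
    }
    if ($MaxLength -gt 0 -and $Name.Length -gt $MaxLength) {
        $problems.Add("total length $($Name.Length) exceeds $MaxLength")
    }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Test-PlatformName {
    param([string]$Name)
    Test-PamName -Name $Name -Fields $PlatformFields -MaxLength 44
}

function Test-SafeName {
    param([string]$Name)
    Test-PamName -Name $Name -Fields $SafeFields
}

# The first platform name is the page's example; the others are constructed.
$platformSamples = @(
    'SPA-DB-MSSQL-P-ChkoutApproval-Managed-90'
    'SPA-DB-POSTGRESQL-P-PSM-Managed-90D'      # technology type too long
    'SPA-DB-MSSQL-P-Chkout-Managed'            # expiry field missing
)
# The first safe name is assembled from the table's Sample column.
$safeSamples = @(
    'S-Cyber-DB-NoPSM-P-01'
    's-Sec-DB-PSM-P-1'                         # constructed: bad prefix, team, sequence
)

$platformSamples | ForEach-Object { Test-PlatformName $_ } | Format-List
$safeSamples     | ForEach-Object { Test-SafeName $_ }     | Format-List
```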

Master Policy

 

Onboarding Azure AD Accounts

Create Two Duplicated Platforms:

1. Microsoft Azure Application Keys Management
  • Enable PerformPeriodicChange
  • Enable VFPerformPeriodicVerification
  • NO for RCAutomaticReconcileWhenUnsynched
2. Microsoft Azure Password Management
  • Enable PerformPeriodicChange
  • Enable VFPerformPeriodicVerification
  • Enable RCAutomaticReconcileWhenUnsynched

Create Safes

1. for key 
2. for Azure AD accounts

Onboarding Azure AD Accounts for RDP

Two connectors: RDP and Microsoft Azure Portal

The RDP connector should work automatically.
You will need to set up three linked accounts to get Reconcile and Password Change working:
1. Logon Account
2. Application Account
3. Reconcile Account

Onboarding Azure AD Accounts for Azure Portal

To get the Azure Portal connector working, we need to install Google Chrome and ChromeDriver.
Step 1:
1. Download ChromeDriver.exe (matching your Chrome version; usually it is x86)
  • for older versions before 115: https://chromedriver.chromium.org/downloads
  • for newer versions after 115: https://googlechromelabs.github.io/chrome-for-testing/
2. Put it into C:/Program Files (x86)/Cyberark/PSM/Components
Step 2:
1. Install Chrome using the script
It is inside your CyberArk Privilege Cloud Tools package: Cyberark PrivilegeCloud Tools-v13.3/Cyberark PrivilegeCloud Tools/Add-PSMApps
2. Unzip Add-PSMApps
3. Run the script Add-PSMApps.ps1 from an administrator PowerShell window
It automatically downloads the x86 version of Chrome and adds it, together with ChromeDriver, to the AppLocker allow-list.

PS C:/Installation/Add-PSMApps> ./Add-PSMApps.ps1 -Application GoogleChromeX86
Downloading and installing Chrome
Enabling web app support in PSMHardening script
Running PSM Configure AppLocker script
---
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmsshclient.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmpvwadispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psm3270client.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmwebformdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/winscp.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmxfocus.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmtokenholder.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmsessionalert.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmsuspendsession.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmpreventwindowhide.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmmessagealert.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmwindowseventslogger.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/dllinjector.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/dllinjector64.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/cyberark.progressbar.exe
Evaluating the dlls consumed by c:/program files (x86)/cyberark/psm/components/psmticketvalidator.exe
Evaluating the dlls consumed by c:/windows/system32/conhost.exe
Evaluating the dlls consumed by c:/windows/system32/taskhostw.exe
Evaluating the dlls consumed by c:/windows/system32/wermgr.exe
Evaluating the dlls consumed by c:/program files (x86)/vcxsrv/vcxsrv.exe
Evaluating the dlls consumed by c:/program files (x86)/vcxsrv/xkbcomp.exe
Evaluating the dlls consumed by c:/program files (x86)/internet explorer/iexplore.exe
Evaluating the dlls consumed by c:/program files/internet explorer/iexplore.exe
Evaluating the dlls consumed by c:/program files (x86)/google/chrome/application/chrome.exe
CheckSensitivePrivilegesForDirectories: Current Directory: c:/programdata/microsoft/windows defender/platform/4.18.23050.9-0
CheckSensitivePrivilegesForDirectories: Current Directory: c:/windows/assembly/nativeimages_v4.0.30319_64/mscorlib/4bc5e5252873c08797895d5b6fe6ddfd
CheckSensitivePrivilegesForDirectories: Current Directory: c:/windows/assembly/nativeimages_v4.0.30319_64/system/3ac991e343330dfdb660c4b0041bfe5e
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
---
End of PSM Configure AppLocker script output
Running PSM Hardening script
---
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
   1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
   2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://IMCOINVEST/Domain Users
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMConnect
WinNT://IMCOINVEST/VM-NETSEC-Test-1/PSMAdminConnect
Would you like to remove all members of this group? (yes/no): no
SUCCESS: The file (or folder): "C:/Windows/explorer.exe" now owned by the administrators group.
0
C:/Windows/explorer.exe
C:/Windows/explorer.exe
C:/Windows/explorer.exe
SUCCESS: The file (or folder): "C:/Windows/SysWOW64/explorer.exe" now owned by the administrators group.
1
C:/Windows/SysWOW64/explorer.exe
C:/Windows/SysWOW64/explorer.exe
C:/Windows/SysWOW64/explorer.exe
SUCCESS: The file (or folder): "C:/Windows/system32/taskmgr.exe" now owned by the administrators group.
2
C:/Windows/system32/taskmgr.exe
C:/Windows/system32/taskmgr.exe
C:/Windows/system32/taskmgr.exe
SUCCESS: The file (or folder): "C:/Windows/SysWOW64/taskmgr.exe" now owned by the administrators group.
3
C:/Windows/SysWOW64/taskmgr.exe
C:/Windows/SysWOW64/taskmgr.exe
C:/Windows/SysWOW64/taskmgr.exe
SUCCESS: The file (or folder): "C:/program files/Internet Explorer/iexplore.exe" now owned by the administrators group.
4
C:/program files/Internet Explorer/iexplore.exe
C:/program files/Internet Explorer/iexplore.exe
C:/program files/Internet Explorer/iexplore.exe
processed file: C:/program files/Internet Explorer/iexplore.exe
SUCCESS: The file (or folder): "C:/program files (x86)/Internet Explorer/iexplore.exe" now owned by the administrators group.
5
C:/program files (x86)/Internet Explorer/iexplore.exe
C:/program files (x86)/Internet Explorer/iexplore.exe
C:/program files (x86)/Internet Explorer/iexplore.exe
processed file: C:/program files (x86)/Internet Explorer/iexplore.exe
Chrome hardening completed successfully
IE hardening completed successfully
Edge hardening completed successfully
C:/Program Files (x86)/Cyberark/PSM
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM" now owned by the administrators group.
6
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM" now owned by the administrators group.
C:/Program Files (x86)/Cyberark/PSM
C:/Program Files (x86)/Cyberark/PSM
C:/Program Files (x86)/Cyberark/PSM
C:/Program Files (x86)/Cyberark/PSM/Vault
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Vault" now owned by the administrators group.
7
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Vault" now owned by the administrators group.
C:/Program Files (x86)/Cyberark/PSM/Vault
C:/Program Files (x86)/Cyberark/PSM/Vault
C:/Program Files (x86)/Cyberark/PSM/Vault
C:/Program Files (x86)/Cyberark/PSM/Recordings
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Recordings" now owned by the administrators group.
8
C:/Program Files (x86)/Cyberark/PSM/Recordings
C:/Program Files (x86)/Cyberark/PSM/Logs
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Logs" now owned by the administrators group.
9
C:/Program Files (x86)/Cyberark/PSM/Logs/Components
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Logs/Components" now owned by the administrators group.
10
C:/Program Files (x86)/Cyberark/PSM/Components
SUCCESS: The file (or folder): "C:/Program Files (x86)/Cyberark/PSM/Components" now owned by the administrators group.
11
processed file: C:/Program Files (x86)/Cyberark/PSM/Components
Successfully processed 1 files; Failed processing 0 files
C:/oracle
processed dir: C:/oracle
C:/oracle
True
C:
processed dir: C:/
processed file: C:/
Successfully processed 1 files; Failed processing 0 files
D:
processed dir: D:/
processed file: D:/
Successfully processed 1 files; Failed processing 0 files
SUCCESS: The file (or folder): "C:/Program Files (x86)/CyberArk/Password Manager" now owned by the administrators group.
12
C:/Program Files (x86)/CyberArk/Password Manager
C:/Program Files (x86)/CyberArk/Password Manager
C:/Program Files (x86)/CyberArk/Password Manager
SUCCESS: The file (or folder): "C:/WindowsAzure" now owned by the administrators group.
13
C:/WindowsAzure
C:/WindowsAzure
C:/WindowsAzure
SUCCESS: The file (or folder): "C:/Packages" now owned by the administrators group.
14
C:/Packages
C:/Packages
C:/Packages
Executing (//VM-NETSEC-Test-1/root/CIMV2/TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (//VM-NETSEC-Test-1/root/cimv2/TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1//PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (//VM-NETSEC-Test-1/root/CIMV2/TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Executing (//VM-NETSEC-Test-1/root/cimv2/TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1//PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
[SC] ChangeServiceConfig SUCCESS
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
WinSCP password storing has been disabled
CyberArk Hardening script ended successfully.
---
End of PSM Hardening script output
All tasks completed.


Now we can switch to the PSM server to test connecting to the Azure Portal.

Since Azure Portal login requires MFA, a couple of changes need to be made on the connector:

Remove validation in web form:
Disable Validation

Enable Trace:

On the platform, disable the default PSM-MS-AzurePortal and add the new PSM-51SEC-AzurePortal.

You will need to wait 0-3 minutes for the connector configuration to be reloaded into the PSM server.

RDS License

Troubleshooting

1. Check applications blocked by AppLocker


PS C:/Installation/Add-PSMApps> Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |Where-Object {$_.LevelDisplayName -ne "Information"} |Format-Table -AutoSize| Out-File C:/AppLocker.txt -Width 1000
PS C:/Installation/Add-PSMApps> type c:/AppLocker.txt

   ProviderName: Microsoft-Windows-AppLocker
TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%/SHELLCOMPONENTS/TASKFLOWUI.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%/SHELLEXPERIENCES/TILECONTROL.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %WINDIR%/SHELLCOMPONENTS/WINDOWSINTERNAL.COMPOSABLESHELL.EXPERIENCES.SWITCHER.DLL was prevented from running.
9/7/2023 7:15:16 PM 8004 Error            %SYSTEM32%/WLRMDR.EXE was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %PROGRAMFILES%/CYBERARK/PSM/COMPONENTS/CHROMEDRIVER.EXE was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:53 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:52 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%/SETHC.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%/SVCHOST.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%/SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%/SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%/CTFMON.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%/CMD.EXE was prevented from running.

PS C:/Installation/Add-PSMApps>
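
The output above is mostly repeats, and the line that matters for the connector (CHROMEDRIVER.EXE under the PSM Components folder) is easy to miss. The following added example, not part of the original post, groups the 8004 events by path and lists blocked PSM components first; the function name is hypothetical and the embedded sample lines are abbreviated from the output above.

```powershell
# Added example: summarize AppLocker 8004 "prevented from running" lines from
# the text file produced by the Get-WinEvent command above.

# Folder where Step 1 placed ChromeDriver, as AppLocker reports it.
$PsmComponents = '%PROGRAMFILES%/CYBERARK/PSM/COMPONENTS/'

function Get-AppLockerBlockSummary {
    param([string[]]$Line)

    # Matches: <date> <time> AM|PM  <event id>  <level>  <path> was prevented from running.
    $rx = '^(?<time>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?<id>\d+)\s+(?<level>\S+)\s+' +
          '(?<path>.+?) was prevented from running\.\s*$'

    $records = foreach ($l in $Line) {
        if ($l -match $rx) {
            [pscustomobject]@{
                Id   = [int]$Matches['id']
                # Normalize separators and case so duplicates group together
                Path = ($Matches['path'] -replace '\\', '/').ToUpperInvariant()
            }
        }
    }

    $records |
        Where-Object Id -eq 8004 |
        Group-Object Path |
        ForEach-Object {
            $isPsm = $_.Name.StartsWith($PsmComponents, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Count = $_.Count
                Scope = if ($isPsm) { 'PSM component' } else { 'Windows/other' }
                Path  = $_.Name
            }
        } |
        Sort-Object @{ Expression = 'Scope' }, @{ Expression = 'Count'; Descending = $true }
}

# Sample input: lines abbreviated from the troubleshooting output above.
$sampleLines = @'
9/7/2023 7:15:16 PM 8004 Error            %SYSTEM32%/WLRMDR.EXE was prevented from running.
9/7/2023 7:15:12 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %WINDIR%/ASSEMBLY/NATIVEIMAGES_V4.0.30319_32/MSCORLIB/FAF93F57AA8C4C5DDDD9CD0DE441D5A1/MSCORLIB.NI.DLL was prevented from running.
9/7/2023 7:14:54 PM 8004 Error            %PROGRAMFILES%/CYBERARK/PSM/COMPONENTS/CHROMEDRIVER.EXE was prevented from running.
9/7/2023 7:14:47 PM 8004 Error            %SYSTEM32%/SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%/SVCHOST.EXE was prevented from running.
9/7/2023 7:14:46 PM 8004 Error            %SYSTEM32%/CMD.EXE was prevented from running.
'@ -split "`r?`n"

Get-AppLockerBlockSummary -Line $sampleLines | Format-Table -AutoSize

# On the PSM server, feed it the file written by the command above:
# Get-AppLockerBlockSummary -Line (Get-Content C:/AppLocker.txt) | Format-Table -AutoSize
```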


Manual change:

C:/Program Files (x86)/Cyberark/PSM/Hardening/PSMConfigureAppLocker.xml

<?xml version="1.0" encoding="utf-8"?>
<PSMAppLockerConfiguration>
  <GeneralConfiguration>
    <!-- SetAutoAndStart: To start the Application Identity service and set it to automatic startup    -->
    <!-- mode, set this attribute's value to 'true'. Valid values: true/false.                         -->
    <ServiceConfiguration SetAutoAndStart="true" />
    <RuleCollections>
      <!-- For each rule collection, you can define the following parameters:                            -->
      <!--     Enforce: To block applications of the relevant collection, set this attribute's value to  -->
      <!--        'true'. To prevent AppLocker from blocking applications of the relevant type, set this -->
      <!--        attribute's value to 'false'.                                                          -->
      <!--     Action: To apply new AppLocker configurations and lose any existing settings, set this    -->
      <!--        attribute's value to 'override'. To merge new configurations with the existing         -->
      <!--        settings, set this attribute's value to 'merge'.                                       -->
      <Executable Enforce="true" Action="Override" />
      <WindowsInstaller Enforce="true" Action="Override" />
      <Script Enforce="true" Action="Override" />
      <PackagedApp Enforce="true" Action="Override" />
      <DLL Enforce="true" Action="Override" />
    </RuleCollections>
  </GeneralConfiguration>
  <!-- This part is internal and should not be modified unless instructed to by CyberArk professional -->
  <!-- services.                                                                                      -->
  <!-- InternalApplications section is directed for PSMConnect and PSMAdminConnect.                   -->
  <!-- SessionType index: "Admin" for PSMAdminConnect, "Regular" for PSMConnect, "*" for both.        -->
  <InternalApplications>
    <Application Name="PSMInitSession" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMInitSession.exe" Method="Hash" />
    <Application Name="PSMRDPClient" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMRDPClient.exe" Method="Hash" />
    <Application Name="PSMSessionAlert" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSuspendSession.exe" Method="Hash" />
    <Application Name="PSMMessageAlert" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMLauncher" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMLauncher.exe" Method="Hash" />
    <Application Name="PSMLiveMonitoringClient" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMLiveMonitoringClient.exe" Method="Hash" />
    <Application Name="PSMSessionSignalStatusNotification" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSessionSignalStatusNotification.exe" Method="Hash" />
    <Application Name="PSMWindowsEventsLogger" Type="Exe" SessionType="*" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="UserInit" Type="Exe" SessionType="*" Path="c:/windows/system32/userinit.exe" Method="Publisher" />
    <Application Name="SplWOW64" Type="Exe" SessionType="*" Path="c:/windows/splwow64.exe" Method="Publisher" />
    <Application Name="RDPClip" Type="Exe" SessionType="*" Path="c:/windows/system32/rdpclip.exe" Method="Publisher" />
    <Application Name="TSTheme" Type="Exe" SessionType="*" Path="c:/windows/system32/tstheme.exe" Method="Publisher" />
    <Application Name="ConsoleHost" Type="Exe" SessionType="*" Path="c:/windows/system32/conhost.exe" Method="Publisher" />
    <Application Name="TaskHost" Type="Exe" SessionType="*" Path="c:/windows/system32/taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" SessionType="*" Path="c:/windows/system32/WERMGR.EXE" Method="Publisher" />
    <Application Name="TSShadow" Type="Exe" SessionType="Admin" Path="c:/windows/system32/mstsc.exe" Method="Publisher" />
    <Application Name="RDPSA" Type="Exe" SessionType="Regular" Path="c:/windows/system32/RDPSA.EXE" Method="Publisher" />
    <Application Name="RDPSAPROXY" Type="Exe" SessionType="Regular" Path="c:/windows/system32/RDPSAPROXY.exe" Method="Publisher" />
    <Application Name="RDPInit" Type="Exe" SessionType="*" Path="c:/windows/system32/rdpinit.exe" Method="Publisher" />
    <Application Name="RDPShell" Type="Exe" SessionType="*" Path="c:/windows/system32/rdpshell.exe" Method="Publisher" />
    <Application Name="Sihost" Type="Exe" SessionType="*" Path="c:/windows/system32/sihost.exe" Method="Publisher" />
    <!-- Added to support win 2016 -->
    <Application Name="RunOnce" Type="Exe" SessionType="*" Path="c:/windows/system32/runonce.exe" Method="Publisher" />
    <!-- Added to support RemoteApp on first login -->
    <Application Name="PSMTicketingValidationPage" SessionType="*" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMTicketValidator.exe" Method="Hash" />
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:/Program Files (x86)/CyberArk/PSM/Components/*" Method="Path" SessionType="*" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%/*" Method="Path" SessionType="*" />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%/WINSXS/*" Method="Path" SessionType="*" />
    <Libraries Name="DotNetFramework32Bit" Type="Dll" Path="%WINDIR%/Microsoft.NET/Framework/v4.0.30319/*" Method="Path" SessionType="*" />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%/Microsoft.NET/Framework64/v4.0.30319/*" Method="Path" SessionType="*" />
  </InternalApplications>
  <!-- AllowedApplications section is directed for PSMShadowUsers -->
  <AllowedApplications>
    <!-- For each allowed application, specify the following attributes:                               -->
    <!--    Name:   Name of the application for log purposes. Valid values: Any string value.          -->
    <!--    Type:   Type of application to allow. Valid values: Exe/Script.                            -->
    <!--    Path:   Path of the application executable. Valid values: exact application path,          -->
    <!--            wildcards are allowed only if the chosen method is "Path".                         -->
    <!--    Method: The chosen identification method for the application.                              -->
    <!--            Valid values: Path/Hash/Publisher                                                  -->
    <!-- PSM Components -->
    <Application Name="PSMSSHClient" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSSHClient.exe" Method="Hash" />
    <Application Name="PSMPrivateArkClientDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMPrivateArkClientDispatcher.exe" Method="Hash" />
    <Application Name="PSMPVWADispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMPVWADispatcher.exe" Method="Hash" />
    <Application Name="MSSQLManagementStudioWindowsAuthenticationDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/MSSQLManagementStudioWindowsAuthenticationDispatcher.exe" Method="Hash" />
    <Application Name="PSM3270Client" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSM3270Client.exe" Method="Hash" />
    <Application Name="PSMWebFormDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMWebFormDispatcher.exe" Method="Hash" />
    <Application Name="PSMWinSCPDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMWinSCPDispatcher.exe" Method="Hash" />
    <Application Name="WinSCP" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/WinSCP.exe" Method="Hash" />
    <Application Name="PSMRealVNCDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMRealVNCDispatcher.exe" Method="Hash" />
    <Application Name="PSMXFocus" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMXFocus.exe" Method="Hash" />
    <Application Name="PSMTokenHolder" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMTokenHolder.exe" Method="Hash" />
    <Application Name="PSMSessionAlert" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSessionAlert.exe" Method="Hash" />
    <Application Name="PSMSuspendSession" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSuspendSession.exe" Method="Hash" />
    <Application Name="PSMPreventWindowHide" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMPreventWindowHide.exe" Method="Hash" />
    <Application Name="PSMMessageAlert" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMMessageAlert.exe" Method="Hash" />
    <Application Name="PSMWindowsEventsLogger" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMWindowsEventsLogger.exe" Method="Hash" />
    <Application Name="PSM-WebAppDispatcher" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" />
    <Application Name="DLLInjector" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/DLLInjector.exe" Method="Hash" />
    <Application Name="DLLInjector64" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/DLLInjector64.exe" Method="Hash" />
    <Application Name="PSM-ProgressBar" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/CyberArk.ProgressBar.exe" Method="Hash" />
    <Application Name="PSMTicketingValidationPage" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMTicketValidator.exe" Method="Hash" />
    <!-- Microsoft session processes -->
    <Application Name="ConsoleHost" Type="Exe" Path="c:/windows/system32/conhost.exe" Method="Publisher" />
    <Application Name="TaskHost" Type="Exe" Path="c:/windows/system32/taskhostw.exe" Method="Publisher" />
    <Application Name="ErrorReporting" Type="Exe" Path="c:/windows/system32/WERMGR.EXE" Method="Publisher" />
    <!-- Oracle connection clients -->
    <!-- If relevant, uncomment this part after installing Oracle client and Toad.
    <Application Name="Toad" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/toad.exe" Method="Publisher,Hash" />
    <Application Name="SQLPlus" Type="Exe" Path="c:/oracle/instantclient/sqlplus.exe" Method="Hash" />
    <Application Name="Notepad" Type="Exe" Path="c:/windows/system32/notepad.exe" Method="Publisher"/>
    <Application Name="SDFConverter" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/ClientFiles/ScriptMgr/SDFConverter.exe" Method="Hash" />
    <Application Name="QuestScriptRunner" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/qsr.exe" Method="Hash" />
    <Application Name="OptimizerEngine" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/OptimizerEngine.exe" Method="Hash" />
    <Application Name="FormatOptions" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/FmtOptions.exe" Method="Hash" />
    <Application Name="ToadScriptRuntime" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/tsr.exe" Method="Hash" />
    <Application Name="UninstallClientFiles" Type="Exe" Path="C:/Program Files (x86)/Quest Software/Toad for Oracle 10.6/UninstallClientFiles.exe" Method="Hash" />
    End of oracle connections comment -->
    <!-- vSphere client processes -->
    <!-- If relevant, uncomment this part after installing vSphere client (including .Net framework 2 and 3.5).
    <Application Name="VpxClient" Type="Exe" Path="C:/Program Files (x86)/VMware/Infrastructure/Virtual Infrastructure Client/Launcher/VpxClient.exe" Method="Hash" />
    <Application Name="VMWare-VMRC" Type="Exe" Path="C:/Program Files (x86)/VMWARE/INFRASTRUCTURE/VIRTUAL INFRASTRUCTURE CLIENT/4.0/VMWARE-VMRC.EXE" Method="Publisher" />
    <Application Name="VMWare-RemoteMKS.EXE" Type="Exe" Path="C:/Program Files (x86)/VMWARE/INFRASTRUCTURE/VIRTUAL INFRASTRUCTURE CLIENT/4.0/VMWARE-REMOTEMKS.EXE" Method="Publisher" />
    <Application Name="CSC" Type="Exe" Path="c:/windows/MICROSOFT.NET/FRAMEWORK/V2.0.50727/CSC.EXE" Method="Publisher" />
    <Application Name="CVTRES" Type="Exe" Path="c:/windows/MICROSOFT.NET/FRAMEWORK/V2.0.50727/CVTRES.EXE" Method="Publisher" />
    End of vSphere client comment -->
    <!-- SQL Server Management Studio 2012 processes -->
    <!-- If relevant, uncomment this part after installing SQL Server Management Studio 2012 processes
    <Application Name="SSMS2012" Type="Exe" Path="C:/Program Files (x86)/Microsoft SQL Server/110/Tools/Binn/ManagementStudio/Ssms.exe" Method="Publisher" />
    End of SQL Server Management Studio 2012 processes comment -->
    <!-- SAP GUI processes -->
    <!-- If relevant, uncomment this part after installing SAP GUI processes and downloading the CyberArk PSMSAPGUI connection component from the Marketplace
    <Application Name="PSMSAPGUI" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSAPGUI.exe" Method="Hash" />
    <Application Name="saplogon" Type="Exe" Path="C:/Program Files (x86)/SAP/FrontEnd/SAPgui/saplogon.exe" Method="Hash" />
    <Application Name="SAPgui" Type="Exe" Path="C:/Program Files (x86)/SAP/FrontEnd/SAPgui/SAPgui.exe" Method="Hash" />
    End of SAP GUI processes comment -->
    <!-- X Forwarding X Server processes -->
    <Application Name="VcXsrv" Type="Exe" Path="C:/Program Files (x86)/VcXsrv/vcxsrv.exe" Method="Hash" />
    <Application Name="xkbcomp" Type="Exe" Path="C:/Program Files (x86)/VcXsrv/xkbcomp.exe" Method="Hash" />
    <!-- Microsoft IExplore processes -->
    <!-- If relevant, uncomment this part to allow webform based connection clients -->
    <Application Name="IExplore32" Type="Exe" Path="c:/Program Files (x86)/Internet Explorer/iexplore.exe" Method="Publisher" />
    <Application Name="IExplore64" Type="Exe" Path="c:/Program Files/Internet Explorer/iexplore.exe" Method="Publisher" />
    <!-- End of Microsoft IExplore processes comment -->
    <!-- Google Chrome process -->
    <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
    <Application Name="GoogleChrome" Type="Exe" Path="C:/Program Files (x86)/Google/Chrome/Application/chrome.exe" Method="Publisher" />
    End of Google Chrome process comment -->
    <!-- Microsoft Edge process -->
    <!-- If relevant, uncomment this part to allow Edge webform based connection clients
    <Application Name="Edge" Type="Exe" Path="C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" Method="Publisher" />
    End of Microsoft Edge process comment -->
    <!-- Generic client support -->
    <!-- If relevant, uncomment this part to allow generic clients support and add a rule for each generic connection client
    <Application Name="GenericClient-Sample" Type="Exe" Path="C:/VNC-Viewer-5.0.5-Windows-64bit.exe" Method="Hash" />
    End of Generic client support comment -->
    <!-- Google Chrome section -->
    <Application Name="Chrome" Type="Exe" Path="C:/Program Files (x86)/Google/Chrome/Application/chrome.exe" Method="Publisher" />
    <Application Name="ChromeDriver" Type="Exe" Path="C:/Program Files (x86)/Cyberark/PSM/Components/chromedriver.exe" Method="Path" />
    <!-- End of Google Chrome section -->
    <!-- Allowed DLLs -->
    <!-- If Dll Whitelist is deployed, the following dlls will be allowed -->
    <Libraries Name="ComponentsFolder" Type="Dll" Path="C:/Program Files (x86)/CyberArk/PSM/Components/*" Method="Path" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%/*" Method="Path" />
    <Libraries Name="WinSxS" Type="Dll" Path="%WINDIR%/WINSXS/*" Method="Path" />
    <Libraries Name="DotNetFramework32Bit" Type="Dll" Path="%WINDIR%/Microsoft.NET/Framework/v4.0.30319/*" Method="Path" />
    <Libraries Name="DotNetFramework64Bit" Type="Dll" Path="%WINDIR%/Microsoft.NET/Framework64/v4.0.30319/*" Method="Path" />
    <Libraries Name="DotNetFrameworkGAC" Type="Dll" Path="%WINDIR%/Microsoft.NET/assembly/*" Method="Path" />
    <Libraries Name="VcXsrv" Type="Dll" Path="%PROGRAMFILES%/VcXsrv/*" Method="Path" />
  </AllowedApplications>
</PSMAppLockerConfiguration>

Open PowerShell in C:/Program Files (x86)/CyberArk/PSM/Hardening and run the following command to start the script:

./PSMConfigureAppLocker.ps1

Note: https://docs.cyberark.com/PAS/Latest/en/Content/PAS%20INST/Install_ConfigurePSMServerMachineForWebApps.htm#Configur
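
Before running the script, the rule file can be checked against the attribute rules stated in its own comments (Method is Path, Hash or Publisher; wildcards only with Method="Path"). This is an added example, not CyberArk's code or part of the original post: the function name Test-PsmAppLockerRule and the inline sample XML are constructed for illustration, and flagging executables identified by path only is an extra review check added here.

```powershell
# Added example: lint PSMConfigureAppLocker.xml before running PSMConfigureAppLocker.ps1.
# The sample below is constructed; on a PSM server load the real file instead, e.g.
#   [xml]$config = Get-Content -Raw 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml'
[xml]$config = @'
<PSMAppLockerConfiguration>
  <AllowedApplications>
    <Application Name="PSMSSHClient" Type="Exe" Path="C:/Program Files (x86)/CyberArk/PSM/Components/PSMSSHClient.exe" Method="Hash" />
    <Application Name="ChromeDriver" Type="Exe" Path="C:/Program Files (x86)/Cyberark/PSM/Components/chromedriver.exe" Method="Path" />
    <Application Name="SampleWildcard" Type="Exe" Path="C:/Tools/*/client.exe" Method="Publisher,Hash" />
    <Libraries Name="System32" Type="Dll" Path="%SYSTEM32%/*" Method="Path" />
  </AllowedApplications>
</PSMAppLockerConfiguration>
'@

function Test-PsmAppLockerRule {
    param([Parameter(Mandatory)][System.Xml.XmlDocument]$Config)

    $validMethods = 'Path', 'Hash', 'Publisher'
    # local-name() keeps the query working whether or not the root element declares a namespace.
    # Rules inside XML comments (the "uncomment this part" blocks) are not elements and are skipped.
    $rules = $Config.SelectNodes("//*[local-name()='Application' or local-name()='Libraries']")
    foreach ($rule in $rules) {
        # GetAttribute avoids the clash between the Name attribute and XmlElement.Name.
        $path    = $rule.GetAttribute('Path')
        $methods = @($rule.GetAttribute('Method') -split ',' | ForEach-Object { $_.Trim() })
        $issues  = @()

        $unknown = @($methods | Where-Object { $_ -notin $validMethods })
        if ($unknown.Count -gt 0) { $issues += "unknown Method value: '$($unknown -join ', ')'" }
        if ($path.Contains('*') -and $methods -notcontains 'Path') {
            $issues += 'wildcard in Path but Method is not "Path"'
        }
        if ($rule.LocalName -eq 'Application' -and $methods.Count -eq 1 -and $methods[0] -eq 'Path') {
            $issues += 'executable identified by path only; review whether Hash or Publisher can be used'
        }
        foreach ($issue in $issues) {
            [pscustomobject]@{
                Section = $rule.ParentNode.LocalName
                Rule    = $rule.GetAttribute('Name')
                Method  = $methods -join ','
                Issue   = $issue
            }
        }
    }
}

Test-PsmAppLockerRule -Config $config | Format-Table -AutoSize -Wrap
```

A path-only rule trusts whatever file sits at that location, so the write permissions on that folder matter as much as the rule itself.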

2. Add user into Safe Member

Got an error: Object reference not set to an instance of an object.

3. PSMSC025E LogonLocalUser: failed to logon with local user

The NetLogon service is not started. Reboot the PSM server.

Copyright notice:
Author: siwei
Link: https://www.techfm.club/p/68257.html
Source: TechFM
Copyright of this article belongs to the author; do not reproduce without permission.
