Case - 03047143
Case Number: 03047143
Contact Name: Kiranmayi Prattipati
Product: Privileged Access Manager (PAM, self-hosted)
Contact Email: [email protected]
Component: Vault Server
Account Name: IBM Security Services - India (Alliance)
Functional Area: Security
Version: 10.10
Description Information
Subject: Local Security Parameters of Vault Servers
Description:
Hi,
We have a requirement from our client to perform manual health checks on OS level for Vault servers in our environment. We have validated the security checks as per the checks shared by client and found many of them are non-compliant. It means a few of the security checks in Vaults do not match the agreed value as per client.
Attaching the lists of OS level non-compliant security checks for your reference with this case.
Kindly advise or let us know if we can change the "Actual value" to "Agreed to value" as per the client keeping in mind that there should be no impact on Vault security layers.
Also, one application level security checks related to OSR logs artifacts in Vault servers. We get blank auditing entries while following the below path. Does this mean the OSR logs setting is disabled in Vault servers?
"C:\Windows then right click on system32 folder, select security tab, click on Advanced, select Auditing tab and then click in continue"
Please assist if we can enable the OSR logs setting inside Vault servers? Will there be an impact from this change setting? Do let us know the path location of OSR logs setting if any.
BR,
Shahbazuddin Shaikh
System Information
Date/Time Opened: 13/05/2022 10:54
Priority: Moderate
Date/Time Closed:
Status: Waiting Support Level 2
Case Origin: Web
Contact Phone: 9740143754
https://cyberark-customers.force.com/s/case/5002J00001YnrmXQAR/local-security-parameters-of-vault-servers 1/4
5/19/22, 7:18 PM Case: 03047143
CASE COMMENTS
Comment
Hi Sudhakar,
BR,
Kiranmayi
As a result, I am proceeding with taking exceptions for attached additional security measures in order to avoid any discrepancies on vault level.
Hi Sudhakar,
Best regards,
Kiranmayi Prattipati
Hi Kiranmayi,
Thanks for the update. As you know the CyberArk Vault is a secure component and all the hardening steps were performed according to CyberArk recommendations, the other security measures need not be applied for Vaults.
And the Vault component shouldn't be considered like a Windows machine, and moreover it is built with some security standards. So, other hardening measures are not required/can be exempted for vault machines.
In this case, the hardening measures outside of the CyberArk recommendations may impact the vault functionality/performance, please avoid applying the same for vault.
Thank you,
Sudhakar Pujari
Hi Sudhakar,
We are not getting insisted by our customer to push additional security measures for vault servers as attached. Just let me know a one-line answer if this is actually recommended to implement on vault servers or not. As far as I know, vault has its own set of GPO pushed during the hardening procedure in its installation steps. Making any further changes apart from this would hamper security layers of vault in the background.
And I do understand moving outside of the CyberArk recommendation scope requires involvement of a CyberArk Security Services engineer, which includes additional costs. And this should be only in the case of an emergency scenario wherein the business is getting impacted, am I correct?
So can I say that in case of a normal scenario, it is not actually recommended to do any sort of unnecessary changes in security parameters of vault servers other than what is carried out during the hardening process?
BR,
Kiranmayi Prattipati
Hello Kiranmayi,
Greetings of the day. CyberArk recommends and supports server hardening scope as described in our documentation (https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Security/Security%20Fundamentals-Introduction.htm).
Additional security measures/hardenings may be applied in Vault and component servers (incl. PVWA and CPM) on top of CyberArk Hardening's supported scope. But we are not in the position to provide comprehensive answers as to what the impact on CyberArk products may be for each additional hardening / measure. These particular settings (GPO, UAC, etc.) were not tested or certified in any way, and may or may not cause different behaviors / impacts in different environments.
It is suggested that if you or your customer insist on applying hardening measures outside of the CyberArk recommendation scope, that you test these extensively in advance in a development or testing environment prior to Production deployment. A CyberArk Security Services engineer may be able to assist you or your customer in this testing process, please contact CyberArk Account Manager / Executive for additional information on this.
Thank you,
Sudhakar Pujari
Hello Kiranmayi,
Thank you for contacting CyberArk Enterprise Support, my name is Sudhakar Pujari and I will be assisting you on this case.
We are checking on the requested Case, and will come back with our findings.
Please don’t hesitate to email me back if you have any more questions.
Kind Regards,
Sudhakar Pujari
Hello Kiranmayi.
Thank you for your time working on this issue. I am now transferring this case to the product specialist team for further review and handling. Once complete they will come back to you with the next steps.
If you do need anything in the meantime please update the case or give us a call.
Thanks
Alejandro Barrantes.
Hi Alejandro,
1. What is the current business impact? (This helps us to make sure the case has the appropriate severity level)
2. Has this worked before? (This allows us to determine if this is a break / fix case or a new implementation)
Ans: This is the first time we received a requirement from client to perform manual health checks on OS level for CyberArk vault servers.
3. What recent changes have been made in the environment before this occurred? (This question can be skipped if your case is merely a question or request for clarification)
Ans: NA
4. What was the date and time of occurrence? (This question can be skipped if your case is merely a question or request for clarification)
Ans: NA
5. If this is a technical issue can this be reproduced or is it intermittent? (This question can be skipped if your case is merely a question or request for clarification)
Ans: NA
6. Which users or group of users (if any) is affected? (This question can be skipped if your case is merely a question or request for clarification)
Ans: NA
7. Is there any additional information you would like to provide that may assist us in resolving the issue or answering the question?
Ans: I have already attached relevant files which include security parameters on OS level and which are non-compliant (Excel sheet value doesn't match with security values in vault servers).
BR,
Kiranmayi
Hello Kiranmayi,
Thank you for contacting CyberArk Technical Support. I am Alejandro and will be assisting you with this case.
To proceed, I would like to establish a clear understanding of the issue: according to the description your customer wants to know if they can change the "Actual value" to "Agreed to value" as per the client keeping in mind that there should be no impact on Vault security layers.
"Also, one application level security checks related to OSR logs artifacts in Vault servers. We get blank auditing entries while following the below path. Does this mean the OSR logs setting is disabled in Vault servers?
"C:\Windows then right click on system32 folder, select security tab, click on Advanced, select Auditing tab and then click in continue"
Please assist if we can enable the OSR logs setting inside Vault servers? Will there be an impact from this change setting? Do let us know the path location of OSR logs setting if any."
Is this correct? If so
1. What is the current business impact? (This helps us to make sure the case has the appropriate severity level)
2. Has this worked before? (This allows us to determine if this is a break / fix case or a new implementation)
3. What recent changes have been made in the environment before this occurred? (This question can be skipped if your case is merely a question or request for clarification)
4. What was the date and time of occurrence? (This question can be skipped if your case is merely a question or request for clarification)
5. If this is a technical issue can this be reproduced or is it intermittent? (This question can be skipped if your case is merely a question or request for clarification)
6. Which users or group of users (if any) is affected? (This question can be skipped if your case is merely a question or request for clarification)
7. Is there any additional information you would like to provide that may assist us in resolving the issue or answering the question?
Thank you,
Alejandro Barrantes.