CyberArk plugins and Connection Components use web drivers to connect to web-based targets.
For the connection to succeed, the driver and browser versions must be the same.This applies to both Chrome and Edge drivers.
Browser | Download info |
---|---|
Google Chrome (32-bit), version 100 or later | Click here to download this version |
Microsoft Edge (32-bit), version 103 or later | Click here to download this version |
To prevent incompatibility issues with the PSM Webapp infrastructure, with every new browser version update, make sure to also update the browser's driver with the same version. For example, when updating the Chrome browser to version 104, the Chrome driver on the machine must also be updated to version 104.
Download and install the latest driver:
For Google Chrome, use this link to download the latest stable 32-bit (x86) driver.
For Microsoft Edge, use this link to download the latest stable 32-bit (x86) driver.
Copy the relevant downloaded exe file, Chromedriver.exe or msedgedriver.exe to the PSM Components folder.
WebDriverUpdater
URL:https://cyberark.my.site.com/mplace/s/#a35Ht000000rjXlIAI-a39Ht000001kceVIAQVendor: | CyberArk Internal EMEA |
Vendor Product: | WebDriverUpdater |
Vendor Category: | Application |
Product Versions: | 1.0.0.6 |
CyberArk Solution: | Administrative Tools |
CyberArk Product: | Tools |
CyberArk Versions: | Version 13.1 and above |
Run it as an administrator. Check the logs to verify the version update completed. |
04/01/2024 02:25:22.808 | ================================================================================
04/01/2024 02:25:22.808 | 1/4/2024 2:25:22 PM
04/01/2024 02:25:22.808 | ================================================================================
04/01/2024 02:25:22.808 |
04/01/2024 02:25:22.808 | Info -> <>c :: <Main>b__0_0 -> Launching update web drivers...
04/01/2024 02:25:22.808 | Info -> <>c :: <Main>b__0_0 -> Updating drivers in: C:\Program Files (x86)\Cyberark\PSM\Components\.
04/01/2024 02:25:22.825 | Info -> <>c :: <Main>b__0_0 -> Version of browser chrome.exe: 120.0.6099.
04/01/2024 02:25:23.706 | Info -> <>c :: <Main>b__0_0 -> Version of driver chromedriver.exe: 111.0.5563
04/01/2024 02:25:24.816 | Warning -> <>c :: <Main>b__0_1 -> The driver was not found on page: https://chromedriver.storage.googleapis.com/LATEST_RELEASE_120.0.6099
04/01/2024 02:25:26.238 | Info -> <>c :: <Main>b__0_0 -> Downloading web driver from url: https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/120.0.6099.109/win32/chromedriver-win32.zip
04/01/2024 02:25:26.363 | Info -> <>c :: <Main>b__0_0 -> Checking if certificate is valid
04/01/2024 02:25:26.363 | Info -> <>c :: <Main>b__0_0 -> The SSL certificate is valid.
04/01/2024 02:25:28.182 | Info -> <>c :: <Main>b__0_0 -> Unzipping...
04/01/2024 02:25:33.800 | Info -> <>c :: <Main>b__0_0 -> Adding applocker exception for application C:\Program Files (x86)\Cyberark\PSM\Components\chromedriver.exe
04/01/2024 02:25:38.821 | Warning -> <>c :: <Main>b__0_1 -> App msedge.exe not found in registry. Drivers for that browser will not be updated
04/01/2024 02:25:38.821 | Info -> <>c :: <Main>b__0_0 -> The web drivers updated
Update Chrome Driver in PSM Server
Open Chrome browser -> three dots in the right top corner for setting menu
<optional> if Chrome browser is needed to reinstall, uninstall current Chrome from control panel first and download 32bit chrome browser from below link to install.
https://chromeenterprise.google/intl/en_US/browser/download/#windows-tab
2. Go to Chrome driver download page using below URL and download matching version of driver.
https://chromedriver.chromium.org/downloads.
3. Move the downloaded chromedriver.exe file to Component folder of PSM installation location. By default, it's location is below:
C:\Program Files (x86)\CyberArk\PSM\Components
4. Right click on the chromedriver.exe file -> Select Properties -> Check the "Unblock File" checkbox -> Click Apply/Ok to save.
5 Re-run powershell command PSMConfigureAppLocker.ps1 under C:\Program Files (x86)\CyberArk\PSM\Hardening to generate a new hash for Chromedriver.exe
Restart the PSM server and test the connection.
Note: https://cyberark.my.site.com/s/article/How-to-update-Chrome-Driver-in-PSM-server
=======================================================================
Step 1) Update Chrome browser, remember chrome should be a 32 bit version installed in the Program Files (x86) path.
Step 2) Download the latest chrome driver for your new version:
https://chromedriver.chromium.org/downloads
Step 3) Copy the chromedriver.exe to ...\PSM\Components, overwrite the previous file.
Step 4) Check the marketplace to see if there are any newer versions of the Secure Web Application Connectors Framework. If there are, Download the latest and copy the zip to the PSM(s)
> https://cyberark-customers.force.com/mplace/s/#a3550000000EiCMAA0-a3950000000jjUwAAI
Step 5) Take a backup of the PSM's components folder, copy paste it to your desktop (just in case).
Step 6) Copy only the contents of the components folder from the downloaded file from the marketplace (only the components folder, we don't need any other folder contents). Copy these files to ...\PSM\Components and overwrite files if prompted.
Step 7) Open the ...\PSM\PSMHardening.ps1 script in a text editor, and check the value of $SUPPORT_WEB_APPLICATIONS. make sure it is set to: $true
Step 8) From Administrative Powershell, Run ...\PSM\Hardening\PSMHardening.PS1
Step 9) From Administrative Powershell, Run ...\PSM\Hardening\PSMConfigureAppLocker.PS1
Step 10) Test your connections from PVWA
Note: If still having issues, restart the PSM, hardening often requires a reboot.
Note: https://cyberark.my.site.com/s/article/PSM-How-to-update-Chrome
Download / Update Browser Driver in PSM
1. Download the WebDriverUpdater tool from CyberArk's marketplace:
https://cyberark.my.site.com/mplace/s/#a35Ht000000rjXlIAI-a39Ht000001kceVIAQ
*This tool operates independently as a standalone and portable application.*
2. Unzip the downloaded file and place it on your PSM server.
3. Update the "PathToPSMDrivers" field value in the "WebDriverUpdater.exe.config" file to point to the PSM Components folder. (Default location: C:\Program Files(x86)\CyberArk\PSM\Components)
4. Execute the WebDriverUpdater.exe as an administrator. Review the logs folder to confirm successful web driver updates.
5. Ensure rules for chromedriver\msedgedriver are added to PSMConfigureAppLocker.xml:
chromedriver: <Application Name="chromedriver" Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\chromedriver.exe" Method="Hash" />
msedgedriver: <Application Name="msedgedriver " Type="Exe" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />
*You can configure the Method to "Publisher" for future compatibility and to prevent AppLocker from blocking future updated versions of the drivers.
6. Execute the PSMConfigureAppLocker.ps1 script as an administrator located in the Hardening folder.
*If you prefer not to utilize the tool, an alternative method is available for downloading the drivers specific to your installed Chrome or Edge browser. You can obtain the drivers by visiting the following links:
Chrome driver: https://github.com/GoogleChromeLabs/chrome-for-testing/blob/main/data/known-good-versions-with-downloads.json (Search for the Chrome version that installed on the PSM server and download the relevent chromedriver)
Edge driver: https://msedgewebdriverstorage.z22.web.core.windows.net/?form=MT00IS (Click on "Next" you find the folder for the Edge version that installed on the PSM server)
Place the downloaded file in the PSM Components folder. (Default location: C:\Program Files(x86)\CyberArk\PSM\Components) and follow steps 5-6.
Onboarding Azure AD Accounts for Azure Portal
- for older version before 115: https://chromedriver.chromium.org/downloads
- for newer version after 115: https://googlechromelabs.github.io/chrome-for-testing/
Downloading and installing Chrome
Enabling web app support in PSMHardening script
Running PSM Configure AppLocker script
---
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files (x86)\google\chrome\application\chrome.exe
CheckSensitivePrivilegesForDirectories: Current Directory: c:\programdata\microsoft\windows defender\platform\4.18.23050.9-0
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\4bc5e5252873c08797895d5b6fe6ddfd
CheckSensitivePrivilegesForDirectories: Current Directory: c:\windows\assembly\nativeimages_v4.0.30319_64\system\3ac991e343330dfdb660c4b0041bfe5e
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
---
End of PSM Configure AppLocker script output
Running PSM Hardening script
---
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://51SEC/Domain Users
WinNT://51SEC/VM-NETSEC-Test-1/PSMConnect
WinNT://51SEC/VM-NETSEC-Test-1/PSMAdminConnect
Would you like to remove all members of this group? (yes/no): no
SUCCESS: The file (or folder): "C:\Windows\explorer.exe" now owned by the administrators group.
0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\explorer.exe" now owned by the administrators group.
1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
SUCCESS: The file (or folder): "C:\Windows\system32\taskmgr.exe" now owned by the administrators group.
2
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
SUCCESS: The file (or folder): "C:\Windows\SysWOW64\taskmgr.exe" now owned by the administrators group.
3
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\SysWOW64\taskmgr.exe
SUCCESS: The file (or folder): "C:\program files\Internet Explorer\iexplore.exe" now owned by the administrators group.
4
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
C:\program files\Internet Explorer\iexplore.exe
processed file: C:\program files\Internet Explorer\iexplore.exe
SUCCESS: The file (or folder): "C:\program files (x86)\Internet Explorer\iexplore.exe" now owned by the administrators group.
5
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\Internet Explorer\iexplore.exe
processed file: C:\program files (x86)\Internet Explorer\iexplore.exe
Chrome hardening completed successfully
IE hardening completed successfully
Edge hardening completed successfully
C:\Program Files (x86)\Cyberark\PSM
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
6
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM
C:\Program Files (x86)\Cyberark\PSM\Vault
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
7
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Vault" now owned by the administrators group.
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Vault
C:\Program Files (x86)\Cyberark\PSM\Recordings
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Recordings" now owned by the administrators group.
8
C:\Program Files (x86)\Cyberark\PSM\Recordings
C:\Program Files (x86)\Cyberark\PSM\Logs
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs" now owned by the administrators group.
9
C:\Program Files (x86)\Cyberark\PSM\Logs\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Logs\Components" now owned by the administrators group.
10
C:\Program Files (x86)\Cyberark\PSM\Components
SUCCESS: The file (or folder): "C:\Program Files (x86)\Cyberark\PSM\Components" now owned by the administrators group.
11
processed file: C:\Program Files (x86)\Cyberark\PSM\Components
Successfully processed 1 files; Failed processing 0 files
C:\oracle
processed dir: C:\oracle
C:\oracle
True
C:
processed dir: C:\
processed file: C:\
Successfully processed 1 files; Failed processing 0 files
D:
processed dir: D:\
processed file: D:\
Successfully processed 1 files; Failed processing 0 files
SUCCESS: The file (or folder): "C:\Program Files (x86)\CyberArk\Password Manager" now owned by the administrators group.
12
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
C:\Program Files (x86)\CyberArk\Password Manager
SUCCESS: The file (or folder): "C:\WindowsAzure" now owned by the administrators group.
13
C:\WindowsAzure
C:\WindowsAzure
C:\WindowsAzure
SUCCESS: The file (or folder): "C:\Packages" now owned by the administrators group.
14
C:\Packages
C:\Packages
C:\Packages
Executing (\\VM-NETSEC-Test-1\root\CIMV2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\CIMV2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="RDP-Tcp")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
Executing (\\VM-NETSEC-Test-1\root\cimv2\TerminalServices:Win32_TSAccount.AccountName="VM-NETSEC-Test-1\\PSMAdminConnect",TerminalName="RDP-Tcp")->ModifyPermissions()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
[SC] ChangeServiceConfig SUCCESS
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
WinSCP password storing has been disabled
CyberArk Hardening script ended successfully.
---
End of PSM Hardening script output
All tasks completed.
Onboarding Azure AD Accounts with MFA
Troubleshooting
PSM WebApp unable to locate webform fields
PSM WebApp is unable to locate web form fields under the following conditions:
- The target web application uses invalid/untrusted self signed certificate.
- PSM chrome browser hardening in place.
- PSM chrome browser version (including chrome browser driver) is 102 and above.
You may encounter the following error when launching chrome browser from PSM server to the target web application server in concern.
Resolution
The answer or the steps taken to resolve the issue.
Workaround solution :
------------------------
- Set SSLErrorOverwriteAllowed to yes (value of 1) under Chrome browser hardening at the PSM server. If you using GPO, make sure you set the correct setting. By default, we set this to no (value 0) in our PSM chrome browser hardening
- Ensure that EnforceCertificateValidation is set to “No” in the PSM-PVWA webApp connector. The default is set to yes.
- Change the webform connection component webform settings to add the first two action below highlighted in red:
details-button>(button)(searchby=id)
proceed-link>(click)(searchby=id)
pvBody_PageTemplate_innerHolder_ctrlLogon_txtUsername>{username} (searchby=id)
pvBody_PageTemplate_innerHolder_ctrlLogon_txtPassword>{password}(searchby=id)
LogonButton>(Button)(searchby=class)
Restart your PSM services or wait 10 minutes.
The default PSM parameter, refresh interval, is 10 minutes. In version 10, you can control it in Administration | Options | Privileged Session Management | General Settings | Server Settings | Configuration Refresh Interval = 600 seconds.
--------------------------------------------
Permanent solution:
---------------------------------------------
This issue would be fixed next version of PSM Secure Web Application framework (version 12.7) marketplace plugin which will be released in the next future.
Look out for the availability of version 12.7 at the CyberArk marketplace : https://cyberark-customers.force.com/mplace/s/#a3550000000EiCMAA0-a3950000000jjUwAAI
-----------------------------------------------
Note: The above solutions will lower the security posture of the PSM server for webApp connection components. The recommendation solution is to ensure that all managed web applications are installed with CA signed certificates or Trusted self signed certificates.
PSM - After updating Google Chrome on the PSM, Chrome-based connection components fail to connect
The PSM Web App Dispatcher fails to interact with Google Chrome version 69, although it successfully worked with Chrome versions 62 to 64.
The following error appears:
For Chrome version 89, see Article Chrome 89 update | upgrade breaks PSM functionality.
The cause for the problem is the DisableDeveloperTools group policy. When set to Yes, as in the Chrome hardening shipped with PSM, it prevents the dispatcher application from interacting with the Chrome 69 browser and performing the secured login. Setting DisableDeveloperTools to No resolves this problem.
The Developer Tools window itself remains inaccessible to the user due to the URL Blacklist policy that also exists in the shipped Chrome hardening.
If the environment uses In-Domain hardening (by applying the CyberArk Hardening – In Domain) :
1. Open Group Policy Management Editor (Run -> gpmc.msc) and login to the domain the PSM server is joined to.
2. Expand the relevant domain node. Under Group Policy Objects locate the GPO where the CyberArk In-Domain hardening policies are applied.
3. Right-click on the GPO and then click on "Edit…"
4. In the opened editor window, navigate to:
Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome.
Click on the Google Chrome node to select it.
5. Set the Disable Developer Tools setting to Not Configured.
6. Run the command gpupdate /force on all relevant PSM machines.
If the environment does not use In-Domain hardening:
1. Logon to the PSM machine.
2. Navigate to Hardening directory under the PSM installation path. For example: C:\ProgramFiles (x86)\CyberArk\PSM\Hardening.
3. Open the file PSMChromeHardening.csv in a text editor
4. Replace the following line:
Software\Policies\Google\Chrome,DeveloperToolsDisabled,REG_DWORD,1
with:
Software\Policies\Google\Chrome,DeveloperToolsDisabled,REG_DWORD,0
5. Save the changes and close the text editor.
6. Open a cmd window As Administrator and navigate to the same Hardening directory as earlier.
7. In the cmd window, run the following command: GroupPolicyLoader.exe machine PSMChromeHardening.csv PSMChromeHardening.log
8. Run the following command: gpupdate /force
9. Repeat the process for each relevant PSM machine.
Note: The user will not be able to open the Developer Tools since they are blocked for user access by the URL Blacklist policy.
Our Chrome hardening allows only URLs beginning with http:// https:// and ftp://.
This causes internal Chrome windows such as chrome://settings, chrome://flags, etc. to be inaccessible, and the same holds for the Developer Tools window (this has been tested before recommending the procedure) - with the URL policy in place, the user cannot access Developer Tools from the menu or using the hotkeys.
Troubleshooting - Parameter BrowsePath is invalid
When tried to launch Azure Portal Connection, it failed with this message.
Each change, you might need to wait 5-10 minutes to take the changes into effect.
Troubleshooting - Failed to initialize web browser.
We can check those executable rules and dll rules for which dll was in the exceptions.
You also can check event viewer to see any error for AppLocker
In this case, you will need to add following line into PSMConfigureAppLocker.xml
<!-- Google Chrome process -->
<Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files\Google\Chrome\Application\chrome.exe" Method="Publisher" />
<Application Name="GoogleChromeDriver" Type="Exe" Path="C:\Program Files (x86)\Cyberark\PSM\Components\chromedriver.exe" Method="Hash" />
Then re-run PSMConfigureAppLocker.ps1
PS C:\Program Files (x86)\Cyberark\PSM\Hardening> ls *.ps1
Directory: C:\Program Files (x86)\Cyberark\PSM\Hardening
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2023-04-03 11:16 AM 38239 PSMConfigureAppLocker.ps1
-a---- 2023-04-03 11:11 AM 70729 PSMHardening.ps1
-a---- 2023-03-13 2:34 PM 16777 PSMHardeningInternal.ps1
-a---- 2022-09-15 3:55 PM 36470 test-psm-applocker.ps1
-a---- 2022-09-15 3:55 PM 65764 test-psmhardening.ps1
PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMConfigureAppLocker.ps1
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsapgui.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe
Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files\google\chrome\application\chrome.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\chromedriver.exe
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>
No comments:
Post a Comment