Security Standard
March 2018
The following are potential security risks associated with running a virtualized Digital
Vault Server, and CyberArk’s recommendations to mitigate these risks:
■ An attacker can potentially initiate multiple, simultaneous “brute force” password
attacks against existing CyberArk user accounts. This risk arises because an
attacker can create unlimited copies of the virtual machine, and with an unlimited
number of machines, account lockout mechanisms can be bypassed.
■ There is no mitigating control for the risk of brute force attacks. Customers who
run the Digital Vault Server in a virtualized environment assume this risk.
■ The risk of an attacker successfully reverse-engineering the encryption of the Digital
Vault data is increased in virtual environments. To start the Digital Vault software,
the virtual machine must have access to the Server Key. Because of this,
implementation practices in virtualized environments require the Server Key to be
placed on the Digital Vault Server OS file system. In a secure physical environment,
such as an enterprise datacenter, the risk of storing the Server Key on the file
system can be mitigated by implementing physical security controls. If an attacker
takes possession of a virtual machine, the attacker could have access to the
operating system, Server Key and encrypted data, making it possible to reverse-
engineer the encryption and gain access to the Digital Vault data.
■ There are two mitigating controls available for this risk:
    ■ Use a Hardware Security Module to securely store the Server Key separately
      from the Digital Vault Server OS file system.
    ■ Manually mount the Server Key each time it is required. This approach will
      improve security, but the DR Vault instance will not become available
      automatically during a disaster.
Non-conformance
This topic describes security implications of not conforming to the CyberArk Digital Vault
Security Standard.
Security implications
It is essential to deploy CyberArk Solutions according to the standards and guidelines
described in CyberArk’s documentation. Adhering to the CyberArk Digital Vault Security
Standard and following CyberArk’s guidelines helps to ensure the security of your
deployment and significantly reduces the risk of an attacker being able to circumvent the
Digital Vault security controls.
Each security layer is built on top of the others, so the removal of one layer (for example,
installing third-party software) will loosen another layer (for example, opening the firewall
to allow that third-party software to communicate) and eventually significantly reduce the
security of the Digital Vault.
Customers who choose to deviate from the CyberArk Digital Vault Security Standard
should be aware of the following security risks:
Domain membership
As mentioned above, installing the Digital Vault on a domain member server can result in
the following:
■ Added risk of domain level attacks, such as pass-the-hash or golden ticket attacks
■ Malicious or accidental changes in domain GPO
■ Vulnerability to external attack vectors due to opened firewall ports
■ Vulnerability to internal attack vectors and increased operational risk due to the
enablement of unnecessary services
■ Increased risk of inside attacks due to access by Domain, Enterprise and Schema
Administrators
Third-party software
As mentioned above, the installation of third-party software on the Digital Vault Server
introduces the following risks:
■ Vulnerability to external attack vectors due to opened firewall ports
■ Exposure of the Digital Vault Server to all vulnerabilities and attack vectors present
in third-party software
■ Impacted Digital Vault availability due to conflict between internal components and
third-party software
■ Impacted support resolution due to the need for non-standard troubleshooting
RDP access
Customers may wish to use RDP as a convenient method of remotely accessing the
Digital Vault Server. However, as part of the hardening process, the Digital Vault Server
blocks communication via RDP. Customers should only remotely access the Digital Vault
Server via a remote console, such as KVM, HP iLO, or Dell iDRAC.
Removing this control by undoing this hardening and enabling RDP connections to the
Digital Vault Server makes the Digital Vault vulnerable to attacks on Microsoft's RDP
protocol.
Customers who wish to open the Digital Vault Server to RDP connections can select this
option during installation if the Digital Vault is being installed via an RDP connection.
Note that the RDP connection will be restricted to the specific IP address from which the
installation originated.
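A read-only check for two of the deviations described above (domain membership and RDP exposure), as an added PowerShell example that is not part of CyberArk's documentation or tooling. The function name Test-VaultHostConformance is hypothetical, and the check assumes the host's packet filtering is visible through the built-in Windows firewall cmdlets.

```powershell
# Added example: read-only conformance check; not a CyberArk tool.
# Run locally from the server console in an elevated PowerShell session.
function Test-VaultHostConformance {
    $findings = @()

    # Domain membership: report if the host is joined to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Host is a member of domain '$($cs.Domain)'"
    }

    # RDP switch: fDenyTSConnections = 1 means connections are refused.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    if ($null -eq $ts -or $ts.fDenyTSConnections -ne 1) {
        $findings += 'Remote Desktop connections are not denied (fDenyTSConnections is not 1)'
    }

    # The RDP listener port can be changed, so read it rather than assume 3389.
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    $port = if ($rdpTcp.PortNumber) { [int]$rdpTcp.PortNumber } else { 3389 }

    # An active listener on that port means the RDP service is accepting connections.
    if (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue) {
        $findings += "A listener is active on TCP port $port"
    }

    # Enabled inbound allow rules covering that port, with the remote addresses
    # they admit. Port ranges such as "3000-4000" are not expanded here.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        $portMatch = ($pf.LocalPort -contains "$port") -or ($pf.LocalPort -contains 'Any')
        if ($pf.Protocol -in 'TCP', 'Any' -and $portMatch) {
            $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            $findings += "Firewall rule '$($rule.DisplayName)' allows TCP $port from: $remote"
        }
    }

    return $findings
}

$result = Test-VaultHostConformance
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'No domain membership or RDP exposure found.'
}
```

Where RDP was enabled at installation, the remote address printed for the matching rule shows whether the exception is still limited to a single source address.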
Support implications
CyberArk will provide best-effort support for Digital Vault Servers running in a non-
standard configuration.
However, running the Digital Vault application on a server that deviates from the
CyberArk Digital Vault Security Standard significantly reduces the security of the
solution. We strongly advise our customers to conform to the CyberArk Digital Vault
Security Standard so that our solution is able to operate in accordance with its
specifications.