Symptom:

After following the hardening procedure for CPM, PVWA and PSM servers, you can no longer manage those servers



Cause:

Part of the hardening process the administrative shares on the CyberArk servers are disabled, along with additional security setting that prevent the CPM from managing the servers.



Solution:

To allow the CPM to manage the hardened servers, we will need to use the WMI platform. The problem is that WMI requires several pre-requisite to operate successfully:

  1. The WMI service should be running on the target machine.
    The service can be started via the command line:
    NET START winmgmt
  2. The firewall should allow WMI management properties. If the firewall is enabled, this can be enabled via the following command via the CLI:
    netsh advfirewall firewall set rule group="windows management instrumentation (WMI)" new enable=Yes
  3. The local security policy setting should allow for "Sharing and security model for local accounts" should be set to: "Classic-local users authenticate as themselves"
    This can be achieved by start > run > type secpol.msc > Local Policies > Security Options > scroll down to Network Access: Under the Policy column- "Sharing and security model for local accounts" This should be set to "Classic-local users authenticate as themselves" > Click OK > Exit Local Policy
  4. The local security policy for User Account Control: Run all administrators in Admin Approval Mode should be disabled. (This actively disables the UAC on the server)
    This can be achieved by start > run > type secpol.msc > Local Policies > Security Options > scroll down to User Account Control: Under the Policy column- "Run all administrators in Admin Approval Mode" This should be set to "Disabled" > Click OK > Exit Local Policy
  5. The local security policy for "Network security: LAN Manager authentication level" should be identical on the CPM and target servers.
    This can be achieved by start > run > type secpol.msc > Local Policies > Security Options > scroll down to Network security: Under the Policy column- "LAN Manager authentication level" This should be set to the same configuration on the CPM and target servers > Click OK > Exit Local Policy

The above is the basic prerequisite for WMI management via CPM. This also means this is related to Usage management, which is managed via WMI. In some cases, where all of the above exists but the CPM still fails to change the password, an additional setting need to be configured. If the CPM shows the error: "Access is denied. [0x00000005]", you need to do the following:

  1. Open the registry editor via Start > run > regedit
  2. navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Create or modify 32-bit DWORD: LocalAccountTokenFilterPolicy
  4. Set the value to: 1

This setting will disable UAC for remote users connecting to this computer (In our case, the CPM connecting remotely via WMI).


On the CPM machine, do the following:

  1. Open the registry editor via Start > run > regedit
  2. navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Set the value of "EnableLUA"  to 0
  4. Add an exception of the pmterminal.exe to DEP (under <CPM Installation Folder>\Password Manager\bin\)



Also, attached is a CyberArk document regarding management of account via WMI.