BeyondTrust Hardening Guide
Remote access security for PRA, session monitoring, and credential injection
Overview
BeyondTrust sells Privileged Access Management (PAM) products, including Remote Support (RS) and Privileged Remote Access (PRA), and cites 20,000+ customers including 75% of the Fortune 500. In December 2024 a Chinese state-sponsored actor obtained a Remote Support SaaS API key and used it to reset passwords on local application accounts, which gave it access to U.S. Treasury Department user workstations and unclassified documents; BeyondTrust reported 17 Remote Support SaaS customers affected. Two vulnerabilities identified during the investigation, CVE-2024-12356 (CVSS 9.8, unauthenticated command injection in RS and PRA) and CVE-2024-12686 (CVSS 6.6, OS command injection requiring administrative privileges), were both added to CISA's Known Exploited Vulnerabilities catalog. The incident shows how a PAM platform's own machine credentials become a supply chain vector: a single long-lived API key, which MFA never covers, was enough for initial access.
Intended Audience
- Security engineers managing PAM infrastructure
- IT administrators configuring BeyondTrust
- GRC professionals assessing privileged access compliance
- Third-party risk managers evaluating remote access solutions
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for government/regulated industries
Scope
This guide covers BeyondTrust-specific security configurations with emphasis on API key security, remote access hardening, and lessons learned from the December 2024 Treasury breach.
Table of Contents
- Authentication & Access Controls
- API Security
- Network Access Controls
- Session Security
- Monitoring & Detection
- Incident Response
- Compliance Quick Reference
1. Authentication & Access Controls
1.1 Enforce Multi-Factor Authentication for All Access
Profile Level: L1 (Baseline) - CRITICAL CIS Controls: 6.3, 6.5 NIST 800-53: IA-2(1), IA-2(6)
Description
Require MFA for all BeyondTrust console access, remote support sessions, and API authentication where possible.
Rationale
Why This Matters:
- BeyondTrust provides remote access to sensitive systems
- Compromised console = access to all managed endpoints
- The December 2024 breach did not defeat MFA; it used a stolen API key, a machine credential that MFA never covers. MFA protects interactive console and session access; API credentials need the controls in 1.3 and 2.1
Attack Prevented: Credential theft, session hijacking
Real-World Incidents:
- December 2024 BeyondTrust Breach: a Chinese state-sponsored actor (Microsoft later attributed the activity to Silk Typhoon, not Salt Typhoon) used a stolen Remote Support SaaS API key to reset local application account passwords and reach U.S. Treasury Department workstations and unclassified documents
Prerequisites
- BeyondTrust console admin access
- MFA provider integration (RADIUS, SAML)
- User inventory for enrollment
ClickOps Implementation
Step 1: Configure SAML/OIDC Authentication
- Navigate to: Management → Security Providers
- Click Add Security Provider
- Configure:
- Type: SAML 2.0 or OIDC
- IdP Entity ID: From your identity provider
- SSO URL: IdP login URL
- Certificate: IdP signing certificate
- At the IdP: require MFA in the access policy assigned to the BeyondTrust application. BeyondTrust trusts the IdP's assertion, so MFA for SAML users is enforced on the IdP side, not by a BeyondTrust toggle
Step 2: Configure Local MFA (Backup)
- Navigate to: Management → Security → Authentication
- Enable: Two-Factor Authentication
- Configure:
- Provider: TOTP or RADIUS
- Enforcement: All users
- Grace period: None (L2/L3)
Step 3: Require MFA for Remote Sessions
- Navigate to: Configuration → Options → Security
- Enable: Require two-factor for representatives
- Enable: Require two-factor for customers (if applicable)
Code Implementation
# BeyondTrust API - Configure SAML provider
# Authenticate first: BeyondTrust API accounts use OAuth2 client credentials,
# exchanging the client ID/secret for a short-lived bearer token at /oauth2/token.
API_TOKEN=$(curl -s -u "${CLIENT_ID}:${CLIENT_SECRET}" \
  -d "grant_type=client_credentials" \
  "https://${BEYONDTRUST_HOST}/oauth2/token" | jq -r '.access_token')

# NOTE: the resource path and JSON field names below are illustrative. Confirm
# them against the Configuration API reference for your installed version; the
# admin UI steps above are the authoritative procedure.
curl -X POST "https://${BEYONDTRUST_HOST}/api/config/security-provider" \
  -H "Authorization: Bearer ${API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "saml",
    "name": "Corporate SSO",
    "idpEntityId": "https://idp.company.com",
    "ssoUrl": "https://idp.company.com/saml/sso",
    "certificate": "-----BEGIN CERTIFICATE-----...",
    "signatureAlgorithm": "RSA-SHA256",
    "requireMfa": true
  }'
Compliance Mappings
| Framework | Control ID | Control Description |
|---|---|---|
| SOC 2 | CC6.1 | Logical access controls |
| NIST 800-53 | IA-2(1), IA-2(6) | MFA for privileged access |
| PCI DSS v4.0 | 8.4.1 | MFA for all non-console administrative access into the CDE |
| CIS Controls v8 | 6.3, 6.5 | MFA for externally exposed applications and for administrative access |
1.2 Implement Role-Based Access Control
Profile Level: L1 (Baseline) NIST 800-53: AC-3(7), AC-6
Description
Configure granular roles separating administrative functions. Avoid using built-in Administrator account for daily operations.
ClickOps Implementation
Step 1: Create Functional Roles
- Navigate to: Management → User Accounts → Roles
- Create roles:
Help Desk Representative:
- Start remote sessions
- View session history (own only)
- NO: Configure systems, access API
Senior Support:
- All Help Desk permissions
- View all session recordings
- Access knowledge base
Security Administrator:
- Manage users and roles
- Configure security settings
- Access audit logs
- NO: Start remote sessions
API Administrator:
- Manage API credentials
- View API usage logs
- NO: Start sessions, access recordings
Step 2: Disable/Rename Default Admin
- Navigate to: Management → User Accounts
- Rename or disable built-in Administrator account
- Create named admin accounts with audit trail
1.3 Configure IP-Based Access Restrictions
Profile Level: L1 (Baseline) - CRITICAL (Post-Breach Lesson) NIST 800-53: AC-17, SC-7(5)
Description
Restrict console and API access to known IP ranges. Binding each API account to its integration's source networks is one of the few controls that reduces the blast radius of a stolen API key, which was exactly the December 2024 initial access vector.
Rationale
Why This Matters:
- A stolen API key is replayable from anywhere unless the account is bound to source addresses; that is what made the December 2024 key so valuable
- IP restrictions force the attacker onto an allowlisted network, turning a credential theft into a much harder network-position problem
- Defense-in-depth for token theft scenarios; it does not replace rotation (2.1) or monitoring (2.3)
ClickOps Implementation
Step 1: Configure Console IP Restrictions
- Navigate to: Management → Security → Network Restrictions
- Add allowed IP ranges:
- Corporate network CIDRs
- VPN egress IPs
- Trusted partner IPs
- Set default action: Deny
Step 2: Configure API Network Restrictions (Critical)
- Navigate to: Management → API Configuration → API Accounts
- For each API account, edit its Network Restrictions:
- List only the integration's egress addresses or CIDRs
- Leave nothing unrestricted: an account with no network restriction is usable from the public internet
- Create a separate API account per integration so allowlists stay tight and revocation is surgical
# API configuration - Restrict an API account to specific source networks.
# The admin UI exposes this per API account as "Network Restrictions"; the
# resource path and field names here are illustrative for automating the same
# setting and must be checked against your version's Configuration API reference.
curl -X PUT "https://${BEYONDTRUST_HOST}/api/config/api-keys/${KEY_ID}" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Integration-ServiceNow",
    "allowedIps": [
      "10.0.1.0/24",
      "203.0.113.50/32"
    ],
    "enabled": true
  }'
2. API Security
2.1 API Key Management and Rotation
Profile Level: L1 (Baseline) - CRITICAL NIST 800-53: IA-5, SC-12
Description
Implement strict API key management: regular rotation, binding each API account to source networks, and usage monitoring. The December 2024 breach began with a single compromised Remote Support SaaS API key.
Rationale
Why This Matters:
- A stolen API key grants whatever the API account is permitted to do, with no MFA in the path; in December 2024 that included resetting local application account passwords
- The December 2024 breach started from a single compromised Remote Support SaaS API key
- Long-lived keys create an extended exposure window and make it impossible to tell when a leak happened
Attack Scenario: An attacker obtains an API credential from a compromised integration host, an exposed CI variable or a backup; uses it from their own infrastructure (nothing stops this unless the account is bound to source networks, see 1.3); resets or creates accounts; then reaches the endpoints those accounts can manage and exfiltrates data.
ClickOps Implementation
Step 1: Audit Existing API Keys
- Navigate to: Management → API Configuration → API Keys
- Export list of all active API keys
- Document for each key:
- Creation date
- Last used date
- Purpose/integration
- IP restrictions (if any)
- Assigned permissions
Step 2: Implement Key Rotation Schedule
| Key Type | Rotation Frequency | Maximum Age |
|---|---|---|
| Production integration | Quarterly | 90 days |
| Development/Test | Monthly | 30 days |
| Emergency/Break-glass | After each use | Single use |
Step 3: Rotate All Existing Keys
- For each API key:
- Generate new key
- Update integration configuration
- Verify integration works
- Revoke old key
- Document rotation
Step 4: Enable Key Expiration
- Navigate to: API Configuration → Settings
- Enable: Automatic key expiration
- Set maximum age: 90 days
- Enable: Expiration warning notifications
Code Implementation
#!/usr/bin/env python3
# api-key-rotation.py - Automated BeyondTrust API account rotation and audit
#
# NOTE: the /api/config/api-keys resource and its field names (createdAt,
# lastUsed, allowedIps, expiresAt, apiKey, id) are illustrative; map them to
# the Configuration API reference for your version before use.
import os
from datetime import datetime, timedelta, timezone

import requests

BEYONDTRUST_HOST = os.environ.get("BEYONDTRUST_HOST", "https://beyondtrust.company.com")
MAX_KEY_AGE_DAYS = 90
TIMEOUT = 15  # seconds; never let a rotation job hang on an unreachable appliance


def _headers(admin_token):
    return {"Authorization": f"Bearer {admin_token}"}


def _parse_ts(value):
    """Parse an ISO-8601 timestamp, tolerating a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def create_replacement_key(admin_token, key_name, allowed_ips, store_secret):
    """Rotation step 1: create the new key and hand the secret to the vault.

    store_secret(name, secret) is supplied by the caller (e.g. a Vault client);
    the secret is never logged or returned. Returns the new key's ID.
    """
    if not allowed_ips:
        raise ValueError("refusing to create an API key without IP restrictions")
    now = datetime.now(timezone.utc)
    response = requests.post(
        f"{BEYONDTRUST_HOST}/api/config/api-keys",
        headers=_headers(admin_token),
        json={
            "name": f"{key_name}-{now.strftime('%Y%m%d')}",
            "allowedIps": allowed_ips,
            "expiresAt": (now + timedelta(days=MAX_KEY_AGE_DAYS)).isoformat(),
        },
        timeout=TIMEOUT,
    )
    response.raise_for_status()
    new_key = response.json()
    store_secret(key_name, new_key["apiKey"])
    return new_key["id"]


def revoke_key(admin_token, key_id):
    """Rotation step 2: revoke the old key only after the integration has been
    switched to the new one and verified (Step 3 in the procedure above)."""
    response = requests.delete(
        f"{BEYONDTRUST_HOST}/api/config/api-keys/{key_id}",
        headers=_headers(admin_token),
        timeout=TIMEOUT,
    )
    response.raise_for_status()


def audit_api_keys(admin_token):
    """Audit all API keys for age, IP binding and dormancy."""
    response = requests.get(
        f"{BEYONDTRUST_HOST}/api/config/api-keys",
        headers=_headers(admin_token),
        timeout=TIMEOUT,
    )
    response.raise_for_status()
    return find_key_issues(response.json())


def find_key_issues(keys, now=None):
    """Pure check, so it can also be run against an exported key list."""
    now = now or datetime.now(timezone.utc)
    issues = []
    for key in keys:
        age_days = (now - _parse_ts(key["createdAt"])).days
        if age_days > MAX_KEY_AGE_DAYS:
            issues.append(f"Key '{key['name']}' is {age_days} days old (max {MAX_KEY_AGE_DAYS})")
        if not key.get("allowedIps"):
            issues.append(f"Key '{key['name']}' has no IP restrictions")
        if not key.get("lastUsed"):
            issues.append(f"Key '{key['name']}' has never been used - consider removal")
    return issues
2.2 Implement API Rate Limiting
Profile Level: L2 (Hardened) NIST 800-53: SC-5
Description
Configure rate limiting for API endpoints to slow down abuse and make it visible. If your deployment offers no native API rate limiting, enforce it at the API gateway or WAF in front of the appliance (see the long-term actions in 6.1).
ClickOps Implementation
- Navigate to: Management → API Configuration → Rate Limiting
- Configure:
- Requests per minute: 100 (adjust based on usage)
- Burst limit: 200
- Lockout duration: 5 minutes
- Enable: Alert on rate limit exceeded
2.3 Monitor API Usage Anomalies
Profile Level: L1 (Baseline) NIST 800-53: AU-6, SI-4
Description
Implement monitoring for unusual API activity patterns that may indicate compromise.
Detection Use Cases
-- Assumed schema: api_access_log(api_key_name, source_ip, endpoint, timestamp).
-- Column names depend on how your SIEM parses BeyondTrust syslog; MySQL syntax.

-- Detect API access from IPs not seen for that key in the prior 30 days
SELECT a.api_key_name, a.source_ip, COUNT(*) AS requests
FROM api_access_log a
WHERE a.timestamp > DATE_SUB(NOW(), INTERVAL 1 DAY)
  AND NOT EXISTS (
    SELECT 1
    FROM api_access_log b
    WHERE b.api_key_name = a.api_key_name
      AND b.source_ip = a.source_ip
      AND b.timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 31 DAY)
                          AND DATE_SUB(NOW(), INTERVAL 1 DAY)
  )
GROUP BY a.api_key_name, a.source_ip;

-- Detect after-hours API usage (outside 06:00-20:59 or on Sat/Sun; timestamps
-- must be in the business timezone, not UTC, for this to mean anything)
SELECT api_key_name, timestamp, endpoint, source_ip
FROM api_access_log
WHERE timestamp > DATE_SUB(NOW(), INTERVAL 1 DAY)
  AND (HOUR(timestamp) NOT BETWEEN 6 AND 20
       OR DAYOFWEEK(timestamp) IN (1, 7))
ORDER BY timestamp DESC
LIMIT 100;

-- Detect bulk session-data access (the 5.1 alert table uses >10 in 10 minutes;
-- this hourly roll-up is the hunting variant)
SELECT api_key_name, endpoint, COUNT(*) AS request_count
FROM api_access_log
WHERE timestamp > DATE_SUB(NOW(), INTERVAL 1 HOUR)
  AND endpoint LIKE '/api/sessions%'
GROUP BY api_key_name, endpoint
HAVING COUNT(*) > 50;
3. Network Access Controls
3.1 Segment Remote Access Infrastructure
Profile Level: L2 (Hardened) NIST 800-53: SC-7
Description
Deploy BeyondTrust in a segmented network zone with strict ingress/egress controls.
Implementation
Network Architecture:
Internet
│
▼
┌─────────────────┐
│ WAF / CDN │
└────────┬────────┘
│ HTTPS only
▼
┌─────────────────┐
│ DMZ Zone │
│ ┌───────────┐ │
│ │ BT Proxy │ │
│ └─────┬─────┘ │
└────────┼────────┘
│ Internal only
▼
┌─────────────────┐
│ Internal Zone │
│ ┌───────────┐ │
│ │ BT Server │ │
│ └───────────┘ │
└─────────────────┘
Firewall Rules:
- Inbound: HTTPS (443) from WAF only
- Outbound: Target systems on specific ports
- Block all other traffic
3.2 Configure Jump Server Integration
Profile Level: L2 (Hardened) NIST 800-53: AC-17
Description
Configure BeyondTrust to work with existing jump server architecture for defense in depth.
4. Session Security
4.1 Enable Comprehensive Session Recording
Profile Level: L1 (Baseline) NIST 800-53: AU-14
Description
Record all privileged sessions for forensic analysis and compliance.
ClickOps Implementation
Step 1: Configure Recording Settings
- Navigate to: Configuration → Recording
- Enable:
- Record all sessions: Yes
- Record audio: Per policy
- Record keystrokes: Yes (for forensics)
- Storage encryption: AES-256
Step 2: Configure Retention
- Set retention period: Minimum 1 year
- Configure secure storage location
- Enable: Tamper-evident logging
4.2 Implement Session Approval Workflows
Profile Level: L2 (Hardened) NIST 800-53: AC-2(6)
Description
Require approval for access to sensitive systems.
ClickOps Implementation
- Navigate to: Configuration → Jump Policies
- Create policy for sensitive systems:
- Approval required: Yes
- Approvers: Security team
- Maximum duration: 4 hours
- Justification required: Yes
5. Monitoring & Detection
5.1 Configure Security Alerting
Profile Level: L1 (Baseline) NIST 800-53: SI-4
Description
Configure alerts for security-relevant events, prioritising the signals that would have surfaced the December 2024 breach early: API credential use from new addresses and changes to API accounts.
Critical Alerts
| Alert | Threshold | Priority |
|---|---|---|
| Failed login attempts | >5 in 5 minutes | High |
| API access from new IP | Any | High |
| After-hours admin access | Any | Medium |
| Bulk session access | >10 in 10 minutes | High |
| API key created/modified | Any | High |
| Security setting changed | Any | Critical |
ClickOps Implementation
- Navigate to: Management → Alerts → Alert Rules
- Create rules for each scenario
- Configure notification channels:
- Email to security team
- SIEM integration
- PagerDuty for critical
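The detection rules in 2.3 and the thresholds in the table above can be checked against raw API access events independently of the SIEM. The block below is an added example, not BeyondTrust code: the log line layout (ISO timestamp, API account name, source IP, endpoint), the per-account allowlist inventory and the sample events are constructed for illustration. It applies the 1.3 network restriction as a control-failure check (a request from outside the allowlist should never have been served), the 30-day new-IP baseline, the after-hours window, and the >10 session requests in 10 minutes threshold from the table.

```python
#!/usr/bin/env python3
# api_anomaly_check.py - Added example: evaluate BeyondTrust-style API access
# events against the section 2.3 / 5.1 detection rules. The log schema and the
# sample events below are constructed for illustration, not a vendor format.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Per-account network restrictions (section 1.3). Assumed inventory, not pulled
# from the appliance. Unknown accounts fail closed (treated as unrestricted).
ALLOWED_NETWORKS = {
    "Integration-ServiceNow": ["10.0.1.0/24", "203.0.113.50/32"],
    "Integration-Splunk": ["10.0.2.0/24"],
}
BUSINESS_HOURS = range(6, 21)                    # 06:00-20:59, as in the 2.3 SQL
BULK_THRESHOLD, BULK_WINDOW = 10, timedelta(minutes=10)   # 5.1 alert table
BASELINE_DAYS = 30


def parse_event(line):
    """One constructed log line: ISO timestamp, key name, source IP, endpoint."""
    ts, key, ip, endpoint = line.split()
    return {"ts": datetime.fromisoformat(ts), "key": key, "ip": ip, "endpoint": endpoint}


def outside_allowlist(event):
    """True when the source IP is not inside any network bound to the account."""
    nets = [ipaddress.ip_network(n) for n in ALLOWED_NETWORKS.get(event["key"], [])]
    return not any(ipaddress.ip_address(event["ip"]) in n for n in nets)


def new_source_ips(events, now):
    """(key, ip) pairs seen in the last 24h that never appeared for that key
    in the preceding BASELINE_DAYS."""
    day_ago = now - timedelta(days=1)
    baseline = defaultdict(set)
    for e in events:
        if now - timedelta(days=BASELINE_DAYS) <= e["ts"] < day_ago:
            baseline[e["key"]].add(e["ip"])
    return sorted({(e["key"], e["ip"]) for e in events
                   if e["ts"] >= day_ago and e["ip"] not in baseline[e["key"]]})


def after_hours(event):
    """Outside business hours or on a weekend (Mon=0 ... Sun=6)."""
    return event["ts"].hour not in BUSINESS_HOURS or event["ts"].weekday() >= 5


def bulk_session_access(events):
    """Keys with more than BULK_THRESHOLD /api/sessions* requests inside any
    BULK_WINDOW, found with a sliding window over time-sorted events."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["endpoint"].startswith("/api/sessions"):
            per_key[e["key"]].append(e["ts"])
    flagged = set()
    for key, times in per_key.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 > BULK_THRESHOLD:
                flagged.add(key)
                break
    return sorted(flagged)


def run_detections(lines, now):
    events = [parse_event(line) for line in lines]
    return {
        "allowlist_violations": sorted({(e["key"], e["ip"]) for e in events if outside_allowlist(e)}),
        "new_ips": new_source_ips(events, now),
        "after_hours": sorted({(e["key"], e["ts"].isoformat()) for e in events if after_hours(e)}),
        "bulk_session_access": bulk_session_access(events),
    }


# Constructed sample: weekday baseline traffic from the allowlisted addresses,
# then a day with a never-seen IP, an after-hours call and a burst of session pulls.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # a Wednesday
SAMPLE_LOG = [
    f"{(NOW - timedelta(days=d)).isoformat()} Integration-ServiceNow 10.0.1.25 /api/config/v1/user"
    for d in range(2, 22) if (NOW - timedelta(days=d)).weekday() < 5
] + [
    f"{(NOW - timedelta(days=5)).isoformat()} Integration-Splunk 10.0.2.9 /api/reporting",
    f"{(NOW - timedelta(hours=3)).isoformat()} Integration-ServiceNow 198.51.100.7 /api/config/v1/user",
    f"{NOW.replace(hour=2).isoformat()} Integration-Splunk 10.0.2.9 /api/reporting",
] + [
    f"{(NOW - timedelta(minutes=m)).isoformat()} Integration-ServiceNow 198.51.100.7 /api/sessions/{m}"
    for m in range(11)
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG, NOW).items():
        print(f"{rule}: {hits}")
```

On the sample, 198.51.100.7 trips three rules at once (outside the ServiceNow allowlist, never seen in the baseline, and 11 session pulls in ten minutes), which is the pattern a stolen key replayed from attacker infrastructure produces; the Splunk 02:00 call trips only the after-hours rule. An allowlist violation that actually appears in the log means the network restriction on that account is missing or misconfigured, so treat it as a control failure rather than as an ordinary anomaly.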
5.2 Forward Logs to SIEM
Profile Level: L1 (Baseline) NIST 800-53: AU-6
Description
Export all audit logs to SIEM for correlation and long-term retention.
# Configure syslog forwarding
# In BeyondTrust configuration:
# Management → System → Logging → Syslog
# Syslog configuration
Protocol: TLS
Server: siem.company.com
Port: 6514
Format: CEF (Common Event Format)
Events: All security events
6. Incident Response
6.1 December 2024 Breach Response Lessons
Based on the Treasury Department breach, implement these immediate actions:
Immediate Actions (0-24 hours)
- Rotate ALL API keys immediately
- Review all API access logs for past 90 days
- Identify any access from unusual IPs
- Enable IP restrictions on all API keys
- Apply CVE-2024-12356 and CVE-2024-12686 patches
Short-term Actions (1-7 days)
- Audit all sessions for unauthorized access
- Review all endpoint access during breach window
- Implement API key rotation automation
- Enable enhanced logging and alerting
- Conduct tabletop exercise
Long-term Actions (30+ days)
- Implement network segmentation
- Deploy API gateway with rate limiting
- Establish quarterly API key rotation
- Conduct penetration testing
- Review third-party integrations
6.2 Vulnerability Management
Profile Level: L1 (Baseline)
Recent CVEs (both added to the CISA Known Exploited Vulnerabilities catalog)
| CVE | CVSS | Description | Remediation |
|---|---|---|---|
| CVE-2024-12356 | 9.8 | Unauthenticated command injection in Remote Support and PRA, executed as a site user (advisory BT24-10) | Patch immediately (self-hosted); SaaS instances were patched by the vendor |
| CVE-2024-12686 | 6.6 | OS command injection in Remote Support and PRA requiring existing administrative privileges (advisory BT24-11) | Patch immediately; also review admin accounts, since exploitation needs one |
# Check current version. The path below is illustrative: confirm that your
# version's Configuration API exposes a version resource; otherwise read the
# version from the admin console (Status → Information) or your appliance inventory.
curl -s "https://${BEYONDTRUST_HOST}/api/system/version" \
  -H "Authorization: Bearer ${API_TOKEN}"
# Verify patches applied: compare the running version against advisories
# BT24-10 (CVE-2024-12356) and BT24-11 (CVE-2024-12686). Self-hosted appliances
# must apply the vendor patch; SaaS instances were patched by BeyondTrust.
7. Compliance Quick Reference
SOC 2 Mapping
| Control ID | BeyondTrust Control | Guide Section |
|---|---|---|
| CC6.1 | MFA enforcement | 1.1 |
| CC6.2 | RBAC | 1.2 |
| CC6.6 | IP restrictions | 1.3 |
| CC7.2 | Session recording | 4.1 |
NIST 800-53 Mapping
| Control | BeyondTrust Control | Guide Section |
|---|---|---|
| IA-2(6) | MFA for privileged | 1.1 |
| IA-5 | API key management | 2.1 |
| AC-17, SC-7(5) | IP-based access restrictions | 1.3 |
| AU-14 | Session recording | 4.1 |
CISA Guidance (Post-Treasury Breach)
Following the December 2024 incident:
- Immediately apply all security patches
- Rotate API credentials
- Implement IP allowlisting for API access
- Enable comprehensive audit logging
- Review all third-party integrations
Appendix A: References
Official BeyondTrust Documentation:
Incident Reports:
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial guide with Treasury breach lessons | Claude Code (Opus 4.5) |