444 Questions
What is the primary function of CyberArk PAM's discover feature?
To identify and manage credentials
What is the purpose of password rotation frequency in CyberArk PAM?
To regularly change passwords
What is the primary goal of CyberArk PAM's remediate feature?
To mitigate risky behavior
What is the purpose of policies in CyberArk PAM?
To manage password complexity
What is the primary function of CyberArk PAM's record feature?
To audit sessions
What is the primary function of CyberArk PAM's monitor feature?
To monitor privileged activity
What is the primary purpose of the Vault in the given diagram?
To store credentials
What is the primary function of the Privileged Session Manager in the context of the Vault?
To manage and monitor privileged sessions of IT staff and auditors
What type of encryption model is used in the given diagram?
Hierarchical Encryption Model
What is the recommended factor of authentication in the given diagram?
Two Factor
What is the primary benefit of using a Password Vault in the context of the Vault?
To secure and manage sensitive credentials and prevent insider threats
What is the primary purpose of Auditing in the given diagram?
To track and analyze security events
What is the role of the Central Policy Manager in the context of the Vault?
To enforce centralized policy management on target accounts and servers
What is the benefit of using a Hierarchical Encryption Model?
Every object has a unique key.
What is the primary risk associated with unmanaged target accounts and servers?
Insider threats and security breaches
What is the primary purpose of the firewall in the given diagram?
To protect against external security breaches
What is the primary purpose of the Vault in the context of Privileged Account Management?
To secure and manage sensitive credentials and prevent insider threats
What is the primary benefit of using a Privileged Session Manager in the context of the Vault?
To monitor and control privileged access to sensitive resources
What is the benefit of using granular permissions in the given diagram?
It provides role-based access control
What is the primary purpose of the Authentication process in the given diagram?
To verify user identities
What task can be performed via the PVWA interface?
Disable a user or activate a suspended user
What type of users can be viewed via the PVWA interface?
Both LDAP and CyberArk users
What can be created manually through the PVWA interface?
New CyberArk users
What action can be taken on a user's password via the PVWA interface?
Reset the password
What is a feature of the User Management module in the PVWA interface?
Create and edit CyberArk users
What is a capability of the PVWA interface in terms of user management?
View all users
Where are users stored in PrivateArk Client?
Vault database
How can users be added to PrivateArk Client?
Manually through PrivateArk Client or via LDAP directory
What is the recommended approach to managing users in PrivateArk Client?
Using an external LDAP directory, such as Active Directory
What can be configured for a user in PrivateArk Client?
All of the above
What is the purpose of the General Tab in PrivateArk Client?
To manually add a new user
How can you change the Master user password in PrivateArk Client?
Through the User → Set Password option
What is the primary distinction between Users and Accounts in the context of User Management?
Users represent individual entities, while Accounts represent access points.
What is the main difference between Internal users and groups and Transparent users and groups?
Internal users and groups are managed by the system, while Transparent users and groups are managed by the administrator.
What is the purpose of directory mapping in User Management?
To synchronize user data between directories
What can be managed in PrivateArk Client and PVWA?
Internal users and groups
What is the primary benefit of using custom directory mapping?
Streamlines user management by automating user provisioning
What is the main difference between Vault authorizations and Safe authorizations?
Vault authorizations are used for managing privileged accounts, while Safe authorizations are used for managing shared accounts
What is the primary role of predefined users and groups in User Management?
To provide a default set of roles and permissions
What is the main benefit of using Transparent users and groups?
Streamlines user management by automating user provisioning
What is the significance of the '30' in the platform name 'LIN SSH 30'?
Indicates the password rotation frequency
What is the purpose of the 'Generate Password' section in the Edit Platform settings?
To manage password complexity
Why would a Vault administrator deactivate a platform?
To improve performance by reducing platforms
What is a key characteristic of the platform name 'LIN SSH 30'?
It is based on a logical naming convention
What can be modified in the Edit Platform settings?
Password policy settings
What is divided into two broad sections in the Edit Platform settings?
UI & Workflows and Automatic Password Management
What is the primary purpose of plug-ins in Platform Management?
To connect to different target systems
What is a key aspect of password policy settings in Platform Management?
Defining the technical settings for password management
How are platforms organized in Platform Management?
By target system type
What is the basis for exceptions to the Master Policy?
The specific requirements of each platform
Why is it necessary to duplicate a platform in Platform Management?
To create a new platform with different password policy settings
Where are platforms located in the interface?
Under the Administration tab
What can be viewed in the Platform Management page?
Password management policies applied to different platforms
What was discussed in this session?
The general workflow when working with CyberArk PAM
What is the next exercise after completing this session?
Securing Windows Domain Accounts
What is the purpose of the CyberArk Marketplace?
To access additional resources and exercises
What can be done in the Platform Management page?
All of the above
What is the result of configuring key parameters in Platforms?
Password management policies
What is the relationship between the Master Policy and Platforms?
The Master Policy is used to configure key parameters in Platforms
What is the purpose of editing the Master Policy?
To configure password management policies
What is the maximum number of objects recommended to be stored in a Safe?
3,000 to 5,000
What is the principle that should be followed when storing objects in Safes?
Least privilege
What type of accounts should have separate Safes?
Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts
What is the character limit for safe names?
28 characters
What is the recommended approach to managing access control to privileged identities in CyberArk?
Least privilege
How many characters are double-byte characters limited to?
Not supported
Who can be granted access to a Safe?
Users and groups
What is the purpose of permissions in a Safe?
To manage accounts and their passwords
How are permissions organized in a Safe?
Into groups for convenience
What can be done to a Safe if you have the appropriate permissions?
Add new members and assign permissions
What is a benefit of using granular permissions in a Safe?
It provides more flexibility in managing access
What is managed through the permissions assigned to Members of a Safe?
Access to accounts and their passwords
What is the maximum number of characters allowed in a safe name?
28
What is the purpose of the AllowedSafes parameter?
To limit the scope of a platform to specific safes
Why is object-level access control not recommended?
No reason is given in the text
What can be used to add members and manage permissions in a safe?
The new wizard
What is the benefit of using permission presets?
Simplifies the permission management process
What can be searched for in the Vault or LDAP using the new wizard?
Users or groups
What is the purpose of predefined users and groups?
To simplify user management
What is the significance of the string 'Lin-' in the AllowedSafes parameter?
It is a regular expression pattern for limiting scope
What is the purpose of the Scan Vault for Account step?
To retrieve account information and current passwords
What happens after a successful login using new credentials?
The system stores new credentials
What is discussed in this session?
How to add an account to CyberArk PAM via the PVWA
What is the outcome of the Change Process?
A successful or failed login using new credentials
What is the purpose of the Generate Password step?
To generate a new password
What happens after a successful connection and run of the change password process?
The system logs in using new credentials
What is the purpose of the Login using current credentials step?
To validate current credentials
What is the outcome of the Login using current credentials step?
A successful or failed login using current credentials
What is the purpose of the Store new credentials step?
To store new credentials
What is the purpose of the Change Process diagram?
To illustrate the password management process
What is the purpose of using CyberArk PAM to push private keys to application servers?
To authenticate using SSH keys
What is the benefit of securing Unix accounts with SSH keys?
To provide an additional layer of security
What is the purpose of the 'Verify you can login with the Private Key' exercise?
To verify secure login using a private key
What is the benefit of using linked accounts in CyberArk PAM?
To provide secure access to multiple platforms
What is the purpose of generating a key-pair in SSH key management?
To generate a private and public key pair
What is the benefit of securing Windows Server Local Accounts via a reconcile account?
To reduce the risk of unauthorized access
What is the main benefit of using SSH keys instead of passwords?
More secure and less vulnerable to attacks
What is the role of the Central Policy Manager in the context of the Vault?
To manage and change key-pairs frequently
What is the primary purpose of storing private keys in the Vault?
To allow users to retrieve private keys for authentication
What is the benefit of using unique key-pairs for each target system?
More secure and reduces the risk of compromised systems
What happens when a target system is compromised?
All systems that trust the compromised system are vulnerable
What is the primary function of the SSH Key Manager?
To create unique key-pairs for each target system
What is the purpose of the Central Policy Manager changing key-pairs frequently?
To reduce the risk of compromised systems
What is the benefit of using the SSH Key Manager to authenticate to target systems?
More secure and less vulnerable to attacks
What is the main purpose of a Logon account?
To authenticate users to a system
What is a best practice for Root account management?
Using the username 'root'
What is the primary purpose of SSH key management?
To configure SSH keys
What is the purpose of password reconciliation?
To synchronize passwords
What is the primary concern of Privileged Access Security?
Securing sensitive credentials
What is a key aspect of SSH policy configuration?
Defining access controls
What type of files can the CPM manage application accounts in?
Plain text files, INI files, XML files, and Web configuration files
What happens when the CPM changes the password for a privileged account?
The CPM pushes the updated password to the config file used by the application
What is required to add a configuration file usage?
Manually add the relevant usage in the target account platform
What type of file is used by the application to retrieve credentials?
Configuration file
What is the purpose of the CPM in relation to the config file?
To update the password in the config file
What is the role of the CPM in managing application accounts?
To manage application accounts in various file types
What is the purpose of Usages in CyberArk PAM?
To synchronize an account password with all other occurrences of the same password
What happens when the password for a target account is changed in CyberArk PAM?
The password is updated on all occurrences of the same password anywhere in the network
What is the purpose of Dependent Platforms in CyberArk PAM?
To manage Usages of account passwords
How does the CPM synchronize account passwords in CyberArk PAM?
By scanning for usages anywhere in the network
What is an example of a Dependent Platform in CyberArk PAM?
A local Windows user used to run a scheduled task
What is the result of setting SearchForUsages to Yes in CyberArk PAM?
The CPM scans for usages anywhere in the network
What is the purpose of specifying the section and parameter in the INI config file usage?
To specify the location of the password in the file
What is the benefit of encrypting passwords in configuration files?
To enhance the security of the password storage
What is the purpose of associating a logon account with the usage?
To log onto the remote machine where the usage exists
What is the purpose of the Encryption Command parameter?
To encrypt the password using an external command
What is the effect of the CPM changing the password for dba01?
It changes the password in the database and the INI file
What is the purpose of the INI file in the context of the CPM?
To store the password for the server
What is required to log onto the remote machine where the usage exists?
A logon account
What is the benefit of using the CPM to manage passwords?
It enhances the security of password storage
What is the primary purpose of requiring users to specify a reason for access in Privileged Account Management?
To track accountability and ensure responsible access
What is the primary role of Safe membership in Dual Control policies?
To authorize access requests from managers or peers
What is the primary benefit of using Dual Control policies in Privileged Account Management?
To provide an additional layer of security and control
What is the primary purpose of the Privileged Account Request section in a Platform?
To create a list of choices for users when accessing a password
Who are the Requesters in the context of Dual Control policies?
The users who want to access privileged accounts
What is the primary benefit of requiring users to specify a reason for access in a Platform?
To provide an audit trail for access requests
What is the primary function of the multi-level approval process in Dual Control?
To require approval from multiple groups before a request is fulfilled
What is the purpose of selecting 'All' in the number of confirmers for a request?
To require approval from all members of the group
How does the multi-group approval process work?
At least one person from each group must approve the request before it is fulfilled
What is the purpose of the IT Directors group in the multi-level approval process?
To approve requests after they have been approved by the IT Managers group
What is the benefit of using a multi-level approval process?
It provides an additional layer of security and accountability
What is the purpose of enabling direct manager approval?
To require approval from the manager of the requester
What happens to the password when multiple users access it simultaneously?
It is reset as each user accesses it
What is the purpose of the password release mechanism?
To release the password after the Minimum validity period
What is an essential component of the Dual Control workflow?
Reason for access
What is the benefit of using Exclusive Passwords in Privileged Account Management?
To provide an additional layer of security
What is the primary goal of the One-time Passwords workflow?
To use a unique password for each access
What is the purpose of the Minimum validity period in password management?
To control password reset based on a set period
What is a key aspect of the Dual Control policy?
Require users to specify a reason for access
What is the primary benefit of using Safe Membership Configuration in Privileged Account Management?
To provide an additional layer of security and control
What is the primary purpose of the Accounts Discovery and Onboarding Rules feature?
To discover and onboard new accounts
What method can be used to add multiple accounts at once?
Add multiple accounts from file
How can scripts and applications interact with the Vault?
Through the PAM Web Services API
What is the purpose of Continuous Accounts Discovery?
To continuously discover new accounts
What is the primary purpose of the Discovery and Audit (DNA) feature?
To discover and audit new accounts
What is the primary benefit of integrating with the Vault using the Rest API?
To customize interactions with the Vault
What is the primary benefit of using Accounts Discovery with Automatic Onboarding Rules?
Streamlined onboarding process
What is the purpose of Continuous Accounts Discovery?
To discover new accounts
What is an advantage of adding multiple accounts from a file?
Reduced administrative burden
What is the purpose of the REST API integration in PAM Administration?
To enable automation of account discovery and onboarding
Which onboarding method is preferred when dealing with a large number of accounts?
Adding multiple accounts from a file
What is the benefit of using Accounts Discovery with Automatic Onboarding Rules?
Streamlined onboarding process
What is the primary purpose of the Discovery and Audit (DNA) method?
To discover and audit existing accounts
What is the benefit of using Continuous Accounts Discovery?
Reduced administrative burden
What is the main purpose of the Add Account method in onboarding accounts?
To add an account when the target Safe and Platform are known
Which method is used to upload discovered accounts to the Pending Safe?
Add Discovered Accounts
What is the purpose of the Add Discovered Accounts method?
To upload discovered accounts to the Pending Safe or onboard the accounts directly via automatic onboarding rules
How many main REST methods are relevant for the process of onboarding accounts?
3
What is the purpose of automatic onboarding rules in the Add Discovered Accounts method?
To onboard the accounts directly
What are the three main REST methods relevant for onboarding accounts?
Add Account, Add Discovered Accounts, Create Bulk Upload of Accounts
What is the purpose of RDP over SSL in the PSM flow?
To connect to Windows Servers securely
How does the Privileged Session Manager enhance privileged access control?
By isolating privileged sessions for added security
What is the purpose of fetching credentials from the Vault?
To authenticate to privileged sessions securely
What is the benefit of integrating with SIEM and PTA?
To monitor and analyze privileged access in real-time
What is the purpose of the Vault in the PSM flow?
To manage and secure privileged credentials
What is the purpose of logging and auditing in the PSM flow?
To monitor and analyze privileged access for compliance
What is the primary benefit of using PSM in the given diagram?
To provide complete isolation of target systems
What is the purpose of the Vault in the given diagram?
To manage privileged credentials for target systems
What happens to logs in the given diagram?
They are forwarded to SIEM and PTA for analysis
What is the primary purpose of using RDP over SSL in the given diagram?
To provide secure connections to Windows/UNIX servers
What is the benefit of using PSM with the Vault?
It reduces the risk of credential exposure to users
What is the primary benefit of integrating with SIEM/PTA in the given diagram?
It enables real-time analysis and threat detection
What is the primary purpose of the PSM for SSH?
To enable privileged access control
What happens after the user opens an SSH session to the PSM server?
PSM retrieves the privileged account password from the Vault
What is the purpose of the Vault in the given diagram?
To store privileged account passwords
What is the benefit of using PSM for SSH?
Improved security through session isolation
What is the purpose of logging in the given diagram?
To forward logs to SIEM and PTA
What is the role of PSM in the given diagram?
To manage privileged access control
What is the benefit of integrating PSM with SIEM and PTA?
Enhanced monitoring and analysis of SSH sessions
What is the primary purpose of the PSM connection?
To establish an SSH session to the target using the privileged account
What can be viewed using the PSM for SSH?
Live session audit
What action can the PSM take when notified by PTA or a third-party threat analytics tool?
Suspend or terminate sessions
What can authorized users do with active sessions using the PSM?
Participate in controlling sessions and suspend or terminate them
What protocol is being used for remote desktop connection in the given diagram?
RDP
What is the purpose of the PSM in the given diagram?
To monitor and control active sessions
What is the purpose of the PVWA interface in the given diagram?
To manage privileged sessions
What is the unit of measurement for the average bit rate of recorded sessions?
KB/min
What is the formula to calculate the required storage on the PSM Server?
S_PSM = C_session × t_session × R_session + 20 GB
What is the average length of a recorded session used in the example calculation?
180 minutes
What is the required storage on the Vault Server calculated based on?
Retention history requirement and average number of recorded sessions per day
What is the purpose of the calculation for the required storage on the PSM Server?
To determine the required storage for recorded sessions
What is the result of the calculation for the required storage on the Vault Server?
1.96 TB
Where can PSM video and text recordings be stored?
In an external storage device
What is the purpose of monitoring privileged session recordings?
To identify security breaches
What is the primary benefit of using the Vault for storage?
Improved security
What can be monitored using the PSM?
Both active and recorded sessions
What is the primary function of the PSM in the context of the Vault?
To create video and text recordings
What is the primary benefit of using the PSM for SSH?
Improved security
What can be managed using the PSM?
Both privileged session recordings and active sessions
What is the primary purpose of privileged session management?
To prevent unauthorized access
What is the primary function of the CyberArk Privileged Threat Analytics?
To detect and respond to suspicious activities
What is the benefit of using CyberArk Privileged Threat Analytics?
Speedy response and automated containment
What type of data does CyberArk Privileged Threat Analytics collect?
Data from a wide variety of sources
What is the purpose of the ALERT feature in CyberArk Privileged Threat Analytics?
To notify security teams with detailed event information
What is the primary goal of CyberArk Privileged Threat Analytics?
To detect and respond to suspicious activities
What is the significance of real-time analytics in CyberArk Privileged Threat Analytics?
It enables rapid identification and detection of suspicious activities
What is the primary purpose of modifying and adding rules for suspicious session activities in CyberArk?
To tailor the detection of threats to the organization's specific needs
What is the function of the Category field in defining a rule in CyberArk?
To categorize the type of session activity being monitored
What is the role of the Security Team in the Session Analysis and Response Life Cycle?
To perform manual response and risk review
What is the purpose of the demos featured in the 'Demos' section?
To review recorded demos of threat detection and automatic response
What is the primary benefit of using a customized set of rules for suspicious session activities in CyberArk?
To tailor the detection of threats to the organization's specific needs
What is the primary objective of Privileged Threat Analytics (PTA)?
To detect and respond to privileged threats
What is the purpose of the Threat Score in defining a rule in CyberArk?
To assign a severity rating to the rule
What type of data sources are used by Privileged Threat Analytics (PTA)?
Various data sources, including network traffic, logs, and system events
What is the primary benefit of configuring automatic responses in PTA?
To improve the speed of threat response
What is the primary goal of session analysis in PTA?
To detect anomalies in user behavior
What is the primary risk associated with unmanaged target accounts and servers?
All of the above
What is the primary benefit of using real-time analytics in PTA?
Improved threat detection
What is the primary purpose of threat profiling in PTA?
To identify high-risk users and systems
What is the primary benefit of integrating PTA with Active Directory Security?
Enhanced threat detection and response
What is the primary purpose of the Privileged Accounts Inventory Report?
To provide information about all the accounts in the system
What is the main difference between Operational reports and Audit/Compliance reports?
Operational reports are used for daily operations, while Audit/Compliance reports are used for compliance and auditing
What can be done with finished reports?
They can be downloaded in Excel or CSV formats
What is the purpose of the Refresh button in report status?
To see if a report has been generated
What information is provided by the Applications Inventory Report?
Information about application IDs in the system
What is the benefit of adding subscribers to a report?
It allows subscribers to receive notifications by email when the report is generated
What type of report is an Entitlement Report categorized as?
PVWA Report
Which type of report provides information about Privileged Accounts?
Privileged Accounts Inventory
What is the main focus of the Compliance Status report?
Privileged Accounts compliance
Which report provides a record of all activities performed in the system?
Activity Log Report
Which type of report would be of interest to Vault Admins?
PrivateArk Reports
What is the main focus of the Applications Inventory report?
Application inventory management
What type of report can be generated using the EVD Utility?
Privileged Accounts Inventory
What is required to run different reports in PrivateArk Client?
Specific permissions
What type of report provides a list of all users in the system?
Users List Report
Which application can be used to generate various reports, including the Privileged Accounts Inventory report?
All of the above
What type of report provides information on the compliance status of privileged accounts?
Compliance Status Report
What is the primary purpose of generating reports using the PVWA and PrivateArk Client?
To generate reports on privileged accounts
What type of report provides a list of all safes in the system?
Safes List Report
What is the primary benefit of generating reports using the PVWA and PrivateArk Client?
Better management of privileged accounts
What is the primary deployment model of PAM Self-Hosted?
Entirely on-premises installation
What is a key benefit of PAM Self-Hosted?
Total ownership and control by the customer
What is the primary concern for scalability planning in PAM Self-Hosted?
Scaling to meet increasing user demands
What is a key infrastructure requirement for PAM Self-Hosted?
All of the above
What is a primary security consideration for PAM Self-Hosted?
All of the above
What is a key benefit of PAM Self-Hosted in terms of high availability?
Increased uptime and reduced downtime
What is the primary purpose of the Vault in the provided architecture?
To store and manage privileged credentials
What is the benefit of deploying the Vault in a High Availability (HA) cluster configuration?
To ensure the availability of the Vault in the event of a failure
What is the role of the Central Policy Manager (CPM) in the provided architecture?
To manage and configure policies for the IT environment
What is the primary consideration when deploying the CyberArk architecture in a distributed environment?
Planning for scalability and high availability
What is the primary benefit of using a hierarchical encryption model in the CyberArk architecture?
Improved security of the Vault
What is the primary reason for implementing a disaster recovery (DR) site in the provided architecture?
To ensure business continuity in the event of a disaster
What is the primary function of the Central Policy Manager?
Performs password changes on devices
What is the purpose of the Privileged Session Manager?
To isolate and monitor privileged account activity
What is the primary benefit of using a Password Vault?
To store and manage privileged account information securely
What is the function of the Secure Digital Vault?
To store privileged account information securely
What is the role of the Privileged Threat Analytics?
To monitor and detect malicious privileged account behavior
What is the purpose of the Password Vault Web Access?
To provide a web interface for users to access privileged account information
What is the primary function of the Central Policy Manager in the context of the Vault?
To configure policies and perform password changes on devices
What is the primary benefit of using a Privileged Session Manager in the context of the Vault?
To isolate and monitor privileged account activity
Where are the Safes in the Vault stored?
In the Data sub-directory
What is the purpose of the Credential File in the Replicator utility?
To authenticate to the Vault server
What is essential to back up regularly in the Vault?
Both the Data and Metadata folders
What is the command used to launch a backup at a command line?
PAReplicate.exe vault.ini /logonfromfile user.ini /FullBackup
What is a requirement for integrating with an Enterprise Backup Solution?
Policy requires integration
What is the purpose of the Vault.ini file?
To give the Replicator utility the network address of the Vault server
What can be backed up and restored in the Vault?
Both a single Safe to a Vault and a complete Vault's data and metadata
Where are database files stored in the Vault?
In the Metadata sub-directory
What is the purpose of enabling the Backup user?
To enable the Replicator utility to backup data
What is the purpose of setting a password on the Primary Vault?
To secure the Primary Vault
What is the name of the solution that replicates data?
Replicate Utility
What is the purpose of the Replicator module?
To replicate data to a backup folder
What is a key requirement for the backup server when using the Replicate Utility?
It must have the same disk space as the Vault database on an NTFS volume
What is the recommended approach to backing up the Vault using the Replicate Utility?
Install the Replicate Utility on a separate server on the network
Why is the Indirect Backup method recommended over the Direct Backup method?
It reduces the risk of introducing an external application to the Vault
What is a necessary feature of the backup server when using the Replicate Utility?
It must have accessibility by the enterprise backup system
What is a key benefit of using the Replicate Utility for backup and restore?
It enables integration with enterprise backup systems
What is a key consideration when installing the Replicate Utility on a separate server?
The server must have physical security that only permits authorized users
What is the role of the Replicate Utility in the backup and restore process?
It pulls Vault data as encrypted files to the backup server
What is a necessary step before installing the Replicate Utility?
Ensure the backup server meets the necessary requirements
What is the recommended approach to avoid data loss during replication?
Save audit data via the activity log
What is the purpose of using a DNS Alias for the Vaults?
To control which Vault is used by the components
What is the primary goal of automatic failover in PVWA setup?
To allow users to access passwords without interruption
What is the risk associated with not saving audit data during replication?
Data loss
What is the purpose of using a Disaster Recovery Environment?
To provide a backup Vault in case of failure
What is the primary benefit of using a Primary Vault Synchronization?
To ensure consistency across all Vaults
What is the purpose of the CheckInterval parameter in automatic failover?
To indicate the time it takes for the DR Vault to contact the Primary Vault
What happens when the DR Vault is unable to contact the Primary Vault after the retry attempts?
The DR Vault goes into DR mode
What is the purpose of setting EnableFailover to No in manual failover?
To disable automatic failover
What is required to perform a manual failover?
Setting ActivateManualFailover to Yes and restarting the DR service
What is the sequence of events in the failover process?
Connection fails, retry attempts, failover started, data synchronization
What is the purpose of EnableDbsync in manual failover?
To enable data synchronization
What is the default setting for EnableDbsync in manual failover?
Yes
What happens when the DR service is restarted with ActivateManualFailover set to Yes?
The service reads the config file and starts the failover process
What occurs when a failover takes place in the Disaster Recovery Environment?
The DR service first synchronizes the information in its database with the Safe data files
What is the default setting for the EnableDbsync parameter in the padr.ini file?
EnableDbsync=Yes
What determines the length of time between synchronizations of the Vault file system?
The ReplicateInterval parameter
What is the primary purpose of the DR service in the Disaster Recovery Environment?
To synchronize the information in its database with the Safe data files
What is the default time interval for synchronizing the Vault file system?
3,600 seconds (or 1 hour)
What is the purpose of the Primary Vault in the Disaster Recovery Environment?
To synchronize the information in its database with the DR Vault
What is the primary function of the Server Key in the CyberArk PAM solution?
To install and operate CyberArk PAM
What type of encryption is used to protect the keys in the Vault?
AES-256
What is the purpose of the Recovery Private Key in the CyberArk PAM solution?
To recover encrypted vault objects
How are vault objects encrypted in the CyberArk PAM solution?
Using a hierarchical encryption model
What is the purpose of encrypting the key in the Vault?
To protect the key from unauthorized access
What is the primary function of the Recovery Public Key in the CyberArk PAM solution?
To recover encrypted vault objects
What is the purpose of the three files that form the cornerstone of the CyberArk PAM solution encryption methodology?
To install and operate CyberArk PAM
What is the benefit of using a secure platform in the Vault?
To reduce the risk of key exposure
What is the purpose of access control in the Vault?
To restrict access to authorized personnel
What is the benefit of using digital vault configuration?
To increase the security of the Vault
What is the purpose of encryption in the Vault?
To protect the data from unauthorized access
What is the benefit of using granular permissions in the Vault?
To restrict access to sensitive data
What is the purpose of the Vault's security controls?
To protect the Vault from external threats
What is the benefit of using a hierarchical encryption model?
To increase the security of the Vault
What is the purpose of the firewall in the Vault's security architecture?
To protect the Vault from external threats and unauthorized access
What is the benefit of using a Hierarchical Encryption Model in the Vault?
It provides a unique encryption key for each object
What is the primary purpose of Access Control in the Vault?
To restrict access to authorized users and roles
What is the role of the Proprietary Protocol in the Vault's security architecture?
It provides a secure connection for encrypting data
What is the primary benefit of using Granular Permissions in the Vault?
It enables more granular access control to sensitive data
What is the purpose of Auditing in the Vault's security architecture?
To detect and respond to security incidents
What is the primary function of the Firewall in the given diagram?
To control access to the Vault
What type of encryption model is used in the Hierarchical Encryption Model?
Multi-layer encryption
What is the primary benefit of using Granular Permissions in the Vault?
Fine-grained control over access
What is the primary purpose of Auditing in the given diagram?
To track and monitor access to the Vault
What is the recommended factor of authentication in the given diagram?
Two factor
What is the primary purpose of the Proprietary Protocol in the Vault?
To provide an additional security layer
What is the purpose of the Server Key in CyberArk PAM?
To operate CyberArk PAM
What type of encryption is used in the Vault Object Encryption mechanism?
AES-256
What is the role of the Recovery Public Key in CyberArk PAM?
To recover private keys
What is the purpose of the Recovery Private Key in CyberArk PAM?
To recover private keys
What are the three files required to install and operate CyberArk PAM?
Server Key, Recovery Public Key, and Recovery Private Key
What is the primary purpose of the encryption methodology in CyberArk PAM?
To protect Vault objects
What is the primary goal of security controls protecting the Vault and encryption keys?
To ensure data integrity and confidentiality
What is the primary benefit of using a hierarchical encryption model in the Vault?
To simplify key management
What is the role of permissions in the Vault's access control layer?
To control access to the Vault
What is the primary purpose of encrypting the key with a 3rd-party tool in the Vault?
To protect the key from unauthorized access
What is the primary risk associated with unmanaged target accounts and servers in the Vault?
Unauthorized access to sensitive data
What is the primary benefit of using granular permissions in the Vault's access control layer?
To control access to sensitive data
What is the primary purpose of the Vault in the context of Privileged Account Management?
To provide secure access to privileged accounts
What is the primary goal of encryption mechanisms in the Vault?
To protect data at rest and in transit
What are the methods used to monitor system health?
REST, Email, SIEM, SNMP
What administrative task is related to system maintenance?
Monitoring replication and DR status
What is monitored in terms of replication and DR status?
Replication and DR status
What is the primary goal of monitoring system health?
To detect system failures
What are the different ways to monitor components?
REST, Email, SIEM, SNMP
What is the benefit of monitoring system health?
To detect system failures
What is the purpose of the Remote Control Agent?
To execute tasks on a Vault component
What information can be received through the Remote Monitoring feature?
Both Operating System and Vault component-specific information
What is required to be installed on the same computer as the Remote Control Agent?
None of the above
What is the purpose of the MIB files provided by CyberArk?
To describe the SNMP notifications sent by the Vault
What is the function of the Remote Control feature in the Vault?
To carry out remote operations on the Vault and its components
What is the benefit of using the Remote Monitoring feature?
To monitor the Operating System and Vault information remotely
What is the ID of the email template that can be customized for component monitoring?
206
Where can you configure the monitoring interval for a component?
dbparm.ini
What is the purpose of the ComponentMonitoringInterval parameter?
To set the monitoring interval for a component
What determines the actions taken when a component is disconnected?
ComponentNotificationThreshold
What is the result of enabling email notifications for a component?
Vault Admins will receive a notification in their inbox
What is used to monitor components via SNMP?
Remote Control Agent
Where can you enable monitoring of a specific CyberArk component user account?
PrivateArk Client
What is the purpose of the General tab in the PrivateArk Client?
To check the box for sending email notifications
What is the purpose of creating a shadow user?
To run connection components and store user preferences
What is the primary function of AppLocker in PSM?
To define a set of rules that allow or deny applications from running
What should you do to isolate problems related to shadow users?
Run the component manually as the shadow user
How do you disable AppLocker entirely?
By setting Executable Rules to Audit Only in the MMC snap-ins
What is the recommended approach when adding a new component in PSM?
Adjust AppLocker by adding an exception to PSMConfigureApplocker.xml
What should you do to the PSMConfigureApplocker.ps1 script?
Run it to adjust AppLocker
What happens to a user who fails to log in 5 times?
The user is suspended
How can a user be unsuspended after being locked out?
Automatically after a set time period
What is the purpose of the UserLockoutPeriodInMinutes parameter?
To configure the timeout period for automatic unsuspend
Why did the user's login attempt fail?
The user's password was changed recently
What can the Vault administrator see in the ITAlog?
The user's failed login attempts
What happens when a user's account is suspended?
The user is temporarily locked out
Who can see the ITAlog?
Only the Vault administrator
What is the result of a user's failed login attempt?
The user is suspended
Where is the CreateCredFile.exe command located?
C:\Program Files\CyberArk\Password Manager\Vault
What can cause interference with the CPM?
Local Computer Policy
What is the purpose of the VaultPermissionsValidation.sh script?
To resynch the credentials for the PTA Vault users
What is the command to run to resynch the credentials for the PTA Vault users?
VaultPermissionsValidation.sh
What is the alias to navigate to the utility folder on the PTA server?
UTILITYDIR
What can be done to resolve PTA connectivity issues?
Resynch the credentials for the PTA Vault users
What is the primary reason for disabling Network Level Authentication (NLA) in a PSM-RDP connection?
To determine if it's causing the connection problem
How can you manually test the PSMConnect user in a PSM-RDP connection?
By doing all of the above
Where can you disable Network Level Authentication (NLA) in a Target Windows Account?
In the Control Panel → System and Security → System → Remote Settings
What is the recommended approach to resolve issues with overloaded environments in a PSM connection?
Increasing the timeout values
What is the primary purpose of checking the PSM Protocol version in a PSM connection?
To understand the problem with the PSM connection
Why is it recommended to compare safe permissions with other safes in a PSM connection?
To ensure safe permissions are correctly configured
What is the purpose of shadow users in PSM?
To run connection components and store user preferences
What is the recommended approach to troubleshoot issues with PSM-RDP connections?
Run the component manually using the shadow user and adjust AppLocker rules
How can AppLocker be adjusted to allow a new component to run on the PSM machine?
By uncommenting the line relating to the new component in PSMConfigureApplocker.xml
What is the purpose of the AppLocker feature in Windows?
To define a set of rules that allow or deny applications from running on the PSM machine
What is the result of deleting a shadow user on the PSM machine?
The PSM will create a new shadow user
How can AppLocker be disabled on the PSM machine?
By using the MMC snap-ins to set Executable Rules to Audit Only
What is the purpose of running the component manually as the shadow user?
To isolate problems related to PSM-RDP connections
Why would you adjust AppLocker rules on the PSM machine?
To allow a new component to run on the PSM machine
When troubleshooting Target Windows Accounts, what command can be used to verify the connection?
net use \\<server>\IPC$ /user:<domain>\<username>
In PSM-RDP Connection troubleshooting, what is an important aspect to consider?
PSM server hardening
What can be checked in the Local Security Settings when troubleshooting Target Windows Accounts?
Unusual Local Security Settings
What is a suggested troubleshooting step for Target Unix Accounts?
Run 'plink' command manually
What is a common issue related to PSM?
PSM-RDP Connection issues
When troubleshooting Target Windows Accounts, what can be added to the CPM server?
DEP exceptions
What is the primary requirement for the basic troubleshooting methodology in the CyberArk environment?
Knowledge of the system implementation
What is the recommended practice when troubleshooting issues in the CyberArk environment?
Write down all information gathered during the process
What is the purpose of managing log files in the CyberArk environment?
To troubleshoot issues in the Vault
What is the xRay agent used for in the CyberArk environment?
To troubleshoot issues in the Vault
What is the primary goal of the troubleshooting methodology in the CyberArk environment?
To provide guidance for troubleshooting
What is the importance of understanding the system implementation in the CyberArk environment?
It is essential for troubleshooting
Where are CPM exceptions written to by default?
The trace log
Where can you configure the Debug Level for CPM troubleshooting?
The web.config file
What file would you check for CPM CASOS errors?
pm-error.log
Where can you configure the logging level for PVWA troubleshooting?
PVWA administration tab
What type of log files are stored in the \Program Files\CyberArk\PasswordManager\Logs\ThirdParty directory?
Plug-in log files
Where can you find CyberArk Web application logs?
%windir%\temp\
What is the purpose of the Debug Level setting in the web.config file?
To customize the logging level for CPM troubleshooting
Where can the configuration file for the Central Password Manager be found?
Vault ➔ Safe “Password Manager” ➔ root\policies.ini
What is the default debug level for the Central Password Manager?
2
Where can the logs for the Privileged Session Manager be found?
\Logs (and subfolders) or according to the 'LogsFolder' parameter
Where can the server settings for the Privileged Session Manager be configured?
PVWA ➔ System tab ➔ Options ➔ Privileged Session Management
What is the purpose of the TraceLevels setting in the Privileged Session Manager?
To configure the debug level for the PSM
Where can the General Settings for the Privileged Session Manager be configured?
PVWA ➔ System tab ➔ Options ➔ Privileged Session Management ➔ General Settings
What is the primary function of Privileged Threat Analytics (PTA)?
To detect malicious activity caused by privileged accounts and contain in-progress attacks
What is the benefit of using On-Demand Privileges Manager?
It provides a comprehensive solution for IT and enables complete visibility and control of super users and privileged accounts
What is the primary responsibility of the Central Policy Manager (CPM)?
To perform password changes and SSH key rotations on devices based on policies
What is the primary security feature of the Digital Vault?
It is implemented in compliance with the CyberArk Digital Vault Server security standard
What is the primary function of the 'Discover' feature in the Central Policy Manager?
To automate privileged account discovery
What is the purpose of the Privileged Session Manager?
To monitor and control privileged session access
What is the primary benefit of using a Password Vault in the context of the Vault?
To monitor and control privileged session access
Which operating system has an administrator account with the password 'tops3cr3t'?
Windows
What is the primary function of the Central Policy Manager?
To define master policy exceptions
What is the primary purpose of the PVWA interface?
To view reports
What is the primary purpose of the Digital Vault Security?
To secure and protect privileged account information
Which of the following is NOT a type of user account in the diagram?
Guest
What is the primary purpose of Privileged Account Discovery?
To discover and manage privileged accounts across the organization
What is the purpose of the security policy in the diagram?
To define access control
What is the primary purpose of the IT department in the diagram?
To provide Enterprise IT Environment
Study Notes
CyberArk PAM Key Features
- CyberArk PAM provides a comprehensive solution for discovering, isolating, recording, monitoring, and remediating privileged credentials and sessions.
Discover and Manage Credentials
- Automated processes for account discovery
- Policies for managing credentials, including:
  - Password complexity
  - Rotation frequency
  - Others
The Vault
- A secure storage for credentials
- Clients of the Vault include:
  - End users (IT staff, auditors, etc.)
  - Custom applications
  - Reporting tools
- The Vault provides a centralized policy management system
The Vault: End-to-End Security
- Secure storage of credentials
- Discretionary and mandatory access control
- Encryption of sessions and files
- Proprietary protocol and hardened built-in firewall
- Single or two-factor authentication
- Granular permissions and role-based access control
- Subnet-based access control and time limits
- Event-based alerts and tamper-proof audit trail
- Hierarchical encryption model, with every object having a unique key
User Management in PVWA
- User management module introduced in PAM version 13, accessible through PVWA
- Create and edit CyberArk users
- Create groups and assign users to them
- View all users (LDAP and CyberArk)
- Disable or activate a suspended user
- Reset a user's password
Managing Users
- Create new CyberArk users manually through PVWA
- Edit CyberArk users through PVWA
- Create groups and assign users to them through PVWA
- Disable or activate a suspended user through PVWA
- Reset a user's password through PVWA
Changing Master Password
- Change the Master user password by logging in as Master user and clicking User → Set Password
User Management in PrivateArk Client
- Manage users and groups via PrivateArk Client
- Adding users: authorized interfaces, authentication, vault authorizations, group membership, and general tabs
- Users stored in Vault database
- Recommended to manage users with an external LDAP directory, such as Active Directory
- Can manually create users via PrivateArk Client
General Tab
- Manually add new users through PrivateArk Client interface
Authorized Interfaces
- Select which interfaces a user can log in from
Authentication
- Select the authentication method for a user
Vault Authorizations
- Configure Vault authorizations for a user
Group Membership
- Select which groups a user is a member of
User Management Overview
- Users vs. Accounts: understand the differences between the two
- Internal Users and Groups vs. Transparent Users and Groups: understand the differences between the two
Platform Management
- Platforms have three main functions: defining technical settings, pointing to relevant plug-ins and connection components, and basis for exceptions to the Master Policy.
Platform Functions
- Define password policy settings such as minimum length, forbidden characters, and more.
- Manage how you log in and change a password on different target systems (e.g., Unix, Windows).
Creating and Managing Platforms
- Platforms are located under the Administration tab.
- Platforms are grouped by target system type.
- There are several dozen baseline platforms that function out of the box with little or no configuration.
Duplicating Platforms
- Duplicating a Platform is required when accounts of the same system type require different policies.
- Example: Unix accounts in different regions need to be rotated on a different basis.
Platform Naming Convention
- Use a logical naming convention based on business rules (e.g., LIN SSH 30 indicates Linux accounts via SSH connections with 30-day password rotation).
Editing Platform Settings
- Select Edit to modify Platform settings (e.g., password policy settings).
- Platforms are divided into two broad sections: UI & Workflows, and Automatic Password Management.
Password Complexity
- The Generate Password section controls password creation policy, including length, complexity, forbidden characters, and more.
Activating/Deactivating Platforms
- The Vault administrator can deactivate Platforms that are not currently relevant to your implementation, providing better administration and performance.
Policy By Platform
- The Platform Management page displays password management policies applied to different platforms.
Summary
- The general workflow when working with CyberArk PAM involves configuring key parameters in the Master Policy and Platforms.
- Key parameters include password policy settings, plug-ins, and connection components.
Granular Safe Permissions
- In the Safe Members tab, users and groups with access to the Safe are displayed.
- Members can be added and permissions assigned, managing access to accounts and passwords.
Permissions
- Permissions are organized into groups: Access, Account management, Safe management and monitoring, Workflow, and Advanced.
Safe Naming
- Safe names are limited to 28 characters and do not support double-byte characters.
- A naming convention is recommended, such as P-BOS-SRV-WIN-LAD-HR for local admin accounts on HR production servers.
Safe Constraints
- The number of objects stored in a Safe should be limited to 20,000, including versions of passwords.
- The recommended number of accounts or files stored in a Safe is between 3,000 and 5,000.
Access Control
- The principle of “least privilege” should be followed, storing objects in Safes according to need-to-know access.
- Separate Safes are recommended for Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts.
- Object-level access control is not recommended.
Adding Safe Members
- A new wizard streamlines the process of creating Safes and adding initial members.
- Permission presets and user/group searching are available.
Platforms and Safes
- The AllowedSafes parameter can limit the scope of a platform to specific Safes using a regular expression pattern.
- This helps improve CPM performance and simplifies administrative tasks.
Accounts
- Accounts store privileged account IDs and passwords in Safes
- Examples of accounts include:
  - Domain administrators
  - Local administrators
  - Root accounts
  - Service accounts
- Every account resides in a single Safe
- Every account is associated with a single Target Account Platform
Adding a Linux Account
- To add a new Linux account, provide the following information:
  - Platform: LIN SSH 30
  - Safe: Lin-Fin-US
  - Master Policy Exception: Change password every 30 days
  - Username: logon01
  - Password: ****** (hidden for security)
  - Address: target-lin.acme.corp
Account Management Operations
- Central Policy Manager (CPM) manages passwords and SSH keys on devices based on policies set by Vault Administrators
- CPM performs three actions:
  - Password Verification: Confirms passwords in Vault match target system
  - Password Change: Changes passwords automatically based on expiration period or user intervention
  - Reconciliation of unknown or lost passwords: Process used when Vault password doesn't match target system
Password Management Overview
- CPM manages privileged accounts through three actions: Verification, Change, and Reconciliation
- Verification confirms passwords in Vault match target system
- Change updates passwords automatically or through user intervention
- Reconciliation resolves unknown or lost passwords
Verification Process
- Scan Vault for Account
- Login using current credentials
- Notify Vault of success or failure
Change Process
- Scan Vault for Account
- Login using current credentials
- Generate new password
- Connect and run change password
- Store new credentials
Push Private Keys to Application Servers
- CyberArk PAM allows pushing private keys to application servers for SSH key authentication.
Linked Accounts
- There are two types of linked accounts commonly used and supported by default for most platforms:
  - Logon account
  - Reconcile account
Logon Account
- No additional information provided about logon accounts.
Root Account Best Practices
- Using a shared "root" username is not recommended: if that account is compromised, every system that trusts it is compromised as well.
- SSH keys are more difficult to change than passwords.
SSH Key Manager
- Creates unique key-pairs for each target system.
- Private keys are stored in the Vault, not on user workstations.
- The CPM (Central Policy Manager) changes key-pairs often and automatically disseminates public keys to target systems.
- End users retrieve the private key from the Vault to authenticate to the target system.
Agenda and Objectives
- By the end of this session, you will be able to:
  - Describe and configure linked accounts (logon accounts and reconcile accounts)
  - Describe and configure SSH key management
Configuration File Management
- Certain applications retrieve credentials from configuration files, which can be managed by the CPM.
- Supported file types include plain text, INI files, XML files, and web configuration files.
Config File Usage
- Applications use configuration files to retrieve passwords for authentication.
- When the CPM changes a password, it must also update the corresponding configuration file.
Adding Config File Usage
- To add a configuration file usage, the relevant usage must be added manually to the target account platform.
- The parameter SearchForUsages must be enabled.
Dependent Platforms
- Dependent Platforms are used for managing Usages.
- A usage refers to an instance where an account is used to perform a task somewhere else.
Usages
- The CPM can synchronize an account password with all other occurrences of the same password on the same server or anywhere in the network.
- This is done through Usages, which are registered in CyberArk PAM.
Scheduled Task Example
- A scheduled task can be used to run a task with a specific account.
- In this example, a local Windows user – sendmail01 – is used to run a scheduled task – SchedTask01.
Adding Config File Usage (2)
- The specific INI config file usage must be added to the relevant account.
- The usage specifies the server address, full path to the INI file, and where in the file the password can be found.
Configuration Files
- When the CPM changes a password, it will also change the password in the corresponding configuration file.
- The password can be encrypted using an external command.
Logon Account
- An extra account may be required to log onto the remote machine where the usage exists.
- A logon account can be associated with the usage.
Encrypting the Password in Config Files
- Passwords stored in configuration files can be encrypted using an external command.
- The encryption command and encryption regex parameters are used to handle the encryption process.
Advanced Settings
- End users can connect transparently using privileged accounts and are allowed by default to view passwords.
- Users can specify a reason for access, which forces them to provide a reason why they are using a particular account.
Privileged Account Request
- The list of options for the drop-down is defined at the Platform level, so it can have a different set of reasons on a platform-by-platform basis.
- Predefined Reasons can be added to create a list of choices for users when accessing a password in the PVWA.
Dual Control
- Dual control requires end users to get authorization before accessing privileged accounts.
- Authorization must be given by one or more managers or peers, depending on the configuration.
- Dual Control is controlled through Safe membership, where Requesters are the people who want to use the privileged accounts.
- At least one person from each group with approver permissions must approve the request before the requester can use the password.
Multi-Group Approval Process
- If more than one group with approver permissions is set up, at least one person from each group must approve the request before the requester can use the password.
- In advanced settings, a multi-level approval process can be enabled, where a request must first be approved by one group before it is forwarded for approval to another group.
- Direct manager approval can be enabled, determined by the Manager attribute on the requester's AD user object.
Exclusive Access
- Exclusive access allows multiple users to access the password simultaneously.
- The password is changed automatically upon manual release, and the system will release it automatically based on the Minimum validity period.
- In later versions, the password can be auto-released by the PSM.
Summary
- The session covered five workflows: Allow transparent connections, Require users to specify reason for access, Dual Control, Exclusive Passwords, and One-time Passwords.
PAM Web Services API
- PAM Web Services API is a set of REST-based services running on the PVWA.
- It allows scripts and applications to communicate with the Vault.
- Used by CyberArk applications as well as third-party applications.
- Enables organizations to develop custom interactions with the Vault to automate business processes.
Discovery and Onboarding Methods
- Discovery and Onboarding Methods include:
  - Add a single account
  - Add multiple accounts from file
  - Discovery and Audit (DNA)
  - Continuous Accounts Discovery
  - Accounts Discovery & Onboarding Rules
  - REST API
Onboarding Accounts
- Onboarding accounts can be done using three main REST methods:
  - Add account
  - Add discovered accounts
  - Create bulk upload of accounts
Add Account Method
- Used when the target Safe and Platform are known to the onboarding utility.
Add Discovered Accounts Method
- Used by CyberArk discovery and upload mechanisms, as well as third-party discovery mechanisms.
- Uploads discovered accounts (and dependencies) to the Pending Safe or onboards the accounts directly via automatic onboarding rules.
PAM Administration
- Involves Discovery and Onboarding.
PSM Flow
- PSM provides complete isolation of target systems, ensuring privileged credentials never reach users or their devices.
- Connections can be made from Unix, Linux, Mac, or Windows end-user machines.
- The PSM flow involves:
  - Logging on through PVWA
  - Connecting to PSM using RDP/TLS
  - Fetching credentials from Vault
  - Connecting using native protocols
  - Forwarding logs to SIEM and PTA
  - Storing session recordings
PSM for Windows
- The PSM for Windows flow involves:
  - Connecting to PSM using RDP/TLS
  - Fetching credentials from Vault
  - Connecting using native protocols
  - Forwarding logs to SIEM and PTA
  - Storing session recordings
PSM for SSH
- The PSM for SSH flow involves:
  - Opening an SSH session to the PSM server
  - Retrieving a privileged account password from the Vault
  - Opening an SSH session to the target using the privileged account
  - Forwarding logs to SIEM and PTA
  - Storing SSH session audits
Summary
- The Privileged Session Manager (PSM) features include:
  - PSM Connection Components
  - PSM Ad-Hoc Connections
  - PSM via HTML5 Gateway
  - PSM for Windows
  - PSM for SSH
Active Session Monitoring (PSM)
- PSM enables authorized users to monitor active sessions, take part in controlling these sessions, and suspend or terminate them.
- PSM can automatically suspend or terminate sessions when notified by PTA or a third-party threat analytics tool.
Active Session Monitoring (PSM for SSH)
- It is not possible to monitor or control live PSM for SSH sessions, but it is possible to view the live session audit.
- Recordings created by PSM for SSH are displayed in the classic interface.
Monitor Active Sessions
- Users can monitor active sessions using PVWA, HTTP/S, Unix, Administrator, RDP, and SSH (using PuTTY).
Sizing Calculations for the PSM Server
- The required storage on the PSM Server (S_PSM) is calculated using the formula: S_PSM = C_session * t_session * R_session_recording + 20 GB.
- The average bit rate of recorded video for different sessions is:
- 100 KB/min for average SSH session
- 200 KB/min for average low activity RDP session
- 300 KB/min for average high activity RDP session with rich wallpaper
Sizing Calculations for the Vault Server
- The required storage on the Vault Server (S_Vault) is calculated using the formula: S_Vault = t_retention * N_session * t_session * R_session_recording + 20 GB.
- The retention history requirement (t_retention) is a factor in calculating the required storage.
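The two sizing formulas above, carried through as an added worked example (not CyberArk's own sizing tool). The page does not define the symbols, so the readings used here (C_session as concurrent sessions on one PSM, N_session as sessions per day, t_session in minutes, t_retention in days) and the binary GB conversion are assumptions; the last function also inverts S_Vault to find how many days of recordings a given disk can hold, which goes beyond the notes.

```python
"""Worked sizing for PSM and Vault session-recording storage.

Applies the two formulas from the notes:
    S_PSM   = C_session * t_session * R_session_recording + 20 GB
    S_Vault = t_retention * N_session * t_session * R_session_recording + 20 GB
Assumed symbol readings (not defined on the page):
    C_session    concurrent sessions on one PSM server
    N_session    sessions per day
    t_session    average session length in minutes
    t_retention  retention period in days
    R_session_recording  recording rate in KB/min (values from the notes)
"""
import math

# Average recording rates from the notes, in KB per minute.
RECORDING_RATE_KB_PER_MIN = {
    "ssh": 100,       # average SSH session
    "rdp_low": 200,   # low-activity RDP session
    "rdp_high": 300,  # high-activity RDP session with rich wallpaper
}

KB_PER_GB = 1024 * 1024   # assumption: binary gigabytes
OVERHEAD_GB = 20          # fixed allowance added by both formulas


def weighted_rate_kb_per_min(mix):
    """Average recording rate for a session mix {type: fraction}; fractions sum to 1."""
    if not math.isclose(sum(mix.values()), 1.0):
        raise ValueError("session mix fractions must sum to 1")
    return sum(RECORDING_RATE_KB_PER_MIN[kind] * frac for kind, frac in mix.items())


def psm_recording_kb(concurrent_sessions, session_minutes, mix):
    """C_session * t_session * R_session_recording, in KB."""
    return concurrent_sessions * session_minutes * weighted_rate_kb_per_min(mix)


def psm_storage_gb(concurrent_sessions, session_minutes, mix):
    """S_PSM: recording space for the concurrent session load plus 20 GB."""
    return psm_recording_kb(concurrent_sessions, session_minutes, mix) / KB_PER_GB + OVERHEAD_GB


def vault_recording_kb(retention_days, sessions_per_day, session_minutes, mix):
    """t_retention * N_session * t_session * R_session_recording, in KB."""
    return (retention_days * sessions_per_day * session_minutes
            * weighted_rate_kb_per_min(mix))


def vault_storage_gb(retention_days, sessions_per_day, session_minutes, mix):
    """S_Vault: recordings kept for the whole retention period plus 20 GB."""
    return (vault_recording_kb(retention_days, sessions_per_day, session_minutes, mix)
            / KB_PER_GB + OVERHEAD_GB)


def max_retention_days(disk_gb, sessions_per_day, session_minutes, mix):
    """Invert S_Vault: whole days of recordings a Vault disk of disk_gb can hold."""
    per_day_kb = vault_recording_kb(1, sessions_per_day, session_minutes, mix)
    usable_kb = (disk_gb - OVERHEAD_GB) * KB_PER_GB
    return max(0, int(usable_kb // per_day_kb))


if __name__ == "__main__":
    # Constructed inputs: 50 concurrent high-activity RDP sessions of 60 min on one PSM;
    # the Vault keeps 200 sessions/day of 30 min for 365 days with a 50/30/20 mix.
    rdp_only = {"rdp_high": 1.0}
    mix = {"ssh": 0.5, "rdp_low": 0.3, "rdp_high": 0.2}
    print(f"PSM:   {psm_storage_gb(50, 60, rdp_only):.2f} GB")
    print(f"Vault: {vault_storage_gb(365, 200, 30, mix):.2f} GB")
    print(f"A 500 GB Vault disk holds {max_retention_days(500, 200, 30, mix)} days")
```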
PAM Administration
- The goal of this section is to enable participants to monitor and manage privileged session recordings, audits, and active sessions upon completion of the session.
Recordings
- PSM and PSM for SSH create video and text recordings for privileged sessions and store them in the Vault.
- Authorized users can view these recordings at any time.
- Recordings can be stored in an external storage device.
Configuring Rules
- Rules are defined by category, pattern, session response, threat score, and scope
- Categories include SSH, Universal Keystrokes, SCP, SQL, and Windows title
- Patterns are regular expressions to be monitored
- Session responses include Suspend, Terminate, and None
- Threat score ranges from 1-100
- Scope determines who or what the rule will apply to
Session Analysis and Response Life Cycle
- The life cycle includes analytics, define risks, alerts, automatic response, manual response, and risk review
- The security team is involved in the manual response and risk review stage
Privileged Threat Analytics
- It quickly gathers and analyzes critical data
- Enables speedy response and automated containment
- Detects suspicious activities
- Alerts security teams with detailed event information
- Collects data from a wide variety of sources
- Part of CyberArk's PAM administration
Agenda
- Describe the main functionality of Privileged Threat Analytics (PTA)
- Describe the different data sources used by the PTA
- Describe the different attacks and risks detected by the PTA
- Describe the alert flow by the PTA
- Configure and test PTA automatic responses
- Describe the session analysis and response flow
Report Categories
- There are two categories of reports: Operational reports and Audit/Compliance reports.
Filter Options
- Each type of report has differing filtering criteria.
Scheduling Reports
- Reports can be run immediately, saved, or scheduled to run on a regular basis.
- Subscribers can be added to receive notifications by email when the report is generated, containing a link to the report.
Report Status
- The Refresh button can be used to check if a report has been generated.
Finished Reports
- Reports can be downloaded in Excel or CSV formats.
Report Types
- PrivateArk Reports are of interest to Vault Admins and include:
- License capacity of the system
- Lists of Users
- Active/Non-active Users
- Safes List
- Active/Non-active Safes
- PVWA Reports are of interest to Auditors and include:
- Privileged Accounts Inventory
- Applications Inventory
- Privileged Accounts Compliance Status
- Entitlement Report
- Activity Log
Report Generation
- Reports can be generated using the PVWA and the PrivateArk Client.
- The Export Vault Data (EVD) Utility can be used to extract data for reports.
Permissions
- Different reports require different permissions to run.
CyberArk's Scalable Architecture
- The architecture consists of auditors, PVWA, CPM, PSM, and a Vault (HA Cluster) in the main data center, with replicated environments in London and Hong Kong.
- The IT environment is integrated with the Vault and other components.
PAM Self-Hosted Components
- PAM Self-Hosted is a Privileged Access Manager solution where all components are owned and operated by the customer.
- It can be deployed on-premises, in the cloud, or in a hybrid environment.
- The components include:
- Secure Digital Vault: a secure server for storing privileged account information.
- Password Vault Web Access (PVWA): a web interface for users to access privileged account information.
- Central Policy Manager (CPM): performs password changes on devices and configures policies.
- Privileged Session Manager (PSM): isolates and monitors privileged account activity, recording sessions.
- Privileged Threat Analytics (PTA): monitors and detects malicious privileged account behavior.
CyberArk PAM Offerings
- PAM Self-Hosted is an entirely on-premises or cloud-based deployment.
- CyberArk Privilege Cloud is a PAM solution delivered as Software as a Service (SaaS).
Before Installing
- Enable the Backup user
- Set the password on the Primary Vault
Install the Utility
- Install the Replicator module and specify a path to a backup folder for the replicated data
Configure Vault.ini
- Edit the Vault.ini to give the Replicator utility the network address of the Vault server
Create Cred File
- The Credential File is used by the utility to authenticate to the Vault
- The password for the Backup user is changed in the Vault and the Credential File is updated after every successful login
Performing a Backup
- The backup is launched at a command line using the PAReplicate.exe executable file
- The syntax of the command specifies the vault.ini file and uses the logonfromfile and fullbackup switches
Overview
- The CyberArk Vault enables you to back up and restore a single Safe to a Vault, as well as a complete Vault's data and metadata
- The Data and Metadata folders are extremely important and it is imperative to back them up regularly
Backup Considerations
- Vault backup can be implemented in two ways: Direct Backup (Not Recommended) and Indirect Backup (Recommended)
- Direct Backup introduces an external application to the Vault and potentially reduces the level of security
- Indirect Backup uses the PrivateArk Replicate Utility to pull Vault data as encrypted files to a server, after which enterprise backup software can back up these files
Installation and Setup
- Before installing the Replicator utility, ensure that the backup server meets three requirements:
- At least the same disk space as the Vault database, on an NTFS volume
- Accessibility by your enterprise backup system
- Physical security that only permits authorized users to access it
Enhanced DR Replication
- Database synchronization occurs between the Primary Vault and Disaster Recovery Environment
- The DR Service is responsible for synchronization
- Data and metadata synchronization can be enabled in the padr.ini configuration file with the default setting EnableDbsync=Yes
Data Replication Interval
- The ReplicateInterval parameter determines the length of time between synchronizations of the Vault file system
- The default interval is 3,600 seconds (or one hour)
PVWA Failover Setup
- PVWA servers can be configured for automatic failover to allow users to access passwords without interruption
- Audit data should be saved via the activity log before re-enabling replication
- SIEM integration can mitigate the issue of saving audit data
DNS Load Balancing
- A DNS Alias can be used to control which Vault is used by the components (CPMs, PSMs, PVWAs)
- The DNS Alias is set in the Vault.ini file
- DNS Alias updates are a manual process and will extend the outage
Failover
- Automatic failover can be enabled with the parameter EnableFailover=Yes
- The CheckInterval sets how often the DR Vault contacts the Primary Vault (every 60 seconds); if a check fails, the DR Vault retries 4 times, once every 30 seconds
- Once the retries are exhausted, the DR Vault considers the Primary down and goes into DR mode
Manual Failover
- To configure the DR Vault for manual failover, padr.ini should be configured as follows: EnableFailover to No, EnableDbsync to Yes, and ActivateManualFailover to No
- To perform a proper manual failover, set the parameter ActivateManualFailover to Yes and restart the DR service
The Failover Process
- The failover process involves connection failure, retry attempts, failover started, data synchronization, starting PrivateArk, stopping the Server, and disaster recovery service
CyberArk PAM Solution Encryption
- Three files form the cornerstone of the CyberArk PAM solution encryption methodology: Server Key, Recovery Public Key, and Recovery Private Key.
- These files are required to install and operate CyberArk PAM.
Vault Object Encryption - Day-to-Day Operations
- Vault objects are encrypted using AES-256.
- Server Key is used to encrypt vault objects.
- Safe objects are encrypted using AES-256.
- Safe Key is used to encrypt safe objects.
- Password files are encrypted using AES-256.
- File Key is used to encrypt password files.
The Vault: End-to-End Security
- The Vault provides end-to-end security with features like:
- Discretionary and Mandatory Access Control
- Session Encryption
- Firewall Authentication
- Granular Permissions
- Subnet-Based Access Control
- Tamperproof Audit Trail
- Hierarchical Encryption Model
- The Vault uses a proprietary protocol and hardened built-in Windows firewall.
- OpenSSL encryption is used.
- Role-Based Access Control and Time Limits are available.
- Every object in the Vault has a unique key.
Vault Encryption and Key Management
- Keys are encrypted using a 3rd-party tool.
- Keys are not stored in RAM.
- Keys are always available, even when the Vault is restarted.
- Inserting a medium is required to encrypt the key.
Summary
- The session covered security controls protecting the Vault and encryption keys.
- It also covered encryption mechanisms protecting Vault data.
Remote Control
- Enables users to perform remote operations on Vault, DR Vault, and ENE components.
- Consists of Remote Control Agent (Windows service) and Remote Control Client (command-line interface utility).
- Remote Control Agent runs on Vault components, while the Client can run on any computer without requiring other Vault components.
Remote Monitoring
- Enables users to receive Operating System and Vault information, including CPU, memory, and disk usage, event log notifications, and service status.
- Uses SNMP to send Vault traps to a remote terminal.
- CyberArk provides two MIB files for SNMP v1 and v2 that describe SNMP notifications sent by the Vault.
System Monitoring and Administrative Tasks
- Can monitor system health via REST, email, SIEM, and SNMP.
- Can monitor replications and DR status.
- Perform common administrative tasks related to system maintenance.
Monitoring Components
- Can monitor components via REST, email, SIEM, and SNMP.
- Examples of components that can be monitored include PVWAAppUser, PasswordManager, DR, and Backup.
Enabling Component Monitoring
- Can customize email notifications by editing the body parameter in the Component is inactive template (ID: 206).
- Can enable monitoring of a specific CyberArk component user account using the PrivateArk Client.
- Can add the ComponentMonitoringInterval parameter to dbparm.ini to set the monitoring interval.
- Can define the actions taken when the Vault detects a disconnected component using the ComponentNotificationThreshold parameter.
Troubleshooting PSM-RDP
- Same troubleshooting recommendations as for PSM-RDP
- Run component manually using shadow user
- Delete Shadow users (from PSM computer management)
- Adjust AppLocker (or remove it manually in Windows for isolation)
Shadow Users
- Created by the PSM upon first connection
- Used to run connection components and store user preferences
- Can isolate problems related to shadow users by:
- Running the component manually as the shadow user (after password reset)
- Deleting the user (this will allow the PSM to create the user again)
Adjust AppLocker
- PSM uses Windows AppLocker feature to define rules for allowing or denying applications
- When adding a new component, adjust AppLocker by:
- Uncommenting the line relating to the new component in PSMConfigureApplocker.xml
- Running the PSMConfigureApplocker.ps1 script
Disable AppLocker
- Can disable AppLocker entirely for isolating the problem only
- Steps to disable AppLocker:
- Open secpol.msc or gpedit.msc
- Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
- Click on Configure rule enforcement and set Executable Rules to Audit Only
- Turn Enforce rules back on after testing
CPM Services
- Restart the CPM Services to troubleshoot issues
Resynch PTA Credentials
- Run the VaultPermissionsValidation.sh script in the utility folder on the PTA server to resynch credentials for PTA Vault users and PTA_PAS_Gateway account
Common Issues Related to CPM
- Local Computer Policy conflicts with password policy on target device
- Platform and Master Policy settings must not conflict with password policy on target device
User Authentication Issues
- A user receives an authentication failure, typically from trying to log in to PVWA with the old password after changing the network password
- Identify the error in the ITA log on the Vault
- Unsuspend the user manually, or use the Automatic Unsuspend feature
Automatic Unsuspend
- Configure the Vault to unsuspend users automatically after a predefined time period using the UserLockoutPeriodInMinutes parameter in dbparm.ini
Troubleshooting PSM Server Issues
- To troubleshoot PSM server issues, disable NLA (Network Level Authentication) on the PSM machine or target machine by going to Control Panel → System and Security → System → Remote Settings
- Manually connect with PSMConnect by disabling the Start Program in the Environment tab, getting the PSMConnect account password, and connecting to the PSM with PSMConnect and running MSTSC to the target
Increasing Timeouts
- Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session
- In overloaded environments, it is recommended to double the timeout values, e.g., ConnectionComponentTimeout: 20000
PSM Component Issues
- Verify if PSM users (PSMConnect / Shadow users) are supported and if Mapping drives is enabled
Target Windows Accounts
- Verify / Change / Reconcile API and “net use” command
- Use alternative plugins: WMI plugin / PowerShell plugin
- Suggested troubleshooting:
- Check Windows Event Viewer
- Check for unusual Local Security Settings
- Run “net use” manually from the CPM server to verify the connection
Target Unix Accounts
- Verify / Change / Reconcile operations are affected
- Suggested troubleshooting:
- Run plink manually
- Disable DEP / add exceptions for DEP on the CPM server
- Prompts and Process files – add a basic prompt
PSM-RDP Connection Troubleshooting
- Understanding the problem:
- At what stage does the problem occur?
- One account? Multiple accounts? Same type?
- Is the PSM hardened? Is the PSM in a domain?
- Which connection type is being used? RDP file / RemoteApp
- Suggested troubleshooting:
- Check the PSM service – is it off/hanging?
- Run component manually using shadow user
- Delete Shadow users (from PSM computer management)
- Adjust AppLocker (or remove it manually in Windows for isolation)
Shadow Users
- Shadow users are created by the PSM upon first connection
- Shadow users are used to run connection components and store user preferences
- Isolate problems related to shadow users by:
- Running the component manually as the shadow user (after password reset)
- Deleting the user (this will allow the PSM to create the user again)
Adjusting AppLocker
- The PSM uses the Windows AppLocker feature which defines a set of rules that allow or deny applications from running on the PSM machine
- When adding a new component, adjust AppLocker by:
- Adding an exception to PSMConfigureApplocker.xml
- Running the PSMConfigureApplocker.ps1 script
Disabling AppLocker
- Disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins
- Set Executable Rules to Audit Only and turn Enforce rules back on after testing
PSM Configuration
- PSM configuration file is located at C:\Program Files\CyberArk\PSM\Basic_psm.ini
- Debug settings can be found at PVWA > Administration Tab > Options > Privileged Session Management
CPM Configuration
- CPM configuration file is located at Vault > Safe "Password Manager" > root\policies\.ini
- Debug settings can be found at PVWA > Administration Tab > CPM settings
Debugging and Troubleshooting
- Debug levels can be set to 0 (no messages), 1, 2, 3, 4, 5, 6, or 7
- Trace levels can be set to 1, 2, 3, 4, 5, 6, or 7
- Log files can be found at \Logs and subfolders, or according to the LogsFolder parameter in the Basic_psm.ini file
- CPM debug levels can be set to 1 (exceptions), 2 (trace messages), 3 (CASOS activities), 4 (CASOS debug activities), 5 (CASOS errors), or 6 (all CASOS activities and errors)
Log Files
- PSM logs can be found at \Logs and subfolders
- CPM logs can be found at \Program Files\CyberArk\PasswordManager\Logs\pm.log, \pm-error.log, \PMConsole.log, and \PMTrace.log
- Plug-in logs can be found at \Program Files\CyberArk\PasswordManager\Logs\ThirdParty\*.log
- PVWA logs can be found at %windir%\temp\
Troubleshooting Flow
- The basic troubleshooting methodology involves understanding the system implementation, component communication, and current behavior compared to expected behavior
- It is important to write down any information gathered during the troubleshooting process and any tests performed, as this information will be required when opening a case with CyberArk support
Privileged Threat Analytics (PTA)
- Detects malicious activity caused by privileged accounts and contains in-progress attacks.
On-Demand Privileges Manager
- Empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise.
Digital Vault
- A hardened and secured digital vault used to store privileged account information.
- Implemented in compliance with the CyberArk Digital Vault Server security standard, resulting in a highly secure repository for privileged account passwords.
Central Policy Manager (CPM)
- Performs password changes and SSH key rotations on devices based on policies set by Vault Administrators.
- Responsible for Accounts Feed operations, including:
- Discover: Automates privileged account discovery.
- Analyze: Provides an easy view of all discovered accounts.
- Provision: Provisions the scope of accounts to manage in the Vault in a simple and intuitive way.
Policy Management
- Manages password policies for various systems, including Unix, Oracle, Windows, z/OS, and Cisco.
PVWA - Password Vault Web Access
- A web interface used by Administrators to perform administrative tasks and by end users to gain access to privileged account information.
PSM – Privileged Session Manager
- Isolates desktops from sensitive target machines to prevent cyber attacks.
- Creates accountability and control over privileged session access with policies, workflows, and single sign-on.
- Delivers continuous monitoring and compliance with session recording with zero footprint on target machines.
Enterprise Password Vault Solution Overview
- Master/exception policy definition.
- Initial load and reset accounts discovery through REST API or manual loading.
- Auditor access and policy management.
- Request access to privileged accounts through PVWA and PSM.
This quiz covers the key features of CyberArk's Privileged Access Management (PAM) solution, including credential management, session isolation, and risk remediation. Test your knowledge of CyberArk PAM's capabilities.