CyberArk PAM Key Features

Questions and Answers

What is the primary function of CyberArk PAM's discover feature?

To record and monitor privileged activity

To identify and manage credentials (correct)

To isolate credentials

To manage password complexity

What is the purpose of password rotation frequency in CyberArk PAM?

To monitor privileged activity

To regularly change passwords (correct)

To limit access to sensitive data

To manage credential length

What is the primary goal of CyberArk PAM's remediate feature?

To isolate credentials

To monitor privileged activity

To mitigate risky behavior (correct)

To manage credential length

What is the purpose of policies in CyberArk PAM?

To manage password complexity

What is the primary function of CyberArk PAM's record feature?

To audit sessions

What is the primary function of CyberArk PAM's monitor feature?

To monitor privileged activity

What is the primary purpose of the Vault in the given diagram?

To store credentials

What is the primary function of the Privileged Session Manager in the context of the Vault?

To manage and monitor privileged sessions of IT staff and auditors

What type of encryption model is used in the given diagram?

Hierarchical Encryption Model

What is the recommended factor of authentication in the given diagram?

Two Factor

What is the primary benefit of using a Password Vault in the context of the Vault?

To secure and manage sensitive credentials and prevent insider threats

What is the primary purpose of Auditing in the given diagram?

To track and analyze security events

What is the role of the Central Policy Manager in the context of the Vault?

To enforce centralized policy management on target accounts and servers

What is the benefit of using a Hierarchical Encryption Model?

Every object has a unique key.

What is the primary risk associated with unmanaged target accounts and servers?

Insider threats and security breaches

What is the primary purpose of the firewall in the given diagram?

To protect against external security breaches

What is the primary purpose of the Vault in the context of Privileged Account Management?

To secure and manage sensitive credentials and prevent insider threats

What is the primary benefit of using a Privileged Session Manager in the context of the Vault?

To monitor and control privileged access to sensitive resources

What is the benefit of using granular permissions in the given diagram?

It provides role-based access control

What is the primary purpose of the Authentication process in the given diagram?

To verify user identities

What task can be performed via the PVWA interface?

Disable a user or activate a suspended user

What type of users can be viewed via the PVWA interface?

Both LDAP and CyberArk users

What can be created manually through the PVWA interface?

New CyberArk users

What action can be taken on a user's password via the PVWA interface?

Reset the password

What is a feature of the User Management module in the PVWA interface?

Create and edit CyberArk users

What is a capability of the PVWA interface in terms of user management?

View all users

Where are users stored in PrivateArk Client?

Vault database

How can users be added to PrivateArk Client?

Manually through PrivateArk Client or via LDAP directory

What is the recommended approach to managing users in PrivateArk Client?

Using an external LDAP directory, such as Active Directory

What can be configured for a user in PrivateArk Client?

All of the above

What is the purpose of the General Tab in PrivateArk Client?

To manually add a new user

How can you change the Master user password in PrivateArk Client?

Through the User → Set Password option

What is the primary distinction between Users and Accounts in the context of User Management?

Users represent individual entities, while Accounts represent access points.

What is the main difference between Internal users and groups and Transparent users and groups?

Internal users and groups are managed by the system, while Transparent users and groups are managed by the administrator.

What is the purpose of directory mapping in User Management?

To synchronize user data between directories

What can be managed in PrivateArk Client and PVWA?

Internal users and groups

What is the primary benefit of using custom directory mapping?

Streamlines user management by automating user provisioning

What is the main difference between Vault authorizations and Safe authorizations?

Vault authorizations are used for managing privileged accounts, while Safe authorizations are used for managing shared accounts

What is the primary role of predefined users and groups in User Management?

To provide a default set of roles and permissions

What is the main benefit of using Transparent users and groups?

Streamlines user management by automating user provisioning

What is the significance of the '30' in the platform name 'LIN SSH 30'?

Indicates the password rotation frequency

What is the purpose of the 'Generate Password' section in the Edit Platform settings?

To manage password complexity

Why would a Vault administrator deactivate a platform?

To improve performance by reducing platforms

What is a key characteristic of the platform name 'LIN SSH 30'?

It is based on a logical naming convention

What can be modified in the Edit Platform settings?

Password policy settings

What is divided into two broad sections in the Edit Platform settings?

UI & Workflows and Automatic Password Management

What is the primary purpose of plug-ins in Platform Management?

To connect to different target systems

What is a key aspect of password policy settings in Platform Management?

Defining the technical settings for password management

How are platforms organized in Platform Management?

By target system type

What is the basis for exceptions to the Master Policy?

The specific requirements of each platform

Why is it necessary to duplicate a platform in Platform Management?

To create a new platform with different password policy settings

Where are platforms located in the interface?

Under the Administration tab

What can be viewed in the Platform Management page?

Password management policies applied to different platforms

What was discussed in this session?

The general workflow when working with CyberArk PAM

What is the next exercise after completing this session?

Securing Windows Domain Accounts

What is the purpose of the CyberArk Marketplace?

To access additional resources and exercises

What can be done in the Platform Management page?

All of the above

What is the result of configuring key parameters in Platforms?

Password management policies

What is the relationship between the Master Policy and Platforms?

The Master Policy is used to configure key parameters in Platforms

What is the purpose of editing the Master Policy?

To configure password management policies

What is the maximum number of objects recommended to be stored in a Safe?

3,000 to 5,000

What is the principle that should be followed when storing objects in Safes?

Least privilege

What type of accounts should have separate Safes?

Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts

What is the character limit for safe names?

28 characters

What is the recommended approach to managing access control to privileged identities in CyberArk?

Least privilege

How many characters are double-byte characters limited to?

Not supported

Who can be granted access to a Safe?

Users and groups

What is the purpose of permissions in a Safe?

To manage accounts and their passwords

How are permissions organized in a Safe?

Into groups for convenience

What can be done to a Safe if you have the appropriate permissions?

Add new members and assign permissions

What is a benefit of using granular permissions in a Safe?

It provides more flexibility in managing access

What is managed through the permissions assigned to Members of a Safe?

Access to accounts and their passwords

What is the maximum number of characters allowed in a safe name?

28

What is the purpose of the AllowedSafes parameter?

To limit the scope of a platform to specific safes

Why is object-level access control not recommended?

No reason is given in the text

What can be used to add members and manage permissions in a safe?

The new wizard

What is the benefit of using permission presets?

Simplifies the permission management process

What can be searched for in the Vault or LDAP using the new wizard?

Users or groups

What is the purpose of predefined users and groups?

To simplify user management

What is the significance of the string 'Lin-' in the AllowedSafes parameter?

It is a regular expression pattern for limiting scope

What is the purpose of the Scan Vault for Account step?

To retrieve account information and current passwords

What happens after a successful login using new credentials?

The system stores new credentials

What is discussed in this session?

How to add an account to CyberArk PAM via the PVWA

What is the outcome of the Change Process?

A successful or failed login using new credentials

What is the purpose of the Generate Password step?

To generate a new password

What happens after a successful connection and run of the change password process?

The system logs in using new credentials

What is the purpose of the Login using current credentials step?

To validate current credentials

What is the outcome of the Login using current credentials step?

A successful or failed login using current credentials

What is the purpose of the Store new credentials step?

To store new credentials

What is the purpose of the Change Process diagram?

To illustrate the password management process

What is the purpose of using CyberArk PAM to push private keys to application servers?

To authenticate using SSH keys

What is the benefit of securing Unix accounts with SSH keys?

To provide an additional layer of security

What is the purpose of the 'Verify you can login with the Private Key' exercise?

To verify secure login using a private key

What is the benefit of using linked accounts in CyberArk PAM?

To provide secure access to multiple platforms

What is the purpose of generating a key-pair in SSH key management?

To generate a private and public key pair

What is the benefit of securing Windows Server Local Accounts via a reconcile account?

To reduce the risk of unauthorized access

What is the main benefit of using SSH keys instead of passwords?

More secure and less vulnerable to attacks

What is the role of the Central Policy Manager in the context of the Vault?

To manage and change key-pairs frequently

What is the primary purpose of storing private keys in the Vault?

To allow users to retrieve private keys for authentication

What is the benefit of using unique key-pairs for each target system?

More secure and reduces the risk of compromised systems

What happens when a target system is compromised?

All systems that trust the compromised system are vulnerable

What is the primary function of the SSH Key Manager?

To create unique key-pairs for each target system

What is the purpose of the Central Policy Manager changing key-pairs frequently?

To reduce the risk of compromised systems

What is the benefit of using the SSH Key Manager to authenticate to target systems?

More secure and less vulnerable to attacks

What is the main purpose of a Logon account?

To authenticate users to a system

What is a best practice for Root account management?

Using the username 'root'

What is the primary purpose of SSH key management?

To configure SSH keys

What is the purpose of password reconciliation?

To synchronize passwords

What is the primary concern of Privileged Access Security?

Securing sensitive credentials

What is a key aspect of SSH policy configuration?

Defining access controls

What type of files can the CPM manage application accounts in?

Plain text files, INI files, XML files, and Web configuration files

What happens when the CPM changes the password for a privileged account?

The CPM pushes the updated password to the config file used by the application

What is required to add a configuration file usage?

Manually add the relevant usage in the target account platform

What type of file is used by the application to retrieve credentials?

Configuration file

What is the purpose of the CPM in relation to the config file?

To update the password in the config file

What is the role of the CPM in managing application accounts?

To manage application accounts in various file types

What is the purpose of Usages in CyberArk PAM?

To synchronize an account password with all other occurrences of the same password

What happens when the password for a target account is changed in CyberArk PAM?

The password is updated on all occurrences of the same password anywhere in the network

What is the purpose of Dependent Platforms in CyberArk PAM?

To manage Usages of account passwords

How does the CPM synchronize account passwords in CyberArk PAM?

By scanning for usages anywhere in the network

What is an example of a Dependent Platform in CyberArk PAM?

A local Windows user used to run a scheduled task

What is the result of setting SearchForUsages to Yes in CyberArk PAM?

The CPM scans for usages anywhere in the network

What is the purpose of specifying the section and parameter in the INI config file usage?

To specify the location of the password in the file

What is the benefit of encrypting passwords in configuration files?

To enhance the security of the password storage

What is the purpose of associating a logon account with the usage?

To log onto the remote machine where the usage exists

What is the purpose of the Encryption Command parameter?

To encrypt the password using an external command

What is the effect of the CPM changing the password for dba01?

It changes the password in the database and the INI file

What is the purpose of the INI file in the context of the CPM?

To store the password for the server

What is required to log onto the remote machine where the usage exists?

A logon account

What is the benefit of using the CPM to manage passwords?

It enhances the security of password storage

What is the primary purpose of requiring users to specify a reason for access in Privileged Account Management?

To track accountability and ensure responsible access

What is the primary role of Safe membership in Dual Control policies?

To authorize access requests from managers or peers

What is the primary benefit of using Dual Control policies in Privileged Account Management?

To provide an additional layer of security and control

What is the primary purpose of the Privileged Account Request section in a Platform?

To create a list of choices for users when accessing a password

Who are the Requesters in the context of Dual Control policies?

The users who want to access privileged accounts

What is the primary benefit of requiring users to specify a reason for access in a Platform?

To provide an audit trail for access requests

What is the primary function of the multi-level approval process in Dual Control?

To require approval from multiple groups before a request is fulfilled

What is the purpose of selecting 'All' in the number of confirmers for a request?

To require approval from all members of the group

How does the multi-group approval process work?

At least one person from each group must approve the request before it is fulfilled

What is the purpose of the IT Directors group in the multi-level approval process?

To approve requests after they have been approved by the IT Managers group

What is the benefit of using a multi-level approval process?

It provides an additional layer of security and accountability

What is the purpose of enabling direct manager approval?

To require approval from the manager of the requester

What happens to the password when multiple users access it simultaneously?

It is reset as each user accesses

What is the purpose of the password release mechanism?

To release the password after the Minimum validity period

What is an essential component of the Dual Control workflow?

Reason for access

What is the benefit of using Exclusive Passwords in Privileged Account Management?

To provide an additional layer of security

What is the primary goal of the One-time Passwords workflow?

To use a unique password for each access

What is the purpose of the Minimum validity period in password management?

To control password reset based on a set period

What is a key aspect of the Dual Control policy?

Require users to specify a reason for access

What is the primary benefit of using Safe Membership Configuration in Privileged Account Management?

To provide an additional layer of security and control

What is the primary purpose of the Accounts Discovery and Onboarding Rules feature?

To discover and onboard new accounts

What method can be used to add multiple accounts at once?

Add multiple accounts from file

How can scripts and applications interact with the Vault?

Through the PAM Web Services API

What is the purpose of Continuous Accounts Discovery?

To continuously discover new accounts

What is the primary purpose of the Discovery and Audit (DNA) feature?

To discover and audit new accounts

What is the primary benefit of integrating with the Vault using the Rest API?

To customize interactions with the Vault

What is the primary benefit of using Accounts Discovery with Automatic Onboarding Rules?

Streamlined onboarding process

What is the purpose of Continuous Accounts Discovery?

To discover new accounts

What is an advantage of adding multiple accounts from a file?

Reduced administrative burden

What is the purpose of the REST API integration in PAM Administration?

To enable automation of account discovery and onboarding

Which onboarding method is preferred when dealing with a large number of accounts?

Adding multiple accounts from a file

What is the benefit of using Accounts Discovery with Automatic Onboarding Rules?

Streamlined onboarding process

What is the primary purpose of the Discovery and Audit (DNA) method?

To discover and audit existing accounts

What is the benefit of using Continuous Accounts Discovery?

Reduced administrative burden

What is the main purpose of the Add Account method in onboarding accounts?

To add an account when the target Safe and Platform are known

Which method is used to upload discovered accounts to the Pending Safe?

Add Discovered Accounts

What is the purpose of the Add Discovered Accounts method?

To upload discovered accounts to the Pending Safe or onboard the accounts directly via automatic onboarding rules

How many main REST methods are relevant for the process of onboarding accounts?

3

What is the purpose of automatic onboarding rules in the Add Discovered Accounts method?

To onboard the accounts directly

What are the three main REST methods relevant for onboarding accounts?

Add Account, Add Discovered Accounts, Create Bulk Upload of Accounts

What is the purpose of RDP over SSL in the PSM flow?

To connect to Windows Servers securely

How does the Privileged Session Manager enhance privileged access control?

By isolating privileged sessions for added security

What is the purpose of fetching credentials from the Vault?

To authenticate to privileged sessions securely

What is the benefit of integrating with SIEM and PTA?

To monitor and analyze privileged access in real-time

What is the purpose of the Vault in the PSM flow?

To manage and secure privileged credentials

What is the purpose of logging and auditing in the PSM flow?

To monitor and analyze privileged access for compliance

What is the primary benefit of using PSM in the given diagram?

To provide complete isolation of target systems

What is the purpose of the Vault in the given diagram?

To manage privileged credentials for target systems

What happens to logs in the given diagram?

They are forwarded to SIEM and PTA for analysis

What is the primary purpose of using RDP over SSL in the given diagram?

To provide secure connections to Windows/UNIX servers

What is the benefit of using PSM with the Vault?

It reduces the risk of credential exposure to users

What is the primary benefit of integrating with SIEM/PTA in the given diagram?

It enables real-time analysis and threat detection

What is the primary purpose of the PSM for SSH?

To enable privileged access control

What happens after the user opens an SSH session to the PSM server?

PSM retrieves privileged account password from the vault

What is the purpose of the Vault in the given diagram?

To store privileged account passwords

What is the benefit of using PSM for SSH?

Improved security through session isolation

What is the purpose of logging in the given diagram?

To forward logs to SIEM and PTA

What is the role of PSM in the given diagram?

To manage privileged access control

What is the benefit of integrating PSM with SIEM and PTA?

Enhanced monitoring and analysis of SSH sessions

What is the primary purpose of the PSM connection?

To establish an SSH session to the target using the privileged account

What can be viewed using the PSM for SSH?

Live session audit

What action can the PSM take when notified by PTA or a third-party threat analytics tool?

Suspend or terminate sessions

What can authorized users do with active sessions using the PSM?

Participate in controlling sessions and suspend or terminate them

What protocol is being used for remote desktop connection in the given diagram?

RDP

What is the purpose of the PSM in the given diagram?

To monitor and control active sessions

What is the purpose of the PVWA interface in the given diagram?

To manage privileged sessions

What is the unit of measurement for the average bit rate of recorded sessions?

KB/min

What is the formula to calculate the required storage on the PSM Server?

SPSM = Csession * tsession * Rsession + 20GB

What is the average length of a recorded session used in the example calculation?

180 minutes

What is the required storage on the Vault Server calculated based on?

Retention history requirement and average number of recorded sessions per day

What is the purpose of the calculation for the required storage on the PSM Server?

To determine the required storage for recorded sessions

What is the result of the calculation for the required storage on the Vault Server?

1.96 TB

Where can PSM video and text recordings be stored?

In an external storage device

What is the purpose of monitoring privileged session recordings?

To identify security breaches

What is the primary benefit of using the Vault for storage?

Improved security

What can be monitored using the PSM?

Both active and recorded sessions

What is the primary function of the PSM in the context of the Vault?

To create video and text recordings

What is the primary benefit of using the PSM for SSH?

Improved security

What can be managed using the PSM?

Both privileged session recordings and active sessions

What is the primary purpose of privileged session management?

To prevent unauthorized access

What is the primary function of the CyberArk Privileged Threat Analytics?

To detect and respond to suspicious activities

What is the benefit of using CyberArk Privileged Threat Analytics?

Speedy response and automated containment

What type of data does CyberArk Privileged Threat Analytics collect?

Data from a wide variety of sources

What is the purpose of the ALERT feature in CyberArk Privileged Threat Analytics?

To notify security teams with detailed event information

What is the primary goal of CyberArk Privileged Threat Analytics?

To detect and respond to suspicious activities

What is the significance of real-time analytics in CyberArk Privileged Threat Analytics?

It enables rapid identification and detection of suspicious activities

What is the primary purpose of modifying and adding rules for suspicious session activities in CyberArk?

To tailor the detection of threats to the organization's specific needs

What is the function of the Category field in defining a rule in CyberArk?

To categorize the type of session activity being monitored

What is the role of the Security Team in the Session Analysis and Response Life Cycle?

To perform manual response and risk review

What is the purpose of the demos featured in the 'Demos' section?

To review recorded demos of threat detection and automatic response

What is the primary benefit of using a customized set of rules for suspicious session activities in CyberArk?

To tailor the detection of threats to the organization's specific needs

What is the primary objective of Privileged Threat Analytics (PTA)?

To detect and respond to privileged threats

What is the purpose of the Threat Score in defining a rule in CyberArk?

To assign a severity rating to the rule

What type of data sources are used by Privileged Threat Analytics (PTA)?

Various data sources, including network traffic, logs, and system events

What is the primary benefit of configuring automatic responses in PTA?

To improve the speed of threat response

What is the primary goal of session analysis in PTA?

To detect anomalies in user behavior

What is the primary risk associated with unmanaged target accounts and servers?

All of the above

What is the primary benefit of using real-time analytics in PTA?

Improved threat detection

What is the primary purpose of threat profiling in PTA?

To identify high-risk users and systems

What is the primary benefit of integrating PTA with Active Directory Security?

Enhanced threat detection and response

What is the primary purpose of the Privileged Accounts Inventory Report?

To provide information about all the accounts in the system

What is the main difference between Operational reports and Audit/Compliance reports?

Operational reports are used for daily operations, while Audit/Compliance reports are used for compliance and auditing

What can be done with finished reports?

They can be downloaded in Excel or CSV formats

What is the purpose of the Refresh button in report status?

To see if a report has been generated

What information is provided by the Applications Inventory Report?

Information about application IDs in the system

What is the benefit of adding subscribers to a report?

It allows subscribers to receive notifications by email when the report is generated

What type of report is an Entitlement Report categorized as?

PVWA Report

Which type of report provides information about Privileged Accounts?

Privileged Accounts Inventory

What is the main focus of the Compliance Status report?

Privileged Accounts compliance

Which report provides a record of all activities performed in the system?

Activity Log Report

Which type of report would be of interest to Vault Admins?

PrivateArk Reports

What is the main focus of the Applications Inventory report?

Application inventory management

What type of report can be generated using the EVD Utility?

Privileged Accounts Inventory

What is required to run different reports in PrivateArk Client?

Specific permissions

What type of report provides a list of all users in the system?

Users List Report

Which application can be used to generate various reports, including the Privileged Accounts Inventory report?

All of the above

What type of report provides information on the compliance status of privileged accounts?

Compliance Status Report

What is the primary purpose of generating reports using the PVWA and PrivateArk Client?

To generate reports on privileged accounts

What type of report provides a list of all safes in the system?

Safes List Report

What is the primary benefit of generating reports using the PVWA and PrivateArk Client?

Better management of privileged accounts

What is the primary deployment model of PAM Self-Hosted?

Entirely on-premises installation

What is a key benefit of PAM Self-Hosted?

Total ownership and control by the customer

What is the primary concern for scalability planning in PAM Self-Hosted?

Scaling to meet increasing user demands

What is a key infrastructure requirement for PAM Self-Hosted?

All of the above

What is a primary security consideration for PAM Self-Hosted?

All of the above

What is a key benefit of PAM Self-Hosted in terms of high availability?

Increased uptime and reduced downtime

What is the primary purpose of the Vault in the provided architecture?

To store and manage privileged credentials

What is the benefit of deploying the Vault in a High Availability (HA) cluster configuration?

To ensure the availability of the Vault in the event of a failure

What is the role of the Central Policy Manager (CPM) in the provided architecture?

To manage and configure policies for the IT environment

What is the primary consideration when deploying the CyberArk architecture in a distributed environment?

Planning for scalability and high availability

What is the primary benefit of using a hierarchical encryption model in the CyberArk architecture?

Improved security of the Vault

What is the primary reason for implementing a disaster recovery (DR) site in the provided architecture?

To ensure business continuity in the event of a disaster

What is the primary function of the Central Policy Manager?

Performs password changes on devices

What is the purpose of the Privileged Session Manager?

To isolate and monitor privileged account activity

What is the primary benefit of using a Password Vault?

To store and manage privileged account information securely

What is the function of the Secure Digital Vault?

To store privileged account information securely

What is the role of the Privilege Threat Analytics?

To monitor and detect malicious privileged account behavior

What is the purpose of the Password Vault Web Access?

To provide a web interface for users to access privileged account information

What is the primary function of the Central Policy Manager in the context of the Vault?

To configure policies and perform password changes on devices

What is the primary benefit of using a Privileged Session Manager in the context of the Vault?

To isolate and monitor privileged account activity

Where are the Safes in the Vault stored?

In the Data sub-directory

What is the purpose of the Credential File in the Replicator utility?

To authenticate to the Vault server

What is essential to back up regularly in the Vault?

Both the Data and Metadata folders

What is the command used to launch a backup at a command line?

PAReplicate.exe vault.ini /logonfromfile user.ini /FullBackup

What is a requirement for integrating with an Enterprise Backup Solution?

Policy requires integration

What is the purpose of the Vault.ini file?

To give the Replicator utility the network address of the Vault server

What can be backed up and restored in the Vault?

Both a single Safe to a Vault and a complete Vault's data and metadata

Where are database files stored in the Vault?

In the Metadata sub-directory

What is the purpose of enabling the Backup user?

To enable the Replicator utility to backup data

What is the purpose of setting a password on the Primary Vault?

To secure the Primary Vault

What is the name of the solution that replicates data?

Replicate Utility

What is the purpose of the Replicator module?

To replicate data to a backup folder

What is a key requirement for the backup server when using the Replicate Utility?

It must have the same disk space as the Vault database on an NTFS volume

What is the recommended approach to backing up the Vault using the Replicate Utility?

Install the Replicate Utility on a separate server on the network

Why is the Indirect Backup method recommended over the Direct Backup method?

It reduces the risk of introducing an external application to the Vault

What is a necessary feature of the backup server when using the Replicate Utility?

It must have accessibility by the enterprise backup system

What is a key benefit of using the Replicate Utility for backup and restore?

It enables integration with enterprise backup systems

What is a key consideration when installing the Replicate Utility on a separate server?

The server must have physical security that only permits authorized users

What is the role of the Replicate Utility in the backup and restore process?

It pulls Vault data as encrypted files to the backup server

What is a necessary step before installing the Replicate Utility?

Ensure the backup server meets the necessary requirements

What is the recommended approach to avoid data loss during replication?

Save audit data via the activity log

What is the purpose of using a DNS Alias for the Vaults?

To control which Vault is used by the components

What is the primary goal of automatic failover in PVWA setup?

To allow users to access passwords without interruption

What is the risk associated with not saving audit data during replication?

Data loss

What is the purpose of using a Disaster Recovery Environment?

To provide a backup Vault in case of failure

What is the primary benefit of using a Primary Vault Synchronization?

To ensure consistency across all Vaults

What is the purpose of the CheckInterval parameter in automatic failover?

To indicate the time it takes for the DR Vault to contact the Primary Vault

What happens when the DR Vault is unable to contact the Primary Vault after the retry attempts?

The DR Vault goes into DR mode

What is the purpose of setting EnableFailover to No in manual failover?

To disable automatic failover

What is required to perform a manual failover?

Setting ActivateManualFailover to Yes and restarting the DR service

What is the sequence of events in the failover process?

Connection fails, retry attempts, failover started, data synchronization

What is the purpose of EnableDbsync in manual failover?

To enable data synchronization

What is the default setting for EnableDbsync in manual failover?

Yes

What happens when the DR service is restarted with ActivateManualFailover set to Yes?

The service reads the config file and starts the failover process

What occurs when a failover takes place in the Disaster Recovery Environment?

The DR service first synchronizes the information in its database with the Safe data files

What is the default setting for the EnableDbsync parameter in the padr.ini file?

EnableDbsync=Yes

What determines the length of time between synchronizations of the Vault file system?

The ReplicateInterval parameter

What is the primary purpose of the DR service in the Disaster Recovery Environment?

To synchronize the information in its database with the Safe data files

What is the default time interval for synchronizing the Vault file system?

3,600 seconds (or 1 hour)

What is the purpose of the Primary Vault in the Disaster Recovery Environment?

To synchronize the information in its database with the DR Vault

What is the primary function of the Server Key in the CyberArk PAM solution?

To install and operate CyberArk PAM

What type of encryption is used to protect the keys in the Vault?

AES-256

What is the purpose of the Recovery Private Key in the CyberArk PAM solution?

To recover encrypted vault objects

How are vault objects encrypted in the CyberArk PAM solution?

Using a hierarchical encryption model

What is the purpose of encrypting the key in the Vault?

To protect the key from unauthorized access

What is the primary function of the Recovery Public Key in the CyberArk PAM solution?

To recover encrypted vault objects

What is the purpose of the three files that form the cornerstone of the CyberArk PAM solution encryption methodology?

To install and operate CyberArk PAM

What is the benefit of using a secure platform in the Vault?

To reduce the risk of key exposure

What is the purpose of access control in the Vault?

To restrict access to authorized personnel

What is the benefit of using digital vault configuration?

To increase the security of the Vault

What is the purpose of encryption in the Vault?

To protect the data from unauthorized access

What is the benefit of using granular permissions in the Vault?

To restrict access to sensitive data

What is the purpose of the Vault's security controls?

To protect the Vault from external threats

What is the benefit of using a hierarchical encryption model?

To increase the security of the Vault

What is the purpose of the firewall in the Vault's security architecture?

To protect the Vault from external threats and unauthorized access

What is the benefit of using a Hierarchical Encryption Model in the Vault?

It provides a unique encryption key for each object

What is the primary purpose of Access Control in the Vault?

To restrict access to authorized users and roles

What is the role of the Proprietary Protocol in the Vault's security architecture?

It provides a secure connection for encrypting data

What is the primary benefit of using Granular Permissions in the Vault?

It enables more granular access control to sensitive data

What is the purpose of Auditing in the Vault's security architecture?

To detect and respond to security incidents

What is the primary function of the Firewall in the given diagram?

To control access to the Vault

What type of encryption model is used in the Hierarchical Encryption Model?

Multi-layer encryption

What is the primary benefit of using Granular Permissions in the Vault?

Fine-grained control over access

What is the primary purpose of Auditing in the given diagram?

To track and monitor access to the Vault

What is the recommended factor of authentication in the given diagram?

Two factor

What is the primary purpose of the Proprietary Protocol in the Vault?

To provide an additional security layer

What is the purpose of the Server Key in CyberArk PAM?

To operate CyberArk PAM

What type of encryption is used in the Vault Object Encryption mechanism?

AES-256

What is the role of the Recovery Public Key in CyberArk PAM?

To recover private keys

What is the purpose of the Recovery Private Key in CyberArk PAM?

To recover private keys

What are the three files required to install and operate CyberArk PAM?

Server Key, Recovery Public Key, and Recovery Private Key

What is the primary purpose of the encryption methodology in CyberArk PAM?

To protect Vault objects

What is the primary goal of security controls protecting the Vault and encryption keys?

To ensure data integrity and confidentiality

What is the primary benefit of using a hierarchical encryption model in the Vault?

To simplify key management

What is the role of permissions in the Vault's access control layer?

To control access to the Vault

What is the primary purpose of encrypting the key with a 3rd-party tool in the Vault?

To protect the key from unauthorized access

What is the primary risk associated with unmanaged target accounts and servers in the Vault?

Unauthorized access to sensitive data

What is the primary benefit of using granular permissions in the Vault's access control layer?

To control access to sensitive data

What is the primary purpose of the Vault in the context of Privileged Account Management?

To provide secure access to privileged accounts

What is the primary goal of encryption mechanisms in the Vault?

To protect data at rest and in transit

What are the methods used to monitor system health?

REST, Email, SIEM, SNMP

What administrative task is related to system maintenance?

Monitoring replication and DR status

What is monitored in terms of replication and DR status?

Replication and DR status

What is the primary goal of monitoring system health?

To detect system failures

What are the different ways to monitor components?

REST, Email, SIEM, SNMP

What is the benefit of monitoring system health?

To detect system failures

What is the purpose of the Remote Control Agent?

To execute tasks on a Vault component

What information can be received through the Remote Monitoring feature?

Both Operating System and Vault component-specific information

What is required to be installed on the same computer as the Remote Control Agent?

None of the above

What is the purpose of the MIB files provided by CyberArk?

To describe the SNMP notifications sent by the Vault

What is the function of the Remote Control feature in the Vault?

To carry out remote operations on the Vault and its components

What is the benefit of using the Remote Monitoring feature?

To monitor the Operating System and Vault information remotely

What is the ID of the email template that can be customized for component monitoring?

206

Where can you configure the monitoring interval for a component?

dbparm.ini

What is the purpose of the ComponentMonitoringInterval parameter?

To set the monitoring interval for a component

What determines the actions taken when a component is disconnected?

ComponentNotificationThreshold

What is the result of enabling email notifications for a component?

Vault Admins will receive a notification in their inbox

What is used to monitor components via SNMP?

Remote Control Agent

Where can you enable monitoring of a specific CyberArk component user account?

PrivateArk Client

What is the purpose of the General tab in the PrivateArk Client?

To check the box for sending email notifications

What is the purpose of creating a shadow user?

To run connection components and store user preferences

What is the primary function of AppLocker in PSM?

To define a set of rules that allow or deny applications from running

What should you do to isolate problems related to shadow users?

Run the component manually as the shadow user

How do you disable AppLocker entirely?

By setting Executable Rules to Audit Only in the MMC snap-ins

What is the recommended approach when adding a new component in PSM?

Adjust AppLocker by adding an exception to PSMConfigureApplocker.xml

What should you do to the PSMConfigureApplocker.ps1 script?

Run it to adjust AppLocker

What happens to a user who fails to log in 5 times?

The user is suspended

How can a user be unsuspended after being locked out?

Automatically after a set time period

What is the purpose of the UserLockoutPeriodInMinutes parameter?

To configure the timeout period for automatic unsuspend

Why did the user's login attempt fail?

The user's password was changed recently

What can the Vault administrator see in the ITAlog?

The user's failed login attempts

What happens when a user's account is suspended?

The user is temporarily locked out

Who can see the ITAlog?

Only the Vault administrator

What is the result of a user's failed login attempt?

The user is suspended

Where is the CreateCredFile.exe command located?

C:\Program Files\CyberArk\Password Manager\Vault

What can cause interference with the CPM?

Local Computer Policy

What is the purpose of the VaultPermissionsValidation.sh script?

To resynch the credentials for the PTA Vault users

What is the command to run to resynch the credentials for the PTA Vault users?

VaultPermissionsValidation.sh

What is the alias to navigate to the utility folder on the PTA server?

UTILITYDIR

What can be done to resolve PTA connectivity issues?

Resynch the credentials for the PTA Vault users

What is the primary reason for disabling Network Level Authentication (NLA) in a PSM-RDP connection?

To determine if it's causing the connection problem

How can you manually test the PSMConnect user in a PSM-RDP connection?

By doing all of the above

Where can you disable Network Level Authentication (NLA) in a Target Windows Account?

In the Control Panel → System and Security → System → Remote Settings

What is the recommended approach to resolve issues with overloaded environments in a PSM connection?

Increasing the timeout values

What is the primary purpose of checking the PSM Protocol version in a PSM connection?

To understand the problem with the PSM connection

Why is it recommended to compare safe permissions with other safes in a PSM connection?

To ensure safe permissions are correctly configured

What is the purpose of shadow users in PSM?

To run connection components and store user preferences

What is the recommended approach to troubleshoot issues with PSM-RDP connections?

Run the component manually using the shadow user and adjust AppLocker rules

How can AppLocker be adjusted to allow a new component to run on the PSM machine?

By uncommenting the line relating to the new component in PSMConfigureApplocker.xml

What is the purpose of the AppLocker feature in Windows?

To define a set of rules that allow or deny applications from running on the PSM machine

What is the result of deleting a shadow user on the PSM machine?

The PSM will create a new shadow user

How can AppLocker be disabled on the PSM machine?

By using the MMC snap-ins to set Executable Rules to Audit Only

What is the purpose of running the component manually as the shadow user?

To isolate problems related to PSM-RDP connections

Why would you adjust AppLocker rules on the PSM machine?

To allow a new component to run on the PSM machine

When troubleshooting Target Windows Accounts, what command can be used to verify the connection?

net use \/IPC$ /user:\

In PSM-RDP Connection troubleshooting, what is an important aspect to consider?

PSM server hardening

What can be checked in the Local Security Settings when troubleshooting Target Windows Accounts?

Unusual Local Security Settings

What is a suggested troubleshooting step for Target Unix Accounts?

Run 'plink' command manually

What is a common issue related to PSM?

PSM-RDP Connection issues

When troubleshooting Target Windows Accounts, what can be added to the CPM server?

DEP exceptions

What is the primary requirement for the basic troubleshooting methodology in the CyberArk environment?

Knowledge of the system implementation

What is the recommended practice when troubleshooting issues in the CyberArk environment?

Write down all information gathered during the process

What is the purpose of managing log files in the CyberArk environment?

To troubleshoot issues in the Vault

What is the xRay agent used for in the CyberArk environment?

To troubleshoot issues in the Vault

What is the primary goal of the troubleshooting methodology in the CyberArk environment?

To provide guidance for troubleshooting

What is the importance of understanding the system implementation in the CyberArk environment?

It is essential for troubleshooting

Where are CPM exceptions written to by default?

The trace log

Where can you configure the Debug Level for CPM troubleshooting?

The web.config file

What file would you check for CPM CASOS errors?

pm-error.log

Where can you configure the logging level for PVWA troubleshooting?

PVWA administration tab

What type of log files are stored in the \Program Files\CyberArk\PasswordManager\Logs\ThirdParty directory?

Plug-in log files

Where can you find CyberArk Web application logs?

%windir%\temp\

What is the purpose of the Debug Level setting in the web.config file?

To customize the logging level for CPM troubleshooting

Where can the configuration file for the Central Password Manager be found?

Vault ➔ Safe “Password Manager”➔ root\policies.ini

What is the default debug level for the Central Password Manager?

2

Where can the logs for the Privileged Session Manager be found?

\Logs (and subfolders) or according to the 'LogsFolder' parameter

Where can the server settings for the Privileged Session Manager be configured?

PVWA ➔ System tab ➔ Options ➔ Privileged Session Management

What is the purpose of the TraceLevels setting in the Privileged Session Manager?

To configure the debug level for the PSM

Where can the General Settings for the Privileged Session Manager be configured?

PVWA ➔ System tab ➔ Options ➔ Privileged Session Management ➔ General Settings

What is the primary function of Privileged Threat Analytics (PTA)?

To detect malicious activity caused by privileged accounts and contain in-progress attacks

What is the benefit of using On-Demand Privileges Manager?

It provides a comprehensive solution for IT and enables complete visibility and control of super users and privileged accounts

What is the primary responsibility of the Central Policy Manager (CPM)?

To perform password changes and SSH key rotations on devices based on policies

What is the primary security feature of the Digital Vault?

It is implemented in compliance with the CyberArk Digital Vault Server security standard

What is the primary function of the 'Discover' feature in the Central Policy Manager?

To automate privileged account discovery

What is the purpose of the Privileged Session Manager?

To monitor and control privileged session access

What is the primary benefit of using a Password Vault in the context of the Vault?

To monitor and control privileged session access

Which operating system has an administrator account with the password 'tops3cr3t'?

Windows

What is the primary function of the Central Policy Manager?

To define master policy exceptions

What is the primary purpose of the PVWA interface?

To view reports

What is the primary purpose of the Digital Vault Security?

To secure and protect privileged account information

Which of the following is NOT a type of user account in the diagram?

Guest

What is the primary purpose of Privileged Account Discovery?

To discover and manage privileged accounts across the organization

What is the purpose of the security policy in the diagram?

To define access control

What is the primary purpose of the IT department in the diagram?

To provide Enterprise IT Environment

Study Notes

CyberArk PAM Key Features

• CyberArk PAM provides a comprehensive solution for discovering, isolating, recording, monitoring, and remediating privileged credentials and sessions.

Discover and Manage Credentials

• Automated processes for account discovery
• Policies for managing credentials, including:
  • Password complexity
  • Rotation frequency
  • Others

The Vault

• A secure storage for credentials
• Clients of the Vault include:
  • End users (IT staff, auditors, etc.)
  • Custom applications
  • Reporting tools
• The Vault provides a centralized policy management system

The Vault: End-to-End Security

• Secure storage of credentials
• Discretionary and mandatory access control
• Encryption of sessions and files
• Proprietary protocol and hardened built-in firewall
• Single or two-factor authentication
• Granular permissions and role-based access control
• Subnet-based access control and time limits
• Event-based alerts and tamper-proof audit trail
• Hierarchical encryption model, with every object having a unique key

User Management in PVWA

• User management module introduced in PAM version 13, accessible through PVWA
• Create and edit CyberArk users
• Create groups and assign users to them
• View all users (LDAP and CyberArk)
• Disable or activate a suspended user
• Reset a user's password

Managing Users

• Create new CyberArk users manually through PVWA
• Edit CyberArk users through PVWA
• Create groups and assign users to them through PVWA
• Disable or activate a suspended user through PVWA
• Reset a user's password through PVWA

Changing Master Password

• Change the Master user password by logging in as Master user and clicking User → Set Password

User Management in PrivateArk Client

• Manage users and groups via PrivateArk Client
• Adding users: authorized interfaces, authentication, vault authorizations, group membership, and general tabs
• Users stored in Vault database
• Recommended to manage users with an external LDAP directory, such as Active Directory
• Can manually create users via PrivateArk Client

General Tab

• Manually add new users through PrivateArk Client interface

Authorized Interfaces

• Select which interfaces a user can log in from

Authentication

• Select the authentication method for a user

Vault Authorizations

• Configure Vault authorizations for a user

Group Membership

• Select which groups a user is a member of

User Management Overview

• Users vs. Accounts: understand the differences between the two
• Internal Users and Groups vs. Transparent Users and Groups: understand the differences between the two

Platform Management

• Platforms have three main functions: defining technical settings, pointing to relevant plug-ins and connection components, and basis for exceptions to the Master Policy.

Platform Functions

• Define password policy settings such as minimum length, forbidden characters, and more.
• Manage how you log in and change a password on different target systems (e.g., Unix, Windows).

Creating and Managing Platforms

• Platforms are located under the Administration tab.
• Platforms are grouped by target system type.
• There are several dozen baseline platforms that function out of the box with little or no configuration.

Duplicating Platforms

• Duplicating a Platform is required when accounts of the same system type require different policies.
• Example: Unix accounts in different regions need to be rotated on a different basis.

Platform Naming Convention

• Use a logical naming convention based on business rules (e.g., LIN SSH 30 indicates Linux accounts via SSH connections with 30-day password rotation).

Editing Platform Settings

• Select Edit to modify Platform settings (e.g., password policy settings).
• Platforms are divided into two broad sections: UI & Workflows, and Automatic Password Management.

Password Complexity

• The Generate Password section controls password creation policy, including length, complexity, forbidden characters, and more.

Activating/Deactivating Platforms

• The Vault administrator can deactivate Platforms that are not currently relevant to your implementation, providing better administration and performance.

Policy By Platform

• The Platform Management page displays password management policies applied to different platforms.

Summary

• The general workflow when working with CyberArk PAM involves configuring key parameters in the Master Policy and Platforms.
• Key parameters include password policy settings, plug-ins, and connection components.

Granular Safe Permissions

• In the Safe Members tab, users and groups with access to the Safe are displayed.
• Members can be added and permissions assigned, managing access to accounts and passwords.

Permissions

• Permissions are organized into groups: Access, Account management, Safe management and monitoring, Workflow, and Advanced.

Safe Naming

• Safe names are limited to 28 characters and do not support double-byte characters.
• A naming convention is recommended, such as P-BOS-SRV-WIN-LAD-HR for local admin accounts on HR production servers.

Safe Constraints

• The number of objects stored in a Safe should be limited to 20,000, including versions of passwords.
• The recommended number of accounts or files stored in a Safe is between 3,000 and 5,000.

Access Control

• The principle of “least privilege” should be followed, storing objects in Safes according to need-to-know access.
• Separate Safes are recommended for Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts.
• Object-level access control is not recommended.

Adding Safe Members

• A new wizard streamlines the process of creating Safes and adding initial members.
• Permission presets and user/group searching are available.

Platforms and Safes

• The AllowedSafes parameter can limit the scope of a platform to specific Safes using a regular expression pattern.
• This helps improve CPM performance and simplifies administrative tasks.

Accounts

• Accounts store privileged account IDs and passwords in Safes
• Examples of accounts include:
  • Domain administrators
  • Local administrators
  • Root accounts
  • Service accounts
• Every account resides in a single Safe
• Every account is associated with a single Target Account Platform

Adding a Linux Account

• To add a new Linux account, provide the following information:
  • Platform: LIN SSH 30
  • Safe: Lin-Fin-US
  • Master Policy:_Exception: Change password every 30 days
  • Username: logon01
  • Password: ****** (hidden for security)
  • Address: target-lin.acme.corp

Account Management Operations

• Central Policy Manager (CPM) manages passwords and SSH keys on devices based on policies set by Vault Administrators
• CPM performs three actions:
  1. Password Verification: Confirms passwords in Vault match target system
  2. Password Change: Changes passwords automatically based on expiration period or user intervention
  3. Reconciliation of unknown or lost passwords: Process used when Vault password doesn't match target system

Password Management Overview

• CPM manages privileged accounts through three actions: Verification, Change, and Reconciliation
• Verification confirms passwords in Vault match target system
• Change updates passwords automatically or through user intervention
• Reconciliation resolves unknown or lost passwords

Verification Process

• Scan Vault for Account
• Login using current credentials
• Notify Vault of success or failure

Change Process

• Scan Vault for Account
• Login using current credentials
• Generate new password
• Connect and run change password
• Store new credentials

Push Private Keys to Application Servers

• CyberArk PAM allows pushing private keys to application servers for SSH key authentication.

Linked Accounts

• There are two types of linked accounts commonly used and supported by default for most platforms:
  • Logon account
  • Reconcile account

Logon Account

• No additional information provided about logon accounts.

Root Account Best Practices

• Using a username "root" is not recommended as it compromises all systems that trust it if it is compromised.
• SSH keys are more difficult to change than passwords.

SSH Key Manager

• Creates unique key-pairs for each target system.
• Private keys are stored in the Vault, not on user workstations.
• The CPM (Central Policy Manager) changes key-pairs often and automatically disseminates public keys to target systems.
• End users retrieve the private key from the Vault to authenticate to the target system.

Agenda and Objectives

• By the end of this session, you will be able to:
  • Describe and configure linked accounts (logon accounts and reconcile accounts)
  • Describe and configure SSH key management

Configuration File Management

• Certain applications retrieve credentials from configuration files, which can be managed by the CPM.
• Supported file types include plain text, INI files, XML files, and web configuration files.

Config File Usage

• Applications use configuration files to retrieve passwords for authentication.
• When the CPM changes a password, it must also update the corresponding configuration file.

Adding Config File Usage

• To add a configuration file usage, the relevant usage must be added manually to the target account platform.
• The parameter SearchForUsages must be enabled.

Dependent Platforms

• Dependent Platforms are used for managing Usages.
• A usage refers to an instance where an account is used to perform a task somewhere else.

Usages

• The CPM can synchronize an account password with all other occurrences of the same password on the same server or anywhere in the network.
• This is done through Usages, which are registered in CyberArk PAM.

Scheduled Task Example

• A scheduled task can be used to run a task with a specific account.
• In this example, a local Windows user – sendmail01 – is used to run a scheduled task – SchedTask01.

Adding Config File Usage (2)

• The specific INI config file usage must be added to the relevant account.
• The usage specifies the server address, full path to the INI file, and where in the file the password can be found.

Configuration Files

• When the CPM changes a password, it will also change the password in the corresponding configuration file.
• The password can be encrypted using an external command.

Logon Account

• An extra account may be required to log onto the remote machine where the usage exists.
• A logon account can be associated with the usage.

Encrypting the Password in Config Files

• Passwords stored in configuration files can be encrypted using an external command.
• The encryption command and encryption regex parameters are used to handle the encryption process.

Advanced Settings

• End users can connect transparently using privileged accounts and are allowed by default to view passwords.
• Users can specify a reason for access, which forces them to provide a reason why they are using a particular account.

Privileged Account Request

• The list of options for the drop-down is defined at the Platform level, so it can have a different set of reasons on a platform-by-platform basis.
• Predefined Reasons can be added to create a list of choices for users when accessing a password in the PVWA.

Dual Control

• Dual control requires end users to get authorization before accessing privileged accounts.
• Authorization must be given by one or more managers or peers, depending on the configuration.
• Dual Control is controlled through Safe membership, where Requesters are the people who want to use the privileged accounts.
• At least one person from each group with approver permissions must approve the request before the requester can use the password.

Multi-Group Approval Process

• If more than one group with approver permissions is set up, at least one person from each group must approve the request before the requester can use the password.
• In advanced settings, a multi-level approval process can be enabled, where a request must first be approved by one group before it is forwarded for approval to another group.
• Direct manager approval can be enabled, determined by the Manager attribute on the requester's AD user object.

Exclusive Access

• Exclusive access allows multiple users to access the password simultaneously.
• The password is changed automatically upon manual release, and the system will release it automatically based on the Minimum validity period.
• In later versions, the password can be auto-released by the PSM.

Summary

• The session covered five workflows: Allow transparent connections, Require users to specify reason for access, Dual Control, Exclusive Passwords, and One-time Passwords.

PAM Web Services API

• PAM Web Services API is a set of REST-based services running on the PVWA.
• It allows scripts and applications to communicate with the Vault.
• Used by CyberArk applications as well as third-party applications.
• Enables organizations to develop custom interactions with the Vault to automate business processes.

Discovery and Onboarding Methods

• Discovery and Onboarding Methods include:
  • Add a single account
  • Add multiple accounts from file
  • Discovery and Audit (DNA)
  • Continuous Accounts Discovery
  • Accounts Discovery & Onboarding Rules
  • Rest API

Onboarding Accounts

• Onboarding accounts can be done using three main REST methods:
  • Add account
  • Add discovered accounts
  • Create bulk upload of accounts

Add Account Method

• Used when the target Safe and Platform are known to the onboarding utility.

Add Discovered Accounts Method

• Used by CyberArk discovery and upload mechanisms, as well as third-party discovery mechanisms.
• Uploads discovered accounts (and dependencies) to the Pending Safe or onboards the accounts directly via automatic onboarding rules.

PAM Administration

• Involves Discovery and Onboarding.

PSM Flow

• PSM provides complete isolation of target systems, ensuring privileged credentials never reach users or their devices.
• Connections can be made from Unix, Linux, Mac, or Windows end-user machines.
• The PSM flow involves:
  • Logging on through PVWA
  • Connecting to PSM using RDP/TLS
  • Fetching credentials from Vault
  • Connecting using native protocols
  • Forwarding logs to SIEM and PTA
  • Storing session recordings

PSM for Windows

• The PSM for Windows flow involves:
  • Connecting to PSM using RDP/TLS
  • Fetching credentials from Vault
  • Connecting using native protocols
  • Forwarding logs to SIEM and PTA
  • Storing session recordings

PSM for SSH

• The PSM for SSH flow involves:
  • Opening an SSH session to the PSM server
  • Retrieving a privileged account password from the Vault
  • Opening an SSH session to the target using the privileged account
  • Forwarding logs to SIEM and PTA
  • Storing SSH session audits

Summary

• The Privileged Session Manager (PSM) features include:
  • PSM Connection Components
  • PSM Ad-Hoc Connections
  • PSM via HTML5 Gateway
  • PSM for Windows
  • PSM for SSH

Active Session Monitoring (PSM)

• PSM enables authorized users to monitor active sessions, take part in controlling these sessions, and suspend or terminate them.
• PSM can automatically suspend or terminate sessions when notified by PTA or a third-party threat analytics tool.

Active Session Monitoring (PSM for SSH)

• It is not possible to monitor or control live PSM for SSH sessions, but it is possible to view the live session audit.
• Recordings created by PSM for SSH are displayed in the classic interface.

Monitor Active Sessions

• Users can monitor active sessions using PVWA, HTTP/S, Unix, Administrator, RDP, and SSH (using putty).

Sizing Calculations for the PSM Server

• The required storage on the PSM Server (SPSM) is calculated using the formula: SPSM = Csession * tsession * Rsession recording + 20GB.
• The average bit rate of recorded video for different sessions is:
  • 100 KB/min for average SSH session
  • 200 KB/min for average low activity RDP session
  • 300 KB/min for average high activity RDP session with rich wallpaper

Sizing Calculations for the Vault Server

• The required storage on the Vault Server (SVault) is calculated using the formula: SVault = tretention * Nsession * tsession * Rsession recording + 20GB.
• The retention history requirement (tretention) is a factor in calculating the required storage.

PAM Administration

• The goal of this section is to enable participants to monitor and manage privileged session recordings, audits, and active sessions.
• The participant will be able to monitor and manage privileged session recordings, audits, and active sessions upon completion of this session.

Recordings

• PSM and PSM for SSH create video and text recordings for privileged sessions and store them in the Vault.
• Authorized users can view these recordings at any time.
• Recordings can be stored in an external storage device.

Configuring Rules

• Rules are defined by category, pattern, session response, threat score, and scope
• Categories include SSH, Universal Keystrokes, SCP, SQL, and Windows title
• Patterns are regular expressions to be monitored
• Session responses include Suspend, Terminate, and None
• Threat score ranges from 1-100
• Scope determines who or what the rule will apply to

Session Analysis and Response Life Cycle

• The life cycle includes analytics, define risks, alerts, automatic response, manual response, and risk review
• The security team is involved in the manual response and risk review stage

Privileged Threat Analytics

• It quickly gathers and analyzes critical data
• Enables speedy response and automated containment
• Detects suspicious activities
• Alerts security teams with detailed event information
• Collects data from a wide variety of sources
• Part of CyberArk's PAM administration

Agenda

• Describe the main functionality of Privileged Threat Analytics (PTA)
• Describe the different data sources used by the PTA
• Describe the different attacks and risks detected by the PTA
• Describe the alert flow by the PTA
• Configure and test PTA automatic responses
• Describe the session analysis and response flow

Report Categories

• There are two categories of reports: Operational reports and Audit/Compliance reports.

Filter Options

• Each type of report has differing filtering criteria.

Scheduling Reports

• Reports can be run immediately, saved, or scheduled to run on a regular basis.
• Subscribers can be added to receive notifications by email when the report is generated, containing a link to the report.

Report Status

• The Refresh button can be used to check if a report has been generated.

Finished Reports

• Reports can be downloaded in Excel or CSV formats.

Report Types

• PrivateArk Reports are of interest to Vault Admins and include:
  • License capacity of the system
  • Lists of Users
  • Active/Non-active Users
  • Safes List
  • Active/Non-active Safes
• PVWA Reports are of interest to Auditors and include:
  • Privileged Accounts Inventory
  • Applications Inventory
  • Privileged Accounts Compliance Status
  • Entitlement Report
  • Activity Log

Report Generation

• Reports can be generated using the PVWA and the PrivateArk Client.
• The Export Vault Data (EVD) Utility can be used to extract data for reports.

Permissions

• Different reports require different permissions to run.

CyberArk's Scalable Architecture

• The architecture consists of auditors, PVWA, CPM, PSM, and a Vault (HA Cluster) in the main data center, with replicated environments in London and Hong Kong.
• The IT environment is integrated with the Vault and other components.

PAM Self-Hosted Components

• PAM Self-Hosted is a Privileged Access Manager solution where all components are owned and operated by the customer.
• It can be deployed on-premises, in the cloud, or in a hybrid environment.
• The components include:
  • Secure Digital Vault: a secure server for storing privileged account information.
  • Password Vault Web Access (PVWA): a web interface for users to access privileged account information.
  • Central Policy Manager (CPM): performs password changes on devices and configures policies.
  • Privileged Session Manager (PSM): isolates and monitors privileged account activity, recording sessions.
  • Privilege Threat Analytics (PTA): monitors and detects malicious privileged account behavior.

CyberArk PAM Offerings

• PAM Self-Hosted is an entirely on-premises or cloud-based deployment.
• CyberArk Privilege Cloud is a PAM solution delivered as Software as a Service (SaaS).

Before Installing

• Enable the Backup user
• Set the password on the Primary Vault

Install the Utility

• Install the Replicator module and specify a path to a backup folder for the replicated data

Configure Vault.ini

• Edit the Vault.ini to give the Replicator utility the network address of the Vault server

Create Cred File

• The Credential File is used by the utility to authenticate to the Vault
• The password for the Backup user is changed in the Vault and the Credential File is updated after every successful login

Performing a Backup

• The backup is launched at a command line using the PAReplicate.exe executable file
• The syntax of the command specifies the vault.ini file and uses the logonfromfile and fullbackup switches

Overview

• The CyberArk Vault enables you to backup and restore a single Safe to a Vault, as well as a complete Vault’s data and metadata
• The Data and Metadata folders are extremely important and it is imperative to back them up regularly

Backup Considerations

• Vault backup can be implemented in two ways: Direct Backup (Not Recommended) and Indirect Backup (Recommended)
• Direct Backup introduces an external application to the Vault and potentially reduces the level of security
• Indirect Backup uses the PrivateArk Replicate Utility to pull Vault data as encrypted files to a server, and then enterprise backup software can backup these files

Installation and Setup

• Before installing the Replicator utility, ensure the backup server has at least the same disk space as the Vault database on an NTFS volume, accessibility by your enterprise backup system, and physical security that only permits authorized users to access it

Enhanced DR Replication

• Database synchronization occurs between the Primary Vault and Disaster Recovery Environment
• The DR Service is responsible for synchronization
• Data and metadata synchronization can be enabled in the padr.ini configuration file with the default setting EnableDbsync=Yes

Data Replication Interval

• The ReplicateInterval parameter determines the length of time between synchronizations of the Vault file system
• The default interval is 3,600 seconds (or one hour)

PVWA Failover Setup

• PVWA servers can be configured for automatic failover to allow users to access passwords without interruption
• Audit data should be saved via the activity log before re-enabling replication
• SIEM integration can mitigate the issue of saving audit data

DNS Load Balancing

• A DNS Alias can be used to control which Vault is used by the components (CPMs, PSMs, PVWAs)
• The DNS Alias is set in the Vault.ini file
• DNS Alias updates are a manual process and will extend the outage

Failover

• Automatic failover can be enabled with the parameter EnableFailover=Yes
• The CheckInterval indicates the DR Vault will contact the Primary Vault every 60 seconds, and if it fails, it will try again 4 times, once every 30 seconds
• After which, the DR Vault considers that the Primary is down and it goes into DR mode

Manual Failover

• To configure the DR Vault for manual failover, padr.ini should be configured as follows: EnableFailover to No, EnableDbsync to Yes, and ActivateManualFailover to No
• To perform a proper manual failover, set the parameter ActivateManualFailover to Yes and restart the DR service

The Failover Process

• The failover process involves connection failure, retry attempts, failover started, data synchronization, starting PrivateArk, stopping the Server, and disaster recovery service

CyberArk PAM Solution Encryption

• Three files form the cornerstone of the CyberArk PAM solution encryption methodology: Server Key, Recovery Public Key, and Recovery Private Key.
• These files are required to install and operate CyberArk PAM.

Vault Object Encryption - Day-to-Day Operations

• Vault objects are encrypted using AES-256.
• Server Key is used to encrypt vault objects.
• Safe objects are encrypted using AES-256.
• Safe Key is used to encrypt safe objects.
• Password files are encrypted using AES-256.
• File Key is used to encrypt password files.

The Vault: End-to-End Security

• The Vault provides end-to-end security with features like:
  • Discretionary and Mandatory Access Control
  • Session Encryption
  • Firewall Authentication
  • Granular Permissions
  • Subnet-Based Access Control
  • Tamperproof Audit Trail
  • Hierarchical Encryption Model
• The Vault uses a proprietary protocol and hardened built-in Windows firewall.
• OpenSSL encryption is used.
• Role-Based Access Control and Time Limits are available.
• Every object in the Vault has a unique key.

Vault Encryption and Key Management

• Keys are encrypted using a 3rd-party tool.
• Keys are not stored in RAM.
• Keys are always available, even when the Vault is restarted.
• Inserting a medium is required to encrypt the key.

Summary

• The session covered security controls protecting the Vault and encryption keys.
• It also covered encryption mechanisms protecting Vault data.

CyberArk PAM Solution Encryption

• Three files form the cornerstone of the CyberArk PAM solution encryption methodology: Server Key, Recovery Public Key, and Recovery Private Key.
• These files are required to install and operate CyberArk PAM.

Vault Object Encryption - Day-to-Day Operations

• Vault objects are encrypted using AES-256.
• Server Key is used to encrypt vault objects.
• Safe objects are encrypted using AES-256.
• Safe Key is used to encrypt safe objects.
• Password files are encrypted using AES-256.
• File Key is used to encrypt password files.

The Vault: End-to-End Security

• The Vault provides end-to-end security with features like:
  • Discretionary and Mandatory Access Control
  • Session Encryption
  • Firewall Authentication
  • Granular Permissions
  • Subnet-Based Access Control
  • Tamperproof Audit Trail
  • Hierarchical Encryption Model
• The Vault uses a proprietary protocol and hardened built-in Windows firewall.
• OpenSSL encryption is used.
• Role-Based Access Control and Time Limits are available.
• Every object in the Vault has a unique key.

Vault Encryption and Key Management

• Keys are encrypted using a 3rd-party tool.
• Keys are not stored in RAM.
• Keys are always available, even when the Vault is restarted.
• Inserting a medium is required to encrypt the key.

Summary

• The session covered security controls protecting the Vault and encryption keys.
• It also covered encryption mechanisms protecting Vault data.

Remote Control

• Enables users to perform remote operations on Vault, DR Vault, and ENE components.
• Consists of Remote Control Agent (Windows service) and Remote Control Client (command-line interface utility).
• Remote Control Agent runs on Vault components, while the Client can run on any computer without requiring other Vault components.

Remote Monitoring

• Enables users to receive Operating System and Vault information, including CPU, memory, and disk usage, event log notifications, and service status.
• Uses SNMP to send Vault traps to a remote terminal.
• CyberArk provides two MIB files for SNMP v1 and v2 that describe SNMP notifications sent by the Vault.

System Monitoring and Administrative Tasks

• Can monitor system health via REST, email, SIEM, and SNMP.
• Can monitor replications and DR status.
• Perform common administrative tasks related to system maintenance.

Monitoring Components

• Can monitor components via REST, email, SIEM, and SNMP.
• Examples of components that can be monitored include PVWAAppUser, PasswordManager, DR, and Backup.

Enabling Component Monitoring

• Can customize email notifications by editing the body parameter in the Component is inactive template (ID: 206).
• Can enable monitoring of a specific CyberArk component user account using the PrivateArk Client.
• Can add the ComponentMonitoringInterval parameter to dbparm.ini to set the monitoring interval.
• Can define the actions taken when the Vault detects a disconnected component using the ComponentNotificationThreshold parameter.

Troubleshooting PSM-RDP

• Same troubleshooting recommendations as for PSM-RDP
• Run component manually using shadow user
• Delete Shadow users (from PSM computer management)
• Adjust AppLocker (or remove it manually in Windows for isolation)

Shadow Users

• Created by the PSM upon first connection
• Used to run connection components and store user preferences
• Can isolate problems related to shadow users by:
  • Running the component manually as the shadow user (after password reset)
  • Deleting the user (this will allow the PSM to create the user again)

Adjust AppLocker

• PSM uses Windows AppLocker feature to define rules for allowing or denying applications
• When adding a new component, adjust AppLocker by:
  • Uncommenting the line relating to the new component in PSMConfigureApplocker.xml
  • Running the PSMConfigureApplocker.ps1 script

Disable AppLocker

• Can disable AppLocker entirely for isolating the problem only
• Steps to disable AppLocker:
  • Open secpol.msc or gpedit.msc
  • Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
  • Click on Configure rule enforcement and set Executable Rules to Audit Only
  • Turn Enforce rules back on after testing

CPM Services

• Restart the CPM Services to troubleshoot issues

Resynch PTA Credentials

• Run the VaultPermissionsValidation.sh script in the utility folder on the PTA server to resynch credentials for PTA Vault users and PTA_PAS_Gateway account

Common Issues Related to CPM

• Local Computer Policy conflicts with password policy on target device
• Platform and Master Policy settings must not conflict with password policy on target device

User Authentication Issues

• User Receives an Authentication Failure due to:
  • Trying to log in to PVWA with old password after changing network password
• Identifying the Error in the ITA log on the Vault
• Unsuspend the User or use Automatic Unsuspend feature

Automatic Unsuspend

• Configure the Vault to unsuspend users automatically after a predefined time period using the UserLockoutPeriodInMinutes parameter in dbparm.ini

Troubleshooting PSM Server Issues

• To troubleshoot PSM server issues, disable NLA (Network Level Authentication) on the PSM machine or target machine by going to Control Panel → System and Security → System → Remote Settings
• Manually connect with PSMConnect by disabling the Start Program in the Environment tab, getting the PSMConnect account password, and connecting to the PSM with PSMConnect and running MSTSC to the target

Increasing Timeouts

• Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session
• In overloaded environments, it is recommended to double the timeout values, e.g., ConnectionComponentTimeout: 20000

PSM Component Issues

• Verify if PSM users (PSMConnect / Shadow users) are supported and if Mapping drives is enabled

Target Windows Accounts

• Verify / Change / Reconcile API and “net use” command
• Use alternative plugins: WMI plugin / PowerShell plugin
• Suggested troubleshooting:
  • Check Windows Event Viewer
  • Check for unusual Local Security Settings
  • Run “net use” manually from the CPM server to verify the connection

Target Unix Accounts

• Verify / Change / Reconcile operations are affected
• Suggested troubleshooting:
  • Run plink manually
  • Disable DEP / add exceptions for DEP on the CPM server
  • Prompts and Process files – add a basic prompt

PSM-RDP Connection Troubleshooting

• Understanding the problem:
  • At what stage does the problem occur?
  • One account? Multiple accounts? Same type?
  • Is the PSM hardened? Is the PSM in a domain?
  • Which connection type is being used? RDP file / RemoteApp
• Suggested troubleshooting:
  • Check the PSM service – is it off/hanging?
  • Run component manually using shadow user
  • Delete Shadow users (from PSM computer management)
  • Adjust AppLocker (or remove it manually in Windows for isolation)

Shadow Users

• Shadow users are created by the PSM upon first connection
• Shadow users are used to run connection components and store user preferences
• Isolate problems related to shadow users by:
  • Running the component manually as the shadow user (after password reset)
  • Deleting the user (this will allow the PSM to create the user again)

Adjusting AppLocker

• The PSM uses the Windows AppLocker feature which defines a set of rules that allow or deny applications from running on the PSM machine
• When adding a new component, adjust AppLocker by:
  • Adding an exception to PSMConfigureApplocker.xml
  • Running the PSMConfigureApplocker.ps1 script

Disabling AppLocker

• Disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins
• Set Executable Rules to Audit Only and turn Enforce rules back on after testing

PSM Configuration

• PSM configuration file is located at C:\Program Files\CyberArk\PSM\Basic_psm.ini
• Debug settings can be found at PVWA > Administration Tab > Options > Privileged Session Management

CPM Configuration

• CPM configuration file is located at Vault > Safe "Password Manager" > root\policies\.ini
• Debug settings can be found at PVWA > Administration Tab > CPM settings

Debugging and Troubleshooting

• Debug levels can be set to 0 (no messages), 1, 2, 3, 4, 5, 6, or 7
• Trace levels can be set to 1, 2, 3, 4, 5, 6, or 7
• Log files can be found at \Logs and subfolders, or according to the LogsFolder parameter in Basic_psm.ini file
• CPM debug levels can be set to 1 (exceptions), 2 (trace messages), 3 (CASOS activities), 4 (CASOS debug activities), 5 (CASOS errors), or 6 (all CASOS activities and errors)

Log Files

• PSM logs can be found at \Logs and subfolders
• CPM logs can be found at \Program Files\CyberArk\PasswordManager\Logs\pm.log, \pm-error.log, \PMConsole.log, and \PMTrace.log
• Plug-in logs can be found at \Program Files\CyberArk\PasswordManager\Logs\ThirdParty\*.log
• PVWA logs can be found at %windir%\temp\

Troubleshooting Flow

• The basic troubleshooting methodology involves understanding the system implementation, component communication, and current behavior compared to expected behavior
• It is important to write down any information gathered during the troubleshooting process and any tests performed, as this information will be required when opening a case with CyberArk support

Privileged Threat Analytics (PTA)

• Detects malicious activity caused by privileged accounts and contains in-progress attacks.

On-Demand Privileges Manager

• Empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise.

Digital Vault

• A hardened and secured digital vault used to store privileged account information.
• Implemented in compliance with the CyberArk Digital Vault Server security standard, resulting in a highly secure repository for privileged account passwords.

Central Policy Manager (CPM)

• Performs password changes and SSH key rotations on devices based on policies set by Vault Administrators.
• Responsible for Accounts Feed operations, including:
  • Discover: Automates privileged account discovery.
  • Analyze: Provides an easy view of all discovered accounts.
  • Provision: Provisions the scope of accounts to manage in the Vault in a simple and intuitive way.

Policy Management

• Manages password policies for various systems, including Unix, Oracle, Windows, z/OS, and Cisco.

PVWA - Password Vault Web Access

• A web interface used by Administrators to perform administrative tasks and by end users to gain access to privileged account information.

PSM – Privileged Session Manager

• Isolates desktops from sensitive target machines to prevent cyber attacks.
• Creates accountability and control over privileged session access with policies, workflows, and single sign-on.
• Delivers continuous monitoring and compliance with session recording with zero footprint on target machines.

Enterprise Password Vault Solution Overview

• Master/exception policy definition.
• Initial load and reset accounts discovery through REST API or manual loading.
• Auditor access and policy management.
• Request access to privileged accounts through PVWA and PSM.

Description

This quiz covers the key features of CyberArk's Privileged Access Management (PAM) solution, including credential management, session isolation, and risk remediation. Test your knowledge of CyberArk PAM's capabilities.