Vault Security and Troubleshooting Guide

Questions and Answers

What happens when a component loses its network connection to the Vault?

• It continues to communicate with the Vault.
• It logs out the user from all sessions.
• It automatically attempts to reconnect to the Vault.
• It appears as disconnected in the System Health Dashboard. (correct)

What is credential de-sync?

• It is caused by a network outage impacting the Vault.
• It refers to a mismatch between stored passwords in the Vault and credential file. (correct)
• It leads to automatic re-authentication attempts.
• It occurs when a component's settings are modified.

What is the most likely consequence of an expired Vault license?

• The Vault will prevent startup altogether. (correct)
• User permissions will be automatically revoked.
• Components will reset to default settings.
• Components may disconnect intermittently.

Which issues are less likely to cause component disconnections?

File corruption in the installed location (A), Browser compatibility issues (B)

Where can reconcile and logon accounts be linked?

Through the account settings (C)

Which of the following is a common cause of component disconnection?

Credential de-sync (A)

Why might browser compatibility issues not lead to component disconnections?

They primarily impact UI interactions, not backend processes. (C)

Which setting is NOT relevant for linking reconcile and logon accounts?

Client settings (C)

Which log contains informational messages and errors related to PSM functionality?

PSMConsole.log (A)

Which log provides detailed entries of workflows related to the PSM component?

PSMTrace.log (C)

What is the primary focus of the .Component.log file?

Errors and trace messages for the connection client (B)

Why is the PSMDebug.log considered less relevant for debugging connection issues?

It does not exist in CyberArk documentation. (C)

Which log would likely be the least useful when diagnosing PSM connection issues?

ITALog.log (D)

When examining logs for connection issues, which should be prioritized?

PSM-specific logs (D)

Which log would you consult first when users cannot launch Web Type Connection components?

PSMTrace.log (C)

What type of log is the PMconsole.log associated with?

Password Manager logs (B)

What is required to support LDAP over SSL on the Vault?

CA Certificate(s) used to sign the External Directory certificate (B)

Which log files should be analyzed first when troubleshooting a slow response in PVWA?

CyberArk.WebApplication.log (A), CyberArk.WebConsole.log (D)

What is the easiest way to duplicate an existing platform?

From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform. (B)

Where should the Recovery Private Key be stored?

On a physical safe (A)

How can you disable session monitoring and recording for 500 testing accounts?

Master Policy>select Session Management>add Exceptions to the platform(s)>disable Session Monitoring and Recording policies (D)

What is recommended for storing the Server Key?

In a Hardware Security Module (C)

If you want to view the status of web sessions, which log file is most relevant?

CyberArk.WebSession.General.log (D)

Which file is NOT typically involved when duplicating a platform?

PlatformSettings.log (D)

What needs to be enabled to ensure one-time password access for the 20 domain accounts?

Add exceptions to the Master Policy. (C)

Why is it important to record sessions connecting to domain controllers?

To maintain an audit trail of sensitive activities. (C)

What is the consequence of not enforcing one-time password access for the domain accounts?

Password reuse increases, compromising security. (D)

What should you do to begin addressing the issue of recording sessions in CyberArk PSM?

Edit the Master Policy to enable session recording. (C)

Which option is NOT a correct action to address the findings regarding domain accounts?

Edit safe properties to enforce OTP and session recording. (D)

What is the primary role of the Master Policy in the context of managing domain accounts?

To define rules for session recording and password management. (D)

What enhances security by preventing the reuse of compromised passwords?

Enforcing one-time password access. (D)

Who should be contacted to implement policy exceptions at the Active Directory level?

The Windows Administrators. (C)

What is required to manage loosely connected devices?

PSM for SSH (B)

What configuration is needed in the Master policy to allow only one user to check out passwords securely?

Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active (D)

When should vault keys be rotated?

When it is copied to file systems outside the vault (D)

Where can PTA be configured to send alerts? (Choose two.)

SIEM (B), Email (C)

What does the PSM do besides managing session connections?

Forwards logs to both SIEM systems and PTA (C)

What is the significance of the vault sending health statistics to SIEM applications?

To detect any anomalies that might indicate issues (C)

What does PTA analyze data from?

Various critical external components including SIEM solutions (C)

What effect does 'Record and save session activity' have in the context of user session management?

It creates an audit trail for each session, enhancing security (B)

Flashcards

LDAP over SSL for Vault

Import the CA certificate used by the external directory into the Windows certificate store to enable LDAP over SSL on the Vault.

PVWA Slow Response Logs

Analyze PVWA.App.log, PVWA.Reports.log, PVWA.Console.log, PVWA.Casos.log, CyberArk.WebSession.General.log, CyberArk.WebServiceSession.log for troubleshooting slow PVWA response.

Duplicate Platform (PVWA)

Duplicate an existing platform in PVWA by selecting it, clicking 'Duplicate', naming the new platform.

Recovery Private Key Storage

Store the recovery private key in a physical safe (Master CD).

Recovery Public Key Storage

Store the recovery public key on the Vault server disk drive.

Server Key Storage

Store the server key in a Hardware Security Module (HSM).

SSH Keys Storage

Store SSH keys within the Vault.

Disable Session Monitoring Testing

Disable session monitoring and recording policies in the Master Policy, adding exceptions for specific platforms.

Web Type Connection Component Logs

Analyze PSMConsole.log, PSMTrace.log, and .Component.log files for troubleshooting web type connection components.

Vault Service Disconnection

Components show as disconnected in System Health Dashboard due to network loss or credential mismatch.

Link Accounts (Reconcile/Logon)

Link reconcile and logon accounts to accounts in account settings or platform settings.

One-Time Password Enforcement

Edit Master Policy to enable 'Enforce one-time password access' and 'Record and save session activity' exception.

Loosely Connected Devices Management

Use Privileged Session Manager (PSM) for SSH to manage loosely connected devices.

Exclusive Check-Out Access

Enable 'Enforce check-in/check-out exclusive access' in Master Policy and set to active.

Vault Key Rotation Schedule

Rotate vault keys annually or when migrating to a new data center.

PTA Alert Destinations

Configure PTA to send alerts to Security Information and Event Management (SIEM) systems and email.

Study Notes

Vault Security

• LDAP over SSL: To support LDAP over SSL on the Vault, import the CA certificate that signed the certificate used by the external directory into the Windows certificate store.

Troubleshooting PVWA Slow Response

• Analyze the following log files:
  • PVWA.App.log
  • PVWA.Reports.log
  • PVWA.Console.log
  • PVWA.Casos.log
  • CyberArk.WebSession.General.log
  • CyberArk.WebServiceSession.log
  • CyberArk.WebServiceSession..log

Duplicating Platforms

• Duplicate platforms through the PVWA:
  • Navigate to the platforms page.
  • Select an existing platform similar to the new target account platform.
  • Click Duplicate.
  • Name the new platform.

Key Storage Locations

• Recovery Private Key: Store in a Physical Safe (Master CD)
• Recovery Public Key: Store on the Vault Server Disk Drive
• Server Key: Store in a Hardware Security Module
• SSH Keys: Store in the Vault.

Disabling Session Monitoring and Recording

• Disabling for Testing Accounts:
  • Disable Session Monitoring and Recording policies through the Master Policy.
  • Select Session Management.
  • Add Exceptions to the platform(s).

Troubleshooting Web Type Connection Components

• Analyze the following log files:
  • PSMConsole.log
  • PSMTrace.log
  • .Component.log

Identifying Vault Service Status

• Components display as disconnected in the System Health Dashboard when they lose network connection to the Vault.
• Credential de-sync: When the password stored in the Vault for a component user no longer matches the password stored in the component's credential file, the component will display as disconnected.

Linking Accounts with Reconcile and Logon Accounts

• Reconcile and Logon accounts can be linked to an account in these two locations:
  • Account settings:
  • Platform settings:

Enforcing One-Time Password Access and Session Recording

• Edit the Master Policy and add two policy exceptions:
  • Enable "Enforce one-time password access"
  • Enable "Record and save session activity".

Managing Loosely Connected Devices

• Use the Privileged Session Manager (PSM) for SSH to manage loosely connected devices.

Ensuring Exclusive Check-Out Access Through PSM

• Enable "Enforce check-in/check-out exclusive access" in the Master Policy.
• Configure the setting to active.

Vault Key Rotation

• When to rotate vault keys:
  • Annually
  • When migrating to a new data center

PTA Alert Configuration

• PTA can send alerts to:
  • SIEM
  • Email

Description

This quiz covers essential topics related to Vault security, including LDAP over SSL configuration, troubleshooting slow responses with log file analysis, duplicating platforms, and proper key storage locations. Test your knowledge on how to maintain and secure your Vault environment effectively.