Vault Security and Troubleshooting Guide

Questions and Answers

What happens when a component loses its network connection to the Vault?

It continues to communicate with the Vault.

It logs out the user from all sessions.

It automatically attempts to reconnect to the Vault.

It appears as disconnected in the System Health Dashboard. (correct)

What is credential de-sync?

It is caused by a network outage impacting the Vault.

It refers to a mismatch between stored passwords in the Vault and credential file. (correct)

It leads to automatic re-authentication attempts.

It occurs when a component's settings are modified.

What is the most likely consequence of an expired Vault license?

The Vault will prevent startup altogether. (correct)

User permissions will be automatically revoked.

Components will reset to default settings.

Components may disconnect intermittently.

Which issues are less likely to cause component disconnections?

File corruption in the installed location

Where can reconcile and logon accounts be linked?

Through the account settings

Which of the following is a common cause of component disconnection?

Credential de-sync

Why might browser compatibility issues not lead to component disconnections?

They primarily impact UI interactions, not backend processes.

Which setting is NOT relevant for linking reconcile and logon accounts?

Client settings

Which log contains informational messages and errors related to PSM functionality?

PSMConsole.log

Which log provides detailed entries of workflows related to the PSM component?

PSMTrace.log

What is the primary focus of the .Component.log file?

Errors and trace messages for the connection client

Why is the PSMDebug.log considered less relevant for debugging connection issues?

It does not exist in CyberArk documentation.

Which log would likely be the least useful when diagnosing PSM connection issues?

ITALog.log

When examining logs for connection issues, which should be prioritized?

PSM-specific logs

Which log would you consult first when users cannot launch Web Type Connection components?

PSMTrace.log

What type of log is the PMconsole.log associated with?

Password Manager logs

What is required to support LDAP over SSL on the Vault?

CA Certificate(s) used to sign the External Directory certificate

Which log files should be analyzed first when troubleshooting a slow response in PVWA?

CyberArk.WebApplication.log

What is the easiest way to duplicate an existing platform?

From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.

Where should the Recovery Private Key be stored?

On a physical safe

How can you disable session monitoring and recording for 500 testing accounts?

Master Policy>select Session Management>add Exceptions to the platform(s)>disable Session Monitoring and Recording policies

What is recommended for storing the Server Key?

In a Hardware Security Module

If you want to view the status of web sessions, which log file is most relevant?

CyberArk.WebSession.General.log

Which file is NOT typically involved when duplicating a platform?

PlatformSettings.log

What needs to be enabled to ensure one-time password access for the 20 domain accounts?

Add exceptions to the Master Policy.

Why is it important to record sessions connecting to domain controllers?

To maintain an audit trail of sensitive activities.

What is the consequence of not enforcing one-time password access for the domain accounts?

Password reuse increases, compromising security.

What should you do to begin addressing the issue of recording sessions in CyberArk PSM?

Edit the Master Policy to enable session recording.

Which option is NOT a correct action to address the findings regarding domain accounts?

Edit safe properties to enforce OTP and session recording.

What is the primary role of the Master Policy in the context of managing domain accounts?

To define rules for session recording and password management.

What enhances security by preventing the reuse of compromised passwords?

Enforcing one-time password access.

Who should be contacted to implement policy exceptions at the Active Directory level?

The Windows Administrators.

What is required to manage loosely connected devices?

PSM for SSH

What configuration is needed in the Master policy to allow only one user to check out passwords securely?

Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active

When should vault keys be rotated?

When it is copied to file systems outside the vault

Where can PTA be configured to send alerts? (Choose two.)

SIEM

What does the PSM do besides managing session connections?

Forwards logs to both SIEM systems and PTA

What is the significance of the vault sending health statistics to SIEM applications?

To detect any anomalies that might indicate issues

What does PTA analyze data from?

Various critical external components including SIEM solutions

What effect does 'Record and save session activity' have in the context of user session management?

It creates an audit trail for each session, enhancing security

Study Notes

Vault Security

• LDAP over SSL: To support LDAP over SSL on the Vault, import the CA certificate that signed the certificate used by the external directory into the Windows certificate store.

Troubleshooting PVWA Slow Response

• Analyze the following log files:
  • PVWA.App.log
  • PVWA.Reports.log
  • PVWA.Console.log
  • PVWA.Casos.log
  • CyberArk.WebSession.General.log
  • CyberArk.WebServiceSession.log
  • CyberArk.WebServiceSession..log

Duplicating Platforms

• Duplicate platforms through the PVWA:
  • Navigate to the platforms page.
  • Select an existing platform similar to the new target account platform.
  • Click Duplicate.
  • Name the new platform.

Key Storage Locations

• Recovery Private Key: Store in a Physical Safe (Master CD)
• Recovery Public Key: Store on the Vault Server Disk Drive
• Server Key: Store in a Hardware Security Module
• SSH Keys: Store in the Vault.

Disabling Session Monitoring and Recording

• Disabling for Testing Accounts:
  • Disable Session Monitoring and Recording policies through the Master Policy.
  • Select Session Management.
  • Add Exceptions to the platform(s).

Troubleshooting Web Type Connection Components

• Analyze the following log files:
  • PSMConsole.log
  • PSMTrace.log
  • .Component.log

Identifying Vault Service Status

• Components display as disconnected in the System Health Dashboard when they lose network connection to the Vault.
• Credential de-sync: When the password stored in the Vault for a component user no longer matches the password stored in the component's credential file, the component will display as disconnected.

Linking Accounts with Reconcile and Logon Accounts

• Reconcile and Logon accounts can be linked to an account in these two locations:
  • Account settings:
  • Platform settings:

Enforcing One-Time Password Access and Session Recording

• Edit the Master Policy and add two policy exceptions:
  • Enable "Enforce one-time password access"
  • Enable "Record and save session activity".

Managing Loosely Connected Devices

• Use the Privileged Session Manager (PSM) for SSH to manage loosely connected devices.

Ensuring Exclusive Check-Out Access Through PSM

• Enable "Enforce check-in/check-out exclusive access" in the Master Policy.
• Configure the setting to active.

Vault Key Rotation

• When to rotate vault keys:
  • Annually
  • When migrating to a new data center

PTA Alert Configuration

• PTA can send alerts to:
  • SIEM
  • Email

Description

This quiz covers essential topics related to Vault security, including LDAP over SSL configuration, troubleshooting slow responses with log file analysis, duplicating platforms, and proper key storage locations. Test your knowledge on how to maintain and secure your Vault environment effectively.