Chapter 10 Flashcards

1
Q

Privileged Session Management
Provides 3 Main Benefits:
1. (blank) - separate endpoints from critical target systems to prevent lateral movement
2. (blank) - detect and track suspicious activities in privileged sessions and events in real time
3. (blank) - support forensic analysis and audit with detailed records of privileged activity

A

isolation

monitoring

recording

2
Q

When we talk about PSM, the (blank), we are usually referring to the PSM installed on a Windows server. You can think of this as the “Universal PSM” because you can connect through it practically from any device to any device.

A

Privileged Session Manager

3
Q

The (blank) enables organizations to secure, control, and monitor privileged access to network devices.
* It creates detailed session audits and video recordings of all IT administrator privileged sessions on remote machines
* Sessions on the target systems are fully isolated, and the privileged account credentials are never exposed to the end users or their client applications and devices

A

PSM

4
Q

What is this?

  1. Logon through PVWA
  2. Connect to PSM using RDP/TLS
  3. Fetch credential from Vault
  4. Connect using native protocols
  5. Logs forwarded to SIEM and PTA
  6. Store session recording
A

PSM flow

5
Q

Enable the PSM in the (blank) Policy for all platforms, or for specific platforms by use of exceptions

A

master

6
Q

By default, Platforms are associated with the first installed PSM server

A

blank

7
Q

(blank) - define the configuration settings for using a given third-party client to connect to a target platform.
A few common ones are:
* SQLPlus
* RDP
* Putty
* WinSCP

A

Connection Components
(aka Connectors)

8
Q

Connection Components
(aka Connectors)

There are many connection components available out of the box
* Additional connection components can be found in the (blank)
* Organizations can also build and add custom connection components to the PAM solution

A

CyberArk
Marketplace

9
Q

To enable the use of a particular third-party client to connect to a given account, the appropriate Connection Component needs to be assigned to the (blank) that manages that account

A

Platform

10
Q

The new interface accelerates and simplifies Vault administration by allowing admins to import (blank) connectors and link them to Platforms, all from one location

A

PSM

11
Q

The (blank) framework facilitates the creation of custom connection components using a (relatively) simple, freeware programming language called AutoIt

A

Universal Connector

12
Q

With an (blank), users can connect securely to any machine supported by the PSM if they know the password
* Main use cases:
  - Connecting with accounts that are not stored in the CyberArk Vault
  - Connecting with personal accounts
* Provides all the benefits of PSM: isolation, monitoring, and recording

A

Ad-Hoc Connection

13
Q

How to enable ad-hoc connections?

The (blank) Platform must be activated
* Privileged session monitoring and isolation must be enabled for the PSM Secure Connect platform. This can be done either globally or via an exception to the Master policy

A

PSM Secure Connect

14
Q

When launching an ad-hoc connection, users will need to specify all the account details when they connect:
* The (blank) they want to use on the PSM
* Target system address
* Username
* Password, etc.

A

client

15
Q

Many organizations block RDP client connections from end users’ machines for security reasons or regulatory requirements.
* RDP is a Microsoft protocol, so in order to use it in Linux, Unix, or Mac environments, users must install a third-party client in order to connect to the PSM.
* The HTML5 Gateway tunnels the session between the end user and the PSM proxy machine using a secure WebSocket protocol (port 443). This solution eliminates the need to open an RDP connection from the end user’s machine. Instead, the end user only requires a web browser to establish a connection to a remote machine through PSM.
* Secure access through HTML5 requires integrating an HTML5 gateway on a Linux server (can be co-hosted with PSM for SSH). The Gateway is based on Apache Guacamole.

A

blank

16
Q

HTML5 Gateway: Flow

A
  1. Logon through PVWA and click on Connect
  2. Connect to HTML5 GW using WebSocket
  3. Connect to PSM using RDP
  4. Fetch credential from Vault
  5. Connect using native protocols
  6. Logs forwarded to SIEM and PTA
  7. Store session recording
17
Q

The HTML5 GW is enabled at the system level for each (blank) server

18
Q

Users can be given the option to connect using either an HTML5-based or an RDP-file connection method when connecting to the remote server
* This setting is applied at the (blank) level

A

Connection Component

19
Q
  • Users connect directly from their desktops with an RDP-compliant client to the PSM, which then connects to the target host using the protocol appropriate to that host: SSH, RDP, etc.
  • There is no need to go through the PVWA.
  • Users can launch the RDP client and sign in to CyberArk using single- or multi-factor authentication (for example, LDAP with RADIUS).
    - The RDP client application must be able to configure a “Start Program” to run for the RDP connection.
    - Connections can be made from Unix / Linux / Mac / Windows end user machines.
  • PSM continues to provide complete isolation of the target systems, ensuring that privileged credentials never reach users or their devices
20
Q

PSM for Windows: Flow

A
  1. Connect to PSM using RDP/TLS
  2. Fetch credential from Vault
  3. Connect using native protocols
  4. Logs forwarded to SIEM and PTA
  5. Store session recording
21
Q

RDP Client Settings

A

* PSM IP
* Vault user
* Activate Start Program
* Program path:
  - Privileged Account name
  - Target address
  - Connection Component

22
Q

Preconfigured RDP Files

You can also configure individual RDP files to connect through the (blank)
* It is possible to configure connections with or without providing the target system details

23
Q

PSM for SSH: Overview

  • The average enterprise manages hundreds of Unix servers and network devices
  • Systems are usually critical, but access to them is uncontrolled
  • Network and Unix teams are reluctant to change their existing workflows and tool sets
  • PSM for SSH (previously PSM SSH Proxy or PSMP) is designed to provide a native Unix/Linux user experience when connecting to any SSH target system
24
Q

PSM for SSH Client Settings

The connection settings for PSM for SSH resemble those of PSM for Windows.
* Connections are not launched via the (blank), but through a special connection string.

25
Q

PSM for SSH: Flow

A
  1. User opens SSH session to the PSM server
  2. PSM retrieves privileged account password from the Vault
  3. Open SSH session to the target using the privileged account
  4. Logs forwarded to SIEM and PTA
  5. Store SSH session audit
26