Standard Questions Flashcards
What can’t CyberArk overcome?
- Penetration
- Recon
- Lateral Movement
- Privilege Escalation
Penetration
What port does the Vault use to communicate?
TCP 1858
What is PACLI?
The PrivateArk Command Line Interface (or PACLI) enables CyberArk Vault users to access the Vault server from any location using an intuitive command-line environment. Typical uses:
• Bulk adding users
• Adding safes
• Modifying properties
• Any other scripting usages
The PrivateArk Client can be installed on any station with access to the Vault.
True
The Vault Central Administration station can be installed on any station with access to the Vault.
False: Only available on the Vault server
What is RCC? Why is it used/better? What port does it use?
Remote Control Client: Executes tasks on vault via the Remote Control Agent. Now we don’t need to use RDP. Uses port 9022.
Difference between users and accounts?
Users: People who have been granted access to the system. They use the accounts and passwords.
Accounts: Privileged accounts whose passwords are stored in the Vault, such as a Domain admin account…
Applications and CyberArk components are also users who access accounts.
True
Difference between internal and transparent users and groups?
Internal: Built-in (automatically created) or manually added in the Vault.
Transparent: Users and groups that are automatically provisioned from an external directory (LDAP).
What will happen if you delete a transparent user within CyberArk?
It will be automatically re-created upon login if it still exists within AD and meets the mapping criteria.
What is the Master user? How can you change the password?
The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed.
To change the Master user password, log in with the Master user and click on User -> Set Password.
The Master user can only change the Master user password.
Requirements to log in with the Master User? In what file are these stored?
- PrivateArk Client
- Master Password
- Master CD (RecPrvKey)
- Vault or emergency console defined as (EmergencyStationIP)
The last 2 are defined in the dbparm.ini file.
Where are users stored? How is user management done (such as creating users)? Is it recommended that you manage your users with an external LDAP directory, such as Active Directory?
Stored: Vault database
User management: PrivateArk Client
Yes
What is a Directory Map? Explain the two kinds.
A Directory Map determines whether a User Account will be created in the Vault, and the roles they will have.
• User Mapping – allows for authentication and defines the user’s attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.
Explain: AutoSyncExternalObjects=Yes,24,1,5
Parameter in dbparm.ini that determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory (LDAP).
Yes –> Will sync the Vault with the External Directory.
24 –> The number of hours in one period cycle.
1,5 –> The hours during which the sync will take place.
Difference between Safe and Vault authorizations?
Vault:
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Defined only via the PrivateArk Client.
Safe:
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or the PVWA.
The list of groups that are added automatically to newly created safes is controlled by a parameter in the X file.
dbparm.ini
How do you determine which rights a group gets first?
The lower directory mapping number wins.
Access Control is applied to?
Safes –> Use this account…
How many objects can be stored in a safe?
20k
How many does CyberArk recommend?
3-5k
How many characters can a safe name be?
28
How do we apply least privilege?
Avoid situations where providing a user access to a Safe allows them to access accounts they don’t need to access. For example: you may want to configure separate Safes for Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts.
What is the right workflow for creating policies and accounts? Put these steps in order: Add Accounts; Review/Edit Master Policy; Create Platforms; Create Safes; Add exceptions to the Master Policy based on Platforms.
1. Review/Edit Master Policy
2. Create Platforms
3. Add exceptions to the Master Policy based on Platforms
4. Create Safes
5. Add Accounts
On what level do you set technical settings for passwords and exceptions?
Platform level.
On what level do you set Global policy settings / a baseline?
Master policy
Privileged Access Workflow
- Require dual control access approval: End users will need to request access to an account before connecting to a target system. Depending on advanced configuration, access authorization must be given by one or more managers.
- Enforce check-in/check-out: Only one user will be able to access and use an account at any given point in time. When a user checks out an account, it is locked and cannot be retrieved by other users until it is released by the user.
- Enforce one-time password access: Passwords are changed after each access. When a user retrieves an account, the CPM initiates a password change process that will occur automatically. Users get a minimum amount of time with the password before it changes.
- Allow EPV transparent connections: Enables end users to click the Connect button in the PVWA to access target devices without exposing the password to the end user.
- Specify reason: End users will have to enter some text to justify why they are accessing a particular target system.
Password Management:
- Require password change every X days: Determines the maximum number of days that can elapse between two password changes.
- Require password verification every X days: Ensures that passwords stored in the Vault are always synchronized with passwords in the target systems.
Will these be done automatically? Note that Platform settings determine if passwords will be changed/verified automatically for an account.
Session Management:
- Require privileged session monitoring and isolation: This is the parameter that activates privileged session management. This is disabled by default.
- Record and save session activity: This is ACTIVE by default and instructs the PSM servers to upload recordings and session activity to the Vault.
Audit Management:
- Activities audit retention period: Determines how long the Vault will store the history of audit activities.
What are 3 functions of a platform?
- Define the technical settings required to manage passwords. Examples: how long a password is, how complex it is…
- Point to the relevant plug-ins and connection components. Example: you log in differently to Windows machines than to Unix machines.
- The basis for exceptions to the Master Policy.
Two types of platforms:
* Target Account Platforms:
  • Define the technical settings required to manage accounts
  • Used to define exceptions to the Master Policy
  • Every account is associated with one platform
* Service Account Platforms
How many platforms can an account be associated with?
One (an account is not a user).
The technical settings for managing passwords can be found in the
Automatic Password Management section
What is the purpose of deactivating platforms?
• Better administration: Inactive platforms are hidden from users when they add accounts
• Better performance: the CPM does not manage Inactive platforms
Is Object Level Access Control (OLAC) recommended by CyberArk?
No
Pros of the AllowedSafes option?
- You can limit the scope of a particular platform to only those Safes that match the regular expression pattern (e.g. Linux --> when adding an account, it can only be added to Safes whose name starts with Linux)
- This helps improve the performance of the CPM
In how many Safes can an account be? In how many platforms?
1
How does the password change of a root account work on Unix?
Log in with the logon account –> su to the root account –> change the password
How can the logon account be set?
The logon account can be set on the individual account or via the Platform.
A ‘super user’ such as root should be used as a logon account
FALSE
Automatic reconciliation
must be enabled for a reconcile account.
TRUE
Where are private keys stored?
In the vault
Where are public keys stored?
On the target server.
One private key can be used to access multiple systems
TRUE
SSH Keys need their own platform
True
SSH Keys need their own safe, it can’t be shared with a safe with passwords
False
You can rotate the SSH keys using the Change button, just like with passwords.
TRUE
You can retrieve a copy of the private key and this can’t be disallowed.
This can be disallowed.
What are dependents and usages?
Dependents are a sort of platform. Usages refer to instances where an account that is created at the operating system or domain level is also used to perform some task somewhere else.
What needs to be enabled to search for usages?
SearchForUsages
What sort of usages are there?
NON-DISCOVERABLE USAGES and DISCOVERABLE USAGES. Both need to be done manually in the PVWA, but only non-discoverable usages need to be done at platform level.
Can passwords in files be encrypted? How, and where is it stored?
Encryption Command – The encryption file can be stored in any location on the CPM machine.
What happens when a user has view and list, but Allow EPV connections ‘Allow users to view password’ is disabled?
The user will not be able to see the password.
What does ‘Access Safe without confirmation’ do?
Bypasses Dual Control
What does a MinValidityPeriod of 60 mean?
The password will be changed 60 minutes after it is accessed. During that time, other users are able to access the password. This is the behaviour when OTP is enabled without Exclusive passwords.
Explain OTP and Exclusive passwords together and apart
Exclusive passwords
• When a user accesses a password, the account is locked; no other user can access the password until it has been released.
• The user must release the password manually.
• The password is changed automatically upon manual release.
One-time passwords
• After a user accesses a password, it is changed automatically based on the minimum validity period.
• Multiple users are able to access the password simultaneously.
• The minimum validity period is reset as each user accesses the password.
Exclusive and One-time passwords combined
• The account is locked to a single user; no other user can access it.
• If the user does not release the account manually, the system will release it automatically based on the Minimum Validity Period and change the password.
If the Request timeframe contains a specified time period, the password will only be changed by the CPM after the timeframe has expired, even though the MinValidityPeriod might be less. This applies only when dual control is enabled for the password.
True