PAM-DEF CyberArk Defender - PAM Questions and Answers

Discovery and Audit (DMA), Auto Detection (AD), and Accounts Discovery are CyberArk components or products that can be used to discover Windows Services or Scheduled Tasks that use privileged accounts.

Discovery and Audit (DMA) is a tool that scans Windows servers and workstations to identify privileged accounts that are used by Windows Services or Scheduled Tasks. DMA can also generate reports on the usage and risks of these accounts.

Auto Detection (AD) is a feature of the CyberArk Privileged Account Security Solution that automatically detects and onboards privileged accounts that are used by Windows Services or Scheduled Tasks. AD can also monitor and rotate the passwords of these accounts.

Accounts Discovery is a feature of the CyberArk Privileged Account Security Solution that scans the network to discover privileged accounts on various platforms, including Windows. Accounts Discovery can also identify accounts that are used by Windows Services or Scheduled Tasks.

References :

: Discovery and Audit (DMA) User Guide

: Auto Detection Implementation Guide

: Accounts Discovery Implementation Guide

 Setting the reconcile account at the platform level allows for flexibility in how the reconcile account is specified. A rule can be used to dynamically determine the appropriate reconcile account, or a specific reconcile account can be selected and configured directly in the platform settings.  This approach provides the ability to manage reconciliation accounts more efficiently and adapt to different scenarios 1 .

References :

CyberArk Community - Associate reconcile account with a specific platform

Comprehensive Explanation : The Privileged Threat Analytics (PTA) sensors are designed to collect specific types of data to detect potential security threats. For the alert category of  Unmanaged privileged account , the  Network Sensor  and  PTA Windows Agent  are responsible for collecting the relevant data. Similarly, for the alert category of  Anomalous access to multiple machines , data is collected from  Logs , the  Vault , and optionally from  AWS  and  Azure . The  Suspicious activities detected in a privileged session  category relies on data from  Logs , the  Vault , and optionally from  AD ,  AWS , and  Azure . Lastly, the  Suspected credentials theft  category also utilizes the  Network Sensor  and  PTA Windows Agent  for data collection.

References :

CyberArk’s official training materials and documentation provide detailed information on PTA sensors and the types of data they collect for different alert categories.

 The Privileged Accounts Inventory Report provides information about all the privileged accounts in the system, based on different filters, such as safe, platform, policy, and owner. To run this report through the Reports page in PVWA on a specific safe, the user needs to have the following permissions on that safe:

List Accounts: This permission allows the user to view the accounts in the safe and their properties, such as name, address, platform, and policy.

View Safe Members: This permission allows the user to view the members of the safe and their authorizations, such as owners, users, and groups.

These permissions are required to show complete account inventory information for the specific safe. Other permissions, such as Manage Safe Owners, Access Safe without confirmation, Manage Safe, and View Audit, are not relevant for this report.  References :  Reports and Audits - CyberArk ,  Safe Member Authorizations

When attempting to change the root account’s password, the CPM will log in to the system as the logon account, run the su command to log in as root, and then change root’s password. This is because the logon account is used to initiate sessions to machines that do not permit direct logon, such as Unix systems that restrict root access. When a logon account is associated with a privileged account, it will be used to log onto the remote machine and then elevate itself to the role of the privileged user. As different types of machines might have different logon prompts or elevation commands, the CPM can use the AutoLogonSequenceWithLogonAccount parameter to define the logon process and the elevation to the privileged account. This parameter contains regular expression prompts and responses that define the logon process and subsequent activities.  The regular expressions can include dynamic values that the CPM reads from the account properties, user parameters, or client-specific parameters 1 . For example, the following is a possible AutoLogonSequenceWithLogonAccount parameter for a Unix platform:

This parameter instructs the CPM to log in to the system as the logon account, enter the logon password, run the su - command to switch to the root user, enter the logon password again, run the change command to change the root password, exit the root session, and exit the logon session 1 .

The other options are not correct, as follows:

A. Log in to the system as root, then change root’s password. This option is not possible, because the root account cannot be used for direct logon.  The logon account is associated with the root account to enable the CPM to access the system and change the password 1 .

B. Log in to the system as the logon account, then change root’s password. This option is not effective, because the logon account does not have the permission to change the root’s password.  The logon account needs to elevate itself to the root user by using the su command before changing the password 1 .

D. None of these. This option is not valid, because there is a correct answer among the choices.

References :

1 :  Logon Accounts for SSH and Telnet Connections

The command to configure email alerts within PTA (Privileged Threat Analytics) after the initial installation is  /opt/tomcat/utility/emailConfiguration.sh . This command is used to start the PTA utility that allows you to set up email notifications for various alerts. During the configuration process, you will be prompted to enter details such as the SMTP/S protocol, email server IP address, SMTP port, sender’s email address, and recipient’s email address.  If the mail server requires authentication, you will also need to provide the username and password for the user that will send email notifications 1 .

References :

CyberArk’s official documentation provides a detailed procedure on how to configure PTA to send alerts to emails, including the use of the  /opt/tomcat/utility/emailConfiguration.sh  command

The license capacity report is a tool that provides information about the licensed user types and objects in the Vault. It enables users to see the maximum number of licenses for each user type or object, and the number of used licenses for each one. Only user types and objects that are limited by the license are displayed in this report. To generate a license capacity report, users need to use the PrivateArk Client, which is a graphical user interface that allows users to manage safes and their properties. Users can access the report from the Tools menu in the PrivateArk Client.  References :  Reporting License Usage ,  Manage the CyberArk License

A Vault Admin may still access a safe outside of the hours that it has been configured to be accessible, as long as he has the Bypass Safe Time Restrictions authorization on the Vault. The Bypass Safe Time Restrictions authorization enables a user to access any safe in the Vault, regardless of the time restrictions that are defined for that safe. This authorization is useful for emergency situations or maintenance tasks that require access to safes outside of the normal working hours.  By default, the Vault Admins group has this authorization, as well as other administrative authorizations on the Vault 1 .

References :

1 :  Vault Member Authorizations

 To view recorded sessions through the PVWA without having auditor access, a user needs access to two specific safes: the  Recordings safe  and the  safe the account is in . The Recordings safe is where the PSM session recordings are stored, and users need permission to access this safe to view the recordings.  Additionally, users need access to the safe where the account associated with the recorded session is stored, as this is where the session details and permissions are managed 1 2 .

References :

CyberArk Docs - Configure video and text recordings 3

CyberArk Community - Viewing PSM recorded sessions 1

The server key and the public recovery key are required to be present in order to start the PrivateArk Server service. The server key opens the Vault, much like the key of a physical Vault. The public recovery key is part of the asymmetric recovery key that enables the Master User to log on to the Vault in case of a disaster. The server key and the public recovery key are usually stored on a removable media, such as a disk or CD, so that they can be safely secured in a physical safe. The recovery private key and the safe key are not needed to start the PrivateArk Server service. The recovery private key is only used for recovery purposes and the safe key is only used to access a specific safe that is defined with an external key.  References:   Server keys ,  Server Components

 A platform is a set of parameters that defines how CyberArk manages passwords and sessions for a specific type of account or system. To allow users to access a Linux endpoint, the platform needs to have a PSM-SSH connection component, which enables transparent connections to Linux machines using the SSH protocol. The PSM-SSH connection component is configured in the Master Policy and defines the settings for the PSM connection, such as the port, the authentication method, and the terminal type. If the platform is missing the PSM-SSH connection component, the users will not be able to click to connect to the Linux endpoint.  References :  Connection Components ,  PSM-SSH Connection Component

 It is possible to control the hours of the day during which a user may log into the vault by using the  Time Restrictions  feature. This feature allows administrators to define the days and times that users can access the vault. Users who try to log in outside the permitted hours will be denied access and receive a message informing them of the restriction. Time restrictions can be applied to individual users or groups of users.  References :

[Defender PAM eLearning Course], Module 3: Safes and Permissions, Lesson 3.3: User Management, Slide 7: Time Restrictions

[Defender PAM Sample Items Study Guide], Question 2: Time Restrictions

[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide, Chapter 4: Managing Users and Groups, Section: Time Restrictions

The purpose of the CyberArk Event Notification Engine service is to send email notifications about Privileged Access Security solution activities automatically to predefined users. It is installed automatically as part of the Vault server installation as a service. The Event Notification Engine (ENE) can be configured to send email notifications for various events, such as password changes, password verifications, account onboarding, account deletion, audit reports, alerts, and more.  The ENE can also support encrypted and authenticated email notifications, as well as high availability implementations 1 .  References :

Event Notification Engine - CyberArk , section “Event Notification Engine”

 The “click to connect” button is a feature that allows users to connect to target systems without entering their credentials manually. It is also known as EPV transparent connections or PSM transparent connections. To activate this feature, you need to enable the  Allow EPV transparent connections  parameter in the Master Policy. This parameter determines whether users can use the “click to connect” button to initiate a privileged session from the PVWA. If the parameter is set to Active, the button is enabled and users can connect to target systems with one click. If the parameter is set to Inactive, the button is disabled and users need to copy the credentials and paste them in the target system login screen.  References :  Connect and configure - CyberArk ,  How to enable/disable Connect button in PVWA console - force.com

When adding accounts from a file, certain properties are mandatory to ensure that the accounts can be properly managed within the CyberArk Privileged Access Security system. The  Safe Name  is required to determine where the account will be stored. The  Platform ID  is necessary to apply the correct management policies to the account.  Additionally,  all required properties specified in the Platform  must be included to meet the specific requirements for account management as defined by the platform configuration 1 .

References :

CyberArk’s official documentation on adding multiple accounts from a file, which outlines the mandatory information needed for each account, including Safe Name, Platform ID, and other required properties based on the account’s policy requirements 1 .

 When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online, if the AllowFailback setting is set to “yes” in the padr.ini file. The padr.ini file is the configuration file for the Disaster Recovery application, which enables the DR Vault to replicate data from the Primary Vault and take over its role in case of a failure. The AllowFailback setting determines whether the DR Vault will automatically switch back to the passive mode when the Primary Vault is restored.  The default value of this setting is “no”, which means that the DR Vault will remain active until a manual failback is performed 1 .  To enable the automatic failback, the setting must be changed to “yes” and the padr service must be restarted 1 .  The dbparm.ini file is not relevant to this setting, as it is the main configuration file for the Vault database 2 .  References :

Configure the DR Vault - CyberArk , section “AllowFailback”

DBParm.ini - CyberArk , section “Main parameters”

 Dual Control is a feature that allows you to set up a workflow for approving access requests to sensitive accounts. You can configure up to two levels of authorization for each account, meaning that you need up to two different authorizers to approve the request before the user can access the account. The authorizers can be either users or groups, and they can have different approval methods, such as email, SMS, or CyberArk interface.  References:

[Defender PAM] course, Module 5: Privileged Session Management, Lesson 5.2: Dual Control

[Defender PAM Sample Items Study Guide], Question 31

[CyberArk Documentation], Dual Control

The Interval setting in a CPM policy is used to control how often the CPM looks for System Initiated CPM work, such as password changes, verifications, and reconciliations. The Interval setting defines the frequency, in minutes, that the CPM will check the accounts that are associated with the policy and perform the required actions. For example, if the Interval is set to 60, the CPM will check the accounts every hour and change, verify, or reconcile the passwords according to the policy settings. The Interval setting does not affect User Initiated CPM work, such as manual password changes or retrievals, which are performed immediately upon request. The Interval setting also does not control how long the CPM rests between password changes or the maximum amount of time the CPM will wait for a password change to complete. These parameters are configured in the CPM.ini file, which is stored in the root folder of the < CPM username > Safe.  References :

[Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM Policies, Slide 9: CPM Policy Settings

[Defender PAM Sample Items Study Guide], Question 4: CPM Policy Settings

[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide, Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Interval

The address field of an Account is used to identify the target system where the Account is located. The CPM uses this address to connect to the target system and perform password management operations. Therefore, the address field can be any name that is resolvable on the CPM server, such as a FQDN, an IP address, a NetBIOS name, or a custom name defined in the hosts file of the CPM server.  References :

Defender PAM Sample Items Study Guide, page 9, question 91

CyberArk Privileged Access Security Implementation Guide, page 75, section “Address”

 The Export Vault Information utility is a CyberArk tool that allows you to create lists of Master Policy settings, owners and safes for output to text files or MSSQL databases. This utility can be used to export various types of information from the Vault, such as accounts, safes, platforms, policies, users, groups, and audit records. The utility can also generate reports based on predefined templates or custom queries. The utility can be run from the command line or the graphical user interface.  References :  Export Vault Information ,  Export Vault Information Utility

The PTA can perform automatic password change as a type of remediation in case of a suspected credential theft security event.  According to the CyberArk documentation 1 , " Rotate credentials - for OverPass the Hash attack and Suspected credentials theft events. " 1  This means that the PTA can initiate a password change request to the CPM for the affected account, which will generate a new random password and update it on the target system and the Vault. This way, the PTA can prevent the attacker from using the stolen credentials to access the target system or launch further attacks.  References :

Configure PTA Remediations - CyberArk , section “Remediation Initiation”

 When managing SSH keys, the CPM stores the public key on the target server. The CPM generates a new random SSH key pair and updates the public SSH key on the target machine. The public SSH key is stored in the home directory of the privileged user on the target machine, usually in the file  ~/.ssh/authorized_keys . The public SSH key is not stored in the Vault, as this would be redundant and unnecessary. The public SSH key cannot be generated from the private key, as this would defeat the purpose of asymmetric encryption.  References :

Manage SSH Keys

SSH Key Manager

Use SSH Keys

The time access restrictions for a safe are configured in the PrivateArk Administrative Client, which is a graphical user interface that allows users to manage safes and their properties. The time access restrictions are set in the  Time Access Restrictions  tab of the Safe properties window. This tab enables users to specify the days and hours when the safe can be accessed. If the time access restrictions are turned off, the safe can be accessed at any time.  References :  PrivateArk Safe management ,  Advanced Safe Management

 A service account platform is a type of platform that defines how CyberArk manages passwords for service accounts, which are accounts that run applications or services on remote machines. A usage is a configuration that allows CyberArk to manage passwords for files, such as XML or INI files, that are stored on remote machines. A usage is associated with a parent account, which is the account that has access to the file. A usage can be added as a service account platform if the file contains the password of a service account. For example, IIS Application Pools is a usage that can be added as a service account platform, because it manages the passwords of the application pools that run on IIS servers. The other options, Kerberos Tokens, PowerShell Libraries, and Loosely Connected Devices, are not usages that can be added as service account platforms, because they do not manage passwords for service accounts.  References :  Usages ,  Service Account Platforms

 The  Privileged Accounts Inventory  report in PVWA includes a column that displays the  Age  of the password, which indicates the number of days since the password was created 1 . This information can be used to determine how many days are left until a password is due to expire, based on the password policy’s expiration settings.

References :

CyberArk’s official documentation on PVWA reports provides a list of available reports and their descriptions, including the Privileged Accounts Inventory report which contains details about password age and other relevant information 1 .

 To add an LDAP group to a CyberArk group, you need to use the Private Ark client and follow these steps 1 :

In the Users and Groups tree, select the CyberArk group that you want to add the LDAP group to.

In the Properties pane, click Member Of.

Click Add > LDAP Group.

In the LDAP Group dialog box, enter the name of the LDAP group and click OK.  References :  Add an LDAP group to a Vault group

The easiest way to duplicate an existing platform is to use the PVWA, which is the web interface that allows users to access and manage the CyberArk Defender PAM system. The PVWA has a platforms page that displays all the platforms that are available in the system, categorized by platform types. Users can duplicate an existing platform by selecting it, clicking the ellipsis button next to it, and then clicking Duplicate. This will create a copy of the platform with the same settings and properties, which can be customized according to the user’s needs. Users can name the new platform and save it in the system.  References :  Manage platforms - CyberArk

The correct process to install a custom platform from the CyberArk Marketplace involves downloading the platform package from the Marketplace and then importing it using the Privileged Vault Web Access (PVWA).  This process allows you to add new platforms that are not included in the default installation directly into the CyberArk Privileged Access Manager (PAM) - Self-Hosted 1 .

References :

CyberArk Docs - Add New Platforms 1

CyberArk Docs - Manage platforms 2

 A user with administrative privileges to the vault can grant other users privileges that he himself does not have, as long as he has the Authorize Users authorization on the Vault. The Authorize Users authorization enables a user to add or remove other users or groups as Vault members, and assign or revoke their authorizations. A user with this authorization can grant any privilege to any other user or group, regardless of his own privileges.  However, this authorization does not allow a user to change his own privileges or the privileges of other users who have the same authorization 1 .

References :

1 :  Vault Member Authorizations

The user that is automatically added to all Safes and cannot be removed is the Master user. The Master user is a predefined user that is created during the Vault installation and has full permissions on all Safes and accounts. The Master user is the only user that can perform certain tasks, such as creating other predefined users, managing the Vault configuration, and restoring the Vault from a backup.  The Master user cannot be deleted or modified by any other user, and is always a member of every Safe 1 2 .  References :

Predefined users and groups - CyberArk , section “Master”

Safes and Safe members - CyberArk , section “Safe members overview”

To store the Safes Data in a different drive, such as moving from Drive C to Drive D, you need to edit the  TSparm.ini  file. This file contains various parameters that configure the behavior of the Vault, including the location of the Safes Data.  By editing the  SafesDirectory  parameter in the  TSparm.ini  file, you can specify a new path for the Safes Data, effectively changing the storage location to the desired drive 1 .

References :

CyberArk’s official documentation on managing files and documents, which includes information on how to store files in different locations within the Vault 2 .

Knowledge articles on how to move the PSMRecordings safe or other Vault data to a different drive, which provide step-by-step instructions and mention the TSparm.ini file 1

The configuration file used by the CPM scanner when scanning UNIX/Linux devices is UnixPrompts.ini. This file is located in the CPM scanner installation folder and can be customized according to the UNIX/Linux machine’s specific configuration. The file contains parameters that define the prompts and paths for various commands and files used by the CPM scanner, such as login password, sudo password, sudo error, passwd file, group file, shadow file, and sudoers file.  References :  Configure the CPM Scanner ,  CPM Scanner parameters file (CACPMScanner.exe.config)

To ensure that Windows Domain password changes occur outside of business hours, the settings that must be updated are found in the  Master Policy  under the  Account Change Window  section. Here, you can specify the  ToHour  and  FromHour  to define the time frame outside of which the passwords should be rotated.  This setting allows you to control when password changes can occur, ensuring that they do not interfere with business operations by taking place during non-business hours 1 .

References :

CyberArk Docs - Set password policies

 PSM for Windows supports connections to various types of target systems, including Windows, UNIX, Oracle, and others. PSM for Windows uses different connection components to establish and manage the sessions, depending on the type and protocol of the target system. For example, PSM-RDP is used for Windows systems, PSM-SSH and PSM-Telnet are used for UNIX systems, PSM-Toad and PSM-SQLPlus are used for Oracle databases, and so on.  References:

PSM for Windows

Connect through Privileged Session Manager for Windows

Supported connection components

Security Admins are the built-in group that can view and configure Automatic Remediation and Session Analysis and Response in the PVWA. These features are part of the Privileged Threat Analytics (PTA) module, which is designed to detect and respond to anomalous activities and risky behaviors in the privileged environment. Security Admins have the permissions to access the PTA settings and configure the policies and actions for Automatic Remediation and Session Analysis and Response.  References:

Defender PAM Sample Items Study Guide, page 18, question 49

Privileged Threat Analytics Implementation Guide, page 9, section “Security Admins”

BackupFilesDeletion=No

PARestore vault.ini operator /FullVaultRestore

CAVaultManager RecoverBackupFiles

CAVaultManager RestoreDB

BackupFilesDeletion=Yes,24,1,5,7d

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Restoring-Safes-or-the-Vault.htm

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Using-Logon-Accounts-for-SSH-and-Telnet-Connections.htm?Highlight=logon%20account

The Password Upload utility can be used to create safes, as well as password objects, folders, and platforms. The Password Upload utility works with the CyberArk Password Vault to create password objects from a passwords list and store them in the Vault. This enables you to upload large numbers of passwords automatically and makes the Vault implementation process quicker and more automatic. The Password Upload utility initiates the Vault environment required to store passwords in the safe and start working with them.  This includes creating new safes, adding the CPM user as a safe owner, and sharing the safe with the Password Vault Web Access 1 .  References :

1 :  Password Upload Utility

Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI) by using the User Type property. The User Type property is a parameter that can be configured in the User Management settings for each user. The User Type property defines which interfaces the user can access the Vault through, such as PVWA, PrivateArk Client, PACLI, PSM, etc. The User Type property is determined by the CyberArk license and can be assigned to users when they are added to the Vault or when their properties are updated. For example, if a user is assigned the User Type of EPVUser, they can access the Vault through PVWA, PrivateArk Client, PrivateArk Webclient, PACLI, and PIMSU.  However, if a user is assigned the User Type of BizUser, they can only access the Vault through PVWA 1 . Therefore, by using the User Type property, administrators can control and restrict which CyberArk interfaces the users can use.  References :

1 :  Manage users , Types of users subsection

It is possible to restrict the time of day, or day of week that a verify process can occur by using the  Verify Time Window  parameter in the  Platform Management  page. This parameter allows the administrator to define a time window for each platform, during which the verify process can be performed. The verify process will not run outside of this time window, unless it is manually initiated by the administrator. This feature can help reduce the load on the target systems and the network during peak hours.  References :

[Defender PAM Course], Module 4: Managing Accounts, Lesson 2: Account Verification, Slide 8: Verify Time Window

[Defender PAM Documentation], Version 12.3, Administration Guide, Chapter 4: Managing Platforms, Section: Verify Time Window

When an authentication failure for the DR user is noticed in the ITALog, the correct process to fix this error involves two steps. First, you need to update the password for the DR user. This is done through the PrivateArk Client by navigating to  Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password . After updating the password, the next step is to create a new credential file on the DR Vault using the  CreateCredFile  utility with the newly set password.  This ensures that the DR Vault has the updated credentials necessary for the DR user to authenticate successfully 1 2 .

References :

CyberArk’s official documentation on troubleshooting authentication issues, which includes steps on updating user passwords and creating new credential files 1 .

Community discussions and support articles on resolving DR user authentication failures, which provide practical insights and recommended actions 2

 Users who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, do not need to request approval to use the account. The ‘Access Safe without confirmation’ safe permission is a special permission that allows a user to bypass the Dual control mechanism and access the accounts in the safe without requiring confirmation from other authorized users. This permission can be useful for emergency situations or trusted users who need immediate access to the accounts.  However, this permission also increases the risk of unauthorized or malicious access, so it should be granted with caution and monitored closely 1 .

References :

1 :  Access without confirmation

According to the web search results, the diamond.log is the main log file that records the PTA system activities, such as receiving and processing events, generating alerts, and sending notifications 1 .  The diamond.log also contains information about errors related to PTA, such as connection failures, configuration issues, parsing problems, or internal exceptions 2 .  The diamond.log can be found in the /opt/tomcat/logs directory on the PTA machine 1 .  The debug level of the diamond.log can be changed using the changeLogLevel.sh utility or manually editing the log4j.properties file 1 .  The diamond.log can be used for troubleshooting PTA issues and viewing statistics

 One Time Passwords (OTPs) are passwords that are valid for only one use or a limited time period. The primary purpose of OTPs is to reduce the risk of credential theft, which is a common attack vector for hackers and malicious insiders. By using OTPs, the exposure of the credentials is minimized, and the attacker cannot reuse the stolen password to access the target system. OTPs also enhance the security of the authentication process, as they add an extra layer of verification to the user’s identity.  OTPs can be generated by various methods, such as SMS, email, hardware tokens, software tokens, etc 1 .

The other options are not the primary purpose of OTPs, because:

B. More frequent password changes. This is not the primary purpose of OTPs, but a consequence of using them. OTPs require more frequent password changes, as they expire after one use or a limited time period. However, this is not the main goal of using OTPs, but rather a means to achieve the goal of reducing the risk of credential theft.

C. Non-repudiation (individual accountability). This is not the primary purpose of OTPs, but a benefit of using them. Non-repudiation means that the user cannot deny performing an action or accessing a resource, as there is sufficient evidence to prove their identity and activity. OTPs can help achieve non-repudiation, as they are unique and personal to each user, and can be traced back to the user’s device or account. However, this is not the main goal of using OTPs, but rather an advantage of using them.

D. To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization. This is not the primary purpose of OTPs, but a feature of using them. OTPs can help prevent unauthorized access to privileged accounts, as they require the user to have both the OTP and the regular password to access the target system. This means that no single actor can use the password without authorization, as they would need the cooperation of another actor who has the OTP. However, this is not the main goal of using OTPs, but rather a capability of using them.

References :

1 :  One-time password

To configure a PSM host to use the HTML5 Gateway from the PVWA, you would typically follow these steps:

Log into the PVWA  with an administrative user.

Navigate to  Administration > Options .

Right-click on  Privileged Session Management  and select  Add Configured PSM Gateway Servers .

Right-click  Configured PSM Gateway Servers , then  Add PSM Gateway Server .

Select the newly added gateway server and enter a unique ID for the PSM HTML5 Gateway.

Expand the newly created gateway server and enter the necessary configuration details.

Please note that these steps are based on general procedures for configuring a PSM host with an HTML5 Gateway and should be verified against the official CyberArk documentation or by a qualified CyberArk professional.  For detailed instructions and best practices, refer to the CyberArk documentation 1 2 3 .

A Reconcile Account is not specified in the Master Policy, but in the Platform settings. The Master Policy defines the general password management settings for all the accounts in the Vault, such as the frequency of password rotation and verification. The Platform settings define the specific password management settings for each type of target system, such as the password complexity and the Reconcile Account.  References :

Defender PAM course, Module 2: Password Management, Lesson 2: Master Policy and Platforms, slide 8

Defender PAM course, Module 2: Password Management, Lesson 3: Reconcile and Logon Accounts, slide 2

Defender PAM Sample Items Study Guide, Question 37

CyberArk Privileged Access Security Documentation, Password Management - Master Policy

CyberArk Privileged Access Security Documentation, Password Management - Platforms

The CyberArk marketplace is a platform that simplifies delivery of privileged access security solutions, such as CyberArk Privileged Account Security Solution. It features the industry’s broadest and deepest portfolio of technology integrations, including platforms for various types of accounts. Customers can find and deploy integrations with CyberArk Marketplace in as little as four clicks. If there is no platform that meets the customer’s needs, they can request a custom platform from CyberArk or create their own using the Platform Development Kit (PDK).  References :  CyberArk Marketplace ,  Platform Development Kit

This configuration ensures that privileged sessions are monitored and isolated, and all session activities are recorded and saved for future reference  1 .

Retrieve accounts/files : Required

List accounts/files : Required

View audit : Required

Access Safe without confirmation : Not Required

Create Folders : Not Required

Comprehensive Explanation : To allow a group to view recordings in a recording safe, the required authorizations are  Retrieve accounts/files ,  List accounts/files , and  View audit . These authorizations enable the group members to access and view the session recordings stored within the safe. The  Retrieve accounts/files  permission allows users to retrieve files during PSM sessions. The  List accounts/files  permission enables users to see the list of accounts and files within the safe.  The  View audit  authorization is necessary for users to view the audit records associated with the recordings 1 .

References :

CyberArk Docs - Monitor Privileged Sessions

 Changes to the REST API that could cause existing scripts to fail include  removing parameters . When parameters are removed from an API, scripts that rely on those parameters being present may no longer function correctly because they expect certain data to be available.  This can lead to errors or unexpected behavior in the scripts that use the API 1 .

References :

CyberArk Docs: REST APIs 1

According to the web search results, when a DR Vault Server becomes an active vault, it will not automatically revert back to DR mode once the Primary Vault comes back online.  The Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file 1 .  This file is located in the /opt/CARKaim/conf directory on the DR Vault machine 2 .  The Vault administrator must also stop the replication process on the DR Vault and restart the PrivateArk Server service 1 .  This procedure is known as a DR failback, which restores the original roles of the Primary Vault and the DR Vault after a failover 1 .  The AllowFailback setting in the padr.ini file does not affect the DR failback process, as it only determines whether the DR Vault can be used as a backup for another DR Vault in a cascading DR scenario 3 . The dbparm.ini file is not relevant for the DR failback process, as it contains the database parameters for the Vault server.  References :

Initiate a DR failback to the Production Vault - CyberArk

Install the Disaster Recovery application - CyberArk

Cascading DR - CyberArk

[dbparm.ini file - CyberArk]

To configure CyberArk to use HTML5 gateways exclusively for PSM connections, you need to set the DefaultConnectionMethod to HTML5 in the PVWA.  This is done by logging in to the PVWA with an administrative user, navigating to  Options > Privileged Session Management UI , and setting the DefaultConnectionMethod to HTML5 1 .  This configuration ensures that HTML5 sessions are triggered only for PSM machines associated with the HTML5 Gateway 1 .

References :

CyberArk Docs - Secure Access with an HTML5 Gateway 1

Being a member of the Vault Admins group does not automatically grant you any permission on any safe that you have access to. The Vault Admins group is a predefined group that is created during the installation or upgrade of the vault.  This group has the Vault Admin authorization, which allows its members to perform administrative tasks on the vault, such as managing users, groups, platforms, policies, and safes 1 .  However, this authorization does not include any safe member authorizations, such as View, Retrieve, Use, or Manage Safe 2 . Therefore, to grant any permission on a safe, you need to be added as a safe member with the appropriate authorizations, either directly or through another group. The Vault Admins group can be added to safes with all safe member authorizations, but this is not done automatically for all safes.  By default, this group is only added to a number of system safes, such as the Password Manager Safe, the PVWAConfig Safe, and the Notification Methods Safe 3 .  For other safes, the Vault Admins group can be added manually by the safe owner or another user with the Manage Safe authorization 4 .  References :

1 :  Predefined users and groups , Predefined groups subsection

2 : [CyberArk Privileged Access Security Implementation Guide], Chapter 3: Managing Safes, Section: Safe Authorizations, Table 2-1: Safe Authorizations

3 :  What default groups can be automatically added to Safes when they are created?

4 : [CyberArk Privileged Access Security Administration Guide], Chapter 3: Managing Safes, Section: Adding Safe Members

 In CyberArk’s Privileged Access Management (PAM), when an account cannot change its own password, setting the parameter  IgnoreReconcileOnMissingAccount  to  No  ensures that the reconcile account is used for password reset. This is because the reconcile account has the necessary permissions to reset the password when the primary account cannot do so.  References : The information provided is based on general knowledge of CyberArk PAM best practices and is not taken from any specific CyberArk Defender PAM course or learning resources.

When building a connector to connect to a website through the Web applications for PSM framework, you would duplicate and modify the default connector  PSM-WebAppSample . This sample connector serves as a template that can be customized to fit the specific requirements of the web application you are targeting.  It provides a starting point with predefined settings that can be adjusted to create a new, functional connector for the desired web application 1 2 .

References :

CyberArk Docs - Web applications for PSM 2

CyberArk Docs - Configure PSM to connect to Web applications 1

Vault keys should be rotated when there is a significant event that could potentially compromise the security of the keys, such as when migrating to a new data center. This is because the keys may be exposed to new environments and systems, and rotating them ensures that any potential exposure does not result in a security breach.  Additionally, periodic rotation of encryption keys is recommended to maintain the integrity of the encryption and to adhere to best practices for security 1 .  References :

CyberArk Docs: Credentials Rotation Policy 2

HashiCorp Developer: Key Rotation

A user with the appropriate permissions can generate a report in the  PVWA (Privileged Vault Web Access)  under the  Reports  section 1 . Users who belong to the group specified in the  ManageReportsGroup  parameter in the Reports section of the Web Access Options in the System Configuration page are able to generate reports in the PVWA.  By default, this group is the  PVWAMonitor  group 1 .  Additionally, reports can be generated using the  PrivateArk Client , which is a desktop application that provides a direct interface to manage the CyberArk Vault and its contents, including the generation of reports 2 .

References :

CyberArk Docs - Reports in PVWA 1

CyberArk Docs - Generate the Report 2

 The newly configured directory mapping can be tested by searching for members that exist only in the mapping group to grant them safe permissions through the PVWA (Privileged Vault Web Ac cess).  This process allows you to verify that the directory mapping is functioning correctly by ensuring that only the intended users, who are part of the specific Active Directory group, are granted access to the safes in the CyberArk Vault 1 2 .

References :

CyberArk Docs - Create directory mapping 1

CyberArk Docs - Edit directory mapping 3

CyberArk Docs - LDAP Integration in PVWA

According to the web page in the edge browser, the vault supports Subnet Based Access Control. This is a feature that allows you to restrict access to a key vault to a specified virtual network and subnet. You can also use firewall settings to deny internet traffic and allow only specific IP addresses.  This way, you can enhance the security and privacy of your key vault data 1 2

The platform configuration defines the password management settings for each type of account, such as the password complexity, rotation frequency, verification method, and reconciliation options. You can set the regulatory requirement for password rotation in the platform configuration by specifying the number of days in the  Password Change Interval  parameter. This parameter determines how often the CPM will change the passwords of the accounts that are associated with the platform. For example, if you set the Password Change Interval to 90, the CPM will change the passwords every 90 days.  References :  Credentials Rotation - CyberArk ,  How do I manage or change passwords stored in CyberArk?

CyberArk Hardened Windows Firewall - > Running

PrivateArk Database - > Running

PrivateArk Server - > Stopped

CyberArk Vault Disaster Recovery - > Running

CyberArk Event Notification Engine - > Stopped

  Comprehensive Explanation : A DR Vault is a Vault that acts as a standby replica of the Primary Vault and is ready to take its place when the Primary Vault is unavailable. The DR Vault operates in Replication mode, which means it continuously replicates the data and metadata from the Primary Vault. In Replication mode, the following services have the following status on the DR Vault:

Cyber-Ark Hardened Windows Firewall: This service provides firewall protection for the Vault server. It should be running on the DR Vault to ensure security.

PrivateArk Database: This service manages the database that stores the metadata of the Vault. It should be stopped on the DR Vault, because the database is not active in Replication mode. The database is only activated when the DR Vault switches to Production mode.

PrivateArk Server: This service manages the Vault server and its communication with other components. It should be stopped on the DR Vault, because the Vault server is not active in Replication mode. The Vault server is only activated when the DR Vault switches to Production mode.

CyberArk Vault Disaster Recovery: This service manages the replication process between the Primary Vault and the DR Vault. It should be running on the DR Vault to ensure data synchronization and readiness for failover.

Cyber-Ark Event Notification Engine: This service manages the event notifications and alerts for the Vault. It should be stopped on the DR Vault, because the event notifications are not relevant in Replication mode. The event notifications are only activated when the DR Vault switches to Production mode.

References :  Primary-DR environment - CyberArk ,  Replicate the Primary Vault to the Satellite Vaults - CyberArk

To support LDAP over SSL, the Vault requires the CA Certificate(s) that were used to sign the certificate of the External Directory. This is necessary to establish a trusted SSL connection between the Vault and the External Directory.  The CA Certificate(s) must be imported into the Windows certificate store on the Vault machine to facilitate this SSL connection 1 .  References : The information provided is based on general knowledge of CyberArk PAM best practices and the requirements for configuring LDAP over SSL as outlined in CyberArk’s official documentation 1 .

 Non-repudiation in the context of CyberArk Master Policy settings refers to the assurance that a user cannot deny the validity of their actions. The settings that ensure non-repudiation are those that enforce accountability and traceability of actions.  Enforcing check-in/check-out exclusive access  ensures that only one user can access an account at a time, and their actions can be traced back to them Enforcing one-time password access  means that passwords are used only once and then changed, which prevents the reuse of credentials and ties actions to specific instances of access 1 2 .

References :

CyberArk Docs: Master Policy Rules 2

CyberArk Docs: The Master Policy 1

To enable access over SSH to a Unix account through both Privileged Session Manager (PSM) and Privileged Session Manager Proxy (PSMP), the platform must contain the necessary connection components for both PSM-SSH and PSMP-SSH.  This ensures that the system can handle SSH connections through PSM for a native user experience and through PSMP for secure, transparent connections to remote systems 1 2 .  References :

CyberArk Docs: Connect through PSM for SSH 1

CyberArk Docs: Connect to Unix machines (using PSM for SSH) 2

Verify Server Address : Ensure that the  address field  is populated with the correct  IP or FQDN  for each server (Option A).

Check PSM Settings : Confirm that the correct  PSM connection component  is specified within the  account platform settings  (Option B).

Automatic Management : Check if the “Disable automatic management for this account” setting is  not enabled  (Option E).

These steps should help in troubleshooting the connection issue in the CyberArk Privileged Access Management (PAM) solution.

 In the PrivateArk client, to update users’ Vault group memberships, you use the  Member Of  tab. After logging in as an administrative user and navigating to the Users and Groups window, you select a user and click  Update .  In the  Member Of  tab, you can manage the user’s group memberships by adding or removing them from groups within the Vault 1 .

References :

CyberArk Docs - Manage users in PrivateArk client 1

 The PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, regardless of the session method. The PTA can suspend sessions that are made via the PSM, the PVWA, or directly to the target system. The PTA can also suspend sessions that are made via SSH, RDP, or other protocols.  References :

Defender PAM Sample Items Study Guide, page 24

PTA User Guide, page 17