Standard Questions Flashcards

(55 cards)

1
Q

What can’t CyberArk overcome?

  • Penetration
  • Recon
  • Lateral Movement
  • Privilege Escalation
A

Penetration

2
Q

What port does the Vault use to communicate?

A

TCP 1858

3
Q

What is PACLI?

A
The PrivateArk Command Line Interface (PACLI) enables CyberArk Vault users to access the Vault server from any location using an intuitive command-line environment. Typical uses:
• Bulk adding users
• Adding safes
• Modifying properties
• Any other scripting usages
4
Q

The PrivateArk Client can be installed on any station with access to the Vault.

A

True

5
Q

The Vault Central Administration station can be installed on any station with access to the Vault.

A

False: Only available on Vault server

6
Q

What is RCC? Why is it used/better? What port does it use?

A

Remote Control Client: executes tasks on the Vault via the Remote Control Agent, so RDP to the Vault server is no longer needed. Uses port 9022.

7
Q

Difference between users and accounts?

A

Users: people who have been granted access to the system; they use the accounts and passwords.
Accounts: privileged accounts whose passwords are stored in the Vault, such as a Domain Admin account.

8
Q

Applications and CyberArk components are also users who access accounts.

A

True

9
Q

Difference between internal and transparent users and groups?

A

Internal: built-in (automatically created) or manually added in the Vault.
Transparent: users and groups that are automatically provisioned from an external directory (LDAP).

10
Q

What will happen if you delete a transparent user within CyberArk?

A

It will be automatically re-created upon login if it still exists within AD and matches the mapping criteria.

11
Q

What is the Master user? How can you change the password?

A

The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed.
To change the Master user password, log in as the Master user and click User -> Set Password.
The Master user can only change the Master user password.

12
Q

Requirements to log in with the Master User? In what file are these stored?

A

-PrivateArk Client
-Master Password
-Master CD (RecPrvKey)
-Vault console or an emergency console (defined as EmergencyStationIP)
The last two are defined in the dbparm.ini file.

13
Q

Where are users stored? How is user management done (such as creating users)? Is it recommended that you manage your users with an external LDAP directory, such as Active Directory?

A

Stored: Vault database
User management: PrivateArk Client
Yes

14
Q

What is a Directory Map? Explain the two kinds.

A

A Directory Map determines whether a User Account will be created in the Vault, and the roles it will have.
• User Mapping – allows for authentication and defines the user’s attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.

15
Q

Explain: AutoSyncExternalObjects=Yes,24,1,5

A

Parameter in dbparm.ini that determines if, how often, and when the Vault’s external users and groups will be synchronized with the External Directory (LDAP).
Yes –> Will sync the Vault with the External Directory.
24 –> The number of hours in one period cycle.
1,5 –> The hours during which the sync will take place.

16
Q

Difference between Safe and Vault authorizations?

A

Vault authorizations:
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Defined only via the PrivateArk Client.

Safe authorizations:
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or the PVWA.

17
Q
The list of groups that are added automatically to newly created safes is controlled by a parameter in the X file.
A

dbparm.ini

18
Q

When a user matches several directory mappings, which mapping determines their rights first?

A

Lower directory mapping number

19
Q

What is Access Control applied to?

A

Safes –> Use this account…

20
Q

How many objects can be stored in a safe? How many does CyberArk recommend?
How many characters can a safe name be?
How do we apply least privilege?

A

20k
3-5k
28
Avoid situations where providing a user access to a Safe allows them to access accounts they don’t need to access. For example, you may want to configure separate Safes for Windows Desktop Accounts, Windows Local Administrators, and Windows Domain Accounts.

21
Q
What is the right workflow for creating policies and accounts? Put these steps in order:
• Add Accounts
• Review/Edit Master Policy
• Create Platforms
• Create Safes
• Add exceptions to Master policy based on Platforms
A
1. Review/Edit Master Policy
2. Create Platforms
3. Add exceptions to Master policy based on Platforms
4. Create Safes
5. Add Accounts
22
Q

On what level do you set technical settings for passwords and exceptions?

A

Platform level.

23
Q

On what level do you set global policy settings / a baseline?

A

Master policy

24
Q

Privileged Access Workflow: explain each setting.

  • Require dual control access approval
  • Enforce check-in/check-out
  • Enforce one-time password access
  • Allow EPV transparent connections
  • Specify reason
A

-End users will need to request access to an account before connecting to a target system. Depending on advanced configuration, access authorization must be given by one or more managers.
-Only one user will be able to access and use an account at any given point in time. When a user checks out an account, it is locked and cannot be retrieved by other users until it is released by that user.
-Passwords are changed after each access. When a user retrieves an account, the CPM initiates a password change process that will occur automatically. Users get a minimum amount of time with the password before it changes.
-Enables end users to click the Connect button in the PVWA to access target devices without exposing the password to the end user.
-End users will have to enter some text to justify why they are accessing a particular target system.

25
Password Management: Require password change every X days; Require verification every X days. Will these be done automatically?
Require password change every X days determines the maximum number of days that can elapse between two password changes. Require password verification every X days ensures that passwords stored in the Vault are always synchronized with the passwords on the target systems. Note that Platform settings determine whether passwords will be changed/verified automatically for an account.
26
Session Management: -Require privileged session monitoring and isolation -Record and save session activity
-Require privileged session monitoring and isolation: this is the parameter that activates privileged session management. It is disabled by default.
-Record and save session activity: ACTIVE by default; instructs the PSM servers to upload recordings and session activity to the Vault.
27
Audit Management: -Activities audit retention period
-Determines how long the Vault will store the history of audit activities
28
What are 3 functions of a platform?
-Define the technical settings required to manage passwords. Examples: how long a password is, how complex it must be, etc.
-Point to the relevant plug-ins and connection components. Example: you log in differently to Windows machines than to Unix machines.
-Provide the basis for exceptions to the Master Policy.
29
Two types of platforms:
*Target Account Platforms:
-Define the technical settings required to manage accounts
• Used to define exceptions to the Master Policy
• Every account is associated with one platform
*Service Account Platforms
30
How many platforms can an account be associated with?
One (an account is not a user)
31
The technical settings for managing passwords can be found in the
Automatic Password Management
32
What is the purpose of deactivating platforms?
• Better administration: inactive platforms are hidden from users when they add accounts
• Better performance: the CPM does not manage inactive platforms
33
Is object level access control (OLAC) recommended by CyberArk?
No
34
Pros of the AllowedSafes option?
-You can limit the scope of a particular platform to only those Safes that match the regular expression pattern (e.g. Linux --> when adding an account, it can only be added to Safes whose names start with Linux)
-This will help improve the performance of the CPM
35
In how many safes can an account be? In how many platforms?
1
36
How does the password change of a root account on Unix work?
Log in with the logon account --> su to the root account --> change the password
37
How can the login account be set?
The logon account can be set on the individual account or via the Platform.
38
A ‘super user’ such as root should be used as a logon account
FALSE
39
Automatic reconciliation must be enabled for a reconcile account.
TRUE
40
Where are private keys stored?
In the vault
41
Where are public keys stored?
On the target server.
42
One private key can be used to access multiple systems
TRUE
43
SSH Keys need their own platform
True
44
SSH Keys need their own safe; they can't share a safe with passwords
False
45
You can rotate the SSH keys using the Change button, just like with passwords
TRUE
46
You can retrieve a copy of the private key and this can't be disallowed.
This can be disallowed.
47
What are dependents and usages?
Dependents are a sort of platform. Usages refer to instances where an account, which is created at the operating system or domain level, is also used to perform some task somewhere else.
48
What needs to be enabled to search for usages?
SearchForUsages
49
What sort of usages are there?
NON-DISCOVERABLE USAGES and DISCOVERABLE USAGES. Both need to be configured manually in the PVWA, but only non-discoverable usages need to be defined at platform level.
50
Can passwords in files be encrypted? How, and where is the encryption file stored?
Encryption Command – the encryption file can be stored in any location on the CPM machine.
51
What happens when a user has View and List permissions, but under Allow EPV connections the 'Allow users to view password' option is disabled?
The user will not be able to see the password.
52
What does 'Access Safe without confirmation' do?
Bypasses Dual Control
53
What does a MinValidityPeriod of 60 mean?
The password will be changed 60 minutes after it is accessed. During that time, other users are able to access the password. This is when OTP is enabled without Exclusive passwords.
54
Explain OTP and Exclusive passwords together and apart
Exclusive passwords
• When a user accesses a password, the account is locked; no other user can access the password until it has been released.
• The user must release the password manually.
• The password is changed automatically upon manual release.
One-time passwords
• After a user accesses a password, it is changed automatically based on the minimum validity period.
• Multiple users are able to access the password simultaneously.
• The minimum validity period is reset as each user accesses the password.
Exclusive and One-time passwords combined
• The account is locked to a single user; no other user can access it.
• If the user does not release the account manually, the system will release it automatically based on the Minimum Validity Period and change the password.
55
If the Request timeframe contains a specified time period, the password will only be changed by the CPM after the timeframe has expired, even though the MinValidityPeriod might be less. This applies only when dual control password access is enabled.
True