PAM-SEN Sample Questions Answers

The PrivateArk Server Service on the Vault.

The CyberArk Password Manager service on the Components Server.

The CyberArk Event Notification Engine Service on the Vault

The CyberArk Privileged Session Manager service on the Vault.

Recovery Time Objectives or Recovery Point Objectives are at or near zero.

Integration with an Enterprise Backup Solution is required.

Off site replication is required.

PSM is used.

TRUE

FALSE

Installing CPMs in multiple sites prevents complex firewall rules to manage devices at remote sites.

Multiple instances create fault tolerance.

Multiple instances increase response time.

Having additional CPMs increases the maximum number of devices CyberArk can manage

OpenSSH 7.8 or above is not installed.

The MFACaching parameter in the psmpparms file is not set to True.

A passphrase policy must be added.

MFA caching is not supported when the PSM for SSH is deployed with default settings.

Update PVWA.ini with new user name

Update Vault.ini with new user name

Create new user in PrivateArk

Rename user in PrivateArk

Create new cred file for user

Vault

CPM

PVWA

PSM

PrivateArk

OPM

AIM

saml.config

samlconfig.ini

PVWAConfig.xml

PVConfiguration.xml

PSM and PVWA

PSM and CPM

PVWA and Vault

Vault and PSM

c:\inetpub\wwwroot\passwordvault\web.config

c:\inetpub\wwwroot\passwordvault\services\web.config

c:\cyberark\password vault web access\env\web.config

c:\program files\cyberark\password vault web access\web.config

Smart card redirection is supported

It does not support connections to target system where NLA is enabled on the PSM server

SSH sessions cannot be established

Printer redirection cannot be enabled

It does not support session recording capabilities for applications that run outside a web browser

RSA SecurID Authentication (in PVWA) and LDAP Authentication

CyberArk Authentication and RADIUS Authentication

Oracle SSO (in PVWA) and SAML Authentication

LDAP Authentication and RADIUS Authentication

server.key

recpub.key

recprv.key

mdbase.dat

PSMConnect

PSMAdminConnect

PSM

The credentials the end user retrieved from the vault

It must not alter page content, or should include a mechanism to prevent pages from being altered. Most Voted

It must support “sticky sessions”. Most Voted

It must be able to digitally sign and issue certificates for PVWA servers.

It must be able to connect to all Vault and PVWA servers through Port TCP 443.

It must be configured with high-availability (HA) enabled.

by using a network load balancer Most Voted

in PVWA > Options > PSM for SSH Proxy > Servers

in PVWA > Options > PSM for SSH Proxy > Servers > VIP

by editing sshd.config on the all the PSM for SSH servers

maximum number of concurrent connections that can be opened between the CPM and the remote machines for the platform

maximum number of concurrent connections that can be between the PSM and the remote machines for the platform

maximum number of concurrent connections allowed for a specific account on the platform through the PSM

maximum number of concurrent connections to the Vault allowed for sending audit activities relating to the platform

DBparm.ini and CAVaultManager.exe

VaultKeys.ini and CAVaultManager.exe

DBparm.ini and ChangeServerKeys.exe

VaultKeys.ini and ChangeServerKeys.exe

TRUE

FALSE

To test that CyberArk is storing accurate credentials for accounts.

To change the password of an account according to organizationally defined password rules

To allow CyberArk to manage unknown or lost credentials.

To generate a new complex password.

TRUE

FALSE

In the CYBRWINDAD platform, under Automatic Password Management/General, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN). Most Voted

In the settings for Configuration/CPM assigned to the WINDEMEA and WINDEMEAADMIN safes, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEAADMIN).

In the CYBRWINDAD platform, under UI&Workflows/Properties/Optional, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN).

Modify cpm.ini on the relevant CPM/s and add the setting AllowedSafesCYBRWINDAD and set to (WINDEMEA)|(WINDEMEAADMIN).

APIKeyManager Utility Most Voted

CreateCredFile Utility Most Voted

CPMInDomain_Hardening.ps1

PMTerminal.exe

Data Execution Prevention

Copy the files to the Vault server and discard the CD.

Copy the contents of the CD to a Hardware Security Module and discard the CD.

Store the CD in a secure location, such as a physical safe.

Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder (secured with NTFS permissions} on the vault.

IdP “EntityID” and “PartnerIdentityProvider Name” in PVWA saml.config file

IdP “User name” and “SingleSignOnServiceUrl” in PVWA saml.config file

IdP “Audience” and “ServiceProviderName” in the PVWA saml.config file

IdP “Secure hash algorithm” and “Certificate” in the PVWA saml.config file

This setup is already fault tolerant.

Install more PVWAs in each data center.

Continuously monitor PVWA status and send users the link to another PVWA if issues are encountered.

Load balance all PVWAs under same URL.

Install two new PVWA servers in Tokyo data center, configure load balancing, connect to the local satellite Vault and provide the URL of new PVWA servers to the local employees.

Install two new PVWA servers in New York data center, configure load balancing and have them connect to the satellite Vault in Tokyo.

Install two new PSM servers in the Tokyo data center, configure load balancing, connect to the local satellite vault, and inform the local employees to browse using the same PVWA URL.

Change the current distributed Vaults architecture, migrate back to a Primary-DR architecture, install two new PVWA servers in the Tokyo data center and configure load balancing. Connect to the local DR Vault and provide the URL of new PVWA servers to the local employees.

DR

Backup

Operator

Auditor

PTA

PSM

PVWA

EPM

Remove IIS settings which can be considered security vulnerabilities.

Validate that the PSM is ready to be placed behind a load balancer.

Confirm that the Windows Services for PSM are running on the server.

Ensure that the AppLocker script does not have any syntax errors.

Configure the Kerberos authentication method on the default IIS Application pool

Check that the server IP address is correctly configured and that it is static

In the Network Connection properties, configure Preferred DNS Servers

Install Microsoft Windows patch KB4014998

Create a local user and add it to the PSMMaintenance Group.

Create a local user called proxymng.

Create a local user and add it to group configured for the parameter AllowGroups in the /etc/sshd_config file

Create a local user, called psmpmng.

performs IIS hardening

configures all group policy settings

renames the local Administrator Account

configures Windows Firewall

imports the CyberArk INF configuration

Administration Options > CPM Settings

AllowedSafe Parameter on each platform policy

MaxConcurrentConnection parameter on each platform policy

Administration > Options > CPM Scanner

LDAP and RADIUS Most Voted

CyberArk and RADIUS

SAML and Cyber Ark

SAML and RADIUS

SNMPHostIP Most Voted

SNMPTrapPort

SNMPCommunity

SNMPVersion