Pass the CyberArk Defender PAM-DEF Questions and answers with CertsForce

 SSH keys are a way to authenticate to a target machine with a privileged account, and are subject to the same risks and challenges as privileged passwords. CyberArk provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys, which simplifies and automates SSH keys lifecycle management. This platform works as follows:

CyberArk stores the private keys in the Vault, where they benefit from all the security and accessibility features of the Vault, such as encryption, auditing, and backup.

CyberArk updates the public keys on the target systems, using a parent account that has access to the file that contains the public key, such as ~/.ssh/authorized_keys. CyberArk can generate new random SSH key pairs and update the public keys on the target systems according to the organizational policy, such as after a single use, after a predefined period, or manually.

CyberArk can also verify that the private and public keys are synchronized, and reconcile them if they are not, using a reconcile account that can reset the SSH key pairs on the target systems.

References: Manage SSH Keys, Use SSH Keys

 The Master Policy in CyberArk defines the behavior of one-time passwords and exclusive accessExclusive access ensures that only one user can check out an account at any given time, effectively locking the account during its use to prevent simultaneous access1. On the other hand, one-time password functionality is designed to change the account’s password after it is used, based on a timer set by the MinValidityPeriod parameter in the policy file. This means that once the password is checked out and the timer expires, the Central Policy Manager (CPM) will change the password2. These settings are often used together to maintain accountability and security for the usage of shared privileged accounts. References:

CyberArk Docs: One-time passwords and exclusive accounts1

CyberArk Knowledge Article: CPM: What is the difference between “One Time” and “Exclusive” passwords?2

 To restore DR replication to normal after network activity caused the PrivateArk Server on the DR Vault to become active while the Primary Vault was also running, you should first shut down the PrivateArk Server on the DR Vault. This ensures that the DR Vault is no longer active and can be prepared for replication. After shutting down the server, you should then start the replication process on the DR Vault to synchronize the data from the Primary Vault1.

References:

CyberArk’s official documentation on initiating a DR failback to the Production Vault provides a detailed procedure for restoring DR replication to normal1.

Additional information on monitoring backup and DR replications can be found in CyberArk’s documentation2.

For further study and understanding of the CyberArk Defender PAM course objectives and documents, the official CyberArk training resources and study guides are recommended3.

According to the web search results, when an auditor initiates a live monitoring session to PSM server to view an ongoing live session, the auditor’s machine makes an RDP connection to the PSM server using the PSMAdminConnect user. The PSMAdminConnect user is a local or domain user that starts PSM sessions on the PSM machine for authorized users who want to monitor or terminate active sessions1. The PSMAdminConnect user has limited permissions and access rights on the PSM server, and its credentials are managed by the CPM. The PSMAdminConnect user retrieves the credentials of the target account from the vault and uses them to establish a secure connection to the target machine. The auditor can then view the live session through the PSM session, while the PSM server records and audits the session activity.

 The best practice for storing the Master CD is to store it in a secure location, such as a physical safe. The Master CD contains the server key, the public recovery key, and the private recovery key, which are essential for starting, operating, and recovering the Vault. These keys are sensitive and should be protected from unauthorized access, loss, or damage. Therefore, storing the CD in a physical safe ensures that the keys are kept in a secure location when not in use, and that they are available when needed. This is the recommended option by CyberArk1.

The other options are not best practices and should be avoided, as they expose the keys to potential risks, such as theft, corruption, or deletion. Copying the files to the Vault server and discarding the CD is not secure, as it makes the keys accessible to anyone who can access the Vault server or compromise its security. Copying the contents of the CD to a Hardware Security Module (HSM) and discarding the CD is not feasible, as the HSM can only store the server key, not the recovery keys2. Storing the CD in a secure location, such as a physical safe, and copying the contents of the CD to a folder secured with NTFS permissions on the Vault is not necessary, as it creates redundant copies of the keys that may not be synchronized or updated. Moreover, NTFS permissions are not sufficient to protect the keys from malicious or accidental actions. References:

Server Keys - CyberArk, section “Server Keys”

Store the Server Key in an HSM - CyberArk, section “Store the Server Key in an HSM”

When a new domain controller is added to a domain, it is necessary to update the CyberArk infrastructure to ensure it can use the new domain controller for authentication. This involves updating the hosts file on the Vault server located at Windows\System32\Etc\Hosts to include the new domain controller’s details. Additionally, within the PVWA Application, you need to navigate to Administration > LDAP Integration > Directories > Hosts and update the information there as well. This ensures that both the Vault server and the PVWA Application are aware of the new domain controller and can authenticate against it1.

References:

CyberArk’s official documentation on configuring Active Directory integration, which includes details on setting up domain controllers for authentication2.

Information on adding Active Directory as a directory service in CyberArk Identity, which discusses the integration of domain controllers3.

Vault Authorizations

• Can be assigned only to users (not groups).

• Cannot be inherited via group membership.

• Defined only via the Private Ark Client.

Safe Auth

• Assigned to users and/or groups.

• Can be inherited via group membership.

• Can be defined in the Private Ark Client or PVWA

 To check that the LDAP binding is using TCP/636, you can use the Test-NetConnection cmdlet from the PVWA to connect to the domain controller on Port 636. This method allows you to verify that the LDAP service is listening on the secure port and that the connection can be established using SSL/TLS, which is typically associated with port 6361.

References:

CyberArk Docs - LDAP Integration2

CyberArk Knowledge Article - How to test outgoing LDAP external directory connectivity to the vault

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Security-Events.htm?TocPath=End%20User%7CSecurity%20Events%7C_____2#Permissions

 It is possible to leverage DNA to provide discovery functions that are not available with auto-detection. Auto-detection is a feature that enables the CPM to automatically discover and onboard accounts on target systems that are associated with a specific platform. Auto-detection can be configured in the Platform Management settings for each platform that supports this functionality. However, auto-detection has some limitations, such as requiring the CPM to have access to the target system, not supporting all platforms, and not providing comprehensive information about the accounts and their security risks1. DNA, on the other hand, is a standalone scanning tool that can discover and audit privileged accounts across the network, regardless of the platform or the CPM access. DNA can provide additional discovery functions, such as identifying machines vulnerable to Pass-the-Hash attacks, collecting reliable and comprehensive audit information, and generating reports and visual maps that evaluate the privileged account security status in the organization2. DNA can also be used before or independently of the CyberArk PAM solution, as it does not require agents to be installed on target systems2. References:

1: Auto-detection

2: CyberArk DNA Overview