CyberArk CDE Reviewer Notes
===============================
Operational Reports
1. Privileged Accounts inventory report - information about all the privileged
accounts in the system
Permission needed:
* List accounts
* View safe members
Audit/Compliance Reports
3. Privileged Accounts compliance status report - information about the CPM status
for each account
- validates compliance with the policy
Permission needed:
* List accounts
* View Audit
* Confirm safe request
* Member of the PVWA monitor group
* Member of the auditors group - to run the report for the entire Vault
===============================
1. Safes list
2. Owners list
3. Active/Non-active safes
4. License capacity report
5. Users list
6. Active/Non-active users
7. Entitlement report
===============================
1. List accounts
2. View safe members
3. Add accounts
4. Update account content
5. Update account properties
===============================
1. List accounts
2. View safe members
3. Retrieve accounts
4. Initiate CPM account management operations
===============================
PTA Logs
===============================
DBParm.ini - file for configuring the vault server to forward activity logs to a
SIEM or syslog server.
- file for adjusting the LDAP synchronization parameters, for setting the RADIUS
server
- file for adding new firewall rules
TSParm.ini - file for configuring the physical disks used to store vault data
Passparm.ini - file for configuring password policy for users of the vault
Basic_psm.ini - file that contains the information required to start the PSM.
==============================
1. Log on to the vault, navigate to server folder under the PrivateArk Install
location
2. Access the system safe from the PrivateArk client
===============================
Permissions in PVWA:
===============================
1. SQL commands
2. SSH Keystrokes
3. Windows titles
4. Universal keystrokes
===============================
1. Organizational structure
2. Security classification
3. Functional structure
4. Compliance requirements
5. Geographical structure
===============================
Failover procedure is triggered when the CPM detects one of the following events:
===============================
1. Collect
2. Detect
3. Alert
4. Respond
5. Automate
===============================
* Windows R2 or Windows 2016 with only Remote Desktop Services (RDS) Session Host
Role
* Remote Desktop Session Host (requires RDS CAL licensing)
===============================
1. PARagent.ini
2. PrivateArk Server Central Administration
===============================
1. Location of Access
2. Days of Access
3. Window Time for access
4. Time limits
===============================
• Phase Two:
- The CPM Scanner scans the devices for accounts and dependencies
- Then uploads them to the pending safe
===============================
Describe the two phases of the process with both Windows and Unix Accounts
Discovery.
* Phase One:
- Windows, Auto Discovery queries a directory container (like Active Directory) for
a list of machines
- Unix, a CSV file with the target IP addresses is uploaded to the system
* Phase Two:
- Using the list of machines generated in phase one, Auto Discovery will log into
each machine and discover accounts and dependencies
===============================
* Over pass-the-hash
* DC sync
* PAC attacks
* Golden ticket
===============================
1. Configuration file
2. Windows Registry
3. Database string
===============================
What critical privileged account related risks in the IT environment does the PTA
monitor?
* Exposed credentials
* Unconstrained delegation
* Dual usage
===============================
During PSM installation, what groups or permissions are created and assigned to the
PSM safe?
* PSM App Users: used to retrieve from the Vault, create recording safes, upload
recordings, etc.
* PSM Master: manages the safe where the recordings are stored
* PSM GW_<Machine Name>: Gateway user through which the PSM user will access the
Vault to retrieve the target machine password
* PSMApp_<MachineName>: used by the PSM for internal processing
===============================
* Password
* Master CD
* Specified terminal
===============================
Groups who have the authority to review security events in the PVWA
1. Vault admins
2. Security admins
3. Security operators
===============================
Users:
Applications/components/people who have been granted access to the system
Accounts:
The actual privileged account IDs such as personal admin, generic or shared
accounts and service accounts which are stored in safes
===============================
* Assigned to users/groups
* Can be inherited via group membership
* Can be defined in the PrivateArk client or PVWA (typically done in the PVWA)
===============================
1. Server key
2. Recovery public key