1. What are privileged accounts?

ANS: A privileged account is a user account that has more privileges than ordinary users. There are
many kinds of privileged accounts like Root and administrator accounts are typically used for
installing and removing software and changing configuration. They are super user accounts.

Examples: Root -Linux

Administrator-Windows
SA-Oracle
Enable-Cisco

2. What are the different types of accounts?

ANS: They are different account is there

1. Local account
2. Domain account
3. Service account
4. Shared account

Local accounts: A local account controls access to one single, physical computer. Your local
account credentials (username, password, and SID/UID) are stored locally on the computer's hard
drive, and the computer checks its own files to authenticate your login. ... A  local account allows you
some level of access to an individual computer.

Domain account: A domain user is one whose username and password are stored on
a domain controller rather than the computer the user is logging into. When you log in as a domain
user, the computer asks the domain controller what privileges are assigned to you.

Service account: A service account is a special user account that an application or service uses to

interact with the operating system. Services use the service accounts to log on and make changes to
the operating system or the configuration. Through permissions, you can control the actions that
the service can perform.

Shared account: Shared accounts are any resource that uses a single pair of credentials to
authenticate multiple users. ... The challenges shared accounts hold for IT: Activity Tracking and
visibility: The basic premise of identity and access management (IAM) knows who accessed which
resource.

3. What is identity access management (IAM)?

ANS: Identity and access management is the information security discipline that allows

users access to appropriate technology resources, at the right time. ... Once a user successfully
completes the authentication process, the IAM system must then verify the user's authorization to
perform the requested activity.
Identity and access management (IAM) in enterprise IT is about defining and managing the roles and
access privileges of individual network users and the circumstances in which users are granted (or
denied) those privileges. Those users might be customers (customer identity management) or
employees (employee identity management. The core objective of IAM systems is one digital
identity per individual. Once that digital identity has been established, it must be maintained,
modified and monitored throughout each user’s “access lifecycle.”

4. What is EPV?

ANS: Enterprise Password Vault – CyberArk’s Enterprise Password

Vault (EPV) enables organizations to secure, manage, automatically change and log
All activities associated with all types of Privileged Passwords.

It uses a highly secure central repository to store and protect both SSH keys and  passwords for
use in on-premises, hybrid and cloud environments. In addition, its auditing and control features
mean you can track and identify the misuse of any privileged accounts.

Administer, secure, rotate and control access to privileged account passwords.

5. What are the system requirements for installing digital vault server?

ANS: Before installing the Vault, make sure that you have the following:
6. What are prerequisites for installing digital vault server?

ANS:

 Vault Installation Package

 The CyberArk Vault installation CD
 Master CD
 Operator CD
 License file
 Installation documentation

Software prerequisites
Windows 2016 server
Windows 2012 server
.NET Framework 4.5.2.
7. What are vault security layers?

ANS:

Firewall & Code Data Isolation-The Vault must run on a dedicated server, eliminating security holes
in third party Product. This is enforced by the CyberArk firewall, which doesn’t let any
communication into the server or out of it other than its own authenticated protocol – the Vault
protocol. No other component is able to communicate with the outside world, except for the
Storage Engine. The fact that the Vault’s code is the only code that runs on the dedicated
Server assures a sterile environment and total control over the server by the security System.

Encrypted Network Communication & Visual Security Audit Trail- Every password and file stored on
the Vault is encrypted, using an encryption infrastructure that is totally hidden from the end user.
This means that neither users nor administrators need to concern themselves with any key
management issues.
The Vault's Visual Security is the first and only technology that lets Users see activities Carried out in
their Safes by other Users. Real-time monitoring of who is logged on to the Safe and the information
they have retrieved enables Users to track passwords and files in the Vault. Other Visual Security
features inform Users whenever activity occurs in the Vault, and mark passwords and files so that
those that have been accessed by other Users are noticeable immediately.
Strong Authentication & Granular Access Control-Every access to the Vault must be authenticated.
The Privileged Account Security Solution uses a strong two-way authentication protocol.
Authentication is based on Passwords, PKI digital certificates, RSA SecurID tokens, RADIUS protocol,
USB Tokens, or Windows authentication. Taking the latter approach requires no additional
Authentication to be made by the end-user. The Privileged Account Security solution also supports
third-party authentication that can be integrated into the organization's existing Authentication
server.
The Privileged Account Security solution provides a built-in access control mechanism. Users are
totally unaware of passwords or information that is not intended for their use. Users can be
permitted to read, write, delete, or administer data according to the access Control rules.

File Encryption & Dual Control Security-Every password and file stored on the Vault is encrypted,
using an encryption infrastructure that is totally hidden from the end user. This means that neither
users nor administrators need to concern themselves with any key management issues.
8. What does [Link] contains?

ANS: .XML contains

 Customer’s unique ID.

 The type of Vault that is installed.
 The version of the license.
 The expiry date of the license.
 The license key.
 Licensed components.
 The number of EPV Users permitted to work with the CyberArk Vault
 Whether or not to enable high availability clustering.
 Whether or not to enable a connection with an external directory.
 Whether or not to enable Disaster Recovery features.
 Whether or not to enable Remote Monitoring in the Vault.
 Whether or not to enable backup by third party software
 The types of authentication that are permitted by the Vault.
 The types of Clients that the Vault will recognize.

9. What does master CD & operator CD contains?

ANS:

Master CD contains:-

Recovery private key

Recovery public key
Random database key
Server key

Operator CD contains:- Recovery public key

Random database key
 Server key

10. What is the latest version available in market?

ANS: Present 11.3 latest versions available in market.

11. What are the silent features of 11 versions?

ANS: Silent upgrade for PVWA and CPM for automation to help our customers deploy faster in an
automated manner, we provide a silent upgrade option that can be automated with a customer's
automation tools for a faster deployment process.

New connection component to support SQL Server Management Studio 18 A new PSM connection
component was added to the PSM installation and to CyberArk Marketplace to enable secure access
to SQL Server Management Studio (SSMS) 18.

Support deploying Vault on AWS on Windows 2016 CyberArk now supports deployment of Vault
installed on AWS on Windows 2016 Server.
12. What is the remote control agent?

ANS: The Enterprise Remote Control Agent is the software that allows you to take control of a PC.
The CyberArk Vault Remote Control feature enables users to carry out several Operations on Vault
components from a remote terminal.
Managing the Vault, DR Vault, ENE, and CVM from a Remote Location The following table displays
the commands that can be used with the PARClient utility to manage the Vault, DR Vault, ENE, and
CVM from a remote physical location.
13. What is safe and what does it contains?

ANS: A safe is a logical container for storing passwords. Safes are typically created based on who will
need access to the privileged accounts whose passwords will be stored within the safe. For instance,
you might create a safe for a business unit or for a group of administrators

14. What is cyber ark hardening?

ANS: CyberArk installs the Vault Server on a hardened operating system, based on Microsoft Bastion
Host server recommendations which define a highly secured Windows server. The hardening process
is performed as part of the Vault installation and results in disablement of many operating system
services. The hardened Vault Server is designed to serve only CyberArk protocol requests. As such, it
may not function as a regular domain member in a Windows network. In addition, the hardening
process also strips the permissions from existing and built-in Windows users (except the user that
runs the installation).

15. Is it possible to remove the hardening once digital vault hardened?

ANS: Not possible we have to re-build the OS.

16. What are the default safes that are created after vault installation?

ANS: Default safes are

1. System Safe
2. Vault internal
3. Notification Engine
17. What is the purpose of master account?

ANS: Master account is used for retrieving the Administrator accounts. Whenever Administrator
accounts are blocked / suspended by using master account we can activate the administrator
account.

18. What are the log files related to vault server?

ANS: Log files related to vault server are [Link], trace logs.
19. What are the services related to vault server?

ANS:

 Cyberark event notification engine.

 Cyberark logic container.
 Private ark database.
 Private ark remote control agent.
 Private ark server.
 Cyberark windows hardened firewall.
20. What are the configuration files of vault server?

ANS: Vault configuration files are

 Dbparm
 Paragent(Remote control agent)-9022
 Passparm(Password management)
 Tsparm(safes directory)
 Vault

21. What does system safe contains?

ANS: System safe contains configuration files, license file and log files of vault server.

 [Link]
 italog
 [Link]
 [Link]
 [Link]
 [Link]
22. What does vault internal safe contains?

ANS: LDAP configuration details.

23. What re built in users and groups that are created after cyber ark implementation?

ANS: After cyberark implementation default users and groups are:

 Auditor
 Administrator
 Batch
 Master
 NotificationEngine
 PSMApp_WIN
 PVWAAppUser
 PVWAGwUser
 Auditors groups
 Notification Engines group
 PSMAppUsers group
 PSMLiveSessionTerminators group
 PSMMaster group
 PVWAGWAccounts group
 PVWAMonitor group
 PVWAUsers group

24. What are the prerequisites of installing CPM?

ANS: Install .net Framework 4.5.2.

25. What are the system requirements for installing CPM?

ANS: TCP/IP connection to the Digital Vault Server.

26. What are the default safes that are created after CPM installation?

ANS: Default safes of CPM are

 PasswordManager
 PasswordManager_ADInternal
 PasswordManager_Info
 PasswordManager_Pending
 PasswordManager_workspace
 PasswordManagerShared
27. What does password manager safe contains?

ANS: Password manager safe contains [Link], [Link] files.

28. What are the services related to CPM?

ANS: CPM services are CyberArk Password Manager ,CyberArk Central Policy manager Scanner.

29. What are log files related to CPM?

ANS:
 PM
 PM_error
 PMConsole
 PMTrace
 ThirdParty levels

Activity Log (logs folder)- [Link] –contains all the log messages, including general and informative
messages, errors, and warnings.
pm_error.log –contains only warning and error messages.
Third part Logs- Generated by the Central Password Manager built-in password generation plug-ins
when an error occurs. Root log, console log, expect log and debug log.

History Log files- After a log file has been uploaded into the Safe, it is renamed and moved into the
History subfolder.

30. What are the process &prompt files and where does it contains?

ANS: Bin folder

31. What is the order of installation of cyber ark?

ANS: Cyberark order of installation in below

< 10.8:-

 Vault
 CPM
 PVWA
 PSM

> 10.8:-

 Vault
 PVWA
 CPM
 PSM

32. What are prerequisites for PVWA?

ANS: IIS server (internet information services), Windows Server must be a domain member.
33. What are system requirements of PVWA?

ANS: The minimum requirements for the PVWA are as follows:

34. What is the default port of cyber ark in which all the components will communicate to vault?

ANS: Default port of Cyberark Vault TCP/IP port number is 1858.

35. What are the services related to PVWA?

ANS: PVWA services are:-

 IIS Admin Service(IIS ADMIN)

 Windows Process Activation Service
 World Wide Web Publishing Service.
36. What are log files related to PVWA?

ANS: PVWA log files are

 [Link] [Link]
 [Link]
 [Link]

37. What is the configuration file of PVWA?

ANS: Configuration file of PVWA is [Link]

38. What are the safes created after PVWA installation?

ANS: PVWA default safes are

 PVWAConfig
 PVWAPrivateUserPrefs
 PVWAPublicData
 PVWAReports
 PVWATaskDefinations
 PVWATicketingSystem
 PVWAUserPrefs
39. What does PVWA config safe contains?

ANS: [Link] (.ini files is used to assign in Platform Level) and [Link]

40. What are the system requirements for installing PSM?

ANS:

 TCP/IP connection to the CyberArk Password Vault Server

 Windows 2012
 PSM setup
 Windows Server must be a domain member.
41. What are the prerequisites for installing PSM?

ANS: Prerequisites of PSM are RD Web access, RD Connection broker and RD Session host,
Only Windows Server 2012 R2, Windows Server must be a domain member, User logged in during
installation must be a Domain User with local admin rights.

 RD Web access: Remote desktop web access enables user to connect to resources provided
by session collections and virtual desktop collections by using the start menu or web
browser.
 RD connection broker: Remote Desktop connection broker connects or reconnects a client
device to RemoteApp programs, session based desktops and virtual desktops.
 RD session host: Remote desktop session host enables a server to host RemoteApp
programs or session based desktops.
42. Why do we need remote desktop licensing server?

Ans1: (it will Lunch the RD Licence on PSM Server)

Ans 2: The Remote Desktop Connection Broker is used to connect users to existing

virtual desktops and apps. The Remote Desktop License Server manages the RDS Client
Access Licenses (CALs) that are required by client devices to connect to the RD session host.

43. What are the default users of PVWA & PSM that are created after installation?

ANS: Default users of PVWA after installation PVWAAppUsers and PVWAGWUsers

PVWAAppUser is used by the Password Vault Web Access for internal Processing.

PVWAGWUseris the Gateway user through which users will access the Vault
In PSM PSMAppUsers and PSMGWUsers.

This user is used by the PSM for internal processing. The credentials file for this user is [Link]
and is stored in the PSM server

This is the Gateway user through which the PSM user will access the Vault to retrieve the target
machine password. The credentials file for this user is stored on the PSM Server in a file named:
[Link]
44. What is the default safe where recordings will be stored?

ANS: All the recordings will be stored in PSMRecordings.

45. Name the services related to PSM?

ANS: CyberArk Privileged Session Manager.

46. What are log files related to PSM?

ANS: PSM log files are PSMConsole and PSMTrace

47. What is the configuration file of PSM?

ANS: basic_psm

48. What are default safes that are created after PSM installation?

ANS: Default safes that are created after PSM installation

 PSM
 PSMLiveSession
 PSMUnamanagedAccounts
 PSMRecordings
49. What does PSM safe contains?

ANS: PSM Safe contains PSMAdmin and PSMServer.

50. What is the formula for calculating storage of PSM recordings?

ANS:
51. What is the functionality of Vault, CPM, PVWA and PSM?

ANS:

 Vault: It is the secure repository of all sensitive information, and it is responsible for
securing this information, managing and controlling all access to this information, and
maintaining and providing tamper-proof audit records.
 CPM: The Privileged Account Security solution provides a revolutionary breakthrough in
password management with the CyberArk Central Policy Manager (CPM), which
automatically enforces enterprise policy. ... The CPM generates new random passwords
and replaces existing passwords on remote machines.
 PVWA: The Password Vault Web Access Interface is a complete featured web interface
providing a single console for requesting, accessing, and managing privileged account
credentials passed throughout the enterprise by both end users and system
administrators.
 PSM: CyberArk's Privileged Session Manager (PSM) is a central point of control for
protecting target systems accessed by privileged users and accounts. It's a single solution
that isolates controls and monitors all privileged activity across the data center with
recording and monitoring activity.

52. What is the difference between standalone configurations and HA cluster configuration?

ANS:

53. How will you implement cyber ark HA cluster?

ANS:

 Make sure all prerequisites are in place.

 Install vault server on node A
 Do the cluster configuration in cluster [Link] file
  Copy the operator keys to node B
 Stop the CVM on node A and make sure the disks are in offline.
 Install the vault server on node B.
 Do the cluster configuration in cluster [Link] file
 Vault id and server id should be same on both nodes.
 Start CVM on node A
 Do the failover from active node to passive node and vice versa.
 Now install the components in the following order.
 PVWA,CPM and PSM

54. What is the configuration file of cluster vault & what does it contains?

ANS: [Link]

55. What is Quorum?

ANS: In order to prevent split brain scenarios in case of communication errors and, we are going to
use the Quorum mechanism.
The Quorum uses a separate disk on the shared storage.
Quorum disk will always stay offline during normal Cluster Vault operation (except during
installation) but remain reserved for the active node.

56. What are the log files of HA-cluster?

ANS: Log files of HA-Cluster are

 [Link]
 [Link]
57. Name the services related to HA-cluster?

ANS: ClusterVaultmanager

58. What are the prerequisites of HA-cluster?

ANS: Prerequisites of HA-Cluster is

 Dedicated SAN and Shared Storage

 Two identical vault servers
 Virtual IP address
 Each node should have only one single static IP
 It is highly recommended that both nodes have the same amount of physical memory
 The clocks on both cluster nodes must be synchronized
 The two Cluster Vault Nodes must be connected directly via a private network or cross-over
cable.
 If the storage is based on iSCSi(network storage) then a Windows update (KB2955164)
should be installed in order to ensure database stability.
 Ensure that the drive letters for the Quorum and Storage disks are identical in both nodes.
 Ensure that the shared storage resources are only online in one node.
 Make sure that servers are reachable via public ip, private ip and virtual ip.
 Vault Servers (Primary, DR, Satellite) For each HA Cluster Pair, 2x Vault Servers (Node 1 and
Node 2) – Windows 2012 R2 64-bit Standard Edition:
 The Vault servers is highly recommended to be on physical servers for security and
performance purposes. If this is an issue, please contact CyberArk Professional Services.
 The server should be installed as a clean image from ISO, rather than a normal domain
image that’s been cleaned to avoid any GPO impact
 .NET Framework 4.5.2 Feature Installed
 2x shared disks via SCSI or Fiber (SAN) attached storage
 Primary disk for data storage based on Vault data size calculations
 Secondary disk for Quorum verification with at least 500MB
 These disks should not be used by any other system
 If SAN is used, these should be on separate LUNs
 Both the Quorum and the Data disks MUST be provisioned as an MBR partition table, NOT a
GPT partition table
 Public and Private NICs
  Private NICs should be connected by a crossover cable or be on an isolated /30 VLAN
 Three (3) public IPs, 2 private IPs
 Node 1 public, Node 2 public, Vault VIP
 Node 1 private, Node 2 private
 2 IPs for Out-of-Band management (iLo/DRAC)
 DO NOT install any third party software; this includes Antivirus, Spyware, Backup,
Monitoring software.
 The server should not be part of the domain.
 Install the latest Microsoft Patches and updates and verify that they do not have MS
Windows Update active (setup to “Never Check”)

59. How the nodes will communicate in HA-cluster?

ANS: HA clusters usually use a heartbeat private network connection which is used to monitor the
health and status of each node in the cluster.

60. In which node storage will be in online?

ANS: Only on Active Node storage is in online condition.

61. Why the vault server should not be part of domain?

ANS: The Vault’s DNS sever settings should remain empty to eliminate the risk of attack
initiated through compromised DNS servers.

62. What is DEP and why do you we need disable DEP in CPM server?

ANS: Data Execution Prevention (DEP) is a security feature that can help prevent damage to your
computer from viruses and other security threats. Harmful programs can try to attack Windows by
attempting to run (also known as execute) code from system memory locations reserved for
Windows and other authorized programs.
63. What is the purpose of cyber ark CPM scanner services?

ANS: CPM Scanner service is used for Accounts discovery.

64. What are the logs we can see under third party logs?

ANS: Third Party logs are root logs, console log, expect log and debug log.

65. What does password manager shared contains?

ANS: Password manager shared contains all policy files.

66. What does PVWA config safe contains?

ANS: The [Link] contains the “UI & Workflow” settings for all platforms.
The PlatformBaseID, ties the platforms listed in the [Link] with the platforms contained in the
PasswordManagerSharedsafe.

67. What is the purpose of remote connection broker?

ANS: Remote Desktop connection broker connects or reconnects a client device to RemoteApp
programs, session based desktops and virtual desktops.
68. What is the purpose of session collection?

ANS:

69. What is network layer authentication?

ANS: Network Level Authentication (NLA) is an authentication tool used in Remote Desktop Services
(RDP Server) or Remote Desktop Connection (RDP Client), introduced in RDP 6.0 in Windows Vista
and above. NLA is sometimes called front authentication as it requires the connecting user to
authenticate themselves before a session can be established with the remote device.
70. What is PSM connect and PSM admin connect?

ANS: During installation, the following users are created locally on the PSM machine:

•PSMConnect–used by end users to launch a session via the PSM.

•PSMAdminConnect–used by auditors to monitor live sessions.

71. Is it possible to customize recording safes?

ANS: Custom recording safes can be defined at the platform level and are created automatically by
the PSM when it uploads the first recordings to the Vault.
72. How will you grant access for getting reports tab?

ANS: We will get a reports tab after adding into PVWAMonitor group.

73. How will you integrate AD in cyber ark?

ANS: Create an LDAP Bind account with READ ONLY access to the directory.
 Have the User Name, Password, and DN available
 Create three LDAP groups for granting access to the vault.
 CyberArk Administrators
 CyberArk Auditors
 CyberArk Users
 We strongly recommend you use LDAP/S
 This insures that all of the traffic between the Domain Controller or LDAP authenticating
Server and the Vault is encrypted
 Install the Root Certificate for the CA that issued the certificate on the directory servers to
the Vault Servers.
 Create a hosts file on the vault servers to manually resolve directory server names.

74. What are default ports of LDAP?

ANS: The default port of LDAP is 389 and SSL authentication is 636.
75. What is the purpose of Bind user?

ANS: Bind operations are used to authenticate clients (and the users or applications behind them) to
the directory server, to establish an authorization identity that will be used for subsequent
operations processed on that connection, and to specify the LDAP protocol version that the client
will use.

Binding is the step where the LDAP server authenticates the client and, if the client is successfully
authenticated, allows the client access to the LDAP server based on that client's privileges. Rebinding
is simply doing the process over to authenticate the client.

76. How LDAP directory mapping can be done?

ANS:
77. What are the predefined users & groups that are added after safe creation?

ANS: Administrator, DR user and Batch.

78. What is the safe? How many ways safes can be created?

ANS: Safe is a logical container it stores privileged accounts stored in the form of files.

Safes can be created in the following ways

 Privateark client
 PVWA
 Pacli script
79. What is safe retention period?

ANS: Note that version will not be deleted while still in the safe object history retention period
which is defined below.

80. How will you grant safe ownership?

ANS: Go to the private ark client go to respective user and add safe required ownership .From PVWA
go to the respective safes and add members or the groups mapped from AD.

81. What are the roles and permissions that we can see at safe level?

ANS: Roles and permissions at safe level are:-

Access:-

 Use accounts
 Retrieve accounts
 List accounts

Account management:-

 Add accounts (includes update properties)

 Update account content
 Update account properties
 Initiate CPM account management operations
 Specify next account content
 Rename accounts
 Delete accounts
 Unlock accounts

Safe management:-

 Manage safe
  Manage safe members
 Backup safe

Monitor:-

 View audit log

 View safe members

Work flow:-

 Authorize account requests (Level 1, Level 2)

 Access safe without confirmation

Advanced:-

 Create folders
 Delete folders
 Move accounts/folders

82. What is the platform and why do we need to duplicate platform?

ANS: Introduction to Policy by Platform the Policy by Platform view enables you to easily see the
settings that will be applied to each platform and gives you an 'at a glance' picture of the effective
policy that manages associated accounts.

You can see the base line of compliance-related settings implemented at system level through the
Master Policy, combined with exceptions for specific platforms

There are two types of Account Platforms:

Account Platforms:-

 Define the technical settings required to manage the account

 User to define exceptions to the Master Policy
 Every account is associated with one platform

Target Account Platforms:-

 Service Account platforms define additional service accounts that are required for use in
different resources, such as Windows services or Windows scheduled tasks.
 Service accounts will be tied to target accounts
 TARGET ACCOUNT PLATFORMS
 Target Account Platforms are used to provide two main functionalities22
 Technical settings required to login into and change passwords on the various types of
systems.
 There will be a separate Platform for each type of Account we will manage
 Example -How you login to and change a password on a Unix server is much different that
how you do the same thing on a windows server
 Basis for exceptions to the Master Policy
  Example -There may be multiple Platforms that are used to manage accounts on Unix via ssh
servers. The technical settings may be the same.
 Exceptions can be made to the Master Policy so that accounts associated with one of the
UNIX via sshPlatforms require Dual Control.
 How we associate Accounts with Platforms will be covered later in this section.

83. What are privileged accounts and different types of account?

ANS: There are 6 types of accounts

 Local Admin accounts: These accounts are typically non-personal and provide administrative
access to the local host. These accounts are typically used by the IT staff to perform
maintenance or to set up new workstations. Often, these accounts will have the same
password across the platform or organizations. 
  Privileged user accounts: These are the most obvious accounts. These give administrative
privileges to one or more systems. They are the most common form and usually have unique
and complex passwords giving them power across the network. These are the accounts that
need to be monitored closely. These accounts should be monitored for who has access,
what they have access to, and how often they request access.  

 Emergency accounts: Emergency accounts provide unprivileged users with admin access to
secure systems in case of an emergency. These are also referred to as "fire call" or "break
glass" accounts. While these accounts should require managerial approval, the process is
usually manual and lacks the appropriate record keeping needed for compliance audits.

 Domain Admin accounts: Domain admin's have privileged access across all workstations and
servers on a Windows domain. These are the most extensive and robust accounts across
your network because they have complete control over all domain controllers and the ability
to modify membership of every administrative account within the domain.

 Service accounts: These accounts are privileged local or domain accounts that are used by an
application or service to interact with the operating system. Typically, they will only have
domain access if it is required by the application being used. Local service accounts are more
complicated because they typically interact with multiple Windows components.

 Application accounts: these accounts are used by applications to access databases and
provide access to other applications. These accounts usually have broad access to the
company information because of their need to work across the network.

84. In how many ways accounts can be on boarded?

ANS: Accounts can be on boarded in following ways

 Manually
 Password upload utility
 Accounts discovery
 Rest API

85. What is password upload utility and how will you on board account on PUU?

ANS: Password Upload utility is used to on board the target servers in bulk. You have to prepare a
csv file where you can add a separate line for each target server. Each line will have different fields
such as IP address of the server, account name, password, safe to which the server to be added etc.
Once you run the utility, accounts will be added to PIM.
The PUU contains the executables and configuration files required to run the utility.

 Create the csv file.

 Configure the vault address in [Link] file

 Configure the credential file the running command [Link] [Link]
  Specify the csv file name in [Link] file

 run command [Link] [Link]

86. What is the log file related to PUU?

ANS: Related log file of PUU is Password upload error.

87. What is dual control access approval and how will you enable?

ANS: End users will require authorization before accessing privileged accounts. Depending on
advanced configuration, access authorization must be given by one or more managers or Peers.

Dual Control: -The Master Policy enables organizations to ensure that passwords can only be
retrieved after permission or ‘confirmation’ has been granted from an authorized Safe
Owner(s).Authorized Safe Owners can either grant or deny requests. This feature adds an additional
measure of protection, in that it enables you to see who wants to access the information in the Safe
when, and for what purpose.

Note: The first group member who confirms or rejects a request doe’s so on behalf of the entire
group. If more than one confirmation is required, each group is equivalent to a single authorized
user and will count as a single confirmation/rejection. As soon as users receive confirmation for a
request from an authorized user, they can access the password or file that the request was created
for.

The manual security workflow comprises the following steps:

1. The user creates a request: A user who wishes to access an account in an environment where the
Master Policy enforces Dual Control must first create a request. In the request, the user specifies the
reason for accessing the account, whether they will access it once or multiple times, and the time
period during which they will access it. A notification about the request is sent to users who are
authorized to confirm this request.

2. The request is confirmed or rejected by the authorized user: Through the notification, authorized
users can access the request and view its details. Based on these details, authorized users either
confirm or reject the request. The number of authorized users who are required to confirm requests
is defined in the Master Policy.

3. The user connects to the account: Each time an authorized user responds to the request, the user
who created it receives a notification. When the total number of required confirmations is received
for the request, this user receives final notification. The user can now activate the confirmation and
access the

Account according to the request specifications.

88. What is check in check out policy and how will you enable it?

ANS: Enforce check-in/check-out exclusive access – Users can check out an account and lock it so
that no other users can retrieve it at the same time. After the user has used the password, they
check the password back into the Vault. Together with enforcing one-time password access, this
restricts access to a single user, ensuring exclusive usage of the privileged account and guaranteeing
accountability. By default, this rule is inactive.

Accounts Check-out and Check-in:

Auditing and control requirements demand full identification and monitoring of users who access
privileged accounts during any given period. In addition, to guarantee accountability, each user who
accesses a privileged account must be the only one to do so.

The Master Policy enables organizations to permit users to check out a ‘one-time’ password and lock
it so that no other users can retrieve it at the same time. After the user has used the password, he
checks the password back into the Vault. This ensures exclusive usage of the privileged account,
enabling full control and tracking for the password.

If the organizational policy determines that a password can only be used once, the Master Policy can
also be configured to change the password’s value before unlocking it and making it available to
other users. If a CPM is installed, this can be done automatically.
89. What is one time password access and how will you enable it?

ANS: Enforce one-time password access: Accounts can be retrieved for one time use only, and the
password stored inside must be changed after each use before the account is released and can be
used again. Passwords can be changed automatically by the Privileged Account Security solution’s
password management capability.

90. What is the purpose of allow EPV connections?

ANS: Quick to connect.

Allow EPV transparent connections (‘click to connect’) – Users can connect to remote devices
without needing to know or specify the required password. This prevents the password from being
exposed to the user and maintains productivity as the user does not have to open a login session and
then copy and paste the password credentials into it. In addition, advanced settings define whether
or not users are permitted to view passwords. This enforces strong authentication for accessing
managed devices and restricts user access to passwords according to granular access control.

91. How will you do CPM password management via PUU?

ANS:
92. What is reconcile account and how will you associate account via PUU?

ANS:

 Used for ‘lost’ or unknown passwords

 Should be used infrequently
 Needs to have elevated privileges (i.e. Domain Admin)
 This account is usually a service account reserved for this purpose
 Reconcile accounts for Unix require a custom plug-in
Reconciling Passwords

Passwords in the Vault must be synchronized with corresponding passwords on remote devices to
ensure that they are constantly available. Therefore, the CPM runs a verification process to check
that passwords are synchronized. If the verification process discovers passwords that are not
synchronized with their corresponding password in the Vault, the CPM can reset both passwords
and reconcile them. This ensures that the passwords are resynchronized automatically, without any
manual intervention.

The platform contains rules that determine whether automatic reconciliation will take place when a
password is detected as unsynchronized, or whether it is launched only through a manual operation
by an end user/system admin. A reconciliation account password that will be used to reset the
unsynchronized password can be defined either in the platform or at account level. This account can
be stored in a separate Safe, where it is only accessible to the CPM for reconciliation purposes.
During password verification, the CPM plug-ins return a list of predefined errors to the CPM. Each
platform specifies the specific errors that will launch a reconciliation process for passwords linked to
that platform. This enables each enterprise to specify its own prompts for reconciling passwords and
gives maximum flexibility to individual needs.

During password reconciliation, the unsynchronized password is replaced in the Vault and in the
remote device with a new password that is generated according to the relevant platform. As soon as
reconciliation is finished successfully, all standard verifications and changes can be carried out as
usual. Users can see details of the last reconciliation process in the Operational Views in the
Accounts List.

To Define a Reconciliation Account Password At platform level – All accounts attached to a specific
platform will use the reconciliation account password specified in the platform.
93. What is logon account and how will you associate account via PUU?

ANS:

 Used when a user is prevented from logging on but password is known

 Used on a regular basis –i.e. it is common to block root access via SSH
 A ‘super user’, such as root, should not be used as a logon account
Associating Logon Accounts
The CPM associates logon accounts to enable users to log onto remote machines where they can
perform identity management tasks. Logon accounts can be configured in either of the following
ways:

At platform level – All accounts attached to a specific platform will use the logon Account specified
in the platform.

At account level – A logon account can be initiated manually in the Account Details page. The
following parameters in the Privileged Account Management parameters specify the default logon
account that will be associated with each new account.

LogonAccountSafe – The name of the Safe or a dynamic rule that specifies it, where the default
logon account that will be used for accounts associated with this platform is stored.

Note: PSM cannot access logon accounts if the Master Policy is configured to enforce dual control
password access approval.

LogonAccountFolder – The name of the folder or a dynamic rule that specifies it, where the default
logon account that will be used for accounts associated with this platform is stored.

LogonAccountName – The name of the default logon account that will be used for accounts
associated with this platform.

94. What is the default port of remote control agent (SNMP)?

ANS: Default port of Remote control agent is 9022.

95. What is the functionality of CPM?

ANS: The Privileged Account Security solution provides a revolutionary breakthrough in password
management with the CyberArk Central Policy Manager (CPM), which automatically enforces
enterprise policy. The CPM generates new random passwords and replaces existing passwords on
remote machines.
96. What is the functionality of PVWA?

ANS: The Password Vault Web Access (PVWA) enables both end users and administrators to access
and manage privileged accounts.
97. What is the functionality of PSM?

ANS:
99. How will you enable PSM?

ANS:

99. How will you change recording safe retention period?

ANS: Reports Safes and PSM Recording Safes are created automatically with the following setting:

Auto-purge is enabled – Files in this Safe will automatically be purged after the Object History
Retention Period defined in the Safe properties. Audit – This rule enables you to determine how Safe
audits are retained.

Activities audit retention period – The Master Policy controls the number of days that Safe activities
audits are retained. By default, audits of activities are kept for 90 days.

Note: If this parameter is set to zero, activities in the Safe will not be written in an audit log.

Protect or unprotect the recording – You can protect important recording from being deleted
automatically after the Safe retention period on the Recordings Safe has expired.

To protect a recording, click Protect on the toolbar; the recording will be stored in the Safe either
until you delete it or until you remove the protection.

To unprotect a recording, click Unprotect on the toolbar; the recording will be deleted from the Safe
the next time that expired Safe history is erased from the Safe The retention period setting can be
modified in the Safe properties.

100. How will you monitor the live session?

ANS: PSMMaster and Auditors group member can monitor the live sessions.

Monitoring Privileged Session Recordings

The PVWA acts as a centralized access point for privileged session recordings. In order to display
information about privileged session recordings and be able to play the session recordings, users
require the following authorizations:

Membership in the Auditors Group Or, Membership in the relevant Password Safes and Recording
Safes with the following authorizations:

In the relevant account Safes:

 List accounts/files

Note: This authorization specifically enables users to access recordings from the Account Details
page.

In the relevant recording Safes:

 Retrieve accounts/files
 List accounts/files
 View audit
 Monitoring Privileged Sessions
 Privileged Account Security

Authorized users can view the recordings in any of the following ways:

The MONITORING page enables intuitive access to all privileged session recordings. This page is
visible to authorized users after the first recording has been uploaded to the Vault.

The Recording Details page enables a more thorough view of a specific session recording. The
Account Details page provides access to recordings for individual passwords.
101. How will you terminate the live session & what permissions will you assign for terminating
live session?

ANS: If we add PSMLiveSessionTerminator group we can terminate the live session.

Terminating Live Sessions

You can terminate live sessions from your own workstation.

To Terminate Live Sessions In the MONITORING page:

1. In the Live Sessions grid, display the live session to terminate.

2. In the line of the session, click the Action menu icon and then Terminate.

 In the Live Session Details page:

1. Display the Live Session details page of the live session to terminate.

2. On the toolbar, click Terminate.

A message appears prompting you for confirmation.

3. Click Yes to terminate the live session, or, Click No to leave the live session running and return to
the Live Session details page. A new window is opened on your workstation and the live session is
terminated; a message appears to confirm that the target session was terminated.
102. Why do we need remote desktop licensing server?

ANS: CAL licences.

A client access license (CAL) is needed for each user and device that connects to a Remote
Desktop Session (RDS) host. An RDS licensing server is needed to install, issue, and track RDS CALs.
When a user or a device connects to an RD Session Host server, the RD Session
Host server determines if an RDS CAL is needed.

Connecting to the PSM Server with Microsoft Remote Desktop Services (RDS) Session Host Make
sure you have the appropriate RDS CAL licensing. PSM can work with any RDSCAL License scheme
(either per user or per device).

103. Is command based recording is possible or not?

ANS: Yes possible.

Configuring SSH Commands Access Control in PSMSSH commands white-listing or black-listing

(Commands Access Control) in PSM gives an organization the ability to block unauthorized SSH
commands if attempted to be executed by a privileged user on a network, security or other device or
any SSH-based target system.

Users can connect transparently to a target system or device through the PSM, and run specific
commands on the target according to the user’s permissions and the allowed commands as defined
by the organization's security policy in the Vault. Unauthorized commands will be blocked and will
not be sent to the target.

The solutions’ architecture does not require installation of an agent on the target machine or device.
Instead, PSM can recognize the command the user entered by analyzing the output of the terminal
channel.
The solution aims to prevent user errors and provide a basic ability to block unauthorized
commands, especially where agents cannot be installed due to an organizations’ policy or
environment requirements (for example, when restricting access to a network or security devices).

Note: Universal keystroke recording cannot be applied with Commands Access Control in PSM. For
considerations when using Command Access Control, descriptions on how to enable, configure and
manage ACLs, and how to modify and delete Commands Access Control, refer to the following
section Configuring SSH Commands Access Control in PSMP

104. What are PSM shadow users?

ANS: Sessions for Non-RDP client applications (WinSCP, Putty etc.) are launched on the PSM server
using the PSM Shadow User accounts.

105. How will you enable suspended users?

ANS:
106. How will you enable default suspend users?

ANS: The PasswordManageruser is the default user of the CPM that is used to connect to the Vault.
The Cred file is created automatically during the CPM installation.

The PasswordManageruser is authenticated by the Vault each time it connects. After the CPM
successfully authenticates, the vault changes the password for the PasswordManageruser and
updates the cred file on the Comp Server.
107. What are the tasks that we can perform by using remote control agent/client for operating
vault?

ANS: In remote control agent we can perform below tasks.

108. What is the configuration & log file of remote control agent?

ANS: [Link] and [Link]

The CyberArk Vault Remote Control feature enables users to carry out several operations on the
Vault, DR Vault, and ENE components from a remote terminal. It comprises two elements:
REMOTE CONTROL

•The Agent is installed as part of the Vault installation on the Server and on the Disaster Recovery
Server.

Remote Control Agent

•The Remote Control Client is a utility that runs from a command line interface and carries out tasks
on a Vault component where the Remote Control Agent is installed.

•It does not require any other Vault components to be installed on the same computer, even the
PrivateArkClient.

Remote Control Client:

•Retrieve logs

•Set parameters

•Restart vault

•Restart services

•Reboot vault server

•Retrieve machine statistics such as

•Memory Usage

•Processor Usage

REMOTE CONTROL AGENT.

The Remote Control Agent allows users to do the following from the Client:

•The Remote Control Agent can use SNMPto send Vault traps to a remote terminal. This enables
users to receive both Operating System and Vault information, as follows:

•Operating System information:

•CPU, memory, and disk usage

•Event log notifications

•Service status

•Component-specific information:

•Password Vault and DR Vault status

•Password Vault and DR Vault logs

•CyberArk provides two MIBfiles (for SNMP v1 and SNMPv2) that describe the SNMP notifications
that are sent by the Vault. These files can be uploaded and integrated into the enterprise monitoring
software.

•These MIB files are included on the Privileged Account Security Installation CD

109. What is the Backup and restore?

ANS: Indirect Backup (Recommended)

•Replicate module is installed on a domain member server, typically the same server as other
CyberArk components.

•[Link] is used to copy vault data as encrypted files from the Vault server to the domain
server.
•Third-party backup software can then be used to backup these files.

•Direct Backup (Not Recommended)

•Replicate module is installed on the Vault Server.

•[Link] is used to prepare the metadata on the Vault server for direct tape backup.

•Warning: Installing a third-party backup agent on the Vault server may introduce vulnerabilities and
is not recommended.

110. How will you take vault backup by using replicate software?

ANS: 1. Enable the Backup user and set an initial password.

2. Install the Replicate module and specify a location for Replicated Data.

3. Edit the [Link] to point to the Vault server.

4. Create a Credential File for the Backup user.

5. Create a batch file to execute the Replicate Process.

111. What are default user that needs to be enabling for doing backup and restore?

ANS: Backup and operator.

112. What are the commands for executing backup and restore?
ANS: To Restore a Safe

Safes are restored using the PARestore utility, regardless of how they were backed up.

Notes: If a Safe with the name of the backed-up Safe does not exist in the Vault, before beginning
the restore process, create a new Safe with the same name as the Safe that was removed. This Safe
will remain empty, and the contents of the backed-up Safe will be restored to a target Safe with a
different name that is specified during the restore process. To increase the level of security, the
restore process synchronizes the Safe’s owners of the existing Safe and the original Safe. As a result,
when you restore a single Safe, its original Owners may not be restored with the Safe data and must
be added manually.

To restore a Safe that was backed up with the PrivateArk Replicator:

At a command line prompt, use the following command: PARestore <VaultFile> <User> /RestoreSafe
<Safe> /TargetSafe <NewSafe>

The Vault’s Backup solution is comprised of several utilities that manage and perform the backup
and restore operations. These utilities can be configured to run automatically using a scheduling
program. Safes backup should be synchronized with your backup methodology.

Replication:-

The Vault Backup utility exports the Safe files from the CyberArk Vault to a computer on the local
network where the Backup utility has been installed. The Safes are copied in a similar format and
structure to the one in the Server. The global backup system can then access the files from that
computer. In order to be able to issue the replicate utility in a Safe, a user must have the ‘Backup All
Safes’ user authorization and the ‘Backup Safe’ authorization in the Safe being replicated. A
predefined group called ‘Backup Users’ is created during Vault installation and upgrading, and is
added automatically to every Safe that is created. Each user that is subsequently assigned to this
group must be given backup authorizations manually. This user authenticates to the Vault with a
user credentials file which contains its username and encrypted logon credentials. As the Backup
utility is part of the total CyberArk Vault environment, there is no need for any external application
to cross the firewall. The entire backup procedure takes place within the Vault environment, thus
maintaining the high level of security that is characteristic to the CyberArk Vault.

Note: If your Safes are on an NTFS partition, the replicated Safes should also be on an NTFS partition,
and not FAT/FAT32.

The following diagram displays the processes that take place during Vault replication. Vault
Replication

Privileged Account Security

Step 1: The Vault Backup utility ([Link]) generates a metadata backup in the Vault’s
Metadata Backup folder, and then exports the contents of the Data folder and the contents of the
Metadata Backup folder to the computer on which the Backup utility is installed.

Step 2: After the replication process is complete, the external backup application copies all the files
from the replicated Data folder and the Metadata folder. Keep the replicated files on the Backup
utility machine after the external backup application copies all the files. The next time you run the
Backup utility to the same location; it will update only the modified files and reduce the time of the
replication.

113. How will you do the incremental and full backup in your current organization?

ANS: Incremental backup on daily basis and ful backup on weekly basis using the cyberark task
scheduler.
114. What is DR?

ANS: DR means Disaster recovery its same as vault server it uses whenever vault server goes down
DR vault server will be automatically up and running. DR is a backup server.

The Disaster Recovery (DR) service that runs on the DR Vaults is responsible for replicating the data
and metadata from the Production Vault, as described below.

Data Replication – The DR Service replicates the external files (Safes files and Safes folders) from the
CyberArk Production Vault to the DR Vault. Data replication is performed according to the settings in
the Disaster Recovery configuration file ([Link]).

Metadata Replication – The DR Service replicates the metadata files based on exports (full backup)
and binary logs (incremental backups). Metadata replication from the Production Vault to the DR
Vault occurs after each action in the Vault has been completed.

Replication of the metadata files (MySQL DB) based on exports (full backup) and binary logs
(incremental backups)

 Metadata replication from the Production Vault to the Disaster Recovery Vault occurs at the
completion of each event
 Since password objects are also stored in the metadata, password objects are always synced
between production and DR.
115. How will you perform DR drill?

ANS: Before doing DR drill we will take the entire backup from vault server and need to check
replicating the data or not till the date of DR drill.

 Plan for down time

 Plan for change freeze
 Inform to customers about the activity and to use DR PVWA’s
 Stop the production vault server
 Check the [Link] file and make sure that enable failover mode is set to yes.
 After 5 attempts of retries the DR vault server should be automatically up and running.
 Monitor the [Link]

116. What is the configuration file of DR vault?

ANS: [Link]
117. What is the log file of DR vault?

ANS: [Link]
118. What are the services related to DR?

ANS: CyberArkDisasterRecovery

118. Which user is responsible for replicating the vault data?

ANS: DR user is responsible replicating the vault data.

119. How will you point the component servers to DR site?

ANS: All the [Link] files of the component servers must contain DR vault ip address.

120. What are different types of reports?

ANS: Reports are two types

1. Operational reports

a. Privileged account inventory

b. Applications inventory

2. Audit and compliance reports

a. Privileged accounts compliance status
b. Activity log
c. Entitlement
121. In how many ways reports can be generated?

ANS: Reports can be generated in two ways

1. PVWA webpage reports tab

2. Private ark client
122. What is Entitlement report?

ANS: Entitlement reports – User, FullName, Group, GroupOwnership, Location,

UserType, TargetPolicy, TargetSystem, TargetAccount, Safe, Read, Change,
OtherPermissions

123. What is privileged compliance account report?

ANS: Privileged account compliance status report uses CPM status for each account that is complaint
or non complaint .
124. What is license capacity report and what does it contains?

ANS: List down the licenses that are available and valid for users as well as PIM components.

125. How will you generate activity log reports for server?

ANS: From PVWA page go to reports tab and generate activity log report based on the codes that are
required.
126. What are customized reports?

ANS:

127. How will you login with master account and where you can login?

ANS: Need to specify recover private key path in [Link] file and emergency station ip in
[Link] file. Master user can only login from server administrative console and from emergency
station ip.

128. Can master account login PVWA?

ANS: NO he can only login via private ark client.

129. How will you perform version upgrade?

ANS:

1. Take file system backup on all component servers where CyberArk components are installed

2. It is better to stop the services while run the script for version upgrade

3. Better plan the activity during off peck time (preferably on weekends) and notify the administrator
/ end users to use DR PVWA instead of Prod PVWA

4. Ensure all components including Vault, CPM, PVWA and PSM components are up and running in
DR

5. Stop the services in production component servers and take file backup

6. Run the script on each component in production

7. Start the services and test if everything is working

8. Then notify the end users to use production PVWA

9. Stop the services on DR and run the same steps to upgrade DR

130. What are the steps to be taken before doing version upgrade?

ANS: Take file system backup on all component servers where CyberArk components are installed.

131. What are the log files and how will you enable debug logs?

ANS:
132. What is purpose of EPM?

ANS: Endpoint Least Privilege, App Control & Credential Theft Protection

133. What are OPM and PTA?

ANS: CyberArk’s Privileged Threat Analytics detects malicious privileged account behavior.

•By comparing current privileged activity in real-time to historical activity, CyberArk can
detect and identify anomalies as they happen, allowing the incident response team to
respond, disrupting the attack before serious damage is done.

•By continuously monitoring privileged accounts for reset and change password activities,
the PTA can detect when a user changes a password of a managed privileged account
without using the CPM, and can automatically respond to contain the risk by reconciling the
password of this account.
135. What is secure connect?

ANS:

136. What is rest API?

ANS: The PAS Web Services is a REST full API that enables users to create, list, modify and delete
entities in Privileged Account Security solution from within programs and scripts.

The main purpose of the PAS Web Services is to automate tasks that are usually performed manually
using the UI, and to incorporate them into system and account provisioning scripts.
The PAS Web Services are installed as part of the PVWA installation, and can be used immediately
without any additional configuration. Make sure your CyberArk license enables you to use the
CyberArk PAS SDK

137. End user is not able to access target server, how do you handle?

ANS: a) there may be password mismatch between target server and vault for the selected
privileged account. We have to synch the password in between vault and target server for the
privileged id

b) Target server might be down or not reachable and not accepting requests. We need to talk
to application or server team to ask them to resolve the issue at target server level and ensure the
requests are accepted from PIM to login.

c) Selected privileged account may not exists on target server When the privileged account is
on-boarded to PIM using password upload utility, data in the csv file might be wrong, and wrong
privileged account is added to PIM (on-boarded to PIM) Work with target server team and ask them
to create privileged account on target server. Or delete the privileged account in PIM console and
add correct privileged account which is existing on target server

d) Required interface is not installed or registered under connection components in PIM

configuration. For example toad is not installed and the user is trying to access database target
server, connection will not be established and user can not access target server

We need to install the interface and register under connection components if there is no entry in
PIM configuration. (Check under Administration -> Options)

138. How do you implement Cyber Ark?

ANS:

First Step is to install the components:

Enterprise Vault is the critical component in Cyber Ark, this component should be installed on a
separate server. Hence first steps are to install Enterprise Vault on dedicated Windows server.

Hardening option – Do not select Hardening option when you install Vault for the first time. Once
the installation of all components successfully we harden the Vault

CPM (Central Policy Manger) and PVWA components should be installed on another server. First
CPM should be installed and then PVWA should be installed. .Net Frame work should be installed
and IIS server also should be installed. RDP service should be installed.

It is recommended to install PSM on another server.

Second step is configuration:

1. AD integration to import end users and groups in to PIM

3. Create Safes
Create required safes as per the design confirmed in PVWA

4. Platform Duplication

It is better to duplicate the default platform available in the system For example if there is a platform
“Windows Server Local Accounts”, duplicate it with “IBM Windows Server Local accounts” so that
policies can be applied at more granular level.

5. Policy Management

Set the policies for check-in check-out exclusive access, one-time password, duel control etc., if
required for any platform Set the password rules, session management rules etc., for the required
platform.

5. Account on-boarding

Accounts can be on-boarded manually one by one Accounts can be on-boarded in bulk using
password upload utility

139. How does the file sharing can be done through PIM ?

ANS: Sometimes the files, could be log files, configuration files or any other files may need to be
copied from a target server (could be an unix server or windows server) to other target server.

PIM allows to use WinSCP as the interface or client to copy the file from one target server to PSM
server, and copy the file from PSM server to other target server. WinSCP should be installed on PSM
server and configured.

140: What is break glass id and why it is required?

ANS:

141. What is password randomization?

ANS: Password randomization means, changing the passwords for privileged account at regular
interval. We can schedule the password change in Policy as shown below. We can set the value for
“Required password change for X days”, default value is 90 days.

142. How can you change the password for privileged accounts, let say I want to change the
password for 100 accounts?

ANS: We can change the password for multiple accounts at a time manually. Select the required
accounts in accounts page (where you can view the list of accounts) and run the change password (in
Manage button, you can click on “change” option). Please see the screen below, you can choose the
option change the password by CPM immediately, so that CPM will change the password for all the
selected accounts.
143. What is SplitPassword?

ANS: Password policy to ensure that single user doesn't have access to complete password on
account.

144. What are the default ports?

ANS: PORTS:-

Vault with Component:-1858

SSH + SFTP (but can be configured anywhere):-22

Telnet:-23

RDP:-3389

LDAP:-389

DNS:-53

RADIUS:-1812

SNMP:-161

SNMP Trap:-162

Network Trap(NTP):-123

CPM:-21,22,23,3389,135,139,445,1521,3306

145. What is the connector?

ANS: Mention connectors used in

146. What is the difference between Identity Management and Access Management?

147. What is Auto detect or Auto discovery?

148. Which component of CyberArk enables commands to be white listed or blacklisted on a per
user and / or per system basis?

ANS: On Demand Privileges manager enables the commands to be white listed or blacklisted.

149. What do you understand by SSH Key Manager?

ANS: SSH Key Manager helps organizations prevent unauthenticated access to private SSH keys,
which are frequently used by privileged Unix/Linux users and applications to validate privileged
accounts. SSH Key Manager secures and rotates privileged SSH keys based on the privileged account
security policy and controls and scrutinize access to protect SSH keys. This solution enables
organizations to gain control of SSH keys, which offers access to privileged accounts but is often
ignored.
[Link] are User Directories that are supported by CyberArk?

ANS: CyberArk supports Active Directory, Oracle Internet Directory, Novell eDirectory, IBM Tivoli DS.

151. If CyberArk vault user changed his Active Directory password, what will happen with his
CyberArk account?

ANS: Nothing happens if CyberArk uses the LDAP authentication process.

152. What is PrivateArk Vault Command Line Interface?

ANS: The PrivateArk Vault Command Line Interface (PACLI) enables the users to access the PAS
Solution from any location using fully automated scripts, in a command line environment. Users
accessing the PAS solution via the PACLI have access to limited interface for management, control,
and audit features.

[Link] do you understand by PrivateArk Client?

ANS: The PrivateArk Client is a standard Windows application which is used as the administrative
client for the PAS Solution. The Client can be deployed on multiple remote computers and can access
the Enterprise Password Vault via LAN, WAN, or the Internet through the Web version of the client.
From this interface, the users define a vault hierarchy and create safes. Access to the Enterprise
Password Vault via the PrivateArk Client requires a user to be validated by the Digital Vault.

154. What’s the password complexity required in CyberArk authentication using internal CyberArk
scheme?

ANS: There should be one minimum lowercase alphabet character with one uppercase alphabet
character and one numeric character to generate a password in CyberArk authentication using
internal CyberArk scheme.

155. How many times we can increase the access to wrong Password count?

ANS: Maximum 99 times only.

156. How will you replace .xml license file?

ANS: To apply a new license file you must:

A) Upload the [Link] file to the System Safe.

156. What utility is used to create or update a credential file?

ANS: [Link]

157. What are the authentication methods supported methods by CyberArk?

ANS:

A) CyberArk Password

B) LDAP
C) OAuth

D) PKI

E) RADIUS

F) OracleSSO

SAML

1. Tell me about your past projects and profile.

So far i am carrying an experience of 4 yrs in administrating and implementing customized IT

solutions i.e cyber-ark privileged identity management and i have done 3 projects one on cyber-ark
PAS and the other two projects on Administration and Networking side. coming to the cyber-ark's
project i have been involved in both implementation and support level. we have installed Enterprise
password vault on a dedicated physical server ,Cpm’s , Pvwa’s and PSM’s on virtual servers . After
installing these components we were moved into configuration i.e first AD is integrated to Cyberark
to import users and groups in to PIM. We have Created required safes as per the design confirmed in
PVWA and As per our client requirement we have duplicated the windows platforms with the name
_windows server local accounts. I have on-boarded multiple accounts to PIM i,e windows
servers,linux servers and some databases . We have configured Session recording & live monitoring
on Privileged Session Manager, One-Time Password (OTP), Dual Control Approval Workflow and
exclusive access for check-in check-out etc. Then i was assigned to support role and i need to
monitor the cyberark services on regular basis whether they are running or not. Handling login
issues related to PVWA and target systems for example if the end user is not able to access the
target server i need to check the log files why the user is not able to access the particular account
and i need to resolve this issue, There might be many reasons like Target server might be down or
not reachable, There may be password mismatch between target server and vault for the selected
privileged account, Selected privileged account may not exists on target server. I need to Create and
Manage Safes, platforms and Owners, Policy specification etc these are the daily day to day support
activities i am going to do in this current project.
22. What are day to day support activities you perform in your current support role ?

1) Access related issues, for example end user is not able to access target windows server from
PIM

2) End user is not able to login to PIM (PVWA), we need to find out the root cause and resolve
the issue and ensure the user is successfully login into PIM

3) Senior management or concerned application teams may ask for the video recordings, we
need to pull out the video recordings and send them

4) Weekly reports to be send to management I need to generate various reports in PIM console
and send to management every week

5) New target systems (privileged accounts) need to on-board as and when require I need to
add (on-board) target servers (privileged account) as and when new target servers or privileged
accounts created on target servers

6) Policies may be required to change as per the client requirements time to time Policies that
are defined during the implementation might be required to modify in due course due to change of
requirements at platform level. I need to modify policies such as password rules, check-out / check-
in etc.,

7) PIM System default users such as PasswordManager, PSM etc., may be expired, and PIM do
not function if those users are expired, we need to connect to Vault through vault client and activate
them

8) Monitor the logs daily and make sure the logs are pushing to SIEM tool

9) Monitor the PIM services in Windows services are all ways up and running

10) Application team do ask to hold the password change for specific privileged account on
specific target server. Applications on target servers might be using the local windows server
accounts (privileged account), if the password for privileged account is changed by CPM, applications
running on the target server will get impacted. Hence application teams will ask PIM administrator
to hold the password change for the privileged account on target server

11) Password Policy may be changed on different platforms as per the platform requirements
time to time, we need to change the password rules in PIM password policy to align the password
change interval

12) We need to on-board service accounts as and when required

1) Why do we need CyberArk?

CyberArk creates a whole new layer of security on the inside called privileged account security,
which controls, monitor and detect all-around activity with credentials and privileged account. As we
know privileged are built into every piece of IT infrastructure and are most common exploited piece
in any sophisticated attack, because once inside attacker needs credentials to move around to get
the data they are trying to steel. CyberArk gives customers a way to put control over the credential
to put lock where they can measure the overall security of privileged account.

What is Privileged Session Manager SSH Proxy (PSMP)?

The PSMP is a Linux-based application similar to the PSM. The only difference is that it acts as a
proxy for SSH13 enabled devices. PSMP controls access to privileged sessions and initiates SSH
connections to remote devices on behalf of the user without the need to reveal SSH credentials.
PSMP records the text based sessions which are stored in the EPV, later to be viewed by an
authorized auditor. Unique to the PSMP are single sign in capabilities allowing users to connect to
target devices without exposing the privileged connection password.

What is On-Demand Privileges Manager (OPM)?

On-Demand Privileges Manager permits privileged users to use administrative commands from their
native Unix or Linux session while eliminating the need for root access or admin rights. This secure
and enterprise ready pseudo solution provides unified and correlated logging of all super user
activity linking it to a personal username while providing the freedom required to perform job
function. Granular access control is provided while monitoring all administrative commands
continuously of super users activity based on their role and task.

Q: What is Application Identity Manager (AIM)

The Application Identity Manager is an application based on Windows and Linux which facilitates
access to privileged passwords and eliminates the need to hard code plaintext passwords in
applications, scripts, or configuration files. As with all other credentials stored in the Enterprise
Password Vault, AIM passwords are stored, logged, and managed strongly. AIM is separated into two
components: a Provider, which securely retrieves and caches passwords and provides immediate
access to the requesting application; and the SDK, which provides a set of APIs for Java, .NET,
COM14, CLI15, and C/C++. In the evaluated version, the AIM Provider for Windows and SDK have
been excluded.