PAM-SEN CyberArk Sentry PAM Questions and Answers

CARKpsmp-infra

libssh

OpenSSH 7.8 or higher

CARKpsmp-ADBridge

CARKpsmp-SSHD

Port 1858 must be opened between the load balancer and the PVWAs.

The load balancer must be configured in DNS round robin.

The load balancer must support "sticky sessions".

The LoadBalancerClientAddressHeader parameter in the PVWA.ini file must be set.

Windows Time service

PrivateArk Database

Windows Update service

PrivateArk Server

Edit the “Windows_Servers” platform, expand “Automatic Password Management”, then select General and modify “AllowedSafes” to be (WindowsDC1)|(WindowsDC2).

Edit the “Windows_Servers” platform, expand “Automatic Password Management”, then select Options and modify “AllowedSafes” to be (Win*).

Edit the “WindowsDC1” and “WindowsDC2” safes through Safe Management, Add “Windows_Servers” to the “AllowedPlatforms”.

Log in to PrivateArk using an Administrative user, Select File, Server File Categories, Locate the category “WindowsServersAllowedSafes” and specify “WindowsDC1,WindowsDC2”.

PSMUnmanagedSessionAccounts Safe

PSMRecordingsSessionAccounts Safe

PSMUnmanagedApplicationAccounts Safe

PSMSessionBackupAccounts Safe

Web Services Role

NET 4.5.1 Framework Feature

Remote Desktop Services Role

Windows BitLocker

PVconfiguration.xml

web.config

apigw.ini

CyberArkScheduledTasks.exe.config

TRUE

FALSE

by using a network load balancer Most Voted

in PVWA > Options > PSM for SSH Proxy > Servers

in PVWA > Options > PSM for SSH Proxy > Servers > VIP

by editing sshd.config on the all the PSM for SSH servers

TRUE

FALSE

To test that CyberArk is storing accurate credentials for accounts.

To change the password of an account according to organizationally defined password rules

To allow CyberArk to manage unknown or lost credentials.

To generate a new complex password.

PSMConnect

PSMAdminConnect

PSM

The credentials the end user retrieved from the vault

CyberArk Password (SRP)

LDAP

SAML

PKI

RADIUS

OracleSSO

Biometric

TRUE

FALSE

The PrivateArk Server Service on the Vault.

The CyberArk Password Manager service on the Components Server.

The CyberArk Event Notification Engine Service on the Vault

The CyberArk Privileged Session Manager service on the Vault.

Port 1858 to Vault and Port 443 to PVWA

Port 1858 only

all ports to the Vault

Port UDP/1858 to Vault and all required ports to targets and Port 389 to the PSM

ssh neil@linuxuser01:acme.corp@192.168.1.164@192.168.65.145

ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145 Most Voted

ssh neil@linuxuser01@192.168.1.164@192.168.65.145

ssh neil@linuxuser01@acme.corp@192.168.1.164@192.168.65.145

The Interval setting for the platform is incorrect and must be less than 120.

The ImmediateInterval setting for the platform is incorrect and must be greater than or equal to 1.

The DaysToRun setting for the platform is incorrect and must be set to Sat,Sun.

The HeadStartInterval setting for the platform is incorrect and must be set to 0.

c:\inetpub\wwwroot\passwordvault\web.config

c:\inetpub\wwwroot\passwordvault\services\web.config

c:\cyberark\password vault web access\env\web.config

c:\program files\cyberark\password vault web access\web.config

Install the Vault in the cloud the same way you would in an on-premises environment. Place the server key in a password protected folder on the operating system.

Install the Vault in the cloud the same way you would in an on-premises environment. Purchase a Hardware Security Module to secure the server key.

Install the Vault using the native cloud images and secure the server key using native cloud Key Management Systems.

Install the Vault using the native cloud images and secure the server key with a Hardware Security Module.

Installing CPMs in multiple sites prevents complex firewall rules to manage devices at remote sites.

Multiple instances create fault tolerance.

Multiple instances increase response time.

Having additional CPMs increases the maximum number of devices CyberArk can manage

This setup is already fault tolerant.

Install more PVWAs in each data center.

Continuously monitor PVWA status and send users the link to another PVWA if issues are encountered.

Load balance all PVWAs under same URL.

Yes. it requires a domain administrator account to change any password on any server.

Yes. it requires a local administrator account on any Windows server and a root level account on any Unix server.

No. passwords are changed by the Password Provider Agent.

No. the CPM uses the account information stored in the vault to login and change the account's password using its own credentials

VaultInternal

PVWAConfig

System

Notification Engine

PVWAReports

Import CyberArk policy settings from the provided file into a new GPO. Most Voted

Apply advanced audit on the PSM server.

Link GPO to a dedicated OU containing CyberArk PSM servers. Most Voted

Import an INF file to the local machine.

Configure AppLocker rules to block running unknown executables.

DBparm.ini and CAVaultManager.exe

VaultKeys.ini and CAVaultManager.exe

DBparm.ini and ChangeServerKeys.exe

VaultKeys.ini and ChangeServerKeys.exe

In the CYBRWINDAD platform, under Automatic Password Management/General, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN). Most Voted

In the settings for Configuration/CPM assigned to the WINDEMEA and WINDEMEAADMIN safes, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEAADMIN).

In the CYBRWINDAD platform, under UI&Workflows/Properties/Optional, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN).

Modify cpm.ini on the relevant CPM/s and add the setting AllowedSafesCYBRWINDAD and set to (WINDEMEA)|(WINDEMEAADMIN).

Operator CD and License Most Voted

Master CD and License

Operator CD and Vault Certificate

Master CD and DBparm.ini

Vault

CPM

PVWA

PSM

PrivateArk

OPM

AIM

Red Hat Enterprise Linux 7.x

CentOS 7.x

Ubuntu 20.x

AK 7.x

Android 11.x

Install two new PVWA servers in Tokyo data center, configure load balancing, connect to the local satellite Vault and provide the URL of new PVWA servers to the local employees.

Install two new PVWA servers in New York data center, configure load balancing and have them connect to the satellite Vault in Tokyo.

Install two new PSM servers in the Tokyo data center, configure load balancing, connect to the local satellite vault, and inform the local employees to browse using the same PVWA URL.

Change the current distributed Vaults architecture, migrate back to a Primary-DR architecture, install two new PVWA servers in the Tokyo data center and configure load balancing. Connect to the local DR Vault and provide the URL of new PVWA servers to the local employees.

The Vault must be hardened during the Vault installation process. Most Voted

After the Vault server is installed, you must join the server to the Enterprise Domain and reboot the host.

It is executed after Vault installation by running CAVaultHarden.exe and hardening options can be edited by changing the Hardening.ini file. Most Voted

If it is mandated by an organization’s IT governance, you do not have to execute Vault hardening; however, server hardening cannot be reversed.

server.key

recpub.key

recprv.key

mdbase.dat

TRUE

FALSE

Verify the “LoadBalancerClientAddressHeader” parameter setting in PVWA configuration file Web.config is set to “X-Forwarded-For”.

Add the VIP (Virtual IP address) assigned to the four PVWA servers to the certificates issued for all four PVWA servers, if missing.

Add a firewall rule to allow the testing workstation to connect to the VIP (Virtual IP address) assigned to the four PVWA servers on Port TCP 443.

Edit the dbparm.ini file on the Vault server and add the IP or subnet of the workstation to the whitelist.

six or more

four

two or less

three