Cyber-Ark Interview Questions & Answers Part-3

  • January 03 2024

These interview questions will help you in clearing your CyberArk Interviews!

 

Top CyberArk Interview Questions Asked Frequently:

Q.1. How to restrict an LDAP user to use only PSM and PVWA?

Q.2. How to Secure RDP Connections to CyberArk PSM Server with SSL?

Q.3. How to increase the debug levels for CyberArk Vault & its Components?

Q.4. How to allow firewall access between CyberArk Vault and a server, and how many IPs can we add?

Q.5. How to secure PVWA URL?

Q.6. Can we change the password complexity for one platform?

Q.7. How to apply new patches to Vault Server?

Q.8. Maximum number of transactions that can be received & processed concurrently by the Vault?

Q.9. What’s the max. length of username in Vault?

Q.10. What’s the difference between MFA and 2FA?

 

CyberArk Operations, Implementations and Scenario-based Interview Questions and Answers for Freshers & Advanced:

 

Q.1. How to restrict an LDAP user to use only PSM and PVWA?

To restrict the user to authorized interfaces only:

  • Log in to the PrivateArk Client
  • Go to Tools > Administrative Tools > Directory Mapping
  • Select the Vault User Mapping
  • Click on User Template and User Type
  • Select Authorized Interfaces
  • Choose only those interfaces that you want the user to use

If a user uses an unauthorized interface, they will see an authentication failure.

Q.2. How to Secure RDP Connections to CyberArk PSM Server with SSL?

Most interviewers ask this question:

On the PSM server, run gpedit.msc to set the security layer:

Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Open the Security setting named Set client connection encryption level.

In the Options area, from the Encryption Level drop-down list, select High Level.

Click OK to save your settings.

Open the Security setting named Require use of specific security layer for remote (RDP) connections.

In the Options area, from the Security Layer drop-down list select:

  • Windows 2019 – TLS
  • Windows 2016 – SSLT
  • Windows 2012 R2 - SSL (TLS 1.0)

For connections with RDP files, specify authentication level:i.

For connections with ActiveX, specify AdvancedSettings4.AuthenticationLevel.

In each active connection component, add a new Component Parameter.

Connections to the PSM require a certificate on the PSM machine. By default, Windows generates a self-signed certificate, but you can use a certificate that is supplied by your enterprise.
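
A check for the two Group Policy settings above, as an added example that is not part of the original post: it parses `reg query` output for the Terminal Services policy key and reports a PSM server whose security layer is not SSL/TLS or whose encryption level is below High. The registry key and value names are the standard Windows policy names rather than values taken from this page, and the sample output is constructed.

```python
import re

# Registry values written by the two Group Policy settings above.
# Key and value names are standard Windows policy names, not taken from the page.
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
SECURITY_LAYER = {0: "RDP", 1: "Negotiate", 2: "SSL/TLS"}
ENCRYPTION_LEVEL = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(output):
    """Map value name -> integer for every REG_DWORD line of `reg query` output."""
    return {m.group(1): int(m.group(2), 16)
            for m in map(VALUE_RE.match, output.splitlines()) if m}

def check_psm_rdp_policy(output):
    """Return a list of problems; an empty list means both settings are enforced."""
    values = parse_reg_query(output)
    problems = []
    layer = values.get("SecurityLayer")
    if layer is None:
        problems.append("SecurityLayer is not set by policy")
    elif layer != 2:
        problems.append(f"SecurityLayer is {SECURITY_LAYER.get(layer, layer)}, not SSL/TLS")
    level = values.get("MinEncryptionLevel")
    if level is None:
        problems.append("MinEncryptionLevel is not set by policy")
    elif level < 3:
        problems.append(f"MinEncryptionLevel is {ENCRYPTION_LEVEL.get(level, level)}, below High")
    return problems

# Constructed `reg query "<POLICY_KEY>"` output from two hypothetical PSM servers.
HARDENED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services
    SecurityLayer    REG_DWORD    0x2
    MinEncryptionLevel    REG_DWORD    0x3
"""
WEAK = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services
    SecurityLayer    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, out in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_psm_rdp_policy(out) or "OK")
```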

Q.3. How to increase the debug levels for CyberArk Vault & its Components?

Vault: DebugLevel=PE(1,6),PERF(1),LDAP(14,15)

CPM: CPM.ini (or via PVWA System Configuration): up to 6, platform-wise, Auto Detection

PVWA: Administration tab > click Options and then Logging:

  • DebugLevel=High (None/High/Low)
  • InformationLevel=High (None/High/Low)

The LogFolder parameter in web.config in the IIS PasswordVault folder sets the location of these logs:

  • CyberArk.WebApplication.log
  • CyberArk.WebConsole.log
  • CyberArk.WebSession..log
  • PVWA.App.log

PSM: General Settings:

  • Server Settings TraceLevels=1,2,3,4,5,6,7
  • Recorder Settings TraceLevels=1,2
  • Connection Client Settings TraceLevels=1,2

Q.4. How to allow firewall access between Vault and a server, and how many IPs can we add?

AllowNonStandardFWAddresses is a parameter that is added to dbparm.ini, and it can be added there multiple times.

Up to 16 IP addresses are allowed.

The Vault service must be restarted after changing parameters in the dbparm.ini file.

Eg: AllowNonStandardFWAddresses=[1.1.1.1,2.2.2.0-2.2.2.255,3.3.3.0-3.3.3.255,...],Yes,1000:inbound/tcp
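
An audit of these rules, added here as an example and not CyberArk's own tooling: it parses AllowNonStandardFWAddresses lines from a copy of dbparm.ini, rejects malformed rules and invalid addresses, and flags rules that exceed the 16-address limit or open a wide range. It assumes the limit applies to the entries of one rule line and that a range of more than 256 addresses is worth review; the sample lines are constructed.

```python
import ipaddress
import re

MAX_ADDRESSES = 16  # limit stated on this page; assumed here to apply to each rule line
RULE_RE = re.compile(
    r"^AllowNonStandardFWAddresses=\[(?P<addrs>[^\]]*)\],(?P<enabled>Yes|No),"
    r"(?P<port>\d+):(?P<direction>inbound|outbound)/(?P<proto>tcp|udp)$",
    re.IGNORECASE,
)

def entry_size(entry):
    """Number of addresses in a single IP or an 'a-b' range; ValueError if invalid."""
    lo_s, sep, hi_s = entry.partition("-")
    lo = ipaddress.ip_address(lo_s.strip())
    hi = ipaddress.ip_address(hi_s.strip()) if sep else lo
    if lo.version != hi.version or hi < lo:
        raise ValueError(entry)
    return int(hi) - int(lo) + 1

def audit_dbparm(text, wide_range=256):
    """Return (line_no, message) findings for the firewall rules in dbparm.ini text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("allownonstandardfwaddresses"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, "malformed rule"))
            continue
        entries = [e.strip() for e in m["addrs"].split(",") if e.strip()]
        if len(entries) > MAX_ADDRESSES:
            findings.append((no, f"{len(entries)} entries, more than {MAX_ADDRESSES}"))
        for e in entries:
            try:
                if entry_size(e) > wide_range:
                    findings.append((no, f"wide range {e} on port {m['port']}"))
            except ValueError:
                findings.append((no, f"invalid address entry {e}"))
    return findings

# Constructed dbparm.ini lines (addresses and ports are made up for the example).
SAMPLE = """\
AllowNonStandardFWAddresses=[10.0.5.10,10.0.5.11],Yes,1000:inbound/tcp
AllowNonStandardFWAddresses=[10.0.0.0-10.0.255.255],Yes,3389:outbound/tcp
AllowNonStandardFWAddresses=[10.0.5.300],Yes,1000:inbound/tcp
AllowNonStandardFWAddresses=10.0.5.12,Yes,1000:inbound/tcp
"""
```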

Q.5. How to secure PVWA URL?

To secure any URL, you need an SSL certificate:

Get an SSL certificate containing all the info of your PVWA; if the PVWAs are load balanced, it should contain the LB info too.

Import the certificate on the PVWA server into the Personal section of the computer certificates.

Open the IIS settings, edit the bindings, select the SSL certificate for port 443 and apply.

Reset IIS.

This should be done on all the PVWAs.
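
A check of the certificate's name coverage before binding it in IIS, added as an example and not taken from the original post: it assumes "all the info" means DNS subjectAltName entries for every PVWA host and the load balancer name, and works on a certificate dict in the shape returned by Python's ssl.SSLSocket.getpeercert(). The hostnames and the certificate below are constructed.

```python
import ssl

def san_matches(pattern, host):
    """Match one DNS SAN against a hostname; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_names(cert, required):
    """Return the required hostnames that no DNS subjectAltName in cert covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [name for name in required if not any(san_matches(s, name) for s in sans)]

def days_until_expiry(cert, now):
    """Whole days between now (epoch seconds) and the certificate's notAfter."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert();
# every hostname below is hypothetical.
CERT = {
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (
        ("DNS", "pvwa01.corp.example"),
        ("DNS", "pvwa02.corp.example"),
        ("DNS", "*.dr.corp.example"),
    ),
}
# The last required name is the load balancer name that users browse to.
REQUIRED = ["pvwa01.corp.example", "pvwa02.corp.example",
            "pvwa03.dr.corp.example", "pvwa.corp.example"]

if __name__ == "__main__":
    print("not covered by the certificate:", uncovered_names(CERT, REQUIRED))
```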

Q.6. Can we change the password complexity for one platform?

Yes, you can have different password complexity for every platform.

  • Go to Administration > Platform Management
  • Edit the platform for which you want to change the password complexity
  • Go to Password Management Section & Change
  • Set the complexity as per the requirement

The same password complexity should be set on your target server too; otherwise CPM will fail to change the password.

Q.7. How to apply new patches to Vault?

This question can be asked for an L3 profile:

  • Copy the KB file to your Vault Server.
  • Enable and start the Windows Update service.
  • Enable and start the Windows Module Installer service.
  • Navigate to Registry Editor.
  • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
  • Back up the entry.
  • Change the value of Start to 3.
  • Restart the Vault Server.

Navigate to Services Management and start the Windows Installer service.

Now, stop the PrivateArk Server and Database services.

Install the Windows patch for the relevant Operating System. Restart the Vault server if requested to.

Verify that the KB installed successfully on the server, then stop all the Windows services that were enabled. You can consult CyberArk support before patching the Vault, as not every patch is applied to Vault servers.

Q.8. Maximum number of transactions that can be received & processed concurrently by the Vault?

The maximum number of transactions that can be received by the Vault is 9000, and around 600 transactions are handled concurrently by the Vault.

Q.9. What’s the max. length of username in Vault?

It's 128 characters.

Q.10. What’s the difference between MFA and 2FA?

2FA: When two authentication methods are being used to provision the account.

2FA requires two authentication credentials, no more, no less.

Every Two-Factor Authentication is Multi-Factor Authentication.

MFA: When two or more authentication methods are being used to provision the account.

It may use 2 or 3 credentials, but the only criterion to qualify as MFA is that more than one credential is required to confirm a person’s identity.

Not every Multi-Factor Authentication is Two-Factor Authentication.

Comments (2)

  • Ola Onifade

    22/Oct/2022

    Secapps Learning is a good site for learning. The tutor delivers complex concepts in clear, step by step order, always available to help should the need arise. I strongly recommend secapps learning

  • OLA Onifade

    21/Oct/2022

    Secapps Learning is a good platform with Tutor who is always willing to help. The trainings are straightforward, walking you through from zero to hero. Highly recommended!
