Scribd Logo
Upload

Welcome to Scribd!

  • CyberArk DNA v4.1 Technical FAQ

    Uploaded by

    saieesha2010
    1K views4 pages
    Cyberark

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Cyberark

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    1K views4 pages

    CyberArk DNA v4.1 Technical FAQ

    Uploaded by

    saieesha2010
    Cyberark

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    Cyber-Ark Software Ltd. | cyberark.

    com 1

    CyberArk DNA v4.0
    Technical FAQ
    What is CyberArk DNA?
    CyberArk Discovery and Audit (DNA) is a single-executable Windows tool that enables you to
    automatically detect privileged, administrative and root accounts across Windows and Unix
    environments.
    DNA v4.0 introduces the scanning of Pass-the-Hash vulnerabilities on Windows environments.
    Does CyberArk DNA require a license?
    CyberArk DNA requires a license to run. Licenses may limit the number of computers to scan
    per scan, and include an expiration date.
    What does CyberArk DNA v4.0 scan?
    Account Scan
    CyberArk DNA scans Windows and Unix computers. DNA scans each computer and maps the
    users who can access it, including local and domain users.
    On Windows machines, DNA also scans service accounts used in:
    Windows Services Accounts
    Windows Scheduled Tasks
    Pass-the-Hash Vulnerability Scan
    CyberArk DNA detects stored Privileged account password hashes (representations of the
    password itself). DNA analyzes and presents computers vulnerable to the Pass-the-Hash
    attack, and creates an organizational vulnerability map that displays all possible routes of
    attacks on the network.
    What technology does CyberArk DNA use?
    CyberArk DNA was developed using Microsoft's .NET Framework and designed as a multi-
    threaded application to expedite scanning.
    Does CyberArk DNA require installation?
    CyberArk DNA does not require installation and can be used on any Windows 7 operating
    system with 1 GB free space.




    Cyber-Ark Software Ltd. | cyberark.com 2
    Does CyberArk DNA make any changes to the machine it is run from?
    CyberArk DNA does not make changes to the machine it is run from, except for a registry
    change in the current user hive to be able to store the EULA acceptance, and for writing report
    and log files.
    Does CyberArk DNA make any changes to the scanned DCs or target computers?
    CyberArk DNA performs the network scan in read-only mode. It makes no changes to the Active
    Directory or target computers.
    Will the scan burden my network or affect the performance of my DCs or target
    computers?
    The CyberArk DNA scan consumes low network bandwidth and uses insignificant network and
    CPU resources on the Active Directory DCs and target machines.
    The CyberArk DNA Account Scan consumes low network bandwidth and uses insignificant
    network and CPU resources on the Active Directory DCs and target machines.
    The CyberArk DNA Pass-the-Hash Vulnerability Scan consumes low network bandwidth and
    uses insignificant network resources on the Active Directory DCs. Due to environmental
    limitations, target machines running Windows versions prior to Vista, may experience an
    increase in CPU usage during the scan, which usually varies between a few seconds and up to
    a few minutes (single core machines are not supported due to excessive CPU usage).
    What type of account is required for performing a scan?
    Performing a scan requires an account with read permissions on the Active Directory, as well
    as:
    Local administrative permissions on target Windows machines
    Root privileges on target Unix machines
    This account can be a domain administrator with root privileges on the target Unix machines.
    If a single account with such privileges is not accessible, you can use CyberArk DNA to run two
    separate scans; one scan using the domain administrator account, another scan using the
    domain account with root privileges.
    Where does CyberArk DNA store the domain administrator credentials?
    CyberArk DNA stores the credentials used for scanning in memory. It does not save them in any
    other way.
    Does CyberArk DNA access any password hashes on the workstations, servers
    or the domain controller?
    DNA does not access any hashes, passwords or any sensitive information on scanned
    machines. DNA performs the scan in read-only mode and does not write to the scanned
    machines.




    Cyber-Ark Software Ltd. | cyberark.com 3
    What type of data does CyberArk DNA access during the scan?
    CyberArk DNA accesses account data, machine data, and event log data found on machines
    during the scan.
    Does CyberArk DNA create and expose hashes on scanned machines during the
    scan?
    CyberArk DNA uses protocols and methods that do not leave hashes on scanned machines,
    and, therefore, do not cause machines any vulnerabilities.
    What type of performance can I expect from CyberArk DNA?
    The following CyberArk benchmark shows a typical CyberArk DNA performance. The scan was
    performed on a Windows 7 computer using 25 threads. The Windows machines were scanned
    using separate processes and the Unix machines were scanned using one main process.
    For Windows: Subject
    Total number of computers scanned 40,000
    Computers scanned successfully 29,134 (73%)
    Computers failed partially (4%) 10,018 (25%)
    Computers failed to scan (14%) 855 (2%)
    Total number of unique accounts discovered during the scan 995,667
    Total number of accounts discovered during the scan 1,891,416
    Total number of Service accounts discovered during the scan 749,998
    Total scan time (at worst case) 9 hours, 39 minutes

    For Windows with Pass-the-Hash Scan: Subject
    Total number of computers scanned 40,000
    Computers scanned successfully 23,665 (59%)
    Computers failed partially (4%) 15,038 (38%)
    Computers failed to scan (14%) 1,304 (3%)
    Total number of unique accounts discovered during the scan 992,875
    Total number of accounts discovered during the scan 1,878,374
    Total number of Service accounts discovered during the scan 749,891
    Total scan time (at worst case) 28 hours






    Cyber-Ark Software Ltd. | cyberark.com 4

    For Unix: Subject
    Total number of computers scanned 1,000
    Computers scanned successfully 996
    Computers failed to scan (0.4%) 4
    Total number of unique accounts discovered during the scan 50,869
    Total number of accounts discovered during the scan 92,041
    Total scan time 2 hours, 25 minutes
    Which network protocols does CyberArk DNA require?
    To enable CyberArk DNA to function properly, the following network protocols are required:
    For Windows scanning:
    Windows file and print sharing
    Windows Management Instrumentation (WMI)
    For Unix scanning:
    SSH
    SFTP
    Note: Make sure the above protocols are enabled on all of the target computers you want to
    scan and that firewalls do not block this type of traffic.

    You might also like