PAM-DEF CyberArk Defender - PAM Questions and Answers

Question # 4

Which certificate type do you need to configure the vault for LDAP over SSL?

A.

the CA Certificate that signed the certificate used by the External Directory

B.

a CA signed Certificate for the Vault server

C.

a CA signed Certificate for the PVWA server

D.

a self-signed Certificate for the Vault

Question # 5

What is the purpose of the PrivateArk Database service?

A.

Communicates with components

B.

Sends email alerts from the Vault

C.

Executes password changes

D.

Maintains Vault metadata

Question # 6

What is the purpose of the password change process?

A.

To test that CyberArk is storing accurate credentials for accounts

B.

To change the password of an account according to organizationally defined password rules

C.

To allow CyberArk to manage unknown or lost credentials

D.

To generate a new complex password

Question # 7

In the PrivateArk Client under the Tools menu > Administrative Tools > Users and Groups, which option do you use to update users’ Vault group memberships?

A.

Update > General tab

B.

Update > Authorizations tab

C.

Update > Member Of tab

D.

Update > Group tab

Question # 8

In accordance with best practice, SSH access is denied for root accounts on UNIX/Linux systems. What is the BEST way to allow the CPM to manage root accounts?

A.

Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target server’s root account.

B.

Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account.

C.

Configure the Unix system to allow SSH logins.

D.

Configure the CPM to allow SSH logins.

Question # 9

Which of the following PTA detections are included in the Core PAS offering?

A.

Suspected Credential Theft

B.

Over-Pass-the-Hash

C.

Golden Ticket

D.

Unmanaged Privileged Access

Question # 10

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online.

A.

True; this is the default behavior

B.

False; this is not possible

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

True, if the AllowFailback setting is set to “yes” in the dbparm.ini file

Question # 11

Which accounts can be selected for use in the Windows discovery process? (Choose two.)

A.

an account stored in the Vault

B.

an account specified by the user

C.

the Vault Administrator

D.

any user with Auditor membership

E.

the PasswordManager user

Question # 12

Which CyberArk group does a user need to be part of to view recordings or live monitor sessions?

A.

Auditors

B.

Vault Admin

C.

DR Users

D.

Operators

Question # 13

Your organization requires all passwords be rotated every 90 days.

Where can you set this regulatory requirement?

A.

Master Policy

B.

Safe Templates

C.

PVWAConfig.xml

D.

Platform Configuration

Question # 14

The Accounts Feed contains:

A.

Accounts that were discovered by CyberArk in the last 30 days

B.

Accounts that were discovered by CyberArk that have not yet been onboarded

C.

All accounts added to the vault in the last 30 days

D.

All users added to CyberArk in the last 30 days

Question # 15

What is the purpose of the Interval setting in a CPM policy?

A.

To control how often the CPM looks for System Initiated CPM work.

B.

To control how often the CPM looks for User Initiated CPM work.

C.

To control how long the CPM rests between password changes.

D.

To control the maximum amount of time the CPM will wait for a password change to complete.

Question # 16

A newly created platform allows users to access a Linux endpoint. When users click to connect, nothing happens.

Which piece of the platform is missing?

A.

PSM-SSH Connection Component

B.

UnixPrompts.ini

C.

UnixProcess.ini

D.

PSM-RDP Connection Component

Question # 17

Safe authorizations may be granted to ____________.

Select all that apply.

A.

Vault Users

B.

Vault Group

C.

LDAP Users

D.

LDAP Groups

Question # 18

When running a “Privileged Accounts Inventory” Report through the Reports page in PVWA on a specific safe, which permission/s are required on that safe to show complete account inventory information?

A.

List Accounts, View Safe Members

B.

Manage Safe Owners

C.

List Accounts, Access Safe without confirmation

D.

Manage Safe, View Audit

Question # 19

As long as you are a member of the Vault Admins group you can grant any permission on any safe.

A.

TRUE

B.

FALSE

Question # 20

A new HTML5 Gateway has been deployed in your organization.

From the PVWA, arrange the steps to configure a PSM host to use the HTML5 Gateway in the correct sequence.

Question # 21

You are onboarding an account that is not supported out of the box.

What should you do first to obtain a platform to import?

A.

Create a service ticket in the customer portal explaining the requirements of the custom platform.

B.

Search common community portals like Stack Overflow, Reddit, GitHub for an existing platform.

C.

From the platforms page, uncheck the “Hide non-supported platforms” checkbox and see if a platform meeting your needs appears.

D.

Visit the CyberArk marketplace and search for a platform that meets your needs.

Question # 22

When are external vault users and groups synchronized by default?

A.

They are synchronized once every 24 hours between 1 AM and 5 AM.

B.

They are synchronized once every 24 hours between 7 PM and 12 AM.

C.

They are synchronized every 2 hours.

D.

They are not synchronized according to a specific schedule.

Question # 23

You receive this error:

“Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied.”

Which root cause should you investigate?

A.

The account does not have sufficient permissions to change its own password.

B.

The domain controller is unreachable.

C.

The password has been changed recently and minimum password age is preventing the change.

D.

The CPM service is disabled and will need to be restarted.

Question # 24

You need to enable the PSM for all platforms.

Where do you perform this task?

A.

Platform Management > (Platform) > UI & Workflows

B.

Master Policy > Session Management

C.

Master Policy > Privileged Access Workflows

D.

Administration > Options > Connection Components

Question # 25

Which parameter controls how often the CPM looks for accounts that need to be changed from recently completed Dual control requests?

A.

HeadStartInterval

B.

Interval

C.

ImmediateInterval

D.

The CPM does not change the password under this circumstance

Question # 26

In the PrivateArk Client, how do you add an LDAP group to a CyberArk group?

A.

Select Update on the CyberArk group, and then click Add > LDAP Group

B.

Select Update on the LDAP Group, and then click Add > LDAP Group

C.

Select Member Of on the CyberArk group, and then click Add > LDAP Group

D.

Select Member Of on the LDAP group, and then click Add > LDAP Group

Question # 27

Before failing back to the production infrastructure after a DR exercise, what must you do to maintain audit history during the DR event?

A.

Ensure that the Production Instance replicates changes that occurred from the Disaster Recovery Instance.

B.

Briefly stop and start the Disaster Recovery Instance before attempting to fail components back to the Production Instance.

C.

Stop the CPM services before starting the production server.

D.

Perform an IIS Reset on all PVWA servers.

Question # 28

A user is receiving the error message “ITATS006E Station is suspended for User jsmith” when attempting to sign into the Password Vault Web Access (PVWA). Which utility would a Vault administrator use to correct this problem?

A.

createcredfile.exe

B.

cavaultmanager.exe

C.

PrivateArk

D.

PVWA

Question # 29

When the CPM connects to a database, which interface is most commonly used?

A.

Kerberos

B.

ODBC

C.

VBScript

D.

Sybase

Question # 30

You want to give a newly-created group rights to review security events under the Security pane. You also want to be able to update the status of these events.

Where must you update the group to allow this?

A.

in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA

B.

in the PTAAuthorizationGroups parameter, found in Administration > Options > General

C.

in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options

D.

in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General

Question # 31

A logon account can be specified in the platform settings.

A.

True

B.

False

Question # 32

Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording.

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA.

Question # 33

Which user is automatically added to all Safes and cannot be removed?

A.

Auditor

B.

Administrator

C.

Master

D.

Operator

Question # 34

Within the Vault each password is encrypted by:

A.

the server key

B.

the recovery public key

C.

the recovery private key

D.

its own unique key

Question # 35

CyberArk recommends implementing object level access control on all Safes.

A.

True

B.

False

Question # 36

dbparm.ini is the main configuration file for the Vault.

A.

True

B.

False

Question # 37

You notice an authentication failure entry for the DR user in the ITALog.

What is the correct process to fix this error? (Choose two.)

A.

PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password.

B.

Create a new credential file, on the DR Vault, using the CreateCredFile utility and the newly set password.

C.

Create a new credential file, on the Primary Vault, using the CreateCredFile utility and the newly set password.

D.

PVWA > User Provisioning > Users and Groups > DR User > Update Password.

E.

PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update > Authentication > Update Password.

Question # 38

How does the Vault administrator apply a new license file?

A.

Upload the license.xml file to the system Safe and restart the PrivateArk Server service

B.

Upload the license.xml file to the system Safe

C.

Upload the license.xml file to the Vault Internal Safe and restart the PrivateArk Server service

D.

Upload the license.xml file to the Vault Internal Safe

Question # 39

A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.

What is the issue?

A.

The user must login as PSMAdminConnect

B.

The PSM service is not running

C.

The user is not a member of the PVWAMonitor group

D.

The user is not a member of the Auditors group

Question # 40

According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.)

A.

network instabilities/outages

B.

vault license expiry

C.

credential de-sync

D.

browser compatibility issues

E.

installed location file corruption

Question # 41

A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request.

What is the correct location to identify users or groups who can approve?

A.

PVWA> Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control> Approvers

B.

PVWA> Policies > Access Control (Safes) > Safe Members > Workflow > Authorize Password Requests

C.

PVWA> Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers

D.

PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership)

Question # 42

You have been given the requirement that certain accounts cannot have their passwords updated during business hours.

How can you set up a configuration to meet this requirement?

A.

Change settings on the CPM configuration safe so that access is permitted after business hours only.

B.

Update the password change parameters of the platform to match the permitted time frame.

C.

Disable automatic CPM management for all accounts that are assigned to this platform.

D.

Add an exception to the Master Policy to allow the action for this platform during the permitted time.

Question # 43

You have been asked to turn off the time access restrictions for a safe.

Where is this setting found?

A.

PrivateArk Client

B.

RestAPI

C.

PVWA

D.

Vault

Question # 44

If a user is a member of more than one group that has authorizations on a safe, by default that user is granted ________.

A.

the vault will not allow this situation to occur.

B.

only those permissions that exist on the group added to the safe first.

C.

only those permissions that exist in all groups to which the user belongs.

D.

the cumulative permissions of all groups to which that user belongs.

Question # 45

Which master policy settings ensure non-repudiation?

A.

Require password verification every X days and enforce one-time password access.

B.

Enforce check-in/check-out exclusive access and enforce one-time password access.

C.

Allow EPV transparent connections ('Click to connect') and enforce check-in/check-out exclusive access.

D.

Allow EPV transparent connections ('Click to connect') and enforce one-time password access.

Question # 46

An auditor initiates a live monitoring session to the PSM server to view an ongoing live session. When the auditor’s machine makes an RDP connection to the PSM server, which user will be used?

A.

PSMAdminConnect

B.

Shadowuser

C.

PSMConnect

D.

Credentials stored in the Vault for the target machine

Question # 47

Match each component to its respective Log File location.

Question # 48

Which processes reduce the risk of credential theft? (Choose two.)

A.

require dual control password access approval

B.

require password change every X days

C.

enforce check-in/check-out exclusive access

D.

enforce one-time password access

Question # 49

You have been asked to identify the up or down status of Vault services.

Which CyberArk utility can you use to accomplish this task?

A.

Vault Replicator

B.

PAS Reporter

C.

Remote Control Agent

D.

Syslog

Question # 50

What is the easiest way to duplicate an existing platform?

A.

From PrivateArk, copy/paste the appropriate Policy.ini file; then rename it.

B.

From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.

C.

From PrivateArk, copy/paste the appropriate settings in PVConfiguration.xml; then update the policyName variable.

D.

From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform, manually update the platform settings and click “Save as” INSTEAD of save to duplicate and rename the platform.

Question # 51

What is the maximum number of levels of authorization you can set up in Dual Control?

A.

1

B.

2

C.

3

D.

4

Question # 52

When creating an onboarding rule, it will be executed upon ________.

A.

All accounts in the pending accounts list

B.

Any future accounts discovered by a discovery process

C.

Both “All accounts in the pending accounts list” and “Any future accounts discovered by a discovery process”

Question # 53

Where can reconcile and/or logon accounts be linked to an account? (Choose two.)

A.

account settings

B.

platform settings

C.

master policy

D.

safe settings

E.

service account settings

Question # 54

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

A.

Address

B.

Safe

C.

Account Description

D.

Platform

E.

CPM

Question # 55

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

A.

TRUE

B.

FALSE

Question # 56

Where can you check that the LDAP binding is using TCP/636?

A.

in Active Directory under "Users OU" => "User Properties" => "External Bindings" => "Port"

B.

in PVWA, under "LDAP Integration" => "LDAP" => "Directories" => "" => "Hosts" => "Host"

C.

in PrivateArk Client, under "Tools" => "Administrative Tools" => "Directory Mapping" => ""

D.

From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.

Question # 57

All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers. The members of Operations Managers never need to be able to use the show, copy or connect buttons themselves.

Which safe permission do you need to grant Operations Staff? Check all that apply.

A.

Use Accounts

B.

Retrieve Accounts

C.

Authorize Password Requests

D.

Access Safe without Authorization

Question # 58

Which change could CyberArk make to the REST API that could cause existing scripts to fail?

A.

adding optional parameters in the request

B.

adding additional REST methods

C.

removing parameters

D.

returning additional values in the response

Question # 59

Which of the following files must be created or configured in order to run the Password Upload Utility? Select all that apply.

A.

PACli.ini

B.

Vault.ini

C.

conf.ini

D.

A comma delimited upload file

Question # 60

A Vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault Admin rights.

Where can you check to verify that the Vault Admins directory mapping points to the correct AD group?

A.

PVWA > User Provisioning > LDAP Integration > Mapping Criteria

B.

PVWA > User Provisioning > LDAP Integration > Map Name

C.

PVWA > Administration > LDAP Integration > Mappings

D.

PVWA > Administration > LDAP Integration > AD Groups

Question # 61

You have been asked to secure a set of shared accounts in CyberArk whose passwords will need to be used by end users. The account owner wants to be able to track who was using an account at any given moment.

Which security configuration should you recommend?

A.

Configure one-time passwords for the appropriate platform in Master Policy.

B.

Configure shared account mode on the appropriate safe.

C.

Configure both one-time passwords and exclusive access for the appropriate platform in Master Policy.

D.

Configure object level access control on the appropriate safe.

Question # 62

Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports.

A.

TRUE

B.

FALSE

Question # 63

PSM for Windows (previously known as “RDP Proxy”) supports connections to the following target systems:

A.

Windows

B.

UNIX

C.

Oracle

D.

All of the above

Question # 64

One can create exceptions to the Master Policy based on ____________________.

A.

Safes

B.

Platforms

C.

Policies

D.

Accounts

Question # 65

When a DR Vault Server becomes an active vault, it will automatically revert back to DR mode once the Primary Vault comes back online.

A.

True; this is the default behavior

B.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the dbparm.ini file

Question # 66

Which of the following Privileged Session Management (PSM) solutions support live monitoring of active sessions?

A.

PSM (i.e., launching connections by clicking on the connect button in the Password Vault Web Access (PVWA))

B.

PSM for Windows (previously known as RDP Proxy)

C.

PSM for SSH (previously known as PSM-SSH Proxy)

D.

All of the above

Question # 67

In a rule using “Privileged Session Analysis and Response” in PTA, which session options are available to configure as responses to activities?

A.

Suspend, Terminate, None

B.

Suspend, Terminate, Lock Account

C.

Pause, Terminate, None

D.

Suspend, Terminate

Question # 68

Which report could show all accounts that are past their expiration dates?

A.

Privileged Account Compliance Status report

B.

Activity log

C.

Privileged Account Inventory report

D.

Application Inventory report

Question # 69

For a safe with Object Level Access enabled, you can turn off Object Level Access Control when it is no longer needed on the safe.

A.

TRUE

B.

FALSE

Question # 70

Which item is an option for PSM recording customization?

A.

Windows events text recorder with automatic play-back

B.

Windows events text recorder and universal keystrokes recording simultaneously

C.

Universal keystrokes text recorder with windows events text recorder disabled

D.

Custom audio recording for windows events

Question # 71

A Reconcile Account can be specified in the Master Policy.

A.

TRUE

B.

FALSE

Question # 72

What does the minvalidity parameter on a platform policy determine?

A.

time between a password retrieval and the account becoming eligible for a password change

B.

timeout for users signed into the PVWA as configured in the global settings

C.

minimum amount of time that Just in Time access is valid

D.

time in minutes before an empty safe will be automatically deleted
