PAM-DEF Practice

Which CyberArk group does a user need to be part of to view recordings or live monitor sessions?

Arrange the steps to restore a Vault using PARestore for a Backup in the correct sequence.

Which Automatic Remediation is configurable for a PTA detection of a “Suspected Credential Theft”?

To ensure all sessions are being recorded, a CyberArk Administrator goes to the master policy and makes configuration changes. What configuration is correct?

Which certificate type do you need to configure the vault for LDAP over SSL?

Which values are acceptable in the address field of an account?

Which of the following account onboarding method is considered proactive?

When creating an onboarding rule, it will be executed upon _____?

Which onboarding method would you use to integrate CyberArk with your accounts provisioning process?

What is the primary purpose of Dual Control?

A newly created platform allows users to access a Linux endpoint. When users click to connect, nothing happens. Which piece of the platform is missing?

What is the purpose of the PrivateArk Server service?

Which report provides a list of accounts stored in the vault?

Which report shows the accounts that are accessible to each user?

What is the purpose of the Immediate Interval setting in a CPM policy?

What is the purpose of the Interval setting in a CPM policy?

Which utilities could you use to change debugging levels on the vault without having to restart the vault? (Choose two)

If a user is a member of more than one group that has authorizations on a safe, by default that user is granted ___?

Vault authorizations may be granted to _____?

Which user is automatically added to all safes and cannot be removed?

Within the vault, each password is encrypted by:

What are the functions of the remote control agent service? Choose 3.

What is the purpose of the cyberark event notification engine service?

What is the purpose of the PrivateArk Database service?

Which of the following logs contains information about errors related to PTA?

A vault administrator has associated a logon account to one of their unix root accounts in the vault, when attempting to change the root account password, the central policy manager (CPM) will:

Select the best practice for storing the master cd.

Which service should not be running on the DR vault when the primary production vault is up?

One can create exceptions to the master policy based on

When managing SSH keys, the central policy manger (CPM) stores the public key:

When managing SSH keys, the central policy manger (CPM) stores the private key:

Time of day or day of week restrictions on when password changes can occur are configured in the:

Time of day or day of week restrictions on when password verifications can occur are configured in the:

Time of day or day of week restrictions on when password reconciliations can occur are configured in the:

According to the default web options settings, which group grants access to the report page?

Due to network activity, ACME Corp’s PrivateArk Server became active on the OR Vault while the Primary Vault was also running normally. All the components continued to point to the Primary Vault. Which steps should you perform to restore DR replication to normal?

Assuming a safe has been configured to be accessible during certain hours of the day, a vault administrator may still access that safe outside of those hours.

The vault supports subnet based access control.

A logon account can be specified in the platform settings.

When a DR Vault become an active vault, it will automatically revert back to DR mode once the Primary Vault comes back online.

Which of the following components can be used to create a tape backup of the vault?

A simple mail transfer protocol (SMTP) integration is critical for monitoring vault activity and facilitating workflow processes, such as dual control.

What is the name of the platform parameter that determines the length of time a person is allowed to use a one-time password?

What is the primary purpose of one-time passwords?

What is the primary purpose of exclusive accounts?

Which type of automatic remediation can be performed by the PTA in the case of a suspicious password change security event?

Which type of automatic remediation can be performed by the PTA in the case of a suspected credential theft security event?

Which report could show all accounts that are past their expiration dates?

Which report shows the accounts that are accessible to each user?

Access control to passwords is implemented by:

For an account attached to a platform that requires dual control based on a master policy exception, how would the vault administrator configure a group of users to access a password without approval?

What is the purpose of the HeadStartInterval setting in a platform?

Which master policy setting must be active in order to have an account checked out by one user for a pre-determined amount of time?

PSM for Windows (previously known as RDP Proxy) supports connections to which of the following target systems?

PSM for SSH (previously known as PSM-SSH Proxy) supports connections to which of the following target systems?

Which keys are required to be present in order to start the PrivateArk Server service? (Choose 2)

Which combination of safe member permissions will allow end Users to log in to a remote machine transparently but NOT show or copy the password?

Which user can access all passwords in the vault?

Which of the following are secure options for storing the contents of the operator CD, while still allowing the contents to be accessible upon a planned vault restart? Choose three correct options.

One of your users is receiving the error message "ITATS006E Station is suspended for User jsmith" when attempting to sign in to the pvwa. Which utility would you use to correct this problem?

Via PVWA, a user initiates a PSM connection to the target linux machine using RemoteApp. When the client machine makes a RDP connection to the PSM server, which user will be utilized?

An auditor needs to login to the PSM in order to live monitor an active session. Which user ID is used to establish the RDP connection to the PSM server?

How does the vault administrator apply a new license file?

Cyberark implements license limits by controlling the number and types of users that can be provisioned in the vault

The vault administrator can change the vault license by uploading the new license to the system safe

Cyberark recommends implementing object level access control on all safes

For a safe with object level access control enabled, the vault administrator is able to turn off object level access control when it is no longer needed on the safe

In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault

PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, but only if the session is made via the Cyberark PSM.

What is the purpose of the EVD? (Export vault data utility)

A safe was recently created by a user who is a member of the LDAP vault administrator group. Which of the following users does not have access to the newly created safe by default?

Which one of these built-in vault users is not automatically added to a safe when it is created?

Which one of the following reports is not generated by using the PVWA?

Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports.

Accounts Discovery allows secure connection to domain controllers

Platform settings are applied to

Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller? (Choose 2)

Which of the following PTA detections are included in the Core PAS offering? (Choose 2)

Which is the purpose of a linked account?

Users who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.

Which credentials does CyberArk use when managing a target account?

What is the process to remove object level access control from a Safe?

What is the purpose of the password verify process?

What is the purpose of the password change process?

What is the purpose of the password reconcile process?

The Accounts Feed contains:

A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings. What is the issue?

When a DR vault server becomes an active vault, it will automatically fail back to the original state once the primary vault comes back online.

You are onboarding an account that is not supported out of the box. What should you do first to obtain a platform to import?

You have been asked to identify the up or down status of Vault services. Which CyberArk utility can you use to accomplish this task?

You are logging into CyberArk as the Master user to recover an orphaned safe. Which items are required to log in as Master?

Your organization requires all passwords to be rotated every 90 days. Where can you set this regulatory requirement?

To enable the Automatic response ‘Add to Pending’ within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?

You have been asked to turn off the time access restrictions for a safe. Where is this setting found?

What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?

You have been asked to secure a set of shared accounts in CyberArk whose passwords will need to be used by end users. The account owner wants to be able to track who was using an account at any given moment. Which security configuration should you recommend?

In your organization the ‘click to connect’ button is not active by default. How can this feature be activated?

Which PTA sensors are required to detect suspected credential theft?

Which CyberArk utility allows you to create lists of Master Policy Settings, owners and safes for output to text files or MSSQL databases?

A Vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault Admin rights. Where can you check to verify that the Vault Admins directory mapping points to the correct AD group?

Which usage can be added as a service account platform?

When running a ‘Privileged Accounts Inventory’ Report through the Reports page in PVWA on a specific safe, which permission/s are required on that safe to show complete account inventory information?

What is the easiest way to duplicate an existing platform?

The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys. How are these keys managed?

You want to generate a license capacity report. Which tool accomplishes this?

How much disk space do you need on the server for a PAReplicate?

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Select all that apply)

Which Built-In group grants access to the ADMINISTRATION page?

What is the purpose of the Allowed Safes parameter in a CPM policy? (Select all that apply)

You are creating a Dual Control workflow for a team’s safe. Which safe permissions must you grant to the Approvers group?

You receive this error: ‘Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied.’ Which root cause should you investigate?

You are creating a shared safe for the help desk. What must be considered regarding the naming convention?

A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request. What is the correct location to identify users or groups who can approve?

Which built-in report from the reports page in PVWA displays the number of days until a password is due to expire?

To use PSM connections while in the PVWA, what are the minimum safe permissions a user or group will need?

In a default CyberArk installation, which group must a user be a member of to view the reports page in PVWA?

Which statement is correct concerning accounts that are discovered, but cannot be added to the Vault by an automated onboarding rule?

A new domain controller has been added to your domain. You need to ensure the CyberArk infrastructure can use the new domain controller for authentication. Which locations must you update?

If the AccountUploader Utility is used to create accounts with SSH keys, which parameter do you use to set the full or relative path of the SSH private key file that will be attached to the account?

You are creating a new Rest API user that utilizes CyberArk Authentication. What is a correct process to provision this user?

Which command configures email alerts within PTA if settings need to be changed post install?

Which permissions are needed for the Active Directory user required by the Windows Discovery process?

To manage automated onboarding rules, a CyberArk user must be a member of which group?

When onboarding multiple accounts from the Pending Accounts list, which associated setting must be the same across the selected accounts?

Your organization has a requirement to allow users to ‘check out passwords’ and connect to targets with the same account through the PSM. What needs to be configured in the Master policy to ensure this will happen?

In PVWA, you are attempting to play a recording made of a session by user jsmith, but there is no option to ‘Fast Forward’ within the video. It plays and only allows you to skip between commands instead. You are also unable to download the video. What could be the cause?

Your customer, ACME Corp, wants to store the Safes Data in Drive D instead of Drive C. Which file should you edit?

A new HTML5 Gateway has been deployed in your organization. Where do you configure the PSM to use the HTML5 Gateway?

You need to enable the PSM for all platforms. Where do you perform this task?

Which option in the Private Ark client is used to update users Vault group memberships?

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)

Users are unable to launch web type connection components from the PSM server. Your manager asked you to open the case with cyberark support. Which logs will help the cyberark support team debug the issue? Choose 3.

The Password upload utility can be used to create safes.

The System safe allows access to the Vault configuration files.

As long as you are a member of the Vault Admins group you can grant any permission on any safe.

The password upload utility must run from the Central Policy Manager (CPM) server.

A user with administrative privileges to the vault can only grant other users’ privileges that he himself has.

Which of the following properties are mandatory when adding accounts from a file? Choose 3.

Which of the following can be configured in the master policy? (Choose all that apply)

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? Choose all that apply.

Which item is an option for PSM recording customization?

In the Private Ark client, how do you add an LDAP group to a CyberArk group?

For Digital Vault Cluster in a high availability configuration, how does the cluster determine if a node is down?

In a rule using ‘Privileged Session Analysis and Response’ in PTA, which session options are available to configure as responses to activities?

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account. How should this be configured to allow for password management using least privilege?

You received a notification from one of your CyberArk auditors that they are missing Vault level audit permissions. You confirmed that all auditors are missing the Audit Users Vault permission. Where do you update this permission for all auditors?

You need to recover an account localadmin02 for target server 10.0.123.73 stored in Safe Team1. What do you need to recover and decrypt the object? (Choose three.)