cyber Flashcards

1
Q

The Active Directory user configured for Windows discovery needs which permission(s) or
membership?

A. Member of Domain Admin Group

B. Member of LDAP Admin Group

C. Read and Write Permissions

D. Read Only Permissions

A

D

2
Q

Which Vault authorization does a user need to have assigned to be able to generate the Entitlement
Report from the reports page in PVWA? (Choose two.)

A. Manage Users

B. Audit Users

C. Read Activity

D. View Entitlements

E. List Accounts

A

A,B

3
Q

What do you need on the Vault to support LDAP over SSL?

A. CA Certificate(s) used to sign the External Directory certificate

B. RECPRV.key

C. a private key for the external directory

D. self-signed Certificate(s) for the Vault

A

A

4
Q

You are troubleshooting a PVWA slow response. Which log files should you analyze first? (Choose two.)

A. ITALog.log

B. web.config

C. CyberArk.WebApplication.log

D. CyberArk.WebConsole.log

A

C,D

5
Q

What is the easiest way to duplicate an existing platform?

A. From PrivateArk, copy/paste the appropriate Policy.ini file; then rename it.

B. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.

C. From PrivateArk, copy/paste the appropriate settings in PVConfiguration.xml; then update the policyName variable.

D. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform, manually update the platform settings and click “Save as” INSTEAD of save to duplicate and rename the platform.

A

B

6
Q

RECOVERY PRIVATE KEY: STORE IN PHYSICAL SAFE
RECOVERY PUBLIC KEY: STORE IN HARDWARE SECURITY MODULE
SERVER KEY: STORE IN THE VAULT SERVER DISK DRIVE
SSH KEY: STORE IN THE VAULT

A

Recovery Private Key: Store in a Physical Safe
Recovery Public Key: Store on the Vault Server Disk Drive
Server Key: Store in a Hardware Security Module
SSH Keys: Store in the Vault

7
Q

Due to corporate storage constraints, you have been asked to disable session monitoring and recording for 500 testing accounts used for your lab environment. How do you accomplish this?

A. Master Policy>select Session Management>add Exceptions to the platform(s)>disable Session Monitoring and Recording policies

B. Administration>Platform Management>select the platform(s)>disable Session Monitoring and Recording

C. Policies>Access Control (Safes)>select the safe(s)>disable Session Monitoring and Recording policies

D. Administration>Configuration Options>Options>select Privilege Session Management>disable Session Monitoring and Recording policies

A

A

8
Q

A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request. What is the correct location to identify users or groups who can approve?

A. PVWA > Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control > Approvers

B. PVWA > Policies > Access Control (Safes) > Select the safe > Safe Members > Workflow > Authorize Password Requests

C. PVWA > Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers

D. PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership)

A

B

9
Q

You have been given the requirements that certain accounts cannot have their passwords
updated during business hours:

A. Change settings on the CPM configuration safe so that access is permitted after business
hours only

B. Update the password change parameters of the platform to match the permitted time
frame

C. Disable automatic CPM management for all accounts that are assigned to this platform

D. Add an exception to the Master Policy to allow the action for this platform during the
permitted time

A

B

10
Q

What must you specify when configuring a discovery scan for UNIX? (Choose two.)

A. Vault Administrator

B. CPM Scanner

C. root password for each machine

D. list of machines to scan

E. safe for discovered accounts

A

C,D

11
Q

To change the safe where recordings are kept for a specific platform, which setting must you update in the platform configuration?

A. SessionRecorderSafe

B. SessionSafe

C. RecordingsPath

D. RecordingLocation

A

A

12
Q

Which processes reduce the risk of credential theft? (Choose two.)

A. require dual control password access approval

B. require password change every X days

C. enforce check-in/check-out exclusive access

D. enforce one-time password access

A

C,D or B,D

13
Q

You are onboarding an account that is not supported out of the box. What should you do first to obtain a platform to import?

A. Create a service ticket in the customer portal explaining the requirements of the custom platform

B. Search common community portals like stackoverflow, reddit, github for an existing platform

C. From the platforms page, uncheck the hide non supported platforms checkbox and see if a platform meeting your needs appears

D. Visit the CyberArk marketplace and search for a platform that meets your needs

A

D

14
Q

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account. How can this be configured to allow for password management using least privilege?

A. Configure each CPM to use the correct logon account.

B. Configure each CPM to use the correct reconcile account.

C. Configure the UNIX platform to use the correct logon account.

D. Configure the UNIX platform to use the correct reconcile account.

A

C

15
Q

RIGHT ORDER:

A. START THE PRIVATEARK DISASTER RECOVERY SERVICE

B. SHUTDOWN THE PRIVATEARK SERVER SERVICE ON THE DR VAULT

C. IN THE PADR.INI FILE, SET FAILOVER MODE=NO AND REMOVE THE LAST TWO LINES

A

B,C,A

16
Q

You are configuring a Vault HA cluster. Which file should you check to confirm the correct drives have been assigned for the location of the Quorum and Safes data disks?

A. ClusterVault.ini

B. My.ini

C. Vault.ini

D. DBParm.ini

A

A

17
Q

Which methods can you use to add a user directly to the Vault Admin Group? (Choose three.)

A. REST API

B. PrivateArk Client

C. PACLI

D. PVWA

E. Active Directory

F. Sailpoint

A

A,B,E

18
Q

Which Automatic Remediation is configurable for a PTA detection of a “Suspected Credential
Theft”?

A. Add to Pending

B. Rotate Credentials

C. Reconcile Credentials

D. Disable Account

A

B

19
Q

SEE NO. 20

A
20
Q

SEE NO. 22

A
21
Q

You want to create a new onboarding rule. Where do you accomplish this?

A. In PVWA, click Reports > Unmanaged Accounts > Rules

B. In PVWA, click Options > Platform Management > Onboarding Rules

C. In PrivateArk, click Tools > Onboarding Rules

D. In PVWA, click Accounts > Onboarding Rules

A

D

22
Q

What does the minvalidity parameter on a platform policy determine?

A. time between a password retrieval and the account becoming eligible for a password
change

B. timeout for users signed into the PVWA as configured in the global settings

C. minimum amount of time that just in time access is valid

D. time in minutes before an empty safe will be automatically deleted

A

A

23
Q

What does the Export Vault Data (EVD) utility do?

A. exports data from the Vault to TXT or CSV files, or to MSSQL databases

B. generates a backup file that can be used as a cold backup

C. exports all passwords and imports them into another instance of CyberArk

D. keeps two active vaults in sync

A

A

24
Q

When are external vault users and groups synchronized by default?

A. They are synchronized once every 24 hours between 1 AM and 5 AM.

B. They are synchronized once every 24 hours between 7 PM and 12 AM.

C. They are synchronized every 2 hours.

D. They are not synchronized according to a specific schedule.

A

A

25
Q

You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM. Which safe permissions must you grant to the group? (Choose two.)

A. List Accounts

B. Use Accounts

C. Access Safe without Confirmation

D. Retrieve Files

E. Confirm Request

A

A,B

26
Q

During a High Availability node switch you notice an error and the Cluster Vault Manager Utility fails back to the original node. Which log files should you check to investigate the cause of the issue? (Choose three.)

A. CyberArk Webconsole.log

B. VaultDB.log

C. PM_Error.log

D. ITALog.log

E. ClusterVault.console.log

F. logiccontainer.log

A

B,D,E

27
Q

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)

A. OS Username

B. Current machine IP

C. Current machine hostname

D. Operating System Type (Linux/Windows/HP-UX)

A

A,B,C

28
Q

Which master policy settings ensure non repudiation?

A. Require password verification every X days and enforce one time password access

B. Enforce check in/check out exclusive access and enforce one time password access

C. Allow EPV transparent connections and enforce check in/check out exclusive access

D. Allow EPV transparent connections and enforce one time password access

A

B

29
Q

Where can a user with the appropriate permissions generate a report? (Choose two.)

A. PVWA > Reports

B. PrivateArk Client

C. Cluster Vault Manager

D. PrivateArk Server Monitor

E. PARClient

A

A,B

30
Q

Users are unable to launch Web Type Connection components from the PSM server. Your manager asked you to open the case with CyberArk Support. Which logs will be most useful for the CyberArk Support Team to debug the issue? (Choose three.)

A. PSMConsole.log

B. PSMDebug.log

C. PSMTrace.log

D. <Session_ID>.Component.log

E. PMconsole.log

F. ITALog.log

A

A,C,D

31
Q

You have been asked to identify the up or down status of Vault Services. Which CyberArk utility can you use to accomplish this task?

A. PrivateArk Central Administration Console

B. PAS Reporter

C. PrivateArk Remote Control Agent

D. Syslog

A

C

32
Q

A new colleague created a directory mapping between the Active Directory groups and the Vault. Where can the newly configured directory mapping be tested?

A. Connect to the Active Directory and ensure the organizational unit exists.

B. Connect to Sailpoint (or similar tool) to ensure the organizational unit is correctly named; log in to the PVWA with “Administrator” and confirm authentication succeeds.

C. Search for members that exist only in the mapping group to grant them safe permissions through the PVWA.

D. Connect to the PrivateArk Client with the Administrator Account to see if there is a user in the Vault Admin Group.

A

C

33
Q

A user needs to view recorded sessions through the PVWA. Without giving auditor access, which safes does a user need access to view PSM recordings? (Choose two.)

A. Recordings safe

B. Safe the account is in

C. System safe

D. PVWAConfiguration safe

E. VaultInternal safe

A

A,B

34
Q

Which file must be edited on the Vault to configure it to send data to PTA?

A. dbparm.ini

B. PARAgent.ini

C. my.ini

D. padr.ini

A

A

35
Q

You want to build a connector that connects to a website through the Web applications for PSM framework. Which default connector do you duplicate and modify?

A. PSM-ChromeSample

B. PSM-WebForm

C. PSM-WebApp

D. PSM-WebAppSample

A

D

36
Q

SEE NO. 38

A
37
Q

When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change?

A. Set the parameter RCAllowManualReconciliation to Yes.

B. Set the parameter ChangePasswordinResetMade to Yes.

C. Set the parameter IgnoreReconcileOnMissingAccount to No.

D. Set the UnlockUserOnReconcile to Yes.

A

B

38
Q

In a default CyberArk installation, which group must a user be a member of to view the “reports” page in PVWA?

A. PVWAMonitor

B. ReportUsers

C. PVWAReports

D. Operators

A

A

39
Q

Where can you assign a Reconcile account?

A. In the PVWA at the account level

B. In the PVWA in the platform configuration

C. In the Master policy of the PVWA

D. At the Safe level

E. In the CPM settings

A

A,B

40
Q

Your organization requires all passwords be rotated every 90 days.
Where can you set this requirement?

A. Master Policy

B. Safe Templates

C. PVWAConfig.xml

D. Platform Configuration

A

A

41
Q

According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.)

A. network instabilities/outages

B. vault license expiry

C. credential de-sync

D. browser compatibility issues

E. installed location file corruption

A

A,C

42
Q

Where can reconcile and/or logon accounts be linked to an account? (Choose two.)

A. account settings

B. platform settings

C. master policy

D. safe settings

E. service account settings

A

A,B

43
Q

Which built-in report from the reports page in PVWA displays the number of days until a
password is due to expire?

A. Privileged Accounts Inventory

B. Privileged Accounts Compliance Status

C. Activity Log

D. Privileged Account CPM Status

A

B

44
Q

You are running a “Privileged Accounts Inventory” Report through the Reports page in PVWA on
a specific safe.
To show complete account inventory information, which permission/s are needed on that safe?

A. List Accounts, View Safe Members

B. Manage Safe Owners

C. List Accounts, Access Safe without confirmation

D. Manage Safe, View Audit

A

A

45
Q

You have been asked to create an account group and assign three accounts which belong to a
cluster. When you try to create a new group, you receive an unauthorized error; however, you are able
to edit other aspects of the account properties. Which safe permission do you need to manage
account groups?

A. Create folders

B. Specify next account content

C. Rename accounts

D. Manage safe

A

A

46
Q

Which dependent accounts does the CPM support out-of-the-box? (Choose three.)

A. Solaris Configuration file

B. Windows Services

C. Windows Scheduled Tasks

D. Windows DCOM Applications

E. Windows Registry

F. Key Tab file

A

B,C,E

47
Q

A password compliance audit found: 1) One-time password access of 20 domain accounts that are members of Domain Admins group in Active Directory are not being enforced. 2) All the sessions of connecting to domain controllers are not being recorded by CyberArk PSM. What should you do to address these findings?

A. Edit the Master Policy and add two policy exceptions: enable “Enforce one-time password access”, enable “Record and save session activity”.

B. Edit safe properties and add two policy exceptions: enable “Enforce one-time password access”, enable “Record and save session activity”.

C. Edit CPM Settings and add two policy exceptions: enable “Enforce one-time password access”, enable “Record and save session activity”.

D. Contact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable “Enforce one-time password access”, enable “Record and save session activity”.

A

A

48
Q

If PTA is integrated with a supported SIEM solution, which detection becomes available?

A. unmanaged privileged account

B. privileged access to the Vault during irregular days

C. riskySPN

D. exposed credentials

A

A

49
Q

Which change could CyberArk make to the REST API that could cause existing scripts to fail?

A. adding optional parameters in the request

B. adding additional REST methods

C. removing parameters

D. returning additional values in the response

A

C

50
Q

In PVWA you are attempting to play a recording made of a session by user jsmith, but there is no option to Fast Forward within the video. It plays and only allows you to skip between commands instead. You are also unable to download the video. What could be the cause?

A. Recording is of a PSM for SSH session

B. The browser you are using is out of date and needs to update to be supported

C. You do not have View Audit permission on the safe where the account is stored

D. You need to update the recorder settings in the platform to enable screen capture every 10000ms or less

A

A

51
Q

You created a new platform by duplicating the out-of-box Linux through the SSH platform. Without any change, which Text Recorder Type(s) will the new platform support? (Choose two.)

A. SSH Text Recorder

B. Universal Keystrokes Text Recorder

C. Events Text Recorder

D. SQL Text Recorder

E. Telnet Commands Text Recorder

A

A,B

52
Q

Which usage can be added as a service account platform?

A. Kerberos Tokens

B. IIS Application Pools

C. PowerShell Libraries

D. Loosely Connected Devices

A

B

53
Q

SEE NO. 55

A
54
Q

In addition to add accounts and update account contents, which additional permission on the safe is required to add a single account?

A. Upload Accounts Properties

B. Rename Accounts

C. Update Account Properties

D. Manage Safe

A

C

55
Q

You want to give a newly-created group rights to review security events under the Security pane. You also want to be able to update the status of these events. Where must you update the group to allow this?

A. in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA

B. in the PTAAuthorizationGroups parameter, found in Administration > Options > General

C. in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options

D. in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General

A

D

56
Q

What is required to enable access over SSH to a Unix account through both PSM and PSMP?

A. The platform must contain connection components for PSM-SSH and PSMP-SSH

B. PSM and PSMP must already have stored the SSH Fingerprint for the Unix host

C. The Enable PSMP setting in the Unix platform must be set to Yes

D. A duplicate platform with the PSMP settings must be created

A

A

57
Q

SEE NO. 59

A
58
Q

When the CPM connects to a database, which interface is most commonly used?

A. Kerberos

B. Odbc

C. Vbscript

D. sybade

A

B

59
Q

What is required to manage loosely connected devices?

A. PSM for SSH

B. EPM

C. PSM

D. PTA

A

B

60
Q

When should vault keys be rotated?

A. when it is copied to file systems outside the vault

B. annually

C. whenever a CyberArk user leaves the organization

D. when migrating to a new data center

A

A

61
Q

Where can PTA be configured to send alerts? (Choose two.)

A. SIEM

B. Email

C. Google Analytics

D. EVD

E. PAReplicate

A

A,B

62
Q

In your organization the “click to connect” button is not active by default. How can this feature be activated?

A. Policies > Master Policy > Allow EPV transparent connections > Inactive

B. Policies > Master Policy > Session Management > Require privileged session monitoring and isolation > Add Exception

C. Policies > Master Policy > Allow EPV transparent connections > Active

D. Policies > Master Policy > Password Management

A

C

63
Q

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

A. Address

B. Safe

C. Account Description

D. Platform

E. CPM

A

B,D

64
Q

SEE NO. 66

A
65
Q

Which accounts can be selected for use in the Windows discovery process? (Choose two.)

A. an account stored in the Vault

B. an account specified by the user

C. the Vault Administrator

D. any user with Auditor membership

E. the PasswordManager user

A

A,B

66
Q

You are concerned about the Windows Domain password changes occurring during business hours. Which settings must be updated to ensure passwords are only rotated outside of business hours?

A. In the platform policy - Automatic Password Management > Password Change > ToHour & FromHour

B. in the Master Policy Account Change Window > ToHour & From Hour

C. Administration Settings - CPM Settings > ToHour & FromHour

D. On each individual account - Edit > Advanced > ToHour & FromHour

A

A

67
Q

CyberArk recommends implementing object level access control on all Safes.
A. True B. False

A

B

68
Q

PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, but only if the session is made via the CyberArk PSM.
A. True
B. False, the PTA can suspend sessions whether the session is made via the PSM or not

A

B

69
Q

Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.
A. TRUE B. FALSE

A

B

70
Q

Which of the following Privileged Session Management (PSM) solutions support live monitoring of active sessions?

A. PSM (i.e., launching connections by clicking on the connect button in the Password Vault Web Access (PVWA))

B. PSM for Windows (previously known as RDP Proxy)

C. PSM for SSH (previously known as PSM-SSH Proxy)

D. All of the above

A

D

71
Q

The Vault administrator can change the Vault license by uploading the new license to the system Safe.
A. True B. False

A

A

72
Q

Which steps should you perform to restore DR replication to normal?

A. Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

B. Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

C. Shutdown PrivateArk Server on Primary Vault > Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

D. Shutdown PrivateArk Server on DR Vault > Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

A

B

73
Q

The vault supports Role Based Access Control.
A. TRUE B. FALSE

A

B

74
Q

To manage automated onboarding rules, a CyberArk user must be a member of which group?

A. Vault Admins

B. CPM User

C. Auditors

D. Administrators

A

A

75
Q

CyberArk implements license limits by controlling the number and types of users that can be provisioned in the vault.
A. TRUE B. FALSE

A

A

76
Q

Which report shows the accounts that are accessible to each user?

A. Activity report

B. Entitlement report

C. Privileged Accounts Compliance Status report

D. Applications Inventory report

A

B

77
Q

Which CyberArk utility allows you to create lists of Master Policy Settings, owners and safes for output to text files or MSSQL databases?

A. Export Vault Data

B. Export Vault Information

C. PrivateArk Client

D. Privileged Threat Analytics

A

A

78
Q

Select the best practice for storing the Master CD.

A. Copy the files to the Vault server and discard the CD

B. Copy the contents of the CD to a Hardware Security Module (HSM) and discard the CD

C. Store the CD in a secure location, such as a physical safe

D. Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder secured with NTFS permissions on the Vault

A

C

79
Q

Target account platforms can be restricted to accounts that are stored in specific Safes using the Allowed Safes property.
A. TRUE B. FALSE

A

A

80
Q

Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

A. PSM connections to target devices that are not managed by CyberArk.

B. Session Recording.

C. Real-time live session monitoring.

D. PSM connections from a terminal without the need to login to the PVWA.

A

A,B,C

81
Q

As long as you are a member of the Vault Admins group you can grant any permission on any safe.
A. TRUE B. FALSE

A

B

82
Q

When onboarding accounts using Accounts Feed, which of the following is true?

A. You must specify an existing Safe where the account will be stored when it is onboarded to the Vault.

B. You can specify the name of a new Safe that will be created where the account will be stored when it is onboarded to the Vault.

C. You can specify the name of a new Platform that will be created and associated with the account.

D. Any account that is onboarded can be automatically reconciled regardless of the platform it is associated with.

A

B

83
Q

What is the primary purpose of One Time Passwords?

A. Reduced risk of credential theft

B. More frequent password changes

C. Non-repudiation (individual accountability)

D. To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization.

A

A

84
Q

What is the purpose of the PrivateArk Server service?

A. Executes password changes

B. Maintains Vault metadata

C. Makes Vault data accessible to components

D. Sends email alerts from the Vault

A

C

85
Q

Which keys are required to be present in order to start the PrivateArk Server service?

A. Recovery public key

B. Recovery private key

C. Server key

D. Safe key

A

A,C

86
Q

In the Private Ark client, how do you add an LDAP group to a CyberArk group?

A. Select Update on the CyberArk group, and then click Add > LDAP Group

B. Select Update on the LDAP Group, and then click Add > LDAP Group

C. Select Member Of on the CyberArk group, and then click Add > LDAP Group

D. Select Member Of on the LDAP group, and then click Add > LDAP Group

A

A

87
Q

SAFE Authorizations may be granted to ____________. Select all that apply.

A. Vault Users

B. Vault Group

C. LDAP Users

D. LDAP Groups

A

A,B,C,D

88
Q

Which CyberArk group does a user need to be part of to view recordings or live monitor
sessions?

A. Auditors

B. Vault Admin

C. DR Users

D. Operators

A

A

89
Q

Which onboarding method would you use to integrate CyberArk with your accounts provisioning
process?

A. Accounts Discovery

B. Auto Detection

C. Onboarding RestAPI functions

D. PTA Rules

A

B

90
Q

If the AccountUploader Utility is used to create accounts with SSH keys, which parameter do
you use to set the full or relative path of the SSH private key file that will be attached to the
account?

A. KeyPath

B. KeyFile

C. ObjectName

D. Address

A

B

91
Q

Where do you update this permission for all auditors?

A. Private Ark Client > Tools > Administrative Tools > Directory Mapping > Vault Authorizations

B. Private Ark Client > Tools > Administrative Tools > Users and Groups > Auditors >
Authorizations tab

C. PVWA User Provisioning > LDAP integration > Vault Auditors Mapping > Vault Authorizations

D. PVWA > Administration > Configuration Options > LDAP integration > Vault Auditors Mapping >
Vault Authorizations

A

B

92
Q

A new domain controller has been added to your domain. You need to ensure the CyberArk
infrastructure can use the new domain controller for authentication. Which locations must you
update?

A. on the Vault server in Windows\System32\Etc\Hosts and in the PVWA Application under
Administration > LDAP Integration > Directories > Hosts

B. on the Vault server in Windows\System32\Etc\Hosts and on the PVWA server in
Windows\System32\Etc\Hosts

C. in the Private Ark client under Tools > Administrative Tools > Directory Mapping

D. on the Vault server in the certificate store and on the PVWA server in the certificate store

A

A

93
Q

Which statement is correct concerning accounts that are discovered, but cannot be added to
the Vault by an automated onboarding rule?

A.They are added to the Pending Accounts list and can be reviewed and manually uploaded.

B.They cannot be onboarded to the Password Vault.

C.They must be uploaded using third party tools.

D.They are not part of the Discovery Process.

A

A

94
Q

Which statement is correct about CPM behavior in a Distributed Vault environment?

A. CPMs can only access the Primary Vault. When it is unavailable, CPM cannot access
any Vault until another Vault is promoted as the new Primary Vault

B. CPMs can access only the Satellite Vaults

C. CPMs can only access the Primary Vault. When it is unavailable, CPM cannot access
any Vault until the original Primary Vault is operational again

D. CPM can access all Vaults - Primary and the Satellite

A

A

95
Q

Which of the following properties are mandatory when adding accounts from a file? (Choose three.) Options:

A- Safe Name

B- Platform ID

C- All required properties specified in the Platform

D- Username

E- Address

F- Hostname

A

A,B,C

96
Q

Which option in the Private Ark client is used to update users’ Vault group memberships? Options:

A-Update > General tab

B- Update > Authorizations tab

C- Update > Member Of tab

D- Update > Group tab

A

C

97
Q

Your customer, ACME Corp, wants to store the Safes Data in Drive D instead of Drive C. Which file should you edit? Options:

A-TSparm.ini

B- Vault.ini

C- DBparm.ini

D- user.ini

A

A

98
Q

When onboarding multiple accounts from the Pending Accounts list, which associated setting must be the same across the selected accounts? Options:

A-Platform

B- Connection Component

C- CPM

D- Vault

A

A

99
Q

See no. 105

A
100
Q

Which permissions are needed for the Active Directory user required by the Windows
Discovery process? Options:

A-Domain Admin

B- LDAP Admin

C- Read/Write

D- Read

A

D

101
Q

Which command generates a full backup of the Vault?

A. PAReplicate.exe Vault.ini/LogonFromFile user.ini/FullBackup

B. PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234/full

C. PARestore.exe PADR ini/LogonFromFile vault.ini/FullBackup

D. CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1

A

A

102
Q

Which command configures email alerts within PTA if settings need to be changed post
install? Options:

A-/opt/tomcat/utility/emailConfiguration.sh

B- /opt/PTA/emailConfiguration.sh

C- /opt/PTA/utility/emailConfig.sh

D- /opt/tomcat/utility/emailSetup.sh

A

A

103
Q

You are creating a shared safe for help desk. What must be considered regarding the naming
convention?

A. Ensure the naming convention does not exceed 28 characters

B. Combine environments, owners and platform to minimize the total number of safes
created

C. Safe owners should determine the safe name to enable them to easily remember it

D. The word Safe cannot be used

A

A

104
Q

You are creating a new Rest API user that utilizes CyberArk Authentication. What is a correct
process to provision this user? Options:

A-Private Ark Client > Tools > Administrative Tools > Users and Groups > New > User

B- Private Ark Client > Tools > Administrative Tools > Directory Mapping > Add

C- PVWA > User Provisioning > LDAP Integration > Add Mapping

D- PVWA > User Provisioning > Users and Groups > New > User

A

A

105
Q

To use PSM connections while in the PVWA, what are the minimum safe permissions a user or group will need? Options:

A-List Accounts, Use Accounts

B- List Accounts, Use Accounts, Retrieve Accounts

C- Use Accounts

D- List Accounts, Use Accounts, Retrieve Accounts, Access Safe without confirmation

A

A

106
Q

A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings. What is the issue?

A. The user must login as PSMAdminConnect

B. The PSM service is not running

C. The user is not a member of the PVWAMonitor group

D. The user is not a member of the Auditors group

A

D

107
Q

When creating an onboarding rule, it will be executed upon .

A.All accounts in the pending accounts list

B.Any future accounts discovered by a discovery process

C.Both “All accounts in the pending accounts list” and “Any future accounts discovered by a discovery process”

A

B

108
Q

All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers. The members of Operations Managers never need to be able to use the show, copy or connect buttons themselves. Which safe permission do you need to grant Operations Staff? Check all that apply.

A.Use Accounts

B.Retrieve Accounts

C.Authorize Password Requests

D.Access Safe without Authorization

A

A,B,D

109
Q

A user with administrative privileges to the vault can only grant other users privileges that he himself has.
TRUE
FALSE

A

B

110
Q

As long as you are a member of the Vault Admins group you can grant any permission on any safe.
TRUE
FALSE

A

B

111
Q

The System safe allows access to the Vault configuration files.
TRUE
FALSE

A

A

112
Q

The System safe allows access to the Vault configuration files.
TRUE
FALSE

A

A

113
Q

When a group is granted the ‘Authorize Account Requests’ permission on a safe, Dual Control requests must be approved by

A.Any one person from that group

B.Every person from that group

C.The number of persons specified by the Master Policy

D.That access cannot be granted to groups

A

C

114
Q

Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed.

A.HeadStartInterval

B.Interval

C.ImmediateInterval

A

A

115
Q

Which one of the following reports is NOT generated by using the PVWA?

A.Accounts Inventory

B.Application Inventory

C.Safes List

D.Compliance Status

A

C

116
Q

Users who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.
TRUE FALSE

A

B

117
Q

It is possible to restrict the time of day, or day of week that a verify process can occur
TRUE FALSE

A

A

118
Q

What is the purpose of a linked account?

A.To ensure that a particular collection of accounts all have the same password.

B.To ensure a particular set of accounts all change at the same time.

C.To connect the CPM to a target system.

D.To allow more than one account to work together as part of a password management process.

A

D

119
Q

You receive this error: “Error in changepass to user domainuser on domain server(domain. (winRc=5) Access is denied.” Which root cause should you investigate?

A.The account does not have sufficient permissions to change its own password

B.The domain controller is unreachable.

C.The password has been changed recently and minimum password age is preventing the change.

D.The CPM service is disabled and will need to be restarted.

A

A

120
Q

You are creating a Dual Control workflow for a team’s safe. Which safe permissions must you
grant to the Approvers group?

A.List accounts, Authorize account request

B.Retrieve accounts, Access Safe without confirmation

C.Retrieve accounts, Authorize account request

D.List accounts, Unlock accounts

A

A

121
Q

See no. 126

A
122
Q

Which CyberArk components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.

A.Discovery and Audit (DNA)

B.Auto Detection (AD)

C.Export Vault Data (EVD)

D.On Demand Privileges Manager (OPM)

E.Accounts Discovery

A

A,B,E

123
Q

Which configuration file is used by the CPM scanner when scanning UNIX/Linux devices?

A. UnixPrompts.ini

B. Plink.exe

C. Dbparm.ini

D. UnixScanner.ini

A

A

124
Q

You need to enable the PSM for all platforms. Where do you perform this task?

A.Platform Management > (Platform) > UI & Workflows

B.Master Policy > Session Management

C.Master Policy > Privileged Access Workflows

D.Administration > Options > Connection Components

A

B

125
Q

See no. 131

A
126
Q

Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI). TRUE FALSE

A

A

127
Q

A Vault administrator has associated a logon account to one of their Unix root accounts in the vault. When attempting to verify the root account’s password the Central Policy Manager (CPM) will:

A.ignore the logon account and attempt to log in as root

B.prompt the end user with a dialog box asking for the login account to use

C.log in first with the logon account, then run the SU command to log in as root using the password in the Vault

D.none of these

A

C

128
Q

The primary purpose of exclusive accounts is to ensure non-repudiation (Individual accountability).
TRUE FALSE

A

A

129
Q

Which Master Policy Setting must be active in order to have an account checked-out by one user for a pre-determined amount of time?

A.Require dual control password access Approval

B.Enforce check-in/check-out exclusive access

C.Enforce one-time password access

D.Enforce check-in/check-out exclusive access & Enforce one-time password access

A

D

130
Q

See no. 138

A
131
Q

A Reconcile Account can be specified in the Master Policy.
TRUE FALSE

A

B

132
Q

Assuming a safe has been configured to be accessible during certain hours of the day, a Vault Admin may still access that safe outside of those hours.
TRUE FALSE

A

B

133
Q

Which type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event?

A.Password change

B.Password reconciliation

C.Session suspension

D.Session termination

A

A

134
Q

Which report could show all accounts that are past their expiration dates?

A.Privileged Account Compliance Status report

B.Activity log

C.Privileged Account Inventory report

D.Application Inventory report

A

A

135
Q

To enable the Automatic response “Add to Pending” within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?

A.List Accounts, View Safe members, Add accounts (includes update properties), Update Account content, Update Account properties

B.List Accounts, Add accounts (includes update properties), Delete Accounts, Manage Safe

C.Add accounts (includes update properties), Update Account content, Update Account properties, View Audit

D.View Accounts, Update Account content, Update Account properties, Access Safe without confirmation, Manage Safe, View Audit

A

A

136
Q

A newly created platform allows users to access a Linux endpoint. When users click to
connect, nothing happens. Which piece of the platform is missing?

A.PSM-SSH Connection Component

B.UnixPrompts.ini

C.UnixProcess.ini

D.PSM-RDP Connection Component

A

A

137
Q

For a safe with Object Level Access enabled you can turn off Object Level Access Control
when it is no longer needed on the safe.
TRUE
FALSE

A

B

138
Q

What is the purpose of the Interval setting in a CPM policy?

A.To control how often the CPM looks for System Initiated CPM work.

B.To control how often the CPM looks for User Initiated CPM work.

C.To control how long the CPM rests between password changes.

D.To control the maximum amount of time the CPM will wait for a password change to complete.

A

A

139
Q

What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?

A.Min Validity Period

B.Interval

C.Immediate Interval

D.Timeout

A

A

140
Q

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)

A.The PSM software must be installed on the target server

B.PSM must be enabled in the Master Policy (either directly, or through exception)

C.PSMConnect must be added as a local user on the target server

D.RDP must be enabled on the target server

A

A,B

141
Q

When managing SSH keys, the CPM stores the Public Key

A.In the Vault

B.On the target server

C.A & B

D.Nowhere because the public key can always be generated from the private key.

A

B

142
Q

See no. 152

A
143
Q

What is the maximum number of levels of authorization you can set up in Dual Control?

A.1

B.2

C.3

D.4

A

B

144
Q

You have been asked to secure a set of shared accounts in CyberArk whose passwords will need to be used by end users. The account owner wants to be able to track who was using an account at any given moment. Which security configuration should you recommend?

A.Configure one-time passwords for the appropriate platform in Master Policy.

B.Configure shared account mode on the appropriate safe.

C.Configure both one-time passwords and exclusive access for the appropriate platform in Master Policy.

D.Configure object level access control on the appropriate safe.

A

C

145
Q

Which utilities could you use to change debugging levels on the vault without having to restart the vault. Select all that apply.

A.PAR Agent

B.PrivateArk Server Central Administration

C.Edit DBParm.ini in a text editor

D.Setup.exe

A

A,B

146
Q

Within the Vault each password is encrypted by:

A.the server key

B.the recovery public key

C.the recovery private key

D.its own unique key

A

D

147
Q

VAULT authorizations may be granted to_____.

A.Vault Users

B.Vault Groups

C.LDAP Users

D.LDAP Groups

A

C

148
Q

tsparm.ini is the main configuration file for the Vault.
True False

A

B

149
Q

What is the purpose of the PrivateArk Database service?

A.Communicates with components

B.Sends email alerts from the Vault

C.Executes password changes

D.Maintains Vault metadata

A

D

150
Q

The password upload utility must run from the CPM server
TRUE FALSE

A

B

151
Q

A Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control.
True False

A

A

152
Q

A user is receiving the error message “ITATS006E Station is suspended for User jsmith” when attempting to sign into the Password Vault Web Access (PVWA). Which utility would a Vault administrator use to correct this problem?

A.createcredfile.exe

B.cavaultmanager.exe

C.PrivateArk

D.PVWA

A

C

153
Q

See no. 166

A
154
Q

You are logging into CyberArk as the Master user to recover an orphaned safe. Which items are required to log in as Master?

A.Master CD, Master Password, console access to the Vault server, Private Ark Client

B.Operator CD, Master Password, console access to the PVWA server, PVWA access

C.Operator CD, Master Password, console access to the Vault server, Recover.exe

D.Master CD, Master Password, console access to the PVWA server, Recover.exe

A

A

155
Q

In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX
systems. What is the BEST way to allow CPM to manage root accounts?

A.Create a privileged account on the target server. Allow this account the ability to SSH directly from
the CPM machine. Configure this account as the Reconcile account of the target server’s root
account.

B.Create a non-privileged account on the target server. Allow this account the ability to SSH directly
from the CPM machine. Configure this account as the Logon account of the target server’s root
account.

C.Configure the Unix system to allow SSH logins.

D.Configure the CPM to allow SSH logins.

A

B

156
Q

Via Password Vault Web Access (PVWA), a user initiates a PSM connection to the target Linux machine using RemoteApp. When the client’s machine makes an RDP connection to the PSM server, which user will be utilized?

A.Credentials stored in the Vault for the target machine

B.Shadowuser

C.PSMConnect

D.PSMAdminConnect

A

C

157
Q

Which PTA sensors are required to detect suspected credential theft?

A.Logs,Vault Logs

B.Logs,Network Sensor,Vault Logs

C.Logs,PSM Logs,CPM Logs

D.Logs,Network Sensor,EPM

A

A

158
Q

Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports
TRUE FALSE

A

B

159
Q

The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys. How are these keys managed?

A.CyberArk stores Private keys in the Vault and updates Public keys on target systems.

B.CyberArk stores Public keys in the Vault and updates Private keys on target systems.

C.CyberArk does not store Public or Private keys and instead uses a reconcile account to create keys on demand.

D.CyberArk stores both Private and Public keys and can update target systems with either key.

A

A

160
Q

Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller?

A.Suspected credential theft

B.Over-Pass-The-Hash

C.Golden Ticket

D.Unmanaged privileged access

A

C; if there are two, B,C

161
Q

Which of the following components can be used to create a tape backup of the Vault?

A.Disaster Recovery

B.Distributed Vaults

C.Replicate

D.High Availability

A

C

162
Q

A logon account can be specified in the platform settings.
A.True B.False

A

A

163
Q

Which user(s) can access all passwords in the Vault?

A.Administrator

B.Any member of Vault administrators

C.Any member of auditors

D.Master

A

D

164
Q

A.Operating System Username Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility?

A.Host IP Address

B.Client Hostname

C.Operating System Type (Linux/Windows/HP-UX)

D.Vault IP Address

E.Time Frame

A

A,B,C

165
Q

For Digital Vault Cluster in a high availability configuration, how does the cluster determine if a node is down?

A.The heartbeat is no longer detected on the private network.

B.The shared storage array is offline.

C.An alert is generated in the Windows Event log.

D.The Digital Vault Cluster does not detect a node failure.

A

A

166
Q

See no. 180

A
167
Q

As vault Admin you have been asked to configure LDAP authentication for your organization’s CyberArk users. Which permissions do you need to complete this task?

A. Audit Users and Add Network Areas

B. Audit Users and Manage Directory Mapping

C. Audit Users and Add/Update Users

D. Audit Users and Activate Users

A

B

168
Q

Which components can connect to a satellite Vault in distributed Vault architecture?

A. CPM, EPM, PTA

B. PVWA, PSM

C. CPM,PVWA, PSM

D. CPM, PSM

A

B

169
Q

A new HTML5 Gateway has been deployed in your organization. Where do you configure the PSM to use the HTML5 Gateway?

A. Administration > Options > Privileged Session Management > Configured PSM Servers > Connection Details > Add PSM Gateway

B. Administration > Options > Privileged Session Management > Add configured PSM Gateway Servers

C. Administration > Options > Privileged Session Management > Configured PSM Servers > Add PSM Gateway

D. Administration > Options > Privileged Session Management >Configured PSM Servers > Connection Details

A

A

170
Q

A vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault Admin rights. Where can you check to verify that the Vault Admins directory mapping points to the correct AD group?

A. PVWA > User Provisioning > LDAP Integration > Mapping Criteria

B. PVWA > User Provisioning > LDAP Integration > Map Name

C. PVWA > Administration > LDAP Integration > Mappings

D. PVWA > Administration > LDAP Integration >AD Groups

A

A

170
Q

In the PrivateArk Client, how do you add an LDAP group to a CyberArk Group?

A. Select update on the CyberArk Group, and then click ADD > LDAP group

B. Select update on the LDAP Group, and then click ADD > LDAP Group

C. Select Member Of on the CyberArk Group, and then click ADD > LDAP group

D. Select Member Of on the LDAP Group, and then click ADD >LDAP Group

A

A

171
Q

How do you create a cold storage backup?

A. On the DR Vault, install PAReplicate according to the installation guide, configure the logon ini file, and define the schedule task for full and incremental backups

B. Install the Vault Backup utility on a different machine from the Enterprise PasswordVault server and trigger the full backup

C. Configure the backup options in the PVWA

D. On the DR Vault, configure the cold storage backup path in TSParm.ini file

A

B

172
Q

Which tools are used during a CPM renaming process?

A. APIKeyManager Utility

B. CreateCredFile Utility

C. CPMinDomain_Hardening.ps1

D. PMTerminal.exe

E. Data Execution Prevention

A

A,B

173
Q

Which authentication methods does PSM for SSH support?

A. CyberArk Password, LDAP, RADIUS, SAML

B. LDAP, Windows Authentication, SSH Keys

C. RADIUS, Oracle SSO, CyberArk Password

D. CyberArk Password, LDAP, RADIUS

A

D

174
Q

You have been asked to turn off the time access restrictions for a safe. Where is this setting found?

A. PrivateArk

B. RestAPI

C. Password Vault Web Access

D. Vault

A

A

175
Q

What is a valid combination of primary and secondary layers of authentication to a company’s two-factor authentication policy?

A. RSA SecureID Authentication (in PVWA) and LDAP Authentication

B. CyberArk Authentication and RADIUS Authentication

C. Oracle SSO (in PVWA) and SAML authentication

D. LDAP Authentication and RADIUS Authentication

A

D

176
Q

You have been asked to limit a platform called “Windows_Servers” to safes called “WindowsDC1” and “WindowsDC2”. The platform must not be assigned to any other safes. What is the correct way to accomplish this?

A. Edit the “Windows_Servers” platform, expand “Automatic Platform Management”, then select General and modify “Allowed Safes” to be (Windowsdc1)|(WindowsDC2)

B. Edit the “Windows_Servers” platform, expand “Automatic Platform Management”, then select Options and modify “Allowed Safes” to be (Win*).

C. Edit the “WindowsDC1” and WindowsDC2 safes through safe management. Add “Windows_Servers” to the “AllowedPlatforms”.

D. Log into PrivateArk using an Administrative user. Select File, Server File Categories, Locate the Category “WindowsServersAllowedSafes” and specify “WindowsDC1.WindowDC2”

A

A

177
Q

You want to generate a license capacity report. Which tool accomplishes this?

A. Password Vault Web Access

B. PrivateArk Client

C. DiagnoseDB Report

D. RestAPI

A

B

178
Q

See no. 198

A
179
Q

You need to move a platform from using PMTerminal.exe to using Terminal Plugin Controller. What must you do?

A. Within PVWA, Click Administration > Platform Management, Select the platform, and then click Edit. In the left pane, click automatic password management, > CPM Plugin, Set the ExeName parameter to: CyberArk.TPC.exe

B. Using PrivateArk, select the PasswordManager_Shared safe and then select open. Locate the .ini file relating to the platform you wish to change, and double click. At the bottom of the file, insert a line “UseTPC” = True. Remove any lines that reference “PMTerminal” and save. Return the .ini file to the safe. Restart the CPM for this change to take effect.

C. Open the process file of the platform you wish to configure to use TPC. Add the following parameter under the States section. “use TPC=yes.

D. It is not possible to change a Platform from using PMTerminal.exe to using TPC. You must locate a new version of the platform that supports TPC and import the new platform, overwriting the existing platform.

A

A

180
Q

In a rule using “Privileged Session Analysis and Response” in PTA, which session options are available to configure as responses to activities?

A. Suspend, Terminate, None

B. Suspend, Terminate, Lock Account

C. Pause, Terminate, None

D. Suspend, Terminate

A

A

181
Q

What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?

A. UnixPrompts.ini

B. plink.exe

C. dbparm.ini

D. PVConfig.xml

A

A

182
Q

See no. 203

A
183
Q

How much disk space do you need on the server for a PAReplicate?

A. 500 GB

B. 1 TB

C. same as disk size on Satellite Vault

D. same as disk size on primary vault

A

D

184
Q

You just configured the usage in CyberArk and want to update its password. What is the least
intrusive way to accomplish this?

A. Use the “change” button on the usage’s details page.

B. Use the “Change” button on the parent account’s details page

C. Use the “Sync” button on the usage’s details page

D. Use the “reconcile” button on the parent’s details page.

A

B

185
Q

A company requires challenge/response multi-factor authentication for PSMP sessions. Which server must you integrate with the CyberArk vault?

A. LDAP

B. PKI

C. SAML

D. RADIUS

A

D

186
Q

You need to recover an account localadmin02 for target server 10.0.123.73 stored in Safe Team1. What do you need to recover and decrypt the object? (choose 3)

A. Recovery Private Key

B. Recover.exe

C. Vault Data

D. Recovery Public Key

E. Server Key

F. Master Password

A

A,D,E

187
Q

You are setting up a Linux host to act as an HTML 5 gate for PSM sessions. Which servers need to be trusted by the Linux host to secure communications through the gateway?

A. PSM and PVWA

B. PSM and CPM

C. PVWA and Vault

D. Vault and PSM

A

A

188
Q

To manage automated onboarding rules, a CyberArk user must be a member of which group?

A. Vault Admins

B. CPM User

C. Auditors

D. Administrators

A

A

189
Q

See no. 215

A
190
Q

Before failing back to the production infrastructure after a DR exercise, what must you do to
maintain audit history during the DR event?

A.Ensure that the Production Instance replicates changes that occurred from the Disaster Recovery
Instance.

B.Briefly stop and start the Disaster Recovery Instance before attempting to fail components back to
the Production Instance.

C.Stop the CPM services before starting the production server.

D.Perform an IIS Reset on all PVWA servers.

A

A

191
Q

What is the correct process to install a custom platform from the CyberArk Marketplace?

A.Locate the custom platform in the Marketplace and click Import.

B.Download the platform from the Marketplace and import it using the PVWA.

C.Contact CyberArk Support for guidance on how to import the platform.

D.Duplicate an existing platform and align the setting to match the platform from the Marketplace.

A

B

192
Q

Where can you check that the LDAP binding is using TCP/636?

A.in Active Directory under “Users OU” => “User Properties” => “External Bindings” => “Port”

B.in PVWA, under “LDAP Integration” => “LDAP” => “Directories” => “” => “Hosts” => “Host”

C.in PrivateArk Client, under “Tools” => “Administrative Tools” => “Directory Mapping” => “”

D.From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.

A

B

193
Q

Which statement is true about setting the reconcile account at the platform level?

A.This is the only way to enable automatic reconciliation of account passwords.

B.CPM performance will be improved when the reconcile account is set at the platform level.

C.A rule can be used to specify the reconcile account dynamically or a specific reconcile account can be
selected.

D.This configuration prevents the association from becoming broken if the reconcile account is moved
to a different safe.

A

C

194
Q

What can you do to ensure each component server is operational?

A.Logon to PVWA with v10 UI, navigate to Healthcheck, and validate each component server is
connected to the Vault.

B.Ping each component server to ensure connectivity.

C.Use the PrivateArk client to connect to the Vault server and validate all the services are running.

D.Install the Vault Server interface on a remote machine to avoid interactive logon to the Vault OS and
review the ITALog.log through the Vault Server interface.

A

A

195
Q

You notice an authentication failure entry for the DR user in the ITALog. What is the correct process to fix this error? (Choose two.)

A.PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update >
Authentication > Update Password.

B.Create a new credential file, on the DR Vault, using the CreateCredFile utility and the newly set
password. С. Create a new credential file, on the Primary Vault, using the CreateCredFile utility and the
newly set password.

C.PVWA > User Provisioning > Users and Groups > DR User > Update Password.

D.PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update >
Authentication > Update Password.

A

A,C

196
Q

What are the minimum permissions to add multiple accounts from a file when using PVWA bulkupload?
(Choose three.)

A.add accounts

B.rename accounts

C.update account content

D.update account properties

E.view safe members

F.add safes

A

A,C,D

197
Q

See no. 224

A
198
Q

What is the purpose of the Immediate Interval setting in a CPM policy?

A. To control how often the CPM looks for System Initiated CPM work.

B. To control how often the CPM looks for User Initiated CPM work.

C. To control how long the CPM rests between password changes.

D. To control the maximum amount of time the CPM will wait for a password change to complete.

A

B

199
Q

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval.

A. Create an exception to the Master Policy to exclude the group from the workflow process.

B. Edit the master policy rule and modify the advanced ‘Access safe without approval’ rule to include the group.

C. On the safe in which the account is stored grant the group the ‘Access safe without audit’ authorization.

D. On the safe in which the account is stored grant the group the ‘Access safe without confirmation’ authorization.

A

D

200
Q

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.
A. TRUE
B. FALSE

A

B

201
Q

Which report provides a list of accounts stored in the vault.

A. Privileged Accounts Inventory

B. Privileged Accounts Compliance Status

C. Entitlement Report

D. Activity Log

A

A

202
Q

Target account platforms can be restricted to accounts that are stored in specific Safes using the AllowedSafes property.
A. TRUE
B. FALSE

A

A

203
Q

PSM captures a record of each command that was executed in Unix.
A. TRUE
B. FALSE

A

A

204
Q

Platform settings are applied to______________.

A. The entire vault.

B. Network Areas

C. Safes

D. Individual Accounts

A

D

205
Q

Which of the following options is not set in the Master Policy?

A. Password Expiration Time

B. Enabling and Disabling of the Connection Through the PSM

C. Password Complexity

D. The use of “One-Time-Passwords”

A

C

206
Q

It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.
A. TRUE
B. FALSE

A

A

207
Q

What conditions must be met in order to log into the vault as the Master user? (Choose all that apply.)

A. Logon must be originated from the console of the Vault Server or an EmergencyStation defined in DBParm.ini

B. User must provide the correct master password.

C. Logon requires the Recovery Private Key to be accessible to the vault.

D. Logon must satisfy a challenge response request.

A

A,B,C

208
Q

What is the purpose of the Allowed Safes parameter in a CPM policy? Select all that apply.

A. To improve performance by reducing CPM workload.

B. To prevent accidental use of a policy in the wrong safe.

C. To allow users to access only the passwords they should be able to access.

D. To enforce Least Privilege in CyberArk.

A

C,D

209
Q

Can the ‘Connect’ button be used to initiate an SSH connection, as root, to a Unix system when SSH access for root is denied?

A. Yes, when using the connect button, CyberArk uses the PMTerminal.exe process which bypasses the root SSH restriction.

B. Yes, only if a logon account is associated with the root account and the user connects through the PSM-SSH connection component.

C. Yes, if a logon account is associated with the root account.

D. No, it is not possible.

A

B

210
Q

Which combination of Safe member permissions will allow end users to log in to a remote machine transparently but NOT show or copy the password?

A. Use Accounts, Retrieve Accounts, List Accounts

B. Use Accounts, List Accounts

C. Use Accounts

D. List Accounts, Retrieve Accounts

A

B

211
Q

When managing SSH keys, the CPM stores the Private Key

A. In the Vault

B. On the target server

C. A & B

D. Nowhere because the private key can always be generated from the public key.

A

A

212
Q

Match each log file to the correct component:

ITALOG | pta
PM.LOG | vault
DIAMOND.LOG | cpm
CYBERARK.WEBAPPLICATION.LOG | pvwa

A

(
DIAMOND.LOG | pta
ITALOG | vault
PM.LOG | cpm
CYBERARK.WEBAPPLICATION.LOG | pvwa)

213
Q

Which values are acceptable in the address field of an Account?

A. It must be a Fully Qualified Domain Name (FQDN)

B. It must be an IP address

C. It must be a NetBIOS name

D. Any name that is resolvable on the Central Policy Manager (CPM) server is acceptable

A

D

214
Q

In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault?

A. True.

B. False. Because the user can also enter credentials manually using Secure Connect.

C. False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect.

D. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

A

D

215
Q

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval?

A. Create an exception to the Master Policy to exclude the group from the workflow process.

B. Edit the master policy rule and modify the advanced ‘Access safe without approval’ rule to include the group.

C. On the safe in which the account is stored grant the group the ‘Access safe without audit’ authorization.

D. On the safe in which the account is stored grant the group the ‘Access safe without confirmation’ authorization.

A

D

216
Q

Which of these account onboarding methods is considered proactive?

A. Accounts Discovery

B. Detecting accounts with PTA

C. A REST API integration with account provisioning software

D. A DNA scan

A

B

217
Q

Which of the following files must be created or configured in order to run the Password Upload Utility? Select all that apply.

A. PACli.ini

B. Vault.ini

C. conf.ini

D. A comma delimited upload file

A

B,C,D