PAM-SEN V2

Question 1

After a PSM session is complete, the PSM server uploads the recording to the Vault for long-term
storage.

Answer 1

A. TRUE

Question 2

By default, the vault secure protocol uses which IP port and protocol.

Answer 2

A. TCP/1858

Question 3

What is the best practice for storing the Master CD?

Answer 3

C. Store the CD in a secure location, such as a physical safe.

Question 4

What utility is used to create or update a credential file?

Answer 4

A. CreateCredFile.exe

Question 5

You are successfully managing passwords in the alpha.cyberark.com domain; however, when you
attempt to manage a password in the beta.cyberark.com domain, you receive the ‘network path not
found’ error. What should you check first?

Answer 5

B. That the CPM can successfully resolve addresses in the beta.cyberark.com domain.

Question 6

What is the name of the account used to establish the initial RDP session from the end user client
machine to the PSM server?

Answer 6

A. PSMConnect

Question 7

To apply a new license file you must:

Answer 7

A. Upload the license.xml file to the System Safe.

Question 8

At what point is a transparent user provisioned in the vault?

Answer 8

C. The first time the user logs in.

Question 9

Which of the following are supported authentication methods for CyberArk? Check all that apply.

Answer 9

A. CyberArk Password (SRP)
B. LDAP
C. SAML
D. PKI
E. RADIUS
F. OracleSSO

Question 10

The security of the Vault Server is entirely dependent on the security of the network.

Answer 10

B. FALSE

Question 11

What would be a good use case for the Disaster Recovery module?

Answer 11

C. Off site replication is required.

Question 12

Which of the correct order of installation for PAS components?

Answer 12

A. Vault, CPM, PVWA, PSM

Question 13

The RemoteApp feature of PSM allows seamless Application windows (i.e the Desktop of the PSM
server will not be visible.)

Answer 13

A. TRUE

Question 14

Does CyberArk need service accounts on each server to change passwords?

Answer 14

D. No, the CPM uses the account information stored in the vault to login and change the account’s
password using its own credentials.

Question 15

Which of the following protocols need to be installed on a standalone vault server? Check all that apply.

Answer 15

D. Internet Protocol version 4 (TCP/IPv4)

Question 16

Which of the following are prerequisites for installing PVWA.

Answer 16

A. Web Services Role

Question 17

In order to retrieve data from the vault a user MUST use an interface provided by CyberArk.

Answer 17

A. TRUE

Question 18

Name two ways of viewing the ITAlog:

Answer 18

A. Log into the vault locally and navigate to the Server folder under the PrivateArk install location.
C. Access the System Safe from the PrivateArk client.

Question 19

Which CyberArk component changes passwords on Target Devices?

Answer 19

B. CPM

Question 20

In an SMTP integration it is possible to use the fully-qualified domain name (FQDN) when specifying theSMTP server address(es).

Answer 20

B. FALSE

Question 21

The PrivateArk clients allows a user to view the contents of the vault like a filesystem.

Answer 21

A. TRUE

Question 22

Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? Choose all that apply.

Answer 22

A. Store the CD in a physical safe and mount the CD every time vault maintenance is performed
C. Copy the contents of the CD to a folder on the vault server and secure it with NTFS permissions.
D. Store the server key in a Hardware Security Module.

Question 23

The Remote Desktop Services role must be properly licensed by Microsoft.

Answer 23

A. TRUE

Question 24

Which file would you modify to configure your Vault Server to forward Activity Logs to a SIEM or
SYSLOG server?

Answer 24

A. dbparm.ini

Question 25

Which keys are required to be present in order to start the PrivateArk Server Service?

Answer 25

A. Server Key

Question 26

You are installing a CPM.
In addition to Add Safes, Add/Update Users, Reset Users?Passwords and Manage Server File
Categories, which Vault authorization(s) does a CyberArk user need to install the CPM?

Answer 26

B. Activate Users

Question 27

You are configuring SNMP remote monitoring for your organization?s Vault servers.
In the PARAgent.ini, which parameter specifies the destination of the Vault SNMP traps?

Answer 27

A. SNMPHostIP

Question 28

In which configuration file do you add LoadBalancerClientAddressHeader when you enable x-forwardingon the PVWA loadbalancer?

Answer 28

B. web.config

Question 29

You want to improve performance on the CPM by restricting accounts for the CYBRWINDAD platform toonly the WINDEMEA and WINDEMEA_Admin safes. How do you set this in CyberArk?

Answer 29

A. In the CYBRWINDAD platform, under Automatic Password Management/General, configure
AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN).

Question 30

Before the hardening process, your customer identified a PSM Universal Connector executable that will
be required to run on the PSM. Which file should you update to allow this to run?

Answer 30

A. PSMConfigureAppLocker.xml

Question 31

How should you configure PSM for SSH to support load balancing?

Answer 31

A. by using a network load balancer

Question 32

In which configuration file on the Vault can filters be configured to either include or exclude log
messages that are sent through SNMP?

Answer 32

A. PARAgent.ini

Question 33

A first PSM server has been installed. What should you confirm before installing any additional PSM servers?

Answer 33

C. The user performing the installation is not a direct owner in the PSMUnmanagedSessionAccounts
Safe

Question 34

During the PSM installation process, Safes and a User are created.
In addition to Add Safes, Add/Update Users, Reset Users?Passwords, and Activate Users, which
authorization(s) does the Vault user installing the PSM need to enable them to be successfully created?

Answer 34

B. Manage Server File Categories

Question 35

Your customer wants to store the Safes Data on Vault Drive D instead of Drive C. Which file should you edit?

Answer 35

A. TSparm.ini

Question 36

What must you do to prepare a Windows server for PVWA installation?

Answer 36

A. In the InstallationAutomation folder, run the PVWA_Prerequisites.ps1 file as an administrator in
Powershell.

Question 37

Which statement about REST API is correct? (Choose two.)

Answer 37

A. When a user successfully authenticates to the Vault, an authentication token is returned.
D. Each REST API call requires that a valid authentication token be provided.

Question 38

HTML5 Gateway can be installed on which supported UNIX OS versions? (Choose two.)

Answer 38

A. Red Hat Enterprise Linux 7.x
B. CentOS 7.x
C. Ubuntu 20.x

Question 39

Which utility should be used to register the Vault in Amazon Web Services?

Answer 39

A. CAVaultManager

Question 40

You are configuring the Vault to send syslog audit data to your organization?s SIEM solution. What is a valid value for the SyslogServerProtocol parameter in DBPARM.INI file?

Answer 40

A. TLS

Question 41

When creating a distributed Vault environment architecture, what is the maximum number of Vault
servers that can be deployed?

Answer 41

C. 6 - 1 primary and 5 satellite

Question 42

Arrange the steps to complete CPM Hardening for Out-of-Domain Deployment in the correct sequence

Answer 42

2 - a. Open Powershell as Administrator and run the script
3 - b. Review these script logs: HardeniningScript.log and CYBRHardeningsecedit.log.
1 - c. Locate the CPM_Hardening.ps1 script in the installation media.

Question 43

To enable LDAP over SSL for a Vault when DNS lookups are blocked, which step must be completed?

Answer 43

A. Add the FQDN & IP details for each LDAP host into the local hosts file of the Vault server.

Question 44

In which file must the attribute ?SignAuthnRequest=?true??be added to the PartnerIdentityProvider
element to support signed SAML requests?

Answer 44

A. saml.config

Question 45

A customer is moving from an on-premises to a public cloud deployment. What is the best and most cost-effective option to secure the server key?

Answer 45

C. Install the Vault using the native cloud images and secure the server key using native cloud Key
Management Systems.

Question 46

Your customer upgraded recently to version 12.2 to allow the Linux team to use the new MFA caching
feature. The PSM for SSH was installed with default configuration settings. After setting the
Authentication to SSH key and enabling MFA Caching from the PVWA interface, the Linux Team cannot
connect successfully using the new MFA caching feature. What is the most probable cause?

Answer 46

A. OpenSSH 7.8 or above is not installed.

Question 47

Which service must be set to Automatic (delayed start) after the Vault is installed and configured?

Answer 47

A. Windows Time service

Question 48

You want to add an additional maintenance user on the PSM for SSH.
How can you accomplish this if InstallCyberarkSSHD is set to Yes or No?

Answer 48

B. Create a local user called proxymng<number>.</number>

Question 49

Which SMTP address can be set on the Notification Settings page to re-invoke the ENE setup wizard
after the initial Vault installation?

Answer 49

D. 1.1.1.1

Question 50

CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain
account ACME/linuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145. What is the correct syntax?

Answer 50

B. ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145

Question 51

In addition to bit rate and estimated total duration of recordings per day, what is needed to determine
the amount of storage required for PSM recordings?

Answer 51

A. retention period

Question 52

Which components can connect to a satellite Vault in a distributed Vault architecture?

Answer 52

B. PVWA, PSM

Question 53

You are installing PSM for SSH with AD-Bridge and CyberArkSSHD mode set to integrated for your
customer. Which additional packages do you need to install to meet the customer?s needs? (Choose two.)

Answer 53

A. CARKpsmp-infra
B. libssh

Question 54

Which component should be installed on the Vault if Distributed Vaults are used with PSM?

Answer 54

A. RabbitMQ

Question 55

What is the default username for the PSM for SSH maintenance user when InstallCyberarkSSHD is set to yes?

Answer 55

A. proxymng

Question 56

Which parameter must be identical for both the Identity Provider (IdP) and the PVWA?

Answer 56

C. IdP “Audience” and “ServiceProviderName” in the PVWA saml.config file

Question 57

All 80 employees from your satellite Tokyo office are complaining that browsing the PVWA site is very
slow; however, your New York headquarters users are not experiencing this. The current PAM solution
is:
2 distributed Vaults, the primary one in New York and a satellite in Tokyo
2 PVWA servers, both in New York with load balancing configured
2 PSM servers, both in New York without load balancing configured
1 CPM server in New York
All PVWA, PSM, and CPM servers are connected to the primary Vault
Which proposal optimally resolves the performance issue while minimizing the impact to production?

Answer 57

A. Install two new PVWA servers in Tokyo data center, configure load balancing, connect to the local
satellite Vault and provide the URL of new PVWA servers to the local employees.

Question 58

You have been asked to limit a platform called “Windows_Servers”to safes called “WindowsDC1”and
“WindowsDC2”. The platform must not be assigned to any other safe. What is the correct way to accomplish this?

Answer 58

A. Edit the “Windows_Servers”platform, expand “Automatic Password Management”, then select
General and modify “AllowedSafes”to be (WindowsDC1)|(WindowsDC2).

Question 59

The account used to install a PVWA must have ownership of which safes? (Choose two.)

Answer 59

A. VaultInternal
D. Notification Engine

Question 60

DRAG DROP -
Arrange the steps to install the Password Vault Web Access (PVWA) in the correct sequence.

Answer 60

2 - A) Run the PVWAInstallation.ps1 script in Powershell as Administrator.
1 - B) Run the PVWA_Prerequisites.ps1 script in Powershell as Administrator.
3 - C) Run the PVWARegisterComponent.ps1 script with the Vault password and run the
PVWA_Hardening.ps1 script in Powershell as Administrator.

Question 61

Which configuration file and Vault utility are used to migrate the server key to an HSM?

Answer 61

A. DBparm.ini and CAVaultManager.exe

Question 62

There is a requirement for a password to change between 01:00 and 03:00 on Saturdays and Sundays;
however, this does not work consistently. Which platform setting may be the cause?

Answer 62

A. The Interval setting for the platform is incorrect and must be less than 120.

Question 63

What must you do to synchronize a new Vault server with an organization?s NTP server?

Answer 63

A. Configure an AllowNonStandardFWAddresses rule for the organization?s NTP server in DBParm.ini
on the Vault server.

Question 64

You need to add a new PSM server to an existing CyberArk environment. What is the best way to determine the sizing of this server?

Answer 64

A. Review the ?Recommended Server Specifications?for PSMs in the CyberArk Documents website.

Question 65

Which file must you edit to ensure the PSM for SSH server is not hardened automatically after
installation?

Answer 65

C. psmpparms

Question 66

When integrating a Vault with HSM, which file is uploaded to the HSM device?

Answer 66

A. server.key

Question 67

What is a prerequisite step before CyberArk can be configured to support RADIUS authentication?

Answer 67

B. In the RADIUS server, define the CyberArk Vault as a RADIUS client/agent.

Question 68

A customer wants to store PSM recordings for 100 days and estimates they will have 10 Windows
sessions per day for 100 minutes each. What is the minimum storage required for the Vault and PAReplicate for the PSM recordings?

Answer 68

A. 25 GB

Question 69

In large-scale environments, it is important to enable the CPM to focus its search operations on specificSafes instead of scanning all Safes it sees in the Vault. How is this accomplished?

Answer 69

B. AllowedSafe Parameter on each platform policy

Question 70

In addition to disabling Windows services or features not needed for PVWA operations, which tasks
does PVWA_Hardening.ps1 perform when run? (Choose two.)

Answer 70

A. performs IIS hardening
E. imports the CyberArk INF configuration

Question 71

When SAML authentication is used to sign in to the PVWA, which service performs the actual
authentication?

Answer 71

B. Identity Provider (IdP)

Question 72

Which components support load balancing? (Choose two.)

Answer 72

B. PVWA
C. PSM

Question 73

Which method can be used to directly authenticate users to PSM for SSH? (Choose three.)

Answer 73

A. CyberArk authentication
B. LDAP authentication
C. RADIUS authentication

Question 74

You are designing the number of PVWAs a customer must deploy. The customer has three data centerswith a distributed Vault in each, requires high availability, and wants to use all Vaults at all times. How many PVWAs does the customer need?

Answer 74

A. six or more

Question 75

After installing the Vault, you need to allow Firewall Access for Windows Time service to sync with NTPservers 10.1.1.1 and 10.2.2.2. What should you do?

Answer 75

A. Edit DBParm.ini to add:
AllowNonStandardFWAddresses=[10.1.1.1,10.2.2.2],Yes,123:outbound/udp.

Question 76

Which command should be executed to harden a Vault after registering it to Azure?

Answer 76

A. HardenAzureFW.ps1

Question 77

Which files does the Vault Installation Wizard prompt you for during the Vault install?

Answer 77

A. Operator CD and License

Question 78

Which statement is correct about a post-install hardening?

Answer 78

C. It is executed after Vault installation by running CAVaultHarden.exe and hardening options can be
edited by changing the Hardening.ini file.

Question 79

As a member of a PAM Level-2 support team, you are troubleshooting an issue related to load
balancing four PVWA servers at two data centers. You received a note from your Level-1 support teamstating ?When testing PVWA website from a workstation, we noticed that the ?Source IP of last sign-in?
was shown as the VIP (Virtual IP address) assigned to the four PVWA servers instead of the workstationIP where the PVWA site was launched from.?
Which step should you take?

Answer 79

A. Verify the ?LoadBalancerClientAddressHeader?parameter setting in PVWA configuration file
Web.config is set to ?X-Forwarded-For?.

Question 80

You are installing the HTML5 gateway on a Linux host using the RPM provided.
After installing the Tomcat webapp, what is the next step in the installation process?

Answer 80

A. Deploy the HTML5 service (guacd)

Question 81

What is required before the first CPM can be installed?

Answer 81

A. The environment must have at least one Vault and one PVWA installed

Question 82

When configuring RADIUS authentication, which utility is used to create a file containing an encrypted
version of the RADIUS secret?

Answer 82

A. CAVaultManager

Question 83

What is the purpose of the CPM_Preinstallation.ps1 script included with the CPM installation package?

Answer 83

D. It verifies the NET version installed on the server and sets the IIS SSL TLS server configuration.

Question 84

Which tools are used during a CPM renaming process? (Choose two.)

Answer 84

A. APIKeyManager Utility
B. CreateCredFile Utility

Question 85

When performing ?In Domain?hardening of a PSM server, which steps must be performed? (Choose
two.)

Answer 85

A. Import CyberArk policy settings from the provided file into a new GPO.
C. Link GPO to a dedicated OU containing CyberArk PSM servers.

Question 86

Which step is required to register a Vault manually in Amazon Web Services using CAVaultManager?

Answer 86

C. Specify the Cloud region using the /CloudRegion flag

Question 87

What authentication methods can be implemented to enforce Two-Factor Authentication (2FA) for usersauthenticating to CyberArk using both the PVWA (through the browser) and the PrivateArk Client?

Answer 87

A. LDAP and RADIUS

Question 88

Which pre-requisite step must be completed before installing a Vault?

Answer 88

B. Install a clean operating system.

Question 89

Which browser is supported for PSM Web Connectors developed using the CyberArk Plugin Generator
Utility (PGU)?

Answer 89

B. Google Chrome

Question 90

What is a valid combination of primary and secondary layers of authentication to a company’s two-factorauthentication policy?

Answer 90

A. RSA SecurID Authentication (in PVWA) and LDAP Authentication

Question 91

You want to add an additional maintenance user on the PSM for SSH.

Answer 91

C. Create a local user and add it to group configured for the parameter AllowGroups in the
/etc/sshd_config file.

Question 92

Which authentication methods does PSM for SSH support?

Answer 92

D. CyberArk Password, LDAP, RADIUS

Question 93

Which statement is correct about CPM behavior in a distributed Vault environment?

Answer 93

A. CPMs should only access the primary Vault. When it is unavailable, CPM cannot access any Vault
until another Vault is promoted as the new primary Vault.

Question 94

What is the purpose of the PSM health check hardening?

Answer 94

A. Remove IIS settings which can be considered security vulnerabilities.

Question 95

A customer’s environment has three data centers consisting of 5,000 servers in Germany, 10,000
servers in Canada, and 1,500 servers in Singapore. You want to manage target servers and avoid
complex firewall rules. How many CPMs should you deploy?

Answer 95

B. 3 total, 1 per data center

Question 96

What is a step to enable NTP synchronization on a stand-alone Vault?

Answer 96

C. Edit dbparm.ini and add a Firewall rule for the NTP address.

Question 97

What are the basic network requirements to deploy a CPM server?

Answer 97

A. Port 1858 to Vault and Port 443 to PVWA

Question 98

You want to change the name of the PVWAappuser of the second PVWA server.

Answer 98

D. Rename user in PrivateArk
E. Create new cred file for user

Question 99

Which statements are correct about the PSM HTML5 gateway? (Choose two.)

Answer 99

B. It does not support connections to target system where NLA is enabled on the PSM server
D. Printer redirection cannot be enabled

Question 100

A customer has five PVWA servers. Three are located at the primary data center and the remaining twoare at a satellite data center.

Answer 100

A. It must not alter page content, or should include a mechanism to prevent pages from being altered.
B. It must support “sticky sessions”

Question 101

A new domain controller has been added to your domain. You need to ensure the CyberArk
infrastructure can use the new domain controller for authentication. Which locations must you update?

Answer 101

A. on the Vault server in C:\Windows\System32\drivers\etc\hosts and in the PVWAApplication under
Administration > LDAP Integration > Directories > Hosts

Question 102

You are beginning the post-install process after a manual PSM installation is completed.

Answer 102

A. Disable screen saver for the PSM local users.

Question 103

As Vault Admin, you have been asked to enable your organization’s CyberArk users to authenticate
using LDAP.

Answer 103

• B. Manage Directory Mapping

Question 104

Which user is enabled when replicating data between active and stand-by Vaults?

Answer 104

A. DR

Question 105

This value needs to be added to the PVWA configuration file:
Assuming all CyberArk PVWA servers were installed using default paths/folders, which configuration fileshould you locate and edit to accomplish this?

Answer 105

A. c:\inetpub\wwwroot\passwordvault\web.config

Question 106

A customer has five main data centers with one PVWA in each center under different URLs.

Answer 106

D. Load balance all PVWAs under same URL.

Question 107

What is the recommended method to determine if a PVWA is unavailable and should be disabled in a
load balancing pool?

Answer 107

B. Monitor Port 1858 on the PVWA server

Question 108

For redundancy, you want to add a secondary RADIUS server.
What must you do to accomplish this?

Answer 108

C. Open the DBParm.ini on the Vault server. Add the second RADIUS server configuration settings
after the first one, separated by a comma.

Question 109

Which parameter must be provided when registering a primary Vault in Azure, but not in Amazon Web
Services?

Answer 109

D. /RDPGateway

Question 110

Which component must be installed before the first CPM installation?

Answer 110

C. PVWA

Question 111

You are setting up a Linux host to act as an HTML 5 gateway for PSM sessions.

Answer 111

A. PSM and PVWA

Question 112

What is a requirement for setting fault tolerance for PSMs?

Answer 112

A. Use a load balancer

Question 113

A customer asked you to help scope the company’s PSM deployment.
What should be included in the scoping conversation?

Answer 113

C. Recordings retention period

Question 114

A customer has three data centers distributed globally and wants highly-available PSM connections in
each segmented zone. In addition, the customer needs a highly-available PSM connection for the
CyberArk Admins.
What will best satisfy this customer’s needs?

Answer 114

C. two PSMs per zone with a load balancer and two PSMs for Admins with a dedicated load balancer

Question 115

A customer has two data centers and requires a single PVWA url.
Which deployment provides the fastest time to reach the PVWA and the most redundancy?

Answer 115

D. Deploy two PVWAs using DNS round robin.

Question 116

What is determined by the “MaxConcurrentConnections” setting within a platform?

Answer 116

A. maximum number of concurrent connections that can be opened between the CPM and the remotemachines for the platform

Question 117

If a customer has one data center and requires fault tolerance, how many PVWAs should be deployed?

Answer 117

A. two or more

Question 118

You are installing multiple PVWAs behind a load balancer.
Which statement is correct?

Answer 118

C. The load balancer must support “sticky sessions”.

Question 119

What is a prerequisite step before installing the Vault on Windows 2019?

Answer 119

B. Check that the server IP address is correctly configured and that it is static

Question 120

After installing the first PSM server and before installing additional PSM servers, you must ensure the
user performing the installation is not a direct owner of which safe?

Answer 120

A. PSMUnmanagedSessionAccounts Safe