PAM-SEN V2 Flashcards
After a PSM session is complete, the PSM server uploads the recording to the Vault for long-term
storage.
A. TRUE
By default, the vault secure protocol uses which IP port and protocol?
A. TCP/1858
What is the best practice for storing the Master CD?
C. Store the CD in a secure location, such as a physical safe.
What utility is used to create or update a credential file?
A. CreateCredFile.exe
You are successfully managing passwords in the alpha.cyberark.com domain; however, when you
attempt to manage a password in the beta.cyberark.com domain, you receive the ‘network path not
found’ error. What should you check first?
B. That the CPM can successfully resolve addresses in the beta.cyberark.com domain.
What is the name of the account used to establish the initial RDP session from the end user client
machine to the PSM server?
A. PSMConnect
To apply a new license file you must:
A. Upload the license.xml file to the System Safe.
At what point is a transparent user provisioned in the vault?
C. The first time the user logs in.
Which of the following are supported authentication methods for CyberArk? Check all that apply.
A. CyberArk Password (SRP)
B. LDAP
C. SAML
D. PKI
E. RADIUS
F. OracleSSO
The security of the Vault Server is entirely dependent on the security of the network.
B. FALSE
What would be a good use case for the Disaster Recovery module?
C. Off site replication is required.
Which is the correct order of installation for PAS components?
A. Vault, CPM, PVWA, PSM
The RemoteApp feature of PSM allows seamless Application windows (i.e., the Desktop of the PSM
server will not be visible).
A. TRUE
Does CyberArk need service accounts on each server to change passwords?
D. No, the CPM uses the account information stored in the vault to login and change the account’s
password using its own credentials.
Which of the following protocols need to be installed on a standalone vault server? Check all that apply.
D. Internet Protocol version 4 (TCP/IPv4)
Which of the following are prerequisites for installing PVWA?
A. Web Services Role
In order to retrieve data from the vault a user MUST use an interface provided by CyberArk.
A. TRUE
Name two ways of viewing the ITAlog:
A. Log into the vault locally and navigate to the Server folder under the PrivateArk install location.
C. Access the System Safe from the PrivateArk client.
Which CyberArk component changes passwords on Target Devices?
B. CPM
In an SMTP integration it is possible to use the fully-qualified domain name (FQDN) when specifying the SMTP server address(es).
B. FALSE
The PrivateArk client allows a user to view the contents of the vault like a filesystem.
A. TRUE
Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? Choose all that apply.
A. Store the CD in a physical safe and mount the CD every time vault maintenance is performed
C. Copy the contents of the CD to a folder on the vault server and secure it with NTFS permissions.
D. Store the server key in a Hardware Security Module.
The Remote Desktop Services role must be properly licensed by Microsoft.
A. TRUE
Which file would you modify to configure your Vault Server to forward Activity Logs to a SIEM or
SYSLOG server?
A. dbparm.ini
Which keys are required to be present in order to start the PrivateArk Server Service?
A. Server Key
You are installing a CPM.
In addition to Add Safes, Add/Update Users, Reset Users' Passwords and Manage Server File
Categories, which Vault authorization(s) does a CyberArk user need to install the CPM?
B. Activate Users
You are configuring SNMP remote monitoring for your organization's Vault servers.
In the PARAgent.ini, which parameter specifies the destination of the Vault SNMP traps?
A. SNMPHostIP
In which configuration file do you add LoadBalancerClientAddressHeader when you enable x-forwarding on the PVWA load balancer?
B. web.config
You want to improve performance on the CPM by restricting accounts for the CYBRWINDAD platform to only the WINDEMEA and WINDEMEA_Admin safes. How do you set this in CyberArk?
A. In the CYBRWINDAD platform, under Automatic Password Management/General, configure
AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN).
Before the hardening process, your customer identified a PSM Universal Connector executable that will
be required to run on the PSM. Which file should you update to allow this to run?
A. PSMConfigureAppLocker.xml
How should you configure PSM for SSH to support load balancing?
A. by using a network load balancer
In which configuration file on the Vault can filters be configured to either include or exclude log
messages that are sent through SNMP?
A. PARAgent.ini
A first PSM server has been installed. What should you confirm before installing any additional PSM servers?
C. The user performing the installation is not a direct owner in the PSMUnmanagedSessionAccounts
Safe
During the PSM installation process, Safes and a User are created.
In addition to Add Safes, Add/Update Users, Reset Users' Passwords, and Activate Users, which
authorization(s) does the Vault user installing the PSM need to enable them to be successfully created?
B. Manage Server File Categories
Your customer wants to store the Safes Data on Vault Drive D instead of Drive C. Which file should you edit?
A. TSparm.ini
What must you do to prepare a Windows server for PVWA installation?
A. In the InstallationAutomation folder, run the PVWA_Prerequisites.ps1 file as an administrator in
Powershell.
Which statement about REST API is correct? (Choose two.)
A. When a user successfully authenticates to the Vault, an authentication token is returned.
D. Each REST API call requires that a valid authentication token be provided.
HTML5 Gateway can be installed on which supported UNIX OS versions? (Choose two.)
A. Red Hat Enterprise Linux 7.x
B. CentOS 7.x
C. Ubuntu 20.x
Which utility should be used to register the Vault in Amazon Web Services?
A. CAVaultManager
You are configuring the Vault to send syslog audit data to your organization's SIEM solution. What is a valid value for the SyslogServerProtocol parameter in DBPARM.INI file?
A. TLS
When creating a distributed Vault environment architecture, what is the maximum number of Vault
servers that can be deployed?
C. 6 - 1 primary and 5 satellite
Arrange the steps to complete CPM Hardening for Out-of-Domain Deployment in the correct sequence
2 - a. Open Powershell as Administrator and run the script
3 - b. Review these script logs: HardeniningScript.log and CYBRHardeningsecedit.log.
1 - c. Locate the CPM_Hardening.ps1 script in the installation media.
To enable LDAP over SSL for a Vault when DNS lookups are blocked, which step must be completed?
A. Add the FQDN & IP details for each LDAP host into the local hosts file of the Vault server.
In which file must the attribute “SignAuthnRequest="true"” be added to the PartnerIdentityProvider
element to support signed SAML requests?
A. saml.config
A customer is moving from an on-premises to a public cloud deployment. What is the best and most cost-effective option to secure the server key?
C. Install the Vault using the native cloud images and secure the server key using native cloud Key
Management Systems.
Your customer upgraded recently to version 12.2 to allow the Linux team to use the new MFA caching
feature. The PSM for SSH was installed with default configuration settings. After setting the
Authentication to SSH key and enabling MFA Caching from the PVWA interface, the Linux Team cannot
connect successfully using the new MFA caching feature. What is the most probable cause?
A. OpenSSH 7.8 or above is not installed.
Which service must be set to Automatic (delayed start) after the Vault is installed and configured?
A. Windows Time service
You want to add an additional maintenance user on the PSM for SSH.
How can you accomplish this if InstallCyberarkSSHD is set to Yes or No?
B. Create a local user called proxymng<number>.
Which SMTP address can be set on the Notification Settings page to re-invoke the ENE setup wizard
after the initial Vault installation?
D. 1.1.1.1
CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain
account ACME/linuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145. What is the correct syntax?
B. ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145
In addition to bit rate and estimated total duration of recordings per day, what is needed to determine
the amount of storage required for PSM recordings?
A. retention period
Which components can connect to a satellite Vault in a distributed Vault architecture?
B. PVWA, PSM
You are installing PSM for SSH with AD-Bridge and CyberArkSSHD mode set to integrated for your
customer. Which additional packages do you need to install to meet the customer's needs? (Choose two.)
A. CARKpsmp-infra
B. libssh
Which component should be installed on the Vault if Distributed Vaults are used with PSM?
A. RabbitMQ
What is the default username for the PSM for SSH maintenance user when InstallCyberarkSSHD is set to yes?
A. proxymng
Which parameter must be identical for both the Identity Provider (IdP) and the PVWA?
C. IdP “Audience” and “ServiceProviderName” in the PVWA saml.config file
All 80 employees from your satellite Tokyo office are complaining that browsing the PVWA site is very
slow; however, your New York headquarters users are not experiencing this. The current PAM solution
is:
2 distributed Vaults, the primary one in New York and a satellite in Tokyo
2 PVWA servers, both in New York with load balancing configured
2 PSM servers, both in New York without load balancing configured
1 CPM server in New York
All PVWA, PSM, and CPM servers are connected to the primary Vault
Which proposal optimally resolves the performance issue while minimizing the impact to production?
A. Install two new PVWA servers in Tokyo data center, configure load balancing, connect to the local
satellite Vault and provide the URL of new PVWA servers to the local employees.
You have been asked to limit a platform called “Windows_Servers” to safes called “WindowsDC1” and
“WindowsDC2”. The platform must not be assigned to any other safe. What is the correct way to accomplish this?
A. Edit the “Windows_Servers” platform, expand “Automatic Password Management”, then select
General and modify “AllowedSafes” to be (WindowsDC1)|(WindowsDC2).
The account used to install a PVWA must have ownership of which safes? (Choose two.)
A. VaultInternal
D. Notification Engine
Arrange the steps to install the Password Vault Web Access (PVWA) in the correct sequence.
2 - A) Run the PVWAInstallation.ps1 script in Powershell as Administrator.
1 - B) Run the PVWA_Prerequisites.ps1 script in Powershell as Administrator.
3 - C) Run the PVWARegisterComponent.ps1 script with the Vault password and run the
PVWA_Hardening.ps1 script in Powershell as Administrator.
Which configuration file and Vault utility are used to migrate the server key to an HSM?
A. DBparm.ini and CAVaultManager.exe
There is a requirement for a password to change between 01:00 and 03:00 on Saturdays and Sundays;
however, this does not work consistently. Which platform setting may be the cause?
A. The Interval setting for the platform is incorrect and must be less than 120.
What must you do to synchronize a new Vault server with an organization's NTP server?
A. Configure an AllowNonStandardFWAddresses rule for the organization's NTP server in DBParm.ini
on the Vault server.
You need to add a new PSM server to an existing CyberArk environment. What is the best way to determine the sizing of this server?
A. Review the “Recommended Server Specifications” for PSMs in the CyberArk Documents website.
Which file must you edit to ensure the PSM for SSH server is not hardened automatically after
installation?
C. psmpparms
When integrating a Vault with HSM, which file is uploaded to the HSM device?
A. server.key
What is a prerequisite step before CyberArk can be configured to support RADIUS authentication?
B. In the RADIUS server, define the CyberArk Vault as a RADIUS client/agent.
A customer wants to store PSM recordings for 100 days and estimates they will have 10 Windows
sessions per day for 100 minutes each. What is the minimum storage required for the Vault and PAReplicate for the PSM recordings?
A. 25 GB
In large-scale environments, it is important to enable the CPM to focus its search operations on specific Safes instead of scanning all Safes it sees in the Vault. How is this accomplished?
B. AllowedSafe Parameter on each platform policy
In addition to disabling Windows services or features not needed for PVWA operations, which tasks
does PVWA_Hardening.ps1 perform when run? (Choose two.)
A. performs IIS hardening
E. imports the CyberArk INF configuration
When SAML authentication is used to sign in to the PVWA, which service performs the actual
authentication?
B. Identity Provider (IdP)
Which components support load balancing? (Choose two.)
B. PVWA
C. PSM
Which method can be used to directly authenticate users to PSM for SSH? (Choose three.)
A. CyberArk authentication
B. LDAP authentication
C. RADIUS authentication
You are designing the number of PVWAs a customer must deploy. The customer has three data centers with a distributed Vault in each, requires high availability, and wants to use all Vaults at all times. How many PVWAs does the customer need?
A. six or more
After installing the Vault, you need to allow Firewall Access for Windows Time service to sync with NTP servers 10.1.1.1 and 10.2.2.2. What should you do?
A. Edit DBParm.ini to add:
AllowNonStandardFWAddresses=[10.1.1.1,10.2.2.2],Yes,123:outbound/udp.
Which command should be executed to harden a Vault after registering it to Azure?
A. HardenAzureFW.ps1
Which files does the Vault Installation Wizard prompt you for during the Vault install?
A. Operator CD and License
Which statement is correct about a post-install hardening?
C. It is executed after Vault installation by running CAVaultHarden.exe and hardening options can be
edited by changing the Hardening.ini file.
As a member of a PAM Level-2 support team, you are troubleshooting an issue related to load
balancing four PVWA servers at two data centers. You received a note from your Level-1 support team stating “When testing PVWA website from a workstation, we noticed that the ‘Source IP of last sign-in’
was shown as the VIP (Virtual IP address) assigned to the four PVWA servers instead of the workstation IP where the PVWA site was launched from.”
Which step should you take?
A. Verify the “LoadBalancerClientAddressHeader” parameter setting in PVWA configuration file
Web.config is set to “X-Forwarded-For”.
You are installing the HTML5 gateway on a Linux host using the RPM provided.
After installing the Tomcat webapp, what is the next step in the installation process?
A. Deploy the HTML5 service (guacd)
What is required before the first CPM can be installed?
A. The environment must have at least one Vault and one PVWA installed
When configuring RADIUS authentication, which utility is used to create a file containing an encrypted
version of the RADIUS secret?
A. CAVaultManager
What is the purpose of the CPM_Preinstallation.ps1 script included with the CPM installation package?
D. It verifies the .NET version installed on the server and sets the IIS SSL TLS server configuration.
Which tools are used during a CPM renaming process? (Choose two.)
A. APIKeyManager Utility
B. CreateCredFile Utility
When performing “In Domain” hardening of a PSM server, which steps must be performed? (Choose
two.)
A. Import CyberArk policy settings from the provided file into a new GPO.
C. Link GPO to a dedicated OU containing CyberArk PSM servers.
Which step is required to register a Vault manually in Amazon Web Services using CAVaultManager?
C. Specify the Cloud region using the /CloudRegion flag
What authentication methods can be implemented to enforce Two-Factor Authentication (2FA) for users authenticating to CyberArk using both the PVWA (through the browser) and the PrivateArk Client?
A. LDAP and RADIUS
Which pre-requisite step must be completed before installing a Vault?
B. Install a clean operating system.
Which browser is supported for PSM Web Connectors developed using the CyberArk Plugin Generator
Utility (PGU)?
B. Google Chrome
What is a valid combination of primary and secondary layers of authentication to a company’s two-factor authentication policy?
A. RSA SecurID Authentication (in PVWA) and LDAP Authentication
You want to add an additional maintenance user on the PSM for SSH.
C. Create a local user and add it to group configured for the parameter AllowGroups in the
/etc/sshd_config file.
Which authentication methods does PSM for SSH support?
D. CyberArk Password, LDAP, RADIUS
Which statement is correct about CPM behavior in a distributed Vault environment?
A. CPMs should only access the primary Vault. When it is unavailable, CPM cannot access any Vault
until another Vault is promoted as the new primary Vault.
What is the purpose of the PSM health check hardening?
A. Remove IIS settings which can be considered security vulnerabilities.
A customer’s environment has three data centers consisting of 5,000 servers in Germany, 10,000
servers in Canada, and 1,500 servers in Singapore. You want to manage target servers and avoid
complex firewall rules. How many CPMs should you deploy?
B. 3 total, 1 per data center
What is a step to enable NTP synchronization on a stand-alone Vault?
C. Edit dbparm.ini and add a Firewall rule for the NTP address.
What are the basic network requirements to deploy a CPM server?
A. Port 1858 to Vault and Port 443 to PVWA
You want to change the name of the PVWAappuser of the second PVWA server.
D. Rename user in PrivateArk
E. Create new cred file for user
Which statements are correct about the PSM HTML5 gateway? (Choose two.)
B. It does not support connections to target system where NLA is enabled on the PSM server
D. Printer redirection cannot be enabled
A customer has five PVWA servers. Three are located at the primary data center and the remaining two are at a satellite data center.
A. It must not alter page content, or should include a mechanism to prevent pages from being altered.
B. It must support “sticky sessions”
A new domain controller has been added to your domain. You need to ensure the CyberArk
infrastructure can use the new domain controller for authentication. Which locations must you update?
A. on the Vault server in C:\Windows\System32\drivers\etc\hosts and in the PVWA Application under
Administration > LDAP Integration > Directories > Hosts
You are beginning the post-install process after a manual PSM installation is completed.
A. Disable screen saver for the PSM local users.
As Vault Admin, you have been asked to enable your organization’s CyberArk users to authenticate
using LDAP.
B. Manage Directory Mapping
Which user is enabled when replicating data between active and stand-by Vaults?
A. DR
This value needs to be added to the PVWA configuration file:
Assuming all CyberArk PVWA servers were installed using default paths/folders, which configuration file should you locate and edit to accomplish this?
A. c:\inetpub\wwwroot\passwordvault\web.config
A customer has five main data centers with one PVWA in each center under different URLs.
D. Load balance all PVWAs under same URL.
What is the recommended method to determine if a PVWA is unavailable and should be disabled in a
load balancing pool?
B. Monitor Port 1858 on the PVWA server
For redundancy, you want to add a secondary RADIUS server.
What must you do to accomplish this?
C. Open the DBParm.ini on the Vault server. Add the second RADIUS server configuration settings
after the first one, separated by a comma.
Which parameter must be provided when registering a primary Vault in Azure, but not in Amazon Web
Services?
D. /RDPGateway
Which component must be installed before the first CPM installation?
C. PVWA
You are setting up a Linux host to act as an HTML 5 gateway for PSM sessions.
A. PSM and PVWA
What is a requirement for setting fault tolerance for PSMs?
A. Use a load balancer
A customer asked you to help scope the company’s PSM deployment.
What should be included in the scoping conversation?
C. Recordings retention period
A customer has three data centers distributed globally and wants highly-available PSM connections in
each segmented zone. In addition, the customer needs a highly-available PSM connection for the
CyberArk Admins.
What will best satisfy this customer’s needs?
C. two PSMs per zone with a load balancer and two PSMs for Admins with a dedicated load balancer
A customer has two data centers and requires a single PVWA url.
Which deployment provides the fastest time to reach the PVWA and the most redundancy?
D. Deploy two PVWAs using DNS round robin.
What is determined by the “MaxConcurrentConnections” setting within a platform?
A. maximum number of concurrent connections that can be opened between the CPM and the remote machines for the platform
If a customer has one data center and requires fault tolerance, how many PVWAs should be deployed?
A. two or more
You are installing multiple PVWAs behind a load balancer.
Which statement is correct?
C. The load balancer must support “sticky sessions”.
What is a prerequisite step before installing the Vault on Windows 2019?
B. Check that the server IP address is correctly configured and that it is static
After installing the first PSM server and before installing additional PSM servers, you must ensure the
user performing the installation is not a direct owner of which safe?
A. PSMUnmanagedSessionAccounts Safe