Quiz For Cyberark's Cau302: Defender + Sentry (Over 230 Questions In Quiz Engine)

1. Reports can be scheduled to run on a periodic basis.

True

False

2. The vault provides a tamper-proof audit trail.

True

False

3. The best practice for storing the Master CD is to store the CD in a secure location, such as a physical safe.

True

False

4. Which CyberArk component changes passwords on Target Devices?

PVWA

CPM

PSM

Vault

5. CyberArk recommends two-factor authentication, preferably over RADIUS, for increased Vault security.

True

False

EXPLANATION for Answer: Please, review CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Security/Security%20Fundamentals-Introduction.htm

Explanation

EXPLANATION for Answer: Please, review CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Security/Security%20Fundamentals-Introduction.htm

6. Password Vault Web Access is an ASP .NET application, deployed on IIS Server (WebServer).

True

False

7. Remote Desktop Session host needs a client access license (CAL).

True

False

8. Which Built-In group grants access to the ADMINISTRATION page?

PVWAMonitor

PVWAUsers

Auditors

Vault Admins

9. Using the SSH Key Manager it is possible to allow CPM to manage SSH Keys similarly to passwords.

True

False

10. PSM captures a record of each command that was executed in Unix.

True

False

11. PSM captures a record of each command that was issued in SQL Plus.

True

False

12. Auto-Detection can be configured to leverage LDAP/S.

True

False

13. Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI)

True

False

14. The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability).

True

False

15. One time passwords reduce the risk of Pass the Hash vulnerabilities in Windows.

True

False

16. In order to retrieve data from the vault a user MUST use an interface provided by CyberArk.

True

False

17. The Remote Desktop Services role must be properly licensed by Microsoft.

True

False

18. The vault supports a number of dual factor authentication methods.

True

False

19. A vault admin received an email notification that a password verification process has failed, which service sent the message?

The PrivateArk Server Service on the Vault.

The CyberArk Password Manager service on the Components Server.

The CyberArk Event Notification Engine Service on the Vault.

The CyberArk Privileged Session Manager service on the Vault.

20. The primary purpose of the PSM server is Password Management.

True

False

21. In the vault each password is encrypted with a unique encryption key.

True

False

22. The CreateCredFile.exe utility is used to create or update a credential file.

True

False

23. CyberArk supports role based access control?

True

False

24. The Privileged Session Manager SSH Proxy (PSMP) should be installed on the Vault server.

True

False

EXPLANATION for Answer: The PSMP must be installed on a dedicated machine, thus, not shared with other CyberArk products, that has access to the Vault and to the target systems.

Explanation

EXPLANATION for Answer: The PSMP must be installed on a dedicated machine, thus, not shared with other CyberArk products, that has access to the Vault and to the target systems.

25. DNS must be enabled on the Digital Vault Server.

True

False

EXPLANATION for Answer: To maintain the security and integrity of the Digital Vault, CyberArk requires complete isolation to prevent Command and Control (C2) channels. Thus, DNS must NOT be enabled on the Digital Vault Server. DNS is known to be used by threat actors as a covert channel to bypass network segmentation and utilize internal resources as an outside interface.

Explanation

EXPLANATION for Answer: To maintain the security and integrity of the Digital Vault, CyberArk requires complete isolation to prevent Command and Control (C2) channels. Thus, DNS must NOT be enabled on the Digital Vault Server. DNS is known to be used by threat actors as a covert channel to bypass network segmentation and utilize internal resources as an outside interface.

26. The Digital Vault Server must be built from the original Microsoft installation media, and no third-party software, such as anti-virus or remote management solutions, must be installed.

True

False

EXPLANATION for Answer: To avoid the potential for untrusted operating system components or the inadvertent introduction of third-party software, it is important that the Digital Vault Server be built from trusted original media. Any third-party software installed on the Digital Vault Server introduces risks not present in a standard, secure configuration. Such risks include: The opening of firewall ports, which introduce additional external attack vectors. Security vulnerabilities, potentially present in any third-party software, can create pivot points and introduce new attack vectors. Operational risks, including an impact to server availability, stemming from conflict between internal components of the Digital Vault and third-party software. Such conflicts often delay troubleshooting, which impacts CyberArk’s support SLAs and increase the time to resolution.

Explanation

EXPLANATION for Answer: To avoid the potential for untrusted operating system components or the inadvertent introduction of third-party software, it is important that the Digital Vault Server be built from trusted original media. Any third-party software installed on the Digital Vault Server introduces risks not present in a standard, secure configuration. Such risks include: The opening of firewall ports, which introduce additional external attack vectors. Security vulnerabilities, potentially present in any third-party software, can create pivot points and introduce new attack vectors. Operational risks, including an impact to server availability, stemming from conflict between internal components of the Digital Vault and third-party software. Such conflicts often delay troubleshooting, which impacts CyberArk’s support SLAs and increase the time to resolution.

27. You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to verify the root account's password the CPM will…

Ignore the logon account and attempt to log in as root.

Prompt the end user with a dialog box asking for the login account to use.

None of these.

28. The System safe allows access to the Vault configuration files.

True

False

29. The Password upload utility can be used to create safes.

True

False

30. When managing SSH keys, CPM automatically pushes the Public Key to the target system.

True

False

EXPLANATION for Answer: CPM automatically pushes the Public Key to the target system. CPM automatically pushes the Private Key to the vault. Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49.

Explanation

EXPLANATION for Answer: CPM automatically pushes the Public Key to the target system. CPM automatically pushes the Private Key to the vault. Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49.

31. The Application Inventory report is related to AIM.

True

False

32. Multiple PSM Servers can be load balanced.

True

False

33. What is the purpose of the PrivateArk Database service?

Maintains Vault metadata.

Communicates with components.

Sends email alerts from the vault ID.

Executes password changes

34. The primary purpose of the CPM is Password Management.

True

False

35. You can change the vault license by uploading the new license to the system safe.

True

False

36. The PrivateArk client allows a user to view the contents of the vault like a filesystem.

True

False

37. The RemoteApp feature of PSM allows seamless Application windows (i.e. the Desktop of the PSM server will not be visible).

True

False

38. Which of the following protocols need to be installed on a standalone vault server?

SSH with CORE

Internet Protocol Version 6 (TCP/IPv6)

Putty

Internet Protocol Version 4 (TCP/IPv4)

39. The AllowedSafes parameter allows a regular expression that lists the safes that the target platform policy can be applied to.

True

False

40. Application inventory is related to AIM.

True

False

41. The Password Upload utility can be used to create safes.

True

False

42. To connect to a Windows server through PVWA, RDP is utilized.

True

False

43. To connect to a Unix server through PVWA, SSH is utilized.

True

False

44. Use the _____ to find and detect all the SSH Keys in your organization, and display the trusts relationships formed by SSH Keys between all the machines in the organization.

EXPLANATION for Answer: To learn more, read more about CyberArk's SSH Keys Lifecycle Management.

Explanation

EXPLANATION for Answer: To learn more, read more about CyberArk's SSH Keys Lifecycle Management.

Submit

45. CyberArk's PrivateArk Command Line Interface (PACLI) can be used to perform quick Vault-level functions without logging in to the PrivateArk client.

True

False

46. If a password is changed manually on a server, bypassing the CPM, how would you configure the account so that the CPM could resume management automatically?

Configure the Provider to change the password to match the Vault’s Password.

Associate a reconcile account and configure the platform to reconcile automatically.

Associate a logon account and configure the platform to reconcile automatically.

Run the correct auto detection process to rediscover the password.

47. A Reconcile Account can be specified in the platform settings.

True

False

48. In order to retrieve data from the vault a user MUST use an interface provided by CyberArk.

True

False

49. In order to avoid conflicts with the hardening process, third-party applications like Antivirus and Backup Agents should be installed on the Vault server before installing the Vault.

True

False

50. Multiple PVWA servers are always all active.

True

False

51. Tsparm.ini is the main configuration file for the vault.

True

False

52. After a PSM session is complete, the PSM server uploads the recording to the Vault for long-term storage.

True

False

53. What is the name of the account used to establish the initial RDP session from the end user client machine to the PSM server?

PSMConnect

PSMAdminConnect

PSM

The credentials the end user retrieved from the vault.

54. With Automatic Installation, you can use the PAS deployment scripts provided with the installation package to automatically install and deploy the Core PAS components on multiple servers, according to your organizational requirements.

True

False

55. Does CyberArk need service accounts on each server to change passwords?

Yes, it requires a domain administrator account to change any password on any server.

Yes, it requires a local administrator account on any Windows server and a root level account on any Unix server.

No, the passwords are changed by the Password Provider Agent.

56. A standalone Vault server requires DNS services to operate properly.

True

False

57. By default, the vault secure protocol uses which IP port and protocol.

TCP/1858

UTP/4848

UTP/1858

TCP/4848

58. In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems. What is the best way to allow CPM to manage accounts?

Configure the Unix system to allow SSH logins.

Configure the CPM to allow SSH logins.

59. It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

True

False

60. The Master Account and Master CD should be used only when either the Vault Administrator is locked out or the Vault Administrator has forgotten the password.

True

False

61. One can create exceptions to the Master Policy based on _____________.

Safes

Platforms

Policies

Accounts

62. What is the purpose of the HeadStartInterval setting in a platform?

It determines how far in advance audit data is collected for reports.

It instructs the CPM to initiate the password change process X number of days before expiration.

It instructs that AIM Provider to ‘skip the cache’ during the defined time period.

It alerts users of upcoming password changes x number of days before expiration.

EXPLANATION for Answer: The number of days before the password expires (according to the ExpirationPeriod parameter) that the CPM will initiate a password change process. This parameter is not relevant if the policy will be applied to a member of the account group.

Explanation

EXPLANATION for Answer: The number of days before the password expires (according to the ExpirationPeriod parameter) that the CPM will initiate a password change process. This parameter is not relevant if the policy will be applied to a member of the account group.

63. A Logon Account can be specified in the Master Policy.

True

False

64. Which one of the following reports is NOT generated by using PVWA?

Privileged Accounts Inventory

Applications Inventory

Safes List

Privileged Accounts Compliance Status

65. It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

True

False

66. Which report provides a list of accounts stored in the vault?

Privileged Account Inventory

Privileged Accounts Compliance Status

Entitlement Report

Activity Log

67. When managing SSH keys, CPM automatically pushes the Private Key to all target systems that use it.

True

False

EXPLANATION for Answer: FALSE, because even though CPM automatically pushes the Private Key it is NEVER to the target system. Rather, the CPM automatically pushes the Private Key to the vault. Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49.

Explanation

EXPLANATION for Answer: FALSE, because even though CPM automatically pushes the Private Key it is NEVER to the target system. Rather, the CPM automatically pushes the Private Key to the vault. Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49.

68. It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe.

True

False

69. What conditions must be met in order to log into the Vault as the Master user? (select all that apply)

Logon must be originated from the console of the Vault server or an EmergencyStation defined in DBParm.ini

User must provide the correct master password.

Logon requires the Recovery Private Key to be accessible to the vaults.

Logon must satisfy a challenge response request.

Submit

70. CyberArk implements license limits by controlling the number and types of users that can be provisioned in the vault.

True

False

71. To on-board Linux accounts using the Account Discovery utility, a CSV file can be uploaded.

True

False

72. Within the Vault each password is encrypted by

The Server Key

The Recovery Public Key

The Recovery Private key

Its own unique key.

73. Prior to v10.7, which is the correct order of installation for PAS (Privileged Account Security) components?

Vault. CPM. PVWA. PSM.

CPM. Vault. PSM. PVWA.

Vault. CPM. PSM. PVWA.

PVWA. Vault. CPM. PSM.

74. PSM requires the Remote Desktop Session Host role service.

True

False

75. What is the purpose of the CyberArk Event Notification Engine service?

Sends email messages from the vault

Sends email messages from the CPM

Processes audit reports

Make Vault data available to components

76. The vault server uses a modified version of the Microsoft Windows firewall service.

True

False

EXPLANATION for Answer: The firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file

Explanation

EXPLANATION for Answer: The firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file

77. What is the purpose of the PrivateArk Server service?

Executes password changes

Makes vault data accessible to components

Maintains vault metadata

Sends email alert from the Vault

78. Parameters for the SIEM path is in the DBParm.ini.

True

False

79. What is the purpose of the password Reconcile process?

To test that CyberArk is storing accurate credentials for accounts.

To change the password of an account according to organizationally defined password rules.

To allow CyberArk to manage unknown or lost credentials.

To generate a new complex password.

80. Which of these is not a report generated by the PVWA:

Accounts Inventory

Application Inventory

Safes List

Compliance Status

81. To connect to a Windows server through PVWA, SSH is utilized.

True

False

EXPLANATION for Answer: To connect to a Windows server through PVWA it does so using RDP, NOT SSH. SSH is used to connect to a Unix server.

Explanation

EXPLANATION for Answer: To connect to a Windows server through PVWA it does so using RDP, NOT SSH. SSH is used to connect to a Unix server.

82. Due to the complexity of controlling and managing SSH Keys they pose an even greater risk than unmanaged privileged passwords.

True

False

83. Users within the PSMLiveSessions safe may view the PSM live monitoring feature in an environment with multiple PVWAs.

True

False

84. Dual Control is one of the foundations of Information Security as it is based upon the premise that, for a breach to be committed, then both parties would need to be in collusion and, because one should always alternate the pairs of people, it would require a much greater level of corruption in order to breach dual control procedures.

True

False

85. Users who have the 'Access Safe without confirmation' safe permission on a safe where accounts are configured for Dual Control, still need to request approval to use the account.

True

False

86. In Accounts Discovery, you can configure a Windows discovery to scan ______________.

As many OUs as you wish.

Up to three OUs.

Only one OU.

A number of OUs determined by the OUstoScan setting under the Account Feed section in the Administration tab.

87. Target account platforms can be restricted to accounts that are stored in specific Safes using the AllowedSafes property.

True

False

88. A Reconcile Account can be specified in the Master Policy.

True

False

89. The vault does NOT support Role Based Access Control.

True

False

90. Interval is the number of minutes that the CPM waits between loops when processing accounts associated with this platform.

True

False

91. During LDAP/S integration you should specify the Fully Qualified Domain Name (FQDN) of the Domain Controller.

True

False

92. Typically, Access control is implemented by the safes.

True

False

93. The vault server requires WINS services to work properly.

True

False

EXPLANATION for Answer: Windows Internet Name Service (WINS) is a legacy computer name registration and resolution service that maps computer NetBIOS names to IP addresses. If you do not already have WINS deployed on your network, do not deploy WINS on the Vault Server.

Explanation

EXPLANATION for Answer: Windows Internet Name Service (WINS) is a legacy computer name registration and resolution service that maps computer NetBIOS names to IP addresses. If you do not already have WINS deployed on your network, do not deploy WINS on the Vault Server.

94. The security of the Vault Server is entirely dependent on the security of the network.

True

False

95. The DR Vault is pingable when the CyberArk Disaster Recovery service is running.

True

False

96. The purpose of the password change process is to change the password according to organizational requirements.

True

False

97. The purpose of the password verification is to verify CyberArk is storing credentials correctly.

True

False

98. SIEM integration is a powerful tool to correlate Privileged Accounts and Privileged Activity.

True

False

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Integrating-with-SIEM-Applications.htm?Highlight=siem

Explanation

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Integrating-with-SIEM-Applications.htm?Highlight=siem

99. What is the purpose of the Activity Log?

100. The Dbparm.ini file, in the Server\Conf installation folder, contains the general parameters of the Vault database.

True

False

101. It is not possible to use the Microsoft Windows native client, Remote Desktop Connection, for RDP to target server.

True

False

EXPLANATION for Answer: It is possible to use the Microsoft Windows native client, Remote Desktop Connection, for RDP to a target server when a property value is properly configured. DisableRemoteApp needs to be set to No. To do this, login to PVWA and click Administration. Go to Options, and search for DisableRemoteApp, then update property value to No.

Explanation

EXPLANATION for Answer: It is possible to use the Microsoft Windows native client, Remote Desktop Connection, for RDP to a target server when a property value is properly configured. DisableRemoteApp needs to be set to No. To do this, login to PVWA and click Administration. Go to Options, and search for DisableRemoteApp, then update property value to No.

102. What is the maximum number of levels of authorizations you can set up in Dual Control?

1

2

3

4

103. If a user is a member of more than one group that has authorizations on a safe, by default that user is granted _______________.

The vault will not allow this situation to occur.

Only those permissions that exist on the group added to the safe first.

Only those permissions that exist in all groups to which the user belongs.

The cumulative permissions of all the groups to which that user belongs.

104. Which of the following options is NOT set in the Master Policy?

Password Expiration Time

Enabling and Disabling of the Connection Through the PSM

Password Complexity

The use of “One-Time-Passwords”

105. When managing SSH keys, CPM automatically stores the Private Key:

In the vault

In the target system

In the vault and target system

None of the available answers.

EXPLANATION for Answer: Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49 .

Explanation

EXPLANATION for Answer: Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm. Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49 .

106. ImmediateInterval is the number of minutes that will elapse between when the user initiates an account management process and when the process is performed.

True

False

107. In an SMTP integration it is recommended to use the fully-qualified domain name (FQDN) when specifying the SMTP server address(es).

True

False

108. The vault internal safe contains the configuration for an LDAP integration.

True

False

109. When a DR vault server becomes an active vault, it will automatically fail back to the original state once the primary vault comes back online.

True, this is the default behavior.

False, this is not possible.

True, if the ‘AllowFailback’ setting is set to Yes in the PADR.ini file.

True, if the ‘AllowFailback’ setting is set to Yes in the dbparm.ini file.

110. A Vault Administrator wants to change the PSM Server ID to comply with a naming standard, what is the process for changing the PSM Server ID?

None of the options are the correct procedure.

111. You can connect to remote systems and applications without knowing or specifying the required password or key?

True

False

EXPLANATION for Answer: It is possible with Privileged Single Sign-On.

Explanation

EXPLANATION for Answer: It is possible with Privileged Single Sign-On.

112. You can install the HTML5 Gateway for PSM on a dedicated machine or on the same machine as PSM for SSH.

True

False

EXPLANATION for Answer: See CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Install_PSM_HTML5.htm

Explanation

EXPLANATION for Answer: See CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Install_PSM_HTML5.htm

113. At what point is a transparent user provisioned in the vault?

When a directory mapping matching that user id is created.

When a vault admin runs LDAP configuration wizard.

The first time the user logs in.

During the vault’s nightly LDAP refresh.

114. Which default vault user is automatically able to access any safe?

Vault Admin

Master

Auditor

Backup

115. What is the purpose of the Entitlement Report?

116. Vault firewall rules can never be modified once applied.

True

False

EXPLANATION for Answer: Yes, the firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.EXPLANATION for Answer: Yes, the firewall rules can be modified through the dbparm.ini file.

Explanation

EXPLANATION for Answer: Yes, the firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.EXPLANATION for Answer: Yes, the firewall rules can be modified through the dbparm.ini file.

117. It is impossible to override Master Policy settings for a Platform.

True

False

EXPLANATION of Answer: It is possible to override the Master Policy through an exception.

Explanation

EXPLANATION of Answer: It is possible to override the Master Policy through an exception.

118. Which user is automatically given all Safe authorizations on all Safes?

Administrator

Master

Auditor

Operator

119. HA, DR, Replicate are mutually exclusive and cannot be used in the same environment.

True

False

EXPLANATION for Answer: While each of the components are mutually exclusive they CAN be used in the same environment.

Explanation

EXPLANATION for Answer: While each of the components are mutually exclusive they CAN be used in the same environment.

120. A Logon Account can be specified in the Platform settings.

True

False

121. The replicate module allows an integration with Enterprise Backup Software.

True

False

122. What would be a good use case for a High Availability vault?

Recovery Time Objectives or Recovery Point Objectives are at or near zero.

Integration with an Enterprise Backup Solution is required.

Off-site replication is required.

PSM is used.

123. Which file can be used to help monitor firewall rule changes for the vault server?

Padr.ini

Vault.ini

Dbparm.ini

Confi.ini

EXPLANATION for Answer: The firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.

Explanation

EXPLANATION for Answer: The firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.

124. When a safe is restricted for use during certain times a Vault Admin can still use the safe during those restricted times.

True

False

125. There are 2 types of backups: Continuous and Intermediate.

True

False

EXPLANATION for Answer: There are only 2 types of backups, however they are not called Continuous and Intermediate. One of the backups is Indirect backup, and is the recommended backup. Indirect backup is an install of the Replicate Utility in any of the Node - PSM, PVWA, CPM .. any domain server which is reachable to vault. The other backup is called a Direct backup, and is an install of the Replicate Utility directly on Vault Server.

Explanation

EXPLANATION for Answer: There are only 2 types of backups, however they are not called Continuous and Intermediate. One of the backups is Indirect backup, and is the recommended backup. Indirect backup is an install of the Replicate Utility in any of the Node - PSM, PVWA, CPM .. any domain server which is reachable to vault. The other backup is called a Direct backup, and is an install of the Replicate Utility directly on Vault Server.

126. As long as you are a member of the Vault Admins group you can grant any permission on any safe?

True

False

EXPLANATION for Answer: Being in Vault admins group only give you access to safes which are created during installation (safe created during installation process ) - This is clearly mentioned in documents.

Explanation

EXPLANATION for Answer: Being in Vault admins group only give you access to safes which are created during installation (safe created during installation process ) - This is clearly mentioned in documents.

127. It is possible to restrict the time of day, or day of week that password reconcile process occurs is managed in _______________.

PVWA -> Master Policy (aka Policies)

PVWA -> Administration -> Platform settings/management

PrivateArk client

PVWA -> Administration -> Configuration Options

128. What conditions must be met in order to log into the vault as the Master user? (select all that apply)

Logon must be originated from the console of the Vault server or an EmergencyStation defined in DBParm.ini

User must provide the correct master password

Logon requires the Recovery Private Key to be accessible to the vault

Logon must satisfy a challenge response request

Submit

129. The vault does support Role Based Access Control.

True

False

130. Account Discovery utility can be used to perform a scan for all domain joined Windows systems, and each account identified can be automatically on-boarded.

True

False

131. When attempting to connect to a platform and the connect button is NOT enabled (v10) or you receive error message "Java is not enabled on your browser" (v9), to connect you likely need to first update the Master Policy setting "Require privileged session monitoring and isolation" to Active.

True

False

132. It is possible for an Auditor to watch PSM sessions in real time.

True

False

133. The default authorizations on a safe allow the user to delete an account.

True

False

134. What is the primary reason for installing more than 1 active CPM?

Installing CPMs in multiple site prevents complex firewall rules to manage devices at remote sites.

Multiple instances create fault tolerance.

Multiple instances increase response time.

Having additional CPMs increases the maximum number of devices CyberArk can manage.

135. The TSParm.ini file, in the Server\Conf installation folder, contains the list of directories that can store Safes databases.

True

False

136. What value should be used in the field named Address to configure an LDAP connection through PVWA? Select the best answer.

IP Address

Hostname

DNS

Whatever value can be resolved.

137. Restricting the time of day, or day of week that a password change occurs is managed in _______________.

PVWA -> Master Policy (aka Policies)

PVWA -> Administration -> Platform settings/management

PrivateArk client

PVWA -> Administration -> Configuration Options

138. In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault?

TRUE.

FALSE. Because the user can also enter credentials manually using Secure Connect.

FALSE. Because if credentials are not stored in the vault, the PSM will log into the target device as PSMConnect.

FALSE. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

139. Which CyberArk components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts?

Discovery and Audit (DNA)

Auto Detection (AD)

Export Vault Data (EVD)

On Demand Privileges Manager (OPM)

Accounts Discovery

Submit

140. Name two ways of viewing the ITAlog:

Log into the vault locally and navigate to the Server folder under the PrivateArk install location.

Log into the PVWA and go to the Reports tab.

Access the System Safe from the PrivateArk client.

Go to the Third-party log directory on the CPM

Submit

141. Multiple PVWA servers provide automatic load balancing.

True

False

EXPLANATION for Answer: While multiple PVWA servers can be load balanced, it requires a manual configuration and is not automatic.

Explanation

EXPLANATION for Answer: While multiple PVWA servers can be load balanced, it requires a manual configuration and is not automatic.

142. Which of the following are supported authentication methods for CyberArk. Check all that apply.

LDAP

SAML

PKI

Radius

OracleSSO

RSA

Submit

143. A SIEM integration allows you to forward audit records to a monitoring solution.

True

False

144. When attempting to login to a linux server and it does NOT permit root account login, PermitRootLogin=No, use the Reconcile Account feature to seamlessly overcome the issue.

True

False

EXPLANATION for Answer: The Logon Account feature should be used to associate a logon account with the root account. The Reconcile Account feature is for when a primary account’s password is either not reconcilable or not known, so a secondary account that has more permissions is associated with the primary account and has permissions to reconcile the primary accounts password between the vault and the target system.

Explanation

EXPLANATION for Answer: The Logon Account feature should be used to associate a logon account with the root account. The Reconcile Account feature is for when a primary account’s password is either not reconcilable or not known, so a secondary account that has more permissions is associated with the primary account and has permissions to reconcile the primary accounts password between the vault and the target system.

145. Once the object level access control setting is checked, it can be unchecked at a later time.

True

False

146. To setup LDAP go to:

PVWA -> Administration -> LDAP Integration

PVWA -> LDAP Integration

PVWA -> Administration -> Configuration Options -> LDAP Integration

PVWA -> Policies -> Platform Settings -> LDAP Integration

147. PSM offers: (select all that apply)

Isolation: Isolates workstations/desktops from target machines thus preventing cyber attacks.

Control: Ensure accountability and control over privileged session with live monitoring, policies & workflows.

Monitoring: Recording of each session with compliance in mind and with zero footprint on target server.

Real-Time Storage: Real-time videos are simultaneously saved for immediate retrieval.

EXPLANATION for Answer: Videos are stored for retrieval ONLY after the real-time recording has concluded.

Explanation

EXPLANATION for Answer: Videos are stored for retrieval ONLY after the real-time recording has concluded.

Submit

148. Which report can be generated in both PVWA and PrivateArk?

Privileged Accounts Inventory

Active/Non-active Safes

Owners List

Entitlement Report

EXPLANATION for Answer: See CyberArk’s documentation: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Auditing-sessions.htm

Explanation

EXPLANATION for Answer: See CyberArk’s documentation: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Auditing-sessions.htm

149. Restricting the time of day, or day of week that a password verify process occurs is managed in _______________.

PVWA -> Master Policy (aka Policies)

PVWA -> Administration -> Platform settings/management

PrivateArk client

PVWA -> Administration -> Configuration Options

150. When on-boarding accounts using Account Feed, which of the following is true?

You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault.

You can specify the name of a new Platform that will be created and associated with the account.

Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.

151. Which file would you modify to configure your vault Server to forward Activity Logs to a SIEM or SYSLOG server.

Dbparm.ini

PARagent.ini

ENEConf.ini

Padre.ini

152. You are successfully managing passwords in the alpha.cyberark com domain; however when you attempt to manage a password in the beta.cyberark.com domain, you receive the 'network path not found* error What should you check first?

That the username and password are correct.

That the CPM can successfully resolve addresses in the beta cyberark com domain.

That the end user has the correct permissions on the safe.

That an appropriate trust relationship exists between alphaxyberark.com and beta.cyberark.com.

153. The connect button requires PSM to work.

True

False

154. The Administrator user has all vault authorizations but no access to data by default.

True

False

155. VAULT authorizations may be granted to ________________. (select all that apply.)

Vault Users

Vault Groups

LDAP Users

LDAP Groups

Submit

156. Which report could show all audit data in the vault?

Privileged Account Compliance Status

Activity Log

Privileged Accounts Inventory

Applications Inventory

157. For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval.

Create an exception to the Master Policy to exclude the group from the work-flow process.

Edit the master policy rule and modify the advanced ‘Access safe without approval’ rule to include the group.

On the safe in which the account is stored grant the group the ‘Access safe with audit’ authorization.

On the safe in which the account is stored grant the group the ‘Access safe without confirmation’ authorization.

158. What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?

MinValidityPeriod

Interval

ImmediateInterval

Timeout

EXPLANATION for Answer: MinValidityPeriod -The number of minutes to wait from the last retrieval of the password until it is replaced. This gives the user a minimum period to be able to use the password before it is replaced. Use -1 to ignore this property. This parameter is also used to release exclusive accounts automatically.

Explanation

EXPLANATION for Answer: MinValidityPeriod -The number of minutes to wait from the last retrieval of the password until it is replaced. This gives the user a minimum period to be able to use the password before it is replaced. Use -1 to ignore this property. This parameter is also used to release exclusive accounts automatically.

159. Which of the following files must be created or configured in order to run Password Upload Utility?

PACli.ini

Vault.ini

Conf.ini

A comma delimited upload file

Submit

160. The Vault supports multiple instances of the following components. Choose all that apply.

PVWA

CPM

PSM

AIM Provider

Submit

161. The Vault needs to send SNMP traps to an SNMP solution. In which configuration file do you set the IP address of the SNMP solution?

PARAgent.ini

Dbparm.ini

ENEConf.ini

My.ini

162. The default authorization on a safe allow a user to store a new account.

True

False

163. Which file would you modify to configure the vault to send SNMP traps to your monitoring solution?

Dbparm.ini

Paragent.ini

ENEConf.ini

Padr.ini

164. If a transparent user matches two different directory mappings, how does the system determine which user template to use?

The system uses the template of the mapping listed first.

The system will use the template for the mapping listed last.

The system will grant all of the vault authorizations from the two templates.

The system will grant only the vault authorizations that are listed in both templates.

165. What would be a good use case for the Disaster Recovery module?

Recovery Time Objectives or Recovery Point Objectives are at or near zero.

Integration with an Enterprise Backup Solution is required.

Off-site replication is required.

PSM is used.

166. The vault allows the use of Subnet Role Based Permissions?

True

False

167. What is the purpose of the Privileged Accounts Compliance Status?

168. To apply a new license file you must:

Upload the license.xml file to the System Safe.

Upload the license.xml file to the VaultInternalSafe.

Upload the license.xml file to the System Safe and restart the PrivateArk Server service.

Upload the license.xml file to the VaultInternal Safe and restart the PrivateArk Server service.

169. A server that has NOT yet been on-boarded with the Vault can NOT be connected to using PSM.

True

False

EXPLANATION for Answer: Through the Secure Connect feature, servers that are NOT yet on-boarded to the Vault can be accessed by PSM.

Explanation

EXPLANATION for Answer: Through the Secure Connect feature, servers that are NOT yet on-boarded to the Vault can be accessed by PSM.

170. Ad-Hoc Access (formerly Secure Connect) provides the following features. (select all that apply)

PSM connections to target devices that are not managed by CyberArk.

Session Recording.

Real-time live session monitoring.

PSM connections from a terminal without the need to login to the PVWA.

Submit

171. Platform settings are applied to _______________.

The entire vault.

Network Areas

Safes

Individual Accounts

172. When managing SSH keys, CPM automatically stores the Public Key:

In the vault

In the target system

In the vault and target system

None of the available answers.

EXPLANATION for Answer: Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm . Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49 .

Explanation

EXPLANATION for Answer: Please, read from CyberArk's website: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SSHKM/Introduction.htm . Also, see video created by SSH Communications Security, https://youtu.be/ke_M3t_L3iY?t=49 .

173. Beginning with v10.7, which is the correct order of installation for PAS (Privileged Account Security) components?

Vault. CPM. PVWA. PSM.

CPM. Vault. PSM. PVWA

Vault. PVWA. CPM. PSM

PVWA. Vault. CPM. PSM.

NOTE: See documentation from CyberArk webpage: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/InstallationOverview.htm

Explanation

NOTE: See documentation from CyberArk webpage: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/InstallationOverview.htm

174. What are the operating system prerequisites for installing CPM? (select all that apply)

NET 3.51 Framework Feature

Web Services Role

Remote Desktop Services Role

Windows 2008 R2 or higher

Submit

175. SAFE authorizations may be granted to ________________. (select all that apply.)

Vault Users

Vault Groups

LDAP Users

LDAP Groups

Submit

176. Which of the following are prerequisites for installing PVWA. Check all that Apply.

Web Services Role

NET 4.5.1 Framework Feature

Remote Desktop Services Role

Windows BitLocker

Submit

177. PSM generates recordings on the Vault server in real time.

True

False

178. It is possible for a vault admin to access a safe at a restricted time.

True

False

179. For a user who is logged into PVWA and receives error message "ITATS006E Station is suspended for User .", the recommended action is to:

Define a Network Area for this user for this IP address, or log on from another station.

Reactivate the Trusted Network Area or log on from another station.

An error occurred during service input parameters parsing. Specify additional information with it. Contact CyberArk support.

180. If Vault Administrator has forgotten the password or is locked out and the Master Account and/or Master CD are forgotten/lost, there is no way to regain Administrative access to the PAS.

True

False

EXPLANATION for Answer: CyberArk Professional Services Team, for a fee, can reset the passwords of both the Administrator and Master account.

Explanation

EXPLANATION for Answer: CyberArk Professional Services Team, for a fee, can reset the passwords of both the Administrator and Master account.

181. CyberArk recommends DNA (Discovery and Audit) scans once a ____________ to discover unprotected backdoors.

Day

Week

Month

Quarter

Year

182. Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (select all that apply)

The PSM software must be installed on the target server.

PSM must be enabled in the Master Policy (either directly, or through exception).

PSMConnect must be added as a local user on the target server.

RDP must be enabled on the target server.

Submit

183. The DR module allows an integration with Enterprise Backup software.

True

False

184. Which one of the built-in Vault users is not automatically added to the safe when it is first created in PVWA?

Master

Vault Admin

Auditor

Operator

EXPLANATION for Answer: Vault Admin is automatically added to safes created during the installation process, however post-installation all newly created safes, created via PVWA, are NOT automatically added to the safe.

Explanation

EXPLANATION for Answer: Vault Admin is automatically added to safes created during the installation process, however post-installation all newly created safes, created via PVWA, are NOT automatically added to the safe.

185. The vault internal safe contains all of the configuration for the vault.

True

False

186. Which CyberArk component requires disabling the Data Execution Prevention (DEP) so that none of the features within will be hindered?

PSM

ENE

CPM

PSM with SSH

187. Multiple Vault servers can be load balanced.

True

False

EXPLANATION for Answer: Through Disaster Recovery (DR) configurations Satellite Vaults servers can and should be established, however, there is no “load balancing” between vaults.

Explanation

EXPLANATION for Answer: Through Disaster Recovery (DR) configurations Satellite Vaults servers can and should be established, however, there is no “load balancing” between vaults.

188. When using the CyberArk Cluster, the following are running on the passive vault(s):

Cluster, PrivateArk Database, Remote Desktop Protocol

Cluster, PrivateArk Database

Cluster

Cluster, Remote Desktop Protocol

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Installing-the-CyberArk-Cluster-Vault-on-Distributed-Vaults.htm

Explanation

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Installing-the-CyberArk-Cluster-Vault-on-Distributed-Vaults.htm

189. Which CyberArk component permits the use of Subnet Mask?

CPM

PVWA

PSM for SSH

PSM

EXPLANATION for Answer: Please, review CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-a-Subnet-Mask.htm

Explanation

EXPLANATION for Answer: Please, review CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-a-Subnet-Mask.htm

190. Which utilities could you use to change debugging levels on the vault without having to restart the vault. (select all that apply)

PAR Agent

PrivateArk Server Central Administration

Edit DBParm.ini in a text editor

Setup.exe

EXPLANATION for Answer: PAR-Private Ark Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.

Explanation

EXPLANATION for Answer: PAR-Private Ark Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.

Submit

191. An SMTP integration allows you to forward audit records to a monitoring solution.

True

False

EXPLANATION for Answer: While the SMTP canNOT forward audit records to a monitoring solution, a SIEM integration can.

Explanation

EXPLANATION for Answer: While the SMTP canNOT forward audit records to a monitoring solution, a SIEM integration can.

192. After firewall rules are applied to the vault, can they be modified?

Yes, The firewall rules can be modified through the FirewallRules.ini file and the vault server must be restarted.

Yes, the firewall rules can be modified using the dbparm.ini.

No, the firewall rules for the vault can never be altered after established.

Yes, the firewall rules can be modified using the Window Firewall settings.

EXPLANATION for Answer: Yes, the firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.

Explanation

EXPLANATION for Answer: Yes, the firewall rules can be modified through Windows Firewall service. To more rigorously monitor the firewall rules parameter MonitorFWRulesInterval can be added to the dbparm.ini file.

193. To update a license, upload it to the system safe and then you must restart the PrivateArk service.

True

False

EXPLANATION for Answer: It is NOT necessary to restart the PrivateArk service when ONLY the license file is updated.

Explanation

EXPLANATION for Answer: It is NOT necessary to restart the PrivateArk service when ONLY the license file is updated.

194. What would be a good use case for the Replicate Module?

Recovery Time Objectives or Recovery Point Objectives are at or near zero.

Integration with an Enterprise Backup Solution is required.

Off-site replication is required.

PSM is used.

195. All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UNIXAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group OperationsStaff need to be able to use the show, copy, and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves. Which safe permissions do you need to grant to OperationsStaff. Check all that apply.

Use accounts

List accounts

Access Safe without Authorization

Retrieve Accounts

Authorize Password Requests

Submit

196. Which files govern the password upload utility:

PACli.exe

CSV

Config.ini

Vault.ini

Submit

197. The Timeout setting is defined as:

The number of minutes that the CPM waits between loops when processing accounts of this platform.

The number of seconds to wait for the change password plug-in to finish its execution.

The time until when the CPM can change passwords, either manually or automatically.

198. When on-boarding a Satellite Vault you must update ____________.

Vault.ini file

Padr.ini file

Satellite.ini file

Vault.ini and padr.ini files

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Installing-the-CyberArk-Satellite-Vault.htm?Highlight=satellite.ini

Explanation

EXPLANATION for Answer: Please, read CyberArk’s documentation on this topic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Installing-the-CyberArk-Satellite-Vault.htm?Highlight=satellite.ini

199. Match the following Privileged Access Workflow definitions to their respective terms.

Users must receive approval from one or more authorized users before they can access passwords. This enables you to see who wants to access passwords, when, and for what purpose. The number of authorized users required to confirm password requests can be customized in the Advanced Settings of this rule.

Users can check out an account and lock it so that no other users can retrieve it at the same time. After the user has used the password, they check the password back into the Vault. Together with enforcing one-time password access, this restricts access to a single user, ensuring exclusive usage of the privileged account and guaranteeing accountability.

Accounts can be retrieved for one-time use only, and the password stored inside must be changed after each use before the account is released and can be used again. Passwords can be changed automatically by the Privileged Access Security solution’s password management capability.

Users can connect to remote devices without needing to know or specify the required password. This prevents the password from being exposed to the user and maintains productivity as the user does not have to open a login session and then copy and paste the password credentials into it.

Submit

200. Auto-Detection is NOT recommended for use, because it forces each discovered server to on-board all discovered accounts even though NOT all accounts need to be on-boarded.

True

False

EXPLANATION: Auto-Detection should NOT be utilized, instead CyberArk recommends using a more capable product called Accounts Discovery which provides the functionality to or not to on-board an account.

Explanation

EXPLANATION: Auto-Detection should NOT be utilized, instead CyberArk recommends using a more capable product called Accounts Discovery which provides the functionality to or not to on-board an account.