To support a fault tolerant and high-availability architecture, the Password Vault Web Access (PVWA) servers need to be configured to communicate with the Primary Vault and Satellite Vaults.
What file needs to be changed on the PVWA to enable this setup?
- A . Vault.ini
- B . dbparm.ini
- C . pvwa.ini
- D . Satellite.ini
Auto-Detection can be configured to leverage LDAP/S.
- A . TRUE
- B . FALSE
Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports.
- A . TRUE
- B . FALSE
When a group is granted the ‘Authorize Account Requests’ permission on a safe, Dual Control requests must be approved by:
- A . Any one person from that group
- B . Every person from that group
- C . The number of persons specified by the Master Policy
- D . That access cannot be granted to groups
When creating an onboarding rule, it will be executed upon:
- A . All accounts in the pending accounts list.
- B . Any future accounts discovered by a discovery process.
- C . All accounts in the pending accounts list and any future accounts discovered by a discovery process.
B
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Managing-Discovery-Processes.htm
You are successfully managing passwords in the alpha.cyberark.com domain; however, when you attempt to manage a password in the beta.cyberark.com domain, you receive the ‘network path not found’ error.
What should you check first?
- A . That the username and password are correct.
- B . That the CPM can successfully resolve addresses in the beta.cyberark.com domain
- C . That the end user has the correct permissions on the safe
- D . That an appropriate trust relationship exists between alpha.cyberark.com and beta.cyberark.com
Which service should NOT be running on the DR Vault when the primary production Vault is up?
- A . PrivateArk Database
- B . PrivateArk Server
- C . CyberArk Vault Disaster Recovery Service
- D . CyberArk Logical Container
Which of the following statements are NOT true when enabling PSM recording for a target Windows server? Choose all that apply
- A . The PSM software must be installed on the target server
- B . PSM must be enabled in the Master Policy (either directly, or through exception).
- C . PSMConnect must be added as a local user on the target server
- D . RDP must be enabled on the target server
What is the primary purpose of Exclusive Accounts?
- A . Reduced risk of credential theft
- B . More frequent password changes
- C . Non-repudiation (individual accountability)
- D . To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization
Which of the following are prerequisites for installing PVWA? Check all that apply.
- A . Web Services Role
- B . .NET 4.5.1 Framework Feature
- C . Remote Desktop Services Role
- D . Windows BitLocker
To support a fault tolerant and high-availability architecture, the Password Vault Web Access (PVWA) servers must be configured to communicate with the Primary Vault and Satellite Vaults.
Which file needs to be changed on the PVWA to enable this setup?
- A . Vault.ini
- B . dbparm.ini
- C . pvwa.ini
- D . Satellite.ini
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.1/en/Content/PAS%20INST/Password-Vault-Web-Access-Installation.htm
PSM captures a record of each command that was issued in SQL Plus.
- A . TRUE
- B . FALSE
In Accounts Discovery, you can configure a Windows discovery to scan______________.
- A . as many OUs as you wish
- B . up to three OUs.
- C . only one OU.
- D . a number of OUs determined by the OUstoScan setting under the Accounts Feed section in the Administration tab
One of your users is receiving the error message “ITATS006E Station is suspended for User jsmith” when attempting to sign in to the PVWA.
Which utility would you use to correct this problem?
- A . createcredfile.exe
- B . cavaultmanager.exe
- C . PrivateArk
- D . PVWA
Which of the following is NOT a use case for installing multiple CPMs?
- A . A single CPM cannot accommodate the total number of accounts managed
- B . Accounts are managed in multiple sites or VLANs protected by firewall
- C . Reduce network traffic across WAN links
- D . Provide load balancing capabilities when managing passwords on target devices
Which service should NOT be running on the DR Vault when the primary Production Vault is up?
- A . PrivateArk Database
- B . PrivateArk Server
- C . CyberArk Vault Disaster Recovery (DR) service
- D . CyberArk Logical Container
Where does the Vault administrator configure in Password Vault Web Access (PVWA) the Fully Qualified Domain Name (FQDN) of the domain controller during LDAP/S integration?
- A . PVWA > Platform Management > LDAP Integration
- B . PVWA > Administration > LDAP Integration
- C . PVWA > Administration > Options > LDAP Integration
- D . PVWA > LDAP Integration
B
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Landing%20Pages/LPLDAPIntegration.htm
What is the purpose of the password Change process?
- A . To test that CyberArk is storing accurate credentials for accounts
- B . To change the password of an account according to organizationally defined password rules
- C . To allow CyberArk to manage unknown or lost credentials
- D . To generate a new complex password
Which keys are required to be present in order to start the PrivateArk Server Service? Select all that apply.
- A . Server Key
- B . Recovery Public Key
- C . Recovery Private Key
- D . Safe Key
A
Explanation:
Reference: https://www.reddit.com/r/CyberARk/comments/8s96n8/certificat_problem_with_my_vault/
Which utilities could you use to change debugging levels on the vault without having to restart the vault? Select all that apply.
- A . PAR Agent
- B . PrivateArk Server Central Administration
- C . Edit DBParm.ini in a text editor.
- D . Setup.exe
What is the purpose of the CyberArk Event Notification Engine service?
- A . It sends email messages from the CPM
- B . It sends email messages from the Vault.
- C . It processes audit report messages
- D . It makes vault data available to components.
The Vault does not support dual factor authentication.
- A . True
- B . False
B
Explanation:
Reference: https://duo.com/docs/cyberark
Any user can monitor live sessions in real time when users initiate RDP connection via Secure Connect through PSM?
- A . TRUE
- B . FALSE
A safe was recently created by a user who is a member of the LDAP Vault Administrators group.
Which of the following users does not have access to the newly created safe by default?
- A . Master
- B . Administrator
- C . Auditor
- D . Backup
Which file is used to configure the ENE service?
- A . ENE.ini
- B . ENEConfig.ini
- C . dbparm.ini
- D . paragent.ini
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to UnixAdmins? Check all that apply
- A . Use Accounts
- B . Retrieve Accounts
- C . List Accounts
- D . Authorize Password Requests
- E . Access Safe without Authorization
The Application Inventory report is related to AIM.
- A . TRUE
- B . FALSE
When managing SSH keys, the CPM stores the Public Key ________________.
- A . In the Vault
- B . On the target server
- C . A & B
- D . Nowhere because the public key can always be generated from the private key
The ACME Company has been a CyberArk customer for many years. ACME Management has asked you to perform a “Health Check” review of the CyberArk deployment. During your analysis you discover that the PSM Component server is fully functional. The RDP SSL certificate is self-signed and the CyberArk Privileged Session Management Service is running under the Local Service. SSL 3.0 is enabled in the Registry.
- A . The PSM Component Server is configured as defined in PAS Installation Guide.
- B . The PSM Component Server has been installed correctly but PSM Hardening procedures have not been followed and must be rebuilt.
- C . The PSM Component Server has been installed correctly but PSM Hardening procedures have not been followed. Hardening procedures must be applied manually to the existing configuration.
- D . The PSM Component Server has been installed correctly but PVWA Hardening procedures have not been followed. Hardening procedures can be applied via the Installation Automation script or manually to the existing configuration.
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to OperationsManagers? (Choose all that apply.)
- A . Use Accounts
- B . Retrieve Accounts
- C . List Accounts
- D . Authorize Password Requests
- E . Access Safe without Authorization
tsparm.ini is the main configuration file for the vault.
- A . TRUE
- B . FALSE
What is the proper way to allow the Vault to resolve host names?
- A . Define a DNS server.
- B . Define a WINS server.
- C . Define the local hosts file.
- D . The Vault cannot resolve host names due to security standards.
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Configuring-Transparent-User-Management.htm
Which one of the following reports is NOT generated by using the PVWA?
- A . Accounts Inventory
- B . Application Inventory
- C . Active/Non-Active Users
- D . Compliance Status
When working with the CyberArk Disaster Recovery (DR) solution, which services should be running on the DR Vault?
- A . CyberArk Vault Disaster Recovery (DR), PrivateArk Database
- B . CyberArk Vault Disaster Recovery
- C . CyberArk Vault Disaster Recovery, PrivateArk Database, PrivateArk Server
- D . CyberArk Vault Disaster Recovery, PrivateArk Database, CyberArk Event Notification Engine
Which parameter controls how often the CPM looks for accounts that need to be changed from recently completed Dual control requests?
- A . HeadStartInterval
- B . Interval
- C . ImmediateInterval
- D . The CPM does not change the password under this circumstance
Which of the following PTA detections are included in the Core PAS offering? (Choose all that apply.)
- A . Suspected Credential Theft
- B . Over-Pass-The-Hash
- C . Golden Ticket
- D . Unmanaged Privileged Access
Name two ways of viewing the ITAlog:
- A . Log into the vault locally and navigate to the Server folder under the PrivateArk install location.
- B . Log into the PVWA and go to the Reports tab.
- C . Access the System Safe from the PrivateArk client.
- D . Go to the ThirdParty log directory on the CPM
Which utility can be used to copy a server key to an HSM?
- A . PrivateArk Client
- B . A proprietary utility provided by the HSM Vendor
- C . ChangeServerKeys.exe
- D . CAVaultManager.exe
B
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Distributed-Vault-HSM.htm
What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?
- A . MinValidityPeriod
- B . Interval
- C . ImmediateInterval
- D . Timeout
Which combination of safe member permissions will allow End Users to log in to a remote machine transparently but NOT show or copy the password?
- A . Use Accounts, Retrieve Accounts, List Accounts
- B . Use Accounts, List Accounts
- C . Use Accounts
- D . List Accounts, Retrieve Accounts
A SIEM integration allows you to forward ITALOG records to a monitoring solution.
- A . TRUE
- B . FALSE
You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to verify the root account’s password the CPM will…
- A . Ignore the logon account and attempt to log in as root.
- B . Prompt the end user with a dialog box asking for the login account to use.
- C . Log in first with the logon account, then run the su command to log in as root using the password in the vault
- D . None of these.
Which of the following sends out Simple Network Management Protocol (SNMP) traps?
- A . PrivateArk Remote Control Agent
- B . PrivateArk Server
- C . CyberArk Event Notification Engine
- D . CyberArk SNMP agent
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-Remote-Monitoring.htm#_Ref364686578
The Vault Internal safe contains all of the configuration for the vault.
- A . TRUE
- B . FALSE
What is the purpose of a password group?
- A . To ensure that a particular collection of accounts all have the same password
- B . To ensure a particular set of accounts all change at the same time
- C . To connect the CPM to a target system
- D . To allow more than one account to work together as part of a password management process
Which credentials does CyberArk use when managing a target account?
- A . Those of the service account for the CyberArk Password Manager service
- B . A Domain Administrator account created for this purpose
- C . The credentials of the target account
- D . An account assigned by the Master Policy
What is the proper way to allow the Vault to resolve host names?
- A . Define a DNS server
- B . Define a WINS server
- C . Defining the local hosts file
- D . The Vault cannot resolve host names due to security standards
Time of day or day of week restrictions on when password changes can occur are configured in ________________.
- A . The Master Policy
- B . The Platform settings
- C . The Safe settings
- D . The Account Details
In a Disaster Recovery (DR) environment, which of the following should NEVER be configured for automatic failover due to the possibility of split-brain phenomenon?
- A . Password Vault Web Access (PVWA)
- B . PSM
- C . CPM
- D . PTA
A SIEM integration allows you to forward audit records to a monitoring solution.
- A . TRUE
- B . FALSE
A Reconcile Account can be specified in the Master Policy.
- A . TRUE
- B . FALSE
What is the chief benefit of PSM?
- A . Privileged session isolation
- B . Automatic password management
- C . Privileged session recording
- D . Privileged session isolation and privileged session recording
C
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm
Which of the following can be configured in the Master Policy? Choose all that apply.
- A . Dual Control
- B . One Time Passwords
- C . Exclusive Passwords
- D . Password Reconciliation
- E . Ticketing Integration
- F . Required Properties
- G . Custom Connection Components
- H . Password Aging Rules
A,B,C,H
Explanation: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.4/en/Content/PASIMP/Working-with-Master-Policy-Rules.htm
What is the primary purpose of Dual Control?
- A . Reduced risk of credential theft
- B . More frequent password changes
- C . Non-repudiation (individual accountability)
- D . To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization
It is possible to restrict the time of day, or day of week, that a verify process can occur.
- A . TRUE
- B . FALSE
The Vault supports multiple instances of the following components. Choose all that apply.
- A . PVWA
- B . CPM
- C . PSM
- D . AIM Provider
A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.
What is the issue?
- A . The user must login as PSMAdminConnect.
- B . The PSM service is not running.
- C . The user is not a member of the PVWAMonitor group.
- D . The user is not a member of the Auditors group.
D
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Monitoring-Privileged-Sessions.htm
Which is the purpose of the HeadStartInterval setting in a platform?
- A . It determines how far in advance audit data is collected for reports.
- B . It instructs the CPM to initiate the password change process a certain number of days before expiration.
- C . It instructs the AIM provider to ‘skip the cache’ during the defined time period.
- D . It alerts users of upcoming password changes a certain number of days before expiration.
B
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud/Latest/en/Content/PASREF/Automatic%20Password%20Management%20-%20Password%20Change.htm
The Vault server requires WINS services to work properly.
- A . True
- B . False
When managing SSH keys, CPM automatically pushes the Public Key to the target system.
- A . TRUE
- B . FALSE
What is the purpose of the Interval setting in a CPM policy?
- A . To control how often the CPM looks for System Initiated CPM work
- B . To control how often the CPM looks for User Initiated CPM work.
- C . To control how long the CPM rests between password changes
- D . To control the maximum amount of time the CPM will wait for a password change to complete
Multiple PVWA servers provide automatic load balancing.
- A . TRUE
- B . FALSE
Is it possible to modify the CyberArk Vault Audit Log?
- A . Yes, a Vault administrator can modify the Audit log
- B . No, the audit trail is tamper proof and cannot be edited, not even by Master
- C . Yes, but only the Master user can modify the Audit log
- D . Yes, a Vault administrator can edit the Audit log but only with explicit permission from CyberArk
Which of the following logs contain information about errors related to PTA?
- A . ITAlog.log
- B . diamond.log
- C . pm_error.log
- D . WebApplication.log
PSM captures a record of each command that was executed in Unix.
- A . TRUE
- B . FALSE
The System safe allows access to the Vault configuration files.
- A . TRUE
- B . FALSE
Which of these accounts onboarding methods is considered proactive?
- A . Accounts Discovery
- B . Detecting accounts with PTA
- C . A Rest API integration with account provisioning software
- D . A DNA scan
Which onboarding method would you use to integrate CyberArk with your accounts provisioning process?
- A . Accounts Discovery
- B . Auto Detection
- C . Onboarding RestAPI functions
- D . PTA Rules
A logon account can be specified in the platform settings.
- A . True
- B . False
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-Accounts-for-Automatic-Management.htm
When the PSM Gateway (also known as the HTML5 ( End Point in order to launch connections via the PSM
- A . True
- B . False, when the PSM Gateway is implemented, the user only requires a browser in order to launch a connection via the PSM
What is the purpose of the password verify process?
- A . To test that CyberArk is storing accurate credentials for accounts.
- B . To change the password of an account according to organizationally defined password rules.
- C . To allow CyberArk to manage unknown or lost credentials.
- D . To generate a new complex password.
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Verifying-Passwords.htm#:~:text=The%20CPM%20can%20verify%20password,manually%20by%20an%20authorized%20user.
Accounts Discovery allows secure connections to domain controllers.
- A . TRUE
- B . FALSE
Access Control to passwords is implemented by ________________.
- A . Virtual Authorizations
- B . Safe Authorizations
- C . Master Policy
- D . Platform Settings
It is possible to control the hours of the day during which a safe may be used.
- A . TRUE
- B . FALSE
In a Distributed Vaults environment, which of the following components will NOT be communicating with the Satellite Vaults?
- A . AAM Credential Provider (previously known as AIM Credential Provider)
- B . ExportVaultData utility
- C . PAReplicate utility
- D . Central Policy Manager
Which Master Policy?
- A . Password Expiration Time
- B . Enabling and Disabling of the Connection Through the PSM
- C . Password Complexity
- D . The use of "One-Time-Passwords"
One can create exceptions to the Master Policy based on_________.
- A . Safes
- B . Platforms
- C . Policies
- D . Accounts
It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe.
- A . TRUE
- B . FALSE
In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems.
What is the BEST way to allow CPM to manage root accounts?
- A . Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target server’s root account.
- B . Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account.
- C . Configure the Unix system to allow SSH logins.
- D . Configure the CPM to allow SSH logins
According to the default web options settings, which group grants access to the reports page?
- A . PVWAMonitor
- B . PVWAUsers
- C . Auditors
- D . Vault administrators
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/ReportsInPVWA.htm