What would be a good use case for the Replicate module?
- A . Recovery Time Objectives or Recovery Point Objectives are at or near zero
- B . Integration with an Enterprise Backup Solution is required.
- C . Off site replication is required.
- D . PSM is used
What is the PRIMARY reason for installing more than 1 active CPM?
- A . Installing CPMs in multiple sites prevents complex firewall rules to manage devices at remote sites.
- B . Multiple instances create fault tolerance.
- C . Multiple instances increase response time.
- D . Having additional CPMs increases the maximum number of devices CyberArk can manage
What is the purpose of the password Reconcile process?
- A . To test that CyberArk is storing accurate credentials for accounts.
- B . To change the password of an account according to organizationally defined password rules
- C . To allow CyberArk to manage unknown or lost credentials.
- D . To generate a new complex password.
B
Explanation:
Reference: https://www.cyberark.com/blog/securing-privileged-accounts-best-practices-guide-part-4/
Which file would you modify to configure the vault to send SNMP traps to your monitoring solution?
- A . dbparm ini
- B . paragent.ini
- C . ENEConf.ini I
- D . padr ini
When a DR vault server becomes an active vault, it will automatically fail back to the original state once the primary vault comes back online.
- A . True, this is the default behavior
- B . False, this is not possible
- C . True, if the ‘AllowFailback’ setting is set to yes in the PADR.ini file.
- D . True if the ‘AllowFailback’ setting is set to yes in the dbparm mi file
In order to avoid conflicts with the hardening process, third party applications like Antivirus and Backup Agents should be installed on the Vault server before installing the Vault.
- A . TRUE
- B . FALSE
If a transparent user matches two different directory mappings, how does the system determine which user template to use?
- A . The system will use the template for the mapping listed first.
- B . The system will use the template for the mapping listed last.
- C . The system will grant all of the vault authorizations from the two templates.
- D . The system will grant only the vault authorizations that are listed in both templates
The primary purpose of the CPM is Password Management.
- A . TRUE
- B . FALSE
A
Explanation:
Reference: https://www.cse-cst.gc.ca/en/system/files/pdf_documents/cyberark-v91-sec-eng.pdf (7)
The vault server uses a modified version of the Microsoft Windows firewall.
- A . TRUE
- B . FALSE
In a SIEM integration it is possible to use the fully-qualified domain name (FQDN) when specifying the SIEM server address(es)
- A . TRUE
- B . FALSE
What would be a good use case for a High Availability vault?
- A . Recovery Time Objectives or Recovery Point Objectives are at or near zero.
- B . Integration with an Enterprise Backup Solution is required.
- C . Off site replication is required
- D . PSM is used.
What are the operating system prerequisites for installing CPM? Select all that apply.
- A . NET 3.51 Framework Feature
- B . Web Services Role
- C . Remote Desktop Services Role
- D . Windows 2008 R2 or higher.
A
Explanation:
Reference: https://www.cse-cst.gc.ca/en/system/files/pdf_documents/cyberark-v91-sec-eng.pdf (11)
A vault admin received an email notification that a password verification process has failed.
Which service sent the message?
- A . The PrivateArk Server Service on the Vault.
- B . The CyberArk Password Manager service on the Components Server.
- C . The CyberArk Event Notification Engine Service on the Vault
- D . The CyberArk Privileged Session Manager service on the Vault.
A stand alone Vault server requires DNS services to operate properly.
- A . TRUE
- B . FALSE
After a PSM session is complete, the PSM server uploads the recording to the Vault for long-term storage.
- A . TRUE
- B . FALSE
By default, the vault secure protocol uses which IP port and protocol.
- A . TCP/1858
- B . TCP/443
- C . UDP/1858
- D . TCP/80
A
Explanation:
Reference: http://docplayer.net/53689072-The-cyberark-digital-vault-built-for-security.html
What is the best practice for storing the Master CD?
- A . Copy the files to the Vault server and discard the CD.
- B . Copy the contents of the CD to a Hardware Security Module and discard the CD.
- C . Store the CD in a secure location, such as a physical safe.
- D . Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder (secured with NTFS permissions} on the vault.
What utility is used to create or update a credential file?
- A . CreateCredFile exe
- B . CAVaultManager.exe
- C . Central Policy Manager
- D . Password Vault Web Access
A
Explanation:
Reference: https://edoc.site/pas-install-and-configuration-pdf-free.html
You are successfully managing passwords in the alpha cyberark com domain; however, when you attempt to manage a password in the beta cyberark com domain, you receive the ‘network path not found’ error.
What should you check first?
- A . That the username and password are correct
- B . That the CPM can successfully resolve addresses in the beta cyberark com domain
- C . That the end user has the correct permissions on the safe.
- D . That an appropriate trust relationship exists between alpha.cyberark com and beta cyberark.com
What is the name of the account used to establish the initial RDP session from the end user client machine to the PSM server?
- A . PSMConnect
- B . PSMAdminConnect
- C . PSM
- D . The credentials the end user retrieved from the vault
To apply a new license file you must:
- A . Upload the license.xml file to the System Safe
- B . Upload the license.xml file to the Vaultlnternal Safe.
- C . Upload the license.xml file to the System Safe and restart the PrivateArk Server service.
- D . Upload the license.xml file to the Vaultlnternal Safe and restart the PrivateArk Server service.
A
Explanation:
Reference: https://www.reddit.com/r/CyberARk/comments/9bjkvd/unable_to_retrieve_licensexml_from_system_safe/
At what point is a transparent user provisioned in the vault?
- A . When a directory mapping matching that user id is created.
- B . When a vault admin runs LDAP configuration wizard.
- C . The first time the user logs in.
- D . During the vault’s nightly LD|^P refresh
Which of the following are supported authentication methods for CyberArk? Check all that apply
- A . CyberArk Password (SRP)
- B . LDAP
- C . SAML
- D . PKI
- E . RADIUS
- F . OracleSSO
- G . Biometric
BDE
Explanation:
Reference: https://training.cyberark.com/instructor-led-training/cyberark-privileged-account-security-pas-install-and-configure
The security of the Vault Server is entirely dependent on the security of the network.
- A . TRUE
- B . FALSE
What would be a good use case for the Disaster Recovery module?
- A . Recovery Time Objectives or Recovery Point Objectives are at or near zero.
- B . Integration with an Enterprise Backup Solution is required.
- C . Off site replication is required.
- D . PSM is used.
Which is the correct order of installation for PAS components?
- A . Vault, CPM. PVWA, PSM
- B . CPM, Vault. PSM, PVWA
- C . Vault, CPM. PSM, PVWA
- D . PVWA, Vault, CPM, PSM
The RemoteApp feature of PSM allows seamless Application windows (i e the Desktop of the PSM server will not be visible)
- A . TRUE
- B . FALSE
Does CyberArk need service accounts on each server to change passwords?
- A . Yes. it requires a domain administrator account to change any password on any server.
- B . Yes. it requires a local administrator account on any Windows server and a root level account on any Unix server.
- C . No. passwords are changed by the Password Provider Agent.
- D . No. the CPM uses the account information stored in the vault to login and change the account’s password using its own credentials
Which of the following protocols need to be installed on a standalone vault server? Check all that apply.
- A . Client for Microsoft Networks
- B . QoS Packet Scheduler
- C . File and Printer Sharing for Microsoft Networks
- D . Internet Protocol version 4 (TCP/IPv4)
- E . NIC Teaming Driver, if applicable
Which of the following are prerequisites for installing PVWA Check all that Apply.
- A . Web Services Role
- B . NET 4.5.1 Framework Feature
- C . Remote Desktop Services Role
- D . Windows BitLocker
In order to retrieve data from the vault a user MUST use an interface provided by CyberArk.
- A . TRUE
- B . FALSE
Name two ways of viewing the ITAlog
- A . Log into the vault locally and navigate to the Server folder under the PrivateArk install location.
- B . Log into the PVWA and go to the Reports tab.
- C . Access the System Safe from the PrivateArk client.
- D . Go to the Thirdpary log directory on the CPM
Which CyberArk component changes passwords on Target Devices?
- A . Vault
- B . CPM
- C . PVWA
- D . PSM
- E . PrivateArk
- F . OPM
- G . AIM
In an SMTP integration it is possible to use the fully-qualified domain name (FQDN) when specifying the SMTP server address(es)
- A . TRUE
- B . FALSE
The PrivateArk clients allows a user to view the contents of the vault like a filesystem.
- A . TRUE
- B . FALSE
Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? Choose all that apply
- A . Store the CD in a physical safe and mount the CD every time vault maintenance is performed.
- B . Copy the contents of the CD to the System Safe on the vault
- C . Copy the contents of the CD to a folder on the vault server and secure it with NTFS permissions.
- D . Store the server key in a Hardware Security Module.
- E . Store the server key in the Provider cache
The Remote Desktop Services role must be property licensed by Microsoft.
- A . TRUE
- B . FALSE
Which file would you modify to configure your Vault Server to forward Activity Logs to a SIEM or SYSLOG server?
- A . dbparm.ini
- B . PARagent.ini
- C . ENEConf.ini
- D . padr.ini
Which keys are required to be present in order to start the PrivateArk Server Service? Select all that apply.
- A . Server Key
- B . Recovery Public Key
- C . Recovery Private Key
- D . Safe Key
A
Explanation:
Reference: https://www.reddit.com/r/CyberARk/comments/8s96n8/certificat_problem_with_my_vault/
What is a requirement for setting fault tolerance for PSMs?
- A . Use a load balancer
- B . Use a backup solution
- C . CPM must be in all data centers
- D . Install the Vault in an HA cluster
What is a valid combination of primary and secondary layers of authentication to a company’s two-factor authentication policy?
- A . RSA SecurID Authentication (in PVWA) and LDAP Authentication
- B . CyberArk Authentication and RADIUS Authentication
- C . Oracle SSO (in PVWA) and SAML Authentication
- D . LDAP Authentication and RADIUS Authentication
A customer wants to store PSM recordings for 100 days and estimates they will have 10 Windows sessions per day for 100 minutes each.
What is the minimum storage required for the Vault and PAReplicate for the PSM recordings?
- A . 25 GB Most Voted
- B . 250 GB
- C . 500 GB
- D . 5GB
CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain account ACME/linuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145.
What is the correct syntax?
- A . ssh neil@linuxuser01: acme.corp@192.168.1.164@192.168.65.145
- B . ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145 Most Voted
- C . ssh neil@linuxuser01@192.168.1.164@192.168.65.145
- D . ssh neil@linuxuser01@acme.corp@192.168.1.164@192.168.65.145
During the PSM installation process, Safes and a User are created.
In addition to Add Safes, Add/Update Users, Reset Users’ Passwords, and Activate Users, which authorization(s) does the Vault user installing the PSM need to enable them to be successfully created?
- A . Manage Vault File Categories Most Voted
- B . Manage Server File Categories
- C . Manage Directory Mapping, Manage Server File Categories
- D . Manage Directory Mapping, Manage Vault File Categories
What authentication methods can be implemented to enforce Two-Factor Authentication (2FA) for users authenticating to CyberArk using both the PVWA (through the browser) and the PrivateArk Client?
- A . LDAP and RADIUS Most Voted
- B . CyberArk and RADIUS
- C . SAML and Cyber Ark
- D . SAML and RADIUS
DRAG DROP –
Arrange the steps to complete CPM Hardening for Out-of-Domain Deployment in the correct sequence.
In which configuration file do you add LoadBalancerClientAddressHeader when you enable x-forwarding on the PVWA loadbalancer?
- A . PVconfiguration.xml
- B . web.config
- C . apigw.ini
- D . CyberArkScheduledTasks.exe.config
You want to add an additional maintenance user on the PSM for SSH.
How can you accomplish this if InstallCyberarkSSHD is set to Integrated?
- A . Create a local user and add it to the PSMMaintenance Group.
- B . Create a local user called proxymng.
- C . Create a local user and add it to group configured for the parameter AllowGroups in the /etc/sshd_config file
- D . Create a local user, called psmpmng.
There is a requirement for a password to change between 01:00 and 03:00 on Saturdays and Sundays; however, this does not work consistently.
Which platform setting may be the cause?
- A . The Interval setting for the platform is incorrect and must be less than 120.
- B . The ImmediateInterval setting for the platform is incorrect and must be greater than or equal to 1.
- C . The DaysToRun setting for the platform is incorrect and must be set to Sat,Sun.
- D . The HeadStartInterval setting for the platform is incorrect and must be set to 0.