PAM-CDE-RECERT Questions and Answers

PVWAMonitor

ReportUsers

PVWAReports

Operators

PVWAUsers

Vault Admins

Auditors

PVWAMonitor

Accounts that were discovered by CyberArk in the last 30 days

Accounts that were discovered by CyberArk that have not yet been onboarded

All accounts added to the vault in the last 30 days

All users added to CyberArk in the last 30 days

Within PVWA

Click Administration > Platform Management

Select the platform and then click Edit.

In the left pane, click Automatic Password Management > CPM Plug-in

Set the ExeName parameter value to CyberArk TPC exe

Using PnvateArk. select the PasswordManager_Shared safe, and then select open Locate the mi file relating to the platform you wish to change and double click

At the bottom of the file, insert a line "UseTPC = True" Remove any lines that reference "PMTerminal" and save Return the mi file to the safe Restart CPM for this change to take effect

Open the process file of the platform you wish to configure to use TPC Add the following parameter under the States section; "use TPC=yes"

It is not possible to change a platform from using PMTerminal to using TPC You must locate a new version of the platform that supports TPC and import the new platform over-writing the existing platform

Recovery Private Key

Recover.exe

Vault data

Recovery Public Key

Server Key

Master Password

proxymng

psmpjnamtenance

psmpma/ntenanceuser

psmpmnguser

TRUE

FALSE

True; this is the default behavior

False; this is not possible

True, if the AllowFailback setting is set to “yes” in the padr.ini file

True, if the AllowFailback setting is set to “yes” in the dbparm.ini file

TRUE

FALSE

Specify Amazon as the cloud vendor using the CloudVendor Flag

After running the postinstall utility, restart the "PrivateArk Server" service

Specify the Cloud region using the /CloudRegion flag

Specify whether the Vault is distributed or stand alone

True

False

Master CD, Master Password, console access to the Vault server, Private Ark Client

Operator CD, Master Password, console access to the PVWA server, PVWA access

Operator CD, Master Password, console access to the Vault server, Recover.exe

Master CD, Master Password, console access to the PVWA server, Recover.exe

Ssh neil@linuxuser01:acme.corp@192.168.1.64@192.168.1.45

Ssh neil@linuxuser01#acme.corp@192.168.1.64@192.168.1.45

Ssh neil@linuxuser01@192.168.1.64@192.168.65.145

Ssh neil@linuxuser01@acme.corp@192.168.1.64@192.168.1.45

UnixPrompts.ini

plink.exe

dbparm.ini

PVConfig.xml

Log on to the PrivateArk Client, display the user properties of the user to configure, run the Authentication method drop-down list, and select RADIUS authentication.

In the RADIUS server, define the CyberArk Vault as RADIUS client/agent.

In the Vault Installation folder, run CAVaultManger as Administrator with the SecureSecretFiles command.

Navigate to /Server/Conf and open DBParms.ini and set the RadiusServersInfo parameter.

six

four

two

three

Copy the files to the Vault server and discard the CD

Copy the contents of the CD to a Hardware Security Module (HSM) and discard the CD

Store the CD in a secure location, such as a physical safe

Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder secured with NTFS permissions on the Vault

TRUE

FALSE

Suspected credential theft

Over-Pass-The-Hash

Golden Ticket

Unmanaged privileged access

Safes

Platforms

Policies

Accounts

To control how often the CPM looks for System Initiated CPM work.

To control how often the CPM looks for User Initiated CPM work.

To control how long the CPM rests between password changes.

To control the maximum amount of time the CPM will wait for a password change to complete.

Yes, when using the connect button, CyberArk uses the PMTerminal.exe process which bypasses the root SSH restriction.

Yes, only if a logon account is associated with the root account and the user connects through the PSM-SSH connection component.

Yes, if a logon account is associated with the root account.

No, it is not possible.

Port 1858 must be opened between the load balancer and the PVWAs

The load balancer must be configured in DNS round robin.

The load balancer must support "sticky sessions".

The LoadBalancerClientAddressHeader parameter in the PVwA.ini file must be set.

All accounts in the pending accounts list

Any future accounts discovered by a discovery process

Both “All accounts in the pending accounts list” and “Any future accounts discovered by a discovery process”

TRUE

FALS

Accounts Discovery

Auto Detection

Onboarding RestAPI functions

PTA Rules

Network Load Balancer

Classic Load Balancer

HTTPS load balancer

Public standard load balancer

The Master Policy

The Platform settings

The Safe settings

The Account Details

Window 2012 KB4558843

Remote Desktop services (RDS) Session Host Roles

Windows 2016 KB4558843

Remote Desktop services (RDS) Session Broker

TRIE

FALSE

True.

False. Because the user can also enter credentials manually using Secure Connect.

False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect.

False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

TRUE

FALS

Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

Shutdown PrivateArk Server on Primary Vault > Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

Shutdown PrivateArk Server on DR Vault > Replicate data from DR Vault to Primary Vault > Shutdown PrivateArk Server on DR Vault > Start replication on DR vault

List accounts, Authorize account request

Retrieve accounts, Access Safe without confirmation

Retrieve accounts, Authorize account request

List accounts, Unlock accounts

on the Vault server in Windows\System32\Etc\Hosts and in the PVWA Application under Administration > LDAP Integration > Directories > Hosts

on the Vault server in Windows\System32\Etc\Hosts and on the PVWA server in Windows\System32\Etc\Hosts

in the Private Ark client under Tools > Administrative Tools > Directory Mapping

on the Vault server in the certificate store and on the PVWA server in the certificate store

Password change

Password reconciliation

Session suspension

Session termination

Reduced risk of credential theft

More frequent password changes

Non-repudiation (individual accountability)

To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization

Install the Vault in the cloud the same way that you would in an on-premises environment Place the server key in a password protected folder on the operating system

Install the Vault in the cloud the same way that you would in an on-premises environment Purchase a Hardware Security Module to secure the server key

Install the Vault using the Amazon Machine Images and secure the server key using native cloud Key Management Systems

Install the Vault using the Amazon Machine Images and secure the server key with a Hardware Security Module

The entire vault.

Network Areas

Safes

Individual Accounts

Discovery and Audit (DMA)

Auto Detection (AD)

Export Vault Data (EVD)

On Demand Privileges Manager (OPM)

Accounts Discovery

Performs IIS hardening: Imports the CyberArk INF configuration

Performs IIS hardening: Configures all group policy settings

Performs IIS hardening: Renames the local Administrator Account

Configures Windows Firewall: Removes all installation files.

Log in to the system as root, then change root's password

Log in to the system as the logon account, then change roofs password

Log in to the system as the logon account, run the su command to log in as root, and then change root’s password.

None of these

True; this is the default behavior

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file

True, if the AllowFailback setting is set to “yes” in the padr.ini file

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the dbparm.ini file

Activity report

Entitlement report

Privileged Accounts Compliance Status report

Applications Inventory report

TRUE

FALSE

Logs, Vault Logs

Logs, Network Sensor, Vault Logs

Logs, PSM Logs, CPM Logs

Logs, Network Sensor, EPM

Administrator

Any member of Vault administrators

Any member of auditors

Master

Executes password changes

Maintains Vault metadata

Makes Vault data accessible to components

Sends email alerts from the Vault

The heartbeat s no longer detected on the private network.

The shared storage array is offline.

An alert is generated in the Windows Event log.

The Digital Vault Cluster does not detect a node failure.

It must be a Fully Qualified Domain Name (FQDN)

It must be an IP address

It must be NetBIOS name

Any name that is resolvable on the Central Policy Manager (CPM) server is acceptable

Password Expiration Time

Enabling and Disabling of the Connection Through the PSM

Password Complexity

The use of “One-Time-Passwords”

PSM connections to target devices that are not managed by CyberArk.

Session Recording

Real-time live session monitoring.

PSM connections from a terminal without the need to login to the PVWA

TRUE

FALSE

PSM (i.e., launching connections by clicking on the "Connect" button in the PVWA)

PSM for Windows (previously known as RDP Proxy)

PSM for SSH (previously known as PSM SSH Proxy)

All of the above

Vault Users

Vault Group

LDAP Users

LDAP Groups

To test that CyberArk is storing accurate credentials for accounts

To change the password of an account according to organizationally defined password rules

To allow CyberArk to manage unknown or lost credentials

To generate a new complex password

Edit the "Wmdows_Servers" platform, expand "Automatic Password Management", then select General and modify "AllowedSafes" to be (WindowsDC1)|(WindowsDC2).

Edit the "Windows_Servers" platform, expand "Automatic Password Management", then select Options and modify "AllowedSafes" to be (Win")

Edit the "WindowsDCI" and "WindowsDC2" safes through Safe Management. Add "Wmdows_Servers" to the "AliowedPlatforms".

Log in to PnvateArk using an Administrative user, Select File Server File Categories. Locate the category "WindowsServersAllowedSafes" and specify "WindowsDC! WindowsDC2"

Domain Admin

LDAP Admin

Read/Write

Read