New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

PAM-DEF Questions and Answers

Question # 6

You have been asked to identify the up or down status of Vault services.

Which CyberArk utility can you use to accomplish this task?

A.

Vault Replicator

B.

PAS Reporter

C.

Remote Control Agent

D.

Syslog

Full Access
Question # 7

As long as you are a member of the Vault Admins group you can grant any permission on any safe.

A.

TRUE

B.

FALSE

Full Access
Question # 8

What is required to manage loosely connected devices?

A.

PSM for SSH

B.

EPM

C.

PSM

D.

PTA

Full Access
Question # 9

Where can PTA be configured to send alerts? (Choose two.)

A.

SIEM

B.

Email

C.

Google Analytics

D.

EVD

E.

PAReplicate

Full Access
Question # 10

Where can you assign a Reconcile account? (Choose two.)

A.

in PVWA at the account level

B.

in PVWA in the platform configuration

C.

in the Master policy of the PVWA

D.

at the Safe level

E.

in the CPM settings

Full Access
Question # 11

What is the primary purpose of Dual Control?

A.

Reduced risk of credential theft

B.

More frequent password changes

C.

Non-repudiation (individual accountability)

D.

To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization.

Full Access
Question # 12

Match each key to its recommended storage location.

Full Access
Question # 13

Which Cyber Are components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.

A.

Discovery and Audit (DMA)

B.

Auto Detection (AD)

C.

Export Vault Data (EVD)

D.

On Demand Privileges Manager (OPM)

E.

Accounts Discovery

Full Access
Question # 14

Which master policy settings ensure non-repudiation?

A.

Require password verification every X days and enforce one-time password access.

B.

Enforce check-in/check-out exclusive access and enforce one-time password access.

C.

Allow EPV transparent connections ('Click to connect') and enforce check-in/check-out exclusive access.

D.

Allow EPV transparent connections ('Click to connect') and enforce one-time password access.

Full Access
Question # 15

Which file must be edited on the Vault to configure it to send data to PTA?

A.

dbparm.ini

B.

PARAgent.ini

C.

my.ini

D.

padr.ini

Full Access
Question # 16

How much disk space do you need on the server for a PAReplicate?

A.

500 GB

B.

1 TB

C.

same as disk size on Satellite Vault

D.

same as disk size on Primary Vault

Full Access
Question # 17

Where can you check that the LDAP binding is using TCP/636?

A.

in Active Directory under "Users OU" => "User Properties" => "External Bindings" => "Port"

B.

in PVWA, under "LDAP Integration" => "LDAP" => "Directories" => "" => "Hosts" => "Host"

C.

in PrivateArk Client, under "Tools" => "Administrative Tools" => "Directory Mapping" => ""

D.

From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.

Full Access
Question # 18

Your organization has a requirement to allow users to “check out passwords” and connect to targets with the same account through the PSM.

What needs to be configured in the Master policy to ensure this will happen?

A.

Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active

B.

Enforce check-in/check-out exclusive access = inactive; Require privileged session monitoring and isolation = inactive

C.

Enforce check-in/check-out exclusive access = inactive; Record and save session activity = active

D.

Enforce check-in/check-out exclusive access = active; Record and save session activity = inactive

Full Access
Question # 19

If PTA is integrated with a supported SIEM solution, which detection becomes available?

A.

unmanaged privileged account

B.

privileged access to the Vault during irregular days

C.

riskySPN

D.

exposed credentials

Full Access
Question # 20

You have been asked to secure a set of shared accounts in CyberArk whose passwords will need to be used by end users. The account owner wants to be able to track who was using an account at any given moment.

Which security configuration should you recommend?

A.

Configure one-time passwords for the appropriate platform in Master Policy.

B.

Configure shared account mode on the appropriate safe.

C.

Configure both one-time passwords and exclusive access for the appropriate platform in Master Policy.

D.

Configure object level access control on the appropriate safe.

Full Access
Question # 21

Which usage can be added as a service account platform?

A.

Kerberos Tokens

B.

IIS Application Pools

C.

PowerShell Libraries

D.

Loosely Connected Devices

Full Access
Question # 22

A newly created platform allows users to access a Linux endpoint. When users click to connect, nothing happens.

Which piece of the platform is missing?

A.

PSM-SSH Connection Component

B.

UnixPrompts.ini

C.

UnixProcess.ini

D.

PSM-RDP Connection Component

Full Access
Question # 23

Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed.

A.

HeadStartInterval

B.

Interval

C.

ImmediateInterval

D.

The CPM does not change the password under this circumstance

Full Access
Question # 24

According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.)

A.

network instabilities/outages

B.

vault license expiry

C.

credential de-sync

D.

browser compatibility issues

E.

installed location file corruption

Full Access
Question # 25

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

A.

Address

B.

Safe

C.

Account Description

D.

Platform

E.

CPM

Full Access
Question # 26

Which of the following options is not set in the Master Policy?

A.

Password Expiration Time

B.

Enabling and Disabling of the Connection Through the PSM

C.

Password Complexity

D.

The use of “One-Time-Passwords”

Full Access
Question # 27

Which onboarding method would you use to integrate CyberArk with your accounts provisioning process?

A.

Accounts Discovery

B.

Auto Detection

C.

Onboarding RestAPI functions

D.

PTA Rules

Full Access
Question # 28

A Vault administrator have associated a logon account to one of their Unix root accounts in the vault. When attempting to verify the root account’s password the Central Policy Manager (CPM) will:

A.

ignore the logon account and attempt to log in as root

B.

prompt the end user with a dialog box asking for the login account to use

C.

log in first with the logon account, then run the SU command to log in as root using the password in the Vault

D.

none of these

Full Access
Question # 29

In the screenshot displayed, you just configured the usage in CyberArk and want to update its password.

What is the least intrusive way to accomplish this?

A.

Use the “change” button on the usage’s details page.

B.

Use the “change” button on the parent account’s details page.

C.

Use the “sync” button on the usage’s details page.

D.

Use the “reconcile” button on the parent account’s details page.

Full Access
Question # 30

How much disk space do you need on a server to run a full replication with PAReplicate?

A.

500 GB

B.

1 TB

C.

same as disk size on Satellite Vault

D.

at least the same disk size as the Primary Vault

Full Access
Question # 31

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online.

A.

True; this is the default behavior

B.

False; this is not possible

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

True, if the AllowFailback setting is set to “yes” in the dbparm.ini file

Full Access
Question # 32

Which combination of Safe member permissions will allow end users to log in to a remote machine transparently but NOT show or copy the password?

A.

Use Accounts, Retrieve Accounts, List Accounts

B.

Use Accounts, List Accounts

C.

Use Accounts

D.

List Accounts, Retrieve Accounts

Full Access
Question # 33

You created a new platform by duplicating the out-of-box Linux through the SSH platform.

Without any change, which Text Recorder Type(s) will the new platform support? (Choose two.)

A.

SSH Text Recorder

B.

Universal Keystrokes Text Recorder

C.

Events Text Recorder

D.

SQL Text Recorder

E.

Telnet Commands Text Recorder

Full Access
Question # 34

For a safe with Object Level Access enabled you can turn off Object Level Access Control when it no longer needed on the safe.

A.

TRUE

B.

FALSE

Full Access
Question # 35

Which Automatic Remediation is configurable for a PTA detection of a “Suspected Credential Theft”?

A.

Add to Pending

B.

Rotate Credentials

C.

Reconcile Credentials

D.

Disable Account

Full Access
Question # 36

When managing SSH keys, the CPM stored the Private Key

A.

In the Vault

B.

On the target server

C.

A & B

D.

Nowhere because the private key can always be generated from the public key.

Full Access
Question # 37

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

A.

TRUE

B.

FALSE

Full Access
Question # 38

Which of the following files must be created or configured m order to run Password Upload Utility? Select all that apply.

A.

PACli.ini

B.

Vault.ini

C.

conf.ini

D.

A comma delimited upload file

Full Access
Question # 39

You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM.

Which safe permissions must you grant to the group? (Choose two.)

A.

List Accounts Most Voted

B.

Use Accounts Most Voted

C.

Access Safe without Confirmation

D.

Retrieve Files

E.

Confirm Request

Full Access
Question # 40

A password compliance audit found:

1) One-time password access of 20 domain accounts that are members of Domain Admins group in Active Directory are not being enforced.

2) All the sessions of connecting to domain controllers are not being recorded by CyberArk PSM.

What should you do to address these findings?

A.

Edit the Master Policy and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity".

B.

Edit safe properties and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity".

C.

Edit CPM Settings and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity".

D.

Contact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable "Enforce one-time password access", enable "Record and save session activity".

Full Access
Question # 41

Which dependent accounts does the CPM support out-of-the-box? (Choose three.)

A.

Solaris Configuration file

B.

Windows Services

C.

Windows Scheduled

D.

Windows DCOM Applications

E.

Windows Registry

F.

Key Tab file

Full Access
Question # 42

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)

A.

The PSM software must be instated on the target server

B.

PSM must be enabled in the Master Policy (either directly, or through exception)

C.

PSMConnect must be added as a local user on the target server

D.

RDP must be enabled on the target server

Full Access
Question # 43

Which option in the Private Ark client is used to update users’ Vault group memberships?

A.

Update > General tab

B.

Update > Authorizations tab

C.

Update > Member Of tab

D.

Update > Group tab

Full Access
Question # 44

What is the purpose of the HeadStartlnterval setting m a platform?

A.

It determines how far in advance audit data is collected tor reports

B.

It instructs the CPM to initiate the password change process X number of days before expiration.

C.

It instructs the AIM Provider to ‘skip the cache' during the defined time period

D.

It alerts users of upcoming password changes x number of days before expiration.

Full Access
Question # 45

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval.

A.

Create an exception to the Master Policy to exclude the group from the workflow process.

B.

Edith the master policy rule and modify the advanced’ Access safe without approval’ rule to include the group.

C.

On the safe in which the account is stored grant the group the’ Access safe without audit’ authorization.

D.

On the safe in which the account is stored grant the group the’ Access safe without confirmation’ authorization.

Full Access
Question # 46

To enable the Automatic response “Add to Pending” within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?

A.

List Accounts, View Safe members, Add accounts (includes update properties), Update Account content, Update Account properties

B.

List Accounts, Add accounts (includes update properties), Delete Accounts, Manage Safe

C.

Add accounts (includes update properties), Update Account content, Update Account properties, View Audit

D.

View Accounts, Update Account content, Update Account properties, Access Safe without confirmation, Manage Safe, View Audit

Full Access
Question # 47

What is the purpose of the CyberArk Event Notification Engine service?

A.

It sends email messages from the Central Policy Manager (CPM)

B.

It sends email messages from the Vault

C.

It processes audit report messages

D.

It makes Vault data available to components

Full Access
Question # 48

What is the chief benefit of PSM?

A.

Privileged session isolation

B.

Automatic password management

C.

Privileged session recording

D.

‘Privileged session isolation’ and ‘Privileged session recording’

Full Access
Question # 49

In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX system. What is the BEST way to allow CPM to manage root accounts.

A.

Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target server’s root account.

B.

Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account.

C.

Configure the Unix system to allow SSH logins.

D.

Configure the CPM to allow SSH logins.

Full Access
Question # 50

Which statement about the Master Policy best describes the differences between one-time password and exclusive access functionality?

A.

Exclusive access means that only a specific group of users may use the account. After an account on a one-time password platform is used, the account is deleted from the safe automatically.

B.

Exclusive access locks the account indefinitely. One-time password can be used replace invalid account passwords.

C.

Exclusive access is enabled by default in the Master Policy. One-time password should only be enabled for emergencies.

D.

Exclusive access allows only one person to check-out an account at a time. One-time password schedules an account for a password change after the MinValidityPeriod period expires.

Full Access
Question # 51

All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers never need to be able to use the show, copy or connect buttons themselves.

Which safe permission do you need to grant Operations Staff? Check all that apply.

A.

Use Accounts

B.

Retrieve Accounts

C.

Authorize Password Requests

D.

Access Safe without Authorization

Full Access
Question # 52

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account.

How should this be configured to allow for password management using least privilege?

A.

Configure each CPM to use the correct logon account.

B.

Configure each CPM to use the correct reconcile account.

C.

Configure the UNIX platform to use the correct logon account.

D.

Configure the UNIX platform to use the correct reconcile account.

Full Access
Question # 53

Match each component to its respective Log File location.

Full Access
Question # 54

A new HTML5 Gateway has been deployed in your organization.

From the PVWA, arrange the steps to configure a PSM host to use the HTML5 Gateway in the correct sequence.

Full Access
Question # 55

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)

A.

Operating System Username

B.

Host IP Address

C.

Client Hostname

D.

Operating System Type (Linux/Windows/HP-UX)

E.

Vault IP Address

F.

Time Frame

Full Access
Question # 56

A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request.

What is the correct location to identify users or groups who can approve?

A.

PVWA> Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control> Approvers

B.

PVWA> Policies > Access Control (Safes) > Safe Members > Workflow > Authorize Password Requests

C.

PVWA> Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers

D.

PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership)

Full Access
Question # 57

Which certificate type do you need to configure the vault for LDAP over SSL?

A.

the CA Certificate that signed the certificate used by the External Directory

B.

a CA signed Certificate for the Vault server

C.

a CA signed Certificate for the PVWA server

D.

a self-signed Certificate for the Vault

Full Access
Question # 58

What are the minimum permissions to add multiple accounts from a file when using PVWA bulk-upload? (Choose three.)

A.

add accounts

B.

rename accounts

C.

update account content

D.

update account properties

E.

view safe members

F.

add safes

Full Access
Question # 59

You have been asked to create an account group and assign three accounts which belong to a cluster. When you try to create a new group, you receive an unauthorized error; however, you are able to edit other aspects of the account properties.

Which safe permission do you need to manage account groups?

A.

create folders Most Voted

B.

specify next account content

C.

rename accounts

D.

manage safe

Full Access
Question # 60

Which authorizations are required in a recording safe to allow a group to view recordings?

Full Access
Question # 61

Which of the following properties are mandatory when adding accounts from a file? (Choose three.)

A.

Safe Name

B.

Platform ID

C.

All required properties specified in the Platform

D.

Username

E.

Address

F.

Hostname

Full Access
Question # 62

PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, but only if the session is made via the CyberArk PSM.

A.

True

B.

False, the PTA can suspend sessions whether the session is made via the PSM or not

Full Access
Question # 63

You receive this error:

“Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied.”

Which root cause should you investigate?

A.

The account does not have sufficient permissions to change its own password.

B.

The domain controller is unreachable.

C.

The password has been changed recently and minimum password age is preventing the change.

D.

The CPM service is disabled and will need to be restarted.

Full Access
Question # 64

When managing SSH keys, the CPM stores the Public Key

A.

In the Vault

B.

On the target server

C.

A & B

D.

Nowhere because the public key can always be generated from the private key.

Full Access
Question # 65

When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change?

A.

Set the parameter RCAllowManualReconciliation to Yes.

B.

Set the parameter ChangePasswordinResetMade to Yes.

C.

Set the parameter IgnoreReconcileOnMissingAccount to No.

D.

Set the UnlockUserOnReconcile to Yes.

Full Access
Question # 66

A Logon Account can be specified in the Master Policy.

A.

TRUE

B.

FALSE

Full Access
Question # 67

Via Password Vault Web Access (PVWA), a user initiates a PSM connection to the target Linux machine using RemoteApp. When the client’s machine makes an RDP connection to the PSM server, which user will be utilized?

A.

Credentials stored in the Vault for the target machine

B.

Shadowuser

C.

PSMConnect

D.

PSMAdminConnect

Full Access
Question # 68

What do you need on the Vault to support LDAP over SSL?

A.

CA Certificate(s) used to sign the External Directory certificate Most Voted

B.

RECPRV.key

C.

a private key for the external directory

D.

self-signed Certificate(s) for the Vault

Full Access
Question # 69

You have been asked to turn off the time access restrictions for a safe.

Where is this setting found?

A.

PrivateArk

B.

RestAPI

C.

Password Vault Web Access (PVWA)

D.

Vault

Full Access
Question # 70

It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

A.

TRUE

B.

FALS

Full Access
Question # 71

Platform settings are applied to _________.

A.

The entire vault.

B.

Network Areas

C.

Safes

D.

Individual Accounts

Full Access
Question # 72

When onboarding multiple accounts from the Pending Accounts list, which associated setting must be the same across the selected accounts?

A.

Platform

B.

Connection Component

C.

CPM

D.

Vault

Full Access