Notes

Which values are acceptable in the address field of an Account?
• It must be a Fully Qualified Domain Name (FQDN).
• It must be an IP address.
• It must be NetBIOS name.
• Any name that is resolvable on the Central Policy Manager (CPM) server is acceptable.
The Accounts Feed contains:
• accounts that were discovered by CyberArk in the last 30 days.
• accounts that were discovered by CyberArk that have not yet been onboarded.
• all accounts added to the vault in the last 30 days.
• all users added to CyberArk in the last 30 days.
Accounts Discovery allows secure connections to domain controllers.
• True
• False
Which of these accounts onboarding methods is considered proactive?
• Accounts Discovery
• Detecting accounts with PTA
• A Rest API integration with account provisioning software
• A DNA scan
When creating an onboarding rule, it will be executed upon:
• All accounts in the pending accounts list.
• Any future accounts discovered by a discovery process.
• Both A and B
What are the functions of the Remote Control Agent service? (Choose 3)
• Allows remote monitoring of the Vault
• Sends SNMP traps from the Vault
• Maintains audit data
• Allows CyberArk services to be managed (start/stop/status) remotely
The Vault administrator can change the Vault license by uploading the new license to the system Safe.
• True
• False
CyberArk implements license limits by controlling the number of and types of users that can be provisioned in the Vault.
• True
• False
PSM for Windows (previously known as RDP Proxy) supports connections to the which of the following target systems?
• Windows
• Unix
• Oracle
• All of the above
PSM for SSH (previously known as PSM-SSH Proxy) supports connections to which of the following target systems?
• Windows
• Unix
• Oracle
• All of the above
Within the Vault each password is encrypted by:
• the server key.
• the recovery public key.
• the recovery private key.
• its own unique key.
Which utilities could a Vault administrator use to change debugging levels on the Vault without having to restart the Vault? Select the two correct options.
• PAR Agent
• PrivateArk Server Central Administration
• Edit DBParm.ini in a text editor.
• Setup.exe
How does the Vault administrator apply a new license file?
• Upload the license.xml file to the system Safe and restart the PrivateArk Server service.
• Upload the license.xml file to the system Safe.
• Upload the license.xml file to the Vault Internal Safe and restart the PrivateArk Server service.
• Upload the license.xml file to the Vault Internal Safe.

Which keys are required to be present in order to start the PrivateArk Server service? (Choose 2)
• Recovery public key
• Recovery private key
• Server key
• Safe key
What is the purpose of the CyberArk Event Notification Engine service?
• It sends email messages from the Central Policy Manager (CPM).
• It sends email messages from the Vault.
• It processes audit report messages.
• It makes Vault data available to components.
What is the purpose of the PrivateArk Database service?
• Communicates with components
• Sends email alerts from the Vault
• Executes password changes
• Maintains Vault metadata
What is the purpose of the PrivateArk Server service?
• Executes password changes
• Maintains Vault metadata
• Makes Vault data accessible to components
• Sends email alerts from the Vault
Select the best practice for storing the Master CD.
• Copy the files to the Vault server and discard the CD.
• Copy the contents of the CD to a Hardware Security Module (HSM) and discard the CD.
• Store the CD in a secure location, such as a physical safe.
• Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder secured with NTFS permissions on the Vault.
Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? Choose the three correct options.
• Store the CD in a physical safe and mount the CD every time Vault maintenance is performed.
• Copy the entire contents of the CD to the system Safe on the Vault.
• Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions.
• Store the server key in a Hardware Security Module (HSM) and copy the rest of the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions.
Which service should NOT be running on the DR Vault when the primary Production Vault is up?
• PrivateArk Database
• PrivateArk Server
• CyberArk Vault Disaster Recovery (DR) service
• CyberArk Logic Container
Which of the following logs contains information about errors related to PTA?
• ITAlog.log
• diamond.log
• pm_error.log
• WebApplication.log
When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online.
• True; this is the default behavior.
• False, this is not possible.
• True, if the AllowFailback setting is set to “yes” in the padr.ini file.
• True, if the AllowFailback setting is set to “yes” in the dbparm.ini file.
When a DR Vault Server becomes an active vault, it will automatically revert back to DR mode once the Primary Vault comes back online.
• True; this is the default behavior.
• False, the Vault administrator must manually set the DR Vault to DR mode by setting "FailoverMode=no" in the padr.ini file.
• True, if the AllowFailback setting is set to “yes” in the padr.ini file.
• False, the Vault administrator must manually set the DR Vault to DR mode by setting "FailoverMode=no" in the dbparm.ini file.
Which of the following components can be used to create a tape backup of the Vault?
• Disaster Recovery
• Distributed Vaults
• Replicate
• High Availability

A Vault administrator has associated a logon account to one of their Unix root accounts in the Vault. When attempting to change the root account's password the Central Policy Manager (CPM) will:
• log in to the system as root, then change root's password.
• log in to the system as the logon account, then change root's password.
• log in to the system as the logon account, run the SU command to log in as root, and then change root's password.
• none of these.
For a Safe with object level access control enabled the Vault administrator is able to turn off object level access control when it no longer needed on the Safe.
• True
• False
The Vault supports Subnet Based Access Control.
• True
• False
The Vault does NOT support Subnet Based Access Control.
• True
• False
Assuming a Safe has been configured to be accessible during certain hours of the day, a Vault administrator may still access that Safe outside of those hours.
• True
• False
A Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control.
• True
• False
What is the purpose of the password verify process?
• To test that CyberArk is storing accurate credentials for accounts
• To change the password of an account according to organizationally defined password rules
• To allow CyberArk to manage unknown or lost credentials
• To generate a new complex password
What is the purpose of the password change process?
• To test that CyberArk is storing accurate credentials for accounts
• To change the password of an account according to organizationally defined password rules
• To allow CyberArk to manage unknown or lost credentials
• To generate a new complex password
In order to grant a permission to a user, an administrator MUST possess that permission.
• True
• False
A logon account can be specified in the platform settings.
• True
• False
Which Master Policy setting must be active in order to have an account checked out by one user for a pre-determined amount of time?
• Require Dual Control password access approval.
• Enforce check-in/check-out exclusive access.
• Enforce one-time password access.
• Enforce check-in/check-out exclusive access and enforce one-time password access.
Which combination of Safe member permissions will allow end users to log in to a remote machine transparently but NOT show or copy the password?
• Use Accounts, Retrieve Accounts, List Accounts
• Use Accounts, List Accounts
• Use Accounts
• List Accounts, Retrieve Accounts
CyberArk recommends implementing object level access control on all Safes.
• True
• False
Which credentials does CyberArk use when managing a target account?
• Those of the service account for the CyberArk Password Manager service
• A domain administrator account created for this purpose
• The credentials of the target account
• An account assigned by the Master Policy
What is the purpose of the password reconcile process?
• To test that CyberArk is storing accurate credentials for accounts
• To change the password of an account according to organizationally defined password rules
• To allow CyberArk to manage unknown or lost credentials
• To generate a new complex password
What is the process to remove object level access control from a Safe?
• Uncheck the 'Enable Object Level Access Control' on the Safe Details page in the PVWA.
• Uncheck the 'Enable Object Level Access Control' box in the Safe Properties in PrivateArk.
• This cannot be done.
• Remove all ACLs from the Safe.
Access control to passwords is implemented by:
• Vault authorizations.
• Safe authorizations.
• Master Policy.
• Platform settings.
If a user is a member of more than one group that has authorizations on a Safe, by default that user is granted:
• the Vault will not allow this situation to occur.
• only those permissions that exist on the group added to the Safe first.
• only those permissions that exist in all groups to which the user belongs.
• the cumulative permissions of all the groups to which that user belongs.
Users who have the 'Access Safe without confirmation' permission on a Safe where accounts are configured for Dual Control still need to request approval to use the account.
• True
• False
Which is the purpose of a linked account?
• To ensure that a particular collection of accounts all have the same password
• To ensure a particular set of accounts all change at the same time
• To connect the CPM to a target system
• To allow the use of additional passwords within a password management process

A Vault administrator has associated a logon account to one of their Unix root accounts in the Vault. When attempting to verify the root account's password the Central Policy Manager (CPM) will:
• ignore the logon account and attempt to log in as root.
• prompt the end user with a dialog box asking for the login account to use.
• log in first with the logon account, then run the SU command to log in as root using the password in the Vault.
• none of these.
For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would the Vault administrator configure a group of users to access a password without approval?
• Create an exception to the Master Policy to exclude the group from the workflow process.
• Edit the Master Policy rule and modify the advanced 'Access Safe without approval' rule to include the group.
• On the Safe in which the account is stored grant the group the 'Access Safe without audit' authorization.
• On the Safe in which the account is stored grant the group the 'Access Safe without confirmation' authorization.
Which is the primary purpose of exclusive accounts?
• Reduced risk of credential theft
• More frequent password changes
• Non-repudiation (individual accountability)
• To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization
Which is the primary purpose of one-time passwords?
• Reduced risk of credential theft
• More frequent password changes
• Non-repudiation (individual accountability)
• To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization
Which is the primary purpose of Dual Control?
• Reduced risk of credential theft
• More frequent password changes
• Non-repudiation (individual accountability)
• To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization
What is the name of the platform parameter that determines the length of time a person is allowed to use a one-time password?
• MinValidityPeriod
• Interval
• ImmediateInterval
• Timeout
Which is the purpose of the HeadStartInterval setting in a platform?
• It determines how far in advance audit data is collected for reports.
• It instructs the CPM to initiate the password change process certain number of days before expiration.
• It instructs the AIM provider to 'skip the cache' during the defined time period.
• It alerts users of upcoming password changes a certain number of days before expiration.
Platform settings are applied to:
• the entire Vault.
• network areas.
• Safes.
• individual accounts.
One can create exceptions to the Master Policy based on:
• Safes.
• platforms.
• policies.
• accounts.
When managing SSH keys, the Central Policy Manager (CPM) stores the public key:
• in the Vault.
• on the target server.
• A and B.
• nowhere because the public key can always be generated from the private key.
When managing SSH keys, the Central Policy Manager (CPM) stores the private key:
• in the Vault.
• on the target server.
• A and B.
• nowhere because the private key can always be generated from the public key.
 
Time of day or day of week restrictions on when password changes can occur are configured in the:
• Master Policy.
• platform settings.
• Safe settings.
• account details.
Time of day or day of week restrictions on when password verifications can occur are configured in the:
• Master Policy.
• platform settings.
• Safe settings.
• account details.
Time of day or day of week restrictions on when password reconciliations can occur are configured in the:
• Master Policy.
• platform settings.
• Safe settings.
• account details.
A Safe was recently created by a user who is a member of the LDAP Vault Administrators group. Which of the following users does NOT have access to the newly created Safe by default?
• Master
• Administrator
• Auditor
• Backup
According to the default web options settings, which group grants access to the reports page?
• PVWAUsers
• Vault Administrators
• Auditors
• PVWAMonitor
Which report could show all accounts that are past their expiration dates?
• Privileged Account Compliance Status report
• Activity log
• Privileged Account Inventory report
• Application Inventory report
Which report shows the accounts that are accessible to each user?
• Activity report
• Entitlement report
• Privileged Accounts Compliance Status report
• Applications Inventory report
Which type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event?
• Password change
• Password reconciliation
• Session suspension
• Session termination
Which type of automatic remediation can be performed by the PTA in case of a suspicious password change security event?
• Password change
• Password reconciliation
• Session suspension
• Session termination
Which of the following PTA detections are included in the Core PAS offering? Choose 2.
• Suspected Credential Theft (checked)
• Over-Pass-The-Hash
• Golden Ticket
• Unmanaged Privileged Access (checked)
PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, but only if the session is made via the CyberArk PSM.
• True (checked)
• False, the PTA can suspend sessions whether the session is made via the PSM or not.
Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller?
• Suspected credential theft
• Over-Pass-The-Hash (checked)
• Golden Ticket (checked)
• Unmanaged privileged access
 
Which one of the following reports is NOT generated by using the Password Vault Web Access (PVWA)?
• Accounts Inventory
• Application Inventory
• Active/Non-Active Users (checked)
• Compliance Status
What is the purpose of EVD?
• To extract vault metadata into an open database platform. (checked)
• To allow editing of vault metadata.
• To create a backup of the MySQL database.
• To extract audit data from the vault.
A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings. What is the issue?
• The user must login as PSMAdminConnect.
• The PSM service is not running.
• The user is not a member of the PVWAMonitor group.
• The user is not a member of the Auditors group. (checked)
An auditor needs to login to the PSM in order to live monitor an active session. Which user ID is used to establish the RDP connection to the PSM server?
• PSMConnect
• PSMMaster
• PSMGwUser
• PSMAdminConnect (checked)
In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the Vault.
• True
• False, because the user can also enter credentials manually using Ad-Hoc Access. (checked)
• False, because if credentials are not stored in the Vault, the PSM will log into the target device as PSM Connect.
• False, because if credentials are not stored in the Vault, the PSM will prompt for credentials.
 
Via Password Vault Web Access (PVWA), a user initiates a PSM connection to the target Linux machine using RemoteApp. When the client's machine makes an RDP connection to the PSM server, which user will be utilized?
• Credentials stored in the Vault for the target machine
• Shadowuser
• PSMConnect (checked)
• PSMAdminConnect
An auditor initiates a live monitoring session to PSM server to view an ongoing live session. When the auditor's machine makes an RDP connection the PSM server, which user will be used?
• PSMAAdminConnect (checked)
• Shadowuser
• PSMConnect
• Credentials stored in the Vault for the target machine
Which one of these built-in Vault users is NOT automatically added to a Safe when it is created?
• Master
• Administrator
• Auditor
• Operator
Vault administrators must manually add the Auditors group to newly created Safes so auditors will have sufficient access to run reports.
• True
• False (checked)
Which user(s) can access all passwords in the Vault?
• Administrator
• Any member of Vault administrators
• Any member of auditors
• Master (checked)
A user is receiving the error message "ITATS006E Station is suspended for User jsmith" when attempting to sign into the Password Vault Web Access (PVWA). Which utility would a Vault administrator use to correct this problem?
• createcredfile.exe
• cavaultmanager.exe
• PrivateArk (checked)
• PVWA
Which user is automatically added to all Safes and cannot be removed?
• Auditor
• Administrator
• Master
• Operator