Practice CyberArk Security Questions PDF
Uploaded by PalatialSard8580
SOS Hermann Gmeiner College Bogura
Summary
This document contains practice questions covering CyberArk security concepts, from vault configuration to privileged account management. The questions cover various aspects like troubleshooting, account duplication, and reducing credential theft risk.
Full Transcript
Practice

1. What do you need on the Vault to support LDAP over SSL?
A. CA Certificate(s) used to sign the External Directory certificate
B. RECPRV.key
C. a private key for the external directory
D. self-signed Certificate(s) for the Vault
Sol: On the Vault machine, import the CA certificate that signed the certificate used by the external directory into the Windows certificate store to facilitate an SSL connection between the Vault and the external directory (recommended).

2. You are troubleshooting a PVWA slow response. Which log files should you analyze first? (Choose two.)
A. ITALog.log
B. web.config
C. CyberArk.WebApplication.log
D. CyberArk.WebConsole.log
Sol: PVWA log files:
PVWA.App.log
PVWA.Reports.log
PVWA.Console.log
PVWA.Casos.log
CyberArk.WebSession.General.log
CyberArk.WebServiceSession.log
CyberArk.WebServiceSession..log

3. What is the easiest way to duplicate an existing platform?
A. From PrivateArk, copy/paste the appropriate Policy.ini file; then rename it.
B. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.
C. From PrivateArk, copy/paste the appropriate settings in PVConfiguration.xml; then update the policyName variable.
D. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform, manually update the platform settings and click "Save as" INSTEAD of save to duplicate and rename the platform.

4. DRAG DROP - Match each key to its recommended storage location.
Sol:
Recovery Private Key: Store in a Physical Safe (Master CD)
Recovery Public Key: Store on the Vault Server Disk Drive
Server Key: Store in a Hardware Security Module
SSH Keys: Store in the Vault

5. Due to corporate storage constraints, you have been asked to disable session monitoring and recording for 500 testing accounts used for your lab environment. How do you accomplish this?
A. Master Policy > select Session Management > add Exceptions to the platform(s) > disable Session Monitoring and Recording policies
B. Administration > Platform Management > select the platform(s) > disable Session Monitoring and Recording
C. Policies > Access Control (Safes) > select the safe(s) > disable Session Monitoring and Recording policies
D. Administration > Configuration Options > Options > select Privilege Session Management > disable Session Monitoring and Recording policies
Sol: The answer is B. Here's why:
Platform-Level Control: Session monitoring and recording are managed at the platform level in CyberArk. Platforms represent the type of systems you are managing (e.g., Windows Domain Accounts, Linux SSH, Oracle Database).
Master Policy and Exceptions: The Master Policy sets the baseline rules, but you can create exceptions to these rules for specific platforms. This lets you fine-tune how different systems are managed.
Disabling Session Management: To disable session monitoring and recording for your testing accounts, you would:
1. Go to Administration > Platform Management.
2. Select the platform(s) associated with your 500 testing accounts.
3. Modify the Privileged Session Management settings within the platform configuration to disable monitoring and recording.
Why the other options are incorrect:
A. Master Policy: While the Master Policy governs overall settings, you need to apply exceptions at the platform level for specific groups of accounts.
C. Access Control (Safes): Safes are for storing and managing access to privileged accounts. While you can control who has access to recordings within a Safe, disabling recording itself is done at the platform level.
D. Administration > Configuration Options: Configuration Options typically manage system-wide settings, not platform-specific session recording rules.

6. A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request. What is the correct location to identify users or groups who can approve?
A. PVWA > Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control > Approvers
B. PVWA > Policies > Access Control (Safes) > Select the safe > Safe Members > Workflow > Authorize Password Requests
C. PVWA > Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers
D. PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership)
Sol: The correct answer is B. Here's why:
Dual Control and Safe Membership: Dual control in CyberArk is implemented through Safe membership and permissions. It means that you define who can approve password requests within the context of a specific Safe.
Requesters and Approvers:
Requesters: Users who need to use privileged accounts. They have "Use" (and/or "Retrieve") and "List" permissions on the Safe.
Approvers: Users or groups responsible for authorizing requests for privileged accounts. They typically have "List" and "Authorize" permissions on the Safe, without necessarily having "Use" or "Retrieve" permissions.
Safe Members Tab: To identify the approvers, you would navigate to the Safe where the password-protected account is stored and check the "Safe Members" tab. Within this tab, the "Workflow" section will show users or groups with "Authorize Password Requests" permissions. This is where you find who can approve the user's request.
Let's look at why the other options are incorrect:
A. PVWA > Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control > Approvers: While platform configuration contains settings related to dual control, it doesn't list specific approvers for individual Safes. Dual control settings at the platform level are more about enabling the feature and defining general rules, such as the number of approvers required. You set up exceptions to the Master Policy on a per-platform basis. The settings for managing passwords are in the Automatic Password Management section.
C. PVWA > Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers: Direct managers are a specific type of approver that you can configure in advanced dual control settings. However, this option won't show all potential approvers, only those who are designated as direct managers in Active Directory.
D. PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership): The Auditors group has specific auditing permissions by default but doesn't automatically have approval rights for dual control. They can list accounts, view Safe members, and view the audit log. Approvers are set at the Safe level.
The key concept here is that approval for dual control is tied to the specific Safe containing the password-protected account. The Vault admin needs to look within the Safe's settings to identify who has been granted the "Authorize Password Requests" permission.

7. What must you specify when configuring a discovery scan for UNIX? (Choose two.)
A. Vault Administrator
B. CPM Scanner
C. root password for each machine
D. list of machines to scan
E. safe for discovered accounts
Sol: To configure a discovery scan for UNIX, you must specify the following two options:
B. CPM Scanner: The CPM (CyberArk Privileged Account Security) Scanner is a component that connects to target systems to discover and manage accounts. It performs the actual scanning process and collects information about privileged accounts. When setting up a UNIX discovery scan, you need to specify which CPM Scanner will be used to connect to the target UNIX/Linux machines.
D. list of machines to scan: To perform a UNIX discovery scan, you need to supply a list of IP addresses for the target Unix/Linux machines in a CSV (Comma Separated Value) file.
This file contains the addresses of the systems you want to scan for privileged accounts.
Why the other options are incorrect:
A. Vault Administrator: While the Vault Administrator role has access to configure discovery scans, the Vault Administrator's username is not a required parameter for the scan itself. Discovery scans are initiated and managed by the CPM Scanner, not the Vault Administrator directly.
C. root password for each machine: A default password is required when setting up a UNIX discovery scan, but it is not necessary to know the root password of each individual machine in the scan.
E. safe for discovered accounts: The safe where discovered accounts will be stored is determined by Automatic Onboarding Rules. If no rule is defined, the accounts will be sent to the Pending Safe for manual onboarding. The safe destination is not a parameter required at the time of scan configuration.

8. To change the safe where recordings are kept for a specific platform, which setting must you update in the platform configuration?
A. SessionRecorderSafe
B. SessionSafe
C. RecordingsPath
D. RecordingLocation
Sol: The setting you must update to change the safe where recordings are kept for a specific platform is A. SessionRecorderSafe. The sources state that you can customize session recordings in the Privileged Session Management section of Platform Management. You can define a recording safe using the SessionRecorderSafe property. This property is used to specify the name of the safe where recordings for a platform will be stored. The sources also describe how recordings can be stored in various ways: by predefined safe name, by a generated name that includes the account safe name, or by a generated name that includes the values of specific connection parameters.
The other options are not correct:
B. SessionSafe: This term is not used in the sources provided.
C. RecordingsPath and D. RecordingLocation: While the sources refer to a RecordingsDirectory parameter for changing the temporary location where recordings are saved on the PSM server before being uploaded to the vault, they do not mention configuration options named "RecordingsPath" or "RecordingLocation." The sources focus on the SessionRecorderSafe setting for controlling the final destination of session recordings within the CyberArk Vault.

9. Which processes reduce the risk of credential theft? (Choose two.)
A. require dual control password access approval
B. require password change every X days
C. enforce check-in/check-out exclusive access
D. enforce one-time password access
Sol: The two processes that reduce the risk of credential theft are:
A. require dual control password access approval: Dual control is a security measure that requires approval from multiple authorized individuals before a privileged account can be accessed. This process helps prevent a single individual from having unauthorized access to sensitive credentials and ensures that access is granted only when legitimately needed.
C. enforce check-in/check-out exclusive access: Enforcing check-in/check-out exclusive access means that only one user can have access to a privileged account at any given time. This practice helps prevent unauthorized access by ensuring that credentials are not shared or left open for misuse. When a user checks out an account, it becomes locked, preventing others from using it until it's checked back in.
Let's examine why the other options are not as directly related to reducing the risk of credential theft:
B. require password change every X days: Requiring regular password changes is a good security practice, but it is more effective at mitigating the damage caused by a credential theft that has already happened. It doesn't actively prevent the initial theft. The sources highlight the importance of password management, but they do not directly link this practice to the prevention of credential theft.
D. enforce one-time password access: Enforcing one-time password access enhances security by ensuring that each password is used only once. However, this process doesn't necessarily prevent the initial theft of credentials. Once a one-time password is compromised, an attacker can potentially use it before it expires. Similar to option B, the sources discuss one-time passwords, but they do not explicitly state that this process reduces the risk of credential theft.

10. You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account. How can this be configured to allow for password management using least privilege?
A. Configure each CPM to use the correct logon account.
B. Configure each CPM to use the correct reconcile account.
C. Configure the UNIX platform to use the correct logon account.
D. Configure the UNIX platform to use the correct reconcile account.
Sol: The correct answer is C. Configure the UNIX platform to use the correct logon account. Here's why:
Root Account Restrictions: The scenario states that the CPM (Central Policy Manager) cannot log in directly with the root account. This situation is common because, as a security best practice, many organizations disable direct remote root logins via SSH. The sources discuss this, stating that "The root user is often prevented from logging in remotely as part of best practices" and explaining how this can cause root password change failures.
Logon Accounts: The sources explain that a logon account is a non-privileged account that the CPM can use to connect to the target system and then escalate privileges (like switching to root) to perform password management tasks. They offer the solution: "onboard a non-privileged account that we can use to connect and then switch to root in order to perform the password change. This account is the Logon Account".
Associating a Logon Account with a Platform: The sources describe how to associate a logon account with a specific platform in the CyberArk Vault. This means that whenever the CPM needs to manage accounts on that platform, it will use the designated logon account to establish the initial connection. The sources state that "when we re-run a password change, we will see that the PasswordManager user has changed the password" because of the logon account.
Least Privilege: Using a logon account adheres to the principle of least privilege. The logon account only has the necessary permissions to connect to the system and escalate privileges for password management. The sources mention that privileged accounts should be managed using the concept of least privilege. It doesn't have full root privileges, minimizing the potential security risks associated with using a highly privileged account for routine tasks.
Let's analyze why the other options are incorrect:
A. Configure each CPM to use the correct logon account: Configuring the logon account at the CPM level is not the most efficient or secure approach. It is more practical to configure this association at the platform level. The sources state that platforms have a primary purpose: to "Define the technical settings required to manage passwords". The sources advocate using platform-level settings for password management.
B. Configure each CPM to use the correct reconcile account: A reconcile account is used for password reconciliation, which is a process for resetting passwords when they are unknown or out of sync with the Vault. While reconcile accounts are important for managing passwords, they are not used for the initial login process.
D. Configure the UNIX platform to use the correct reconcile account: As stated above, a reconcile account serves a different purpose than a logon account and wouldn't be used for initial login and privilege escalation. The sources distinguish between logon accounts and reconcile accounts, stating that logon accounts are for "regular use", while reconcile accounts should be used less frequently.
In summary: To manage UNIX root accounts where direct root login is restricted, you need to configure the UNIX platform in CyberArk to use a designated logon account. This configuration allows the CPM to connect using a less privileged account, escalate privileges for password management, and adhere to the principle of least privilege.

11. DRAG DROP - A DR Vault became active due to a failure of the primary Vault. Service on the primary Vault has now been restored. Arrange the steps to return the DR vault to its normal standby mode in the correct sequence.
Sol: Set the DR Server Back into DR Mode
1. Sign into the DR Server as a local server Administrator.
2. Open the file explorer and navigate to C:\Program Files (x86)\PrivateArk\PADR\Conf. Double click on the padr.ini file to edit it with Notepad.
3. Set the “FailoverMode=No” and delete the last two lines (log number and timestamp of the last successful replication) in the file. Save the file and close it. These changes will trigger the DR service on the Primary Vault to perform a full replication once the PADR Service is started.
[Figure 20: Preparing for a Full Replication]
4. Using the Windows Services applet, stop the PrivateArk Server service on the DR Server.
[Figure 21: Stopping the PrivateArk Server Service]
5. Then start the CyberArk Vault Disaster Recovery Service on the DR Server.
[Figure 22: Starting the PADR Service]
6. Check the tail running on the padr.log file on the DR Server and confirm that a full replication process started and that the replication (from the Primary Vault to the DR Vault) has ended successfully.
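Steps 3 and 6 of the fail-back procedure above, as an added example that is not part of the original document or of CyberArk's own tooling: one function prepares padr.ini for a full replication (FailoverMode=No, trailing state lines removed), the other confirms from padr.log that the full replication started and ended. The sample padr.ini, the names of its two trailing lines and the padr.log message wording are constructed assumptions; only the FailoverMode key comes from the page.

```python
"""DR fail-back helpers modelled on question 11 (added example, not
CyberArk code).  File contents below are constructed samples."""
import re

# Constructed padr.ini as it might look after a failover.  The page says the
# last two lines hold the log number and timestamp of the last successful
# replication; the key names used for them here are an assumption.
SAMPLE_PADR_INI = """\
Vault=C:\\Program Files (x86)\\PrivateArk\\PADR\\Conf\\Vault.ini
CredFile=C:\\Program Files (x86)\\PrivateArk\\PADR\\Conf\\user.ini
FailoverMode=Yes
EnableCheck=Yes
LastReplicatedLog=1042
LastReplicationTime=2024-05-01 02:15:00
"""

# Assumed names of the two trailing state lines (constructed).
STATE_KEYS = ("LastReplicatedLog", "LastReplicationTime")


def prepare_for_full_replication(ini_text, state_keys=STATE_KEYS):
    """Step 3: set FailoverMode=No and drop the trailing replication-state
    lines so PADR replicates from scratch when the service starts.

    Refuses to touch a file without a FailoverMode key, and is idempotent:
    running it on an already-prepared file changes nothing."""
    lines = ini_text.splitlines()
    keys = [line.split("=", 1)[0].strip() for line in lines]
    if "FailoverMode" not in keys:
        raise ValueError("FailoverMode key missing: not a padr.ini?")
    lines = ["FailoverMode=No" if k == "FailoverMode" else line
             for k, line in zip(keys, lines)]
    # Strip only the trailing state lines; never eat configuration keys.
    while lines and lines[-1].split("=", 1)[0].strip() in state_keys:
        lines.pop()
    return "\n".join(lines) + "\n"


# Constructed padr.log excerpt; the message wording is an assumption.
SAMPLE_PADR_LOG = """\
01/05/2024 10:00:01 DR service started
01/05/2024 10:00:05 Full replication started
01/05/2024 10:23:47 Full replication ended successfully
01/05/2024 10:30:00 Incremental replication started
"""

_START = re.compile(r"Full replication started")
_END = re.compile(r"Full replication ended successfully")


def full_replication_status(log_text):
    """Step 6: did a full replication start, and did that run end
    successfully?  A later 'started' line resets the completion flag so a
    restarted replication that never finished is not reported as done."""
    started = completed = False
    for line in log_text.splitlines():
        if _START.search(line):
            started, completed = True, False
        elif started and _END.search(line):
            completed = True
    return {"started": started, "completed": completed}


if __name__ == "__main__":
    print(prepare_for_full_replication(SAMPLE_PADR_INI))
    print(full_replication_status(SAMPLE_PADR_LOG))
```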
12. Which methods can you use to add a user directly to the Vault Admin Group? (Choose three.)
A. REST API
B. PrivateArk Client
C. PACLI
D. PVWA
E. Active Directory
F. Sailpoint
Sol: The PrivateArk Client can definitely do this. The REST API and PACLI can also do it directly; for PACLI, use AddGroupMember.

13. Which Automatic Remediation is configurable for a PTA detection of a "Suspected Credential Theft"?
A. Add to Pending
B. Rotate Credentials
C. Reconcile Credentials
D. Disable Account
Sol: The answer is B. Rotate Credentials. The Privileged Threat Analytics (PTA) component can detect several suspicious events, one of which is "Suspected Credential Theft". This occurs when privileged accounts are used without retrieving the credentials from CyberArk. To respond to this security event, the PTA can trigger the CyberArk system to automatically rotate the credentials for the compromised account. The source explains that the PTA achieves this by comparing the login time on the target machine with the last time the password was retrieved from the vault. If the password wasn't retrieved recently, the PTA assumes a "Suspected Credential Theft" and initiates a password change. The source details how to configure the PTA to detect "Suspected Credential Theft" and automatically rotate credentials. The process involves:
Adding the PTA user accounts (PTAAppUser and PTAUser) to the relevant safe with appropriate permissions.
Configuring the "Suspicious Password Change" policy to enable automatic password reconciliation.
By configuring the PTA in this way, you can enhance your security posture by proactively responding to potential credential theft and mitigating the risk of unauthorized access.

14. Which item is an option for PSM recording customization?
A. Windows events text recorder with automatic play-back
B. Windows events text recorder and universal keystrokes recording simultaneously
C. Universal keystrokes text recorder with windows events text recorder disabled
D. Custom audio recording for windows events
Sol: The correct answer is C. Universal keystrokes text recorder with windows events text recorder disabled. Here's why:
Universal keystrokes text recording can be enabled for various connection components in PSM, including PSM-RDP. This recording captures all keystrokes typed during a session.
Windows events text recording can also be enabled for Windows connections. It records the titles of all Windows accessed during a session.
However, universal keystrokes recording and Windows events recording cannot both be enabled for the same connection if more than one language is enabled. Therefore, if you want to use universal keystrokes text recording, you need to disable Windows events text recording.
Let's break down why the other options are incorrect:
A. Windows events text recorder with automatic play-back: While Windows events text recording captures window titles, the sources do not mention any automatic playback feature for this type of recording. The recording can be viewed, but the sources don't indicate an automatic playback function.
B. Windows events text recorder and universal keystrokes recording simultaneously: As explained above, these two recording types cannot be enabled simultaneously if multiple languages are configured on the target system. You must choose one or the other.
D. Custom audio recording for windows events: The sources don't mention any functionality for custom audio recording in relation to PSM. PSM recording options focus on video, text, and audit trails.
Key Concepts and Insights
PSM Recording Flexibility: PSM offers a range of recording options, including video, text, and audit trails, to provide comprehensive session documentation.
Customization at Different Levels: You can customize recording settings at both the system and platform level. System-level settings apply to all connections, while platform-level settings allow for granular control over specific platforms.
Security Considerations: The ability to disable password recording during SSH and Telnet sessions demonstrates a focus on security and protecting sensitive information.
Language Support Impact: Support for multiple languages on target systems affects available recording options. This limitation highlights the technical complexities involved in capturing keystrokes across different language inputs.
Performance Optimization: The dynamic adjustment of the video recording frame rate based on PSM server load emphasizes a focus on performance and ensuring smooth operation even under high-demand scenarios.
This detailed explanation clarifies the available options for PSM recording customization, the rationale behind the limitations, and the key concepts to consider when configuring recording settings. Remember to consult the official CyberArk documentation or contact CyberArk support for the most up-to-date information on PSM customization features.

15. DRAG DROP - Match the built-in Vault user with the correct definition.
Sol: DOC

16. You want to create a new onboarding rule. Where do you accomplish this?
A. In PVWA, click Reports > Unmanaged Accounts > Rules
B. In PVWA, click Options > Platform Management > Onboarding Rules
C. In PrivateArk, click Tools > Onboarding Rules
D. In PVWA, click Accounts > Onboarding Rules

17. What does the Export Vault Data (EVD) utility do?
A. exports data from the Vault to TXT or CSV files, or to MSSQL databases
B. generates a backup file that can be used as a cold backup
C. exports all passwords and imports them into another instance of CyberArk
D. keeps two active vaults in sync
Sol: The correct answer is A. exports data from the Vault to TXT or CSV files, or to MSSQL databases. Here's a comprehensive explanation based on the source materials:
The Export Vault Data (EVD) utility is a powerful tool within the CyberArk suite that serves a specific purpose: extracting data from the CyberArk Vault for analysis and reporting by external applications. The source clearly states that the EVD utility "exports data from the Vault to text or CSV files. From there, they can be imported into third-party applications or databases for analysis." This means the EVD acts as a bridge, enabling you to leverage the data stored within the CyberArk Vault for purposes beyond the immediate functionality of the CyberArk platform itself.
Let's understand why the other options are incorrect:
B. generates a backup file that can be used as a cold backup: The EVD utility is not intended for backup purposes. The sources explain that the PrivateArk Replicate Utility is the recommended method for creating Vault backups. This utility creates encrypted files that can be used for cold backups. The backup process involves creating a copy of the Vault's data and metadata, including Safes, user information, and configuration files. The backup can then be stored securely and used to restore the Vault in case of data loss or system failure.
C. exports all passwords and imports them into another instance of CyberArk: While the EVD utility can export various types of data, it is not designed to export passwords directly. The sources emphasize the importance of password security and do not describe any functionality for directly exporting passwords using the EVD.
D. keeps two active vaults in sync: The EVD utility does not play a role in synchronizing active Vaults. The sources explain that Disaster Recovery (DR) functionality, specifically the CyberArk Disaster Recovery Service, is used to replicate data between a primary and a DR Vault. This replication process ensures that the DR Vault remains up-to-date with the primary Vault, enabling a seamless failover in case of an outage or disaster.
EVD Usage and Functionality
The EVD utility is installed separately from the main CyberArk components and can be deployed on any server that has network access to the Vault. It uses a combination of configuration files to connect to the Vault and authenticate:
Vault.ini: This file contains the network address and port of the Vault server.
Cred File: This file stores the username and a hash of the password used to authenticate to the Vault. The sources emphasize the importance of hardening the cred file to protect these credentials from unauthorized access.
Once connected, the EVD utility can generate a variety of reports, including:
Files List Report
User and Safe Activities Report
Master Policy Report
System Log Report
Requests List Report
Users List Report
Groups List Report
Group Members List Report
Safes List Report
Owners List Report
The EVD utility outputs these reports as text files with values enclosed in quotation marks.
Key Concepts and Insights
Data Export for External Analysis: The EVD utility extends the value of the CyberArk Vault by enabling you to utilize its data for purposes beyond the core functionality of the platform. This could include feeding data into SIEM (Security Information and Event Management) tools, generating custom reports, or performing in-depth analysis of user activity and system events.
Importance of Secure Configuration: The emphasis on hardening the cred file highlights the criticality of protecting sensitive information, even when dealing with utilities like EVD. CyberArk's focus on security permeates all aspects of the platform, ensuring that data remains protected throughout its lifecycle.
Separation of Concerns: CyberArk's modular architecture is evident in the way different components handle specific tasks.
The EVD utility focuses solely on data export, while other components like PrivateArk Replicate handle backups, and DR functionality manages Vault synchronization. This separation of concerns enhances both security and manageability.
Complementing Built-in Reporting: While CyberArk offers built-in reporting capabilities within PVWA and PrivateArk Client, the EVD utility caters to scenarios requiring custom reporting or integration with external tools. This flexibility ensures you can tailor your reporting and analysis to meet your specific needs.
The EVD utility is a valuable addition to the CyberArk toolkit, providing a secure and flexible way to extract data from the Vault for analysis and reporting purposes. By understanding its capabilities and proper configuration, you can unlock the full potential of the data stored within your CyberArk Vault.

18. When are external vault users and groups synchronized by default?
A. They are synchronized once every 24 hours between 1 AM and 5 AM.
B. They are synchronized once every 24 hours between 7 PM and 12 AM.
C. They are synchronized every 2 hours.
D. They are not synchronized according to a specific schedule.
Sol: The default parameter value specifies that the Vault's External users and groups will be synchronized with the External Directory once in a 24-hour cycle between the hours of 1 and 5, as shown below:
AutoSyncExternalObjects=Yes,24,1,5

19. You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM. Which safe permissions must you grant to the group? (Choose two.)
A. List Accounts
B. Use Accounts
C. Access Safe without Confirmation
D. Retrieve Files
E. Confirm Request
Sol: A. List Accounts and B. Use Accounts
Explanation:
List Accounts: This permission allows users to view the list of accounts within the safe. Without this, they won't be able to select the account they need to connect to via the PSM.
Use Accounts: This permission grants users the ability to utilize the accounts in the safe for establishing connections through the PSM. It enables them to initiate a PSM connection without the need to see the account password.
Why the other options are incorrect:
C. Access Safe without Confirmation: This permission allows users to bypass dual control workflows and access accounts without requiring approval. While it provides unrestricted access, it doesn't directly relate to password visibility.
D. Retrieve Files: This permission is specifically for accessing and retrieving files stored within a safe, and not for accessing passwords.
E. Confirm Request: This permission enables users to act as approvers in dual control workflows, but it doesn't grant them access to accounts or passwords themselves.
Conclusion: By granting the "List Accounts" and "Use Accounts" permissions to the user group, you strike a balance between providing access to PSM functionality while safeguarding the confidentiality of passwords. This configuration ensures a secure and compliant environment for managing privileged access within your organization.

20. During a High Availability node switch you notice an error and the Cluster Vault Manager Utility fails back to the original node. Which log files should you check to investigate the cause of the issue? (Choose three.)
A. CyberArk Webconsole.log
B. VaultDB.log
C. PM_Error.log
D. ITALog.log
E. ClusterVault.console.log
F. logiccontainer.log
Sol: BDE
B. VaultDB.log: This file records the activities of the Vault database and might contain entries related to the node switch or errors encountered during the process.
D. ITALog.log: This file serves as the primary log file for the Vault server and is likely to contain entries related to the node switch, errors encountered, and the overall status of the Vault during the event.
E. ClusterVault.console.log: This file, although not explicitly mentioned in the sources, is a highly probable log file for the Cluster Vault Manager Utility. By analogy with other components like the Password Vault Web Access (PVWA) having a "CyberArk.WebConsole.log" file, it's reasonable to assume that the Cluster Vault Manager Utility would have a console log file to record its activities and errors.
Reasoning: A High Availability node switch involves a transfer of database operations and Vault services from one node to another. The VaultDB.log file would likely capture database-related events during this switch, providing insights into potential database-level issues. The ITALog.log file, as the main Vault server log, captures a wide range of events and errors. It's highly probable that this log would contain entries related to the node switch initiation, progress, completion, and any errors encountered during the process. The ClusterVault.console.log file, although not directly mentioned in the sources, would likely be the primary log for the Cluster Vault Manager Utility. This utility orchestrates the node switch process, and its log file would likely contain detailed information about the steps taken, commands executed, and errors encountered, making it a valuable resource for troubleshooting the failure.
Why the other options are less likely:
A. CyberArk Webconsole.log: This file pertains to the PVWA component and is less likely to contain relevant information about a node switch, which is primarily a backend process managed by the Cluster Vault Manager Utility.
C. PM_Error.log: This file specifically records errors related to the CyberArk Password Manager (CPM) component. While the CPM might be affected by a node switch, it's not directly involved in the switch process itself.
F. logiccontainer.log: This log file relates to the Logic Container component of the Vault server, which handles policy evaluations and other internal operations. While it might provide some insights into the overall Vault status during the switch, it's less likely to contain specific information about the node switch process or the Cluster Vault Manager Utility's activities.
Additional Considerations: While the sources provide valuable information about various CyberArk components and log files, they lack specifics on High Availability node switch procedures and troubleshooting. Consulting CyberArk's official documentation, knowledge base articles, or support resources would provide more detailed guidance on troubleshooting Cluster Vault Manager Utility failures and analyzing relevant log files. The information about the "ClusterVault.console.log" is an educated guess based on the naming conventions of other CyberArk log files. You should confirm its existence and location through official documentation or support channels.

21. Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)
A. OS Username
B. Current machine IP
C. Current machine hostname
D. Operating System Type (Linux/Windows/HP-UX)
E. Vault IP Address
F. Time Frame
Sol: The updated CreateCredFile utility can enforce any of the following restrictions:
Specific application – The credentials file can only be used by a specific CyberArk application or module. This can be specified for Password, Token, or PKI authentication but not for Proxy authentication. For more details about specific applications, refer to CreateCredFile Utility.
Specific path – The credentials file can only be used by an executable located in a certain path.
IP address or hostname – The credentials file can only be used on the machine where it is created.
Operating System user – The credentials file can only be used by an application started by a specified Operating System user.

22. Where can a user with the appropriate permissions generate a report? (Choose two.)
A. PVWA > Reports
B. PrivateArk Client
C. Cluster Vault Manager
D. PrivateArk Server Monitor
E. PARClient
Sol: Based on the sources you provided, a user with appropriate permissions can generate reports in the following two locations:
A. PVWA > Reports: The sources emphasize that in CyberArk version 14 and later, all reports can be generated from the PVWA by users with access to the Reports tab. This consolidation streamlines report generation, providing a centralized location for accessing various reports. For instance, users can generate a Privileged Accounts Inventory report through the PVWA. The sources also detail the process of generating a report, including filtering options, subscriber management, and the ability to download reports in different formats. Additionally, the sources highlight the importance of permissions, noting that users can only generate reports on Safes to which they have access.
B. PrivateArk Client: The sources indicate that before version 14, some reports were exclusively available in the PrivateArk Client. This client application provides tools for managing various aspects of the CyberArk environment, including users, groups, Safes, and reports. While the sources don't list all reports available within the PrivateArk Client, they do mention that reports can be accessed under the Tools menu. Furthermore, one of the sources mentions Generating PrivateArk Reports but doesn't explicitly state which specific reports can be generated. The sources also discuss using the Export Vault Data Utility to extract data from the Vault for creating custom reports using third-party tools.
Why the other options are incorrect:
C.
Cluster Vault Manager: This utility focuses on managing high availability and disaster recovery for the Vault. While the sources mention the Cluster Vault Manager Utility, they don't indicate any reporting capabilities within this tool. D. PrivateArk Server Monitor: The sources mention the PrivateArk Server but don't explicitly refer to a component called "PrivateArk Server Monitor." E. PARClient: The sources do not mention any component or utility named "PARClient." By understanding the locations and key concepts related to report generation within CyberArk, users can effectively leverage the available reporting tools to gain valuable insights into privileged account usage, compliance status, and overall system health. 23. Users are unable to launch Web Type Connection components from the PSM server. Your manager asked you to open the case with CyberArk Support. Which logs will be most useful for the CyberArk Support Team to debug the issue? (Choose three.) A. PSMConsole.log B. PSMDebug.log C. PSMTrace.log D..Component.log E. PMconsole.log F. ITALog.log Sol: When users are unable to launch Web Type Connection components from the PSM server, the following three logs are the most useful to provide to CyberArk Support for debugging: A. PSMConsole.log: This log file contains informational messages and errors that refer to PSM function. Since the issue relates to PSM functionality, this log will likely contain valuable clues about the problem. C. PSMTrace.log: This log file provides detailed entries of workflows related to the PSM component. It can reveal step-by-step actions taken by the PSM during the connection attempt, helping pinpoint the exact stage where the failure occurs. D..Component.log: This log provides errors and trace messages specifically related to the connection client used for the Web Type component. Analyzing this log can help identify if the issue stems from the connection client itself or from interactions between the client and the PSM server. 
Why the other options are less relevant: B. PSMDebug.log: While a “PSMDebug.log” might seem relevant, the sources do not explicitly mention a log file with this exact name. The closest reference is to the generic concept of "Debug Logs," which provide detailed debugging information. However, without specific confirmation from CyberArk documentation or support, assuming the existence of "PSMDebug.log" might be misleading. E. PMconsole.log: This log pertains to the Password Manager component (CPM), not the Privileged Session Manager (PSM). Since the issue is with launching Web Type components from the PSM, the CPM logs are less likely to contain directly relevant information. F. ITALog.log: This log file is the primary log for the Vault server itself. While Vault issues could indirectly impact PSM functionality, it's more efficient to focus on PSM-specific logs first. If initial analysis of the PSM logs suggests a potential Vault-related problem, then ITALog.log might become relevant. 24. You have been asked to identify the up or down status of Vault Services. Which CyberArk utility can you use to accomplish this task? A. PrivateArk Central Administration Console B. PAS Reporter C. PrivateArk Remote Control Agent D. Syslog Sol: The CyberArk utility that can be used to identify the up or down status of Vault Services is the C. PrivateArk Remote Control Agent. This agent, installed as part of the Vault on both the primary and DR servers, runs as a Windows service and allows administrators to perform several remote tasks on Vault components. One of these tasks is retrieving machine statistics such as memory and processor usage. To check the status of Vault Services, an administrator can use the Remote Control Agent to see if these statistics are being reported. If they are, then the Vault Services are up and running. If not, then the Vault Services are likely down. 
The PrivateArk Central Administration Console is used to view the ITALog.log file and to stop and restart the Vault. PAS Reporter is not a utility referenced in the sources. Syslog is a protocol used to send Vault health statistics to SIEM applications, which can be used to monitor the Vault. By understanding how to use the various CyberArk components and utilities, administrators can effectively monitor the Vault's status and troubleshoot any potential issues that arise. 25. A new colleague created a directory mapping between the Active Directory groups and the Vault. Where can the newly Configured directory mapping be tested? A. Connect to the Active Directory and ensure the organizational unit exists. B. Connect to Sailpoint (or similar tool) to ensure the organizational unit is correctly named; log in to the PVWA with "Administrator" and confirm authentication succeeds. C. Search for members that exist only in the mapping group to grant them safe permissions through the PVWA. D. Connect to the PrivateArk Client with the Administrator Account to see if there is a user in the Vault Admin Group. Sol: The best way to test the newly configured directory mapping is to C. Search for members that exist only in the mapping group to grant them safe permissions through the PVWA. When a new directory mapping is created, it links an LDAP group with a CyberArk group. Users are provisioned in the Vault the first time they authenticate through LDAP. Their roles and attributes within the Vault are determined by the directory mapping. So, searching for a member that only exists within the newly mapped LDAP group ensures that their provisioning and access are solely determined by the new mapping. If the user is successfully provisioned and can be granted appropriate permissions through the PVWA, it confirms the directory mapping is working as intended. Let's examine why the other options are not the most effective for testing directory mapping: A. 
Connect to the Active Directory and ensure the organizational unit exists. While verifying the existence of the organizational unit (OU) in Active Directory is a necessary prerequisite for directory mapping, it doesn't confirm whether the mapping itself is functional. The mapping relies on group membership within Active Directory, not just the existence of the OU. B. Connect to Sailpoint (or similar tool) to ensure the organizational unit is correctly named; log in to the PVWA with "Administrator" and confirm authentication succeeds. Sailpoint is a third-party identity governance and administration (IGA) tool. While it might interact with Active Directory, it's not directly involved in CyberArk directory mapping. The sources do not mention Sailpoint or any other third-party IGA tools. Logging in to the PVWA with the "Administrator" account doesn't test the new directory mapping because the "Administrator" is a built-in CyberArk user, not a user provisioned through LDAP. D. Connect to the PrivateArk Client with the Administrator Account to see if there is a user in the Vault Admin Group. Similar to option B, connecting with the "Administrator" account doesn't test the new mapping. Also, while you can manage users and groups via the PrivateArk Client, it's generally recommended to manage users with an external LDAP directory such as Active Directory. The focus of testing should be on the LDAP integration and directory mapping. Important Considerations from the Sources: Transparent User Provisioning: CyberArk uses a concept called "transparent users" for users provisioned via LDAP. These users are automatically created in the Vault upon their first LDAP authentication. This automatic provisioning is a key aspect of directory mapping. Vault Authorization and Safe Authorization: The sources distinguish between Vault authorizations and Safe authorizations. 
Vault authorizations govern actions within the Vault itself, while Safe authorizations control access to specific Safes. Directory mapping can influence both types of authorizations. LDAP Synchronization: CyberArk performs LDAP synchronization to keep Vault users and groups aligned with the external directory. This synchronization process ensures that changes in group memberships in Active Directory are reflected in the Vault, affecting the users provisioned and their associated permissions. 26. A user needs to view recorded sessions through the PVWA. Without giving auditor access, which safes does a user need access to view PSM recordings? (Choose two.) A. Recordings safe B. Safe the account is in C. System safe D. PVWAConfiguration safe E. VaultInternal safe Sol: To view recorded sessions through the PVWA without being given auditor access, a user needs access to the following two safes: A. Recordings safe: PSM recordings are stored in a dedicated Recordings safe. This safe is created automatically by the PSM when it uploads the first recording to the Vault. By default, it is named "PSMRecordings", although custom recording safes can be defined at the platform level. Therefore, access to the Recordings safe is essential for viewing PSM recordings. B. Safe the account is in: To view recordings of sessions initiated with a specific account, the user needs access to the Safe where that account is stored. This is because access to recordings can be granted through permissions on both Account Safes and Recording Safes. Specifically, the user needs "List accounts/files" permission on the Account Safe to access recordings from the Account Details page. Let's understand why the other options are not required: C. System safe: The System safe is used to store CyberArk configuration files and logs, not PSM recordings. While it is possible to access the System safe from remote stations using the PrivateArk Client, this does not provide access to PSM recordings. D. 
PVWAConfiguration safe: The PVWAConfiguration safe contains the configuration settings for the PVWA. This safe does not contain PSM recordings, and access to it is not required to view recordings. E. VaultInternal safe: The VaultInternal safe contains configuration data for CyberArk LDAP integration. It is not related to PSM recordings, and access to it is not necessary for viewing recordings. Key Points from the Sources and Conversation History: PSM Recording Storage: PSM recordings are stored in designated Recording Safes within the Vault. This ensures secure storage and controlled access to sensitive session data. Permissions for Viewing Recordings: Users need specific permissions on both Account Safes and Recording Safes to view PSM recordings. This emphasizes the principle of least privilege, ensuring users only have access to the information necessary for their roles. Auditors Group: By default, members of the Auditors group have automatic access to all Recording Safes. However, you are specifically seeking a solution without granting auditor access, highlighting the need for alternative access methods based on safe permissions. Therefore, to view PSM recordings without auditor access, a user needs to be granted permissions on both the relevant Recordings safe and the Safe where the account used to initiate the session is stored. This approach provides a balance between security and usability, enabling users to view necessary recordings without granting excessive privileges. 27. Which file must be edited on the Vault to configure it to send data to PTA? A. dbparm.ini B. PARAgent.ini C. my.ini D. padr.ini Sol: The system logger of the Vault must be configured to send logging data to the PTA machine for real-time data analysis. To Configure syslog on the Vault Machine. The syslog parameters are available in the dbparm.sample.ini file. Copy the parameters to the dbparm.ini configuration file. 28. 
You want to build a connector that connects to a website through the Web applications for PSM framework. Which default connector do you duplicate and modify? A. PSM-ChromeSample B. PSM-WebForm C. PSM-WebApp D. PSM-WebAppSample Sol: To build a connector that connects to a website through the Web Applications for PSM framework, you should duplicate and modify the D. PSM-WebAppSample connector. Here's a breakdown of the connection components and their supported audit types: PSM-WinSCP: This connection component supports Windows Events Text Recorder, Keystrokes Text Recorder, Windows Events Audit, and Keystrokes Audit. PSM-WebFormSample: This component supports Windows Events Text Recorder, Keystrokes Text Recorder, Windows Events Audit, and Keystrokes Audit. PSM-WebAppSample: This component supports Windows Events Text Recorder, Keystrokes Text Recorder, Windows Events Audit, and Keystrokes Audit. PSM-VSPHERE-Web and PSM-VSPHERE: These components support Windows Events Text Recorder, Keystrokes Text Recorder, Windows Events Audit, and Keystrokes Audit. PSM-VNCClientSample-AutoDeployed and PSM-VNCClientSample: These components support Windows Events Text Recorder, Keystrokes Text Recorder, Windows Events Audit, and Keystrokes Audit. While the sources do not explicitly explain the functionalities of each sample connector, based on the naming convention and the context of your query, the PSM-WebAppSample seems to be the most appropriate starting point for building a connector for web applications. Additional Considerations (not from the sources): Universal Connector: It is worth exploring the Universal Connector framework mentioned in source. It is designed to simplify the creation of custom connection components using AutoIT, a freeware programming language. This might provide a more flexible and robust approach to building your connector. CyberArk Marketplace: Consider checking the CyberArk Marketplace for pre-built connectors that might already meet your requirements. 
This could save significant development time and effort. Remember to thoroughly test your custom connector to ensure it functions correctly and securely within the PSM framework. Ω 28. DRAG DROP - A new HTML5 Gateway has been deployed in your organization. From the PVWA, arrange the steps to configure a PSM host to use the HTML5 Gateway in the correct sequence. sol: Administration > Options Privileged Session Management Configured PSM Servers and select existing PSM host Connection Details Add PSM gateway 29. When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change? A. Set the parameter RCAllowManualReconciliation to Yes. B. Set the parameter ChangePasswordinResetMade to Yes. C. Set the parameter IgnoreReconcileOnMissingAccount to No. D. Set the UnlockUserOnReconcile to Yes. sol: The answer is B. Set the parameter ChangePasswordinResetMade to Yes. The sources describe how to configure a reconcile account for situations where an account cannot change its own password. When this parameter is set to "Yes", the reconcile account will be used to reset the password each time, instead of attempting a password change. Let's examine why the other options are incorrect: A. Set the parameter RCAllowManualReconciliation to Yes. This parameter enables manual reconciliation, but does not specifically address the use of the reconcile account for password resets. C. Set the parameter IgnoreReconcileOnMissingAccount to No. This parameter determines whether reconciliation should be attempted even if the account is missing, but doesn't dictate whether a change or reset is performed. D. Set the UnlockUserOnReconcile to Yes. This option is not mentioned in the sources. 30. In a default CyberArk installation, which group must a user be a member of to view the "reports" page in PVWA? A. PVWAMonitor B. ReportUsers C. PVWAReports D. Operators sol: The answer is A. PVWAMonitor. 
By default, users must be a member of the PVWAMonitor group to view and generate reports in PVWA. The ManageReportsGroup parameter in the PVWA determines which group has this permission, and it defaults to the PVWAMonitor group. Vault Administrators are usually members of this group. You can find the ManageReportsGroup parameter under Administration → Options → Reports. To protect or unprotect reports, you must also be a member of the PVWAMonitor group. This action also requires Retrieve files/accounts permissions to protect reports and Unlock files/accounts permissions to unprotect reports in the Safe where the reports are stored. The default Safe for reports is PVWAReports. 31. Your organization requires all passwords be rotated every 90 days.Where can you set this requirement? A Master Policy B Safe Templates C PVWAConfig.xml D Platform Configuration 32. According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.) A network instabilities/outages B vault license expiry C credential de-sync D browser compatibility issues E installed location file corruption sol: The two issues that most commonly cause installed components to display as disconnected in the CyberArk System Health Dashboard are: A. Network instabilities/outages: Network issues can prevent components from communicating with the Vault, leading to a disconnected status. The source states, "Components will continue to communicate to whichever Vault they are connected to until they lose connection with it." If a component loses its network connection to the Vault due to network instability or an outage, it will appear as disconnected in the System Health Dashboard. C. Credential de-sync: When the password stored in the Vault for a component user no longer matches the password stored in the component's credential file, it is referred to as credential de-sync. 
This situation prevents the component from authenticating to the Vault, causing it to display as disconnected. Let's look at why the other options are less likely to be the primary causes of disconnections: B. Vault license expiry: While an expired Vault license can cause major disruptions, it would typically prevent the Vault from starting up altogether rather than just causing components to disconnect. The source mentions that an expired Vault license will prevent the DR Vault from starting up. This suggests that an expired license on the primary Vault would likely have a similar effect, preventing it from running at all. D. Browser compatibility issues: Browser compatibility issues primarily affect the user interface of the PVWA and wouldn't directly cause other components to disconnect. The sources do not provide specific information about the System Health Dashboard displaying components as disconnected due to browser compatibility issues. E. Installed location file corruption: File corruption in the installed location of a component could potentially cause issues, but it's a less common cause of disconnections compared to network problems or credential mismatches. The sources do not directly mention file corruption in the installed location as a reason for components to disconnect. 33. Where can reconcile and/or logon accounts be linked to an account? (Choose two.) A account settings B platform settings C master policy D safe settings E service account settings sol: Reconcile and logon accounts can be linked to an account in these two locations: A. account settings: The sources provide several examples of linking logon and reconcile accounts within the account settings. For instance, to associate a logon account with a root account, you would navigate to the Account Details of the root account and link the desired logon account. 
Similarly, when configuring a reconcile account, you would specify its details in the relevant fields within the account settings of the account that requires reconciliation. B. platform settings: While not directly linking the accounts, platform settings play a crucial role in determining the availability and behavior of reconcile and logon account functionalities. The parameter 'AllowedSafes' in the platform settings restricts the use of a particular platform to accounts stored within specific Safes. This setting is particularly important for logon accounts, as demonstrated by the example where the platform 'Lin Logon 30' is restricted to accounts stored in Safes containing the string '-LIN-S-LOGON'. This indirect linking through Safe restrictions ensures that logon accounts are only used with the appropriate target accounts. Let's look at why the other options are not correct: C. master policy: The master policy establishes global settings and guidelines for password management and access control. While it can influence whether reconcile and logon account functionalities are enabled or disabled, it does not directly involve the linking of these accounts to specific accounts. D. safe settings: Safe settings primarily focus on access control and permissions for users and groups, not on the linking of reconcile or logon accounts. E. service account settings: Service account settings pertain to accounts used by applications or services and are not directly related to the linking of reconcile or logon accounts. Doc 34. You are running a "Privileged Accounts Inventory" Report through the Reports page in PVWA on a specific safe. To show complete account inventory information, which permission/s are needed on that safe? A List Accounts, View Safe Members B Manage Safe Owners C List Accounts, Access Safe without confirmation D Manage Safe, View Audit sol: The answer is A. List Accounts, View Safe Members. 
To generate a "Privileged Accounts Inventory" report for a specific Safe, the user needs the "List Accounts" and "View Safe Members" permissions on that Safe. This report provides a comprehensive list of all accounts within the specified Safe. The "List Accounts" permission allows the user to see the accounts, while the "View Safe Members" permission enables them to view the Safe's membership details, which are included in the report. The other options are not required to run this report: B. Manage Safe Owners: This permission grants control over Safe ownership but is not necessary for generating the "Privileged Accounts Inventory" report. C. List Accounts, Access Safe without confirmation: "Access Safe without confirmation" allows users to bypass the dual control mechanism for accessing accounts within the Safe, but it is not needed to view the account inventory information. D. Manage Safe, View Audit: The "Manage Safe" permission allows modification of Safe properties, and the "View Audit" permission grants access to the Safe's audit log. Neither of these permissions is required to generate the "Privileged Accounts Inventory" report. 35. Which dependent accounts does the CPM support out-of-the-box? (Choose three.) A Solaris Configuration file B Windows Services C Windows Scheduled Tasks D Windows DCOM Applications E Windows Registry F Key Tab file sol: The CPM supports these three dependent accounts out of the box: B. Windows Services: The sources mention Windows Services as a dependent account type that the CPM can manage. They explain that when a Windows user account is also used as a service account, it becomes a usage that needs to be managed by the CPM. This means that when the CPM changes the password for the main user account, it also synchronizes the password for the associated service account. C. Windows Scheduled Tasks: Windows Scheduled Tasks are another type of dependent account that the CPM supports out of the box. 
The sources use the example of a scheduled task that sends emails. When the scheduled task uses a specific Windows user account, the CPM needs to manage the password for that usage as well. E. Windows Registry: While not explicitly mentioned as "out of the box", the sources list "Windows Registry" as a non-discoverable dependent account type. This implies that the CPM supports managing Windows Registry entries that store credentials, but they need to be added manually. This section includes out-of-the-box plugins for service accounts. In this section: Windows Services Windows Scheduled Tasks Windows IIS Application Pools Windows IIS Directory Security (Anonymous Access) COM+ Applications Configuration files Accounts stored in databases Private SSH Key Windows Registry 36. A password compliance audit found: 1. One-time password access of 20 domain accounts that are members of Domain Admins group in Active Directory are not being enforced. 2. All the sessions of connecting to domain controllers are not being recorded by CyberArk PSM. What should you do to address these findings? A Edit the Master Policy and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". B Edit safe properties and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". C Edit CPM Settings and add two policy exceptions: enable "Enforce one- time password access", enable "Record and save session activity". D Contact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable "Enforce one-time password access", enable "Record and save session activity". sol: The correct answer is A. Edit the Master Policy and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". 
Let's break down why:
One-time password access: The sources explain that one-time passwords (OTPs) are enabled in the Master Policy. By adding an exception to the Master Policy and enabling "Enforce one-time password access" for the platform used to manage those 20 domain accounts, you ensure that the password is changed after each use. This prevents a compromised password from being reused.
Recording sessions: The sources state that the Privileged Session Manager (PSM) can be activated by exceptions to the "Require privileged session monitoring and isolation" setting in the Master Policy. To address the finding that sessions connecting to domain controllers are not recorded, you need to enable "Record and save session activity" specifically for the platform used to connect to domain controllers, again through an exception in the Master Policy. Enabling session recording for connections to domain controllers is crucial for maintaining an audit trail of sensitive activities and for meeting compliance requirements.
Why the other options are incorrect:
B. Edit safe properties and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". While Safes play a vital role in access control and in organizing accounts, they do not manage OTP enforcement or session recording policies. These settings are controlled at the platform level and through exceptions in the Master Policy.
C. Edit CPM Settings and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". The CPM (Central Policy Manager) is responsible for automated password management, but the settings for OTP enforcement and session recording are not managed within the CPM settings. They are controlled through the Master Policy and platform configurations.
D. Contact the Windows Administrators and request them to add two policy exceptions at Active Directory level: enable "Enforce one-time password access", enable "Record and save session activity". OTP enforcement and session recording are CyberArk functionalities handled by the CyberArk components (Master Policy, platforms and PSM) and are not controlled by Active Directory settings. Active Directory manages password policies such as complexity requirements, minimum password age and lockout thresholds, but not features like OTPs or session recording.

37. If PTA is integrated with a supported SIEM solution, which detection becomes available?
A. unmanaged privileged account
B. privileged access to the Vault during irregular days
C. riskySPN
D. exposed credentials
sol: # What Detections Does PTA Report?

38. Which change could CyberArk make to the REST API that could cause existing scripts to fail?
A. adding optional parameters in the request
B. adding additional REST methods
C. removing parameters
D. returning additional values in the response

39. You created a new platform by duplicating the out-of-box Linux through the SSH platform. Without any change, which Text Recorder Type(s) will the new platform support? (Choose two.)
A. SSH Text Recorder
B. Universal Keystrokes Text Recorder
C. Events Text Recorder
D. SQL Text Recorder
E. Telnet Commands Text Recorder
sol: The two Text Recorder Types that a new platform based on the out-of-the-box Linux through the SSH platform would support are:
A. SSH Text Recorder: This is the primary text recorder for SSH connections. The sources indicate that when you duplicate a platform, the new platform inherits the settings of the original platform. As the out-of-the-box Linux through the SSH platform is configured to record SSH sessions, the duplicated platform will also support the SSH Text Recorder. The SSH Text Recorder captures all keystrokes typed during the session, and the recording can be viewed as a text file or as a video.
B. Universal Keystrokes Text Recorder: This recorder captures all keystrokes typed during a session, regardless of the connection type. While the sources state that Universal Keystrokes Text Recording for RDP connections is only possible in single-language-support environments, they do not mention such a limitation for SSH connections. Therefore it is likely that the duplicated Linux SSH platform also supports the Universal Keystrokes Text Recorder by default. You may want to verify this assumption in the platform configuration.
The other options are not supported by a standard Linux SSH platform:
C. Events Text Recorder: This type of recorder is typically associated with Windows connections, capturing Windows events and the window titles accessed during a session. It is not relevant to a Linux SSH platform.
D. SQL Text Recorder: This recorder is specifically for SQL connections, capturing the SQL commands executed during a session. It is not applicable to a Linux SSH platform, which uses SSH for remote access, not SQL for database operations.
E. Telnet Commands Text Recorder: While the sources do mention Telnet connections, no specific "Telnet Commands Text Recorder" is mentioned. The SSH Text Recorder likely handles both SSH and Telnet text recordings, as both involve command-line interactions.

40. You are creating a Dual Control workflow for a team's safe. Which safe permissions must you grant to the Approvers group?
A. List accounts, Authorize account request
B. Retrieve accounts, Access Safe without confirmation
C. Retrieve accounts, Authorize account request
D. List accounts, Unlock accounts
sol: The correct answer is A, List accounts, Authorize account request. Here's a detailed explanation:
Dual Control workflow: The sources describe Dual Control as a workflow in CyberArk that requires users to obtain authorization before accessing privileged accounts. This process involves:
Requesters: Users who need to use the privileged accounts. They typically have "Use Accounts" (and/or "Retrieve Accounts") and "List Accounts" permissions on the Safe.
Approvers: Users responsible for approving or rejecting requests for access. They usually do not need to use the accounts themselves.
Essential Approver permissions: The sources explicitly state that Approvers in a Dual Control workflow require two key Safe permissions:
List Accounts: This permission allows approvers to see the list of accounts within the Safe. Without it, they could not identify which accounts are being requested or make informed decisions.
Authorize account request: This permission enables approvers to review incoming requests from requesters and either grant or deny access to the requested privileged account.
Why the other options are incorrect:
B. Retrieve accounts, Access Safe without confirmation: "Retrieve Accounts" allows users to view the actual passwords of the accounts, which is not generally necessary for approvers. Additionally, "Access Safe without confirmation" would defeat the purpose of Dual Control, as it grants unrestricted access to the Safe and bypasses the approval process.
C. Retrieve accounts, Authorize account request: While "Authorize account request" is correct, "Retrieve accounts", as explained above, is not necessary for approvers and could pose a security risk.
D. List accounts, Unlock accounts: "Unlock Accounts" allows users to unlock accounts that have been locked due to failed login attempts or other reasons. This is an account management function that is not directly related to the approver's role in a Dual Control workflow.

41. In addition to Add accounts and Update account contents, which additional permission on the safe is required to add a single account?
A. Upload Accounts Properties
B. Rename Accounts
C. Update Account Properties
D. Manage Safe
sol: To add a single account to a safe, in addition to the "Add accounts" and "Update account contents" permissions, you also need C, the Update Account Properties permission. Here's why:
Adding an account: This process involves specifying various properties of the account, such as the address, username, password and platform. These properties are crucial for CyberArk to manage the account effectively, including rotating its password, verifying its credentials and facilitating secure access through the PSM.
Account properties: The sources mention several specific account properties:
Address: The network address of the target machine where the account is located.
Username: The login name of the privileged account on the target machine.
Password: The sensitive credential that allows authentication to the privileged account. In many cases the initial password provided during account creation is temporary, and CyberArk will automatically change it according to the defined security policies.
Platform: Defines the type of account (e.g., Windows domain account, Linux SSH account, Oracle database account) and its associated technical settings for password management and connection protocols. The platform determines how CyberArk handles the account's lifecycle and security.
Safe: The secure storage location within CyberArk where the account is housed. Safes provide an additional layer of access control, ensuring that only authorized users can view or use the accounts they contain.
"Update Account Properties" permission: This permission is essential for modifying the properties of an existing account. When adding a single account, you need to define these properties, so it is logical to conclude that you also need the permission to update them.

42. You want to give a newly created group rights to review security events under the Security pane. You also want to be able to update the status of these events. Where must you update the group to allow this?
A. in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA
B. in the PTAAuthorizationGroups parameter, found in Administration > Options > General
C. in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options
D. in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General
sol: Activity Permissions Review: Users in the Vault Admins, Security Admins and Security Events Operators groups can view information about security events and update the status of the events. You can update the groups in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General.

43. What is required to manage loosely connected devices?
A. PSM for SSH
B. EPM
C. PSM
D. PTA

44. Your organization has a requirement to allow only one user to "check out passwords" and connect through the PSM securely. What needs to be configured in the Master Policy to ensure this will happen?
A. Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active
B. Enforce check-in/check-out exclusive access = inactive; Require privileged session monitoring and isolation = inactive
C. Enforce check-in/check-out exclusive access = inactive; Record and save session activity = active
D. Enforce check-in/check-out exclusive access = active; Record and save session activity = inactive

45. When should vault keys be rotated?
A. when they are copied to file systems outside the vault
B. annually
C. whenever a CyberArk user leaves the organization
D. when migrating to a new data center

46. Where can PTA be configured to send alerts? (Choose two.)
A. SIEM
B. Email
C. Google Analytics
D. EVD
E. PAReplicate
sol: The two destinations where PTA can be configured to send alerts are A, SIEM, and B, Email. The sources provide extensive details about how CyberArk's PTA integrates with SIEM systems and uses email for notifications.
SIEM integration:
PSM log forwarding: The sources explain that the Privileged Session Manager (PSM) forwards logs to both SIEM systems and the PTA. This supports real-time monitoring and analysis of privileged sessions for suspicious activities.
Real-time audit data: The PSM transmits session audit data to the Vault, which then forwards this information in real time to SIEM systems and/or the PTA for activity risk analysis. This real-time data flow enables swift detection of and response to potential threats.
Vault health monitoring: The Vault itself can send health statistics to SIEM applications via the syslog protocol. This allows security teams to monitor the performance and stability of the Vault and detect any anomalies that might indicate an issue.
PTA as a SIEM data source: The sources depict PTA as a component that collects and analyzes data from various critical external components, including SIEM solutions. This highlights the bidirectional relationship between PTA and SIEM: PTA uses SIEM data for analysis while also serving as a source of security event data for the SIEM.
Email notifications:
Dual Control approvals: In Dual Control workflows, the requester receives email notifications upon approval or rejection of their access requests. This ensures timely communication and facilitates the access control process.
PVWA report notifications: The sources mention that users can subscribe to receive email notifications when scheduled PVWA reports are generated. These notifications include a link to the report, enabling convenient access to the report data.
Component monitoring alerts: The Vault can be configured to send email notifications if specific CyberArk components become inactive. This proactive monitoring helps to ensure the availability and proper functioning of critical CyberArk components.
Backup and DR monitoring: The sources describe how to configure email notifications for failed Backup and DR replications. This functionality provides crucial alerts to ensure the integrity and recoverability of the CyberArk system.
Why the other options are incorrect:
C. Google Analytics: Google Analytics is a web analytics service focused on website traffic and user behavior. It is not used for security alerts and is not related to CyberArk's functionality.
D. EVD: The sources do not mention EVD as a destination for PTA alerts. EVD might be an internal CyberArk component or a term not covered in the provided documentation.
E. PAReplicate: PAReplicate is the utility used for replicating data between CyberArk Vaults for disaster recovery purposes. It is not associated with sending alerts.
doc

47. In your organization the "click to connect" button is not active by default. How can this feature be activated?
A. Policies > Master Policy > Allow EPV transparent connections > Inactive
B. Policies > Master Policy > Session Management > Require privileged session monitoring and isolation > Add Exception
C. Policies > Master Policy > Allow EPV transparent connections > Active
D. Policies > Master Policy > Password Management

48. What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)
A. Address
B. Safe
C. Account Description
D. Platform
E. CPM
sol: doc

49. DRAG DROP - Match each permission to where it can be found.
sol:
Add Accounts -> Safe
Initiate CPM account management operations -> Safe
Add/Update Users -> Vault
Add Safes -> Vault

50. Which accounts can be selected for use in the Windows discovery process? (Choose two.)
A. an account stored in the Vault
B. an account specified by the user
C. the Vault Administrator
D. any user with Auditor membership
E. the PasswordManager user
sol: The two accounts that can be selected for use in the Windows discovery process are A, an account stored in the Vault, and B, an account specified by the user. The sources provide specific instructions on how to configure and run a Windows discovery process, highlighting the role of a designated account in this process.
Account requirements: The sources explicitly state that the account used for Windows discovery:
must be a domain account;
must have read permissions on Active Directory;
must have local administrative rights on the discovered Windows servers and workstations.
Account selection: The sources describe the process of initiating a new Windows discovery, which includes selecting the account responsible for conducting the scan. During this process, users can:
Use the "Click to select an account from the Vault" option, indicating that the discovery process can use an existing account stored within the CyberArk Vault. The sources use the example of the cpm-scan account for this purpose; this account was created earlier in the source and stored in the CyberArk-Service-Accounts Safe, demonstrating the use of a Vault-stored account for discovery.
Create a new account specifically for running account discovery scans. In this case the user specifies the account details, including username and password. This gives the user the flexibility to choose an account that meets the necessary requirements, whether it is an existing account or a newly created one.
Why the other options are incorrect:
C. the Vault Administrator: While the Vault Administrator has extensive privileges within the CyberArk system, the sources do not mandate using the Vault Administrator account for Windows discovery. The emphasis is on using a domain account with the appropriate permissions, which could be a dedicated account rather than the Vault Administrator account.
D. any user with Auditor membership: Auditors primarily focus on monitoring and reviewing security events and activities within the CyberArk environment. They typically do not have the administrative privileges required to perform discovery scans, which involve accessing Active Directory and target servers.
E. the PasswordManager user: The sources do not mention a "PasswordManager user." It is possible that this refers to a component or user role not covered in the provided documentation.

51. You are concerned about Windows Domain password changes occurring during business hours. Which settings must be updated to ensure passwords are only rotated outside of business hours?
A. In the platform policy - Automatic Password Management > Password Change > ToHour & FromHour
B. in the Master Policy Account Change Window > ToHour & FromHour
C. Administration Settings - CPM Settings > ToHour & FromHour
D. On each individual account - Edit > Advanced > ToHour & FromHour
sol: To ensure that Windows Domain password changes occur exclusively outside of business hours, you need to modify the ToHour and FromHour settings within the platform policy. The correct answer is A, In the platform policy - Automatic Password Management > Password Change > ToHour & FromHour.
Platform policies: Platforms in CyberArk are used to define password and SSH key management policies for specific device types and accounts. Within a Platform policy you can configure password complexity rules, rotation schedules and other settings related to account management. The sources explain that you can create Platform policies for different operating systems and environments, allowing you to tailor your security controls to the specific requirements of each platform.
Automatic Password Management: Within a Platform, the Automatic Password Management section focuses on automated tasks related to password management, including password changing, verification and reconciliation. This section provides granular control over how CyberArk manages passwords, ensuring compliance with security policies and operational requirements.
Password Change settings: The Password Change settings within the Automatic Password Management section define the parameters for automatic password rotation. These include PerformPeriodicChange, which enables or disables periodic password changes on a defined schedule, and ImmediateInterval, which controls the frequency of immediate password changes after certain events. These settings give organizations flexibility in defining their password rotation strategies.
ToHour & FromHour: The sources highlight the importance of the ToHour and FromHour parameters in scheduling automated tasks within the CyberArk environment. While not explicitly mentioned in the context of password changes, the principles outlined in the sources suggest that these parameters are available within the Password Change settings of a Platform policy. They allow administrators to define a time window during which password changes are permitted, and so to restrict password rotations to outside of business hours. Therefore, to prevent password changes from disrupting operations during business hours, you would modify the ToHour and FromHour parameters within the Password Change settings of the relevant Windows Domain Platform policy, specifying a window outside of business hours for password rotations. For example, you might set FromHour to 18 (6 PM) and ToHour to 6 (6 AM), so that password changes occur overnight.
Let's examine why the other options are incorrect:
B. in the Master Policy Account Change Window > ToHour & FromHour: The Master Policy serves as a global configuration template for various CyberArk features, including password management. However, the sources do not mention an "Account Change Window" within the Master Policy. It is possible that this setting exists but is not covered in the provided documentation. The sources focus on configuring password change schedules and restrictions within individual Platform policies, implying that this level of granularity is managed at the Platform level.
C. Administration Settings - CPM Settings > ToHour & FromHour: While CPM Settings within Administration Settings encompass various configuration options for the CyberArk Central Policy Manager (CPM), the sources do not mention ToHour and FromHour parameters in this context. The sources associate time-based scheduling parameters with individual Platform policies, suggesting that this level of control is delegated to the Platform level rather than a global CPM setting.
D. On each individual account - Edit > Advanced > ToHour & FromHour: While it might be technically feasible to define a password change window on individual accounts, the sources highlight that CyberArk emphasizes managing password policies at the Platform level. This centralized approach streamlines administration and ensures consistency across similar accounts. The sources emphasize using Platform policies for defining password rotation schedules, indicating that this is the preferred method for managing password changes.

52. The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys. How are these keys managed?
A. CyberArk stores Private keys in the Vault and updates Public keys on target systems.
B. CyberArk stores Public keys in the Vault and updates Private keys on target systems.
C. CyberArk does not store Public or Private keys and instead uses a reconcile account to create keys on demand.
D. CyberArk stores both Private and Public keys and can update target systems with either key.

53. The Active Directory user configured for Windows Discovery needs which permission(s) or membership?
A. Member of Domain Admin Group
B. Member of LDAP Admin Group
C. Read and Write Permissions
D. Read Only Permissions
sol: The Active Directory user configured for Windows Discovery needs Read Only Permissions (D) and does not need to be a member of the Domain Admin or LDAP Admin groups. The sources specify that the account used for Windows Discovery must have Read permissions on Active Directory, which enables the account to read the necessary information from Active Directory during the discovery process. The account also needs local administrative rights on the discovered Windows servers and workstations to successfully scan for accounts and privileged credentials. It is important to note that the sources emphasize the principle of least privilege when assigning permissions. Therefore, while a Domain Admin or LDAP Admin account would technically possess the permissions needed for Windows Discovery, using such accounts is not recommended. Granting only the required Read permissions to a dedicated account minimizes the potential impact of a compromise and aligns with security best practices.

54. Which command generates a full backup of the Vault?
A. PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup
B. PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full
C. PARestore.exe PADR ini /LogonFromFile vault.ini /FullBackup
D. CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1
sol: The command that generates a full backup of the Vault is A, PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup. The source lists this command as an example of how to perform a backup using PAReplicate.exe. The backup is initiated from the command line and uses parameters to specify the vault.ini file for configuration, the user.ini file for authentication, and the /FullBackup switch to indicate a full backup.
Let's examine why the other options are incorrect:
B. PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full: The sources do not mention a PAPreBackup.exe executable. The command syntax also deviates from the conventions established in the sources, making this option unlikely.
C. PARestore.exe PADR ini /LogonFromFile vault.ini /FullBackup: While PARestore.exe is used for restoring Vault data, it is not the command for generating a backup. The command syntax also includes PADR ini, which is not a standard file name mentioned in the sources.
D. CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1: The sources do not reference CAVaultManager.exe or the /BackupPoolName parameter. While RecoverBackupFiles might suggest a backup-related function, the lack of supporting information in the sources renders this option inconclusive.
Key concepts: The process of generating a full Vault backup involves the following:
Replicate utility: CyberArk provides a dedicated utility, PAReplicate.exe, for backing up and restoring Vault data. This utility enables organizations to create copies of their sensitive information, protecting it against data loss or system failures.
Configuration files (vault.ini): CyberArk components, including the Replicate utility, rely on configuration files to define their operational parameters. The vault.ini file contains essential information such as the Vault server address, port number and other settings.
Credential files (user.ini): CyberArk uses credential files to store authentication details for users and components. These files typically contain a username and a hash of the password, ensuring secure access to Vault resources. The credential file for backup operations is named user.ini in this context.
Full Backup switch (/FullBackup): Command-line switches modify the behavior of executable files. The /FullBackup switch instructs the Replicate utility to generate a complete backup of all Vault data, including Safes, accounts, policies and other essential information.
Backup strategies: The sources recommend an indirect backup approach using the Replicate utility, as opposed to a direct backup approach involving third-party backup software installed directly on the Vault server. The indirect method enhances security by isolating the backup process from the Vault server itself.
Direct backup (not recommended):
Involves installing third-party backup software directly on the Vault server.
Introduces an external application to the Vault, potentially compromising security.
Indirect backup (recommended):
Employs the Replicate utility installed on a separate server.
The Replicate utility pulls Vault data as encrypted files to the backup server.
Enterprise backup software then backs up these files.
In conclusion, generating a full backup of the Vault involves running the PAReplicate.exe utility with the appropriate configuration, credential and command-line switch parameters. The indirect backup approach enhances security by separating the backup process from the Vault server itself.

55. You have been asked to create an account group and assign three accounts which belong to a cluster. When you try to create a new group, you receive an unauthorized error; however, you are able to edit other aspects of the account properties. Which safe permission do you need to manage account groups?
A. create folders
B. specify next account content
C. rename accounts
D. manage safe
sol: To create an account group, users require the following permissions in the Safe where the group is created:
Add accounts
Update account content
Update account properties
Create folders

56. DRAG DROP - Match the built-in Vault user with the correct definition.
sol: as it is

57. You receive this error: "Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied." Which could be the cause?
A. The account does not have sufficient permissions to change its own password.
B. The domain controller is unreachable.
C. The password has been changed recently and minimum password age is preventing the change.
D. The CPM service is disabled and will need to be restarted.
sol: doc

58. How do you create a cold storage backup?
A. On the DR Vault, install PAReplicate according to the Installation guide, configure the logon ini file, and define the Schedule tasks for full and incremental backups.
B. Install the Vault Backup utility on a different machine from the Enterprise Password Vault server and trigger the full backup.
C. Configure the backup options in the PVWA.
D. On the DR Vault, configure the cold storage backup path in the TSParm.ini file.
sol: Use the CyberArk Backup Process

59. Where can you assign a Reconcile account? (Choose two.)
(https://www.examtopics.com/discussions/cyberark/view/101464-exam-pam-def-topic-1-question-59-discussion/)
A. in PVWA at the account level
B. in PVWA in the platform configuration
C. in the Master policy of the PVWA
D. at the Safe level
E. in the CPM settings

60. You notice an authentication failure entry for the DR user in the ITALog. What is the correct process to fix this error? (Choose two.)
(https://www.examtopics.com/discussions/cyberark/view/105710-exam-pam-def-topic-1-question-60-discussion/)
A. PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password.
B. Create a new credential file on the DR Vault using the CreateCredFile utility and the newly set password.
C. Create a new credential file on the Primary Vault using the CreateCredFile utility and the newly set password.
D. PVWA > User Provisioning > Users and Groups > DR User > Update Password.
E. PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update > Authentication > Update Password.
sol: If the DR user cannot log on to the Primary Vault, the credential file may not be synchronized with the Vault.
1. Log on to the Primary Vault with the Vault admin user.
2. Change the relevant DR user's password.
3. Create a credential file with the new password. For the DR user:
   CreateCredFile.exe user.cred Password /username /password /OSUsername /AppType DR
4.

61. Why is user "EMEALevel2Support" unable to change the password for user "Operator"?
(https://www.examtopics.com/discussions/cyberark/view/105715-exam-pam-def-topic-1-question-61-discussion/)
A. EMEALevel2Support's hierarchy level is not the same as or higher than Operator's.
B. EMEALevel2Support does not have the "Manage Directory Mapping" role.
C. Operator can only be reset by the Master user.
D. EMEALevel2Support does not have rights to reset passwords for other users.
sol: confused

62. When logging on to
(https://www.examtopics.com/discussions/cyberark/view/138241-exam-access-def-topic-1-question-62-discussion/)