Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed. HeadStartInterval Interval ImmediateInterval The CPM does not change the password under this circumstance.
When managing SSH keys, the CPM stores the Public Key In the Vault On the target server In the Vault and On the target server
Nowhere because the public key can always be generated from the private key.
Accounts Discovery allows secure connections to domain controllers. TRUE FALSE.
As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to. TRUE
FALSE.
The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability). TRUE FALSE.
Target account platforms can be restricted to accounts that are stored in specific Safes using the AllowedSafes property. TRUE FALSE.
When managing SSH keys, the CPM stores the Public Key TRUE FALSE.
When on-boarding account using Accounts Feed, which of the following is true? You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault. You can specify the name of a new safe that will be created where the account will be stored when it is on-boarded to the Vault. You can specify the name of a new Platform that will be created and associated with the account. Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.
What is the purpose of the Immediate Interval setting in a CPM policy? To control how often the CPM looks for System Initiated CPM work. To control how often the CPM looks for User Initiated CPM work. To control how long the CPM rests between password changes. To control the maximum amount of time the CPM will wait for a password change to complete.
Which one of the following reports is NOT generated by using the PVWA? Account Inventory Application Inventory Safes List Compliance Status.
It is possible to control the hours of the day during which a safe may be used. TRUE FALSE.
Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply. PSM connections to target devices that are not managed by CyberArk. Session Recording. Real-time live session monitoring. PSM connections from a terminal without the need to login to the PVWA.
When a group is granted the ‘Authorize Account Requests’ permission on a safe Dual Control requests must be approved by Any one person from that group Every person from that group The number of persons specified by the Master Policy That access cannot be granted to groups.
When managing SSH keys, the CPM stores the Private Key In the Vault On the target server In the Vault and On the target server
Nowhere because the public key can always be generated from the private key.
What is the primary purpose of One Time Passwords? (Req Chk)
Reduced risk of credential theft More frequent password changes Non-repudiation (individual accountability) To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization.
Where accounts are configured for Dual control, still need to request approval to use the account. TRUE FALSE.
Assuming a safe has been configured to be accessible during certain hours of the day, a Vault Admin may still access that safe outside of those hours. TRUE FALSE.
The Accounts Feed contains: (Req Chk) Accounts that were discovered by CyberArk in the last 30 days
Accounts that were discovered by CyberArk that have not yet been onboarded All accounts added to the vault in the last 30 days All users added to CyberArk in the last 30 days.
PSM for Windows (previously known as "RDP Proxy") supports connections to the following target systems Windows Oracle UNIX All of the above.
By default, members of which built-in groups will be able to view and configure Automatic Remediation and Session Analysis and Response in the PVWA? Vault Admins Security Admins Security Operators Auditors.
CyberArk implements license limits by controlling the number and types of users that can be provisioned in the vault. TRUE FALSE.
The vault supports Role Based Access Control. TRUE FALSE.
Can the ‘Connect’ button be used to initiate an SSH connection, as root, to a Unix system when SSH access for root is denied? Yes, when using the connect button, CyberArk uses the PMTerminal.exe process which bypasses the root SSH restriction. Yes, only if a logon account is associated with the root account and the user connects through the PSM-SSH connection component. Yes, if a logon account is associated with the root account. No, it is not possible.
A user with administrative privileges to the vault can only grant other users privileges that he himself has. TRUE FALSE.
What is the purpose of a linked account? To ensure that a particular collection of accounts all have the same password. To ensure a particular set of accounts all change at the same time. To connect the CPNI to a target system. To allow more than one account to work together as part of a password management process.
Which of the following PTA detections are included in the Core PAS offering? Suspected Credential Theft Over-Pass-The Hash Golden Ticket Unmanaged Privileged Access.
One can create exceptions to the Master Policy based on ____________________. Safes Platforms Policies Accounts.
Secure Connect provides the following features. Choose all that apply. PSM connections to target devices that are not managed by CyberArk. Session Becording. real-time live session monitoring. PSM connections from a terminal without the need to login to the PVWA.
Which onboarding method would you use to integrate CyberArk with your accounts provisioning process? Accounts Discovery Auto Detection Onboarding RestAPI functions PTA Rules.
A Reconcile Account can be specified in the Master Policy. TRUE FALSE.
In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault? True. False. Because the user can also enter credentials manually using Secure Connect False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSMConnect. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.
SAFE Authorizations may be granted to _________________.
Select all that apply. Vault Users Vault Groups LDAP Users LDAP Groups.
The Password upload utility can be used to create safes TRUE FALSE.
Which CyberArk components products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply. Discovery and Audit (DNA) Auto Detection (AD) Export Vault Data (EVD) On Demand Privileges manager (OPM) Accounts Discovery.
As long as you are a member of the Vault Admins group you can grant any permission on any safe. TRUE FALSE.
In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX system.
What is the BEST way to allow CPM to manage root accounts? Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account of the target server’s root account. Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account. Configure the Unix system to allow SSH logins. Configure the CPM to allow SSH logins.
Which of the following statements are NOT true when enabling PSM recording for a target Windows server? Choose all that apply.
The PSM software must be installed on the target server. PSM must be enabled in the Master Policy (either directly, or through exception). PSMConnect must be added as a local user on the target server. RDP must be enabled on the target server.
If a password is changed manually on a server, bypassing the CPM, how would you configure the account so that the CPM could resume management automatically? Configure the Provider to change the password to match the Vault’s Password Associate a reconcile account and configure the platform to reconcile automatically. Associate a logon account and configure the platform to reconcile automatically. Run the correct auto detection process to rediscover the password.
What is the maximum number of levels of authorizations you can set up in Dual Control? 1 2 3 4.
You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root account’s password the CPM will Log in to the system as root, then change root’s password. Log in to the system as the logon account, then change root’s password Log in to the system as the logon account, run the su command to log in as root, and then change root’s password. None of these.
It is possible to restrict the time of day, or day of week that a verify process can occur. TRUE FALSE.
Which of the Following can be configured in the Master Policy? Choose all that apply. Dual Control One Time Passwords Exclusive Passwords Password Reconciliation Ticketing Integration Required Properties Custom Connection Components Password Aging Rules.
The System safe allows access to the Vault configuration files.
TRUE FALSE.
It is possible to restrict the time of day, or day of week that a reconcile process can occur. TRUE FALSE.
Which of the following options is not set in the Master Policy? Password Expiration Time Enabling and Disabling of the Connection Through the PSM Password Complexity The use of "One-Time-Passwords".
Which of the following files must be created or configured in order to run Password Upload Utility? Select all that apply. A. PACli.ini
Vault.ini conf.ini A comma delimited upload file.
Users can be restricted through certain CyberArk interfaces (e.g. PVWA or PACLI). TRUE FALSE.
What is the purpose of the HeadStartInterval setting in a platform? It determines how far in advance audit data is collected for reports. It instructs the CPM to initiate the password change process X number of days before expiration. It instructs the AIM Provider to ‘skip the cache’ during the defined time period. It alerts users of upcoming password changes x number of days before expiration.
What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy? MinValidityPeriod Interval ImmediateInterval Timeout.
It is possible to leverage DNA to provide discovery functions that are not available with auto-detection. TRUE FALSE.
PSM captures a record of each command that was executed in Unix. TRUE FALSE.
Platform settings are applied to______________. The entire vault. Network Areas Safes Individual Accounts.
Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account. TRUE FALSE.
As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to. TRUE FALSE.
Which report provides a list of accounts stored in the vault. Privileged Accounts Inventory Privileged Accounts Compliance Status Entitlement Report Activity Log.
When on-boarding account using Accounts Feed, which of the following is true? You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault. You can specify the name of a new safe that will be created where the account will be stored when it is on-boarded to the Vault. You can specify the name of a new Platform that will be created and associated with the account. Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.
A Logon Account can be specified in the Master Policy. TRUE FALSE.
For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval. Create an exception to the Master Policy to exclude the group from the workflow process. Edit the master policy rule and modify the advanced ‘Access safe without approval’ rule to include the group. On the safe in which the account is stored grant the group the ‘Access safe without audit’ authorization. On the safe in which the account is stored grant the group the ‘Access safe without confirmation’ authorization.
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group
UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group
OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to OperationsStaff? Check all that apply. Use Accounts Retrieve Accounts List Accounts Authorize Password Requests Access Safe without Authorization.
Which utilities could you use to change debugging levels on the vault without having to restart the vault. Select all that apply.
A. PAR Agent
B. PrivateArk Server Central Administration
C. Edit DBParm.ini in a text editor.
D. Setup.exe PAR Agent PrivateArk Server Central Administration Edit DBParm.ini in a text editor. Setup.exe.
It is possible to control the hours of the day during which a user may long into the vault. TRUE FALSE.
VAULT authorizations may be granted to ____________________.
Select all that apply. Vault Users Vault Groups LDAP Users LDAP Groups.
What is the purpose of the Interval setting in a CPM policy? To control how often the CPM looks for System Initiated CPM work. To control how often the CPM looks for User Initiated CPM work. To control how long the CPM rests between password changes. To control the maximum amount of time the CPM will wait for a password change to comple.
If a user is a member of more than one group that has authorizations on a safe, by default that user is granted____________________. the vault will not allow this situation to occur. only those permissions that exist on the group added to the safe first. only those permissions that exist in all groups to which the user belongs. the cumulative permissions of all the groups to which that user belongs.
Which Built-in group grants access to the ADMINISTRATION page? Auditors PVWAMonitor PVWAUsers Vault Admins.
It is impossible to override Mater Policy settings for a Platform
TRUE FALSE.
One time passwords reduce the risk of Pass the Hash vulnerabilities in Windows. TRUE FALSE.
It is possible to restrict the time of day, or day of week that a change process can occur. TRUE FALSE.
What is the purpose of the Allowed Safes parameter in a CPM policy? Select all that apply. To improve performance by reducing CPM workload. To prevent accidental use of a policy in the wrong safe. To allow users to access only the passwords they should be able to access. To enforce Least Privilege in CyberArk.
A Reconcile Account can be specified in the Platform Settings TRUE FALSE.
The password upload utility can be used to create safes TRUE FALSE.
VAULT authorizations may be granted to_____. LDAP Groups Vault Groups Vault Users LDAP Users.
In Accounts Discovery, you can configure a Windows discovery to scan ___________. as many OUs as you wish. up to three OUs. only one OU. a number of OUs determined by the OUstoScan setting under the Accounts Feed section in the Administration tab.
In accordance with best practice. SSH access is denied for root accounts on UNIX/LINUX systems. What is the BEST way to allow CPM to manage root accounts.
Create a non-privileged account on the target server Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server's root account Configure the CPM to allow SSH logins Configure the Unix system to allow SSH logins. Create a privileged account on the target server Allow this account the ability to SSH directly from the CPM machine Configure this account as the Reconcile account of the target server's root account.
When managing SSH keys, CPM automatically pushes the Public Key to the target system. TRUE FALSE.
When managing SSH keys, CPM automatically pushes the Private Key to all systems that use it TRUE FALSE.
PSM captures a record of each command that was executed in SQL Plus TRUE FALSE.
Which report could show all audit data in the vault? Privileged Account Compliance Status Report Activity Log Privileged Account Inventory Report Application Inventory Report.
The vault does not supports Role Based Access Control. TRUE FALSE.
Reports can be scheduled to run on a periodic basis TRUE FALSE.
It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe. TRUE FALSE.
The Application Inventory report is related to AIM TRUE FALSE.
Which user is automatically given all Safe authorizations on all Safes? Administrator Master Auditor Operator.
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group
UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group
OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to UnixAdmins? Check all that apply. Use Accounts Retrieve Accounts List Accounts Authorize Password Requests Access Safe without Authorization.
Using the SSH Key Manager it is possible to allow CPM to manage SSH Keys similarly to passwords.
TRUE FALSE.
|
