The vault does not support Role Based Access Control TRUE
FALSE.
The Remote Desktop Services role must be properly licensed by Microsoft.
TRUE FALSE.
One can create exceptions to the Master Policy based on ____________. Safes Platforms Policies Accounts.
Which of the following statements are NOT true when enabling PSM recording for a target Windows server? The PSM software must be installed on the target server. PSM must be enabled in the Master Policy (either directly, or through exception). PSMConnect must be added as a local user on the target server. RDP must be enabled on the target server.
It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe. TRUE FALSE.
During LDAP/S integration you should specify the Fully Qualified Domain Name (FQDN) of the Domain
Controller TRUE FALSE.
Which of the following options is not set in the Master Policy?
Password Expiration Time Enabling and Disabling of the Connection Through the PSM Password Complexity The use of “One-Time Passwords.
When on-boarding accounts using Accounts Feed, which of the following is true? You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault. You can specify the name of a new safe that will be created where the account will be stored when it is onboarded the Vault. You can specify the name of a new Platform that will be created and associated with the account. Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.
The Vault Internal safe contains the configuration for an LDAP integration. TRUE FALSE.
PSM captures a record of each command that was issued in SQL Plus. TRUE FALSE.
What is the purpose of the Allowed Safes parameter in a Central Policy Manager (CPM) policy? (Choose all
that apply.)
To improve performance by reducing CPM workload.
To prevent accidental use of a policy in the wrong Safe. To allow users to access only the passwords they should be able to access. To enforce Least Privilege in CyberArk.
The Vault Internal safe contains all of the configuration for the vault. TRUE FALSE.
One time passwords reduce the risk of Pass the Hash vulnerabilities in Windows. TRUE FALSE.
What are the operating system prerequisites for installing Central Policy Manager (CPM)? .NET Framework 4.5.2 Feature Web Services Role Remote Desktop Services Role Windows 2012 R2 or higher.
The vault provides a tamper-proof audit trail. TRUE FALSE.
It is possible to restrict the time of day, or day of week that a verify process can occur TRUE FALSE.
When managing SSH keys, Central Policy Manager (CPM) automatically pushes the Private Key to all systems that use it. TRUE FALSE.
Which one of the built-in Vault users is not automatically added to the safe when it is first created in PWA? Master Administrator Auditor Operator all in the answer added to the safe.
What conditions must be met in order to log into the vault as the Master user? (Choose all that apply.)
A. Logon must be originated from the console of the Vault Server or an EmergencyStation defined in DBParm.ini User must provide the correct master password. Logon requires the Recovery Private Key to be accessible to the vault. Logon must satisfy a challenge response request.
The Vault supports multiple instances of the following components. (Choose all that Apply.) - NEED TO CHECK ANSWER FURTHER
PVWA CPM PSM AIM Provider.
In a Security Information and Event Management (SIEM) integration it is recommended to use the Fully Qualified Domain Name (FQDN) when specifying the
SIEM server address(es). !NTCA! TRUE FALSE.
The vault supports a number of dual factor authentication methods. TRUE FALSE.
You are successfully managing passwords in the alpha.cyberark.com domain; however, when you attempt to manage a password in the beta.cyberark.com domain, you receive the ג€˜network path not foundג€™ error. What should you check first? That the username and password are correct. That the Central Policy Manager (CPM) can successfully resolve addresses in the beta.cyberark.com domain That the end user has the correct permissions on the safe. That an appropriate trust relationship exists between alpha.cyberark.com and beta.cyberark.com.
In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault. True. False. Because the user can also enter credentials manually using Secure Connect. False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSMConnect. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.
The Vault Server uses a modified version of the Microsoft Windows firewall. TRUE FALSE.
A Vault administrator have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root accountג€™s password the
CPM willג€¦ Log in to the system as root, then change rootג€™s password. Log in to the system as the logon account, then change rootג€™s password. Log in first with the logon account, then run the SU command to log in as root, and then change rootג€™s password. None of these.
A Security Information and Event Management (SIEM) integration allows you to forward ITALOG records to a monitoring solution. TRUE FALSE.
What is the purpose of the CyberArk Event Notification Engine service? sends email messages from the vault. sends email messages from the CPM. processes audit reports. makes vault data available to components.
The DR module allows an integration with Enterprise Backup software. TRUE FALSE.
What is the purpose of the PrivateArk Server service? Executes password changes. Makes Vault data accessible to components. Maintains vault metadata. Sends email alert from the Vault.
Auto-Detection can be configured to leverage LDAP/S. TRUE FALSE.
It is impossible to override Mater Policy settings for a Platform TRUE FALSE.
The following applications are pre-configured to work with PSM, but first need to be installed on the PSM server.
SQL Plus Putty RDP WinSCP Toad VMWare vSphere Client Microsoft SQL Management Studio.
What is the PRIMARY reason for installing more than 1 active Central Policy Manager (CPM)? Installing CPMs in multiple sites prevents complex firewall rules to manage devices at remote sites. Multiple instances create fault tolerance. Multiple instances increase response time. Having additional CPMs increases the maximum number of devices CyberArk can manage.
When planning to load balance at least 2 PSM Servers in an "in-domain" deployment, is it required to move the PSMConnect and PSMAdminConnect users to the domain level? Yes, but only the PSMConnect user must be moved to the domain. No, this is the customersג€™ decision and will work with local or domain based users. Yes, both PSMConnect and PSMAdminConnect users should be moved to the domain. No, both accounts must be left as local accounts.
Name two ways of viewing the ITAlog: Log into the vault locally and navigate to the Server folder under the PrivateArk install location. Log into the PVWA and go to the Reports tab. Access the System Safe from the PrivateArk client. Go to the Thirdpary log directory on the CPM.
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group
UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group
OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to UnixAdmins?
Use Accounts Retrieve Accounts List Accounts Authorize Password Requests Access Safe without Authorization.
A Simple Mail Transfer Protocol (SMTP) integration allows you to forward audit records to a monitoring solution. TRUE FALSE.
The System safe allows access to the Vault configuration files. TRUE FALSE.
Which of the Following can be configured in the Master Policy? (Choose all that apply.) Dual Control One Time Passwords Exclusive Passwords Password Reconciliation Ticketing Integration Required Properties Custom Connection Components Password Aging Rules.
Multiple PSM Servers can be load balanced. TRUE FALSE.
Which file would you modify to configure your Vault Server to forward Activity Logs to a Security Information and Event Management (SIEM) or SYSLOG server? dbparm.ini PARagent.ini ENEConf.ini padr.ini.
In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems. What is the BEST way to allow Central Policy Manager (CPM) to manage root accounts? Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target serverג€™s root account. Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target serverג€™s root account. Configure the Unix system to allow SSH logins. Configure the CPM to allow SSH logins.
It is possible to leverage DNA to provide discovery functions that are not available with auto-detection. TRUE FALSE.
In order to retrieve data from the vault a user MUST use an interface provided by CyberArk. TRUE FALSE.
When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online. True, this is the default behavior. False, this is not possible. True, if the ג€˜AllowFailbackג€™ setting is set to yes in the PADR.ini file. True, if the ג€˜AllowFailbackג€™ setting is set to yes in the dbparm.ini file.
PSM requires the Remote Desktop Session Host role service. TRUE FALSE.
Which is the correct order of installation for PAS components? Vault, CPM, PVWA, PSM CPM, Vault, PSM, PVWA Vault, CPM, PSM, PVWA PVWA, Vault, CPM, PSM Vault, PVWA, CPM,PSM.
Which utilities could you use to change debugging levels on the Vault without having to restart the Vault? (Choose two.)
PAR Agent PrivateArk Server Central Administration Edit DBParm.ini in a text editor. Setup.exe.
What is the maximum number of levels of authorizations you can set up in Dual Control? 1 2 3 4.
Within the Vault each password is encrypted by __________ . The Server Key The Recovery Public Key The Recovery Private Key Its own unique key.
In Accounts Discovery, you can configure a Windows discovery to scan ___________.
as many OUs as you wish. up to three OUs. only one OU. a number of OUs determined by the OUstoScan setting under the Accounts Feed section in the Administration tab.
Which report could show all audit data in the vault? Privileged Account Compliance Status Report Activity Log Privileged Account Inventory Report Application Inventory Report.
When managing SSH keys, Central Policy Manager (CPM) automatically pushes the Public Key to the target system. TRUE FALSE.
A Vault Administrator wants to change the PSM Server ID to comply with a naming standard. What is the process for changing the PSM Server ID? First, logon to the PrivateArk Client as Administrator and open the PVWAConfig safe. Retrieve and edit the PVConfiguration.xml file. Search for the PSMServer Name and update the ID of the server you want to rename. Save the file and copy back to the PWAConfig safe. Restart the ג€CyberArk Privileged Session Managerג€ service on the PSM server. Login to the PVWA, then change the PSMServer ID in Administration, System Configuration, Options, Privileged Session Management, Configured PSM Servers. Run an IISRESET on all PVWA servers. First, login to the PVWA, browse to Administration, System Configuration, Options, Privileged Session Management, Configured PSM Servers and select the PSM Server you need to change from the list of servers. In the properties pane, set the value of the ID property to the new Server ID, click Apply and OK. Next, edit the basic_psm.ini file located on the PSM server in the PSM root directory and update the PSMServerID parameter with the new Server ID, save the file and restart the ג€CyberArk Privileged Session Managerג€ service on the PSM server. Options A and B above is the correct procedure.
Customers who have the ג€˜Access Safe without confirmationג€™ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account. TRUE FALSE.
The Vault needs to send Simple Network Management Protocol (SNMP) traps to an SNMP solution. In which configuration file do you set the IP address of the
SNMP solution? PARAgent.ini dbparm.ini ENEConf.ini my.ini.
A Security Information and Event Management (SIEM) integration allows you to forward audit records to a monitoring solution. TRUE FALSE.
Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? (Choose all that apply.) Store the CD in a physical safe and mount the CD every time vault maintenance is performed. Copy the entire contents of the CD to the System Safe on the vault. Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions. Store the server key in a Hardware Security Module (HSM) and copy the reset the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions.
It is possible to control the hours of the day during which a safe may be used. TRUE FALSE.
A Logon Account can be specified in the Master Policy TRUE FALSE.
Platform settings are applied to______________. The entire vault. Network Areas Safes Individual Accounts.
Which user is automatically added to all Safes and cannot be removed? Auditor Administrator Master Operator.
A vault admin received an email notification that a password verification process has failed. From which service was the message sent? The PrivateArk Server Service on the Vault. The CyberArk Password Manager service on the Components Server. The CyberArk Event Notification Engine Service on the Vault. The CyberArk Privileged Session Manager service on the Vault.
PSM captures a record of each command that was executed in Unix. TRUE FALSE.
Using the SSH Key Manager it is possible to allow Central Policy Manager (CPM) to manage SSH Keys similarly to passwords. TRUE FALSE.
Which of the following are prerequisites for installing Password Vault Web Access (PVWA)? Web Services Role .NET 4.5.1 Framework Feature Remote Desktop Services Role Windows BitLocker.
SAFE Authorizations may be granted to ________________.
(Choose all that apply.) Vault Users Vault Groups LDAP Users LDAP Groups.
Which Built-In group grants access to the ADMINISTRATION page? >>>? PVWAMonitor PVWAUsers Auditors Vault Admins.
Multiple Password Vault Web Access (PVWA) servers provide automatic load balancing. TRUE FALSE.
What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?
MinValidityPeriod Interval ImmediateInterval Timeout.
|
