CyberArk certifications –

préparation Defender
Infrastructure - général
•  bind password for LDAP => VaultInternal Safe
Infrastructure - Vault
• Fichiers de logs :
• Fichiers de configuration :
Infrastructure - CPM
Infrastructure – PSM/P
Infrastructure - PVWA
• Question 1 : After a PSM session is complete, the PSM server uploads the recording to the vault for a long term storage true/false
• Question 2 : A SIEM integration allows you to forward ITALOG records to a monitoring solution true/false
• Question 3 : When managing SSH keys, CPM can push the private key to all system that use it true/false
• Question 4 : The vault server require WINS services to work properly true/false
• Question 5 : PSM requires the Remote Desktop Session Host role service true/false
• Question 6 : The Auditors group must be manually added to newly created safes so auditors will have sufficient access to run reports true/false
• Question 7 : PSM captures a record of each command that was executed in Unix true/false
• Question 8 : A SIEM integration allows you to forward audit records to a monitoring solution true/false
• Question 9 : dbparm.ini is the main configuration file for the vault true/false
• Question 10 : It is possible to disable the show and copy buttons without removing the retrieve permission on a safe true/false
• Question 11 : An SMTP integration allows you to forward audit records from the vault to the SIEM true/false
• Question 12 : The DR module allows an integration with Enterprise Backup Software true/false
• Question 13 : The PrivateArk clients allows a user to view the contents of the vault like a filesystem true/false
• Question 14 : The default authorizations on a safe allow the user to change a password true/false
• Question 15 : PSM captures a record of each command that was issued in SQL Plus true/false
• Question 16 : The vault provides a tamper-proof audit trail true/false
• Question 17 : CyberArk implements license limits by controling the number and types of users that can be provisionned in the vault true/false
• Question 18 : A reconcile account can be specified in the master policy true/false
• Question 19 : It is possible to control the hours of the day during which a user may log into the vault true/false
• Question 20 : The default authorization on a safe allows a user to store a new account true/false
• Question 21 : The primary purposes of the PSM server are isolation and monitoring true/false
• Question 22 : Typically Access control is implemented by the safe true/false
• Question 23 : In the vault all password are encrypted with the server key true/false
• Question 24 : If a user is a member of more than one group that has authorizations on a safe, by default that user is granted the cumulative privileges form all of
those groups true/false
• Question 25 : The vault Internal safe contains the configuration for an LDAP Integration true/false yes
• Question 26 : The security on the vault server is entirely dependant on the security of the network true/false
• Question 27 : When managing SSH keys, CPM automatically pushes on the Public key to the target system true/false
• Question 28 : If the firewall on the vault is down, the vault is accessible and vulnerable true/false
• Question 29 : One Time Password reduce the risk of Pass the Hash vulnerabilities in Windows true/false
• Question 30 : The replicate module allows an integration with Enterprise Backup software true/false
• Question 31 : You can change the vault license by uploading the new license to the system Safe true/false
• Question 32 : The RemoteApp feature of PSM allows seamless Application windows (i.e. the Desktop of the PSM server will not be visible) true/false
• Question 33 : Using the SSH Key Manager it is possible to allow CPM to manage SSH Keys similarly to passwords true/false
• Question 34 : It is impossible to override Master Policy settings for a set of accounts ? true/false
• Question 35 : The connect button requires PSM to work true/false
• Question 36 : Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI) true/false
• Question 37 : It is possible to restrict the time of day, or day of week that a reconcile process can occur true/false
• Question 38 : The DR Vault is pingable when the CyberArk Disaster Recovery Service is running true/false
• Question 39 : The Vault server required DNS Services to operate properly true/false
• Question 40 : It is possible to control the hours of the day during which a safe may be used true/false
• Question 41 : Which of the following can be configured in the Master Policy ? Choose all that apply Dual Control/One Time Password/Exclusive
Password/Password Reconciliation/Ticketing Integration/Required Properties/Custom connection Components
• Question 42 : You can enable debugging in the DBParm.ini without restarting the vault server true/false
• Question 43 : Which user is automatically given all Safe authorizations on all Safes ? Administrator/Master/Auditors/Operator
• Question 44 : A vault Admin received an email notification that a password verification process has failed. From which service was the message
sent ? The PrivateArk Server Service on the Vault/The CyberArk Password manager service on the components Server/The CyberArk Event
Notification Engine Service on the Vault/The CyberArk Privileged Session Manager service on the vault
• Question 45 : What is the purpose of CyberArk Event Notification Engine ? Sends email messages from the Vault/Sends email messages from
the CPM/Processes audit reports/Make vault data available to components
• Question 46 : You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root
account’s password the CPM will… Log into the system as root, then change root password/Log into the system as the logon account, then
change root’s password/Log into the system as the logon account, run the su command to log in as root and then change root’s
password/None of the above
• Question 47 :What would be a good use case for the Replicate module ? Recovery Time Objectives or Recovery Point Objectives are at or near
zero/Integration with an Enterprise Backup Solution is required/Off site replication is required/PSM is used
• Question 48 : Which built-in group grants access to the ADMINISTRATION page ? PVWAMonitor/PVWAUsers/Auditor/Vault Admins
• Question 49: Which utility would you use to change debugging levels on the vault without having to restart the vault ? PrivateArk
Client/PrivateArk Server Remote Control Agent/Edit DBParm.ini in a text editor/Setup.exe
• Question 50 :When a DR vault server becomes an active vault, it will automatically fail back to the original state once the primary vault comes
back online True, this is the default behavior/False, this is not possible/True, if the « AllowFailback » setting is set to yes in the PADR.ini file/
True, if the « AllowFailback » setting is set to yes in the DBParm.ini file
• Question 51 : Does CyberArk need service accounts on each server to change password ? Yes, it requires a domain administrator account to
change any password on any server/Yes, it requires a local administrator account on any Windows servers and a root level access on Unix
servers/No Password are changed by the password provider agent/No, the CPM uses the account information stored in the vault to login
and change the account’s password using its own credentials
• Question 52 : Which of the following status is true ? Select all that apply The Digital Vault requires a dedicated server/The CPM and PVWA can
be installed on the same server/The CPM should not be part of the domain and should have no third party software installed/PSM cannot
be installed on the vault server
• Question 53 : PSM indexes windows recordings according to which window had the focus at any particular time true/false
• Question 54 : An SNMP integration allows you to forward audit records from the vault to the SIEM true/false
• Question 55 : The default authorizations on a safe allow a user to see the password true/false
• Question 56 : An SNMP integration allows you to forward ITALOG records to a monitoring solution true/false
• Question 57 : A logon account can be specified in the platform settings true/false
• Question 57 : The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability) true/false
• Question 58 : The vault server uses a modified version of the Microsoft firewall true/false
• Question 59 : The vault Internal safe contains the configuration for a LEAP integration true/false
• Question 60 : Multiple Vault servers can be load balanced true/false
• Question 61 : PSM generates recordinggs on the vault in real time true/false
• Question 62 : The primary purpose of the CPM is password management true/false
• Question 63 : The System safe allos access to the Vault configuration files true/false
• Question 64 : HA, DR, Replicate are mutually exclusive and cannot be used in the same environment true/false
• Question 65 : As long as you are a member of the Vault Admin Group, you can grant any permission on any safe that you have access to
true/false
• Question 66 : The Vault supports Role Based Access Control true/false
• Question 67 : PSM Requires the Remote Control Gateway role service true/false
• Question 68 : To simplify Access Control, CyberArk recommends implementing object level access control on all safes true/false
• Question 53 : All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The
members of the AD group UnixAdmins need to be able to access those passwords at any time without confirmation. The members of the AD
group OperationsStaff need to be able to access those passwords on an emergency basis, but only with the approval of a member of
OperationsManagers. The members of OperationsManagers do not need to be able to access those passwords themselves. Which safe
permissions do you need to grant to UnixAdmins? Check all that apply. Use Accounts/Retrieve Account/List Accounts/Authorize Password
Requests/Access Safe without Authorization
• Question 54 : All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The
members of the AD group UnixAdmins need to be able to access those passwords at any time without confirmation. The members of the AD
group OperationsStaff need to be able to access those passwords on an emergency basis, but only with the approval of a member of
OperationsManagers. The members of OperationsManagers do not need to be able to access those passwords themselves. Which safe
permissions do you need to grant to OperationsStaff? Check all that apply. Use Accounts/Retrieve Account/List Accounts/Authorize Password
Requests/Access Safe without Authorization
• Question 55 : All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The
members of the AD group UnixAdmins need to be able to access those passwords at any time without confirmation. The members of the AD
group OperationsStaff need to be able to access those passwords on an emergency basis, but only with the approval of a member of
OperationsManagers. The members of OperationsManagers do not need to be able to access those passwords themselves. Which safe
permissions do you need to grant to OperationsManagers? Check all that apply. Use Accounts/Retrieve Account/List Accounts/Authorize
Password Requests/Access Safe without Authorization
• Question 56 : The password upload utility can be used to create safes true/false
• Question 57 : Which Built-In group grants access to the ADMINISTRATION page? PVWAMonitor/PVWAUsers/Auditors/VaultAdmins
• Question 58 : In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems. What is the BEST way to allow
CPM to manage root accounts. Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM
machine. Configure this account as the Reconcile account of the target server's root account / Create a non-privileged account on the target
server. *Allow this account the ability to SSH directly from the CPM machine. *Configure this account as the Logon account of the target
server's root account / Configure the Unix system to allow SSH logins / Configure the CPM to allow SSH logins
• Question 59 : Which report provides a list of accounts stored in the Vault? Privileged Accounts Inventory / Privileged Accounts Compliance/
Status Entitlement Report / Activity Log
• Question 60 : Settings in the Password Managment section of the Master Policy are implemented by which component? PVWA / CPM / PSM /
The Vault
• Question 61 : Platform settings are applied to : The entire vault / Network areas / Safes / Individual accounts
• Question 62 : Can the 'Connect' button be used to initiate an SSH connection, as root, to a Unix system when SSH access for root is denied?
Yes, when using the connect button. CyberArk uses the PMTerminal.exe process which bypasses the root SSH restriction / Yes, only if a logos
account is associated with the root account and the user connects through the PSM-SSH connection component / Yes, only if a logos
account is associated with the root account / No, it is not possible.
• Question 63 : Does CyberArk need service accounts on each server to change passwords? Yes, it requires a domain administrator account to
change any password on any server / Yes, it requires a local administrator account on any Windows server and a root level account on any
Unix server / No, passwords are changed by the Password Provider Agent / No, the CPM uses the account information stored in the vault to
login and change the account's password using its own credentials
• Question 64 : Which Users or Groups can be used to grant VAULT authorizations? Vault Users / Vault Groups / LDAP Users / LDAP Groups
• Question 65 : What is the purpose of the Server Key? The Server Key is used only in recovery scenarios / The Server key is used to encrypt the
connections the Vault from the CyberArk component servers / The Server Key encrypts and decrypts the Safe Keys / The Server Key unlocks
the vault server

• During ENE integration you should specify the Fully-Qualified Domain Name (fqdn) of the SMTP. TRUE
• In order to retreive data from the vault a user MUST user a interface provided by cyberark TRUE
• In order to avoid conflicts with the hardening process, third party application like antivirus and backup agents should be installed on the vault
server before installing the vault FALSE

• An SMTP integration allows you to forward ITALog records to a monitoring solution TRUE
• It’s possible to restrict the time of day a safe can be accessed using
config setting ??? PrivateArk client???
• PVWA > Administration > configuration Options >LDAP Integration
• Q25 – 33 . 32 .