
• After a PSM session is complete, the PSM server uploads the recording to the vault for long-term storage
• PSM requires the Remote Desktop Session Host role service
• PSM indexes windows recordings according to which window had the focus at any particular time
• PSM captures a record of each command that was executed in Unix/SQL Plus
• A SIEM integration allows you to forward audit records to a monitoring solution
• DBParm.ini is the main configuration file for the vault
• It is possible to disable the show and copy buttons without removing the retrieve permission on a safe
• The PrivateArk client allows a user to view the contents of the vault like a filesystem
• The vault provides a tamper-proof audit trail
• In the vault all passwords are encrypted with the server key
• If a user is a member of more than one group that has authorizations on a safe, by default that user is granted the cumulative privileges from all of those groups
• The vault Internal safe contains the configuration for an LDAP Integration
• The System safe allows access to the Vault configuration files
• You can change the vault license by uploading the new license to the system Safe
• The replicate module allows an integration with Enterprise Backup software

• One Time Passwords reduce the risk of Pass the Hash vulnerabilities in Windows
• The default authorizations on a safe allow a user to see the password
• An SNMP integration allows you to forward ITALOG records to a monitoring solution
• A logon account can be specified in the platform settings
• The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability)
• The vault server uses a modified version of the Microsoft firewall
• Multiple Vault servers can be load balanced
• PSM generates recordings on the vault in real time
• The password upload utility can be used to create safes
• During ENE integration you should specify the Fully-Qualified Domain Name (fqdn) of the SMTP.
• In order to retrieve data from the vault a user MUST use an interface provided by CyberArk
• Auto-Detection can be configured to leverage LDAP/s
• Server central administration interface can be edited without restarting the PrivateArk service
• Can object Level Access Control be enabled for Non-Predefined Safes
• Typically Access control is implemented by the safe
• Using the SSH Key Manager it is possible to allow CPM to manage SSH Keys similarly to passwords
• Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI)
• It is possible to restrict the time of day, or day of week that a reconcile process can occur
• 11 : An SMTP integration allows you to forward audit records from the vault to the SIEM
• 54 : An SNMP integration allows you to forward audit records from the vault to the SIEM
• A SIEM integration allows you to forward ITALOG records to a monitoring solution
• 6 : The Auditors group must be manually added to newly created safes so auditors will have sufficient access to run reports
• 3 : When managing SSH keys, CPM can push the private key to all systems that use it
• 4 : The vault server requires WINS services to work properly
• 20 : The default authorization on a safe allows a user to store a new account
• 18 : A reconcile account can be specified in the master policy

• 12 : The DR module allows an integration with Enterprise Backup Software


• 64 : HA, DR, Replicate are mutually exclusive and cannot be used in the same environment
• 34 : It is impossible to override Master Policy settings for a set of accounts ?
• 26 : The security on the Vault server is entirely dependent on the security of the network
• 39 : The Vault server requires DNS Services to operate properly
• 67 : PSM Requires the Remote Control Gateway role service
• A logon Account can be specified in the Master Policy
• Can object Level Access Control be enabled for any safe
• In order to avoid conflicts with the hardening process, third party applications like antivirus and backup agents should be installed on the vault server before installing the vault FALSE
• The vault Internal safe contains all of the configuration for the vault
• Question 65 : As long as you are a member of the Vault Admin Group, you can grant any permission on any safe that you have access to true/false
• Question 68 : To simplify Access Control, CyberArk recommends implementing object level access control on all safes true/false
• Question 42 : You can enable debugging in the DBParm.ini without restarting the vault server true/false
• Question 28 : If the firewall on the vault is down, the vault is accessible and vulnerable true/false
• Question 21 : The primary purposes of the PSM server are isolation and monitoring true/false
• Question 17 : CyberArk implements license limits by controlling the number and types of users that can be provisioned in the vault true/false
• Question 14 : The default authorizations on a safe allow the user to change a password true/false
• Question 2 : n true/false
• Question 32 : The RemoteApp feature of PSM allows seamless Application windows (i.e. the Desktop of the PSM server will not be visible) true/false
• Question 35 : The connect button requires PSM to work true/false
• Question 38 : The DR Vault is pingable when the CyberArk Disaster Recovery Service is running true/false

• The correct answer is A. Using the PARAgent utility, we can choose the SetParm directive together with the /Immediate parameter (apply changes immediately) to modify the debug level. This modification will also be reflected in DBParm.ini. Notice that letter C is wrong, as this option requires a restart of the Vault service.
• Question 43 : Which user is automatically given all Safe authorizations on all Safes ? /Master/
• Question 44 : A vault Admin received an email notification that a password verification process has failed. From which service was the message
sent ? The CyberArk Event Notification Engine Service on the Vault
• Question 45 : What is the purpose of CyberArk Event Notification Engine ? Sends email messages from the Vault
• Question 46 : You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root
account’s password the CPM will… Log into the system as the logon account, run the su command to log in as root and then change root’s
password
• Question 47 : What would be a good use case for the Replicate module ? Recovery Time Objectives or Recovery Point Objectives are at or near
zero/Integration with an Enterprise Backup Solution is required/Off site replication is required/PSM is used
• Question 48 : Which built-in group grants access to the ADMINISTRATION page ? Vault Admins
• Question 49: Which utility would you use to change debugging levels on the vault without having to restart the vault ? PrivateArk Agent
PARAgent.ini /PrivateArk Server Remote Control Agent
• Question 50 : When a DR vault server becomes an active vault, it will automatically fail back to the original state once the primary vault comes
back online False, this is not possible
• Question 51 : Does CyberArk need service accounts on each server to change password ? No, the CPM uses the account information stored in
the vault to login and change the account’s password using its own credentials
• Question 52 : Which of the following status is true ? Select all that apply The Digital Vault requires a dedicated server/The CPM and PVWA can
be installed on the same server/The CPM should not be part of the domain and should have no third party software installed/PSM cannot
be installed on the vault server
• Question 57 : Which Built-In group grants access to the ADMINISTRATION page? PVWAMonitor/PVWAUsers/Auditors/VaultAdmins
• Question 58 : In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems. What is the BEST way to allow
CPM to manage root accounts. Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM
machine. Configure this account as the Reconcile account of the target server's root account / Create a non-privileged account on the target
server. *Allow this account the ability to SSH directly from the CPM machine. *Configure this account as the Logon account of the target
server's root account / Configure the Unix system to allow SSH logins / Configure the CPM to allow SSH logins
• Question 59 : Which report provides a list of accounts stored in the Vault? Privileged Accounts Inventory / Privileged Accounts Compliance/
Status Entitlement Report / Activity Log
• Question 60 : Settings in the Password Management section of the Master Policy are implemented by which component? PVWA / CPM / PSM /
The Vault
• Question 61 : Platform settings are applied to : The entire vault / Network areas / Safes / Individual accounts
• Question 62 : Can the 'Connect' button be used to initiate an SSH connection, as root, to a Unix system when SSH access for root is denied?
Yes, when using the connect button. CyberArk uses the PMTerminal.exe process which bypasses the root SSH restriction / Yes, only if a logon
account is associated with the root account and the user connects through the PSM-SSH connection component / Yes, only if a logon
account is associated with the root account / No, it is not possible.
• Question 63 : Does CyberArk need service accounts on each server to change passwords? Yes, it requires a domain administrator account to
change any password on any server / Yes, it requires a local administrator account on any Windows server and a root level account on any
Unix server / No, passwords are changed by the Password Provider Agent / No, the CPM uses the account information stored in the vault to
login and change the account's password using its own credentials
• Question 64 : Which Users or Groups can be used to grant VAULT authorizations? Vault Users / LDAP Users
• Question 65 : What is the purpose of the Server Key? The Server Key is used only in recovery scenarios / The Server key is used to encrypt the
connections the Vault from the CyberArk component servers / The Server Key encrypts and decrypts the Safe Keys / The Server Key unlocks
the vault server
• Question 41 : Which of the following can be configured in the Master Policy ? Choose all that apply Dual Control/One Time
Password/Exclusive Password/Password Reconciliation/Ticketing Integration/Required Properties/Custom connection Components
• It’s possible to restrict the time of day a safe can be accessed using config setting ??? PrivateArk client??? Q25 – 33 . 32 .
• DBParm.ini: Vault configuration file. The PrivateArk Server service must be restarted after any change to the file (BackupSoftware and BackupServerIP) (third-party backup system to back up your Vault)
• Passpam.ini: Password policy for the vault
• PARAgent.ini: PrivateArk Agent – remote & SNMP configuration (debugging levels on the vault without having to restart the vault)
• PACLI.ini can be used to perform quick vault-level functions without logging in to the PrivateArk client (Vault.ini must be configured to run it)

 
• PADR.ini : Data replication config | you can include the BackupPoolName parameter to avoid backup files conflicting

• Upload license on system safe


• ITALog => • PrivateArk client 》 System safe • Vault 》 ProgFiles>PrivateArk>ServerDirec

• Configured in the Master Policy: Exclusive Access for an account, Password Aging Rules, Exclusive Passwords, Dual Control, One Time Passwords
• Password expiration time - enabling of the connection through the PSM - The use of "One Time Passwords"