CyberArk PAM-DEF Exam Practice Test Instant Access

Question 1

Which statement about the Master Policy best describes the differences between one-time password and exclusive access functionality?

AExclusive access means that only a specific group of users may use the account. After an account on a one-time password platform is used, the account is deleted from the safe automatically.

BExclusive access locks the account indefinitely. One-time password can be used replace invalid account passwords.

CExclusive access is enabled by default in the Master Policy. One-time password should only be enabled for emergencies.

DExclusive access allows only one person to check-out an account at a time. One-time password schedules an account for a password change after the MinValidityPeriod period expires.

Answer : D

The Master Policy in CyberArk defines the behavior of one-time passwords and exclusive accessExclusive accessensures that only one user can check out an account at any given time, effectively locking the account during its use to prevent simultaneous access1. On the other hand,one-time passwordfunctionality is designed to change the account's password after it is used, based on a timer set by theMinValidityPeriodparameter in the policy file.This means that once the password is checked out and the timer expires, the Central Policy Manager (CPM) will change the password2. These settings are often used together to maintain accountability and security for the usage of shared privileged accounts.Reference:

CyberArk Docs: One-time passwords and exclusive accounts1

CyberArk Knowledge Article: CPM: What is the difference between ''One Time'' and ''Exclusive'' passwords?2

Question 2

What is required to enable access over SSH to a Unix account through both PSM and PSMP?

AThe platform must contain connection components for PSM-SSH and PSMP-SSH.

BPSM and PSMP must already have stored the SSH Fingerprint for the Unix host.

CThe 'Enable PSMP' setting in the Unix platform must be set to Yes.

DA duplicate platform (Called) with the PSMP settings must be created.

Answer : A

To enable access over SSH to a Unix account through both Privileged Session Manager (PSM) and Privileged Session Manager Proxy (PSMP), the platform must contain the necessary connection components for both PSM-SSH and PSMP-SSH.This ensures that the system can handle SSH connections through PSM for a native user experience and through PSMP for secure, transparent connections to remote systems12.Reference:

CyberArk Docs: Connect through PSM for SSH1

CyberArk Docs: Connect to Unix machines (using PSM for SSH)2

Question 3

When should vault keys be rotated?

Awhen it is copied to file systems outside the vault

Bannually

Cwhenever a CyberArk user leaves the organization

Dwhen migrating to a new data center

Answer : D

Vault keys should be rotated when there is a significant event that could potentially compromise the security of the keys, such as when migrating to a new data center. This is because the keys may be exposed to new environments and systems, and rotating them ensures that any potential exposure does not result in a security breach.Additionally, periodic rotation of encryption keys is recommended to maintain the integrity of the encryption and to adhere to best practices for security1.Reference:

CyberArk Docs: Credentials Rotation Policy2

HashiCorp Developer: Key Rotation

Question 4

Which file must be edited on the Vault to configure it to send data to PTA?

Adbparm.ini

BPARAgent.ini

Cmy.ini

Dpadr.ini

Answer : A

To configure the CyberArk Vault to send data to Privileged Threat Analytics (PTA), you must edit thedbparm.inifile on the Vault.This file contains parameters that specify how the Vault should forward syslog events to PTA, ensuring that the Vault can send secured syslog data to PTA for analysis and threat detection1.Reference:

CyberArk Docs: Configure Vault Trusted Connection to PTA2

Netenrich: CyberArk Vault via Syslog1

Question 5

According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.)

Anetwork instabilities/outages

Bvault license expiry

Ccredential de-sync

Dbrowser compatibility issues

Einstalled location file corruption

Answer : A, C

The System Health Dashboard in CyberArk provides a visual representation of the health status of different CyberArk components. When components are displayed as disconnected, the most common issues are network instabilities/outages and credential de-sync.Network issues can disrupt the connectivity between components and the Vault, while credential de-sync indicates that a component is no longer able to authenticate to the Vault due to synchronization problems with the credentials12.Reference:

CyberArk Docs: Monitor system health1

CyberArk Docs: System Health Dashboard details

Question 6

Which dependent accounts does the CPM support out-of-the-box? (Choose three.)

ASolaris Configuration file

BWindows Services

CWindows Scheduled

DWindows DCOM Applications

EWindows Registry

FKey Tab file

Answer : B, C, E

Dependent accounts are accounts that represent resources such as Windows Services, Windows Scheduled Tasks, and others, which are accessed from a target machine and require the same credentials as the target machine. The CyberArk Privileged Account Security Solution's Central Policy Manager (CPM) supports out-of-the-box dependent accounts for Windows Services, Windows Scheduled Tasks, and Windows Registry. When changing a password, the CPM synchronizes the target account password with all other occurrences of that password in any related dependent accounts.This ensures that all dependent accounts are updated simultaneously to maintain security and functionality12.Reference:

CyberArk Docs: Manage dependent accounts1

CyberArk Docs: Supported dependent accounts

Question 7

A password compliance audit found:

1) One-time password access of 20 domain accounts that are members of Domain Admins group in Active Directory are not being enforced.

2) All the sessions of connecting to domain controllers are not being recorded by CyberArk PSM.

What should you do to address these findings?

AEdit the Master Policy and add two policy exceptions: enable 'Enforce one-time password access', enable 'Record and save session activity'.

BEdit safe properties and add two policy exceptions: enable 'Enforce one-time password access', enable 'Record and save session activity'.

CEdit CPM Settings and add two policy exceptions: enable 'Enforce one-time password access', enable 'Record and save session activity'.

DContact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable 'Enforce one-time password access', enable 'Record and save session activity'.

Answer : A

To address the findings of the password compliance audit, you should edit theMaster Policyin CyberArk Privileged Access Manager. The Master Policy is where you can enforce one-time password access and record session activity.One-time password access ensures that each password is used only once and then changed, which is a security measure to prevent unauthorized reuse of passwords1.Recording session activity is a feature of the Privileged Session Manager (PSM) that allows all activities during a session to be recorded for auditing purposes2. By enabling these settings in the Master Policy, you ensure that the domain accounts have one-time password access enforced and that all sessions connecting to domain controllers are recorded by CyberArk PSM.Reference:

CyberArk Docs: One-time passwords and exclusive accounts1

CyberArk PAM-DEF CyberArk Defender - PAM Exam Practice Test