Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

CyberArk PAM-CDE-RECERT CyberArk CDE Recertification Exam Practice Test

Page: 1 / 22
Total 221 questions

CyberArk CDE Recertification Questions and Answers

Question 1

Which user is automatically added to all Safes and cannot be removed?

Options:

A.

Auditor

B.

Administrator

C.

Master

D.

Operator

Question 2

Which type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event?

Options:

A.

Password change

B.

Password reconciliation

C.

Session suspension

D.

Session termination

Question 3

Which of the following Privileged Session Management solutions provide a detailed audit log of session activities?

Options:

A.

PSM (i.e., launching connections by clicking on the "Connect" button in the PVWA)

B.

PSM for Windows (previously known as RDP Proxy)

C.

PSM for SSH (previously known as PSM SSH Proxy)

D.

All of the above

Question 4

Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

Options:

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording.

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA.

Question 5

You are installing multiple PVWAs behind a load balancer. Which statement is correct?

Options:

A.

Port 1858 must be opened between the load balancer and the PVWAs

B.

The load balancer must be configured in DNS round robin.

C.

The load balancer must support "sticky sessions".

D.

The LoadBalancerClientAddressHeader parameter in the PVwA.ini file must be set.

Question 6

Select the best practice for storing the Master CD.

Options:

A.

Copy the files to the Vault server and discard the CD

B.

Copy the contents of the CD to a Hardware Security Module (HSM) and discard the CD

C.

Store the CD in a secure location, such as a physical safe

D.

Store the CD in a secure location, such as a physical safe, and copy the contents of the CD to a folder secured with NTFS permissions on the Vault

Question 7

Which service should NOT be running on the DR Vault when the primary Production Vault is up?

Options:

A.

PrivateArk Database

B.

PrivateArk Server

C.

CyberArk Vault Disaster Recovery (DR) service

D.

CyberArk Logical Container

Question 8

A customer is deploying PVWAs in the Amazon Web Services Public Cloud. Which load balancing option does CyberArk recommend?

Options:

A.

Network Load Balancer

B.

Classic Load Balancer

C.

HTTPS load balancer

D.

Public standard load balancer

Question 9

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online.

Options:

A.

True; this is the default behavior

B.

False; this is not possible

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

True, if the AllowFailback setting is set to “yes” in the dbparm.ini file

Question 10

A Reconcile Account can be specified in the Master Policy.

Options:

A.

TRUE

B.

FALSE

Question 11

You have been asked to turn off the time access restrictions for a safe.

Where is this setting found?

Options:

A.

PrivateArk

B.

RestAPI

C.

Password Vault Web Access (PVWA)

D.

Vault

Question 12

What is the primary purpose of Dual Control?

Options:

A.

Reduced risk of credential theft

B.

More frequent password changes

C.

Non-repudiation (individual accountability)

D.

To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization.

Question 13

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)

Options:

A.

The PSM software must be instated on the target server

B.

PSM must be enabled in the Master Policy (either directly, or through exception)

C.

PSMConnect must be added as a local user on the target server

D.

RDP must be enabled on the target server

Question 14

You have been asked to limit a platform called "Wmdows_Servers" to safes called "WindowsDCT and "WindowsDC2" The platform must not be assigned to any other safe What is the correct way to accomplish this?

Options:

A.

Edit the "Wmdows_Servers" platform, expand "Automatic Password Management", then select General and modify "AllowedSafes" to be (WindowsDC1)|(WindowsDC2).

B.

Edit the "Windows_Servers" platform, expand "Automatic Password Management", then select Options and modify "AllowedSafes" to be (Win")

C.

Edit the "WindowsDCI" and "WindowsDC2" safes through Safe Management. Add "Wmdows_Servers" to the "AliowedPlatforms".

D.

Log in to PnvateArk using an Administrative user, Select File Server File Categories. Locate the category "WindowsServersAllowedSafes" and specify "WindowsDC! WindowsDC2"

Question 15

In the screenshot displayed, you just configured the usage in CyberArk and want to update its password.

What is the least intrusive way to accomplish this?

Question # 15

Options:

A.

Use the “change” button on the usage’s details page.

B.

Use the “change” button on the parent account’s details page.

C.

Use the “sync” button on the usage’s details page.

D.

Use the “reconcile” button on the parent account’s details page.

Question 16

In the Private Ark client, how do you add an LDAP group to a CyberArk group?

Options:

A.

Select Update on the CyberArk group, and then click Add > LDAP Group

B.

Select Update on the LDAP Group, and then click Add > LDAP Group

C.

Select Member Of on the CyberArk group, and then click Add > LDAP Group

D.

Select Member Of on the LDAP group, and then click Add > LDAP Group

Question 17

Which PTA sensors are required to detect suspected credential theft?

Options:

A.

Logs, Vault Logs

B.

Logs, Network Sensor, Vault Logs

C.

Logs, PSM Logs, CPM Logs

D.

Logs, Network Sensor, EPM

Question 18

An auditor initiates a live monitoring session to PSM server to view an ongoing live session. When the auditor’s machine makes an RDP connection the PSM server, which user will be used?

Options:

A.

PSMAdminConnect

B.

Shadowuser

C.

PSMConnect

D.

Credentials stored in the Vault for the target machine

Question 19

You are configuring the vault to send syslog audit data to your organization's SIEM solution. What is a valid value for the SyslogServerProtocol parameter in DBPARM.ini file?

Options:

A.

TLS

B.

SSH

C.

SMTP

D.

SNMP

Question 20

A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.

What is the issue?

Options:

A.

The user must login as PSMAdminConnect

B.

The PSM service is not running

C.

The user is not a member of the PVWAMonitor group

D.

The user is not a member of the Auditors group

Question 21

A Vault administrator have associated a logon account to one of their Unix root accounts in the vault. When attempting to verify the root account’s password the Central Policy Manager (CPM) will:

Options:

A.

ignore the logon account and attempt to log in as root

B.

prompt the end user with a dialog box asking for the login account to use

C.

log in first with the logon account, then run the SU command to log in as root using the password in the Vault

D.

none of these

Question 22

What is the purpose of the PrivateArk Server service?

Options:

A.

Executes password changes

B.

Maintains Vault metadata

C.

Makes Vault data accessible to components

D.

Sends email alerts from the Vault

Question 23

Which of the following PTA detections are included in the Core PAS offering?

Options:

A.

Suspected Credential Theft

B.

Over-Pass-The Hash

C.

Golden Ticket

D.

Unmanaged Privileged Access

Question 24

Your customer has five main data centers with one PVWA in each center under different URLs. How can you make this setup fault tolerant?

Options:

A.

This setup is already fault tolerant

B.

Install more PVWAs in each data center

C.

Continuously monitor PVWA status and send users the link to another PVWA if issues are encountered

D.

Load balance all PVWAs under same urL

Question 25

When a DR Vault Server becomes an active vault, it will automatically revert back to DR mode once the Primary Vault comes back online.

Options:

A.

True; this is the default behavior

B.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the dbparm.ini file

Question 26

You received a notification from one of your CyberArk auditors that they are missing Vault level audit permissions. You confirmed that all auditors are missing the Audit Users Vault permission.

Where do you update this permission for all auditors?

Options:

A.

Private Ark Client > Tools > Administrative Tools > Directory Mapping > Vault Authorizations

B.

Private Ark Client > Tools > Administrative Tools > Users and Groups > Auditors > Authorizations tab

C.

PVWA User Provisioning > LDAP integration > Vault Auditors Mapping > Vault Authorizations

D.

PVWA> Administration > Configuration Options > LDAP integration > Vault Auditors Mapping > Vault Authorizations

Question 27

The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys.

How are these keys managed?

Options:

A.

CyberArk stores Private keys in the Vault and updates Public keys on target systems.

B.

CyberArk stores Public keys in the Vault and updates Private keys on target systems.

C.

CyberArk does not store Public or Private keys and instead uses a reconcile account to create keys on demand.

D.

CyberArk stores both Private and Public keys and can update target systems with either key.

Question 28

Which of the following properties are mandatory when adding accounts from a file? (Choose three.)

Options:

A.

Safe Name

B.

Platform ID

C.

All required properties specified in the Platform

D.

Username

E.

Address

F.

Hostname

Question 29

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account.

How should this be configured to allow for password management using least privilege?

Options:

A.

Configure each CPM to use the correct logon account.

B.

Configure each CPM to use the correct reconcile account.

C.

Configure the UNIX platform to use the correct logon account.

D.

Configure the UNIX platform to use the correct reconcile account.

Question 30

According to the DEFAULT Web Options settings, which group grants access to the REPORTS page?

Options:

A.

PVWAUsers

B.

Vault Admins

C.

Auditors

D.

PVWAMonitor

Question 31

As vault Admin you have been asked to configure LDAP authentication for your organization's CyberArk users. Which permissions do you need to complete this task?

Options:

A.

Audit Users and Add Network Areas

B.

Audit Users and Manage Directory Mapping

C.

Audit Users and Add/Update Users

D.

Audit Users and Activate Users

Question 32

CyberArk implements license limits by controlling the number and types of users that can be provisioned in the vault.

Options:

A.

TRUE

B.

FALSE

Question 33

Users who have the 'Access Safe without confirmation' safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.

Options:

A.

TRUE

B.

FALSE

Question 34

Which permissions are needed for the Active Directory user required by the Windows Discovery process?

Options:

A.

Domain Admin

B.

LDAP Admin

C.

Read/Write

D.

Read

Question 35

To use PSM connections while in the PVWA, what are the minimum safe permissions a user or group will need?

Options:

A.

List Accounts, Use Accounts

B.

List Accounts, Use Accounts, Retrieve Accounts

C.

Use Accounts

D.

List Accounts, Use Accounts, Retrieve Accounts, Access Safe without confirmation

Question 36

In your organization the “click to connect” button is not active by default.

How can this feature be activated?

Options:

A.

Policies > Master Policy > Allow EPV transparent connections > Inactive

B.

Policies > Master Policy > Session Management > Require privileged session monitoring and isolation > Add Exception

C.

Policies > Master Policy > Allow EPV transparent connections > Active

D.

Policies > Master Policy > Password Management

Question 37

Match each permission to where it can be found.

Question # 37

Options:

Question 38

Which usage can be added as a service account platform?

Options:

A.

Kerberos Tokens

B.

IIS Application Pools

C.

PowerShell Libraries

D.

Loosely Connected Devices

Question 39

Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.

Options:

A.

TRUE

B.

FALSE

Question 40

The Password upload utility can be used to create safes.

Options:

A.

TRUE

B.

FALS

Question 41

It is possible to restrict the time of day, or day of week that a [b]verify[/b] process can occur

Options:

A.

TRUE

B.

FALSE

Question 42

When on-boarding account using Accounts Feed, Which of the following is true?

Options:

A.

You must specify an existing Safe where are account will be stored when it is on boarded to the Vault

B.

You can specify the name of a new sale that will be created where the account will be stored when it is on-boarded to the Vault.

C.

You can specify the name of a new Platform that will be created and associated with the account

D.

Any account that is on boarded can be automatically reconciled regardless of the platform it is associated with.

Question 43

When a group is granted the 'Authorize Account Requests' permission on a safe Dual Control requests must be approved by

Options:

A.

Any one person from that group

B.

Every person from that group

C.

The number of persons specified by the Master Policy

D.

That access cannot be granted to groups

Question 44

What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?

Options:

A.

UnixPrompts.ini

B.

plink.exe

C.

dbparm.ini

D.

PVConfig.xml

Question 45

You are helping a customer prepare a Windows server for PSM installation. What is required for a successful installation?

Options:

A.

Window 2012 KB4558843

B.

Remote Desktop services (RDS) Session Host Roles

C.

Windows 2016 KB4558843

D.

Remote Desktop services (RDS) Session Broker

Question 46

In a rule using “Privileged Session Analysis and Response” in PTA, which session options are available to configure as responses to activities?

Options:

A.

Suspend, Terminate, None

B.

Suspend, Terminate, Lock Account

C.

Pause, Terminate, None

D.

Suspend, Terminate

Question 47

Which user(s) can access all passwords in the Vault?

Options:

A.

Administrator

B.

Any member of Vault administrators

C.

Any member of auditors

D.

Master

Question 48

A customer is moving from an on-premises to a public cloud deployment. What is the best and most cost-effective option to secure the server key?

Options:

A.

Install the Vault in the cloud the same way that you would in an on-premises environment Place the server key in a password protected folder on the operating system

B.

Install the Vault in the cloud the same way that you would in an on-premises environment Purchase a Hardware Security Module to secure the server key

C.

Install the Vault using the Amazon Machine Images and secure the server key using native cloud Key Management Systems

D.

Install the Vault using the Amazon Machine Images and secure the server key with a Hardware Security Module

Question 49

Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller?

Options:

A.

Suspected credential theft

B.

Over-Pass-The-Hash

C.

Golden Ticket

D.

Unmanaged privileged access

Question 50

Which option in the PrivateArk client is used to update users' Vault group memberships?

Options:

A.

Update > General tab

B.

Update > Authorizations tab

C.

Update > Member Of tab

D.

Update > Group tab

Question 51

If a user is a member of more than one group that has authorizations on a safe, by default that user is granted________.

Options:

A.

the vault will not allow this situation to occur.

B.

only those permissions that exist on the group added to the safe first.

C.

only those permissions that exist in all groups to which the user belongs.

D.

the cumulative permissions of all groups to which that user belongs.

Question 52

What is the purpose of a linked account?

Options:

A.

To ensure that a particular collection of accounts all have the same password.

B.

To ensure a particular set of accounts all change at the same time.

C.

To connect the CPNI to a target system.

D.

To allow more than one account to work together as part of a password management process.

Question 53

A new domain controller has been added to your domain. You need to ensure the CyberArk infrastructure can use the new domain controller for authentication.

Which locations must you update?

Options:

A.

on the Vault server in Windows\System32\Etc\Hosts and in the PVWA Application under Administration > LDAP Integration > Directories > Hosts

B.

on the Vault server in Windows\System32\Etc\Hosts and on the PVWA server in Windows\System32\Etc\Hosts

C.

in the Private Ark client under Tools > Administrative Tools > Directory Mapping

D.

on the Vault server in the certificate store and on the PVWA server in the certificate store

Question 54

Which report provides a list of account stored in the vault.

Options:

A.

Privileged Accounts Inventory

B.

Privileged Accounts Compliance Status

C.

Entitlement Report

D.

Active Log

Question 55

Which components can connect to a satellite Vault in distributed Vault architecture?

Options:

A.

CPM, EPM, PTA

B.

PVWA, PSM

C.

CPM,PVWA, PSM

D.

CPM, PSM

Question 56

Secure Connect provides the following. Choose all that apply.

Options:

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA

Question 57

Which CyberArk group does a user need to be part of to view recordings or live monitor sessions?

Options:

A.

Auditors

B.

Vault Admin

C.

DR Users

D.

Operators

Question 58

You are creating a new Rest API user that utilizes CyberArk Authentication.

What is a correct process to provision this user?

Options:

A.

Private Ark Client > Tools > Administrative Tools > Users and Groups > New > User

B.

Private Ark Client > Tools > Administrative Tools > Directory Mapping > Add

C.

PVWA > User Provisioning > LDAP Integration > Add Mapping

D.

PVWA > User Provisioning > Users and Groups > New > User

Question 59

Your organization has a requirement to allow users to “check out passwords” and connect to targets with the same account through the PSM.

What needs to be configured in the Master policy to ensure this will happen?

Options:

A.

Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active

B.

Enforce check-in/check-out exclusive access = inactive; Require privileged session monitoring and isolation = inactive

C.

Enforce check-in/check-out exclusive access = inactive; Record and save session activity = active

D.

Enforce check-in/check-out exclusive access = active; Record and save session activity = inactive

Question 60

Within the Vault each password is encrypted by:

Options:

A.

the server key

B.

the recovery public key

C.

the recovery private key

D.

its own unique key

Question 61

Which option in the Private Ark client is used to update users’ Vault group memberships?

Options:

A.

Update > General tab

B.

Update > Authorizations tab

C.

Update > Member Of tab

D.

Update > Group tab

Question 62

When Dual Control is enabled a user must first submit a request in the Password Vault Web Access (PVWA) and receive approval before being able to launch a secure connection via PSM for Windows (previously known as RDP Proxy).

Options:

A.

True

B.

False, a user can submit the request after the connection has already been initiated via the PSM for Windows

Question 63

Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed.

Options:

A.

HeadStartInterval

B.

Interval

C.

ImmediateInterval

D.

The CPM does not change the password under this circumstance

Question 64

PSM captures a record of each command that was executed in Unix.

Options:

A.

TRIE

B.

FALSE

Question 65

Which built-in report from the reports page in PVWA displays the number of days until a password is due to expire?

Options:

A.

Privileged Accounts Inventory

B.

Privileged Accounts Compliance Status

C.

Activity Log

D.

Privileged Accounts CPM Status

Question 66

CyberArk user Neil is trying to connect to the Target Linux server 192.168.1.64 using a domain account ACME/linuxuser01 on Domain Acme.corp using PSM for SSH server 192.168.65.145. What is the correct syntax?

Options:

A.

Ssh neil@linuxuser01:acme.corp@192.168.1.64@192.168.1.45

B.

Ssh neil@linuxuser01#acme.corp@192.168.1.64@192.168.1.45

C.

Ssh neil@linuxuser01@192.168.1.64@192.168.65.145

D.

Ssh neil@linuxuser01@acme.corp@192.168.1.64@192.168.1.45

Page: 1 / 22
Total 221 questions