Defender PAM Sample Questions.docx, Exams of Nursing

Defender PAM Sample Questions.docx

Typology: Exams

2025/2026

Available from 03/29/2026

real-grades
real-grades 🇬🇧

5

(3)

11K documents

1 / 16

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Defender PAM Sample Questions
Which values are acceptable in the address field of an Account? - correct answer
Any name that is resolvable on the Central Policy Manager (CPM) server is
acceptable.
The Account Feed contains: - correct answer Accounts that
were discovered by CyberArk that have not yet been onboarded.
The password upload utility must run from the Central Policy Manager (CPM) server.
(T/F) - correct answer False
Accounts Discovery allows secure connections to domain controllers. (T/F) - correct
answer True
The password upload utility can be used to create Safes? (T/F) - correct answer
True
Which account onboarding method is considered proactive? - correct answer
A Rest API integration with account provisioning software.
When creating an onboarding rule, it will be executed upon _____? - correct answer
Any future accounts discovered by a discovery process
What are the functions of the Remote Control Agent Service (3)? - correct answer
1. Allows remote monitoring of the vault
2. Sends SNMP traps from the Vault
3. Allows CyberArk services to be managed (start/stop/status) remotely
The Vault administrator can change the Vault license by uploading the new License
to the system safe? (T/F) - correct answer True
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff

Partial preview of the text

Download Defender PAM Sample Questions.docx and more Exams Nursing in PDF only on Docsity!

Defender PAM Sample Questions

Which values are acceptable in the address field of an Account? - correct answer Any name that is resolvable on the Central Policy Manager (CPM) server is acceptable. The Account Feed contains: - correct answer Accounts that were discovered by CyberArk that have not yet been onboarded. The password upload utility must run from the Central Policy Manager (CPM) server. (T/F) - correct answer False Accounts Discovery allows secure connections to domain controllers. (T/F) - correct answer True The password upload utility can be used to create Safes? (T/F) - correct answer True Which account onboarding method is considered proactive? - correct answer A Rest API integration with account provisioning software. When creating an onboarding rule, it will be executed upon _____? - correct answer Any future accounts discovered by a discovery process What are the functions of the Remote Control Agent Service (3)? - correct answer

  1. Allows remote monitoring of the vault
  2. Sends SNMP traps from the Vault
  3. Allows CyberArk services to be managed (start/stop/status) remotely The Vault administrator can change the Vault license by uploading the new License to the system safe? (T/F) - correct answer True

CyberArk implements license limits by controlling the number and types of users that can be provisioned in the Vault? (T/F) - correct answer True PSM for Windows (previously known as RDP Proxy) supports connections to which target systems? - correct answer Windows, Unix, and Oracle PSH for SSH (previously known as PSM-SSH Proxy) supports connections to which of the following target systems? - correct answer Unix Within the Vault each password is encrypted by what? - correct answer Its own unique key Which utilities could a Vault admin use to change debugging levels on the Vault without having to restart the cault? - correct answer PAR Agent & PrivateArk Server Central Admin How does the vault admin apply a new license file? - correct answer Upload the license.xml file to the system safe Which keys are required to be present in order to start the PrivateArk Server service? - correct answer Recovery public key & Server key What is the purpose of the CyberArk Event Notification Engine service? - correct answer It sends email messages from the Vault What is the purpose of the PrivateArk Database service? - correct answer Maintains vault metadata What is the purpose of the PrivateArk Server service? - correct answer Makes vault data accessible to components What is best practice for storing the Master CD? - correct answer Store the CD in a secure location, such as a physical safe

Does the vault support Subnet Based Access Control? - correct answer Yes Assuming the Safe has been configured to be accessible during certain hours of the day, a Vault admin may still access that Safe outside those hours? (T/F) - correct answer False A Simple Mail Transfer Protocol (SMTP) integrating is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control? (T/F) - correct answer True What is the purpose of the password verify process? - correct answer To test that CyberArk is storing accurate credentials fr accounts What is the purpose of the password change process? - correct answer To change the passoword of an account according to organizationally defined password rules In order to grant a permission to a user, an admin MUST possess that permission? (T/F) - correct answer True A logon account can be specified in the platform settings? (T/F) - correct answer True What Master Policy settings must be active in order to have an account checked out by one user for a pre-determined amount of time? - correct answer Enforce check-in/check-out exclusive access and enforce one-time password access What combo of Safe member permissions will allow end users to log in to a remote machine transparently but NOT show or copy the password? - correct answer User, List Accounts CyberArk recommends implementing object level access control on all Safes? (T/F) - correct answer False

Which credentials does CyberArk use when managing a Target account? - correct answer The credentials of the Target account What is the purpose of the reconcile process? - correct answer Manage lost or unknown credentials What is the process to remove object level access control from a Safe? - correct answer This cannot be done Access control to passwords is implemented by? - correct answer Safe authorizations If a user is a member of more than one group that has authorizations on a Safe, by default that user is granted what? - correct answer The cumulative permissions of all the groups to which that user belongs Users who have the "Access Safe without confirmation" permission on a Safe where accounts are configured for Dual Control still need to request approval to use the account? (T/F) - correct answer False What is the purpose of a linked account? - correct answer To allow the use of additional passwords within a password management process A Vault admin have associated a logon account to one of their Unix root accounts in the Vault. When attempting to verify the root account's password the Central Policy Manager will do what? - correct answer login first with the logon, then run the SU command to login as root using the password in the Vault For an account attached to a platform that requires dual access based on a master policy exception, how would the vault admin configure a group of users to access a password without approval? - correct answer On the Safe in which the account is stored grant the group the "Access Safe without confirmation authorizations" What is the primary purpose of exclusive acounts? - correct answer Non-repudiation (individual accountability)

Time of day or day of week restrictions on when password reconciliations can occur are configured in the? - correct answer Platform settings A Safe was recently created by a user who is a member of the LDAP Vault Admin group. What user does NOT have access to the newly created Safe by default? (Master, Admin, Auditor, or Backup) - correct answer Admin According to the default web options sttings, which group grants access to the reports page? - correct answer PVWA Monitor What report could show all accounts that are past their expiration dates? - correct answer Privileged Account Compliance Stats report What report shows the accounts that are accessible to each user? - correct answer Entitlement report What type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event? - correct answer Password Change What type of automatic remediation can be performed by the PTA in case of a suspicious password change security event? - correct answer Password reconciliation Suspected Credential Theft and Unmanaged Privileged Access are included in the Core PAS offering? (T/F? - correct answer True PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, but only if the sessions made via the CyberArk PSM? (T/F) - correct answer True What PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller? - correct answer Over- Pass-The-Hash and Golden Ticket

What report is not generated by using the Password Vault Web Access (PVWA)? - correct answer Active/Non-Active Users What is the purpose of EVD - correct answer To extract vault metadata into a open source platform A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings. What is the issue? - correct answer Not a member of the Auditors group An auditor needs to login to the PSM in order to live monitor an active session. Which ID is used to establish the RDP connection to the PSM server? - correct answer PSM Admin Connect In order to connect to a target device through the PSM, the account credentials used for the connection must be stored in the Vault? (T/F)? - correct answer False, because the user can also enter credentials manually using Ad-Hoc Access VIA PVWA, a user initiates a PSM connection to the target Linux machine using Remote APP. When the client's machine makes an RDP connection to the PSM server, which user will be utilized? - correct answer PSM Conenct An auditor initiates a live monitoring session to PSM server to view an ongoing live session. When the auditor's machine makes an RDP connection tp the PSM server which user will be used? - correct answer PSM Admin Connect What built-in VAULT user is NOT automatically added to a Safe when it is created? - correct answer Admin Vault admin must manually add the Auditors group to newly created Safes so auditors' have sufficient access to run reports? (T/F) - correct answer False

start vault What is the command to restart the Event Notification Engine manually? - correct answer start ene What is the main function of the Server Central Administration tool - correct answer To view the italog.log file and stop/restart the vault. What is the function of the Event Notification Engine (ENE) and how do you start it from the vault server? - correct answer is essential for the Vault to send emails and alerts Restart by going into the Services tool on the Vault server and starting the service there What are the 3 steps for LDAP integration? - correct answer

  1. Create the connection to the LDAP server, which in our case is Active Directory.
  2. Create the directory mappings between the AD groups and the built-in CyberArk roles. What vault authorizations are automatically given to users mapped the role of Vault Admins - correct answer Everything but BACKUP ALL SAFES How do you reactivate a user who gets suspened? - correct answer In the Private Ark Client. Login, then click on tools, administrative tools, users and groups What needs to happen in order to use the master user? - correct answer The dparm.ini file must point to the location of the Recovery Private Key. How many safes appear when you log onto Private Ark as the master user? - correct answer 35 How many safes appear when you log onto Private Ark as admin? - correct answer 32

What setting in Platform management prompts the CPM to automatically verify the password whenever a new account assigned to the platform is added? - correct answer UI & Workflows--> AutoVerifyOnAdd Where do you create a safe and is this where you can add members to the safe? - correct answer Policies--> Access Control (Safes)--> Add Safe. Yes How do you add account from AD to CyberArk PAS? - correct answer Accounts View--> Add Account Is the user who creates a safe automatically given full permissions by default? (T/F)

  • correct answer True Dual control - requiring a manager to validate a request for access approval for certain accounts - is a 2-step process. What are the two steps? - correct answer
  1. You must activate the policy Require dual control password access approval, either globally or by exception for a certain Platform (which is the usual case and what we will do).
  2. Add an approver to a Safe, either a group or a user, with at least the List Accounts and Authorize account requests permissions. What does the Accounts Discovery Process require? - correct answer An account to login to the domain and scan the individual machines How do you enable the HTML5 Gateway? - correct answer ADMINISTRATION > Configuration Options > Options. Next, go to Privileged Session Management > Configured PSM Servers > PSMServer > Connection Details > PSM Gateway. The ability to toggle between RDP file and HTML5GW connections is defined at the Connection Component level? (T/F) - correct answer True

When the PTA detects a suspected credential theft event how does it respond? - correct answer rotates password When the PTA detects a suspicious password change t event how does it respond? - correct answer reconciliation What does WinRC=5 Aceess is denied CPM domain controller mean? - correct answer User is not authorized to change their own password Where is the Recovery Private Key stored? - correct answer Physical Safe Where is the Recovery Public Key stored? - correct answer HSM Where is the SSH Key stored? - correct answer Digital Vault What is SSH keys parameter file called - correct answer Key file When onboarding multiple accounts, what setting needs to be the same across all platforms? - correct answer Platforms How to check to see who has permissions over authorizing requests. Basically, how to check who is the approver. - correct answer checking the safe over which the account is located on and seeing who has "Approve Account Requests" permission Your organization has a policy that rotates passwords from 1-300 on SAT and SUN, however it only works inconsistently. Why is this? - correct answer headstart interval when a health check is mandatory for the PTA (hint: 3) - correct answer

  1. PSM service installed on windows 2012, 2016, 2019
  1. Web Server (IIS 8.5) role is installed
  2. A valid SSL certificate is installed on the Web Server You cannot fast forward or download a recorded session, why is this? - correct answer You have to adjust the bitrate of your video to 10,000 or less Maximum number of Vaults? - correct answer 6 What are the basic permissions a user would need in order to use the connect with an account through the PVWA? - correct answer - List accounts and Use Accounts "Add to Pending Accounts" permissions for the PTA to do this automatically: - correct answer - Add Accounts
  • Update Account Content
  • Update Account Properties Write the authentication chart - correct answer IIS: PKI (cert) Windows (password) RSA (token) Vault: LDAP (password) RADIUS (token CyberArk (password) an appropriate authentication method from a list of options, any combination of IIS
  • Vault authentication is an appropriate authentication method (T/F) - correct answer True

How does the PTA detect Suspected Credential Theft - correct answer The PTA compares the login time on the target machine w/ the last time the password was retrieved from the vault. How do you configure the PTA to detect when a risky command is used in a privileged session and to suspent automatically? - correct answer Go to security--> security configuration--> Privileged Session Analysis and Response