CyberArk CAU201 Defender Exam Prep Exam with complete solutions

Document Content and Description Below

Can the "Connect" button be used to initiate a SSH connection, as root, to a Unix system when SSH access for root is denied? - ANSWER Yes, only if a logon account is associated with the root account a... nd the user connects through the PSM-SSH connecting component. The password upload utility must be run from the CPM server. - ANSWER False When managing SSH keys, the CPM stores the Public Key. . . - ANSWER on the target server Which Master Policy Setting must be active in order to have an account checked-out by one user for a pre-determined amount of time? - ANSWER Enforce check-in/check-out and exclusive access Vault admins must manually add the auditors groups to newly created safes so auditors will have sufficient access to run reports. - ANSWER False You have associated a logon account to one of your Unix accounts in the Vault. When attempting to change the root account's password, the CPM will. . . - ANSWER Login to the system as the logon account, run the SU command to login as root, and then change the root's password. What is the primary purpose of One Time passwords? - ANSWER Reduced risk of credential theft. Accounts Discovery allows secure connections to domain controllers. - ANSWER False ___________________ is NOT true when enabling PSM recording for a target WIndows Server. . . - ANSWER - The PSM software must be installed on the target server. - PSMConnect must be added as a local user on the target server According to DEFAULT Web Options settings, which group grants access to the REPORTS page? - ANSWER Auditors Time of day/day of week restrictions on when password verifications an occur are configured in. . . - ANSWER Platform settings As long as you are a member of the Vault Admins group, you can grant any permissions to any safe that you have access to. - ANSWER False: being in the Vault Admins group will only give you access to safes that are created during installation. PSM for Windows (previously known as RDP Proxy) supports connections to which target systems? - ANSWER Windows A logon account can be specified in the Master Policy. - ANSWER False A user with administrative privileges to the Vault can only grant other users privileges that they have been granted. - ANSWER False The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability). - ANSWER True All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for SOME of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the SHOW, COPY, and CONNECT buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the SHOW, COPY, and CONNECT buttons on those passwords on an emergency basis - but only with the approval of a member of Operations Managers. The members of the AD group Operations Managers never need to be able to use the SHOW, COPY, or CONNECT buttons. Which safe permissions need to be granted to Operations Staff? - ANSWER - Use Accounts - List accounts - Retrieve Accounts When managing SSH keys, the CPM stores the Private Key. . . - ANSWER In the Vault Platform settings are applied to. . . - ANSWER Individual accounts What files must be created/configured in order to run the Password Upload Utility? - ANSWER - Vault.ini - Conf.ini - A comma delimited upload file What report cannot be generated in the PVWA? - ANSWER Safes list Users who are granted the "Access safe without confirmation" permission on a safe where accounts are configured for Dual Control still need to request approval to use accounts in that safe. - ANSWER False Which CyberArk components or products can be used to discover Windows Services or Scheduled Tasks that use privileges accounts? - ANSWER - Discovery and Audit (DNA) - Auto Detection (AD) - Accounts Discovery A reconcile account can be specified in the Master Policy. - ANSWER False The Vault does not support Role Based Access Control (RBAC). - ANSWER False What is the primary purpose of Dual Control? - ANSWER To force a "collusion of commit" fraud ensuring no single actor may use a password without authorization. Which parameter controls how often the CPM looks for soon-to-be-expired passwords that need to be changed? - ANSWER ImmediateInterval Ad-hoc Access (formerly SecureConnect) provides which features? - ANSWER - PSM connections to target devices that are not managed by CyberArk - Session Recording - Real-time live session monitoring What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled in the Master Policy? - ANSWER MinValidityPeriod If a password is changed manually on a server, bypassing the CPM, how would you configure the account so the CPM can resume account management automatically? - ANSWER Associate a reconcile account and configure the platform to reconcile automatically. By DEFAULT, members of which built-in groups will be able to view and configure Automatic Remediation and Session Analysis and Response in the PVWA? - ANSWER Security Admins CyberArk implements license limits by controlling the number and types of users that can be provisioned in the Vault. - ANSWER True For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configured a group of users to access a password without approval? - ANSWER Grant the group "Access safe without confirmation" permission on the safe where the account is stored. In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems. What is the best way to allow CPM to manage root accounts? - ANSWER - Create a non-privileged account on the target server. - Allow this account the ability to SSH directly from the CPM machine. - Configure this account as the logon account of the target server's root account. The password upload utility can be used to create safes. - ANSWER True What is the purpose of the HeadStartInterval parameter in a platform? - ANSWER It instructs the CPM to initiate the password change process a certain amount of days before expiration. As long as you are a member of the Vault Admins group, you can grant any permissions on any safe. - ANSWER False What is the maximum number of levels of authorization you can set up in Dual Control? - ANSWER Two When a group is granted the "Authorize Account Requests" permission on a safe Dual Control requests must be approved by. . . - ANSWER The number of persons specified in the Master Policy. Which can be configured in Master Policy? - ANSWER - Dual Control - One Time Passwords - Exclusive Passwords - Password Aging Rules Which onboarding method should be used to integrate CyberArk with another account provisioning process? - ANSWER Auto Detection What is the purpose of the ImmediateInterval setting in a CPM policy? - ANSWER To control how often the CPM looks for USER initiated work. When onboarding accounts using the Accounts Feed, what is true? - ANSWER You can specify the name of a new safe that will be created to store the account when its onboarded to the Vault. Which parameter controls how often the CPM looks for accounts that need to be changed from recently completed Dual Control requests? - ANSWER Interval Which utilities can be used to change debugging level on the Vault without having to restart the Vault server? - ANSWER - PAR Agent - PrivateArk Server Central Administration For a safe with Object Level Access enabled you can turn off Object Level Access Control when it's no longer needed on that safe. - ANSWER False Vault authorizations may be granted to. . . - ANSWER - Vault Users - LDAP Users What log is generated by the PVWA? - ANSWER CyberArk.WebApplication.log What log is generated by the CPM? - ANSWER pm.log What log is generated by the Vault? - ANSWER ITA.log What log is generated by the PTA? - ANSWER diamond.log In order to connect to a target device through PSM, the account credentials used for the connection have to be stored in the Vault? - ANSWER False - because the user can also enter credentials manually using Secure Connect. It is possible to control the hours of the day that a user can login to the Vault. - ANSWER True Which report provides a list of accounts stored in the Vault? - ANSWER Privileged Accounts Inventory The Vault supports Subnet Based Access Control. - ANSWER True Safe authorizations may be granted to. . . - ANSWER - Vault users - Vault groups - LDAP users - LDAP groups If a user is a member of more than one group that has authorizations on a safe, by DEFAULT that user is granted. . . - ANSWER the cumulative permissions on all groups to which that user belongs. What is the purpose of the Interval setting in a CPM policy? - ANSWER To control how often the CPM looks for SYSTEM initiated CPM work. Assuming a safe has been configured to be accessible during certain hours of the day, Vault Admins may still access that safe outside of those hours. - ANSWER False Which PTA detection is included in the Core PAS offering? - ANSWER Unmanaged Privileged Access It is possible to leverage DNA to provide discovery functions that are not available with Auto Detection. - ANSWER True Which Privileged Session Management solution provides a detailed audit log of session activities? - ANSWER PSM (i.e., launching connections by clicking "Connect" in the PVWA) What is the purpose of a linked account? - ANSWER To allow more than one account to work together as a part of a password management process. Target account platforms can be restricted to accounts that are stored in specific safes using the AllowedSafes property. - ANSWER True It is possible to restrict the time of the day/day of the week that a reconcile process can occur. - ANSWER True What option is not set in the Master Policy? - ANSWER Password Complexity By DEFAULT, members of what built-in group is able to view and configure Automatic Remediation, Session Analysis, and Response in the PVWA? - ANSWER Security Admins PSM captures a record of each command that's executed in UNIX. - ANSWER True It's possible to restrict the time of day/day of the week that a verify process can occur. - ANSWER True Users can be restricted to using certain CyberArk interfaces (i.e., PVWA or PACLI). - ANSWER True The Accounts Feed contains. . . - ANSWER Accounts that were discovered by CyberArk in the last 30 days. The System safe allows access to the Vault configuration files. - ANSWER True Using the SSH Key Manager, it is possible to allow CPM to manage SSH Keys similarly to passwords. - ANSWER True Which built-in group grants access to the Administration page? - ANSWER Vault Admins Reports can be scheduled to run on a periodic basis. - ANSWER True Which user is automatically given all safe authorizations on all safes? - ANSWER Master What conditions must be met in order to log into the Vault as the Master user? - ANSWER - Logon must be originated from the console of the Vault server or an EmergencyStation defined in DBParm.ini - User must provide the correct master password - Logon requires the Recovery Private Key to be accessible to the Vault The Application Inventory report is related to AIM. - ANSWER True What is the purpose of the AllowedSafes parameter in a CPM policy? - ANSWER - To improve performance by reducing CPM workload - To prevent accidental use of a policy in the wrong safe When managing SSH keys, the CPM automatically pushes the Private Key to all systems that use it. - ANSWER False Exceptions to the Master Policy can be created based on. . . - ANSWER Platforms When managing SSH keys, the CPM automatically pushes the Public Key to the target system. - ANSWER True Auto-detection can be configured to leverage LDAP/S - ANSWER True It is possible to disable the SHOW and COPY buttons without removing the Retrieve permission on a safe. - ANSWER True It is impossible to override Master Policy settings for a platform. - ANSWER False Which report could show all audit data in the Vault? - ANSWER Activity log All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for SOME of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the SHOW, COPY, and CONNECT buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the SHOW, COPY, and CONNECT buttons on those passwords on an emergency basis - but only with the approval of a member of Operations Managers. The members of the AD group Operations Managers never need to be able to use the SHOW, COPY, or CONNECT buttons. Which safe permissions need to be granted to UnixAdmins? - ANSWER - Use accounts - List accounts - Access safe without authorization - Retrieve accounts One time passwords reduce the risk of Pass the Hash vulnerabilities in Windows. - ANSWER True PSM captures a record of each command that is issued in SQL Plus. - ANSWER True Which report provides a list of accounts stored in the Vault? - ANSWER Privileged Accounts Inventory In Accounts Discovery, you can configured a Windows Discovery to scan. . . - ANSWER only on OU [Show More]

Last updated: 1 year ago

Preview 1 out of 9 pages