PAM-DEF CyberArk Exam Questions and Free Practice Test

Question 55

What is the purpose of the PrivateArk Server service?

A. Executes password changes

B. Maintains Vault metadata

C. Makes Vault data accessible to components

D. Sends email alerts from the Vault

Correct Answer:C
The purpose of the PrivateArk Server service is to make Vault data accessible to components, such as the PVWA, the CPM, the PSM, and the PTA, and handle the requests from the clients and components. The PrivateArk Server service is a Windows service that runs the Vault and communicates with the PrivateArk Database service, which maintains the Vault metadata. The PrivateArk Server service can start automatically or manually depending on the Server’s key configuration. The PrivateArk Server service can also be run in “console” mode for troubleshooting purposes1.
The other options are not the purpose of the PrivateArk Server service, although they may be related to other services or components of the Vault. The Central Policy Manager component is the component that executes password changes, verifications, and reconciliations for the accounts that are managed by the Vault. The Event Notification Engine service is the service that sends email alerts from the Vault, based on predefined events and recipients. The PrivateArk Client is a utility that allows the Vault administrator to access and manage the Vault data, users, groups, policies, and settings. References:
✑ Server Components - CyberArk, section “The PrivateArk Server process (Dbmain)”

Question 56

Target account platforms can be restricted to accounts that are stored m specific Safes using the Allowed Safes property.

A. TRUE

B. FALSE

Correct Answer:A
Target account platforms can be restricted to accounts that are stored in specific Safes using the Allowed Safes property. This property is a parameter that can be configured in the Platform Management settings for each platform. The Allowed Safes property specifies the name or names of the Safes where the platform can be applied. The default value is .*, which means that the platform can be used in any Safe. However, if you want to limit the platform to certain Safes, you can enter the name or names of the Safes, separated by a pipe (|) character. For example, if you want to restrict the platform to Safes called WindowsPasswords and LinuxPasswords, you can enter AllowedSafes=(WindowsPasswords)|(LinuxPasswords). This feature is useful for preventing unauthorized users from accessing passwords, especially if you implement the reconciliation functionality. It also helps the CPM to focus its search operations on specific Safes, instead of scanning all Safes it can see in the Vault1. References:
✑ 1: Limit Platforms to Specific Safes

Question 57

Which permissions are needed for the Active Directory user required by the Windows Discovery process?

A. Domain Admin

B. LDAP Admin

C. Read/Write

D. Read

Correct Answer:D
The Active Directory user required by the Windows Discovery process needs to have Read permissions in the OU to scan and all sub-OUs1. This allows the Discovery process to scan predefined machines for new and modified accounts and their dependencies without requiring elevated privileges such as Domain Admin or LDAP Admin rights. The Read permission is sufficient for the Discovery process to retrieve the necessary information about the accounts that should be onboarded into the Vault. References:
✑ CyberArk’s official documentation on managing discovery processes outlines the permissions required for the Discovery process, including the need for Read permissions for the Active Directory user performing the discovery1.
✑ Additional details on the required credentials for scanning and the Discovery process can be found in the supported target machines section of CyberArk’s documentation2.

Question 58

An auditor initiates a live monitoring session to PSM server to view an ongoing live session. When the auditor’s machine makes an RDP connection the PSM server, which user will be used?

A. PSMAdminConnect

B. Shadowuser

C. PSMConnect

D. Credentials stored in the Vault for the target machine

Correct Answer:A
According to the web search results, when an auditor initiates a live monitoring session to PSM server to view an ongoing live session, the auditor’s machine makes an RDP connection to the PSM server using the PSMAdminConnect user. The PSMAdminConnect user is a local or domain user that starts PSM sessions on the PSM machine for authorized users who want to monitor or terminate active sessions1. The PSMAdminConnect user has limited permissions and access rights on the PSM server, and its credentials are managed by the CPM. The PSMAdminConnect user retrieves the credentials of the target account from the vault and uses them to establish a secure connection to the target machine. The auditor can then view the live session through the PSM session, while the PSM server records and audits the session activity.

Question 59

A Reconcile Account can be specified in the Master Policy.

A. TRUE

B. FALSE

Correct Answer:B
A Reconcile Account is not specified in the Master Policy, but in the Platform settings. The Master Policy defines the general password management settings for all the accounts in the Vault, such as the frequency of password rotation and verification. The Platform settings define the specific password management settings for each type of target system, such as the password complexity and the Reconcile Account. References:
✑ Defender PAM course, Module 2: Password Management, Lesson 2: Master Policy and Platforms, slide 8
✑ Defender PAM course, Module 2: Password Management, Lesson 3: Reconcile and Logon Accounts, slide 2
✑ Defender PAM Sample Items Study Guide, Question 37
✑ CyberArk Privileged Access Security Documentation, Password Management - Master Policy
✑ CyberArk Privileged Access Security Documentation, Password Management - Platforms

Question 60

In PVWA, you are attempting to play a recording made of a session by user jsmith, but there is no option to “Fast Forward” within the video. It plays and only allows you to skip between commands instead. You are also unable to download the video.
What could be the cause?

A. Recording is of a PSM for SSH session.

B. The browser you are using is out of date and needs an update to be supported.

C. You do not have the “View Audit” permission on the safe where the account is stored.

D. You need to update the recorder settings in the platform to enable screen capture every 10000 ms or less.

Correct Answer:A
The inability to “Fast Forward” within a video recording in the PVWA and the restriction to only skip between commands suggests that the recording is of a PSM for SSH session. PSM for SSH sessions are typically recorded as text-based logs that capture command-level activities, which allows for skipping between commands but not fast- forwarding through a video timeline. Additionally, the lack of an option to download the video is consistent with the behavior of text-based session recordings, which do not provide a video file for download1.
References:
✑ CyberArk’s official documentation on Recorded Sessions, which explains the playback functionalities and limitations of different types of session recordings1.
✑ Information on configuring video and text recordings in PSM, which details how recordings are managed and the options available for different session types2.

START PAM-DEF EXAM