PAM-DEF CyberArk Exam Questions and Free Practice Test

Question 49

Which statement is correct concerning accounts that are discovered, but cannot be added to the Vault by an automated onboarding rule?

A. They are added to the Pending Accounts list and can be reviewed and manually uploaded.

B. They cannot be onboarded to the Password Vault.

C. They must be uploaded using third party tools.

D. They are not part of the Discovery Process.

Correct Answer:A
When accounts are discovered by CyberArk but do not match any automated onboarding rule, they are added to the Pending Accounts list. This allows administrators to review these accounts and decide whether to onboard them manually into the Vault. The Pending Accounts list serves as a holding area for accounts that require further review or do not meet the criteria set by existing onboarding rules1.
References:
✑ CyberArk’s official documentation on Onboarding Rules, which explains the process of managing accounts that are discovered but not automatically onboarded1.

Question 50

Which processes reduce the risk of credential theft? (Choose two.)

A. require dual control password access approval

B. require password change every X days

C. enforce check-in/check-out exclusive access

D. enforce one-time password access

Correct Answer:BD

Question 51

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account.
How should this be configured to allow for password management using least privilege?

A. Configure each CPM to use the correct logon account.

B. Configure each CPM to use the correct reconcile account.

C. Configure the UNIX platform to use the correct logon account.

D. Configure the UNIX platform to use the correct reconcile account.

Correct Answer:C
When onboarding a large number of UNIX root accounts for password rotation by the Central Policy Manager (CPM), and the CPM cannot log in directly with the root account, it is necessary to configure the UNIX platform to use a secondary logon account that has the appropriate privileges. This secondary account should have the minimum necessary permissions to perform password management tasks, adhering to the principle of least privilege1. By configuring the UNIX platform with the correct logon account, the CPM can use this account to manage the root accounts securely and efficiently.
References:
✑ CyberArk’s official documentation on Least Privileges and Privileged Access Manager provides guidance on configuring on-demand privileges for UNIX environments, which includes setting up the correct logon account for tasks that require elevated privileges1.
✑ Additional information on managing UNIX and Linux accounts, including the configuration of logon and reconcile accounts, can be found in the Unix plugin documentation for CyberArk

Question 52

PSM for Windows (previously known as “RDP Proxy”) supports connections to the following target systems

A. Windows

B. UNIX

C. Oracle

D. All of the above

Correct Answer:D
PSM for Windows supports connections to various types of target systems, including Windows, UNIX, Oracle, and others. PSM for Windows uses different connection components to establish and manage the sessions, depending on the type and protocol of the target system. For example, PSM-RDP is used for Windows systems, PSM-SSH and PSM-Telnet are used for UNIX systems, PSM-Toad and PSM-SQLPlus are used for Oracle databases, and so on. References:
✑ PSM for Windows
✑ Connect through Privileged Session Manager for Windows
✑ Supported connection components

Question 53

You notice an authentication failure entry for the DR user in the ITALog. What is the correct process to fix this error? (Choose two.)

A. PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password.

B. Create a new credential file, on the DR Vault, using the CreateCredFile utility and the newly set password.

C. Create a new credential file, on the Primary Vault, using the CreateCredFile utility and the newly set password.

D. PVWA > User Provisioning > Users and Groups > DR User > Update Password.

E. PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update > Authentication > Update Password.

Correct Answer:AB
When an authentication failure for the DR user is noticed in the ITALog, the correct process to fix this error involves two steps. First, you need to update the password for the DR user. This is done through the PrivateArk Client by navigating to Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password. After updating the password, the next step is to create a new credential file on the DR Vault using the CreateCredFile utility with the newly set password. This ensures that the DR Vault has the updated credentials necessary for the DR user to authenticate successfully12.
References:
✑ CyberArk’s official documentation on troubleshooting authentication issues, which includes steps on updating user passwords and creating new credential files1.
✑ Community discussions and support articles on resolving DR user authentication failures, which provide practical insights and recommended actions2

Question 54

Which Automatic Remediation is configurable for a PTA detection of a “Suspected Credential Theft”?

A. Add to Pending

B. Rotate Credentials

C. Reconcile Credentials

D. Disable Account

Correct Answer:B
For a Privileged Threat Analytics (PTA) detection of a “Suspected Credential Theft,” the automatic remediation that can be configured is Rotate Credentials. This remediation action is designed to automatically initiate password changes when PTA identifies a suspected credential threat, such as a credential theft event. By rotating the credentials, CyberArk ensures that the potentially compromised credentials are changed, thus mitigating the risk of unauthorized access1.
References:
✑ CyberArk’s official documentation on configuring PTA remediations, which includes information on automatic password rotation for suspected credential threats2.
✑ Additional details on the remediation actions that can be configured for different types of PTA detections, including Suspected Credential Theft1.

START PAM-DEF EXAM