ANSWERS GRADED A+
✔✔Explain object level access control? - ✔✔Access control is individualized based on
objects in safe rather than by safe
✔✔Using Accounts Discovery, what are the three stages accounts will go through? -
✔✔Discovery - Pending - Onboarding
✔✔Which account does the PVWA use to impersonate the end user? - ✔✔Gateway
User
✔✔Name the five criteria for a safe model - ✔✔1. Organizational structure
2. Security classification
3. Functional structure
4. Compliance requirements
5. Geographical structure
✔✔What are four ways to onboard accounts? - ✔✔1. Manual entry through PVWA
2. Accounts Discovery
3. Password Upload Utility
4. Rest API
✔✔A failover procedure is triggered when the CPM detects one of the following events.
- ✔✔Failure of:
1. Vault Services
2. Storage Availability
3. Virtual IP Availability
4. Loss of Quorum Ownership
✔✔Describe three aspects of Vault Authorizations. - ✔✔- Can be assigned only at the
user level
- Cannot be inherited via group membership
- Defined only via the PrivateArk client
✔✔1. How does PTA detect Kerberos Attacks?
2. How can Kerberos be used by an attacker? - ✔✔1. By running deep pocket
inspection
2. To achieve privilege escalation and persistency within the network
✔✔Permissions required to run Privileged Account Compliance Status Report? - ✔✔-
List Accounts
- View audit or confirm safe request (in safes that are configured for dual control)
- Member of the PVWA Monitor Group
,- To run the report for the entire Vault: membership of the auditors group
✔✔Where can you fine the "Events Feed Authorization" parameter? - ✔✔Administration
- Options - General
✔✔What is stored in the PSM safe? - ✔✔PSM Safe contains the password objects of
the unique PSM users created locally.
✔✔How can PTA contain in-progress attacks by automatically? - ✔✔- Onboarding
unmanaged accounts
- Rotating credentials
- Reconciling credentials
- Terminating or suspending sessions
✔✔What are the two types of reports available? - ✔✔PrivateArk Client and PVWA
✔✔Provides information about eh Application IDs in the system. - ✔✔Application
Inventory for AIM Report.
✔✔What are the OS Installation prerequisites for Basic PSM functionality? - ✔✔-
Windows R2 or Windows 2016 with only remote Desktop Services (RDS) Session Host
Role
- Remote Desktop Session Host (requires RDS CAL licensing)
✔✔What is the precedence of files when automatically onboarding? - ✔✔A new rule
take precedence over an existing rule
✔✔Which of these are not automatically added to the safe when created first in the
PVWA? - ✔✔Administrator
✔✔Which safes are shared by all CPMs? - ✔✔PasswordManagerShared and
PassManager_Pending
✔✔PVWAs will all share the same safes. - ✔✔True
✔✔Vault permissions may be applied to groups and users. - ✔✔False, Vault
permissions may only be applied to users
✔✔What permission is needed for Applications Inventory Report? - ✔✔Audit users
✔✔In Accounts Discovery, you can configure a Windows discovery to scan
__________. - ✔✔Only one OU
, ✔✔This onboarding method allows customers to create integrations with their active
directories or other account provisioning software and CyberArk. - ✔✔Rest API
✔✔Which groups have the authority to configure security rules and automate
remediation actions? - ✔✔Vault Admin Group and Security Admin Group
✔✔This file is used to determine which disks store vault data? - ✔✔TSParm.ini
✔✔Name the six CPM safes. Which two are shared by all CPMs? - ✔✔1. Password
Manager
2. PasswordManager_ADInternal
3. PasswordManager_Information
4. PasswordManager_Pending
5. PasswordManager_Workspace
PasswordManager and PasswordManager_Pending are shared by all CPMs.
✔✔Which utilities could you use to change debugging levels on the Vault without having
to restart the Vault? - ✔✔1. PARagent
2. PrivateArk Server Central Administration
✔✔What four things can you specify through access control? - ✔✔1. Location of Access
2. Days of Access
3. Window of Time for Access
4. Time Limits
✔✔What abnormal behaviors are detected by the PTA? - ✔✔- Access to the Vault
during irregular hours or days
- Access to the Vault from irregular IP addresses
- Excessive access to privileged accounts in the Vault
- Actively by dormant Vault users
✔✔Name the four methods used for onboarding accounts. - ✔✔1. Manual Entry
(PVWA)
2. Password Upload Utility
3. Accounts Discovery
4. Rest API
✔✔Master Policy can configure what? - ✔✔- Dual Control
- Exclusive Passwords
- One-Time Passwords
- Password Aging Rules
✔✔Describe the two phases of Windows Discovery. - ✔✔Phase One:
- Log into the PVWA