PAM/ DEFENDER CERTIFICATE STUDY GUIDE
1. Which permissions are needed for the Active Directory user required by the Windows
Discovery process?
a. Domain Admin
b. Ldap Admin
c. Read/Write
d. Read - Answer- Answer: A
2. Match each component to its respective Log File location. - Answer- PTA
/opt/tomcat/logs
PSM for SSH (PSMP) /var/opt/CARKpsmp/logs
Disaster RecoveryC:\Program Files (x86)\PrivateArk\Server\PADR
You Received this Error: "Error in changepass to user domain\user on domain server (\
domain)winRC=50 Access is denied"
Which root cause should you investigate?
a. The account does not have sufficient permissions to change its own password
b. The domain controller is unreachable
c. The password has been changed recently and minimum password age is preventing
the change.
d. The CPM service is disabled and will need to be restarted. - Answer- Answer: A
4. As vault Admin you have been asked to configure LDAP authentication for your
organization's CyberArk users. Which permissions do you need to complete this task?
a. Audit Users and Add Network Areas
b. Audit Users and Manage Directory Mapping
c. Audit Users and Add/Update Users
d. Audit Users and Activate Users - Answer- Answer: B
5. Which PTA sensors are required to detect suspected credential theft.
a. Logs, Vault Logs
b. Logs, Network Sensor, Vault Logs
c. Logs, PSM Logs, CPM Logs
d. Logs, Network Sensor, EPM - Answer- Answer: A
,6. You are installing HTML5 gateway on a Linux host using the RPM provided. After
installing the Tomcat webapp, what is the next step in the installation process?
a. Deploy the HTML5 service (guacd)
b. Secure the connection between the guacd and the webapp
c. Secure the webapp and JWT validation endpoint
d. Configure ASLR - Answer- Answer: B
7. To enable automatic response "Add to Pending" within PTA when unmanaged
credentials are found, what are the minimum permissions required by PTAUser for the
PasswordManager_Pending safe?
a. List Accounts, View Safe Members, Add Accounts (includes update properties),
Update Account Content, Update Account Properties.
b. List Accounts, Add Accounts (includes update properties), Delete Accounts, Manage
Safe
c. Add Accounts (includes update properties), Update Account Content, Update
Account properties, View Audit.
d. View Accounts, Update Account Content, Update Account Properties, Access Safe
without Confirmation, Mange Safe, View Audit. - Answer- Answer: A
8. A customer's environment three data centers, consisting of 5,000 servers in
Germany, 10,000 servers in Canada, 1,500 servers in Singapore. You want to manage
target servers and avoid complex firewall rules. How many CPM's should you deploy?
a. 1
b. 3, total, 1 per data center
c. 15
d. 6, total, 2 per data center - Answer- Answer: B
9. What is a prerequisite step before CyberArk can be configured to support RADIUS
authentication?
a. Log on to the PrivateArk Client, display the user properties of the user to configure,
run the Authentication method drop-down list, and select RADIUS authentication.
b. In the RADIUS server, define the CyberArk Vault as RADIUS client/agent.
c. In the Vault Installation folder, run CAVaultManger as Administrator with the
SecureSecretFiles command.
d. Navigate to /Server/Conf and open DBParms.ini and set the RadiusServersInfo
parameter. - Answer- Answer: B
, 10. Which components can connect to a satellite Vault in distributed Vault architecture?
a. CPM, EPM, PTA
b. PVWA, PSM
c. CPM,PVWA, PSM
d. CPM, PSM - Answer- Answer: B
11. You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You
discover that the CPM is unable to log in directly with the root account and will need to
use a secondary account. How should this be configured to allow for password
management using least privilege?
a. Configure each CPM to use the correct logon account
b. Configure each CPM to use the correct reconcile account
c. Configure the UNIX Platform to use the correct logon account
d. Configure the UNIX Platform to use the correct reconcile account - Answer- Answer:
C
12. Match the built-in Vault user with the correct definition.
a. This user appears on the highest level of the user hierarchy and has all the possible
permissions. As such, it can create and manage other Users on any level on the Users'
hierarchy.
b. This user appears at the to of the User hierarchy, enabling it to view all the Users in
the Safe. The user can produce reports of Safe activities and User activities, which
enables it to keep track of activity in the Safe and User requirements.
c. This user is an internal user that cannot be logged onto and carries out internal tasks,
such as automatically clearing expired user and Safe History.
d. This user has all available Safe member authorizations except Authorize password
requests. This user has complete system control, manages a full recovery when
necessary and cannot be removed from any Safe. - Answer- A: Administrator
B: Auditor
C: Batch
D: Master
13. A new HTML5 Gateway has been deployed in your organization. Where do you
configure the PSM to use the HTML5 Gateway?
a. Administration > Options > Privileged Session Management > Configured PSM
Servers > Connection Details > Add PSM Gateway
1. Which permissions are needed for the Active Directory user required by the Windows
Discovery process?
a. Domain Admin
b. Ldap Admin
c. Read/Write
d. Read - Answer- Answer: A
2. Match each component to its respective Log File location. - Answer- PTA
/opt/tomcat/logs
PSM for SSH (PSMP) /var/opt/CARKpsmp/logs
Disaster RecoveryC:\Program Files (x86)\PrivateArk\Server\PADR
You Received this Error: "Error in changepass to user domain\user on domain server (\
domain)winRC=50 Access is denied"
Which root cause should you investigate?
a. The account does not have sufficient permissions to change its own password
b. The domain controller is unreachable
c. The password has been changed recently and minimum password age is preventing
the change.
d. The CPM service is disabled and will need to be restarted. - Answer- Answer: A
4. As vault Admin you have been asked to configure LDAP authentication for your
organization's CyberArk users. Which permissions do you need to complete this task?
a. Audit Users and Add Network Areas
b. Audit Users and Manage Directory Mapping
c. Audit Users and Add/Update Users
d. Audit Users and Activate Users - Answer- Answer: B
5. Which PTA sensors are required to detect suspected credential theft.
a. Logs, Vault Logs
b. Logs, Network Sensor, Vault Logs
c. Logs, PSM Logs, CPM Logs
d. Logs, Network Sensor, EPM - Answer- Answer: A
,6. You are installing HTML5 gateway on a Linux host using the RPM provided. After
installing the Tomcat webapp, what is the next step in the installation process?
a. Deploy the HTML5 service (guacd)
b. Secure the connection between the guacd and the webapp
c. Secure the webapp and JWT validation endpoint
d. Configure ASLR - Answer- Answer: B
7. To enable automatic response "Add to Pending" within PTA when unmanaged
credentials are found, what are the minimum permissions required by PTAUser for the
PasswordManager_Pending safe?
a. List Accounts, View Safe Members, Add Accounts (includes update properties),
Update Account Content, Update Account Properties.
b. List Accounts, Add Accounts (includes update properties), Delete Accounts, Manage
Safe
c. Add Accounts (includes update properties), Update Account Content, Update
Account properties, View Audit.
d. View Accounts, Update Account Content, Update Account Properties, Access Safe
without Confirmation, Mange Safe, View Audit. - Answer- Answer: A
8. A customer's environment three data centers, consisting of 5,000 servers in
Germany, 10,000 servers in Canada, 1,500 servers in Singapore. You want to manage
target servers and avoid complex firewall rules. How many CPM's should you deploy?
a. 1
b. 3, total, 1 per data center
c. 15
d. 6, total, 2 per data center - Answer- Answer: B
9. What is a prerequisite step before CyberArk can be configured to support RADIUS
authentication?
a. Log on to the PrivateArk Client, display the user properties of the user to configure,
run the Authentication method drop-down list, and select RADIUS authentication.
b. In the RADIUS server, define the CyberArk Vault as RADIUS client/agent.
c. In the Vault Installation folder, run CAVaultManger as Administrator with the
SecureSecretFiles command.
d. Navigate to /Server/Conf and open DBParms.ini and set the RadiusServersInfo
parameter. - Answer- Answer: B
, 10. Which components can connect to a satellite Vault in distributed Vault architecture?
a. CPM, EPM, PTA
b. PVWA, PSM
c. CPM,PVWA, PSM
d. CPM, PSM - Answer- Answer: B
11. You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You
discover that the CPM is unable to log in directly with the root account and will need to
use a secondary account. How should this be configured to allow for password
management using least privilege?
a. Configure each CPM to use the correct logon account
b. Configure each CPM to use the correct reconcile account
c. Configure the UNIX Platform to use the correct logon account
d. Configure the UNIX Platform to use the correct reconcile account - Answer- Answer:
C
12. Match the built-in Vault user with the correct definition.
a. This user appears on the highest level of the user hierarchy and has all the possible
permissions. As such, it can create and manage other Users on any level on the Users'
hierarchy.
b. This user appears at the to of the User hierarchy, enabling it to view all the Users in
the Safe. The user can produce reports of Safe activities and User activities, which
enables it to keep track of activity in the Safe and User requirements.
c. This user is an internal user that cannot be logged onto and carries out internal tasks,
such as automatically clearing expired user and Safe History.
d. This user has all available Safe member authorizations except Authorize password
requests. This user has complete system control, manages a full recovery when
necessary and cannot be removed from any Safe. - Answer- A: Administrator
B: Auditor
C: Batch
D: Master
13. A new HTML5 Gateway has been deployed in your organization. Where do you
configure the PSM to use the HTML5 Gateway?
a. Administration > Options > Privileged Session Management > Configured PSM
Servers > Connection Details > Add PSM Gateway
