CyberArk PAM-DEF CyberArk Defender - PAM Exam Practice Test

Answer : C

One-time passwords and exclusive access are security features that can be configured for a platform in the Master Policy. These features enhance the security and accountability of shared accounts by ensuring that each password is used only once and by only one user at a time. One-time passwords generate a new password for each check-out and check-in of an account, preventing password reuse and exposure. Exclusive access prevents multiple users from accessing the same account simultaneously, avoiding conflicts and confusion. By configuring both one-time passwords and exclusive access for the appropriate platform, the account owner can track who was using an account at any given moment and ensure that the passwords are always secure and unique.Reference:One-Time Passwords,Exclusive Access,Master Policy

Answer : B

To manage loosely connected devices, which are not always connected to the network, CyberArk uses the Endpoint Privilege Manager (EPM). EPM is capable of rotating credentials of accounts on Windows and macOS devices that are loosely connected to the enterprise network.It operates over the internet and can communicate with the corporate PVWA to retrieve the new password and change it on the device1.Reference: The information provided is based on general knowledge of CyberArk PAM best practices and the management of loosely connected devices as outlined in CyberArk's official documentation1.

Answer : B, D

When configuring a discovery scan for UNIX, you must specify theCPM Scannerand thelist of machines to scan. The CPM Scanner is the component responsible for executing the discovery process, and it requires a list of target machines to scan for new and modified accounts and their dependencies.This list can be provided in the form of a CSV file for UNIX machines1.The discovery process will then scan the predefined machines to identify privileged accounts that should be onboarded into the Vault for secure and automated management according to enterprise compliance policies2.

CyberArk Docs - Manage discovery processes1

CyberArk Docs - Scan for accounts using Account Discovery

Answer : A

To support LDAP over SSL, the Vault requires the CA Certificate(s) that were used to sign the certificate of the External Directory. This is necessary to establish a trusted SSL connection between the Vault and the External Directory.The CA Certificate(s) must be imported into the Windows certificate store on the Vault machine to facilitate this SSL connection1.Reference: The information provided is based on general knowledge of CyberArk PAM best practices and the requirements for configuring LDAP over SSL as outlined in CyberArk's official documentation1.

Answer : B

Being a member of the Vault Admins group does not automatically grant you any permission on any safe that you have access to. The Vault Admins group is a predefined group that is created during the installation or upgrade of the vault.This group has the Vault Admin authorization, which allows its members to perform administrative tasks on the vault, such as managing users, groups, platforms, policies, and safes1.However, this authorization does not include any safe member authorizations, such as View, Retrieve, Use, or Manage Safe2. Therefore, to grant any permission on a safe, you need to be added as a safe member with the appropriate authorizations, either directly or through another group. The Vault Admins group can be added to safes with all safe member authorizations, but this is not done automatically for all safes.By default, this group is only added to a number of system safes, such as the Password Manager Safe, the PVWAConfig Safe, and the Notification Methods Safe3.For other safes, the Vault Admins group can be added manually by the safe owner or another user with the Manage Safe authorization4.Reference:

1:Predefined users and groups, Predefined groups subsection

2: [CyberArk Privileged Access Security Implementation Guide], Chapter 3: Managing Safes, Section: Safe Authorizations, Table 2-1: Safe Authorizations

3:What default groups can be automatically added to Safes when they are created?

4: [CyberArk Privileged Access Security Administration Guide], Chapter 3: Managing Safes, Section: Adding Safe Members

Answer : D

According to the web search results, exclusive accounts are a feature of CyberArk Defender PAM that enables organizations to permit users to check out a 'one-time' password and lock it so that no other users can retrieve it at the same time1. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password.The duration of the check-out period can be configured in the platform settings for each account1.

The primary purpose of exclusive accounts is to prevent a single user from accessing a sensitive account without authorization, which could lead to fraud or misuse of privileges. By requiring a check-out and check-in process, exclusive accounts ensure that there is a 'collusion to commit' fraud, meaning that at least two users are involved in the malicious activity and are accountable for it. One user must check out the password and use it, while another user must approve the check-in and verify the password change. This way, exclusive accounts add an additional measure of protection and accountability for accessing sensitive accounts.

Answer : B

To ensure that Windows Domain password changes occur outside of business hours, the settings that must be updated are found in theMaster Policyunder theAccount Change Windowsection. Here, you can specify theToHourandFromHourto define the time frame outside of which the passwords should be rotated.This setting allows you to control when password changes can occur, ensuring that they do not interfere with business operations by taking place during non-business hours1.

CyberArk Docs - Set password policies