CyberArk Defender - PAM PAM-DEF Exam Questions

Answer : A

Before failing back to the production infrastructure after a Disaster Recovery (DR) exercise, it is crucial to ensure that the Production Instance replicates all changes that occurred from the Disaster Recovery Instance. This includes all audit history and any other changes made during the DR event.The replication process ensures that no data is lost and that the audit history is maintained consistently across both the DR and Production environments1.

CyberArk Docs - Reports and Audits1

CyberArk Docs - Vault Audit Action Codes2

CyberArk Blog - Failover and Failback Process

Answer : C

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online, if the AllowFailback setting is set to ''yes'' in the padr.ini file. The padr.ini file is the configuration file for the Disaster Recovery application, which enables the DR Vault to replicate data from the Primary Vault and take over its role in case of a failure. The AllowFailback setting determines whether the DR Vault will automatically switch back to the passive mode when the Primary Vault is restored.The default value of this setting is ''no'', which means that the DR Vault will remain active until a manual failback is performed1.To enable the automatic failback, the setting must be changed to ''yes'' and the padr service must be restarted1.The dbparm.ini file is not relevant to this setting, as it is the main configuration file for the Vault database2.Reference:

Configure the DR Vault - CyberArk, section ''AllowFailback''

DBParm.ini - CyberArk, section ''Main parameters''

Answer : A

According to the CyberArk documentation1, the Password Upload utility must run from the Central Policy Manager (CPM) server. This utility works by uploading passwords and their properties into the Password Vault from a pre-prepared file, creating the required environment, when necessary.It is run from a command line whenever a password upload is required1.

Answer : A, B

To use the show, copy, and connect buttons on the accounts in the safe UnixRoot, the Operations Staff need to have theUse Accountspermission, which allows them to request access to the accounts and perform actions on them. However, since dual control is enabled for some of the accounts, they also need to have theRetrieve Accountspermission, which allows them to view the password of the account after it is authorized by another user. TheAuthorize Password Requestspermission is not needed, as it is only required for the users who can approve the requests, not the ones who make them. TheAccess Safe without Authorizationpermission is not needed, as it would bypass the dual control mechanism and allow the Operations Staff to access the accounts without approval.Reference:

[Defender PAM Sample Items Study Guide], page 10, question 5

[CyberArk Privileged Access Security Implementation Guide], page 30, table 2-1

[CyberArk Privileged Access Security Administration Guide], page 43, section 3.2.2.1

Answer : B

According to the CyberArk Defender PAM documentation, the Master Policy setting that must be active in order to have an account checked-out by one user for a pre-determined amount of time is Enforce check-in/check-out exclusive access. This setting enables organizations to permit users to check out a 'one-time' password and lock it so that no other users can retrieve it at the same time. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password. The duration of the check-out period can be configured in the platform settings for each account.Reference:

Account check-out and check-in - CyberArk

Master Policy - CyberArk

Answer : B

When managing SSH keys, the CPM stores the public key on the target server. The CPM generates a new random SSH key pair and updates the public SSH key on the target machine. The public SSH key is stored in the home directory of the privileged user on the target machine, usually in the file~/.ssh/authorized_keys. The public SSH key is not stored in the Vault, as this would be redundant and unnecessary. The public SSH key cannot be generated from the private key, as this would defeat the purpose of asymmetric encryption.Reference:

Manage SSH Keys

SSH Key Manager

Use SSH Keys

Answer : C

The ''click to connect'' button is a feature that allows users to connect to target systems without entering their credentials manually. It is also known as EPV transparent connections or PSM transparent connections. To activate this feature, you need to enable theAllow EPV transparent connectionsparameter in the Master Policy. This parameter determines whether users can use the ''click to connect'' button to initiate a privileged session from the PVWA. If the parameter is set to Active, the button is enabled and users can connect to target systems with one click. If the parameter is set to Inactive, the button is disabled and users need to copy the credentials and paste them in the target system login screen.Reference:Connect and configure - CyberArk,How to enable/disable Connect button in PVWA console - force.com