Which report provides a list of account stored in the vault.
A
Explanation:
The report that provides a list of accounts stored in the vault is the Privileged Accounts Inventory
report.
This report can be generated in the Reports page in the PVWA by users who belong to the
group that is specified in the ManageReportsGroup parameter in the Reports section of the Web
Access Options in the System Configuration page1
.
The Privileged Accounts Inventory report contains
information such as the safe, folder, name, platform ID, username, address, group, last accessed
date, last accessed by, last modified date, last modified by, verification date, checkout date, checked
out by, age, change failure, verification failure, master pass folder, master pass name, disabled by,
and disabled reason of each account stored in the vault2
. Reference:
:
Reports in PVWA
:
Users List Report
When on-boarding account using Accounts Feed, Which of the following is true?
B
Explanation:
When on-boarding accounts using Accounts Feed, you can either select an existing safe or create a
new one to store the accounts. You can also specify the platform, policy, and owner for each account.
However, you cannot create a new platform using Accounts Feed, and not all platforms support
automatic reconciliation. Reference:
Accounts Feed - CyberArk
CyberArk University
[Defender-PAM Sample Items Study Guide]
Target account platforms can be restricted to accounts that are stored m specific Safes using the
Allowed Safes property.
A
Explanation:
Target account platforms can be restricted to accounts that are stored in specific Safes using the
Allowed Safes property. This property is a parameter that can be configured in the Platform
Management settings for each platform. The Allowed Safes property specifies the name or names of
the Safes where the platform can be applied. The default value is .*, which means that the platform
can be used in any Safe. However, if you want to limit the platform to certain Safes, you can enter the
name or names of the Safes, separated by a pipe (|) character. For example, if you want to restrict
the platform to Safes called WindowsPasswords and LinuxPasswords, you can
enter AllowedSafes=(WindowsPasswords)|(LinuxPasswords). This feature is useful for preventing
unauthorized users from accessing passwords, especially if you implement the reconciliation
functionality.
It also helps the CPM to focus its search operations on specific Safes, instead of
scanning all Safes it can see in the Vault1
. Reference:
:
Limit Platforms to Specific Safes
Which one the following reports is NOT generated by using the PVWA?
C
Explanation:
The PVWA can generate various reports on the privileged accounts and applications in the system,
based on different filters and criteria. However, the Safes List report is not one of them. The Safes List
report is generated by using the PrivateArk Client, and it provides a list of Safes and their properties
according to location. Reference:
Defender-PAM Study Guide
,
Reports and Audits
PSM captures a record of each command that was executed in Unix.
A
Explanation:
PSM captures a record of each command that was executed in Unix by using the SSH text recorder.
This is a feature that enables PSM to record all the keystrokes that are typed during privileged
sessions on SSH connections, including Unix systems. The SSH text recorder can be configured in the
Platform Management settings for each platform that uses the SSH protocol. The text recordings are
stored and protected in the Vault server and are accessible to authorized auditors.
The text
recordings can also be used for auditing and compliance purposes, as they provide a detailed trace of
the actions performed by the users on the target systems1
. Reference:
:
Introduction to PSM for SSH
, How it works subsection, Text recordings paragraph
Platform settings are applied to _________.
D
Explanation:
Platform settings are applied to individual accounts. A platform is a set of parameters that defines
how the Vault manages the passwords of accounts that belong to a certain operating system or
application. Each account in the Vault is attached to a platform that determines how the account
password is changed, verified, reconciled, and accessed. Platform settings can be customized to meet
the specific requirements of each account type. For example, you can define the password
complexity, rotation frequency, verification method, and access policy for each platform. Reference:
[Defender PAM Sample Items Study Guide], page 15; [CyberArk Privileged Access Security
Documentation], Platforms Overview.
Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where
accounts are configured for Dual control, still need to request approval to use the account.
B
Explanation:
Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where
accounts are configured for Dual control, do not need to request approval to use the account.
The
‘Access Safe without confirmation’ safe permission allows users to access accounts without
confirmation from authorized users, even if the Master Policy or an exception enforces Dual
Control1
. This means that users who have this permission can bypass the workflow process and
access the account password or connect to the target system immediately.
This permission can be
granted to users or groups on a safe level by the safe owner or another user with the Manage Safe
authorization2
. Reference:
:
Dual Control
, Advanced Settings subsection
:
CyberArk Privileged Access Security Implementation Guide
, Chapter 3: Managing Safes, Section:
Safe Authorizations, Table 2-1: Safe Authorizations
What is the name of the Platform parameters that controls how long a password will stay valid when
One Time Passwords are enabled via the Master Policy?
A
Explanation:
The name of the Platform parameter that controls how long a password will stay valid when One
Time Passwords are enabled via the Master Policy is Min Validity Period. This parameter defines the
number of minutes to wait from the last retrieval of the account until it is replaced. This gives the
user a minimum period to be able to use the password before it is changed by the CPM. The Min
Validity Period parameter can be configured in the Platform Management settings for each platform
that supports One Time Passwords.
The default value is 60 minutes, but it can be modified according
to the organization’s security policy1
.
The Min Validity Period parameter is also used to release
exclusive accounts automatically1
. Reference:
:
Privileged Account Management
, Min Validity Period subsection
It is possible to leverage DNA to provide discovery functions that are not available with auto-
detection.
A
Explanation:
It is possible to leverage DNA to provide discovery functions that are not available with auto-
detection. Auto-detection is a feature that enables the CPM to automatically discover and onboard
accounts on target systems that are associated with a specific platform. Auto-detection can be
configured in the Platform Management settings for each platform that supports this
functionality.
However, auto-detection has some limitations, such as requiring the CPM to have
access to the target system, not supporting all platforms, and not providing comprehensive
information about the accounts and their security risks1
. DNA, on the other hand, is a standalone
scanning tool that can discover and audit privileged accounts across the network, regardless of the
platform or the CPM access.
DNA can provide additional discovery functions, such as identifying
machines vulnerable to Pass-the-Hash attacks, collecting reliable and comprehensive audit
information, and generating reports and visual maps that evaluate the privileged account security
status in the organization2
.
DNA can also be used before or independently of the CyberArk PAM
solution, as it does not require agents to be installed on target systems2
. Reference:
:
Auto-detection
:
CyberArk DNA Overview
Which of the following files must be created or configured m order to run Password Upload Utility?
Select all that apply.
A, C, D
Explanation:
: To run the Password Upload Utility, you need to create or configure the following files:
A comma delimited upload file: This is a text file that contains the passwords and their properties
that will be uploaded to the Vault. The file must have a .csv extension and follow a specific format.
The first line in the file defines the names of the password properties as specified in the Password
Vault.
Every other line represents a single password object and its property values, according to the
properties specified in the first line1
.
PACli.ini: This is a configuration file that stores the parameters for the PACli, which is a command-line
interface that enables communication between the Password Upload Utility and the Vault. The
PACli.ini file must be located in the same folder as the Password Upload Utility executable file.
The
file must contain the following parameters: Vault, User, Password, and LogFile2
.
conf.ini: This is a configuration file that stores the parameters for the Password Upload Utility. The
conf.ini file must be located in the same folder as the Password Upload Utility executable file.
The file
must contain the following parameters: InputFile, LogFile, and ErrorFile3
.
You do not need to create or configure the following file to run the Password Upload Utility:
Vault.ini: This is a configuration file that stores the parameters for the Vault server, such as the
database name, port, and password. This file is not used by the Password Upload Utility, and it is not
located in the same folder as the Password Upload Utility executable file.
The Vault.ini file is located
in the Vault installation folder, and it is used by the Vault service and the PrivateArk
Client4
. Reference:
:
Create the Password File
:
PACli.ini
:
Password Upload Utility Parameter File (conf.ini)
: [CyberArk Privileged Access Security Implementation Guide], Chapter 2: Installing the Vault,
Section: Configuring the Vault, Subsection: Vault.ini