CAU302 Real Questions To Pass CyberArk Defender + Sentry

CyberArk when brings out CAU302 product, introduces a Defender – Sentry (Combined) certification along with that Defender + Sentry product. CAU302 exam is a combined exam of Level 2: Defender and Level 3: Sentry exams. PassQuestion provides CAU302 Real Questions to help you pass CyberArk Defender + Sentry certification exam easily. You can practice in the following sample test to check its quality.

CAU302 Real Questions To Pass CyberArk Defender + Sentry

1. The vault does not support Role Based Access Control.

TRUE

FALSE

2. The Remote Desktop Services role must be properly licensed by Microsoft.

TRUE

FALSE

3. One can create exceptions to the Master Policy based on ____________.

Safes

Platforms

Policies

Accounts

4. Which of the following statements are NOT true when enabling PSM recording for a target Windows server?

The PSM software must be installed on the target server.

PSM must be enabled in the Master Policy (either directly, or through exception).

PSM Connect must be added as a local user on the target server.

RDP must be enabled on the target server.

5. It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe.

TRUE

FALSE

6. During LDAP/S integration you should specify the Fully Qualified Domain Name (FQDN) of the Domain Controller.

TRUE

FALSE

7. Which of the following options is not set in the Master Policy?

Password Expiration Time

Enabling and Disabling of the Connection Through the PSM

Password Complexity

The use of “One-Time Passwords”

8. When on-boarding accounts using Accounts Feed, which of the following is true?

You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault.

You can specify the name of a new safe that will be created where the account will be stored when it is on-boarded to the Vault.

You can specify the name of a new Platform that will be created and associated with the account.

Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.

9. The Vault Internal safe contains the configuration for an LDAP integration.

TRUE

FALSE

10. PSM captures a record of each command that was issued in SQL Plus.

TRUE

FALSE

11. What is the purpose of the Allowed Safes parameter in a CPM policy? Select all that apply.

To improve performance by reducing CPM workload.

To prevent accidental use of a policy in the wrong safe.

To allow users to access only the passwords they should be able to access.

To enforce Least Privilege in CyberArk.

12. The Vault Internal safe contains all of the configuration for the vault.

TRUE

FALSE

13. One time passwords reduce the risk of Pass the Hash vulnerabilities in Windows.

TRUE

FALSE

14. What are the operating system prerequisites for installing CPM?

.NET 3.51 Framework Feature

Web Services Role

Remote Desktop Services Role

Windows 2008 R2 or higher

15. The vault provides a tamper-proof audit trail.

TRUE

FALSE

16. It is possible to restrict the time of day, or day of week that a verify process can occur.

TRUE

FALSE

17. When managing SSH keys, CPM automatically pushes the Private Key to all systems that use it.

TRUE

FALSE

18. It is possible to restrict the time of day, or day of week that a change process can occur.

TRUE

FALSE

19. Which one of the built-in Vault users is not automatically added to the safe when it is first created in PWA?

Master

Administrator

Auditor

Operator

20. What conditions must be met in order to log into the vault as the Master user? Select all that apply.

Logon must be originated from the console of the Vault server or an EmergencyStation defined in DBParm.ini

User must provide the correct master password.

Logon requires the Recovery Private Key to be accessible to the vault.

Logon must satisfy a challenge response request.

21. To support a fault tolerant and high-availability architecture, the Password Vault Web Access (PVWA) servers need to be configured to communicate with the Primary Vault and Satellite Vaults.

What file needs to be changed on the PVWA to enable this setup?

Vault.ini

dbparm.ini

pvwa.ini

Satellite.ini

22. Auto-Detection can be configured to leverage LDAP/S.

TRUE

FALSE

23. Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports.

TRUE

FALSE

24. When a group is granted the ‘Authorize Account Requests’ permission on a safe Dual Control requests must be approved by:

Any one person from that group

Every person from that group

The number of persons specified by the Master Policy

That access cannot be granted to groups

25. When creating an onboarding rule, it will be executed upon.

All accounts in the pending accounts list.

Any future accounts discovered by a discovery process.

All accounts in the pending accounts list and any future accounts discovered by a discovery process.

26. You are successfully managing passwords in the alpha.cyberark com domain; however when you attempt to manage a password in the beta.cyberark.com domain, you receive the ‘network path not found* error.

What should you check first?

That the username and password are correct.

That the CPM can successfully resolve addresses in the beta cyberark com domain

That the end user has the correct permissions on the safe

That an appropriate trust relationship exists between alphaxyberark.com and beta.cyberark.com

27. Which service should NOT be running on the DR Vault when the primary production Vault is up?

PrivateArk Database

PrivateArk Server

CyberArk Vault Disaster Recovery Service

CyberArk Logical Container

28. Which of the following statements are NOT true when enabling PSM recording for a target Windows server? Choose all that apply

The PSM software must be installed on the target server

PSM must be enabled in the Master Policy {either directly, or through exception).

PSMConnect must be added as a local user on the target server

RDP must be enabled on the target server

29. What is the primary purpose of Exclusive Accounts?

Reduced risk of credential theft

More frequent password changes

Non-repudiation (individual accountability)

To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization

30. Which of the following are prerequisites for installing PVWA Check all that Apply

Web Services Role

NET 4.5.1 Framework Feature

Remote Desktop Services Role

Windows BitLocker

31. To support a fault tolerant and high-availability architecture, the Password Vault Web Access (PVWA) servers must to be configured to communicate with the Primary Vault and Satellite Vaults.

Which file needs to be changed on the PVWA to enable this setup?

Vault.ini

dbparm.ini

pvwa.ini

Satellite.ini

32. PSM captures a record of each command that was issues in SQL Plus.

TRUE

FALSE

33. In Accounts Discovery, you can configure a Windows discovery to scan______________.

as many OUs as you wish

up to three OUs.

only one O

a number of OUs determined by the OUstoScan setting under the Accounts Feed section in the Administration tab

34. One of your users is receiving the error message “ITATS006E Station is suspended for User jsmith” when attempting to sign in to the pvwa.

Which utility would you use to correct this problem?

createcredfile.exe

cavaultmanager.exe

PrivateArk

PVWA

35. Which of the following is NOT a use case for installing multiple CPMS?

A single CPM cannot accommodate the total number of accounts managed

Accounts are managed in multiple sites or VLANs protected by firewall

Reduce network traffic across WAN links

Provide load balancing capabilities when managing passwords on target devices

36. Which service should NOT be running on the DR Vault when the primary Production Vault is up?

PrivateArk Database

PrivateArk Server

CyberArk Vault Disaster Recovery (DR) service

CyberArk Logical Container

37. Where does the Vault administrator configure in Password Vault Web Access (PVWA) the Fully Qualified Domain Name (FQDN) of the domain controller during LDAP/S integration?

PVWA > Platform Management > LDAP Integration

PVWA > Administration > LDAP Integration

PVWA > Administration > Options > LDAP Integration

PVWA > LDAP Integration

38. What is the purpose of the password Change process?

To test that CyberArk is storing accurate credentials for accounts

To change the password of an account according to organizationally defined password rules

To allow CyberArk to manage unknown or lost credentials

To generate a new complex password

39. Which keys are required to be present in order to start the PrivateArk Server Service? Select all that apply.

Server Key

Recovery Public Key

Recovery Private Key

Safe Key

40. Which utilities could you use to change debugging levels on the vault without having to restart the vault Select all that apply.

PAR Agent

PrivateArk Server Central Administration

Edit DBParm.ini in a text editor.

Setup exe

41. What is the purpose of the CyberArk Event Notification Engine service.

It sends email messages from the CPM

It sends email messages from the Vault.

It processes audit report messages

It makes vault data available to components.

42. The Vault does not support dual factor authentication.

True

False

43. Any user can monitor live sessions in real time when users initiate RDP connection via Secure Connect through PSM?

TRUE

FALSE

44. A safe was recently created by a user who is a member of the LDAP Vault Administrators group.

Which of the following users does not have access to the newly created safe by default?

Master

Administrator

Auditor

Backup

45. Which file is used to configure the ENE service?

ini

ENEConfig.ini

dbparm.ini

paragent.ini

46. All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe The members of the AD group UnixAdmms need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation The members of the AD group OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.

Which safe permissions do you need to grant to UnixAdmins? Check all that apply

Use Accounts

Retrieve Accounts

List Accounts

Authorize Password Requests

Access Safe without Authorization

47. The Application Inventory report is related to AIM.

TRUE

FALSE

48. When managing SSH keys, the CPM stores the Public Key ________________.

In the Vault

On the target server

A & B

Nowhere because the public key can always be generated from the private key

49. The ACME Company has been a CyberArk customer for many years. ACME Management has asked you to perform a “Health Check" review of the CyberArk deployment. During your analysis you discover that the PSM Component server is fully functional. The RDP SSL certificate is self-signed and the CyberArk Privileged Session Management Service is running under the Local Service. SSL 3.0 is enabled in the Registry.

The PSM Component Server is configured as defined in PAS Installation Guide.

The PSM Component Server has been installed correctly but PSM Hardening procedures have not been followed and must be rebuilt.

The PSM Component Server has been installed correctly but PSM Hardening procedures have not been followed. Hardening procedures must be applied manually to the existing configuration.

The PSM Component Server has been installed correctly but PVWA Hardening procedures have not been followed. Hardening procedures can be applied via the Installation Automation script or manually to the existing configuration.

50. All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.

Which safe permissions do you need to grant to OperationsManagers? (Choose all that apply.)

Use Accounts

Retrieve Accounts

List Accounts

Authorize Password Requests

Access Safe without Authorization

51. tsparm.ini is the main configuration file for the vault.

TRUE

FALSE

52. What is the proper way to allow the Vault to resolve host names?

Define a DNS server.

Define a WINS server.

Define the local hosts file.

The Vault cannot resolve host names due to security standards.

53. Which one of the following reports is NOT generated by using the PVWA?

Accounts Inventory

Application Inventory

Active/Non-Active Users

Compliance Status

54. When working with the CyberArk Disaster Recovery (DR) solution, which services should be running on the DR Vault?

CyberArk Vault Disaster Recovery (DR), PrivateArk Database

CyberArk Vault Disaster Recovery

CyberArk Vault Disaster Recovery, PrivateArk Database, PrivateArk Server

CyberArk Vault Disaster Recovery, PrivateArk Database, CyberArk Event Notification Engine

55. Which parameter controls how often the CPM looks for accounts that need to be changed from recently completed Dual control requests?

HeadStartInterval

Interval

ImmediateInterval

The CPM does not change the password under this circumstance

56. Which of the following PTA detections are included in the Core PAS offering? (Choose all that apply.)

Suspected Credential Theft

Over-Pass-The-Hash

Golden Ticket

Unmanaged Privileged Access

57. Name two ways of viewing the ITAlog:

Log into the vault locally and navigate to the Server folder under the PrivateArk install location.

Log into the PVWA and go to the Reports tab.

Access the System Safe from the PrivateArk client.

Go to the Thirdpary log directory on the CPM

58. Which utility can be used to copy a server key to an HSM?

PrivateArk Client

A proprietary utility provided by the HSM Vendor

ChangeServerKeys.exe

CAVaultManager.exe

59. What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?

MinValidityPeriod

Interval

Immediatelnterval

Timeout

60. Which combination of safe member permissions will allow End Users to log in to a remote machine transparently but NOT show or copy the password?

Use Accounts, Retrieve Accounts, List Accounts

Use Accounts, List Accounts

Use Accounts

List Accounts, Retrieve Accounts

61. A SIEM integration allows you to forward ITALOG records to a monitoring solution.

TRUE

FALSE

62. You have associated a logon account to one of your UNIX root accounts in the vault When attempting to verify the root account’s password the CPM will…

Ignore the logon account and attempt to log in as root.

Prompt the end user with a dialog box asking for the login account to use.

None of these.

63. Which of the following sends out Simple Network Management Protocol (SNMP) traps?

PrivateArk Remote Control Agent

PrivateArk Server

CyberArk Event Notification Engine

CyberArk SNMP agent

64. The Vault Internal safe contains all of the configuration for the vault.

TRUE

FALSE

65. What is the purpose of a password group?

To ensure that a particular collection of accounts all have the same password

To ensure a particular set of accounts all change at the same time

To connect the CPM to a target system

To allow more than one account to work together as part of a password management process

66. Which credentials does CyberArk use when managing a target account?

Those of the service account for the CyberArk Password Manager service

A Domain Administrator account created for this purpose

The credentials of the target account

An account assigned by the Master Policy

67. What is the proper way to allow the Vault to resolve host names?

Define a DNS server

Define a WINS server

Defining the local hosts file

The Vault cannot resolve host names due to security standards

68. Time of day of week restrictions on when password changes can occur are configured in ________________.

The Master Policy

The Platform settings

The Safe settings

The Account Details

69. In a Disaster Recovery (DR) environment, which of the following should NEVER be configured for automatic failover due to the possibility of split-brain phenomenon?

Password Vault Web Access (PVWA)

PSM

CPM

PTA

70. A SIEM integration allows you to forward audit records to a monitoring solution.

TRUE

FALSE

71. A Reconcile Account can be specified in the Master Policy.

TRUE

FALSE

72. What is the chief benefit of PSM?

Privileged session isolation

Automatic password management

Privileged session recording

Privileged session isolation and privileged session recording

73. Which of the Following can be configured in the Master Policy? Choose all that apply

Dual Control

One Time Passwords

Exclusive Passwords

Password Reconciliation

Ticketing Integration

Required Properties

Custom Connection Components

Password Aging Rules

74. What is the primary purpose of Dual Control?

Reduced risk of credential theft

More frequent password changes

Non-repudiation (individual accountability)

To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization

75. It is possible to restrict the time of day. or day of week that a verify process can occur

TRUE

FALSE

76. The Vault supports multiple instances of the following components Choose all that Apply

PVWA

CPM

PSM

AIM Provider

77. A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.

What is the issue?

The user must login as PSMAdminConnect.

The PSM service is not running.

The user is not a member of the PVWAMonitor group.

The user is not a member of the Auditors group.

78. Which is the purpose of the HeadStartInterval setting in a platform?

It determines how far in advance audit data is collected for reports.

It instructs the CPM to initiate the password change process certain number of days before expiration.

It instructs the AIM provider to ‘skip the cache’ during the defined time period.

It alerts users of upcoming password changes a certain number of days before expiration.

79. The Vault server requires WINS services to work properly.

True

False

80. When managing SSH keys. CPM automatically pushes the Public Key to the target system.

TRUE

FALSE

81. What is the purpose of the Interval setting in a CPM policy?

To control how often the CPM looks for System Initiated CPM work

To control how often the CPM looks for User Initiated CPM work.

To control how long the CPM rests between password changes

To control the maximum amount of time the CPM will wait for a password change to complete

82. Multiple PVWA servers provide automatic load balancing.

TRUE

FALSE

83. Is it possible to modify the CyberArk Vault Audit Log?

Yes, a Vault administrator can modify the Audit log

No, the audit trail is tamper proof and cannot be edited, not even by Master

Yes, but only the Master user can modify the Audit log

Yes, a Vault administrator can edit the Audit log but only with explicit permission from CyberArk

84. Which of the following logs contain information about errors related to PTA?

ITAlog.log

diamond.log

pm_error.log

WebApplication.log

85. PSM captures a record of each command that was executed in Unix.

TRUE

FALSE

86. The System safe allows access to the Vault configuration files.

TRUE

FALSE

87. Which of these accounts onboarding methods is considered proactive?

Accounts Discovery

Detecting accounts with PTA

A Rest API integration with account provisioning software

A DNA scan

88. Which onboarding method would you use to integrate CyberArk with your accounts provisioning process?

Accounts Discovery

Auto Detection

Onboarding RestAPI functions

PTA Rules

89. A logon account can be specified in the platform settings.

True

False

90. When the PSM Gateway (also known as the HTML5 ( End Point in order to launch connections via the PSM

True

False, when the PSM Gateway is implemented, the user only requires a browser in order launch a connection via the PSM

91. What is the purpose of the password verify process?

To test that CyberArk is storing accurate credentials for accounts.

To change the password of an account according to organizationally defined password rules.

To allow CyberArk to manage unknown or lost credentials.

To generate a new complex password.

92. Accounts Discovery allows secure connections to domain controllers.

TRU

FALSE

93. Access Control to passwords is implemented by ________________.

Virtual Authorizations

Safe Authorizations

Master Policy

Platform Settings

94. It is possible to control the hours of the day during which a safe may be used.

TRUE

FALSE

95. In a Distributed Vaults environment, which of the following components will NOT be communicating with the Satellite Vaults?

AAM Credential Provider (previously known as AIM Credential Provider)

ExportVaultData utility

PAReplicate utility

Central Policy Manager

96. Which Master Policy?

Password Expiration Time

Enabling and Disabling of the Connection Through the PSM

Password Complexity

The use of "One-Time-Passwords"

97. One can create exceptions to the Master Policy based on_________.

Safes

Platforms

Policies

Accounts

98. It is possible to disable the Show and Copy buttons without removing the Retrieve permission on a safe.

TRUE

FALSE

99. In accordance with best practice. SSH access is denied for root accounts on UNIX/LINUX systems.

What is the BEST way to allow CPM to manage root accounts?

Create a privileged account on the target server Allow this account the ability to SSH directly from the CPM machine Configure this account as the Reconcile account of the target server’s root account.

Create a non-privileged account on the target server Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account

Configure the Unix system to allow SSH logins.

Configure the CPM to allow SSH logins

100. According to the default web options settings, which group grants access to the reports page?

PVWAMonitor

PVWAUsers

Auditors

Vault administrators

CAU302 Real Questions To Pass CyberArk Defender + Sentry

CAU302 Real Questions To Pass CyberArk Defender + Sentry

Leave a Reply Cancel reply