PAM-DEF CyberArk Defender - PAM Free Practice Exam Questions (2025 Updated)

The inability to “Fast Forward” within a video recording in the PVWA and the restriction to only skip between commands suggests that the recording is of a PSM for SSH session. PSM for SSH sessions are typically recorded as text-based logs that capture command-level activities, which allows for skipping between commands but not fast-forwarding through a video timeline. Additionally, the lack of an option to download the video is consistent with the behavior of text-based session recordings, which do not provide a video file for download1.

References:

CyberArk’s official documentation on Recorded Sessions, which explains the playback functionalities and limitations of different types of session recordings1.

Information on configuring video and text recordings in PSM, which details how recordings are managed and the options available for different session types2.

When a new domain controller is added to a domain, it is necessary to update the CyberArk infrastructure to ensure it can use the new domain controller for authentication. This involves updating the hosts file on the Vault server located at Windows\System32\Etc\Hosts to include the new domain controller’s details. Additionally, within the PVWA Application, you need to navigate to Administration > LDAP Integration > Directories > Hosts and update the information there as well. This ensures that both the Vault server and the PVWA Application are aware of the new domain controller and can authenticate against it1.

References:

CyberArk’s official documentation on configuring Active Directory integration, which includes details on setting up domain controllers for authentication2.

Information on adding Active Directory as a directory service in CyberArk Identity, which discusses the integration of domain controllers3.

 The newly configured directory mapping can be tested by searching for members that exist only in the mapping group to grant them safe permissions through the PVWA (Privileged Vault Web Access). This process allows you to verify that the directory mapping is functioning correctly by ensuring that only the intended users, who are part of the specific Active Directory group, are granted access to the safes in the CyberArk Vault12.

References:

CyberArk Docs - Create directory mapping1

CyberArk Docs - Edit directory mapping3

CyberArk Docs - LDAP Integration in PVWA

 To ensure that a user group can connect through the Privileged Session Manager (PSM) without seeing the password, you must grant the Use Accounts and Retrieve Files permissions to the group for the safe. The Use Accounts permission allows users to initiate sessions using accounts without viewing the account details or passwords. The Retrieve Files permission enables users to retrieve files during PSM sessions without having access to the passwords1.

References:

CyberArk Docs - Safe Permissions

 The Use Accounts permission enables Safe members to log in to a remote machine through a PSM connection from the Accounts List or the Account Details page. The List Accounts permission enables Safe members to view the Accounts list. However, to show or copy the password, the Safe members also need the Retrieve Accounts permission, which allows them to view and copy the account value in the Account Details page or the Accounts list. Therefore, the combination of Use Accounts and List Accounts will allow end users to log in to a remote machine transparently but not show or copy the password. References:

Safe Members - CyberArk1, section “Permissions”

Safes and Safe members - CyberArk2, section “Safe members overview”

Password Complexity is not set in the Master Policy, but in the Platform Management settings for each platform. The Master Policy is a set of rules that define the security and compliance policy of privileged accounts in the organization, such as access workflows, password management, session monitoring, and auditing1. The Master Policy does not include any technical settings that determine how the system manages accounts on various platforms1. Password Complexity is a technical setting that defines the minimum requirements for the length and composition of the passwords that are generated by the CPM for the accounts associated with the platform2. Password Complexity can be configured in the Platform Management settings, which are independent of the Master Policy and can be customized according to the organization’s environment and security policies1.

The other options are set in the Master Policy, as follows:

A. Password Expiration Time: This is a policy rule that determines how often passwords are changed. It can be set in the Master Policy under the Password Management section1.

B. Enabling and Disabling of the Connection Through the PSM: This is a policy rule that determines whether users can connect to target systems through the PSM. It can be set in the Master Policy under the Session Management section1.

D. The use of “One-Time-Passwords”: This is a policy rule that determines whether passwords are changed every time they are retrieved by a user. It can be set in the Master Policy under the Password Management section1. References:

1: The Master Policy

2: Platform Management, Password Complexity subsection

BackupFilesDeletion=No

PARestore vault.ini operator /FullVaultRestore

CAVaultManager RecoverBackupFiles

CAVaultManager RestoreDB

BackupFilesDeletion=Yes,24,1,5,7d

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Restoring-Safes-or-the-Vault.htm

To ensure that Windows Domain password changes occur outside of business hours, the settings that must be updated are found in the Master Policy under the Account Change Window section. Here, you can specify the ToHour and FromHour to define the time frame outside of which the passwords should be rotated. This setting allows you to control when password changes can occur, ensuring that they do not interfere with business operations by taking place during non-business hours1.

References:

CyberArk Docs - Set password policies

According to the CyberArk Defender PAM documentation, the Master Policy setting that must be active in order to have an account checked-out by one user for a pre-determined amount of time is Enforce check-in/check-out exclusive access. This setting enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password. The duration of the check-out period can be configured in the platform settings for each account. References:

Account check-out and check-in - CyberArk

Master Policy - CyberArk

Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, do not need to request approval to use the account. The ‘Access Safe without confirmation’ safe permission allows users to access accounts without confirmation from authorized users, even if the Master Policy or an exception enforces Dual Control1. This means that users who have this permission can bypass the workflow process and access the account password or connect to the target system immediately. This permission can be granted to users or groups on a safe level by the safe owner or another user with the Manage Safe authorization2. References:

1: Dual Control, Advanced Settings subsection

2: CyberArk Privileged Access Security Implementation Guide, Chapter 3: Managing Safes, Section: Safe Authorizations, Table 2-1: Safe Authorizations

 When a group is granted the ‘Authorize Account Requests’ permission on a safe, dual control requests must be approved by the number of persons specified by the Master Policy. This means that the request will be sent to all the members of the group, but only a certain number of them need to confirm it for the request to be authorized. The Master Policy defines the number of required approvers for each level of confirmation, as well as the number of levels. For example, if the Master Policy requires two approvers at the first level and one approver at the second level, then the request will be sent to the group and two members of the group must confirm it before it is sent to the second level of confirmation, where one more approver is needed. References:

Request access

Safe Members

CyberArk Defender - PAM Exam Practice Test

The command PAReplicate.exe with the /FullBackup option is used to generate a full backup of the CyberArk Vault. This command requires the Vault configuration file (typically Vault.ini) and a credential file (specified with /LogonFromFile) that contains the user’s encrypted logon credentials. The /FullBackup option indicates that a full backup of the Vault is to be performed, as opposed to an incremental backup1.

References:

CyberArk Docs: Install the Vault Backup Utility2

CyberArk Knowledge Article: PAReplicate Configuration and Usage

According to the CyberArk documentation1, once Object Level Access Control is enabled for a Safe, it cannot be disabled. This feature allows granular control over user access to passwords and files in the Safe, regardless of their Safe level member authorizations2. To enable Object Level Access Control, users need to have the Manage Safe authorization in the Vault1.

According to the CyberArk Defender PAM documentation1, when Dual Control is enabled, a user must first submit a request in the Password Vault Web Access (PVWA) and receive approval before being able to launch a secure connection via PSM for Windows (previously known as RDP Proxy). This is a security feature that ensures that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner(s). The user must specify the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it. The request is then sent to the authorized Safe Owners, who can either confirm or reject it. The number of confirmations required is defined in the Master Policy. Only after the user receives the required confirmations, they can activate the request and access the account through PSM for Windows. This way, Dual Control adds an additional measure of protection and accountability for accessing sensitive accounts.

The purpose of the password change process is to change the password of an account according to organizationally defined password rules. The password change process is a feature of CyberArk that enables the Central Policy Manager (CPM) to manage the passwords of privileged accounts that are stored in the Vault. The CPM can change the passwords automatically or manually, based on predefined policies, schedules, or user requests. The password change process ensures that the passwords are secure, compliant, and synchronized with the target systems and the Vault. The password change process also supports different types of accounts, such as one-time passwords, exclusive accounts, and dual accounts1.

The other options are not the main purpose of the password change process, although they may be related to some aspects of it. The password change process does not test that CyberArk is storing accurate credentials for accounts, although it may verify the password validity before changing it. The password change process does not allow CyberArk to manage unknown or lost credentials, although it may reconcile the passwords if they are out of sync with the target systems. The password change process does not generate a new complex password, although it may use a random password generation mechanism to create a new password that meets the password policy requirements. References:

Change Passwords - CyberArk, section “Change Passwords”

 The PTA can automatically suspend sessions if suspicious activities are detected in a privileged session, regardless of the session method. The PTA can suspend sessions that are made via the PSM, the PVWA, or directly to the target system. The PTA can also suspend sessions that are made via SSH, RDP, or other protocols. References:

Defender PAM Sample Items Study Guide, page 24

PTA User Guide, page 17

 The Master Policy in CyberArk defines the behavior of one-time passwords and exclusive accessExclusive access ensures that only one user can check out an account at any given time, effectively locking the account during its use to prevent simultaneous access1. On the other hand, one-time password functionality is designed to change the account’s password after it is used, based on a timer set by the MinValidityPeriod parameter in the policy file. This means that once the password is checked out and the timer expires, the Central Policy Manager (CPM) will change the password2. These settings are often used together to maintain accountability and security for the usage of shared privileged accounts. References:

CyberArk Docs: One-time passwords and exclusive accounts1

CyberArk Knowledge Article: CPM: What is the difference between “One Time” and “Exclusive” passwords?2

According to the CyberArk documentation1, the prerequisites for running the PSM Health Check are:

PSM service installed on Windows 2016 or Windows 2019

Web Server (IIS 8.5) role is installed

A valid SSL certificate is installed on the Web Server

Therefore, these prerequisites are mandatory for the PSM Health Check to work properly. The PSM service installed on Windows 2008 R2 is not mandatory, as it is not supported by the PSM Health Check2.

References: PSM Health Check, PSM Health Check - CyberArk

The image description indicates that “EMEALevel2Support” has the following rights: Add/Update Users, Manage Server File Categories, Manage Directory Mapping, Backup All Files, Restore All Files. Since there is no mention of the right to reset passwords for other users, this suggests that “EMEALevel2Support” lacks the necessary permission to change the password for “Operator”.