EMT Practice Test

1. Question Content...


Question List

Question1: You are logging into CyberArk as the Master user to recover an orphaned safe.
Which items are required to log in as Master?

Question2: A Logon Account can be specified in the Master Policy.

Question3: Users can be resulted to using certain CyberArk interfaces (e.g.PVWA or PACLI).

Question4: VAULT authorizations may be granted to_____.

Question5: Which processes reduce the risk of credential theft? (Choose two.)

Question6: Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed.

Question7: Which of these accounts onboarding methods is considered proactive?

Question8: For a safe with Object Level Access enabled you can turn off Object Level Access Control when it no longer needed on the safe.

Question9: Select the best practice for storing the Master CD.

Question10: Which statement is true about setting the reconcile account at the platform level?

Question11: Your organization requires all passwords be rotated every 90 days.
Where can you set this regulatory requirement?

Question12: Which command generates a full backup of the Vault?

Question13: Before failing back to the production infrastructure after a DR exercise, what must you do to maintain audit history during the DR event?

Question14: The vault supports Role Based Access Control.

Question15: You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM.
Which safe permissions must you grant to the group? (Choose two.)

Question16: In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX system. What is the BEST way to allow CPM to manage root accounts.

Question17: You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account.
How should this be configured to allow for password management using least privilege?

Question18: When onboarding multiple accounts from the Pending Accounts list, which associated setting must be the same across the selected accounts?

Question19: What is the primary purpose of Dual Control?

Question20: What can you do to ensure each component server is operational?

Question21: What do you need on the Vault to support LDAP over SSL?

Question22: When are external vault users and groups synchronized by default?

Question23: The password upload utility must run from the CPM server

Question24: What is the purpose of the Interval setting in a CPM policy?

Question25: You need to enable the PSM for all platforms.
Where do you perform this task?

Question26: What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?

Question27: You have been asked to turn off the time access restrictions for a safe.
Where is this setting found?

Question28: Due to network activity, ACME Corp's PrivateArk Server became active on the OR Vault while the Primary Vault was also running normally. All the components continued to point to the Primary Vault.
Which steps should you perform to restore DR replication to normal?

Question29: If PTA is integrated with a supported SIEM solution, which detection becomes available?

Question30: Your organization has a requirement to allow users to "check out passwords" and connect to targets with the same account through the PSM.
What needs to be configured in the Master policy to ensure this will happen?

Question31: What is the purpose of the PrivateArk Server service?

Question32: You created a new platform by duplicating the out-of-box Linux through the SSH platform.
Without any change, which Text Recorder Type(s) will the new platform support? (Choose two.)

Question33: Which utilities could you use to change debugging levels on the vault without having to restart the vault.
Select all that apply.

Question34: To ensure all sessions are being recorded, a CyberArk administrator goes to the master policy and makes configuration changes.
Which configuration is correct?

Question35: You have been given the requirement that certain accounts cannot have their passwords updated during business hours.
How can you set up a configuration to meet this requirement?

Question36: Within the Vault each password is encrypted by:

Question37: An auditor needs to login to the PSM in order to live monitor an active session. Which user ID is used to establish the RDP connection to the PSM server?

Question38: Which combination of Safe member permissions will allow end users to log in to a remote machine transparently but NOT show or copy the password?

Question39: Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller?

Question40: SAFE Authorizations may be granted to____________.
Select all that apply.

Question41: Where can a user with the appropriate permissions generate a report? (Choose two.)

Question42: You want to create a new onboarding rule.
Where do you accomplish this?

Question43: Your customer, ACME Corp, wants to store the Safes Data in Drive D instead of Drive C.
Which file should you edit?

Question44: You are onboarding an account that is not supported out of the box.
What should you do first to obtain a platform to import?

Question45: Which certificate type do you need to configure the vault for LDAP over SSL?

Question46: A user with administrative privileges to the vault can only grant other users privileges that he himself has.

Question47: Which of the following components can be used to create a tape backup of the Vault?

Question48: Which service should NOT be running on the DR Vault when the primary Production Vault is up?

Question49: You are configuring a Vault HA cluster.
Which file should you check to confirm the correct drives have been assigned for the location of the Quorum and Safes data disks?

Question50: According to the DEFAULT Web Options settings, which group grants access to the REPORTS page?

Question51: Which CyberArk group does a user need to be part of to view recordings or live monitor sessions?

Question52: You receive this error:
"Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied." Which root cause should you investigate?

Question53: When a group is granted the 'Authorize Account Requests' permission on a safe Dual Control requests must be approved by

Question54: It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

Question55: To enable the Automatic response "Add to Pending" within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?

Question56: What must you specify when configuring a discovery scan for UNIX? (Choose two.)

Question57: For each listed prerequisite, identify if it is mandatory or not mandatory to run the PSM Health Check.

Question58: You are creating a new Rest API user that utilizes CyberArk Authentication.
What is a correct process to provision this user?

Question59: In the screenshot displayed, you just configured the usage in CyberArk and want to update its password.
What is the least intrusive way to accomplish this?

Question60: You are creating a shared safe for the help desk.
What must be considered regarding the naming convention?

Question61: All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers never need to be able to use the show, copy or connect buttons themselves.
Which safe permission do you need to grant Operations Staff? Check all that apply.

Question62: By default, members of which built-in groups will be able to view and configure Automatic Remediation and Session Analysis and Response in the PVWA?

Question63: What is the correct process to install a custom platform from the CyberArk Marketplace?

Question64: In your organization the "click to connect" button is not active by default.
How can this feature be activated?

Question65: What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

Question66: In a rule using "Privileged Session Analysis and Response" in PTA, which session options are available to configure as responses to activities?

Question67: Which of the following PTA detections are included in the Core PAS offering?

Question68: Which report could show all accounts that are past their expiration dates?

Question69: A user needs to view recorded sessions through the PVWA.
Without giving auditor access, which safes does a user need access to view PSM recordings? (Choose two.)

Question70: A Vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault Admin rights.
Where can you check to verify that the Vault Admins directory mapping points to the correct AD group?

Question71: A user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.
What is the issue?

Question72: When managing SSH keys, the CPM stored the Private Key

Question73: Which statement about the Master Policy best describes the differences between one-time password and exclusive access functionality?

Question74: When managing SSH keys, the CPM stores the Public Key

Question75: Which keys are required to be present in order to start the PrivateArk Server service?

Question76: You are configuring CyberArk to use HTML5 gateways exclusively for PSM connections.
In the PVWA, where do you set DefaultConnectionMethod to HTML5?

Question77: What is the primary purpose of One Time Passwords?

Question78: A new HTML5 Gateway has been deployed in your organization.
From the PVWA, arrange the steps to configure a PSM host to use the HTML5 Gateway in the correct sequence.

Question79: Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

Question80: Match the log file name with the CyberArk Component that generates the log.

Question81: Which type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event?

Question82: CyberArk recommends implementing object level access control on all Safes.

Question83: PSM captures a record of each command that was executed in Unix.

Question84: Where can reconcile and/or logon accounts be linked to an account? (Choose two.)

Question85: You want to create a new onboarding rule.
Where do you accomplish this?

Question86: Where can you check that the LDAP binding is using TCP/636?

Question87: In a default CyberArk installation, which group must a user be a member of to view the "reports" page in PVWA?

Question88: Match each key to its recommended storage location.

Question89: As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

Question90: Target account platforms can be restricted to accounts that are stored m specific Safes using the Allowed Safes property.

Question91: Which of the following options is not set in the Master Policy?

Question92: When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change?

Question93: You want to build a connector that connects to a website through the Web applications for PSM framework.
Which default connector do you duplicate and modify?

Question94: It is possible to control the hours of the day during which a user may log into the vault.

Question95: What is the easiest way to duplicate an existing platform?