PAM-CDE-RECERT CyberArk Practice Test Questions and Exam Dumps

Question 1

Your organization is preparing to harden the Privileged Session Manager (PSM) component as part of the CyberArk deployment. Prior to beginning the hardening process, a required executable for the PSM Universal Connector was identified. To ensure this executable can run without being blocked during or after the hardening, which configuration file must you modify?

A. PSMConfigureAppLocker.xml
B. PSMHardening.xml
C. PSMAppConfig.xml
D. PSMConfigureHardening.xml

Correct Answer: A. PSMConfigureAppLocker.xml

Explanation:

The correct file to update in this scenario is PSMConfigureAppLocker.xml. This XML file is specifically used to manage application whitelisting rules via Microsoft AppLocker, which is part of the CyberArk PSM hardening process. AppLocker controls which executables are allowed to run on the PSM machine. If your organization needs a custom or third-party executable (like the PSM Universal Connector) to run on the PSM, it must be explicitly allowed by modifying this configuration file.

Here's a breakdown of the options:

  • Option A - PSMConfigureAppLocker.xml:
    This is the correct file used during the PSM hardening process to define exceptions for executable files. You would add the custom executable’s path here to ensure it is whitelisted and allowed by AppLocker.

  • Option B - PSMHardening.xml:
    This is a broader configuration file that outlines general hardening rules, but it does not specifically handle AppLocker settings or executable permissions.

  • Option C - PSMAppConfig.xml:
    This file contains PSM configuration settings such as session behavior and connection parameters. It does not control execution permissions or AppLocker rules.

  • Option D - PSMConfigureHardening.xml:
    While this sounds related, it’s not a valid or standard CyberArk file involved in configuring AppLocker or hardening processes.

Question 2

You are serving as the Vault Administrator in your organization and have been asked to set up LDAP-based authentication to allow CyberArk users to log in using their corporate credentials. Which set of administrative permissions is required to carry out the LDAP directory integration and mapping process?

A. Audit Users and Add Network Areas
B. Audit Users and Manage Directory Mapping
C. Audit Users and Add/Update Users
D. Audit Users and Activate Users

Correct Answer: B. Audit Users and Manage Directory Mapping

Explanation:

To configure LDAP (Lightweight Directory Access Protocol) authentication in CyberArk, the administrator must have the necessary permissions to manage directory mappings. This involves linking LDAP users and groups to corresponding CyberArk roles and permissions.

Let’s break down the options:

  • Option A - Audit Users and Add Network Areas:
    This combination is not relevant to LDAP configuration. “Add Network Areas” pertains more to PSM and session monitoring scopes, not authentication settings.

  • Option B - Audit Users and Manage Directory Mapping:
    Correct choice. This permission set allows the administrator to audit user activities and directly manage the mapping of LDAP users/groups to CyberArk accounts. Managing directory mappings is a crucial step when integrating with an external LDAP system for authentication.

  • Option C - Audit Users and Add/Update Users:
    While adding and updating users is part of user management, this option doesn’t include the critical "Manage Directory Mapping" permission needed for LDAP configuration.

  • Option D - Audit Users and Activate Users:
    Activation is related to enabling user accounts, but it doesn’t give the necessary access to configure directory mappings for LDAP.

Key Concepts in LDAP Integration:

  • LDAP integration allows users to authenticate to the CyberArk Vault using existing Active Directory credentials.

  • This requires setting up a connection to the directory service and defining how external users map to internal CyberArk roles.

  • Managing directory mappings ensures that the correct users and groups receive appropriate permissions in the Vault.

  • Without the “Manage Directory Mapping” right, even an administrator would not be able to complete the LDAP setup.

Question 3

To enable secure LDAP communication over SSL (LDAPS) between your CyberArk Vault and an external directory service, which type of digital certificate must be installed on the Vault server?

A. The root CA certificate that issued the LDAP server's certificate
B. A certificate for the Vault server, signed by a Certificate Authority (CA)
C. A CA-signed SSL certificate for the PVWA (Password Vault Web Access) server
D. A self-signed certificate generated for the Vault server

Correct Answer: A. The root CA certificate that issued the LDAP server's certificate

Explanation:

When configuring LDAP over SSL (LDAPS) in CyberArk, the Vault must trust the certificate presented by the LDAP server (such as Active Directory). For this trust to be established, the Vault server needs to trust the Certificate Authority (CA) that issued the LDAP server’s SSL certificate. This is accomplished by installing the CA's root certificate on the Vault server.

Option Analysis:

  • Option A - The root CA certificate that issued the LDAP server's certificate
    Correct. This ensures that the Vault can validate the authenticity of the LDAP server’s SSL certificate during the LDAPS handshake. Without this trust, secure connections will fail.

  • Option B - A CA-signed certificate for the Vault server
    This is useful for clients connecting to the Vault securely but not required for LDAP over SSL. The Vault acts as a client in this case, not the server.

  • Option C - A CA-signed certificate for the PVWA server
    Irrelevant to LDAP over SSL. PVWA may use certificates for HTTPS, but it’s not part of the LDAPS trust chain between the Vault and LDAP server.

  • Option D - A self-signed certificate for the Vault
    Self-signed certificates do not establish trust between systems unless manually installed and trusted, which is not recommended for production use.

Question 4

You are tasked with creating a new user in CyberArk who will authenticate using CyberArk's built-in authentication (not LDAP or SAML). This user needs access to the REST API. What is the correct way to provision this user account?

A. Use the PrivateArk Client > Navigate to Tools > Administrative Tools > Users and Groups > Create New User

B. Use the PrivateArk Client > Go to Tools > Administrative Tools > Directory Mapping > Add a Mapping

C. Use the PVWA Web Interface > Go to User Provisioning > LDAP Integration > Add a Mapping

D. Use the PVWA Web Interface > Go to User Provisioning > Users and Groups > Create New User

Correct Answer: A. Use the PrivateArk Client > Navigate to Tools > Administrative Tools > Users and Groups > Create New User

Explanation:

REST API users who authenticate using CyberArk’s internal authentication must be created directly in the Vault. This type of user is not associated with external authentication methods like LDAP, SAML, or RADIUS. To provision such users, you use the PrivateArk Client, which provides administrative access directly to the Vault.

Option Analysis:

  • Option A - PrivateArk Client > Tools > Administrative Tools > Users and Groups > New > User
    Correct. This method allows the Vault administrator to create a Vault-internal user who can authenticate using CyberArk credentials. Once created, you can assign them the appropriate Vault-level permissions and set them up for API usage.

  • Option B - PrivateArk Client > Directory Mapping > Add
    This is used for LDAP or directory-based user integration, not for CyberArk-authenticated users.

  • Option C - PVWA > LDAP Integration > Add Mapping
    Similar to Option B, this is used when integrating users via LDAP, which isn’t applicable here.

  • Option D - PVWA > Users and Groups > New > User
    The PVWA allows some user management, but internal CyberArk users must be created via the PrivateArk Client, not the web interface.

Question 5

During the setup process of the CyberArk Password Vault Web Access (PVWA) component, which of the following steps is considered mandatory for a successful installation?

A. You must configure a DNS (Domain Name System) entry for the PVWA web address.
B. You must install a TLS/SSL certificate signed by your organization's Certificate Authority on the server.
C. You must register the PVWA using a Vault account with administrative privileges.
D. You must disable Data Execution Prevention (DEP) on the PVWA host.

Correct Answer: C. You must register the PVWA using a Vault account with administrative privileges.

Explanation:

Installing the Password Vault Web Access (PVWA) component is a critical part of the CyberArk ecosystem that provides web-based access for users and administrators. During the installation process, registering the PVWA with the Vault is a mandatory step, and it must be done using a Vault Administrative user account. This process enables the PVWA to establish a secure connection to the Vault and integrate with its backend.

Option Analysis:

  • Option A - DNS entry for PVWA URL
    Not mandatory. While having a DNS entry is helpful for usability and certificate configuration, it is not strictly required. PVWA can still be accessed using an IP address or hostname.

  • Option B - Company-signed TLS certificate
    Optional during initial setup. You can use a self-signed certificate temporarily, especially in test environments. Although a CA-signed certificate is recommended for production, it’s not mandatory for installation.

  • Option C - Vault Admin account for PVWA registration
    Correct. This is a required step. Without registering PVWA using a Vault Admin account, PVWA cannot function correctly or securely communicate with the Vault.

  • Option D - Disabling Data Execution Prevention
    This is not required. Modern CyberArk installations are compatible with DEP settings. Modifying this security feature is unnecessary and not recommended unless advised by CyberArk Support in very specific cases.

Question 6

Your organization enforces a security policy requiring all privileged account passwords to be rotated every 90 days. In which part of the CyberArk system should you define this rotation frequency to ensure compliance?

A. In the Master Policy configuration to set global password rotation rules.
B. In Safe Templates to automatically apply policies to new Safes.
C. In the PVWA configuration XML file to control application behavior.
D. In the Platform settings for each account type to set specific rotation intervals.

Correct Answer: D. In the Platform settings for each account type to set specific rotation intervals.

Explanation:

Password rotation frequency is configured at the Platform level in CyberArk. Each platform represents a category of accounts (e.g., Windows, Unix, Oracle, etc.), and defines operational rules, including how often passwords must be changed.

You can specify that passwords are rotated every 90 days by modifying the platform’s password management properties. This gives you precise control over policies tailored to each account type.

Option Analysis:

  • Option A - Master Policy
    The Master Policy provides high-level control over password behavior, such as whether automatic management is enabled. However, it does not set the specific rotation interval.

  • Option B - Safe Templates
    These help streamline Safe creation but don’t define account management rules like password rotation.

  • Option C - PVWAConfig.xml
    This XML file configures the web interface behavior and integrations (e.g., timeouts, themes) — it has nothing to do with password rotation logic.

  • Option D - Platform Configuration
    Correct. This is the proper location to set password change frequency. Each platform has customizable settings, including rules for how often passwords should be changed, complexity requirements, and verification methods.

Question 7

You are using the CyberArk Password Vault Web Access (PVWA) interface to generate a "Privileged Accounts Inventory" report for a specific Safe. In order for the report to display complete and accurate account details from that Safe, which Safe permissions must the user running the report have?

A. "List Accounts" and "View Safe Members" permissions must be granted.
B. The user must have the "Manage Safe Owners" permission.
C. The user must have "List Accounts" and "Access Safe without Confirmation" permissions.
D. The user must be assigned both "Manage Safe" and "View Audit" permissions.

Correct Answer: C. The user must have "List Accounts" and "Access Safe without Confirmation" permissions.

Explanation:

The "Privileged Accounts Inventory" report in CyberArk provides detailed visibility into the accounts stored within a specific Safe. For the report to be complete, the user generating the report needs to have sufficient permissions to see all the accounts in that Safe, along with their associated metadata (e.g., username, platform type, last modified date, password status).

Two specific Safe-level permissions are essential for this:

  1. List Accounts – This permission allows the user to see a list of the accounts stored in the Safe.

  2. Access Safe without Confirmation – This enables the user to access accounts without needing approval, allowing full visibility into account details that are otherwise hidden if access confirmation is required.

Without both of these permissions, CyberArk will restrict visibility and the report will omit some or all information, leading to an incomplete or blank report.

Option-by-Option Analysis:

  • Option A - "List Accounts" and "View Safe Members"
    Incorrect.
    "List Accounts" allows visibility of accounts, but "View Safe Members" is used to view who has permissions on the Safe — not account data. This combination would not provide full access to generate a complete inventory report.

  • Option B - "Manage Safe Owners"
    Incorrect.
    This is a powerful administrative permission used to manage who has ownership-level control over the Safe. It does not grant visibility into account inventories directly. Also, it is excessive for a user who only needs to generate a report.

  • Option C - "List Accounts" and "Access Safe without Confirmation"
    Correct.
    This is the minimum required permission set for running a full Privileged Accounts Inventory report. "List Accounts" gives the user access to see account entries, and "Access Safe without Confirmation" allows them to retrieve full details without requiring manual approval or workflow. Together, these allow the report to pull and display complete account information.

  • Option D - "Manage Safe" and "View Audit"
    Incorrect.
    "Manage Safe" allows modifying Safe properties, and "View Audit" allows viewing activity logs, such as who accessed what. While these are useful for auditing and managing the Safe itself, they do not directly allow access to account data necessary for generating the inventory report.

Summary:

For a user to successfully generate a complete and accurate "Privileged Accounts Inventory" report from a specific Safe in PVWA, they must have "List Accounts" to view the stored credentials, and "Access Safe without Confirmation" to fully access account details without needing approval. These permissions ensure the report contains all account metadata, such as last password change, account platform, and usage status.

These permissions are carefully scoped so users can generate reports without needing full administrative control, supporting the principle of least privilege while maintaining transparency and audit readiness.

Question 8

What are two best practices for securing privileged accounts when using CyberArk’s Privileged Access Management (PAM) solution?

A. Rotate privileged account passwords at regular intervals
B. Allow manual management of privileged passwords to maintain flexibility
C. Configure multi-factor authentication (MFA) for accessing privileged accounts
D. Keep the privileged account passwords stored in plaintext for easy retrieval
E. Grant users full access to all privileged accounts in the organization for convenience

Answer: A, C

Explanation:

CyberArk’s Privileged Access Management (PAM) solution is designed to protect and manage privileged accounts, which are among the most sensitive and targeted assets in any organization. To maintain strong security, it is critical to implement best practices that minimize the risk of unauthorized access, privilege misuse, or credential compromise. Two such key actions are rotating privileged passwords regularly and enforcing multi-factor authentication (MFA).

Option A, rotating privileged account passwords at regular intervals, is a foundational security practice in PAM. Static credentials that do not change are vulnerable to theft, misuse, and exploitation over time. By automatically rotating passwords after a defined period or after each use, CyberArk ensures that even if a password is compromised, it has a limited window of usability. This reduces the chance of lateral movement or unauthorized access by attackers. CyberArk can automate this rotation process, enhancing both security and compliance with audit requirements.

Option C, configuring multi-factor authentication (MFA) for accessing privileged accounts, adds an extra layer of security by requiring users to verify their identity using more than just a password. MFA helps prevent unauthorized access, especially in scenarios where credentials might be stolen through phishing or other attack vectors. Integrating MFA into CyberArk’s workflow ensures that even if someone manages to obtain a password, they still cannot gain access without an additional authentication factor, such as a one-time code, biometric scan, or smart card.

Option B, allowing manual management of privileged passwords, is not recommended. Manual processes are prone to human error, inconsistency, and security lapses. CyberArk’s value lies in its ability to automate password management, enforce policy, and log access activities, all of which would be undermined by manual intervention.

Option D, keeping privileged account passwords in plaintext for easy retrieval, is extremely insecure. Storing passwords in plaintext leaves them open to unauthorized viewing or exfiltration, especially in the event of a breach. CyberArk stores passwords in an encrypted digital vault, ensuring they remain confidential and protected at rest and in transit.

Option E, granting users full access to all privileged accounts, violates the principle of least privilege. Users should be given access only to the specific accounts and systems required for their roles. Broad access increases the attack surface and the potential damage in case of credential misuse.

Thus, rotating passwords regularly and enabling MFA are two critical steps in securing privileged accounts effectively within CyberArk's PAM framework. These actions collectively reduce the risk of unauthorized access, simplify compliance, and reinforce overall cybersecurity posture.

Question 9

Which two parts of CyberArk's Privileged Access Security solution are responsible for recording and monitoring privileged user sessions?

A. CyberArk Privileged Session Manager (PSM)
B. CyberArk Vault
C. CyberArk Central Policy Manager (CPM)
D. CyberArk Identity Manager
E. CyberArk Privileged Threat Analytics (PTA)

Answer: A, E

Explanation:

CyberArk’s Privileged Access Security (PAS) solution includes a number of specialized components, each designed to address different aspects of privileged account management, security, and monitoring. When it comes to session recording and monitoring, two components stand out: Privileged Session Manager (PSM) and Privileged Threat Analytics (PTA).

Option A, CyberArk Privileged Session Manager (PSM), is a core component designed to control, isolate, and monitor privileged sessions. It acts as a proxy between the user and the target system (e.g., server, network device), enabling secure connections while recording every keystroke, screen interaction, and command execution. These session recordings can be reviewed for auditing, forensic investigations, or compliance purposes. PSM ensures that administrators do not directly access credentials and that all their activities are logged and traceable.

In addition to providing visibility, PSM can enforce policies such as blocking file transfers, preventing clipboard use, and enforcing time-based restrictions. This makes it a powerful tool not only for monitoring but also for actively controlling privileged sessions in real time.

Option E, CyberArk Privileged Threat Analytics (PTA), complements PSM by providing behavioral analysis and real-time threat detection. PTA monitors session metadata, user behavior, and access patterns to detect anomalies that may indicate malicious activity. While PTA does not record sessions in the same way PSM does, it provides a monitoring capability by analyzing events generated during sessions to identify suspicious actions. When unusual behavior is detected—such as accessing sensitive systems at odd hours or executing uncommon commands—PTA can alert security teams or trigger automated responses. Therefore, it is also considered part of the monitoring framework within CyberArk’s PAS.

Option B, CyberArk Vault, is primarily a secure repository for storing privileged credentials, secrets, and files. While it ensures the protection of credentials, it does not have the capability to monitor or record sessions.

Option C, CyberArk Central Policy Manager (CPM), is used for managing and rotating passwords according to policy. It automates password changes and ensures that credentials are updated without manual intervention. CPM is crucial for security, but it does not handle session monitoring or recording.

Option D, CyberArk Identity Manager, is part of the broader identity and access management ecosystem and may provide role-based access and identity governance, but it is not focused on privileged session recording or real-time monitoring within the PAS solution.

In summary, CyberArk Privileged Session Manager (PSM) is responsible for recording and controlling sessions, while Privileged Threat Analytics (PTA) enhances monitoring by detecting suspicious behavior within those sessions. Together, they provide a robust framework for securing and overseeing privileged user activities.

