CyberArk Defender – PAM Online Practice
Last updated: May 4, 2025
You can work through the online practice questions to gauge how well you know the CyberArk PAM-DEF exam material before deciding whether to register for the exam.
If you want to pass the exam with a 100% success rate and save 35% of your preparation time, choose the PAM-DEF dumps (the latest real exam questions), which currently include the 177 most recent exam questions and answers.
Answer:
Explanation:
When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online, if the AllowFailback setting is set to “yes” in the padr.ini file. The padr.ini file is the configuration file for the Disaster Recovery application, which enables the DR Vault to replicate data from the Primary Vault and take over its role in case of a failure. The AllowFailback setting determines whether the DR Vault will automatically switch back to the passive mode when the Primary Vault is restored. The default value of this setting is “no”, which means that the DR Vault will remain active until a manual failback is performed [1]. To enable the automatic failback, the setting must be changed to “yes” and the padr service must be restarted [1]. The dbparm.ini file is not relevant to this setting, as it is the main configuration file for the Vault database [2].
Reference: Configure the DR Vault - CyberArk, section “AllowFailback”
DBParm.ini - CyberArk, section “Main parameters”
Answer:
Explanation:
A Rest API integration with account provisioning software is considered a proactive account onboarding method, because it enables the automatic creation and management of accounts in the Vault as soon as they are provisioned in the target systems. This way, the accounts are secured from the start and do not need to be discovered or onboarded manually later. A Rest API integration with account provisioning software can be achieved by using the CyberArk Accounts Feed REST API, which allows external applications to send account information to the Vault [1].
The other options are not proactive account onboarding methods, because they rely on the discovery of existing accounts that may have been exposed or compromised before being onboarded to the Vault. Accounts Discovery is a feature that enables the Vault to scan target systems and identify privileged accounts that are not managed by the Vault [2]. Detecting accounts with PTA is a feature that enables the Privileged Threat Analytics (PTA) component to detect and alert on suspicious account activities and credential thefts [3]. A DNA scan is a feature that enables the Discovery and Audit (DNA) tool to scan Windows and Unix machines and generate a report on the privileged accounts and vulnerabilities found [4].
Reference: CyberArk Accounts Feed REST API - CyberArk, section “CyberArk Accounts Feed REST API”
Accounts Discovery - CyberArk, section “Accounts Discovery”
Detect and Respond to Privileged Account Threats - CyberArk, section “Detect and Respond to Privileged Account Threats”
CyberArk DNA - CyberArk, section “CyberArk DNA”
Answer:
Explanation:
A. Store the CD in a physical safe and mount the CD every time Vault maintenance is performed. This option ensures that the CD is kept in a secure location when not in use, and that the keys are available when needed. This is the default option suggested by CyberArk [1].
B. Copy the entire contents of the CD to the system Safe on the Vault. This option allows the Vault to access the keys from the system Safe, which is a special Safe that stores the Vault configuration files and keys. The system Safe is encrypted and protected by the Vault, and can only be accessed by authorized users [2].
D. Store the server key in a Hardware Security Module (HSM) and copy the rest of the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions. This option provides an additional layer of security for the server key, which is the most critical key for the Vault. An HSM is a physical device that stores and manages cryptographic keys in a tamper-resistant and isolated environment. The Vault can integrate with an HSM to store and retrieve the server key [3]. The rest of the keys can be stored in a folder on the Vault Server and secured with NTFS permissions, which restrict access to authorized users and groups.
The following option is not secure and should be avoided:
C. Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions. This option exposes the keys to potential risks, such as unauthorized access, data corruption, or deletion. NTFS permissions are not sufficient to protect the keys from malicious or accidental actions. Moreover, this option does not comply with the CyberArk best practices, which recommend storing the keys on removable media or in an HSM.
Answer:
Explanation:
The Replicate component can be used to create a tape backup of the Vault. The Replicate component is a utility that exports the encrypted contents of the Safes and the Vault metadata to a computer outside the Vault environment. A global backup system can then access the replicated files and copy them to a tape or any other backup media. The Replicate component is part of the CyberArk Backup Process, which provides a secure and easy method of backing up and restoring the Vault data [1][2]. The other components are not related to the tape backup of the Vault. Disaster Recovery is a feature that enables the Vault to recover from a catastrophic failure by using a standby Vault server [3]. Distributed Vaults is a feature that enables the Vault to synchronize data with other Vaults in different locations [4]. High Availability is a feature that enables the Vault to maintain continuous operation by using a primary and a secondary Vault server.
Reference: Use the CyberArk Backup Process - CyberArk, section “Use the CyberArk Backup Process”
Install the Vault Backup Utility - CyberArk, section “Backup utilities”
Disaster Recovery - CyberArk, section “Disaster Recovery”
Distributed Vaults - CyberArk, section “Distributed Vaults”
[High Availability - CyberArk], section “High Availability”
Answer:
Explanation:
To access the Monitoring tab and view the recordings of the PSM sessions, the user must have membership in the Auditors group or membership in the relevant Account Safes and Recording Safes with the appropriate permissions [1]. The user must also use the same connection method (RDP file or HTML5 Gateway) as the end user who conducted the session [1]. The other options are not relevant to the issue, as the user does not need to log in as PSMAdminConnect, the PSM service is running if the user was able to conduct a session, and the PVWAMonitor group is not a valid group in CyberArk.
Reference: Monitor Privileged Sessions - CyberArk, section “The MONITORING page”
Answer:
Explanation:
dbparm.ini is not the main configuration file for the Vault. It is one of the several configuration files that control the initial settings and method of operation of the Server. The main configuration file for the Vault is DBParm.ini, which contains the general parameters of the database, such as the Vault name, the Vault IP address, the Vault port, the encryption algorithm, the log retention, and the debug mode [1].
Reference: DBParm.ini - CyberArk, section “Main parameters”
Answer:
Explanation:
The PTA can perform automatic password change as a type of remediation in case of a suspected credential theft security event. According to the CyberArk documentation [1], "Rotate credentials - for OverPass the Hash attack and Suspected credentials theft events." This means that the PTA can initiate a password change request to the CPM for the affected account, which will generate a new random password and update it on the target system and the Vault. This way, the PTA can prevent the attacker from using the stolen credentials to access the target system or launch further attacks.
Reference: Configure PTA Remediations - CyberArk, section “Remediation Initiation”
Answer:
Explanation:
A logon account can be specified in the platform settings of CyberArk, a security software that manages privileged accounts and credentials. According to the CyberArk documentation [1], "In the Account Details window, in the CPM pane, in the accounts section, you can associate either a logon account or a reconciliation account. If a default logon account has been configured for the platform that manages this account, that account is listed. You can associate another logon account or leave the default account as it is." A logon account is an account that is used to log on to a target system and perform password management operations on other accounts. A reconciliation account is an account that is used to restore access to a target system when the logon account fails.
Answer:
Explanation:
The Use Accounts permission enables Safe members to log in to a remote machine through a PSM connection from the Accounts List or the Account Details page. The List Accounts permission enables Safe members to view the Accounts list. However, to show or copy the password, the Safe members also need the Retrieve Accounts permission, which allows them to view and copy the account value in the Account Details page or the Accounts list. Therefore, the combination of Use Accounts and List Accounts will allow end users to log in to a remote machine transparently but not show or copy the password.
Reference: Safe Members - CyberArk [1], section “Permissions”
Safes and Safe members - CyberArk [2], section “Safe members overview”
Answer:
Explanation:
tsparm.ini is not the main configuration file for the Vault. It is one of the several configuration files that control the initial settings and method of operation of the Server. The main configuration file for the Vault is DBParm.ini, which contains the general parameters of the database, such as the Vault name, the Vault IP address, the Vault port, the encryption algorithm, the log retention, and the debug mode.
Reference: Defender PAM Sample Items Study Guide, page 9, question 92
CyberArk Privileged Access Security Implementation Guide, page 75, section “DBParm.ini”
CyberArk Vault Server Parameter Files, page 1, section “TSParm.ini”
Answer:
Explanation:
The address field of an Account is used to identify the target system where the Account is located. The CPM uses this address to connect to the target system and perform password management operations. Therefore, the address field can be any name that is resolvable on the CPM server, such as an FQDN, an IP address, a NetBIOS name, or a custom name defined in the hosts file of the CPM server.
Reference: Defender PAM Sample Items Study Guide, page 9, question 91
CyberArk Privileged Access Security Implementation Guide, page 75, section “Address”
Answer:
Explanation:
The Privileged Account Compliance Status report shows the compliance status of all privileged accounts in the Vault, based on the expiration date and password change policy. This report can help identify accounts that are past their expiration dates and need to be updated or removed.
Reference: [Defender PAM Sample Items Study Guide], page 18, question 90
[CyberArk Privileged Access Security Documentation], version 12.3, Reports Guide, page 27, Privileged Account Compliance Status report
Answer:
Explanation:
According to the CyberArk Defender PAM documentation [1], the Master user is the only user that can access all passwords in the Vault. The Master user is a special user that is created during the initial installation of the Vault and has full permissions on all Safes and accounts in the Vault. The Master user can also perform administrative tasks, such as backup and restore the Vault, change the Vault license, and manage the recovery key. The Master user is the only user that can log on to the Vault in case of a disaster using the recovery key. The Master user’s password is not stored in the Vault and cannot be changed or retrieved by any other user.
The Administrator user is a predefined user that is created during the initial installation of the Vault and has the Vault Admin authorization. The Administrator user can perform administrative tasks, such as create and manage users and groups, define platforms and policies, and monitor Vault activity. However, the Administrator user cannot access any passwords in the Vault unless they are explicitly added as a member of a Safe that contains the passwords [2].
The Vault administrators group is a predefined group that is created during the initial installation of the Vault and has the Vault Admin authorization. The members of the Vault administrators group can perform the same administrative tasks as the Administrator user, but they cannot access any passwords in the Vault unless they are explicitly added as a member of a Safe that contains the passwords [2].
The auditors group is a predefined group that is created during the initial installation of the Vault and has the Audit Users authorization. The members of the auditors group can view and generate reports on the Vault activity, but they cannot access any passwords in the Vault unless they are explicitly added as a member of a Safe that contains the passwords [2].
Reference: Master User - CyberArk
Predefined users and groups - CyberArk
Answer:
Explanation:
According to the web search results, when a DR Vault Server becomes an active vault, it will not automatically revert to DR mode once the Primary Vault comes back online. The Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file [1]. This file is located in the /opt/CARKaim/conf directory on the DR Vault machine [2]. The Vault administrator must also stop the replication process on the DR Vault and restart the PrivateArk Server service [1]. This procedure is known as a DR failback, which restores the original roles of the Primary Vault and the DR Vault after a failover [1]. The AllowFailback setting in the padr.ini file does not affect the DR failback process, as it only determines whether the DR Vault can be used as a backup for another DR Vault in a cascading DR scenario [3]. The dbparm.ini file is not relevant for the DR failback process, as it contains the database parameters for the Vault server.
Reference: Initiate a DR failback to the Production Vault - CyberArk
Install the Disaster Recovery application - CyberArk
Cascading DR - CyberArk
[dbparm.ini file - CyberArk]
Answer:
Explanation:
According to the web search results, within the Vault each password is encrypted by its own unique key. This key is generated by the Vault when the password is added to the Vault and is stored in the Vault’s database. The password key is encrypted by the safe key, which is the key of the safe that contains the password. The safe key is encrypted by the server key, which is the key that opens the Vault. The server key is encrypted by the public recovery key, which is part of the asymmetric recovery key that enables the Master User to log on to the Vault in case of a disaster. This layered encryption scheme ensures that each password is protected by multiple keys and that no single key can compromise the security of the Vault.