To change the safe where recordings are kept for a specific platform, which setting must you update in the platform configuration?
Correct Answer:
A
To change the safe where recordings are kept for a specific platform, you must update the SessionRecorderSafe setting in the platform configuration. This setting specifies the name of the safe where the Privileged Session Manager (PSM) recordings will be stored. After updating the SessionRecorderSafe setting, you need to restart the PSM service or wait for the new settings to be applied, which typically takes about 10 minutes. Once the new settings are in effect, any new PSM sessions initiated will have their recordings stored in the newly specified safe.
References:
✑ CyberArk Docs - How to Create/Change/Configure PSM Recording Safes
Refer to the exhibit.
Why is user "EMEALevel2Support" unable to change the password for user "Operator"?
Correct Answer:
D
The image description indicates that “EMEALevel2Support” has the following rights: Add/Update Users, Manage Server File Categories, Manage Directory Mapping, Backup All Files, Restore All Files. Since there is no mention of the right to reset passwords for other users, this suggests that “EMEALevel2Support” lacks the necessary permission to change the password for “Operator”.
A Reconcile Account can be specified in the Master Policy.
Correct Answer:
B
A Reconcile Account is not specified in the Master Policy, but in the Platform settings. The Master Policy defines the general password management settings for all the accounts in the Vault, such as the frequency of password rotation and verification. The Platform settings define the specific password management settings for each type of target system, such as the password complexity and the Reconcile Account.
References:
✑ Defender PAM course, Module 2: Password Management, Lesson 2: Master Policy and Platforms, slide 8
✑ Defender PAM course, Module 2: Password Management, Lesson 3: Reconcile and Logon Accounts, slide 2
✑ Defender PAM Sample Items Study Guide, Question 37
✑ CyberArk Privileged Access Security Documentation, Password Management - Master Policy
✑ CyberArk Privileged Access Security Documentation, Password Management - Platforms
Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)
Correct Answer:
AC
The following statements are not true when enabling PSM recording for a target Windows server:
✑ A. The PSM software must be installed on the target server. This is not true, because the PSM software is installed on a dedicated server that acts as a proxy between the user and the target server. The PSM server intercepts the user’s connection request, initiates the connection to the target server, and records the privileged session. The target server does not need to have the PSM software installed on it [1].
✑ C. PSMConnect must be added as a local user on the target server. This is not true, because PSMConnect is a predefined user that is created on the PSM server during the installation. This user is used to establish the connection between the PSM server and the target server, and to run the PSM processes. The target server does not need to have a local user named PSMConnect on it [2].
The following statements are true when enabling PSM recording for a target Windows server:
✑ B. PSM must be enabled in the Master Policy (either directly, or through exception). This is true, because the Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance driven rules that are defined as the baseline for the enterprise. One of the rules in the Master Policy is the Session Isolation rule, which determines whether or not privileged sessions are isolated and recorded by PSM. This rule can be enabled either directly in the Master Policy, or through an exception for a specific scope of accounts [3].
✑ D. RDP must be enabled on the target server. This is true, because RDP is the protocol that is used by PSM to connect to Windows servers. The target server must have RDP enabled and configured properly to allow the PSM server to access it. The PSM server must also have the RDP client installed on it [4].
References:
✑ 1: Privileged Session Manager
✑ 2: PSMConnect and PSMAdminConnect
✑ 3: Session Isolation
✑ 4: Configure RDP for PSM
Time of day or day of week restrictions on when password verifications can occur are configured in ____.
Correct Answer:
C
Time of day or day of week restrictions on when password verifications can occur are configured in the Safe settings. This is a security feature that prevents Safes from being opened except at certain times (e.g., 8 a.m. to 5 p.m.). If a user tries to enter at a time that has not been designated for access, they will receive a message that informs them that the Safe is unavailable. References: Advanced Safe Management