ch 13
Match the authentication factor types on the left with the appropriate authentication factor on the right. (You can use each authentication factor type more than once.)
PIN: Something you know
Smart card: Something you have
Password: Something you know
Retina scan: Something you are
Fingerprint scan: Something you are
Hardware token: Something you have
Username: Something you know
Voice recognition: Something you are
Wi-Fi triangulation: Somewhere you are
Typing behaviors: Something you do
Which of the following is a mechanism for granting and validating certificates?
PKI
An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the desired outcome? (Select two.)
userdel bsmith;rm -rf /home/bsmith
userdel -r bsmith
You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?
usermod -L joer
What is WindowsUpdate.log?
A log file you can create and save in order to locate errors or problems.
Which of the following is the strongest form of multi-factor authentication?
A password, a biometric scan, and a token device
Which of the following is an example of two-factor authentication?
A token device and a PIN
Which of the following are best practices for hardening a server? (Select three.)
Apply the latest patches and service packs. Disable or uninstall unnecessary software. Ensure that a host-based firewall is running.
For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within 10 minutes. What should you do?
Configure account lockout policies in Group Policy
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?
Configure account policies in Group Policy.
Which of the following actions typically involve the use of 802.1x authentication? (Select two.)
Controlling access through a switch. Controlling access through a wireless access point.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even stricter password policies than are required for other members in the Directors OU. What should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.
A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this?
DHCP snooping
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)
Delete the account that the sales employees are currently using.
Train sales employees to use their own user accounts to update the customer database.
What does the Windows Update Delivery Optimization function do?
Delivery Optimization provides you with Windows and Store app updates and other Microsoft products.
Which of the following is a best practice for router security?
Disable unused protocols, services, and ports.
A network switch is configured to perform the following validation checks on its ports: All ARP requests and responses are intercepted. Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. If the packet has a valid binding, the switch forwards the packet to the appropriate destination. If the packet has an invalid binding, the switch drops the ARP packet. Which security feature was enabled on the switch to accomplish this task?
Dynamic ARP inspection
You are a contractor that has agreed to implement a new remote access solution based on a Windows Server 2016 system for a client. The customer wants to purchase and install a smart card system to provide a high level of security to the implementation. Which of the following authentication protocols are you MOST likely to recommend to the client?
EAP
Your Windows system is a member of a domain. Windows Update settings are being controlled through Group Policy. How can you determine whether a specific security update from Windows Update is installed on the computer?
Go to Programs and Features in Control Panel.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take?
Implement a granular password policy for the users in the Directors OU.
Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?
Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.
You are configuring the Local Security Policy on a Windows system. You want to require users to create passwords that are at least 10 characters in length. You also want to prevent login after three unsuccessful login attempts. Which policies should you configure? (Select two.)
Minimum password length
Account lockout threshold
Which of the following is a feature of MS-CHAPv2 that is not included in CHAP?
Mutual authentication
Match the Network Access Protection (NAP) component on the left with its description on the right.
NAP client: Generates a Statement of Health (SoH) that reports the client configuration for health requirements.
NAP server: Runs the System Health Validator (SHV) program.
Enforcement server (ES): Is clients' connection point to the network.
Remediation server: Contains resources accessible to non-compliant computers on a limited-access network.
Which of the following is a platform-independent authentication system that maintains a database of user accounts and passwords to centralize the maintenance of those accounts?
RADIUS
With Kerberos authentication, which of the following terms describes the token that verifies the user's identity to the target system?
Ticket
While deploying Windows updates, when would you use the critical update ring?
When deploying updates to important systems (only after the update has been vetted).
When deploying Windows updates, when would you use the preview update ring?
When deploying updates to users that want to stay on top of changes.
Windows Update for Business (WUfB) lets you keep your devices current with the latest security upgrades and features. Which operating system releases does WUfB support?
Windows 10
Which of the following are true about Windows Update for Business? (Select three.)
Windows Update for Business can be configured with Group Policy, Mobile Device Management, or Systems Center Configuration Manager. Windows Update for Business provides the latest features for your Windows 10 devices, including security upgrades. Windows Update for Business works with all versions of Windows 10 except Windows 10 Home.
You have a Windows 10 system. You have used the Settings app to access Windows Update. From this location, how long can you pause updates?
7 days
You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access except to a special server that holds the patches the computers need to download. Which of the following components should be part of your solution? (Select two.)
802.1x authentication
Remediation servers
Match the port security MAC address type on the left with its description on the right.
SecureConfigured: A MAC address that is manually identified as an allowed address.
SecureDynamic: A MAC address that has been learned and allowed by the switch.
SecureSticky: A MAC address that is manually configured or dynamically learned and is saved in the config file.
Which EAP implementation is MOST secure?
EAP-TLS
You are in the process of implementing a Network Access Protection (NAP) infrastructure to increase your network's security. You are currently configuring the remediation network that non-compliant clients will connect to in order to become compliant. The remediation network needs to be isolated from the secure network. Which technology should you implement to accomplish this task?
Network segmentation
You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug their computers in to the free network jacks and connect to the network, but you want employees who plug in to those same jacks to be able to connect to the network. Which feature should you configure?
Port authentication
Which type of security uses MAC addresses to identify devices that are allowed or denied a connection to a switch?
Port security
Which of the following tools can you use to troubleshoot and validate Windows updates? (Select three.)
PowerShell
Windows Update Troubleshooter
Windows Server Update Service (WSUS)
You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?
Users cannot change the password for 10 days.
Which of the following utilities could you use to lock a user account? (Select two.)
passwd
usermod