Networking - Chapter 13: Hardening and Update Management

Match the authentication factor types on the left with the appropriate authentication factor on the right. (You can use each authentication factor type more than once.) Drag: A. Something you know B. Something you have C. Something you are D. Somewhere you are E. Something you do Drop: 1. PIN 2. Smart card 3. Password 4. Retina scan 5. Fingerprint scan 6. Hardware token 7. Voice recognition 8. Wi-Fi triangulation 9. Typing behaviors

A-1 B-2 A-3 C-4 C-5 B-6 C-7 D-8 E-9

A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this? A. DHCP snooping B. IGMP snooping C. Dynamic ARP inspection D. Port security

A. DHCP snooping

Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.) A. Delete the account that the sales employees are currently using. B. Train sales employees to use their own user accounts to update the customer database. C. Implement a Group Policy Object (GPO) that restricts simultaneous logins to one. D. Apply the Group Policy Object (GPO) to the container where the sales employees' user accounts reside. F. Implement a Group Policy Object (GPO) that implements time-of-day login restrictions.

A. Delete the account that the sales employees are currently using. B. Train sales employees to use their own user accounts to update the customer database.

You are a contractor that has agreed to implement a new remote access solution based on a Windows Server 2016 system for a client. The customer wants to purchase and install a smart card system to provide a high level of security to the implementation. Which of the following authentication protocols are you MOST likely to recommend to the client? A. EAP B. CHAP C. MS-CHAP D. PPP

A. EAP

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take? A. Implement a granular password policy for the users in the Directors OU. B. Create a GPO linked to the Directors OU. Configure the password policy in the new GPO. C. Go to Active Directory Users and Computers. Select all user accounts in the Directors OU and then edit the user account properties to require longer password. D. Create a new domain. Then move the contents of the Directors OU to the new domain and configure the necessary password policy on that domain.

A. Implement a granular password policy for the users in the Directors OU.

Which of the following is a feature of MS-CHAPv2 that is not included in CHAP? A. Mutual authentication B. Three-way handshake C. Hashed shared secret D. Certificate-based authentication

A. Mutual authentication

You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access except to a special server that holds the patches the computers need to download. Which of the following components should be part of your solution? (Select two.) A. Remediation servers B. Screened subnet C. Honeypot D. Extranet E. 802.1x authentication

A. Remediation servers E. 802.1x authentication

Windows Update for Business (WUfB) lets you keep your devices current with the latest security upgrades and features. Which operating system releases does WUfB support? A. Windows 10 B. Windows 8 C. Windows 8 Home D. Windows 10 Home

A. Windows 10

Which of the following utilities could you use to lock a user account? (Select two.) A. passwd B. userdel C. usermod D. useradd E. ulimit

A. passwd C. usermod

An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the desired outcome? (Select two.) A. userdel -r bsmith B. userdel -x bsmith C. userdel bsmith;rm -rf /home/bsmith D. userdel bsmith F. userdel -h bsmith

A. userdel -r bsmith C. userdel bsmith;rm -rf /home/bsmith

What is WindowsUpdate.log? A. A log file that allows you to see enforced policies on your Windows 10 machine. B. A log file you can create and save in order to locate errors or problems. C. A log file that deploys updates to device groups over a deployment timeline. D. A log file that analyzes Windows Update Service, BITS, and Windows Network Diagnostics Service.

B. A log file you can create and save in order to locate errors or problems.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even stricter password policies than are required for other members in the Directors OU. What should you do? A. Create a granular password policy for Matt. Create a new group, make Matt a member of that group, and then apply the new policy directly to the new group. Make sure the new policy has a higher precedence value than the value for the existing policy. B. Create a granular password policy for Matt. Apply the new policy directly to Matt's user account. C. Create a granular password policy for Matt. Apply the new policy directly to Matt's user account. Remove Matt from the DirectorsGG group. D. Edit the existing password policy. Define exceptions for the required settings. Apply the exceptions to Matt's user account.

B. Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.

Which of the following are best practices for hardening a server? (Select three.) A. Set the account lockout threshold. B. Ensure that a host-based firewall is running. C. Disable inactive accounts. D. Apply the latest patches and service packs. E. Disable or uninstall unnecessary software. F. Require multiple authentication factors. G. Establish time-of-day restrictions.

B. Ensure that a host-based firewall is running. D. Apply the latest patches and service packs. E. Disable or uninstall unnecessary software.

Which of the following tools can you use to troubleshoot and validate Windows updates? (Select three.) A. Windows Server Troubleshooter B. Windows Update Troubleshooter C. Windows Server Update Service (WSUS) D. Device Manager E. Windows Transfer Service F. Windows Defender G. PowerShell

B. Windows Update Troubleshooter C. Windows Server Update Service (WSUS) G. PowerShell

Which of the following are true about Windows Update for Business? (Select three.) A. Windows Update for Business is a Group Policy management tool. B. Windows Update for Business works with all versions of Windows 10 except Windows 10 Home. C. Windows Update for Business can only be configured with Group Policy. D. Windows Update for Business provides the latest features for your Windows 10 devices, including security upgrades. E. Windows Update for Business can be configured with Group Policy, Mobile Device Management, or Systems Center Configuration Manager. F. Windows Update for Business provides the latest features for your Windows 10 devices, but it does not include security upgrades. G. Windows Update for Business works with all versions of Windows 10.

B. Windows Update for Business works with all versions of Windows 10 except Windows 10 Home. D. Windows Update for Business provides the latest features for your Windows 10 devices, including security upgrades. E. Windows Update for Business can be configured with Group Policy, Mobile Device Management, or Systems Center Configuration Manager.

For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within 10 minutes. What should you do? A. Configure day/time restrictions in user accounts B. Configure password policies in Group Policy C. Configure account lockout policies in Group Policy D. Configure the enable/disable feature in user accounts E. Configure account expiration in user accounts

C. Configure account lockout policies in Group Policy

You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do? A. Configure day/time settings in user accounts. B. Configure expiration settings in user accounts. C. Configure account policies in Group Policy. D. Configure account lockout policies in Group Policy.

C. Configure account policies in Group Policy.

Which of the following is a best practice for router security? A. Ensure that a host-based firewall is running. B. Install only the required software on the system. C. Disable unused protocols, services, and ports. D. Apply the latest patches and service packs.

C. Disable unused protocols, services, and ports.

Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take? A. Review company websites to see which type of sensitive information is being shared. B. Implement policies that restrict the sharing of sensitive company information on employees' personal social media pages. C. Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups. D. Limit the sharing of critical information in press releases, annual reports, product catalogs, or marketing materials.

C. Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.

You are configuring the Local Security Policy on a Windows system. You want to require users to create passwords that are at least 10 characters in length. You also want to prevent login after three unsuccessful login attempts. Which policies should you configure? (Select two.) A. Enforce password history B. Maximum password age C. Minimum password length D. Account lockout duration E. Account lockout threshold F. Password must meet complexity requirements

C. Minimum password length E. Account lockout threshold

Which of the following is a platform-independent authentication system that maintains a database of user accounts and passwords to centralize the maintenance of those accounts? A. RRAS B. NAS C. RADIUS D. EAP

C. RADIUS

Your Windows system is a member of a domain. Windows Update settings are being controlled through Group Policy. How can you determine whether a specific security update from Windows Update is installed on the computer? A. Check the Local Security Policy. B. Run the wuauclt.exe /listupdates command. C. Run the netsh winhttp import proxy source command. D. Go to Programs and Features in Control Panel.

D. Go to Programs and Features in Control Panel.

With Kerberos authentication, which of the following terms describes the token that verifies the user's identity to the target system? A. Coupon B. Hashkey C. Voucher D. Ticket

D. Ticket

You have a Windows 10 system. You have used the Settings app to access Windows Update. From this location, how long can you pause updates? A. 7 days B. 365 days C. 14 days D. 30 days

A. 7 days

Which of the following is a mechanism for granting and validating certificates? A. RADIUS B. PKI C. Kerberos D. AAA

B. PKI

Which of the following is an example of two-factor authentication? A. A token device and a PIN B. A fingerprint and a retina scan C. A passphrase and a PIN D. A username and a password

A. A token device and a PIN

Which type of security uses MAC addresses to identity devices that are allowed or denied a connection to a switch? A. Traffic shaping B. Secure Sockets Layer C. Port security D. MAC spoofing

C. Port security

Match the Network Access Protection (NAP) component on the left with its description on the right. Drag: A. NAP client B. NAP server C. Enforcement server (ES) D. Remediation server Drop: 1. Generates a Statement of Health (SoH) that reports the client configuration for health requirements. 2. Runs the System Health Validator (SHV) program. 3. Is clients' connection point to the network. 4. Contains resources accessible to non-compliant computers on a limited-access network.

1-A 2-B 3-C 4-D

You are in the process of implementing a Network Access Protection (NAP) infrastructure to increase your network security. You are currently configuring the remediation network that non-compliant clients will connect to in order to become compliant. The remediation network needs to be isolated from the secured network. Which technology should you implement to accomplish this task. A. Port security B. Network segmentation C. Virtual private network (VPN) D. Data encryption using PKI

B. Network segmentation

You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration? A. Users must change the password at least every 10 days. B. Users cannot change the password for 10 days. C. The password must be entered within 10 minutes of the login prompt being displayed. D. The password must contain 10 or more characters. E. The previous 10 passwords cannot be reused.

B. Users cannot change the password for 10 days.

While deploying Windows updates, when would you use the critical update ring? A. When deploying updates to users that want to stay on top of changes. B. When deploying updates to important systems (only after the update has been vetted). C. When deploying updates for any general user within the organization. D. When deploying updates to most of the organization in order to monitor for feedback.

B. When deploying updates to important systems (only after the update has been vetted).

When deploying Windows updates, when would you use the preview update ring? A. When deploying updates to most of the organization in order to monitor for feedback. B. When deploying updates to users that want to stay on top of changes. C. When deploying updates to important machines (only after the update has been vetted). D. When deploying updates for any general user within the organization.

B. When deploying updates to users that want to stay on top of changes.

Which EAP implementation is MOST secure? A. EAP-MD5 B. EAP-FAST C. LEAP D. EAP-TLS

D. EAP-TLS

You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug their computers in to the free network jacks and connect to the network, but you want employees who plug in to those same jacks to be able to connect to the network. Which feature should you configure? A. Spanning Tree B. Bonding C. Mirroring D. VLANs E. Port authentication

E. Port authentication

Match the port security MAC address type on the left with its description on the right. Drag: A. SecureConfigured B. SecureDynamic C. SecureSticky Drop: 1. A MAC address that is manually identified as an allowed address. 2. A MAC address that has been learned and allowed by the switch. 3. A MAC address that is manually configured or dynamically learned and is saved in the config file.

1-A 2-B 3-c

What does the Windows Update Delivery Optimization function do? A. Delivery Optimization provides you with Windows and Store app updates and other Microsoft products. B. Delivery Optimization lets you know when and if there are any urgent updates for your system and provides you with an option to download and install them. C. Delivery Optimization lets you set active hours to indicate normal use for your device. The device will not reboot to install updates during this time. D. Delivery Optimization lets you view the updates you have installed. It also lets you uninstall an update if needed.

A. Delivery Optimization provides you with Windows and Store app updates and other Microsoft products.

You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account? A. usermod -u joer B. usermod -L joer C. usermod -l joer D. usermod -d joer

B. usermod -L joer

Which of the following is the strongest form of multi-factor authentication? A. A password and a biometric scan B. Two-factor authentication C. Two passwords D. A password, a biometric scan, and a token device

D. A password, a biometric scan, and a token device

Which of the following actions typically involve the use of 802.1x authentication? (Select two.) A. Authenticating VPN users through the internet. B. Controlling access through a router. C. Authenticating remote access clients. D. Controlling access through a wireless access point. E. Controlling access through a switch.

D. Controlling access through a wireless access point. E. Controlling access through a switch.

A network switch is configured to perform the following validation checks on its port: * All Arp requests and responses are intercepted. * Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. * If the packet has a valid binding, the switch forwards the packet to the appropriate destination. * If the packet has an invalid binding, the switch drops the ARP packet. Which security feature was enabled on the switch to accomplish this task? A. IGMP snooping B. DHCP snooping C. Port security D. Dynamic ARP inspection

D. Dynamic ARP inspection