GW_SYO 501- 4.0 Identity and Access Management
A. Generate an X.509-compliant certificate that is signed by a trusted CA. D. Ensure port 636 is open between the clients and the servers using the communication. Lightweight Directory Access Protocol (LDAP) is a protocol for reading and writing directories over an IP network. Since LDAPS uses TLS, it requires certificates. The X.509 standard is the most widely used standard for digital certificates. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.
QUESTION 11 A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Select two.) A. Generate an X.509-compliant certificate that is signed by a trusted CA. B. Install and configure an SSH tunnel on the LDAP server. C. Ensure port 389 is open between the clients and the servers using the communication. D. Ensure port 636 is open between the clients and the servers using the communication. E. Remove the LDAP directory service role from the server.
B. TACACS+ Terminal Access Controller Access-Control System Plus. An authentication service that provides central authentication for remote access clients. It can be used as an alternative to RADIUS. One of the key differentiators of TACACS+ is its ability to separate authentication, authorization and accounting as separate and independent functions. This is why TACACS+ is so commonly used for device administration, even though RADIUS is still certainly capable of providing device administration AAA.
QUESTION 114 Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use? A. RADIUS B. TACACS+ C. Diameter D. Kerberos
C. Deny the former employee's request, as a password reset would give the employee access to all network resources.
QUESTION 136 An organization uses SSO authentication for employee access to network resources. When an employee resigns, as per the organization's security policy, the employee's access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action? A. Approve the former employee's request, as a password reset would give the former employee access to only the human resources server. B. Deny the former employee's request, since the password reset request came from an external email address. C. Deny the former employee's request, as a password reset would give the employee access to all network resources. D. Approve the former employee's request, as there would not be a security issue with the former employee gaining access to network resources.
A. RADIUS A RADIUS (Remote Authentication Dial-In User Service) server uses a protocol called 802.1X, which governs the sequence of authentication-related messages that go between the user's device, the wireless access point (AP), and the RADIUS server. If you see 802.1X and RADIUS together, choose RADIUS.
QUESTION 234 A system administrator needs to implement 802.1x whereby when a user logs into the network, the authentication server communicates to the network switch and assigns the user to the proper VLAN. Which of the following protocols should be used? A. RADIUS B. Kerberos C. LDAP D. MSCHAP
A. PAP (Password Authentication Protocol) C. MSCHAP (the Microsoft version of the Challenge-Handshake Authentication Protocol). The company is currently using the following configuration: - IAS server with certificate-based EAP-PEAP and MSCHAP <-- - Unencrypted authentication via PAP <-- Look at the marked lines above and then at what the question is asking: "Which of the following forms of authentication ARE BEING USED?" (present tense). ANSWER: PAP and MSCHAP, as stated initially.
QUESTION 25 A company is currently using the following configuration: - IAS server with certificate-based EAP-PEAP and MSCHAP - Unencrypted authentication via PAP A security administrator needs to configure a new wireless setup with the following configurations: - PAP authentication method - PEAP and EAP provide two-factor authentication Which of the following forms of authentication are being used? (Select two.) A. PAP B. PEAP C. MSCHAP D. PEAP-MSCHAP E. EAP F. EAP-PEAP Correct Answer: AC
D. Authentication Single sign-on, or passive authentication, provides seamless authentication to a user for network resources and internet access without entering user credentials multiple times.
QUESTION 264 During an application design, the development team specifies an LDAP module for single sign-on communication with the company's access control database. This is an example of which of the following? A. Application control B. Data in-transit C. Identification D. Authentication
A. SAML
QUESTION 296 Which of the following is commonly used for federated identity management across multiple organizations? A. SAML B. Active Directory C. Kerberos D. LDAP
B. It uses tickets to identify authenticated users Kerberos is a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user might not be able to access resources. Microsoft Active Directory domains and Unix realms use Kerberos for authentication.
QUESTION 299 A security administrator is evaluating three different services: RADIUS, Diameter, and Kerberos. Which of the following is a feature that is UNIQUE to Kerberos? A. It provides authentication services B. It uses tickets to identify authenticated users C. It provides single sign-on capability D. It uses XML for cross-platform interoperability
B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233 Lightweight Directory Access Protocol, or LDAP, is used to authenticate and authorize users. LDAP is an X.500-based authentication service used to identify objects. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com The well-known port for LDAP is TCP 389. Both UDP and TCP transmission can be used for this port. TCP and UDP 636: Secure or SSL LDAP.
QUESTION 308 A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to log on to network devices using their LDAP credentials. All commands executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement? A. LDAP server 10.55.199.3 B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233 C. SYSLOG SERVER 172.16.23.50 D. TACACS server 192.168.1.100 Correct
D. TACACS+ Terminal Access Controller Access-Control System Plus. Authentication and authorization are separate in TACACS+. It also supports two methods to control the authorization of router commands on a per-user or per-group basis. In RADIUS, authentication and authorization are combined, and RADIUS also does not support controlling access to router CLI commands.
QUESTION 326 Which of the following can be used to control specific commands that can be executed on a network infrastructure device? A. LDAP B. Kerberos C. SAML D. TACACS+
B. Use of active directory federation between the company and the cloud-based service Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company's network. It authenticates users with their usernames and passwords. These applications can be local, on the cloud, or even hosted by other companies. Microsoft Active Directory uses Kerberos for authentication.
QUESTION 327 Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses an SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? A. Use of OATH between the user and the service and attestation from the company domain B. Use of active directory federation between the company and the cloud-based service C. Use of smartcards that store X.509 keys, signed by a global CA D. Use of a third-party, SAML-based authentication service for attestation
B. SAML authentication D. Multifactor authentication. Both are about authenticating securely to the platform. It is authorization that deals with which data you will have access to once you are authenticated. The question clearly states secure access to "data stored in the cloud", not securing the data on the platform or the data in transit.
QUESTION 336 Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) A. Block level encryption B. SAML authentication C. Transport encryption D. Multifactor authentication E. Predefined challenge questions F. Hashing Answer: BD
A. Open ID Connect OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. SAML is independent of OAuth, relying on an exchange of messages to authenticate in the XML-based SAML format.
QUESTION 374 An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A. Open ID Connect B. SAML C. XACML D. LDAP
A. SAML OAuth authorizes through tokens and does not authenticate at all. The user usually authenticates via OpenID. SAML is an authentication standard.
QUESTION 378 A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A. SAML B. LDAP C. OAuth D. Shibboleth
A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. A: SAML—Security Assertion Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
QUESTION 412 A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations? A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. B. Provide customers with a constrained interface to manage only their users' accounts in the company's active directory server. C. Provide a system for customers to replicate their users' passwords from their authentication service to the company's. D. Use SOAP calls to support authentication between the company's product and the customers' authentication servers.
A. TACACS+ D. RADIUS
QUESTION 458 An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2
D. RADIUS federation RADIUS generally includes 802.1X that pre-authenticates devices.
QUESTION 461 A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation
C. Implement SSO.
QUESTION 47 An organization finds that most help desk calls are regarding account lockout due to a variety of applications running on different systems. Management is looking for a solution to reduce the number of account lockouts while improving security. Which of the following is the BEST solution for this organization? A. Create multiple application accounts for each user. B. Provide secure tokens. C. Implement SSO. D. Utilize role-based access control.
B. Disable NTLM NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and NTLM2 Session. They use a Message Digest hashing algorithm to challenge users and check their credentials. Microsoft specifically recommends that developers do not select one of these protocols. NTLM remains vulnerable to the pass-the-hash attack, which is a variant of the reflection attack. The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which, through a lack of salting, are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.
QUESTION 473 A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerberos D. Disable PAP
B. Federation
QUESTION 495 Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources? A. Attestation B. Federation C. Single sign-on D. Kerberos
B. Single sign-on
QUESTION 497 An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal? A. Transitive trust B. Single sign-on C. Federation D. Secure token
B. SSO
QUESTION 526 A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? A. Multifactor authentication B. SSO C. Biometrics D. PKI E. Federation
C. Implement Kerberos
QUESTION 598 A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP B. Use NTLM authentication C. Implement Kerberos D. Use MSCHAP authentication
B. RADIUS federation
QUESTION 6 Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices? A. Shibboleth B. RADIUS federation C. SAML D. OAuth E. OpenID Connect
B. RADIUS A RADIUS (Remote Authentication Dial-In User Service) server uses a protocol called 802.1X, which governs the sequence of authentication-related messages that go between the user's device, the wireless access point (AP), and the RADIUS server. Identity and Access Management = IAM
QUESTION 616 A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM processes. Which of the following configurations should the security administrator set up in order to complete this request? A. LDAP B. RADIUS C. SAML D. NTLM
C. OAuth OAuth is an open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter.
QUESTION 635 Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. SSH C. OAuth D. MSCHAP
B. MSCHAP C. PEAP MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol. Two of the most common EAP methods, EAP-TLS and PEAP-MSCHAPv2, are widely used and accepted as secure authentication methods. With PEAP-MSCHAPv2, the user must enter their credentials, which are sent to the RADIUS server; it verifies the credentials and authenticates the user for network access.
QUESTION 650 A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Choose two.) A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML
A. Single sign-on B. Federation
QUESTION 75 Which of the following technologies employ the use of SAML? (Select two.) A. Single sign-on B. Federation C. LDAP D. Secure token E. RADIUS
C. The portal will request an authentication ticket from each network that is transitively trusted. D. The back-end networks will function as an identity provider and issue an authentication assertion.
QUESTION 81 A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, which of the following will occur when users try to authenticate to the portal? (Select two.) A. The portal will function as a service provider and request an authentication assertion. B. The portal will function as an identity provider and issue an authentication assertion. C. The portal will request an authentication ticket from each network that is transitively trusted. D. The back-end networks will function as an identity provider and issue an authentication assertion. E. The back-end networks will request authentication tickets from the portal, which will act as the third-party service provider authentication store. F. The back-end networks will verify the assertion token issued by the portal functioning as the identity provider.
D. EAP The RADIUS client prompts the user for their authentication details, such as a username and password or a digital certificate. Certificate-based authentication is available if the RADIUS product supports EAP.
QUESTION 815 A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs? A. CCMP B. TKIP C. WPS D. EAP