SPSCC_CNA121_Chpt_6_Windows_10_Security_Features
password policy
A collection of settings to control password characteristics such as length and complexity.
account lockout policy
A collection of settings, such as lockout duration, that control account lockouts.
Secedit
A command-line tool that is used to apply, export, or analyze security templates.
BitLocker Drive Encryption
A feature in Windows 10 that can encrypt the operating system partition of a hard drive and protect system files from modification. Other partitions can also be encrypted.
User Account Control (UAC)
A feature in Windows 10 that elevates user privileges only when required.
AppLocker
A feature in Windows 10 that is used to define which programs are allowed to run. This is a replacement for the software restriction policies found in Windows XP and Windows Vista, but it is not available in Windows 10 Pro or lower.
BitLocker To Go
A new feature in Windows 10 that allows you to encrypt removable storage.
hashing algorithm
A one-way encryption algorithm that creates a unique identifier that can be used to determine whether data has been changed.
local security policy
A set of security configuration options in Windows 10. These options are used to control user rights, auditing, password settings, and more.
hash encryption
A(n) ____ algorithm is one-way encryption, which means that it encrypts data, but the data cannot be decrypted.
symmetric encryption
A(n) ____ algorithm uses the same key to encrypt data and decrypt data.
security template
An .inf file that contains security settings that can be applied to a computer or analyzed against a computer's existing configuration.
Security Configuration and Analysis tool
An MMC snap-in that is used to apply, export, or analyze security templates.
application manifest
An XML file that describes the structure of an application, including required DLL files and privilege requirements.
application manifest
An ____ is used to describe the structure of an application and trigger UAC when required.
symmetric encryption algorithm
An encryption algorithm that uses the same key to encrypt and decrypt data.
asymmetric encryption algorithm
An encryption algorithm that uses two keys to encrypt and decrypt data. Data encrypted with one key is decrypted by the other key.
Encrypting File System (EFS)
An encryption technology for individual files and folders that can be enabled by users.
Windows Defender
Anti-malware software included with Windows 10.
Restore the user certificate from a backup copy. Another user that has access to open the file can decrypt it. Decrypt the file by using the recovery certificate.
How can you recover EFS-encrypted files if the user profile holding the digital certificate is accidentally deleted? Choose all that apply. a. Restore the file from backup. b. Restore the user certificate from a backup copy. c. Another user that has access to open the file can decrypt it. d. Decrypt the file by using the recovery certificate. e. Decrypt the file by using the EFS recovery snap-in.
Create default rules
How would you create AppLocker rules if you wanted to avoid updating the rules when most software is already installed? a. Manually create rules for each application b. Automatically generate rules c. Create default rules d. Download rule templates
malware
Malicious software designed to perform unauthorized acts on your computer. It includes viruses, worms, and spyware.
manifest
Newer Windows applications use an application ____ to describe the structure of an application.
Group Policy
The Local Security Policy is part of a larger Windows management system called _______ _______, which can be implemented on a local computer, but is typically part of a domain-based net- work.
user rights assignment
The _____ local policy controls the tasks users are allowed to perform.
Volume Master Key (VMK)
The key used to encrypt hard drive data when BitLocker Drive Encryption is enabled.
Full Volume Encryption Key (FVEK)
The key used to encrypt the Volume Master Key (VMK) when BitLocker Drive Encryption is enabled.
auditing
The security process that records the occurrence of specific operating system events in the Security log.
audit policy
The settings that define which operating system events are audited.
Windows Server Update Services (WSUS)
The standard Windows Update process can be modified to use ____.
Current Branch Business
This branch installs new builds four months after they are released to Current Branch and provides updates an additional four months after that. This branch is available only on Windows 10 Pro, Enterprise, and Education editions.
Long Term Servicing Branch
This branch is a specific edition of Windows 10 that does not receive feature updates. Windows Updates are provided for this branch for 10 years. This is meant for controlled environments, such as equipment controllers, where changes cannot be tolerated.
Current Branch
This servicing branch is maintained with updates for four months. Any computer configured to use this installs new builds immediately when released by Microsoft.
Windows Insider Preview Branch
This servicing branch is updated irregularly, but can be updated as often as once per week. Consider this branch beta software. It should be used only on test computers if you want an early look at new features.
Password must meet complexity requirements
This setting applies a number of tests to a new password to ensure that it is not too easy to guess or hack. This setting is enforced when a password change is made, but is not applied to existing passwords. The default value is Disabled.
Store passwords using reversible encryption
This setting controls how passwords are encrypted in the Security Accounts Manager (SAM) database that stores user credentials. By default, this setting is Disabled, and passwords are encrypted in a non-reversible format. Storing passwords by using reversible encryption is required only for compatibility with specific applications.
Account lockout duration
This setting determines how many minutes an account remains locked. The default value is 30 minutes; however, this value is not configured until the Account lockout threshold has been configured.
Account lockout threshold
This setting determines the number of incorrect sign-in attempts that must be performed before an account is locked. The default value is 0 invalid sign-in attempts, which means that account lockouts are disabled.
Reset account lockout counter after
This setting determines within what time frame the incorrect sign-in attempts must occur to trigger a lockout. The default value is 30 minutes; however, this value is not configured until the Account lockout threshold has been configured.
Maximum password age
This setting is the maximum amount of time that a user can keep the same password without changing it. Forcing password changes reduces the risk of a shared or hacked password being used over an extended period of time. The default value is 42 days.
Minimum password length
This setting is the minimum number of characters that must be in a password. In general, longer passwords are more secure. A minimum pass- word length of 6 or 8 characters is typical for most organizations. The default value is 0 characters.
Enforce password history
This setting is the number of password changes that must occur before a password can be reused. For example, if the setting is 3, a password can only be reused every third time. The default value is 0 passwords remembered and the maximum is 24 passwords remembered.
Minimum password age
This setting is the shortest amount of time that a user can use a password before changing it. A minimum password age is often used to ensure that users do not change their password several times in quick succession to continue using a single password. The default value is 0 days.
real-time scanning
To prevent malware installation, you should configure Windows Defender to perform _____.
Security
To which event log are audit events written? a. Application b. Security c. System d. Audit e. Advanced Audit
False
True or False: BitLocker Drive Encryption is user aware and can be used to protect individual files on a shared computer.
False
True or False: Evaluating DLL files for software restrictions has a minimal impact on performance because of caching.
True
True or False: To encrypt a file by using EFS, the file must be stored on an NTFS-formatted partition.
False
True or False: Windows Update can be configured to automatically update Windows Store apps.
Windows Insider Preview Branch, Current Branch, Current Branch for Business, and Long Term Servicing Branch
What are the four distinct servicing branches available with Windows 10?
• Cannot contain part of the user's account name • Must be at least six characters long • Must contain characters meeting three of the following characteristics: uppercase characters, lowercase characters, numerals (0-9), nonalphanumeric characters e.g., !, @, #, $
What are the password must meet complexity requirements?
Account lockout duration, account lockout threshold, and reset account lockout counter after.
What are the settings available in the Account Lockout Policy?
secure desktop
What are you disabling when you configure UAC to not dim the desktop? a. Admin Approval Mode b. file and registry virtualization c. user-initiated prompts d. secure desktop
You get an access-denied error.
What happens if you do not have access to decrypt an encrypted file if you attempt to copy or move the file to a FAT partition, FAT32 partition, or floppy disk.
It becomes unencrypted if you have access to decrypt the file.
What happens to an encrypted file copied or moved to a FAT partition, FAT32 partition, or floppy disk?
It remains encrypted.
What happens to an encrypted file copied or moved to an unencrypted folder?
It becomes encrypted.
What happens to an unencrypted file copied or moved to an encrypted folder?
Defer Upgrades and Updates
What is the name of the Group Policy setting that configures Windows Update for Business? a. Defer Upgrades and Updates b. Windows Update for Business c. Windows Update Delay d. Enterprise Windows Update e. Windows Update Deployment
The Password Policy and the Account Lockout Policy
What two policies are contained in the Account Policies category of the Local Security Policy?
Reset account lockout counter after
Which account lockout policy setting is used to configure the time frame in which incorrect logon attempts must be conducted before an account is locked out? a. Account lockout duration b. Account lockout threshold c. Reset account lockout counter after d. Account lockout release period
You must use a USB drive to store the startup PIN.
Which of the following is not true about BitLocker Drive Encryption? a. BitLocker Drive Encryption requires at least two disk partitions. b. BitLocker Drive Encryption is designed to be used with a TPM. c. Two encryption keys are used to protect data. d. Data is still encrypted when BitLocker Drive Encryption is disabled. e. You must use a USB drive to store the startup PIN.
passw0rd$ and a1batr0$$
Which of the following passwords meet complexity requirements? Choose all that apply. a. passw0rd$ b. ##$$@@ c. ake1vyue d. a1batr0$$ e. A%5j
Minimum password age
Which password policy setting should you use to prevent users from reusing their passwords too quickly? a. Maximum password age b. Minimum password age c. Minimum password length d. Password must meet complexity requirements e. Store passwords using reversible encryption
User Account Control (UAC)
Which security feature in Windows 10 prevents malware by limiting user privilege levels? a. Windows Defender b. User Account Control (UAC) c. Microsoft Security Essentials d. Service SIDs
Long Term Servicing Branch
Which servicing branch for Windows Update should be used for computers where changes cannot be tolerated? a. Windows Insider Preview Branch b. Current Branch c. Current Branch for Business d. Long Term Servicing Branch e. Stable Service Branch
Hash
Which type of AppLocker rule condition can uniquely identify any file regardless of its location? a. Publisher b. Hash c. Network zone d. Path
Symmetric
Which type of encryption is the fastest, strongest, and best suited to encrypting large amounts of information? a. Symmetric b. 128 bit c. Asymmetric d. Hash e. Public key
Secedit and Security Configuration and Analysis tool
Which utilities can be used to compare the settings in a security template against a computer configuration? Choose all that apply. a. Secedit b. Windows Defender c. Security Templates snap-in d. Group Policy Object Editor e. Security Configuration and Analysis tool
Security templates
____ are .inf files that contain settings that correspond with the Account Policies and Local Policies in the local security policy.
Software restriction policies
____ are used to define which programs are allowed or disallowed in the system.
Auditing
____ is the security process that records the occurrence of specific operating system events in the Security log.
