chapter 6
Listen to exam instructions In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
!
Which chage option keeps a user from changing their password every two weeks?
-m 33
Using the groupadd -p command overrides the settings found in which file?
/etc/login.defs
Which of the following ports are used with TACACS?
49
You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port does this action use?
636
Which ports does LDAP use by default? (Select two.)
636 389
What is mutual authentication?
A process by which each party in an online communication verifies the identity of the other party.
Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login?
Access token
What is the MOST important aspect of a biometric device?
Accuracy
What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?
Active Directory
There are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as: Use Windows features such as BitLocker, Offline Files, and Parental Controls Customize the Start menu, taskbar, or desktop environment Control notifications Restrict access to Control Panel features Configure Internet Explorer features and options What are these settings known as?
Administrative templates
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC)
RADIUS is primarily used for what purpose?
Authenticating remote clients before access to the network is granted
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?
Authentication and authorization
What is the process of controlling access to resources such as computers, files, or printers called?
Authorization
Which of the following account types is a cloud-based identity and access management service that provides access to both internal and external resources?
Azure AD
A smart card can be used to store all but which of the following items?
Biometric template original
Listen to exam instructions KWalletManager is a Linux-based credential management system that stores encrypted account credentials for network resources. Which encryption methods can KWalletManager use to secure account credentials? (Select two.)
Blowfish GPG
Click on the object in the TESTOUTDEMO.com Active Directory domain that is used to manage individual desktop workstation access.
CORPWS7
You manage a group of 20 Windows workstations that are currently configured as a workgroup. You have been thinking about switching to an Active Directory configuration. Which advantages would there be to switching to Active Directory? (Select two.)
Centralized authentication Centralized configuration control
You are consulting a small startup company that needs to know which kind of Windows computer network model they should implement. The company intends to start small with only 12 employees, but they plan to double or triple in size within 12 months. The company founders want to make sure they are prepared for growth. Which networking model should they implement?
Client-server
Which of the following are networking models that can be used with the Windows operating system? (Select two.)
Client-server Workgroup
Which of the following is a password that relates to things that people know, such as a mother's maiden name or a pet's name?
Cognitive
For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within ten minutes. What should you do?
Configure account lockout policies in Group Policy
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?
Configure account policies in Group Policy
You have hired ten new temporary employees to be with the company for three months. How can you make sure that these users can only log on during regular business hours?
Configure day/time restrictions in user accounts
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which action should you take?
Create a GPO computer policy for the computers in the Development OU.
You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options. What should you do?
Create a GPO user policy for the Administrators OU.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even more strict password policies than are required for other members in the Directors OU. What should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account
A manager has told you she is concerned about her employees writing their passwords for websites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment. Which tool could you use to prevent this behavior?
Credential Manager
Audit trails produced by auditing activities are which type of security control?
Detective
What should you do to a user account if the user goes on an extended vacation?
Disable the account
Which of the following is a characteristic of TACACS+?
Encrypts the entire packet, not just authentication packets
You want to implement an access control list in which only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following methods of access control should the access list use?
Explicit allow, implicit deny
Software attacks Eavesdropping Fault generation Microprobing
Exploits vulnerabilities in a card's protocols or encryption methods Captures transmission data produced by a card as it is used Deliberately induces malfunctions in a card Accesses the chip's surface directly to observe, manipulate, and interfere with a circuit
Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system?
False negative
Which of the following objects identifies a set of users with similar access needs?
Group
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
Have Marcus log off and log back in.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take?
Implement a granular password policy for the users in the Directors OU.
John, a user, is attempting to install an application but receives an error that he has insufficient privileges. Which of the following is the MOST likely cause?
John has a local standard user account.
Group Policy Objects (GPOs) are applied in which of the following orders?
Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to organizational unit (highest to lowest).
Mary, a user, is attempting to access her OneDrive from within Windows and is unable to. Which of the following would be the MOST likely cause?
Mary needs to log in with a Microsoft account.
Which of the following account types uses a single sign-on system that lets you access Windows, Office 365, Xbox Live, and more?
Microsoft
You are configuring the Local Security Policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again. Which policies should you configure? (Select two.)
Minimum password age Enforce password history
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
Mutual authentication
Which of the following principles is implemented in a mandatory access control model to determine object access by classification level?
Need to Know
Logical organization of resources Collection of network resources Collection of related domain trees Network resource in the directory Group of related domains
Organizational unit domain forest object tree
Which of the following authentication protocols transmits passwords in cleartext and, therefore, is considered too unsecure for modern networks?
PAP
What type of password is maryhadalittlelamb?
Passphrase
Which of the following identifies the type of access that is allowed or denied for an object?
Permissions
Which of the following are examples of Something You Have authentication controls? (Select two.)
Photo ID Smart card
What is the primary purpose of separation of duties?
Prevent conflicts of interest
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?
Principle of least privilege
Which of the following is an example of privilege escalation?
Privilege creep
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
RADIUS TACACS+
Which of the following are differences between RADIUS and TACACS+?
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers.
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used?
RBAC
You often travel away from the office. While traveling, you would like to use your laptop computer to connect directly to a server in your office and access files. You want the connection to be as secure as possible. Which type of connection do you need?
Remote access
What does a remote access server use for authorization?
Remote access policies
Which account type in Linux can modify hard limits using the ulimit command?
Root
Which of the following is an example of rule-based access control?
Router access control lists that allow or deny traffic based on the characteristics of an IP packet.
Which of the following is used by Microsoft for auditing in order to identify past actions performed by users on an object?
SACL
You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?
SASL
Which type of group can be used for controlling access to objects?
Security
What is the effect of the following command? chage -M 60 -W 10 jsmith
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before expiration.
Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages. However, she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is MOST likely preventing her from accessing this system?
She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions.
PIN Smart card Password Retina scan Fingerprint scan Hardware token Passphrase Voice recognition Wi-Fi triangulation Typing behaviors
Something You Know Something You Have Something You Know Something You Are Something You Are Something You have Something You Know Something You Are Somewhere You Are Something You do
You are teaching new users about security and passwords. Which of the following is the BEST example of a secure password?
T1a73gZ9!
The Hide Programs and Features page setting is configured for a specific user as follows: Policy Setting Local Group Policy Enabled Default Domain Policy GPO Not configured GPO linked to the user's organizational unit Disabled After logging in, the user is able to see the Programs and Features page. Why does this happen?
The GPO linked to the user's organizational unit is applied last, so this setting takes precedence.
Which of the following defines the crossover error rate for evaluating biometric systems?
The point where the number of false positives matches the number of false negatives in a biometric system.
You are attempting to delete the temp group but are unable to. Which of the following is the MOST likely cause?
The primary group of an existing user cannot be deleted.
When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user's identity to the target system?
Ticket
A user has just authenticated using Kerberos. Which object is issued to the user immediately following login?
Ticket-granting ticket
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)
Train sales employees to use their own user accounts to update the customer database. Delete the account that the sales employees are currently using.
Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?
Use SSL
Which security mechanism uses a unique list that meets the following specifications: The list is embedded directly in the object itself. The list defines which subjects have access to certain objects. The list specifies the level or type of access allowed to certain objects.
User ACL
Which of the following is a privilege or action that can be taken on a system?
User rights
Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system?
Username
Which of the following is used for identification?
Username
You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?
Users cannot change the password for 10 days
Which of the following are characteristics of TACACS+? (Select two.)
Uses TCP Allows three different servers (one each for authentication, authorization, and accounting)
Which of the following are disadvantages of biometrics? (Select two.)
When used alone, they are no more secure than a strong password. They have the potential to produce numerous false negatives.
Which networking model is based on peer-to-peer networking?
Workgroup
You are a contract support specialist managing the computers in a small office. You see that all the computers are only using local user accounts. Which of the following models could this office be using? (Select two.)
Workgroup Standalone
You have a group named Research on your system that needs a new password because a member of the group has left the company. Which of the following commands should you use?
gpasswd Research
Which of the following commands creates a new group and defines the group password?
groupadd -p
You are the administrator for a small company, and you need to add a new group of users to the system. The group's name is sales. Which command accomplishes this task?
groupadd sales
You have a group named temp_sales on your system. The group is no longer needed, so you should remove it. Which of the following commands should you use?
groupdel temp_sales
You want to see which primary and secondary groups the dredford user belongs to. Enter the command you would use to display group memberships for dredford.
groups dredford
You are configuring a small workgroup. You open System Properties on each computer that will be part of the workgroup. Click the System Properties options you can use to configure each computer's workgroup association. (Select two. Each option is part of a complete solution.)
network id change
Which of the following commands is used to change the current group ID during a login session?
newgrp
You suspect that the gshant user account is locked. Enter the command you would use in a shell to show the status of the user account.
passwd -S gshant
Which of the following commands would you use to view the current soft limits on a Linux machine?
ulimit -a
You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account. However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password. Click the option you would use in the New Object - User dialog to remedy this situation.
user must change password at next login
An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the required outcome? (Select two.)
userdel bsmith;rm -rf /home/bsmith userdel -r bsmith
Which of the following utilities could you use to lock a user account? (Select two.)
usermod passwd
Which of the following commands removes a user from all secondary group memberships?
usermod -G ""
You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?
usermod -L joer
Which of the following commands assigns a user to a primary group?
usermod -g
One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones with no other values changed. Which of the following commands would accomplish this?
usermod -l kjones kscott
