CompTIA SY0-401 - Topic 5, Access Control and Identity Management
QUESTION NO: 945 Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning? A. A recent security breach in which passwords were cracked. B. Implementation of configuration management processes. C. Enforcement of password complexity requirements. D. Implementation of account lockout procedures.
Answer: A Explanation: A password only needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion.
QUESTION NO: 867 Which of the following relies on the use of shared secrets to protect communication? A. RADIUS B. Kerberos C. PKI D. LDAP
Answer: A Explanation: Obfuscated passwords are transmitted by the RADIUS protocol via a shared secret and the MD5 hashing algorithm.
QUESTION NO: 960 A password history value of three means which of the following? A. Three different passwords are used before one can be reused. B. A password cannot be reused once changed for three years. C. After three hours a password must be re-entered to continue. D. The server stores passwords in the database for three days.
Answer: A Explanation: Password History defines the number of unique new passwords a user must use before an old password can be reused.
QUESTION NO: 944 The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk? A. Enforce password rules requiring complexity. B. Shorten the maximum life of account passwords. C. Increase the minimum password length. D. Enforce account lockout policies.
Answer: A Explanation: Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character complexity, the more resistant it is to brute force attacks.
QUESTION NO: 868 Ann has taken over as the new head of the IT department. One of her first assignments was to implement AAA in preparation for the company's new telecommuting policy. When she takes inventory of the organizations existing network infrastructure, she makes note that it is a mix of several different vendors. Ann knows she needs a method of secure centralized access to the company's network resources. Which of the following is the BEST service for Ann to implement? A. RADIUS B. LDAP C. SAML D. TACACS+
Answer: A Explanation: The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service.
QUESTION NO: 921 An organization has introduced token-based authentication to system administrators due to risk of password compromise. The tokens have a set of numbers that automatically change every 30 seconds. Which of the following type of authentication mechanism is this? A. TOTP B. Smart card C. CHAP D. HOTP
Answer: A Explanation: Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. In this case, it's every 30 seconds.
QUESTION NO: 912 A Chief Information Security Officer (CISO) wants to implement two-factor authentication within the company. Which of the following would fulfill the CISO's requirements? A. Username and password B. Retina scan and fingerprint scan C. USB token and PIN D. Proximity badge and token
Answer: C Explanation: Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics In this question, a USB token is a possession factor (something the user has) and a PIN is a knowledge factor (something the user knows).
QUESTION NO: 888 A user ID and password together provide which of the following? A. Authorization B. Auditing C. Authentication D. Identification
Answer: C Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.
QUESTION NO: 916 A company with a US-based sales force has requested that the VPN system be configured to authenticate the sales team based on their username, password and a client side certificate. Additionally, the security administrator has restricted the VPN to only allow authentication from the US territory. How many authentication factors are in use by the VPN system? A. 1 B. 2 C. 3 D. 4
Answer: C Explanation: Three different types of authentication factors have been used in this question: Something you know - username and password. Something you have - client side certificate. Somewhere you are - authentication to the VPN is only allowed from the U.S. territory.
QUESTION NO: 869 Which of the following is mainly used for remote access into the network? A. XTACACS B. TACACS+ C. Kerberos D. RADIUS
Answer: D Explanation: Most gateways that control access to the network have a RADIUS client component that communicates with the RADIUS server. Therefore, it can be inferred that RADIUS is primarily used for remote access.
QUESTION NO: 923 LDAP and Kerberos are commonly used for which of the following? A. To perform queries on a directory service B. To store usernames and passwords for Federated Identity C. To sign SSL wildcard certificates for subdomains D. To utilize single sign-on capabilities
Answer: D Explanation: Single sign-on is usually achieved via the Lightweight Directory Access Protocol (LDAP), although Kerberos can also be used.
QUESTION NO: 930 HOTSPOT For each of the given items, select the appropriate authentication category from the dropdown choices. Instructions: When you have completed the simulation, please select the Done button to submit.
Answer: Explanation: Select the ppropri:)te authentication type for the following it•ms: Item Response Retina sc.1n Smart c.1rd Hardware Token " Something you hilv• Something you know ISomething you : ..re I All given : .uthentication categories v !Something youhove] Something you know Something you o.re All given authentic; .tion categories " ISomething you h.1ve I Something you know Something vou are All given outhenticotion cotegories P::.ssword v :>omething you hove Something you know I Something you are All given .1uthentic.1tion c.1tegories PIN number Fingerprint scan Something you are includes fingerprints, retina scans, or voice recognition. Something you have includes smart cards, token devices, or keys. Something you know includes a passwords, codes, PINs, combinations, or secret phrases. Somewhere you are includes a physical location s or logical addresses, such as domain name, an IP address, or a MAC address. Something you do includes your typing rhythm, a secret handshake, or a private knock. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 285
QUESTION NO: 908 HOTSPOT For each of the given items, select the appropriate authentication category from the drop down choices. Select the appropriate authentication type for the following items:
Answer: Explanation: Biometrics refers to a collection of physical attributes of the human body that can be used as identification or an authentication factor. Fingerprints and retinas are physical attributes of the human body. Two types of tokens exist, Time-based one-time password (TOTP) tokens and HMAC-based one- time password (HOTP). TOTP tokens generate passwords at fixed time intervals, whereas HOTP tokens generate passwords not based on fixed time intervals but instead based on a non- repeating one-way function, such as a hash or HMAC operation. Smart cards can have Multi-factor and proximity authentication embedded into it. PAP allows for two entities to share a password in advance and use the password as the basis of authentication. The same goes for PIN numbers. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 282, 285 http://en.wikipedia.org/wiki/Password_authentication_protocol#Working_cycle http://en.wikipedia.org/wiki/Smart_card#Security
QUESTION NO: 905 Which of the following security concepts can prevent a user from logging on from home during the weekends? A. Time of day restrictions B. Multifactor authentication C. Implicit deny D. Common access card
Answer: A Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion.
QUESTION NO: 883 An information bank has been established to store contacts, phone numbers and other records. An application running on UNIX would like to connect to this index server using port 88. Which of the following authentication services would this use this port by default? A. Kerberos B. TACACS+ C. Radius D. LDAP
Answer: A Explanation: Kerberos makes use of port 88.
QUESTION NO: 872 A security administrator has been tasked to ensure access to all network equipment is controlled by a central server such as TACACS+. This type of implementation supports which of the following risk mitigation strategies? A. User rights and permissions review B. Change management C. Data loss prevention D. Implement procedures to prevent data theft
Answer: A Explanation: Terminal Access Controller Access-Control System (TACACS, and variations like XTACACS and TACACS+) is a client/server-oriented environment, and it operates in a manner similar to RADIUS. Furthermore TACACS+ allows for credential to be accepted from multiple methods. Thus you can perform user rights and permission reviews with TACACS+.
QUESTION NO: 941 When Ann an employee returns to work and logs into her workstation she notices that, several desktop configuration settings have changed. Upon a review of the CCTV logs, it is determined that someone logged into Ann's workstation. Which of the following could have prevented this from happening? A. Password complexity policy B. User access reviews C. Shared account prohibition policy D. User assigned permissions policy
Answer: A Explanation: The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Since changes were made to Ann's desktop configuration settings while she was not at work, means that her password was compromised.
QUESTION NO: 914 Which of the following is an example of multifactor authentication? A. Credit card and PIN B. Username and password C. Password and PIN D. Fingerprint and retina scan
Answer: A Explanation: A credit card is a memory card that functions a type of two-factor authentication. The card is something you have, and its PIN is something you know. Multifactor authentication requires a user to provide two or more different types of authentication factors to prove their identity.
QUESTION NO: 894 Which of the following presents the STRONGEST access control? A. MAC B. TACACS C. DAC D. RBAC
Answer: A Explanation: A: With Mandatory Access Control (MAC) all access is predefined. This makes it the strongest access control of the options presented in the question.
QUESTION NO: 873 Which of the following services are used to support authentication services for several local devices from a central location without the use of tokens? A. TACACS+ B. Smartcards C. Biometrics D. Kerberos
Answer: A Explanation: ACACS allows a client to accept a username and password and send a query to a TACACS authentication server. It would determine whether to accept or deny the authentication request and send a response back. The TIP would then allow access or not based upon the response, not tokens.
QUESTION NO: 955 Which of the following security benefits would be gained by disabling a terminated user account rather than deleting it? A. Retention of user keys B. Increased logging on access attempts C. Retention of user directories and files D. Access to quarantined files
Answer: A Explanation: Account Disablement should be implemented when a user will be gone from a company whether they leave temporary or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account and that the user keys for that account are retained which would not be the case if the account was deleted from the system.
QUESTION NO: 954 Which of the following controls mitigates the risk of Matt, an attacker, gaining access to a company network by using a former employee's credential? A. Account expiration B. Password complexity C. Account lockout D. Dual factor authentication
Answer: A Explanation: Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
QUESTION NO: 928 Which of the following is best practice to put at the end of an ACL? A. Implicit deny B. Time of day restrictions C. Implicit allow D. SNMP string
Answer: A Explanation: An implicit deny clause is implied at the end of each ACL. This implies that if you aren't specifically granted access or privileges for a resource, you're denied access by default. The implicit deny clause is set by the system.
QUESTION NO: 927 Which of the following allows a network administrator to implement an access control policy based on individual user characteristics and NOT on job function? A. Attributes based B. Implicit deny C. Role based D. Rule based
Answer: A Explanation: Attribute-based access control allows access rights to be granted to users via policies, which combine attributes together. The policies can make use of any type of attributes, which includes user attributes, resource attributes and environment attributes.
QUESTION NO: 936 A network inventory discovery application requires non-privileged access to all hosts on a network for inventory of installed applications. A service account is created by the network inventory discovery application for accessing all hosts. Which of the following is the MOST efficient method for granting the account non-privileged access to the hosts? A. Implement Group Policy to add the account to the users group on the hosts B. Add the account to the Domain Administrator group C. Add the account to the Users group on the hosts D. Implement Group Policy to add the account to the Power Users group on the hosts.
Answer: A Explanation: Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). This means that if the GPO is linked to the domain, all Users groups in the domain will include the service account.
QUESTION NO: 897 Which of the following access controls enforces permissions based on data labeling at specific levels? A. Mandatory access control B. Separation of duties access control C. Discretionary access control D. Role based access control
Answer: A Explanation: In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label.
QUESTION NO: 880 Jane, a security administrator, has been tasked with explaining authentication services to the company's management team. The company runs an active directory infrastructure. Which of the following solutions BEST relates to the host authentication protocol within the company's environment? A. Kerberos B. Least privilege C. TACACS+ D. LDAP
Answer: A Explanation: Kerberos was accepted by Microsoft as the chosen authentication protocol for Windows 2000 and Active Directory domains that followed.
QUESTION NO: 895 A user reports being unable to access a file on a network share. The security administrator determines that the file is marked as confidential and that the user does not have the appropriate access level for that file. Which of the following is being implemented? A. Mandatory access control B. Discretionary access control C. Rule based access control D. Role based access control
Answer: A Explanation: Mandatory Access Control (MAC) allows access to be granted or restricted based on the rules of classification. MAC in corporate business environments involve the following four sensitivity levels Public Sensitive Private Confidential MAC assigns subjects a clearance level and assigns objects a sensitivity label. The name of the clearance level must be the same as the name of the sensitivity label assigned to objects or resources. In this case the file is marked confidential, and the user does not have that clearance level and cannot access the file.
QUESTION NO: 910 Use of a smart card to authenticate remote servers remains MOST susceptible to which of the following attacks? A. Malicious code on the local system B. Shoulder surfing C. Brute force certificate cracking D. Distributed dictionary attacks
Answer: A Explanation: Once a user authenticates to a remote server, malicious code on the user's workstation could then infect the server.
QUESTION NO: 864 Pete, a security auditor, has detected clear text passwords between the RADIUS server and the authenticator. Which of the following is configured in the RADIUS server and what technologies should the authentication protocol be changed to? A. PAP, MSCHAPv2 B. CHAP, PAP C. MSCHAPv2, NTLMv2 D. NTLM, NTLMv2
Answer: A Explanation: PAP transmits the username and password to the authentication server in plain text. MSCHAPv2 is utilized as an authentication option for RADIUS servers that are used for Wi-Fi security using the WPA-Enterprise protocol.
QUESTION NO: 900 A security technician is working with the network firewall team to implement access controls at the company's demarc as part of the initiation of configuration management processes. One of the network technicians asks the security technician to explain the access control type found in a firewall. With which of the following should the security technician respond? A. Rule based access control B. Role based access control C. Discretionary access control D. Mandatory access control
Answer: A Explanation: Rule-based access control is used for network devices, such as firewalls and routers, which filter traffic based on filtering rules.
QUESTION NO: 911 Employee badges are encoded with a private encryption key and specific personal information. The encoding is then used to provide access to the network. Which of the following describes this access control type? A. Smartcard B. Token C. Discretionary access control D. Mandatory access control
Answer: A Explanation: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that can include data regarding the authorized bearer. This data can then be used for identification and/or authentication purposes.
QUESTION NO: 877 Which of the following types of authentication packages user credentials in a ticket? A. Kerberos B. LDAP C. TACACS+ D. RADIUS
Answer: A Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
QUESTION NO: 913 A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage? A. Biometrics B. Mandatory access control C. Single sign-on D. Role-based access control
Answer: A Explanation: This question is asking about "authorization", not authentication. Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications. MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to most sensitive): Public Sensitive Private Confidential A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label—in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels). MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can't be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization. MAC isn't a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they're compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they're denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC
QUESTION NO: 919 Speaking a passphrase into a voice print analyzer is an example of which of the following security concepts? A. Two factor authentication B. Identification and authorization C. Single sign-on D. Single factor authentication
Answer: A Explanation: Two-factor authentication is when two different authentication factors are provided for authentication purposes. Speaking (Voice) - something they are. Passphrase - something they know. Which of the following BEST describes using a smart card and typing in a PIN to gain access to a system? A. Biometrics B. PKI C. Single factor authentication D. Multifactor authentication UnicornAnswer: D Explanation: Multifactor authentication requires a user to provide two or more authentication factors for authentication purposes. In this case, a smart card (something they have) is one and a PIN (something they know) is the second.
QUESTION NO: 959 A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO). A. Password age B. Password hashing C. Password complexity D. Password history E. Password length
Answer: A,D Explanation: D: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. A: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
QUESTION NO: 938 An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO). A. Password Complexity B. Password Expiration C. Password Age D. Password Length E. Password History
Answer: A,D Explanation: Passwords should have the strength to avoid discovery through attack, but it should also be easy enough for the user to remember. The length and complexity of a password combined are vital factors in defining a password's strength.
QUESTION NO: 889 The fundamental information security principals include confidentiality, availability and which of the following? A. The ability to secure data against unauthorized disclosure to external sources B. The capacity of a system to resist unauthorized changes to stored information C. The confidence with which a system can attest to the identity of a user D. The characteristic of a system to provide uninterrupted service to authorized users
Answer: B Explanation: Confidentiality, integrity, and availability, which make up the CIA triad, are the three most important concepts in security. In this instance, the answer describes the Integrity part of the CIA triad.
QUESTION NO: 922 A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend? A. CHAP B. TOTP C. HOTP D. PAP
Answer: B Explanation: Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. Therefore, the password will only be valid for a predefined time interval.
QUESTION NO: 907 Ann, the security administrator, wishes to implement multifactor security. Which of the following should be implemented in order to compliment password usage and smart cards? A. Hard tokens B. Fingerprint readers C. Swipe badge readers D. Passphrases
Answer: B Explanation: A multifactor authentication method uses two or more processes for logon. A twofactor method might use smart cards and biometrics for logon. For obvious reasons, the two or more factors employed should not be from the same category.
QUESTION NO: 956 During an audit, the security administrator discovers that there are several users that are no longer employed with the company but still have active user accounts. Which of the following should be performed? A. Account recovery B. Account disablement C. Account lockouts D. Account expiration
Answer: B Explanation: Account Disablement should be implemented when a user will be gone from a company whether they leave temporary or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account.
QUESTION NO: 953 ABC company has a lot of contractors working for them. The provisioning team does not always get notified that a contractor has left the company. Which of the following policies would prevent contractors from having access to systems in the event a contractor has left? A. Annual account review B. Account expiration policy C. Account lockout policy D. Account disablement
Answer: B Explanation: Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
QUESTION NO: 957 A hacker has discovered a simple way to disrupt business for the day in a small company which relies on staff working remotely. In a matter of minutes the hacker was able to deny remotely working staff access to company systems with a script. Which of the following security controls is the hacker exploiting? A. DoS B. Account lockout C. Password recovery D. Password complexity
Answer: B Explanation: B: Account lockout automatically disables an account due to repeated failed log on attempts. The hacker must have executed a script to repeatedly try logging on to the remote accounts, forcing the account lockout policy to activate.
QUESTION NO: 952 Which of the following is a BEST practice when dealing with user accounts that will only need to be active for a limited time period? A. When creating the account, set the account to not remember password history. B. When creating the account, set an expiration date on the account. C. When creating the account, set a password expiration date on the account. D. When creating the account, set the account to have time of day restrictions.
Answer: B Explanation: Disablement is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
QUESTION NO: 943 An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal? A. Add reverse encryption B. Password complexity C. Increase password length D. Allow single sign on
Answer: B Explanation: Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length produces strong passwords. Strong passwords are produced by the combination of a password's length and complexity.
QUESTION NO: 935 The system administrator is tasked with changing the administrator password across all 2000 computers in the organization. Which of the following should the system administrator implement to accomplish this task? A. A security group B. A group policy C. Key escrow D. Certificate revocation
Answer: B Explanation: Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO's include a number of settings related to credentials, such as password complexity requirements, password history, password length, account lockout settings.
QUESTION NO: 890 Which of the following is the difference between identification and authentication of a user? A. Identification tells who the user is and authentication tells whether the user is allowed to logon to a system. B. Identification tells who the user is and authentication proves it. C. Identification proves who the user is and authentication is used to keep the users data secure. D. Identification proves who the user is and authentication tells the user what they are allowed to do.
Answer: B Explanation: Identification is described as the claiming of an identity, and authentication is described as the act of verifying or proving the claimed identity.
QUESTION NO: 896 Which of the following common access control models is commonly used on systems to ensure a "need to know" based on classification levels? A. Role Based Access Controls B. Mandatory Access Controls C. Discretionary Access Controls D. Access Control List
Answer: B Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
QUESTION NO: 939 Which of the following passwords is the LEAST complex? A. MyTrain!45 B. Mytr@in!! C. MyTr@in12 D. MyTr@in#8
Answer: B Explanation: Password policies often enforce a minimum of three out of four standard character types, which includes uppercase and lowercase letters, numbers, and symbols. Although this option includes three of the four character types, it does not include numbers, which makes it less complex than the other options.
QUESTION NO: 903 Users require access to a certain server depending on their job function. Which of the following would be the MOST appropriate strategy for securing the server? A. Common access card B. Role based access control C. Discretionary access control D. Mandatory access control
Answer: B Explanation: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role.
QUESTION NO: 902 A company hired Joe, an accountant. The IT administrator will need to create a new account for Joe. The company uses groups for ease of management and administration of user accounts. Joe will need network access to all directories, folders and files within the accounting department. Which of the following configurations will meet the requirements? A. Create a user account and assign the user account to the accounting group. B. Create an account with role-based access control for accounting. C. Create a user account with password reset and notify Joe of the account creation. D. Create two accounts: a user account and an account with full network administration rights.
Answer: B Explanation: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. The IT administrator should, therefore, create an account with role- based access control for accounting for Joe.
QUESTION NO: 901 During the information gathering stage of a deploying role-based access control model, which of the following information is MOST likely required? A. Conditional rules under which certain systems may be accessed B. Matrix of job titles with required access privileges C. Clearance levels of all company personnel D. Normal hours of business operation
Answer: B Explanation: Role-based access control is a model where access to resources is determines by job role rather than by user account. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department. To configure role-based access control, you need a list (or matrix) of job titles (roles) and the access privileges that should be assigned to each role.
QUESTION NO: 886 Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties? A. LDAP B. SAML C. TACACS+ D. Kerberos
Answer: B Explanation: Security Assertion Markup Language (SAML) is an open-standard data format centred on XML. It is used for supporting the exchange of authentication and authorization details between systems, services, and devices.
QUESTION NO: 909 A network administrator uses an RFID card to enter the datacenter, a key to open the server rack, and a username and password to logon to a server. These are examples of which of the following? A. Multifactor authentication B. Single factor authentication C. Separation of duties D. Identification
Answer: B Explanation: Single-factor authentication (SFA) is a process for securing access to a given system by identifying the party requesting access via a single category of credentials. In this case, the network administrator makes use of an RFID card to access the datacenter, a key to access the server rack, and a username and password to access a server.
QUESTION NO: 931 In order for Sara, a client, to logon to her desktop computer, she must provide her username, password, and a four digit PIN. Which of the following authentication methods is Sara using? A. Three factor B. Single factor C. Two factor D. Four factor
Answer: B Explanation: Single-factor authentication is when only one authentication factor is used. In this case, Something you know is being used as an authentication factor. Username, password, and PIN form part of Something you know.
QUESTION NO: 870 A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
Answer: B Explanation: TACACS makes use of TCP port 49 by default.
QUESTION NO: 875 Which of the following authentication services should be replaced with a more secure alternative? A. RADIUS B. TACACS C. TACACS+ D. XTACACS
Answer: B Explanation: Terminal Access Controller Access-Control System (TACACS) is less secure than XTACACS, which is a proprietary extension of TACACS, and less secure than TACACS+, which replaced TACACS and XTACACS.
QUESTION NO: 933 Which of the following is a measure of biometrics performance which rates the ability of a system to correctly authenticate an authorized user? A. Failure to capture B. Type II C. Mean time to register D. Template capacity
Answer: B Explanation: Type II, or false acceptance rate (FAR), is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user.
QUESTION NO: 947 Which of the following should be done before resetting a user's password due to expiration? A. Verify the user's domain membership. B. Verify the user's identity. C. Advise the user of new policies. D. Verify the proper group membership.
Answer: B Explanation: When resetting a password, users have to establish their identity by answering a series of personal questions, using a hardware authentication token, or responding to a password notification e-mail. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided. This can be done from their workstation login prompt, or through a telephone call.
QUESTION NO: 887 Which of the following is an authentication method that can be secured by using SSL? A. RADIUS B. LDAP C. TACACS+ D. Kerberos
Answer: B Explanation: With secure LDAP (LDAPS), all LDAP communications are encrypted with SSL/TLS
QUESTION NO: 961 An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO). A. Length of password B. Password history C. Minimum password age D. Password expiration E. Password complexity F. Non-dictionary words
Answer: B,C Explanation: In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password. Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. When a user is forced to change his password due to a maximum password age period expiring, (the question states that the network requires that the passwords be changed every six weeks) he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
QUESTION NO: 906 A technician is reviewing the logical access control method an organization uses. One of the senior managers requests that the technician prevent staff members from logging on during nonworking days. Which of the following should the technician implement to meet managements request? A. Enforce Kerberos B. Deploy smart cards C. Time of day restrictions D. Access control lists
Answer: C Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours.
QUESTION NO: 918 One of the most basic ways to protect the confidentiality of data on a laptop in the event the device is physically stolen is to implement which of the following? A. File level encryption with alphanumeric passwords B. Biometric authentication and cloud storage C. Whole disk encryption with two-factor authentication D. BIOS passwords and two-factor authentication
Answer: C Explanation: Whole-disk encryption only provides reasonable protection when the system is fully powered off. to make the most of the defensive strength of whole-disk encryption, a long, complex passphrase should be used to unlock the system on bootup. Combining whole-disk encryption with two factor authentication would further increase protection.
QUESTION NO: 876 In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication
Answer: C Explanation: An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an authentication ticket, the client sends the ticket back to the server along with additional information verifying the client's identity. The server then issues a service ticket and a session key (which includes a form of password), completing the authorization process for that session. In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a given session is complete.
QUESTION NO: 915 Which of the following protocols provides for mutual authentication of the client and server? A. Two-factor authentication B. Radius C. Secure LDAP D. Biometrics
Answer: C Explanation: C: The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory. Because it is a client-server model it makes provision for mutual authentication between the two parties.
QUESTION NO: 937 A group policy requires users in an organization to use strong passwords that must be changed every 15 days. Joe and Ann were hired 16 days ago. When Joe logs into the network, he is prompted to change his password; when Ann logs into the network, she is not prompted to change her password. Which of the following BEST explains why Ann is not required to change her password? A. Ann's user account has administrator privileges. B. Joe's user account was not added to the group policy. C. Ann's user account was not added to the group policy. D. Joe's user account was inadvertently disabled and must be re-created.
Answer: C Explanation: Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO's include a number of settings related to credentials, which includes password expiration. Because Anne was not prompted to change her password, it could only mean that her user account was not added to the group policy.
QUESTION NO: 893 A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control? A. Implicit deny B. Role-based Access Control C. Mandatory Access Controls D. Least privilege
Answer: C Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
QUESTION NO: 926 A user attempting to log on to a workstation for the first time is prompted for the following information before being granted access: username, password, and a four-digit security pin that was mailed to him during account registration. This is an example of which of the following? A. Dual-factor authentication B. Multifactor authentication C. Single factor authentication D. Biometric authentication
Answer: C Explanation: Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics In this question a username, password, and a four-digit security pin knowledge are all knowledge factors (something the user knows). Therefore, this is single-factor authentication.
QUESTION NO: 866 Which of the following types of security services are used to support authentication for remote users and devices? A. Biometrics B. HSM C. RADIUS D. TACACS
Answer: C Explanation: RADIUS authentication phase takes place when a network client connects to a network access server (NAS) and provides authentication credentials. The NAS will then make use of the authentication credentials to issue a RADIUS authentication request to the RADIUS server, which will then exchange RADIUS authentication messages with the NAS.
QUESTION NO: 946 A security administrator is concerned about the strength of user's passwords. The company does not want to implement a password complexity policy. Which of the following can the security Administrator implement to mitigate the risk of an online password attack against users with weak passwords? A. Increase the password length requirements B. Increase the password history C. Shorten the password expiration period D. Decrease the account lockout time
Answer: C Explanation: Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion. This will give online password attackers less time to crack the weak passwords.
QUESTION NO: 949 An insurance company requires an account recovery process so that information created by an employee can be accessed after that employee is no longer with the firm. Which of the following is the BEST approach to implement this process? A. Employee is required to share their password with authorized staff prior to leaving the firm B. Passwords are stored in a reversible form so that they can be recovered when needed C. Authorized employees have the ability to reset passwords so that the data is accessible D. All employee data is exported and imported by the employee prior to them leaving the firm
Answer: C Explanation: Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator (or authorized person in this case) to change the value then the information/files/documents can be accessed. This is the safest way of recovery by an authorized person and is not dependent on those who leave the firm.
QUESTION NO: 951 A user has forgotten their account password. Which of the following is the BEST recovery strategy? A. Upgrade the authentication system to use biometrics instead. B. Temporarily disable password complexity requirements. C. Set a temporary password that expires upon first use. D. Retrieve the user password from the credentials database.
Answer: C Explanation: Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator to change the value for a user who has forgotten theirs. This new value allows the user to log in and then immediately change it to another value that they can (ideally) remember. Also setting a temporary password to expire upon first use will not allow a hacker the opportunity or time to use it.
QUESTION NO: 871 Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches? A. DIAMETER B. RADIUS C. TACACS+ D. Kerberos
Answer: C Explanation: TACACS+ is an authentication, authorization, and accounting (AAA) service that makes us of TCP only.
QUESTION NO: 879 A security administrator has installed a new KDC for the corporate environment. Which of the following authentication protocols is the security administrator planning to implement across the organization? A. LDAP B. RADIUS C. Kerberos D. XTACACS
Answer: C Explanation: The fundamental component of a Kerberos solution is the key distribution centre (KDC), which is responsible for verifying the identity of principles and granting and controlling access within a network environment through the use of secure cryptographic keys and tickets.
QUESTION NO: 940 A security administrator wants to check user password complexity. Which of the following is the BEST tool to use? A. Password history B. Password logging C. Password cracker D. Password hashing
Answer: C Explanation: The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Password-cracking tools compare hashes from potential passwords with the hashes stored in the accounts database. Each potential password is hashed, and that hash value is compared with the accounts database. If a match is found, the password- cracker tool has discovered a password for a user account.
QUESTION NO: 904 The company's sales team plans to work late to provide the Chief Executive Officer (CEO) with a special report of sales before the quarter ends. After working for several hours, the team finds they cannot save or print the reports. Which of the following controls is preventing them from completing their work? A. Discretionary access control B. Role-based access control C. Time of Day access control D. Mandatory access control
Answer: C Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion. In this case, the sales team is prevented from saving or printing reports after a certain time.
QUESTION NO: 958 Account lockout is a mitigation strategy used by Jane, the administrator, to combat which of the following attacks? (Select TWO). A. Spoofing B. Man-in-the-middle C. Dictionary D. Brute force E. Privilege escalation
Answer: C,D Explanation: Account lockout is a useful method for slowing down online password-guessing attacks. A dictionary attack performs password guessing by making use of a pre-existing list of likely passwords. A brute-force attack is intended to try every possible valid combination of characters to create possible passwords in the attempt to discover the specific passwords used by user accounts.
QUESTION NO: 863 Which of the following is an authentication service that uses UDP as a transport medium? A. TACACS+ B. LDAP C. Kerberos D. RADIUS
Answer: D Explanation: RADIUS runs in the application layer and makes use of UDP as transport.
QUESTION NO: 917 A company requires that a user's credentials include providing something they know and something they are in order to gain access to the network. Which of the following types of authentication is being described? A. Biometrics B. Kerberos C. Token D. Two-factor
Answer: D Explanation: Two-factor authentication is when two different authentication factors are provided for authentication purposes. In this case, "something they know and something they are".
QUESTION NO: 861 Jane, a security administrator, needs to implement a secure wireless authentication method that uses a remote RADIUS server for authentication. Which of the following is an authentication method Jane should use? A. WPA2-PSK B. WEP-PSK C. CCMP D. LEAP
Answer: D Explanation: A RADIUS server is a server with a database of user accounts and passwords used as a central authentication database for users requiring network access. The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.
QUESTION NO: 891 A network administrator has a separate user account with rights to the domain administrator group. However, they cannot remember the password to this account and are not able to login to the server when needed. Which of the following is MOST accurate in describing the type of issue the administrator is experiencing? A. Single sign-on B. Authorization C. Access control D. Authentication
Answer: D Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.
QUESTION NO: 862 Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective? A. CHAP B. SAML C. Kerberos D. Diameter
Answer: D Explanation: Diameter is an authentication, authorization, and accounting protocol that replaces the RADIUS protocol. Diameter Applications extend the base protocol by including new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP).
QUESTION NO: 898 Joe Has read and write access to his own home directory. Joe and Ann are collaborating on a project, and Joe would like to give Ann write access to one particular file in this home directory. Which of the following types of access control would this reflect? A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control
Answer: D Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner.
QUESTION NO: 899 The IT department has setup a share point site to be used on the intranet. Security has established the groups and permissions on the site. No one may modify the permissions and all requests for access are centrally managed by the security team. This is an example of which of the following control types? A. Rule based access control B. Mandatory access control C. User assigned privilege D. Discretionary access control
Answer: D Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner.
QUESTION NO: 934 Use of group accounts should be minimized to ensure which of the following? A. Password security B. Regular auditing C. Baseline management D. Individual accountability
Answer: D Explanation: Holding users accountable for their actions is part of security, and can only be achieved by users having their own user accounts. To adequately provide accountability, the use of shared or group accounts should be discouraged.
QUESTION NO: 929 Users report that they are unable to access network printing services. The security technician checks the router access list and sees that web, email, and secure shell are allowed. Which of the following is blocking network printing? A. Port security B. Flood guards C. Loop protection D. Implicit deny
Answer: D Explanation: Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. The scenario does not state that network printing is allowed in the router access list, therefore, it must be denied by default.
QUESTION NO: 948 The IT department has setup a website with a series of questions to allow end users to reset their own accounts. Which of the following account management practices does this help? A. Account Disablements B. Password Expiration C. Password Complexity D. Password Recovery
Answer: D Explanation: People tend to forget their own passwords and because a user's password in not stored on the operating system, only a hash value is kept and most operating systems allows the administrator to change the value meaning that the password can then be recovered. If you allow end users to reset their own accounts then the password recovery process is helped along.
QUESTION NO: 950 A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access. Which of the following is the BEST approach to implement this process? A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site. B. Require the customer to physically come into the company's main office so that the customer can be authenticated prior to their password being reset. C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password. D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.
Answer: D Explanation: People tend to forget their passwords, thus you should have a password recovery system for them that will not increase risk exposure. Setting a temporary password will restrict the time that the password is valid and thus decrease risk; and in addition forcing the customer to change it upon first login will make the password more secure for the customer.
QUESTION NO: 892 Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern? A. Mandatory vacations B. Time of day restrictions C. Least privilege D. Separation of duties
Answer: D Explanation: Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as conflict of interest prevention. For example, those who configure security should not be the same people who test security. In this case, Joe should not be allowed to write and sign paycheques.
QUESTION NO: 925 A company wants to ensure that all credentials for various systems are saved within a central database so that users only have to login once for access to all systems. Which of the following would accomplish this? A. Multi-factor authentication B. Smart card access C. Same Sign-On D. Single Sign-On
Answer: D Explanation: Single sign-on means that once a user (or other subject) is authenticated into a realm, re- authentication is not required for access to resources on any realm entity. Single sign-on is able to internally translate and store credentials for the various mechanisms, from the credential used for original authentication.
QUESTION NO: 924 After Ann, a user, logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. Which of the following is being described? A. Trusted OS B. Mandatory access control C. Separation of duties D. Single sign-on
Answer: D Explanation: Single sign-on means that once a user (or other subject) is authenticated into a realm, re- authentication is not required for access to resources on any realm entity. The question states that when Ann logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. This describes an SSO scenario.
QUESTION NO: 932 The security department has implemented a new laptop encryption product in the environment. The product requires one user name and password at the time of boot up and also another password after the operating system has finished loading. This setup is using which of the following authentication types? A. Two-factor authentication B. Single sign-on C. Multifactor authentication D. Single factor authentication
Answer: D Explanation: Single-factor authentication is when only one authentication factor is used. In this case, Something you know is being used as an authentication factor. Username, password, and PIN form part of Something you know.
QUESTION NO: 874 Which of the following protocols uses TCP instead of UDP and is incompatible with all previous versions? A. TACACS B. XTACACS C. RADIUS D. TACACS+
Answer: D Explanation: TACACS+ is not compatible with TACACS and XTACACS, and makes use of TCP.
QUESTION NO: 884 Which of the following was based on a previous X.500 specification and allows either unencrypted authentication or encrypted authentication through the use of TLS? A. Kerberos B. TACACS+ C. RADIUS D. LDAP
Answer: D Explanation: The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. A common usage of LDAP is to provide a "single sign on" where one password for a user is shared between many services, such as applying a company login code to web pages (so that staff log in only once to company computers, and then are automatically logged into the company intranet). LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite. A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS. Global Catalog is available by default on ports 3268, and 3269 for LDAPS. The client then sends an operation request to the server, and the server sends responses in return. The client may request the following operations: StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
QUESTION NO: 885 A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information DC=ServerName and DC=COM. Which of the following authentication services is being used? A. RADIUS B. SAML C. TACACS+ D. LDAP
Answer: D Explanation: The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. An entry can look like this when represented in LDAP Data Interchange Format (LDIF) (LDAP itself is a binary protocol): dn: cn=John Doe,dc=example,dc=com cn: John Doe givenName: John sn: Doe telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1232 mail: [email protected] manager: cn=Barbara Doe,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top "dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address, and "sn" for surname.
QUESTION NO: 865 RADIUS provides which of the following? A. Authentication, Authorization, Availability B. Authentication, Authorization, Auditing C. Authentication, Accounting, Auditing D. Authentication, Authorization, Accounting
Answer: D Explanation: The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service. It is for this reason that A, B, and C: are incorrect. References: http://en.wikipedia.org/wiki/RADIUS
QUESTION NO: 878 Which of the following authentication services requires the use of a ticket-granting ticket (TGT) server in order to complete the authentication process? A. TACACS+ B. Secure LDAP C. RADIUS D. Kerberos
Answer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
QUESTION NO: 881 Which of the following types of authentication solutions use tickets to provide access to various resources from a central location? A. Biometrics B. PKI C. ACLs D. Kerberos
Answer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved. Which of the following authentication services uses a ticket granting system to provide access? A. RADIUS B. LDAP C. TACACS+ D. Kerberos UnicornAnswer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
QUESTION NO: 942 After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO). A. Recovery B. User assigned privileges C. Lockout D. Disablement E. Group based privileges F. Password expiration G. Password complexity
Answer: F,G Explanation: Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days.
