Chapter 2 - Access control and Identity
In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
!
RADIUS is primarily used for what purpose?
Authenticating remote clients before access to the network is granted
Which of the following is the term for the process of validating a subject's identity?
Authentication
Need to know is required to access which types or resources?
Compartmentalized resources
For users on your network, you want to automatically lock their user accounts if four incorrect passwords are used within 10 minutes. What should you do?
Configure account lockout policies in Group Policy
Which of the following is not an important aspect of password management?
Enable account lockout
You suspect that the gshant user account is locked. Which command will show the status of the user account? (Tip: Enter the command as if at the command prompt.)
passwd -S gshant
Which of the following advantages can Single Sign-On (SSO) provide? (Select two).
- Access to all authorized resources with a single instance of authentication - The elimination of multiple user accounts and passwords for an individual
Which of the following are characteristics of TACACS+? (Select two.)
- Allows for a possible of three different servers, one each for authentication, authorization, and accounting - Uses TCP
You are configuring the local security policy of a Windows 7 system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least 5 days before changing it again. Which policies should you configure? (Select two.)
- Minimum password age - Enforce password history
You are configuring the local security policy of a Windows 7 system. You want to require users to create passwords that are at least 10 characters long. You also want to prevent logon after three unsuccessful logon attempts. Which policies should you configure? (Select two.)
- Minimum password length - Account lockout threshold
Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type can be used more than once.
- PIN: Something you know - Smart Card: Something you have - Password: Something you know - Retina Scan: Something you are - Fingerprint scan: Something you are - Hardware token: Something you have - Passphrase: Something you know - Voice recognition: Something you are - Wi-Fi triangulation: Somewhere you are - Typing behaviors: Something you do
Which of the following are examples of Type II authentication credentials? (Select two).
- Photo ID - Smart card
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
- RADIUS - TACACS+
Which of the following are examples of single sign-on authentication solutions? (Select two.)
- SESAME - Kerberos
The mathematical algorithm used by HMAC-based One-Time Passwords (HOTP) relies on two types of information to generate a new password based on the previously generated password. Which information is used to generate the new password? (Select two.)
- Shared secret - Counter
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. each response is a part of a complete solution.)
- Train sales employees to use their own user accounts to update the customer database. - Delete the account that the sales employees are currently using.
An employee named Bob Smith, with a user name of bsmith, has left the company. You have been instructed by your supervisor to delete his user account along with his home directory. Which of the following commands would produce the required outcome? (Choose all that apply)
- userdel -r bsmith - userdel bsmith;rm -rf /home/bsmith
Which of the following utilities would you typically use to lock a user account? ( Select two. Each answer represents an independent solution.)
- usermod - passwd
Which chage option keeps a user from changing password every two weeks?
-m 33
Which file should you edit to limit the amount of concurrent logins for a specific user? (Tip: Enter the full path to the file.)
/etc/security/limits.conf
1. Software Attacks 2. Eavesdropping 3. Fault Generation 4. Microprobing
1. Exploiting vulnerabilities in the card's protocols or encryption methods 2. Capturing transmission data produced by the card as it is used 3. Deliberately inducing malfunctions in the card 4. Accessing the chip surface directly to observe, manipulate, and interfere with the circuit
Which of the following ports are used with TACACS?
49
Which of the following is the strongest form of multi-factor authentication?
A password, a biometric scan, and a token device
Which of the following is an example of two-factor authentication?
A token device and a PIN
Which of the following is stronger than any biometric authentication factor?
A two-factor authentication
Which of the following is the best example of remote access authentication?
A user establishes a dialup connection to a server to gain access to shared resources
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. Users and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You would like to define a granular password policy for these users. Which tool should you use?
ADSI Edit
Which of the following terms describes the component that is generated following authentication and which is used to gain access to resources following logon?
Access token
Tom Plask's user account has been locked because he entered too many incorrect passwords. You need to unlock the account. Click the tab in the properties of the Tom Plask user object you would use to unlock his account.
Account
A remote access user needs to gain access to resources on the server. Which of the processes are performed by the remote access server to control access to resources?
Authentication and authorization
Click on the object in the TESTOUTDEMO.com Active Directory domain that is used to manage desktop workstation access.
CORPWS7
You want to make sure that all users have passwords over 8 characters and that passwords must be changed every 30 days. What should you do?
Configure account policies in Group Policy
You have hired 10 new temporary workers who will be with the company for 3 months. You want to make sure that these users can only log on during regular business hours. What should you do?
Configure day/time restrictions in the user accounts
You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. Which of the following would be a required part of your configuration?
Configure the remote access servers as RADIUS clients.
The Brewer-Nash model is designed primarily to prevent?
Conflicts of interest
The Clark-Wilson model is primarily based on?
Controlled intermediary access applications
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which should you do?
Create a GPO computer policy for the computers in the Development OU.
You manage a single domain named widgets.com. Organization units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer. He would like his account to have even more strict password policies than is required for other members in the Directors OU. Which should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. Users and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which should you do?
Create a granular password policy. Apply the policy to all users in the Directors OU.
Which of the following is an example of privilege escalation?
Creeping privileges
Which form of access control enforces security based on user identities and allows individual users to define access controls over ownded resources?
DAC
You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
DAC
Which of the following defines an object as used in access control?
Data, applications, systems, networks, and physical space.
What should be done to a user account if the user goes on an extended vacation?
Disable the account
Which of the following is a characteristic of TACACS+?
Encrypts the entire packet, not just authentication packets
You want to implement an access control list where only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following will the access list use?
Explicit allow, implicit deny
Which of the following terms is used to describe an event in which a person is denied access to a system when they should be allowed to enter?
False negative
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
Have Marcus log off and log back on
Computer policies include a special category called user rights. Which action do they allow an administrator to perform?
Identify users who can perform maintenance tasks on computers in an OU.
Discretionary Access Control (DAC) manages access to resources using what primary element or aspect?
Identity
Which statement is true regarding application of GPO settings?
If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting will be applied.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. Users and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which should you do?
Implement a granular password policy for the users in the Directors OU.
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone not on the list?
Implicit deny
You are concerned that the accountant in your organization might have the chance to modify the books and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any ireegularities. Which solution should you implement?
Job rotation
Which of the following authentication methods uses tickets to provide single sign-on?
Kerberos
Within the /etc/security/limits.conf file, you notice the following entry: @guests hard maxlogins 3 What effect does the line have on the Linux system?
Limits the number of max logins from the guest group to three.
Which of the following is the single best rule to enforce when designing complex passwords?
Longer passwords
In which form of access control environment is access controlled by rules rather than by identity?
MAC
Which type of access control focuses on assigning privileges based on security clearance and data sensitivity?
MAC
Tom Plask was recently transferred to the Technical Support department. He now needs access to the network resources used by Support employees. To do this, you need to add Tom Plask's user account to the Support group in the Active Directory domain. Click the tab in the properties of the Tom Plask user object you would use to accomplish this.
Member of
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
Mutual authentication
Which of the following principles is implemented in a mandatory access control model to determine access to an object using classification levels?
Need to know
Which is the star property of Bell-LaPadula?
No write down
You are the network administrator in a small nonprofit organization. Currently, an employee named Craig Jenkins handles all help desk calls for the organization. In recent months, the volume of help desk calls has exceeded what Craig can manage alone, so an additional help desk employee has been hired to carry some of the load. Currently, permissions to network resources are assigned directly to Craig's user object. Because the new employee needs exactly the same level of access, you decide to simply copy Craig's Active Directory domain user object and rename it with the new employee's name. Will this strategy work?
No, permissions are not copied when a user account is copied.
CHAP performs which of the following security functions?
Periodically verifies the identity of a peep using a three-way handshake
What is the primary purpose of separation of duties?
Prevent conflicts of interest
Separation of duties is an example of which type of access control?
Preventive
By assigning access permissions so that users can only access those resources which are required to accomplish their specific work tasks, you would be in compliance with?
Principle of least privilege
Which of the following are differneces between RADIUS and TACACS+?
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers.
You have implemented an access control method that allows only users who are managers to access specific data. Which type of access control model is used?
RBAC
What does a remote access server use for authorization?
Remote access policies
Which access control model manages rights and permissions based on job descriptions and responsibilities?
Role Based Access Control (RBAC)
What form of access control is based on job descriptions?
Role-based access control (RBAC)
Which type of media reparation is sufficient for media that will be reused in a different security context within your organization?
Sanitization
Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
Separation of duties
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which principle should you implement to accomplish this goal?
Separation of duties
What is the effect of the following command? chage -M 60 -W 10 jsmith
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires.
Which of the following is a hardware device that contains identification information and which can be used to control building access or computer logon?
Smart card
A device which is synchronized to an authentication server uses which type of authentication?
Synchronous token
You are teaching new users about security and passwords. Which example of the passwords would be the most secure password?
T1a73gZ9!
Which of the following protocols can be used to centralize remote access authentication?
TACACS
You have implemented account lockout with a clipping level of 4. What will be the effect of this setting?
The account will be locked after 4 attempts.
The mathematical algorithm used to generate Time-based One-Time Passwords (TOTP) uses a shared secret and a counter to generate unique, one-time passwords. Which event causes the counter to increment when creating TOTP passwords?
The passage of time
Which of the following defines the crossover rate for evaluating biometric systems?
The point where the number of false positive matches the number of false negatives in a biometric system.
Which of the following is an example of three-factor authentication?
Token device, keystroke analysis, cognitive question
Which security mechanism uses a unique list for each object embedded directly in the object itself that defines which subjects have access to certain objects and the level or type of access allowed?
User ACL
Which of the following is typically not included in an access token?
User account password
You are creating a new Active Directory domain user account for the Robert Tracy user account. During the account setup process, you assigned a password to the new account. However, you know that for security reasons the system administrator should not know any user's password. Only the user should know his or her own password - no one else. Click the option you would use in the New Object - User dialog to remedy this situation.
User must change password at next logon
Which of the following is used for identification?
Username
You have just configured the password policy and set the minimum password age to 10. What will be the effect of this configuration?
Users cannot change the password for 10 days.
Which of the following is an example of a decentralized privilege management solution?
Workgroup
What chage command should you use to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires? (Tip: Enter the command as if at the command prompt.)
chage -M 60 -W 10 jsmith
You are the adminstrator for a small company. You need to add a new group of users, named sales, to the system. Which command will accomplish this?
groupadd sales
You have a group named temp_sales on your system. The group is no longer needed, and you should remove the group. Which of the following commands should you use?
groupdel temp_sales
Due to a merger with another company, standardization is now being imposed throughout the company. As a result of this, the sales group must be renamed marketing. Which of the following commands will accomplish this?
groupmod -n marketing sales
A user with an account name of larry has just been terminated from the company. There is a good reason to believe that the user will attempt to access and damage the files in the system in the very near future. Which command below will disable or remove the user account from the system and remove his home directory?
userdel -r larry
One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones, but no other values change. Which of the following commands will accomplish this?
usermod -I kjones kscott
You have performed an audit and have found active accounts for employees who no longer work for the company. You want to disable those accounts. What command example will disable a user accounts?
usermod -L joer
