EXAM CHAPTER 6
You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account. However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password. Click the option you would use in the New Object - User dialog to remedy this situation.
User must change password at next logon
Which of the following are networking models that can be used with the Windows operating system? (Select two.) - Active Directory - Domain controller - Workgroup - Client-server - Organizational unit
Workgroup Client-server
You want to see which primary and secondary groups the dredford user belongs to. Enter the command you would use to display group memberships for dredford.
groups dredford
Which of the following are disadvantages of biometrics? (Select two.) - Biometric factors for identical twins are the same. - When used alone, they are no more secure than a strong password. - They have the potential to produce numerous false negatives. - They require time synchronization. - They can be circumvented using a brute force attack.
- When used alone, they are no more secure than a strong password. - They have the potential to produce numerous false negatives.
Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login? - Access token - Cookie - Proxy - Account policy
Access token
What is the MOST important aspect of a biometric device? - Enrollment time - Size of the reference profile - Throughput - Accuracy
Accuracy The most important aspect of a biometric device is accuracy. If an access control device is not accurate, it does not offer reliable security. Enrollment time is how long it takes for a new user to be defined in the biometric database. Typically, an enrollment time less than two minutes is preferred. The size of the reference profile is irrelevant in most situations. Throughput is how many users a biometric device can scan and verify within a given time period. Typically, a throughput of 10 users per minute is preferred.
RADIUS is primarily used for what purpose? - Controlling entry-gate access using proximity sensors - Managing access to a network over a VPN - Authenticating remote clients before access to the network is granted - Managing RAID fault-tolerant drive configurations
Authenticating remote clients before access to the network is granted
Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system? - False acceptance - Error rate - False negative - False positive
False negative A false negative occurs when a person who should be allowed access is denied access.
Which of the following objects identifies a set of users with similar access needs? - Group - SACL - DACL - Permissions
Group
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do? - Manually refresh Group Policy settings on the file server. - Manually refresh Group Policy settings on his computer. - Add his user account to the ACL for the shared folder. - Have Marcus log off and log back in.
Have Marcus log off and log back in. On a Microsoft system, an access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs in again and a new access token is created. Use NTFS and share permissions, not Group Policy, to control access to files. In addition, Group Policy is periodically refreshed, and new settings are applied on a regular basis.
Match each Active Directory term on the left with its corresponding definition on the right. - Logical organization of resources - Collection of network resources - Collection of related domain trees - Network resource in the directory - Group of related domains Pick from here - Organizational Unit - Domain - Forest - Object - Tree
Logical organization of resources = Organizational Unit Collection of network resources = Domain Collection of related domain trees = Forest Network resource in the directory = Object Group of related domains = Tree
Which of the following principles is implemented in a mandatory access control model to determine object access by classification level? - Principle of least privilege - Ownership - Need to Know - Separation of duties - Clearance
Need to Know
Which of the following authentication protocols transmits passwords in cleartext and, therefore, is considered too insecure for modern networks? - CHAP - RADIUS - EAP - PAP
PAP Password Authentication Protocol (PAP) is considered insecure because it transmits password information in cleartext. Anyone who sniffs PAP traffic from a network can view the password information from a PAP packet with a simple traffic analyzer.
What type of password is maryhadalittlelamb? - Passphrase - Composition - Cognitive - Static
Passphrase
Which of the following identifies the type of access that is allowed or denied for an object? - DACL - User rights - Permissions - SACL
Permissions Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders.
What is the primary purpose of separation of duties? - Increase the difficulty of performing administrative duties - Grant a greater range of control to senior management - Prevent conflicts of interest - Inform managers that they are not trusted
Prevent conflicts of interest
Which account type in Linux can modify hard limits using the ulimit command? - Standard - Administrator - Root - User
Root Only the root user in Linux can modify hard limits using the ulimit command. Standard and administrator are Windows user types. Users can modify soft limits but not hard limits using the ulimit command.
Which of the following are examples of Something You Have authentication controls? (Select two.) - Smart card - Voice recognition - PIN - Handwriting analysis - Photo ID - Cognitive question
Smart card Photo ID
You manage a group of 20 Windows workstations that are currently configured as a workgroup. You have been thinking about switching to an Active Directory configuration. Which advantages would there be to switching to Active Directory? (Select two.) - Centralized configuration control - Centralized authentication - Increased local control of workstation settings - Decreased implementation cost - Reduced need for specialized hardware
- Centralized configuration control - Centralized authentication
What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?
Active Directory Active Directory (AD) is a centralized database that is included with the Windows Server operating system. Active Directory is used to store information about a network. It stores such things as user accounts, computers, printers, and security policies.
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject? - Role-Based Access Control (RBAC) - Mandatory Access Control (MAC) - Rule-Based Access Control - Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) The ABAC model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject. The MAC model is based on classification labels being assigned to objects and clearance labels being assigned to subjects. When a subject's clearance lines up with an object's classification, the subject is granted access. The RBAC model grants access based on the subject's role in an organization. The Rule-Based Access Control model grants access based on a set of rules or policies.
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources? - Identity proofing and authorization - Authorization and accounting - Authentication and accounting - Identity proofing and authentication - Authentication and authorization
Authentication and authorization
What is the process of controlling access to resources such as computers, files, or printers called? - Authorization - Conditional access - Mandatory access control - Authentication
Authorization Authorization is the process of controlling access to resources such as computers, files, or printers.
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do? - Configure expiration settings in user accounts - Configure day/time settings in user accounts - Configure account lockout policies in Group Policy - Configure account policies in Group Policy
Configure account policies in Group Policy
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which action should you take? - Create a GPO computer policy for the Computers container. - Create a GPO user policy for the Development OU. - Create a GPO computer policy for the computers in the Development OU. - Create a GPO folder policy for the folders containing the files.
Create a GPO computer policy for the computers in the Development OU. Network communication security settings are configured in the Computer Policies section of a GPO. Built-in containers (such as the Computers container) and folders cannot be linked to a GPO.
What should you do to a user account if the user goes on an extended vacation? - Remove all rights from the account - Disable the account - Monitor the account more closely - Delete the account
Disable the account
Which of the following is a characteristic of TACACS+? - Encrypts the entire packet, not just authentication packets - Requires that authentication and authorization are combined in a single server - Uses UDP ports 1812 and 1813 - Supports only TCP/IP
Encrypts the entire packet, not just authentication packets
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take? - Create a GPO linked to the Directors OU. Configure the password policy in the new GPO. - Implement a granular password policy for the users in the Directors OU. - Create a new domain. Move the contents of the Directors OU to the new domain and then configure the necessary password policy on the domain. - Go to Active Directory Users and Computers. Select all user accounts in the Directors OU, and then edit the user account properties to require the longer password.
Implement a granular password policy for the users in the Directors OU. Use granular password policies to force different password policy requirements for different users.
You are configuring a small workgroup. You open System Properties on each computer that will be part of the workgroup. Click the System Properties options you can use to configure each computer's workgroup association. (Select two. Each option is part of a complete solution.)
Network ID Change
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with? - Job rotation - Need to know - Cross-training - Principle of least privilege
Principle of least privilege
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.) - AAA - PKI - RADIUS - EAP - TACACS+
RADIUS TACACS+
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used? - DAC - DACL - RBAC - MAC
RBAC Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security-access level. Users are made members of a role and receive the permissions assigned to the role.
Which of the following is an example of rule-based access control? - Router access control lists that allow or deny traffic based on the characteristics of an IP packet. - A computer file owner who grants access to the file by adding other users to an access control list. - A subject with a government clearance that allows access to government classification labels of Confidential, Secret, and Top Secret. - A member of the accounting team that is given access to the accounting department documents.
Router access control lists that allow or deny traffic based on the characteristics of an IP packet.
Which type of group can be used for controlling access to objects? - Authorization - Distribution - DACL - Security
Security Only security groups can be used for controlling access to objects. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Distribution groups cannot be used for controlling access to objects. Authorization is the process of controlling access to resources such as computers, files, or printers.
Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages. However, she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is MOST likely preventing her from accessing this system? - She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. - Her user object has been assigned an explicit Deny permission to the performance management system. - Her user object has been assigned an explicit Allow permission to the performance management system, but she inherited the Deny permission assigned to the Project Management group (which she still belongs to). Inherited Deny permissions override explicit Allow permissions. - She is still a member of the Project Management group, which has been denied permission to this system. However, being a member of the Managers group should allow her to access this system. Allow permissions always override Deny permissions. There must be an explicit permission entry that is preventing her from accessing the management system.
She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions.
You are teaching new users about security and passwords. Which of the following is the BEST example of a secure password? - JoHnSmITh - 8181952 - T1a73gZ9! - Stiles_2031
T1a73gZ9!
You are attempting to delete the temp group but are unable to. Which of the following is the MOST likely cause? - The secondary group of an existing user cannot be deleted. - All users have already been deleted. - The primary group of an existing user cannot be deleted. - Groups cannot be deleted.
The primary group of an existing user cannot be deleted.
Which of the following is a privilege or action that can be taken on a system? - SACL - Permissions - User rights - DACL
User rights On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. User rights apply to the entire system.
Which of the following is used for identification? - Password - Username - Cognitive question - PIN
Username
Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system? - PGP secret key - Username - Biometric reference profile - Password
Username The username is typically the least protected identification and authentication factor. Therefore, usernames are often well known or easy to discover, especially by others on the same network or system. The key to maintaining a secure environment is to keep authentication factors secret. Often, usernames are constructed using a standard naming convention, such as first and middle initials plus the full last name, or the first name and last name separated by a period. If these simple construction conventions are known, building usernames from an employee list is very simple.
Which of the following are characteristics of TACACS+? (Select two.) - Allows two different servers (one for authentication and authorization and another for accounting) - Uses TCP - Allows three different servers (one each for authentication, authorization, and accounting) - Can be vulnerable to buffer overflow attacks - Uses UDP
Uses TCP Allows three different servers (one each for authentication, authorization, and accounting)
You are the administrator for a small company, and you need to add a new group of users to the system. The group's name is sales. Which command accomplishes this task? - addgroup -x sales - addgroup sales - groupadd -r sales - groupadd sales
groupadd sales Use the groupadd utility to add a group to the system. By default, the group is added with an incrementing number above those reserved for system accounts.