TestOut Network Pro 13.3 Hardening Authentication


You are configuring the Local Security Policy on a Windows system. You want to require users to create passwords that are at least 10 characters in length. You also want to prevent login after three unsuccessful login attempts. Which policies should you configure? (Select two.)

Account lockout threshold
Minimum password length

Set the Minimum password length policy to require a password equal to or longer than the specified length. Set the Account lockout threshold policy to lock an account after the specified number of incorrect login attempts.

The following list explains the incorrect policy choices for this scenario:
Enforce password history requires users to input a unique (previously unused) password when changing their password. This prevents users from reusing previous passwords.
Maximum password age forces users to change the password after the specified time interval.
Password must meet complexity requirements prevents using passwords that are easy to guess or crack. It forces passwords to include letters, symbols, and numbers and also requires passwords of at least seven characters. However, you cannot configure a longer password length requirement with this policy.
Account lockout duration determines the length of time the account is disabled (in minutes). When the time period expires, the account is unlocked automatically.

For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within 10 minutes. What should you do?

Configure account lockout policies in Group Policy - Account lockout disables a user account after a specified number of incorrect login attempts. The account lockout threshold identifies the allowed number of incorrect login attempts. The account lockout counter identifies a time period for keeping track of incorrect attempts (such as 10 minutes). If account lockout locks a user account, use the unlock feature to allow login. Use the enable/disable feature to prevent or allow login with that user account. Configure account (password) policies in Group Policy to enforce rules about password composition, such as minimum length, complexity, and history requirements. Use account expiration to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours.

You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?

Configure account policies in Group Policy. - Configure account (password) policies in Group Policy to enforce rules about password composition, such as minimum length, complexity, and history requirements. Use account expiration to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours. Account lockout disables a user account after a specified number of incorrect login attempts.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even stricter password policies than are required for other members in the Directors OU. What should you do?

Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.

Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)

Delete the account that the sales employees are currently using.
Train sales employees to use their own user accounts to update the customer database.

You should prohibit the use of shared user accounts. Allowing multiple users to share an account increases the likelihood of the account being compromised. Because the account is shared, users tend to take security for the account less seriously.

In the scenario, the following tasks need to be completed:
The existing shared user account needs to be deleted. Until you delete the account, users can continue to use it for authentication. You could just change the password on the account, but there is a high chance that the new password would be shared again.
Train sales employees to use their own user accounts to update the customer database. Ensure that these accounts have the level of access required to access the database.

Applying time-of-day login restrictions to a Group Policy Object does not address the issue in this scenario.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take?

Implement a granular password policy for the users in the Directors OU. - Use granular password policies to force different password policy requirements for different users. Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Prior to Windows Server 2008, the only way to configure different password policies was to create a different domain.

You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?

Users cannot change the password for 10 days. - The minimum password age setting prevents users from changing the password too frequently. After the password is changed, it cannot be changed again for at least 10 days. The maximum password age setting determines how frequently a password must be changed. The minimum password length setting controls the minimum number of characters that must be in the password. Password history is used to prevent previous passwords from being reused.

Which of the following utilities could you use to lock a user account? (Select two.)

passwd
usermod

Use the following utilities to lock a user account:
passwd -l disables (locks) an account. This command inserts !! before the password in the /etc/shadow file.
usermod -L disables (locks) an account. This command inserts ! before the password in the /etc/shadow file.

The useradd command creates new user accounts, and userdel deletes user accounts from the system. The ulimit command limits computer resources.

An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the desired outcome? (Select two.)

userdel -r bsmith
userdel bsmith;rm -rf /home/bsmith

The userdel -r command deletes a user's home directory and user account. The userdel command by itself does not delete the user's home directory along with the user account. Executing rm -rf on the user's home directory after executing userdel removes the home directory. The userdel -h command displays the syntax and options for the userdel command.

You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?

usermod -L joer - Use usermod -L joer to lock a user's password. Doing so disables the account. The usermod -l joer command changes the account's login name. The -d flag changes the account's home directory. The -u flag changes the account's numeric ID.

