14.1.5 Practice Questions
Which Windows feature can you use to encrypt a hard drive volume?
> BitLocker Explanation: BitLocker was introduced in Windows Vista and is used to encrypt an entire volume (not just individual files and folders). BitLocker is designed to protect all data on a volume, even if the hard drive is moved to another computer. BitLocker to Go is used to encrypt USB drives (not a hard drive volume). Encrypting File System (EFS) is a component of the NTFS file system that allows file encryption. EFS is not a Windows feature that is used to encrypt a hard drive volume. NTFS is the file system that is used in modern Windows operating systems. It is not a Windows feature that is used to encrypt a hard drive volume.
One of the Windows workstations you manage has three user accounts defined on it. Two of the users are Limited users, while the third (your account) is an Administrative user. Each Limited and Administrative user has been assigned a strong password. File and folder permissions have been assigned to prevent users from accessing each other's files. Which of the following would MOST likely increase this system's security? (Select two.)
> Disable Autorun on the system. > Set a screen saver password. Explanation: You could increase this system's overall security by disabling Autorun and setting a screen saver password. Enabling the Guest user account would decrease the system's security, as would assigning simple passwords to user accounts. There is no such thing as a Restricted user on Windows operating systems.
One of the Windows workstations you manage has four user accounts defined on it. Two of the users are Limited users, while the third (your account) is an Administrative user. The fourth account is the Guest user account, which has been enabled to allow management employees convenient workstation access. Each Limited and Administrative user has been assigned a strong password. File and folder permissions have been assigned to prevent users from accessing each other's files. Autorun has also been disabled on the system. Which of the following actions is MOST likely to increase this system's security?
> Disable the Guest account. Explanation: The Guest user account has no password and provides too much access to the system. Unless its use is absolutely required, the Guest user account should remain disabled. Changing your Administrative user account to a Limited user would prevent you from completing management tasks on the workstation. Changing the two Limited user accounts to Administrative users would decrease the system's security, as would enabling Autorun.
You are establishing a new security policy for user authentication and want to implement multi-factor authentication. Which of the following would BEST accomplish this?
> Fingerprint and one-time code text message Explanation: Multi-factor authentication requires that a user demonstrate two of the following: - Something you are - Something you know - Something you have The only answer that satisfies this requirement is a fingerprint (something you are) and a one-time code text message (something you have, as the user must have their cell phone to receive the text message). Fingerprint and iris scans are both something you are. Usernames and passwords are both something you know. A smart card and one-time code text message are both something you have.
You are working at the local hospital in the IT department. You have just received a promotion to junior network technician. Part of your new role involves troubleshooting network communication issues. Which of the following user groups should your account be added to?
> Network Configuration Operator Explanation: In this scenario, your user account should be added to the Network Configuration Operator user group. Members of this group can manage a system's IP configuration, which would allow you to troubleshoot network communication issues. Your user account should not be added to the Administrator user group, as this would give you too much unnecessary access. Adding your user account to the Remote Desktop Users group would not be correct. Members of this group can remotely access a workstation's desktop, but you would still not have access to troubleshoot network connectivity issues. Members of the Cryptographic Operator group can perform cryptographic operations. This would not give you access to troubleshoot network configuration issues.
A technician assists Joe, an employee in the sales department who needs access to the client database, by granting him Administrator privileges. Later, Joe discovers that he has access to the salaries in the payroll database. Which of the following security practices was violated?
> Principle of least privilege Explanation: The technician violated the principle of least privilege, which is the practice of limiting user access rights to be the bare minimum that a user needs to perform their work. Strong passwords are recommended to prevent unauthorized access, but in this scenario, the database was not password-protected. Multi-factor authentication is the process of authenticating a user by validating two or more claims presented by them, each from a different category. This could include such things as a password and mobile phone possession or a password and a fingerprint. Security personnel can grant access to a physical area using the entry control roster. A database is not normally protected by physical security.
During an airline flight, a laptop user makes last-minute changes to a presentation that contains sensitive company information. Which of the following would make it difficult for other passengers to view this information on the laptop display?
> Privacy filter Explanation: A privacy filter narrows a laptop display's viewing angle so that only the person directly in front can see the display. A cable lock secures valuable items that could be easily removed from the workplace, like laptops. A cable lock would do nothing to prevent others from viewing the laptop display. Smart cards can provide authentication, but they do nothing to prevent others from viewing the laptop display. A mantrap is used to control access between two areas that have different security levels. It helps prevent tailgating by requiring that entry from one area closes before entry to the second area is possible.
You are assisting the security administrator and discover that a user was logged in to their workstation after hours. After further investigation, you discover that the user's account was compromised, and someone used the account to steal sensitive data. Which of the following could have BEST prevented this from happening?
> Restrict the user's login times to work hours only. Explanation: Because the user account was accessed after work hours, the best solution would have been to restrict the user's login times to work hours only. If this policy were in place, the account could not have been used after hours Requiring a stronger password would not have been the best option to prevent this from happening, as the password could still have been compromised. A password reset policy should not be implemented, as this can actually reduce the security of passwords. Implementing a screen saver lock would not have been the best option in this scenario, as the user was done for the work day and had already logged off of the computer. The attacker still knew the user's password.
Which database encryption method can you use to encrypt data at rest?
> Transparent data encryption Explanation: Transparent data encryption (TDE) encrypts the entire database and all backups. TDE encrypts data at rest, which is data that is not currently being used. Column-level encryption allows the administrator to encrypt each column separately. This method does not encrypt data at rest. With application-level encryption, the program that was used to create or modify the data is responsible for encrypting the data as well. This method does not encrypt data at rest. A Trusted Platform Module (TPM) chip is built onto a motherboard and generates and stores encryption keys to protect boot files. The TPM chip does not encrypt data at rest.
Which of the following are examples of a strong password? (Select two.)
> il0ve2EatIceCr3am! > I love the Linux P3ngu!n Tux Explanation: A strong password is one that: - Is at least eight characters long (longer is better). - Is not based on a word found in a dictionary. - Contains both uppercase and lowercase characters. - Contains numbers. - Contains special characters. - Does not contain words that could be associated with you personally. Could be considered a passphrase. The passwords il0ve2EatIceCr3am! and I love the Linux P3ngu!n Tux both meet the above criteria. The password NewYorkCity is long enough and includes upper and lowercase letters, but it does not contain numbers or special characters and could be easily dissected into a dictionary word. The password skippy is probably a pet name. The password Morganstern is probably someone's last name (perhaps a spouse's name or a maiden name).
