SPSCC_CNA121_Chpt_6_Windows_10_Security_Features

password policy

A collection of settings to control password characteristics such as length and complexity.

account lockout policy

A collection of settings, such as lockout duration, that control account lockouts.

Secedit

A command-line tool that is used to apply, export, or analyze security templates.

BitLocker Drive Encryption

A feature in Windows 10 that can encrypt the operating system partition of a hard drive and protect system files from modification. Other partitions can also be encrypted.

User Account Control (UAC)

A feature in Windows 10 that elevates user privileges only when required.

AppLocker

A feature in Windows 10 that is used to define which programs are allowed to run. This is a replacement for the software restriction policies found in Windows XP and Windows Vista, but it is not available in Windows 10 Pro or lower.

BitLocker To Go

A new feature in Windows 10 that allows you to encrypt removable storage.

hashing algorithm

A one-way encryption algorithm that creates a unique identifier that can be used to determine whether data has been changed.

local security policy

A set of security configuration options in Windows 10. These options are used to control user rights, auditing, password settings, and more.

hash encryption

A(n) ____ algorithm is one-way encryption, which means that it encrypts data, but the data cannot be decrypted.

symmetric encryption

A(n) ____ algorithm uses the same key to encrypt data and decrypt data.

security template

An .inf file that contains security settings that can be applied to a computer or analyzed against a computer's existing configuration.

Security Configuration and Analysis tool

An MMC snap-in that is used to apply, export, or analyze security templates.

application manifest

An XML file that describes the structure of an application, including required DLL files and privilege requirements.

application manifest

An ____ is used to describe the structure of an application and trigger UAC when required.

symmetric encryption algorithm

An encryption algorithm that uses the same key to encrypt and decrypt data.

asymmetric encryption algorithm

An encryption algorithm that uses two keys to encrypt and decrypt data. Data encrypted with one key is decrypted by the other key.

Encrypting File System (EFS)

An encryption technology for individual files and folders that can be enabled by users.

Windows Defender

Anti-malware software included with Windows 10.

Restore the user certificate from a backup copy. Another user that has access to open the file can decrypt it. Decrypt the file by using the recovery certificate.

How can you recover EFS-encrypted files if the user profile holding the digital certificate is accidentally deleted? Choose all that apply. a. Restore the file from backup. b. Restore the user certificate from a backup copy. c. Another user that has access to open the file can decrypt it. d. Decrypt the file by using the recovery certificate. e. Decrypt the file by using the EFS recovery snap-in.

Create default rules

How would you create AppLocker rules if you wanted to avoid updating the rules when most software is already installed? a. Manually create rules for each application b. Automatically generate rules c. Create default rules d. Download rule templates

malware

Malicious software designed to perform unauthorized acts on your computer. It includes viruses, worms, and spyware.

manifest

Newer Windows applications use an application ____ to describe the structure of an application.

Group Policy

The Local Security Policy is part of a larger Windows management system called _______ _______, which can be implemented on a local computer, but is typically part of a domain-based net- work.

user rights assignment

The _____ local policy controls the tasks users are allowed to perform.

Volume Master Key (VMK)

The key used to encrypt hard drive data when BitLocker Drive Encryption is enabled.

Full Volume Encryption Key (FVEK)

The key used to encrypt the Volume Master Key (VMK) when BitLocker Drive Encryption is enabled.

auditing

The security process that records the occurrence of specific operating system events in the Security log.

audit policy

The settings that define which operating system events are audited.

Windows Server Update Services (WSUS)

The standard Windows Update process can be modified to use ____.

Current Branch Business

This branch installs new builds four months after they are released to Current Branch and provides updates an additional four months after that. This branch is available only on Windows 10 Pro, Enterprise, and Education editions.

Long Term Servicing Branch

This branch is a specific edition of Windows 10 that does not receive feature updates. Windows Updates are provided for this branch for 10 years. This is meant for controlled environments, such as equipment controllers, where changes cannot be tolerated.

Current Branch

This servicing branch is maintained with updates for four months. Any computer configured to use this installs new builds immediately when released by Microsoft.

Windows Insider Preview Branch

This servicing branch is updated irregularly, but can be updated as often as once per week. Consider this branch beta software. It should be used only on test computers if you want an early look at new features.

Password must meet complexity requirements

This setting applies a number of tests to a new password to ensure that it is not too easy to guess or hack. This setting is enforced when a password change is made, but is not applied to existing passwords. The default value is Disabled.

Store passwords using reversible encryption

This setting controls how passwords are encrypted in the Security Accounts Manager (SAM) database that stores user credentials. By default, this setting is Disabled, and passwords are encrypted in a non-reversible format. Storing passwords by using reversible encryption is required only for compatibility with specific applications.

Account lockout duration

This setting determines how many minutes an account remains locked. The default value is 30 minutes; however, this value is not configured until the Account lockout threshold has been configured.

Account lockout threshold

This setting determines the number of incorrect sign-in attempts that must be performed before an account is locked. The default value is 0 invalid sign-in attempts, which means that account lockouts are disabled.

Reset account lockout counter after

This setting determines within what time frame the incorrect sign-in attempts must occur to trigger a lockout. The default value is 30 minutes; however, this value is not configured until the Account lockout threshold has been configured.

Maximum password age

This setting is the maximum amount of time that a user can keep the same password without changing it. Forcing password changes reduces the risk of a shared or hacked password being used over an extended period of time. The default value is 42 days.

Minimum password length

This setting is the minimum number of characters that must be in a password. In general, longer passwords are more secure. A minimum pass- word length of 6 or 8 characters is typical for most organizations. The default value is 0 characters.

Enforce password history

This setting is the number of password changes that must occur before a password can be reused. For example, if the setting is 3, a password can only be reused every third time. The default value is 0 passwords remembered and the maximum is 24 passwords remembered.

Minimum password age

This setting is the shortest amount of time that a user can use a password before changing it. A minimum password age is often used to ensure that users do not change their password several times in quick succession to continue using a single password. The default value is 0 days.

real-time scanning

To prevent malware installation, you should configure Windows Defender to perform _____.

Security

To which event log are audit events written? a. Application b. Security c. System d. Audit e. Advanced Audit

False

True or False: BitLocker Drive Encryption is user aware and can be used to protect individual files on a shared computer.

False

True or False: Evaluating DLL files for software restrictions has a minimal impact on performance because of caching.

True

True or False: To encrypt a file by using EFS, the file must be stored on an NTFS-formatted partition.

False

True or False: Windows Update can be configured to automatically update Windows Store apps.

Windows Insider Preview Branch, Current Branch, Current Branch for Business, and Long Term Servicing Branch

What are the four distinct servicing branches available with Windows 10?

• Cannot contain part of the user's account name • Must be at least six characters long • Must contain characters meeting three of the following characteristics: uppercase characters, lowercase characters, numerals (0-9), nonalphanumeric characters e.g., !, @, #, $

What are the password must meet complexity requirements?

Account lockout duration, account lockout threshold, and reset account lockout counter after.

What are the settings available in the Account Lockout Policy?

secure desktop

What are you disabling when you configure UAC to not dim the desktop? a. Admin Approval Mode b. file and registry virtualization c. user-initiated prompts d. secure desktop

You get an access-denied error.

What happens if you do not have access to decrypt an encrypted file if you attempt to copy or move the file to a FAT partition, FAT32 partition, or floppy disk.

It becomes unencrypted if you have access to decrypt the file.

What happens to an encrypted file copied or moved to a FAT partition, FAT32 partition, or floppy disk?

It remains encrypted.

What happens to an encrypted file copied or moved to an unencrypted folder?

It becomes encrypted.

What happens to an unencrypted file copied or moved to an encrypted folder?

Defer Upgrades and Updates

What is the name of the Group Policy setting that configures Windows Update for Business? a. Defer Upgrades and Updates b. Windows Update for Business c. Windows Update Delay d. Enterprise Windows Update e. Windows Update Deployment

The Password Policy and the Account Lockout Policy

What two policies are contained in the Account Policies category of the Local Security Policy?

Reset account lockout counter after

Which account lockout policy setting is used to configure the time frame in which incorrect logon attempts must be conducted before an account is locked out? a. Account lockout duration b. Account lockout threshold c. Reset account lockout counter after d. Account lockout release period

You must use a USB drive to store the startup PIN.

Which of the following is not true about BitLocker Drive Encryption? a. BitLocker Drive Encryption requires at least two disk partitions. b. BitLocker Drive Encryption is designed to be used with a TPM. c. Two encryption keys are used to protect data. d. Data is still encrypted when BitLocker Drive Encryption is disabled. e. You must use a USB drive to store the startup PIN.

passw0rd$ and a1batr0$$

Which of the following passwords meet complexity requirements? Choose all that apply. a. passw0rd$ b. ##$$@@ c. ake1vyue d. a1batr0$$ e. A%5j

Minimum password age

Which password policy setting should you use to prevent users from reusing their passwords too quickly? a. Maximum password age b. Minimum password age c. Minimum password length d. Password must meet complexity requirements e. Store passwords using reversible encryption

User Account Control (UAC)

Which security feature in Windows 10 prevents malware by limiting user privilege levels? a. Windows Defender b. User Account Control (UAC) c. Microsoft Security Essentials d. Service SIDs

Long Term Servicing Branch

Which servicing branch for Windows Update should be used for computers where changes cannot be tolerated? a. Windows Insider Preview Branch b. Current Branch c. Current Branch for Business d. Long Term Servicing Branch e. Stable Service Branch

Hash

Which type of AppLocker rule condition can uniquely identify any file regardless of its location? a. Publisher b. Hash c. Network zone d. Path

Symmetric

Which type of encryption is the fastest, strongest, and best suited to encrypting large amounts of information? a. Symmetric b. 128 bit c. Asymmetric d. Hash e. Public key

Secedit and Security Configuration and Analysis tool

Which utilities can be used to compare the settings in a security template against a computer configuration? Choose all that apply. a. Secedit b. Windows Defender c. Security Templates snap-in d. Group Policy Object Editor e. Security Configuration and Analysis tool

Security templates

____ are .inf files that contain settings that correspond with the Account Policies and Local Policies in the local security policy.

Software restriction policies

____ are used to define which programs are allowed or disallowed in the system.

Auditing

____ is the security process that records the occurrence of specific operating system events in the Security log.