Chapter 3. Domain 3.0: Access Control

The concept of security within the network environment includes aspects drawn from all operating systems, application software packages, hardware solutions, and networking configurations present within the network to be secured, and from within any network-sharing connectivity directly or indirectly with the network to be secured. For the Security+ exam, you need to develop the broadest set of skills possible, gaining experience from the most specific to the most general of security concepts. This chapter focuses on access control mechanisms and methods for secure network authentication and physical access. A general knowledge of network terminology will aid in understanding these concepts. As a prospective security professional, you should also take every opportunity you may find to expand your skill base beyond these. The following list identifies the key areas from Domain 3.0 (which counts as 17% of the exam) that you need to master:

Identify and apply industry best practices for access control methods.

Explain common access control models and the differences between each.

Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

Apply appropriate security controls to file and print resources.

Compare and implement logical access control methods.

Summarize the various authentication models and identify the components of each.

Deploy various authentication models and identify the components of each.

Explain the difference between identification and authentication (identity proofing).

Explain and apply physical access security methods.

Practice Questions

Objective 3.1: Identify and apply industry best practices for access control methods.

1. Which of the following security access control methods is best equated to the phrase “less is more”?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 175

2. Which of the following security access control methods is best equated to the principle behind Microsoft’s User Access Control (UAC) technology?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 175

3. Which of the following security access control methods is best described as resource availability restricted to only those logons explicitly granted access?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 175

4. Which of the following security access control methods is best described as the separation of logons as well as the separation of roles?

A. Mandatory vacations

B. Principle of least privilege

C. Separation of duties

D. Rotation of job duties

Quick Answer: 172

Detailed Answer: 176

5. Which of the following security access control methods is best described as the practice of terminating passwords on a regular basis?

A. Rotation

B. Purging

C. Aging

D. Expiration

Quick Answer: 172

Detailed Answer: 176

6. Which of the following security access control methods is best described as the practice of revolving administrative users between roles?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 176

7. An organization is concerned about the proper level of access. Which of the following security access control methods would best mitigate this risk?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 176

8. An organization is concerned about securing resource availability. Which of the following security access control methods would best mitigate this risk?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 176

9. An organization is concerned about the fact that the programmers also test the software they are developing. Which of the following security access control methods would best mitigate this risk?

A. Mandatory vacations

B. Principle of least privilege

C. Separation of duties

D. Rotation of job duties

Quick Answer: 172

Detailed Answer: 177

10. An organization is concerned about fraudulent activity. Which of the following security access control methods would best mitigate this risk?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 177

11. An organization is concerned about software development contractors having access to network resources after the contracted work has been completed. Which of the following security access control methods would best mitigate this risk?

A. Implicit deny

B. Least privilege

C. Job rotation

D. Account expiration

Quick Answer: 172

Detailed Answer: 177

12. Which of the following best describes the security access control method that protects the network by ensuring an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges?

A. Segregation of duties

B. Separation of accounts

C. Separation of roles

D. Segregation of resources

Quick Answer: 172

Detailed Answer: 178

13. Which of the following best describes the control within the Microsoft environment that allows lesser accounts to perform privileged processes?

A. “Run as” option

B. “Send to” option

C. “Gpresult” command

D. “Run” command

Quick Answer: 172

Detailed Answer: 178

14. Which of the following best describes the protection mechanism of using the access control practice to expire passwords on a regular basis?

A. Spoofing attacks

B. Null session attacks

C. ARP poisoning attacks

D. Brute-force attacks

Quick Answer: 172

Detailed Answer: 178

15. Which of the following basic access control methods would be violated when an employee is given roles that include security management procedures and compliance audit procedures?

A. Implicit deny

B. Principle of least privilege

C. Separation of duties

D. Account expiration

Quick Answer: 172

Detailed Answer: 178

Objective 3.2: Explain common access control models and the differences between each.

1. Which of the following access control methods involves the assignment of labels to resources and accounts?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 178

2. Which of the following access control methods involves the explicit specification of access rights for accounts with regards to each particular resource?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 179

3. Which of the following access control methods commonly involves testing against an access control list that details systems and accounts with access rights?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 179

4. Which of the following access control methods commonly involves access rights that may vary by account or by time of day?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 179

5. Which of the following access control methods would most likely be used within governmental systems?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 180

6. Which of the following access control methods would involve assignment of rights to groups for inheritance by group member account?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 180

7. The network administrator is responsible for selecting the access control method that will be used for a new kiosk system. Organization members want full access to all categories of information, but visitors should have access only to general items about the organization. Which forms of access control are most appropriate to this requirement? (Select all correct answers.)

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 180

8. The network administrator is responsible for selecting the access control method that will be used for a new 24-hour employee cafeteria. Members of management must always be granted access, whereas other staff members should be granted access only during their assigned lunch hours. Visitors should be allowed access during normal business hours only. What form of access control is best for this scenario?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 180

9. According to the TCSEC specification, which of the following are divisions of access control? (Select all correct answers.)

A. Minimal

B. Verified

C. Logical

D. Physical

Quick Answer: 172

Detailed Answer: 180

10. According to the TCSEC specification, which of the following is the highest level of access?

A. Minimal

B. Mandatory

C. Verified

D. Discretionary

Quick Answer: 172

Detailed Answer: 180

11. The organization is selecting an access control method where the objective is to assign permissions based on forms of conditional testing. Which form of access control is most appropriate to meet this requirement?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 181

12. The organization is selecting an access control method where the objective is to assign strict permissions where if the labels on the account and resource do not match, the resource remains unavailable. Which form of access control is most appropriate to meet this requirement?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 181

13. The organization is selecting an access control method in which the subject has complete control over the objects that it owns. Which form of access control is most appropriate to meet this requirement?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 181

14. In which of the following forms of access control is access granted based on a categorical assignment such as classified, secret, or top secret?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. Rule-based access control

Quick Answer: 172

Detailed Answer: 181

15. The organization is selecting an access control method where the objective is to provide a high level of scalability within its large enterprise scenarios. Which form of access control is most appropriate to meet this requirement?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 182

Objective 3.3: Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

1. Which of the following information is held in a user account? (Select all correct answers.)

A. Permissions

B. Password

C. Name

D. Devices

Quick Answer: 172

Detailed Answer: 182

2. Which of the following groups has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it?

A. Partnering vendors

B. Contract workers

C. Internal users

D. External users

Quick Answer: 172

Detailed Answer: 182

3. To which of the following types of groups would a user be assigned for applications such as Microsoft Exchange?

A. Mail

B. Distribution

C. Security

D. Administrator

Quick Answer: 172

Detailed Answer: 182

4. In a Microsoft Windows 2003 network, in which of the following groups could a user be placed? (Select all correct answers.)

A. Local

B. Global

C. Domain

D. Universal

Quick Answer: 172

Detailed Answer: 182

5. Which of the following access control methods would most likely be used to manage the access permissions in a peer-to-peer network or a workgroup?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 182

6. Which of the following access control methods would be used to manage the access permissions on a large number of user accounts?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 183

7. To which of the following types of groups would a user be assigned for access to information such as a home directory?

A. Mail

B. Distribution

C. Security

D. Administrator

Quick Answer: 172

Detailed Answer: 183

8. Which of the following best describe the user rights assignment? (Select all correct answers.)

A. Segregates users

B. Grants specific privileges

C. Segregates resources

D. Grants logon rights

Quick Answer: 172

Detailed Answer: 183

9. The organization is selecting an access control method where the objective is to assign permissions uniquely to each account. Which form of access control is most appropriate to meet this requirement?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 183

10. The organization is selecting an access control method where the objective is to assign permissions based on ease of administration. Which form of access control is most appropriate to meet this requirement?

A. Rule-based access model

B. Group-based access model

C. Role-based access model

D. User-based security model

Quick Answer: 172

Detailed Answer: 183

11. Which of the following most accurately describes user rights and user permissions? (Select all correct answers.)

A. Logon rights control who and how users log on to the computer

B. Rights allow users to perform system tasks such as the right to back up files

C. Permissions control who and how users log on to the computer

D. Permissions allow users to perform system tasks such as the right to back up files

Quick Answer: 172

Detailed Answer: 184

12. If an administrator gives a user full access in one group and no access in another group, which of the following is the end result?

A. Full access

B. No access

C. Read access

D. Write access

Quick Answer: 172

Detailed Answer: 184

13. If an administrator gives a user write access in one group and read access in another group, which of the following is the highest level of access the user is granted?

A. Full access

B. No access

C. Read access

D. Write access

Quick Answer: 172

Detailed Answer: 184

14. Which of the following is best practice when applying permissions to accounts in a domain environment?

A. Apply to group accounts

B. Apply to individual accounts

C. Apply to local accounts

D. Apply to universal accounts

Quick Answer: 172

Detailed Answer: 184

15. Which of the following is best practice when using the Administrator account?

A. Used for all functions provided the user has administrative privileges

B. Used only for the purpose of logging into the server

C. Used only for the purpose of administering the server

D. Never used because it is a sensitive account

Quick Answer: 172

Detailed Answer: 184

Objective 3.4: Apply appropriate security controls to file and print resources.

1. Which of the following is the most compelling reason to lock down file and print shares?

A. Logic bombs can spread via unprotected shares

B. Unprotected network shares are always easy attack targets

C. Intrusion detection systems cannot detect attacks on unprotected shares

D. Unprotected network shares allow users to access shared information

Quick Answer: 173

Detailed Answer: 184

2. When addressing file and print sharing, which of the following NetBIOS ports should be secured? (Select all correct answers.)

A. 138

B. 135

C. 139

D. 137

Quick Answer: 173

Detailed Answer: 184

3. When addressing file and print sharing that uses SMB directly over TCP/IP, which of the following ports should be secured?

A. 110

B. 445

C. 135

D. 161

Quick Answer: 173

Detailed Answer: 185

4. Which of the following is true of file and print sharing?

A. It increases unauthorized access risk.

B. It decreases unauthorized access risk.

C. It mitigates unauthorized access risk.

D. It protects against unauthorized access risk.

Quick Answer: 173

Detailed Answer: 185

5. Which of the following best describes the areas that should be examined when addressing file and print sharing? (Select all correct answers.)

A. Simple Mail Transfer Protocol

B. Common Gateway Protocol

C. Server Message Block

D. Common Internet File System

Quick Answer: 173

Detailed Answer: 185

6. Which of the following best practices is recommended if file and print sharing is not really needed?

A. Deny access to the default shares

B. Bind NetBIOS to TCP/IP

C. Unbind NetBIOS from TCP/IP

D. Remove the default shares

Quick Answer: 173

Detailed Answer: 185

7. Which of the following is an inherent risk when using a Microsoft Windows 2003 operating system?

A. Hidden shares are created by default.

B. Users can create shares without authorization.

C. Shares automatically grant all users full access.

D. Users can create undetectable hidden shares.

Quick Answer: 173

Detailed Answer: 185

8. Which of the following are recommendations for securing file and print sharing? (Select all correct answers.)

A. Install proper firewalls

B. Filter traffic on port 135

C. Bind NetBIOS to TCP/IP

D. Run intrusion detection tools

Quick Answer: 173

Detailed Answer: 185

9. Which of the following qualities would be pertinent when selecting antivirus software if open shares are a concern?

A. Searching for logic bombs

B. Searching for CIFS worms

C. Searching for adware

D. Searching for SMTP vulnerabilities

Quick Answer: 173

Detailed Answer: 185

10. Which of the following can go a long way toward making sure that file sharing is not enabled unless needed? (Select all correct answers.)

A. Discretionary control

B. User education

C. Written warnings

D. Mandatory settings

Quick Answer: 173

Detailed Answer: 186

Objective 3.5: Compare and implement logical access control methods.

1. Which of the following best describes an access control list?

A. A combination of methods to limit access to data

B. Underlying data that defines access permissions

C. A method to set consistent common security standards

D. A unique value that identifies a security principal

Quick Answer: 173

Detailed Answer: 186

2. Which of the following best describes logical access control?

A. A combination of methods to limit access to data

B. Underlying data that defines access permissions

C. A method to set consistent common security standards

D. A unique value that identifies a security principal

Quick Answer: 173

Detailed Answer: 186

3. Which of the following best describes a security identifier?

A. A combination of methods to limit access to data

B. Underlying data that defines access permissions

C. A method to set consistent common security standards

D. A unique value that identifies a security principal

Quick Answer: 173

Detailed Answer: 186

4. Which of the following best describes group policy?

A. A combination of methods to limit access to data

B. Underlying data that defines access permissions

C. A method to set consistent common security standards

D. A unique value that identifies a security principal

Quick Answer: 173

Detailed Answer: 187

5. Which of the following best describes a decentralized security management model?

A. Less secure but more scalable than a centralized model

B. More secure but less scalable than a centralized model

C. More secure and more scalable than a centralized model

D. Less secure and less scalable than a centralized model

Quick Answer: 173

Detailed Answer: 187

6. Which of the following best describes a centralized security management model?

A. Less secure but more scalable than a decentralized model

B. More secure but less scalable than a decentralized model

C. More secure and more scalable than a decentralized model

D. Less secure and less scalable than a decentralized model

Quick Answer: 173

Detailed Answer: 187

7. Which of the following best describes the general order of Group Policy object application?

A. Group policies get applied from the top down.

B. Group policies get applied based on complexity.

C. Group policies get applied based on alphabetic order.

D. Group policies get applied from the bottom up.

Quick Answer: 173

Detailed Answer: 187

8. Which of the following would conform to best practices with regard to password policy?

A. At least four characters, uppercase and lowercase letters, numbers, and special characters

B. At least six characters, lowercase letters, numbers, and special characters

C. At least eight characters, uppercase and lowercase letters, numbers, and special characters

D. At least twelve characters, uppercase and lowercase letters, numbers, and special characters

Quick Answer: 173

Detailed Answer: 187

9. Which of the following is the correct number of domain password policies that can be set for a Windows 2003 domain?

A. One

B. Three

C. Ten

D. Unlimited

Quick Answer: 173

Detailed Answer: 188

10. Which of the following are best practices when formulating password account policies? (Select all correct answers.)

A. Set the server to not allow users to use the same password over and over again

B. Require password complexity for all accounts

C. Lock user accounts out after two failed logon attempts

D. Require users to change passwords every 60 to 90 days

Quick Answer: 173

Detailed Answer: 188

11. An organization is implementing a domain policy where the employees are primarily shift workers. Which of the following would be the best solution to implement?

A. Mandatory password changes

B. Increased account lockout time

C. Time-of-day restrictions

D. Reduced failed logon attempts

Quick Answer: 173

Detailed Answer: 188

12. In Microsoft operating systems, which of the following best describes an access control entry?

A. A combination of methods to limit access to data

B. A method to set consistent common security standards

C. A unique value that identifies a security principal

D. A descriptor that contains the name of a user, group, or role

Quick Answer: 173

Detailed Answer: 188

13. An organization is implementing a method of control where the requirements are that employees at different locations are responsible for managing privileges within their administrative areas. Which of the following security management models will they implement?

A. User based

B. Centralized

C. Decentralized

D. Group based

Quick Answer: 173

Detailed Answer: 188

14. An organization is implementing a method of control where the requirements are that employees at one location are responsible for managing privileges for the entire organization. Which of the following security management models can they implement? (Select all correct answers.)

A. User based

B. Centralized

C. Decentralized

D. Group based

Quick Answer: 173

Detailed Answer: 188

15. An administrator is troubleshooting a group policy issue on a computer that is a member of a workgroup rather than a domain member. Which of the following would be the most likely reason the policy is not working?

A. Only the local policy is applied.

B. The policy is set to no override.

C. The Block Inheritance setting has been checked.

D. The policy is marked for No Override.

Quick Answer: 173

Detailed Answer: 189

16. GPOs can be associated with or linked to which of the following? (Select all correct answers.)

A. Organizational units

B. Domains

C. Sites

D. Forests

Quick Answer: 173

Detailed Answer: 189

17. Which of the following would be the most likely result of a GPO conflict?

A. The policy lower in the list takes preference.

B. The GPO that was created first takes preference.

C. The conflict will cause neither policy to be applied.

D. The policy higher up in the list will take preference.

Quick Answer: 173

Detailed Answer: 189

18. Which of the following should be implemented if the organization wants to be sure that all users are off of the network each evening when the backup is run?

A. Account expiration

B. Account lockout

C. Time-of-day restrictions

D. Software restriction policies

Quick Answer: 173

Detailed Answer: 189

19. An organization is implementing a domain policy where the employees are temporary and contract workers. Which of the following is the best solution to implement?

A. Account expiration

B. Account lockout

C. Time-of-day restrictions

D. Software restriction policies

Quick Answer: 173

Detailed Answer: 189

20. An organization is implementing a domain policy where the primary concern is unauthorized attempted access via active user accounts. Which of the following would be the best solution to implement?

A. Account expiration

B. Account lockout

C. Time-of-day restrictions

D. Software restriction policies

Quick Answer: 173

Detailed Answer: 189

Objective 3.6: Summarize the various authentication models and identify the components of each.

1. Which of the following best describe the general forms that comprise authentication? (Select all correct answers.)

A. Something you touch

B. Something you have

C. Something you know

D. Something you are

Quick Answer: 173

Detailed Answer: 190

2. Which of the following best describes the type of authentication provided by using a logon ID and password?

A. Multifactor authentication

B. Single-factor authentication

C. Mutual authentication

D. On-demand authentication

Quick Answer: 173

Detailed Answer: 190

3. Which of the following best describes the type of authentication provided when the client and server verify that the computer with which they are communicating is the proper system?

A. Multifactor authentication

B. Single-factor authentication

C. Mutual authentication

D. On-demand authentication

Quick Answer: 173

Detailed Answer: 190

4. Which of the following best describes the type of authentication provided within an ongoing data transmission?

A. Multifactor authentication

B. Single-factor authentication

C. Mutual authentication

D. On-demand authentication

Quick Answer: 173

Detailed Answer: 190

5. Which of the following best describes the type of authentication provided by using fingerprint scanning and a password?

A. Multifactor authentication

B. Single-factor authentication

C. Mutual authentication

D. On-demand authentication

Quick Answer: 173

Detailed Answer: 190

6. Which of the following best describes the process of determining the identity of the account attempting to access a resource?

A. Authorization

B. Authentication

C. Identification

D. Validation

Quick Answer: 173

Detailed Answer: 191

7. Which of the following is one of the most widespread examples of the shortcomings of an authentication system?

A. Lost tokens

B. False positives

C. Weak encryption

D. Easily guessed passwords

Quick Answer: 173

Detailed Answer: 191

8. Which of the following authentication methods would most likely be used for access to a library kiosk?

A. A logon identifier and password

B. Anonymous access and password

C. Biometric keys and security token

D. Account logon and security token

Quick Answer: 173

Detailed Answer: 191

9. Which of the following authentication methods would most likely be used for access to a governmental financial network?

A. A logon identifier and password

B. Anonymous access and password

C. Biometric keys and security token

D. Account logon and security token

Quick Answer: 173

Detailed Answer: 191

10. Which of the following authentication methods would most likely be used for access to an airport kiosk?

A. A security token

B. Anonymous access

C. Biometric keys

D. Account logon

Quick Answer: 173

Detailed Answer: 191

11. Which of the following is the correct sequence when a user requests access to a resource?

A. Authentication occurs first and then access is determined.

B. Access rights are determined by authentication method.

C. Authentication and access control occur at the same time.

D. Access must be granted first, and then authentication occurs.

Quick Answer: 173

Detailed Answer: 192

12. Which of the following most accurately describes authentication?

A. The presentation of a unique identity

B. A unique identity with a security principal

C. The presentation of credentials

D. A set of resources available

Quick Answer: 173

Detailed Answer: 192

13. Which of the following are advantages of implementing a single sign-on solution? (Select all correct answers.)

A. Reduced costs

B. Reduced threats

C. Reduced user support

D. Reduced authentication complexity

Quick Answer: 173

Detailed Answer: 192

14. Which of the following authentication methods would most likely be used for access to a corporate network by telecommuters?

A. A logon identifier and password

B. Anonymous access and password

C. Biometric keys and security token

D. Account logon and security token

Quick Answer: 173

Detailed Answer: 192

15. Which of the following most accurately describes single sign-on?

image A. One account granting access to all services

image B. Separate accounts granting access to each service

image C. Administrative login granting access to all services

image D. Anonymous login granting access to all services

Quick Answer: 173

Detailed Answer: 192

Objective 3.7: Deploy various authentication models and identify the components of each.

1. Which of the following are strengths of Kerberos authentication? (Select all correct answers.)

A. Remote-access connections

B. Time-synchronized connections

C. The use of registered clients

D. The use of registered service keys

Quick Answer: 174

Detailed Answer: 192

2. Over which of the following connection types does CHAP function?

A. LDAP

B. HTTP

C. FTP

D. PPP

Quick Answer: 174

Detailed Answer: 192

3. Which of the following best describes TACACS+?

A. A symmetric-key authentication protocol used to protect the sending of logon information

B. A remote-access control system providing authentication, authorization, and accounting

C. A centralized authentication and access control for credentials to resources within an enterprise

D. An on-demand authentication used at random intervals within an ongoing data transmission

Quick Answer: 174

Detailed Answer: 193

4. Which of the following best describes RADIUS?

A. A symmetric-key authentication protocol used to protect the sending of logon information

B. A remote-access control system providing authentication, authorization, and accounting

C. A centralized authentication and access control for credentials to resources within an enterprise

D. An on-demand authentication used at random intervals within an ongoing data transmission

Quick Answer: 174

Detailed Answer: 193

5. Which of the following best describes CHAP?

A. A symmetric-key authentication protocol used to protect the sending of logon information

B. A remote-access control system providing authentication, authorization, and accounting

C. A centralized authentication and access control for credentials to resources within an enterprise

D. An on-demand authentication used at random intervals within an ongoing data transmission

Quick Answer: 174

Detailed Answer: 193

6. Which of the following best describes Kerberos?

A. A symmetric-key authentication protocol used to protect the sending of logon information

B. A remote-access control system providing authentication, authorization, and accounting

C. A centralized authentication and access control for credentials to resources within an enterprise

D. An on-demand authentication used at random intervals within an ongoing data transmission

Quick Answer: 174

Detailed Answer: 193

7. Wireless, port-based access control is often paired with which of the following?

A. Kerberos

B. RADIUS

C. TACACS+

D. CHAP

Quick Answer: 174

Detailed Answer: 193

8. Which of the following types of authentication involves comparison of two values calculated using the message digest (MD5) hashing algorithm?

A. Kerberos

B. RADIUS

C. TACACS+

D. CHAP

Quick Answer: 174

Detailed Answer: 194

9. Which of the following should an organization deploy if the use of an asymmetric encryption method is required?

A. Kerberos

B. TACACS

C. PKI

D. CHAP

Quick Answer: 174

Detailed Answer: 194

10. An organization wants to implement multifactor authentication. Which of the following could be used? (Select all correct answers.)

A. Smart cards

B. Kerberos authentication

C. Anonymous access

D. Biometric authentication

Quick Answer: 174

Detailed Answer: 194

11. An organization is looking for a biometric method that identifies an individual by using the colored part of the eye surrounding the pupil. Which of the following solutions should they implement?

A. Signature

B. Iris profile

C. Facial geometry

D. Retinal scan

Quick Answer: 174

Detailed Answer: 194

12. Which of the following are issues associated with the implementation of biometric authentication methods?

A. Error ratios

B. Invasiveness

C. Account lockouts

D. Cross-contamination

Quick Answer: 174

Detailed Answer: 194

13. Which of the following technologies provides a mechanism for the creation of a secured tunnel through a public network?

A. VPN

B. RAS

C. LDAP

D. RADIUS

Quick Answer: 174

Detailed Answer: 194

14. Which of the following technologies functions as a gateway through which the remote user may access local resources?

A. VPN

B. RAS

C. LDAP

D. RADIUS

Quick Answer: 174

Detailed Answer: 194

15. Which of the following technologies allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory?

A. VPN

B. RAS

C. LDAP

D. RADIUS

Quick Answer: 174

Detailed Answer: 195

16. In which of the following technologies is a centralized authentication solution managed through a client/server configuration?

A. VPN

B. RAS

C. LDAP

D. RADIUS

Quick Answer: 174

Detailed Answer: 195

17. Which of the following would be implemented if the organization requires a solution for both authentication and authorization? (Select all correct answers.)

A. RADIUS

B. TACACS+

C. LDAP

D. RAS

Quick Answer: 174

Detailed Answer: 195

18. Which of the following ports would have to be open if the organization wants to implement a solution that includes LDAP?

A. 161

B. 110

C. 389

D. 162

Quick Answer: 174

Detailed Answer: 195

19. Which of the following best describes the part of a packet that is encrypted by RADIUS?

A. The datagram only

B. The entire packet

C. Only the password

D. Only the header

Quick Answer: 174

Detailed Answer: 195

20. Which of the following protocols does RADIUS use?

A. TCP

B. UDP

C. FTP

D. SNMP

Quick Answer: 174

Detailed Answer: 195

21. Which of the following protocols does TACACS+ use?

A. TCP

B. UDP

C. FTP

D. SNMP

Quick Answer: 174

Detailed Answer: 196

22. An organization is implementing a technology that only uses CHAP for authentication. Which of the following protocols will be used with CHAP?

A. FTP

B. SPAP

C. PPTP

D. PPP

Quick Answer: 174

Detailed Answer: 196

23. Which of the following best describes the difference between RADIUS and TACACS?

A. TACACS is an actual Internet standard; RADIUS is not.

B. RADIUS is an encryption protocol; TACACS is an authentication protocol.

C. RADIUS is an actual Internet standard; TACACS is not.

D. RADIUS is an authentication protocol; TACACS is an encryption protocol.

Quick Answer: 174

Detailed Answer: 196

24. To which of the following are biometric devices susceptible? (Select all correct answers.)

A. False acceptance

B. False positives

C. False negatives

D. False rejection

Quick Answer: 174

Detailed Answer: 196

25. Which of the following best describes false rejection?

A. The system allows an intrusive action to pass as normal.

B. Allows access to an unauthorized user.

C. Denies access to an authorized user.

D. The system deems a legitimate action a possible intrusion.

Quick Answer: 174

Detailed Answer: 196

Objective 3.8: Explain the difference between identification and authentication (identity proofing).

1. Which of the following best describes identity proofing?

A. Controls access to shared computer’s processors and memory

B. Model where permissions are uniquely assigned to each account

C. A type of access attempt that causes a security event log record

D. Organizational process that binds users to authentication methods

Quick Answer: 174

Detailed Answer: 196

2. Which of the following is true about identity proofing?

A. It is the main component of authentication life cycle management.

B. It must be used in a manner other than online database validation.

C. It is the main component of accounting life cycle management.

D. It is completely separate from any type of integrated biometrics.

Quick Answer: 174

Detailed Answer: 197

3. An organization is concerned about secure identification when users forget their hardware token. Which of the following is the primary method to mitigate the vulnerabilities associated with improper authentication?

A. Security guards

B. Identity proofing

C. RADIUS authentication

D. Video surveillance

Quick Answer: 174

Detailed Answer: 197

4. Which of the following are authentication forms that can be used with identity proofing? (Select all correct answers.)

A. Smart cards

B. Mantraps

C. Biometrics

D. One-time password devices

Quick Answer: 174

Detailed Answer: 197

5. Which of the following best describes the purpose of identity proofing?

A. Functions as a gateway for remote users to access local resources or Internet connectivity

B. Allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory

C. Gives the organization assurance that the user performing an authentication is the legitimate user

D. Provides for authentication, accounting, and access control for resources for organizational users

Quick Answer: 174

Detailed Answer: 197

Objective 3.9: Explain and apply physical access security methods.

1. Physically unsecured equipment is vulnerable to which of the following types of attacks?

A. Brute force

B. Social engineering

C. Malware

D. Rootkits

Quick Answer: 174

Detailed Answer: 197

2. In which of the following types of environments are mandatory physical access controls commonly found? (Select all correct answers.)

A. Academic institutions

B. Corporate environments

C. Government facilities

D. Military installations

Quick Answer: 174

Detailed Answer: 197

3. Which of the following is the primary goal of a physical security plan?

A. To deny access to most users allowing only corporate officers

B. To allow access to all visitors without causing undue duress

C. To allow only trusted use of resources via positive identification

D. To deny access to all except users deemed credible

Quick Answer: 174

Detailed Answer: 198

4. Which of the following may be used to prevent an intruder from monitoring users in very high-security areas? (Select all correct answers.)

A. Picket fencing

B. Painted glass

C. Frosted glass

D. Chain-link fencing

Quick Answer: 174

Detailed Answer: 198

5. Which of the following best describes the physical area known as no-man’s land?

A. An area of cleared land surrounding a building

B. An area of bushes surrounding a building

C. A holding area between two entry points

D. A receiver mechanism that reads an access card

Quick Answer: 174

Detailed Answer: 198

6. Which of the following best describes a mantrap?

A. An area of cleared land surrounding a building

B. An area of bushes surrounding a building

C. A holding area between two entry points

D. A receiver mechanism that reads an access card

Quick Answer: 174

Detailed Answer: 198

7. Which of the following best describes the difference between a cipher lock and a wireless lock?

A. A cipher lock is opened by a receiver mechanism, whereas a wireless lock has a punch code entry

B. A cipher lock is opened with a key, whereas a wireless lock has a remote control mechanism

C. A cipher lock is opened with a remote control mechanism, whereas a wireless lock is opened with a key

D. A cipher lock has a punch code entry, whereas a wireless lock is opened by a receiver mechanism

Quick Answer: 174

Detailed Answer: 198

8. Which of the following types of surveillance would the organization implement if it was required that the parking lot be constantly monitored?

A. CCTV cameras

B. Security guards

C. Keycard gate

D. Motion detectors

Quick Answer: 174

Detailed Answer: 198

9. Which of the following technologies are used in external motion detectors? (Select all correct answers.)

A. Infrared

B. Sound

C. RFID

D. Ultrasonic

Quick Answer: 174

Detailed Answer: 198

10. Which of the following best describes discretionary physical control?

A. User access is closely monitored and very restricted with no exceptions.

B. Common needs are predetermined and access is allowed with the same key.

C. Access is delegated to parties responsible for that building or room.

D. Each individual has a unique key that corresponds to his or her access needs.

Quick Answer: 174

Detailed Answer: 198

11. Which of the following best describes mandatory physical control?

A. User access is closely monitored and very restricted with no exceptions.

B. Common needs are predetermined and access is allowed with the same key.

C. Access is delegated to parties responsible for that building or room.

D. Each individual has a unique key that corresponds to his or her access needs.

Quick Answer: 174

Detailed Answer: 199

12. Which of the following best describes role-based physical control?

A. User access is closely monitored and very restricted with no exceptions.

B. Common needs are predetermined and access is allowed with the same key.

C. Access is delegated to parties responsible for that building or room.

D. Each individual has a unique key that corresponds to his or her access need.

Quick Answer: 174

Detailed Answer: 199

13. Which of the following physical safeguards would provide the best protection for a building that houses top-secret sensitive information and systems?

A. Mantrap

B. No-man’s land

C. Wooden fence

D. Door access system

Quick Answer: 174

Detailed Answer: 199

14. Which of the following physical safeguards would be most commonly implemented in security for banks?

A. Mantraps

B. Security dogs

C. Painted glass

D. Video surveillance

Quick Answer: 174

Detailed Answer: 199

15. Which of the following is the main security concern of implementing motion detectors?

A. They can easily be deactivated.

B. They can easily be fooled.

C. They are extremely sensitive.

D. They are extremely expensive.

Quick Answer: 174

Detailed Answer: 199

Quick-Check Answer Key

Objective 3.1: Identify and apply industry best practices for access control methods.

1. B

2. B

3. A

4. C

5. D

6. C

7. B

8. A

9. C

10. C

11. D

12. B

13. A

14. D

15. C

Objective 3.2: Explain common access control models and the differences between each.

1. A

2. B

3. D

4. D

5. A

6. C

7. A, C

8. D

9. A, B

10. C

11. A

12. A

13. B

14. A

15. C

Objective 3.3: Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

1. A, B, C

2. C

3. B

4. A, B, C, D

5. D

6. B

7. C

8. B, D

9. D

10. B

11. A, D

12. B

13. D

14. A

15. C

Objective 3.4: Apply appropriate security controls to file and print resources.

1. B

2. A, C, D

3. B

4. A

5. D

6. C

7. A

8. A, D

9. B

10. B, D

Objective 3.5: Compare and implement logical access control methods.

1. B

2. A

3. D

4. C

5. A

6. B

7. D

8. C

9. A

10. A, B, D

11. C

12. D

13. C

14. B, D

15. A

16. A, B, C

17. D

18. C

19. A

20. B

Objective 3.6: Summarize the various authentication models and identify the components of each.

1. B, C, D

2. B

3. C

4. D

5. A

6. B

7. D

8. A

9. C

10. B

11. A

12. B

13. C, D

14. D

15. A

Objective 3.7: Deploy various authentication models and identify the components of each.

1. B, C, D

2. D

3. B

4. C

5. D

6. A

7. B

8. D

9. C

10. A, B, D

11. B

12. B

13. A

14. B

15. C

16. D

17. A, B

18. C

19. C

20. B

21. A

22. D

23. C

24. A, D

25. C

Objective 3.8: Explain the difference between identification and authentication (identity proofing).

1. D

2. A

3. B

4. A, C, D

5. C

Objective 3.9: Explain and apply physical access security methods.

1. B

2. C, D

3. C

4. B, C

5. A

6. C

7. D

8. A

9. A, B, D

10. C

11. A

12. B

13. B

14. D

15. C

Answers and Explanations

Objective 3.1: Identify and apply industry best practices for access control methods.

1. Answer: B. The phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

2. Answer: B. The User Access Control (UAC) technology used by the Microsoft Vista operating system ensures that software applications cannot perform privileged access without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the “run as” option to specify the explicit use of a privileged account. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

3. Answer: A. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

4. Answer: C. Separation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, as well as the separation of roles, such as security assignment and compliance audit procedures. Answer A is incorrect. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to review the standard operating practices in place. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

5. Answer: D. Expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time. Answer A is incorrect because rotation refers to alternating administrative users between roles to improve awareness of the mandates of each role, and ensure that fraudulent activity cannot be sustained. Answer B is incorrect because purging is an action used to get rid of records. Answer C is incorrect because aging is associated with the length of time a password can be used.

6. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

7. Answer: B. The phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

8. Answer: A. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when access is not explicitly denied. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role and also ensures that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice used for allowing passwords to expire on all accounts on a regular basis. This includes accounts not used after a certain period of time, such as contractor accounts. It is also used for protecting against brute-force password-guessing attacks.

9. Answer: C. Separation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, as well as the separation of roles, such as security assignment and compliance audit procedures. Answer A is incorrect. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to review the standard operating practices in place. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

10. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

11. Answer: D. Expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time. Unused accounts often retain weak passwords used in initial assignment, and may be more susceptible to password-guessing routines. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

12. Answer: B. Separation of account functionality protects the network by ensuring that an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges. Answer A is incorrect because segregation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, and the separation of roles. Answer C is incorrect. Separation of role duties ensures that validation is maintained apart from execution, protecting the network against fraudulent actions or incomplete execution of security mandates. Answer D is incorrect. Segregation of resources would be a separate subnet or a segment separated by a firewall.

13. Answer: A. The User Access Control (UAC) technology used by the Microsoft Vista operating system ensures that software applications cannot perform privileged access without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the “run as” option to specify the explicit use of a privileged account. Answer B is incorrect because the “send to” option is a right-click function used to export files. Answer C is incorrect. Gpresult is used to see the resultant set of group policies. Answer D is incorrect. The run command is a Start menu item used to run programs.

14. Answer: D. Unused accounts often retain weak passwords used in initial assignment, and may be more susceptible to password-guessing routines. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address.

15. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase “less is more” is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

Objective 3.2: Explain common access control models and the differences between each.

1. Answer: A. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

2. Answer: B. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer A is incorrect. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

3. Answer: D. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details the systems and accounts with access rights and the limits of their access to the resource. Answer A is incorrect. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights.

4. Answer: D. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details the systems and accounts with access rights and the limits of their access to the resource. Answer A is incorrect. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights.

5. Answer: A. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. This type of access control is often used within governmental systems where resources and access may be granted based on categorical assignment such as classified, secret, or top secret. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

6. Answer: C. In a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. This type of access control is used with groups, so that rights are inherited by each group member account. Answer A is incorrect because mandatory access control involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

7. Answer: A, C. A mandatory access control solution involving labels such as DONOR and DISPLAY would suffice for the user access assignment. A role-based access control solution involving the roles of User and Donor would also be appropriate. Answer B is incorrect because the complexity of assigning by-user access rights over each item’s files would involve a large amount of administrative overhead. Answer D is incorrect because the complexity of the requirement is not great enough to involve detailed conditional testing.

8. Answer: D. A rule-based access control solution would allow detailed conditional testing of the user’s account type and the time of day and day of the week to allow or deny access. Answers A and B are incorrect because neither solution allows for conditional testing. Answer C is also incorrect because role-based access control involves testing against role-assigned access rights, rather than against other qualities such as a test for normal working hours.
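To make the four models compared in answers 1 through 8 concrete, the following is an added example (not code from the book) that implements a toy version of each: label matching for mandatory access control, an owner-controlled grant table for discretionary access control, role-to-permission mapping for role-based access control, and a time-of-day rule for rule-based access control. The account names, labels, roles, resources and rule in it are constructed for illustration.

```python
from datetime import datetime
from typing import Callable, Dict, Set

# ---- Mandatory access control ------------------------------------------------
# The administrator labels both accounts and resources; the resource owner has
# no say. Access exists only when the resource's label is among the account's
# labels (the DONOR / DISPLAY labels are constructed, after answer 7).
MAC_ACCOUNT_LABELS: Dict[str, Set[str]] = {
    "alice": {"DONOR", "DISPLAY"},
    "bob": {"DISPLAY"},
}
MAC_RESOURCE_LABELS: Dict[str, str] = {
    "donor_list.xlsx": "DONOR",
    "exhibit_photo.jpg": "DISPLAY",
}


def mac_allowed(account: str, resource: str) -> bool:
    """Nondiscretionary decision: labels either match or access is refused."""
    return MAC_RESOURCE_LABELS.get(resource) in MAC_ACCOUNT_LABELS.get(account, set())


# ---- Discretionary access control --------------------------------------------
class DacObject:
    """The owner alone decides which other subjects may access the object."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.grants: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, by: str, to: str, permission: str) -> None:
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.grants.setdefault(to, set()).add(permission)

    def allowed(self, subject: str, permission: str) -> bool:
        return permission in self.grants.get(subject, set())


# ---- Role-based access control -----------------------------------------------
# Rights are attached to roles, never directly to accounts.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "User": {"read:catalog"},
    "Donor": {"read:catalog", "read:donor_list"},
}
ACCOUNT_ROLES: Dict[str, Set[str]] = {"alice": {"Donor"}, "bob": {"User"}}


def rbac_allowed(account: str, permission: str) -> bool:
    """An account holds a right only through one of its roles."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in ACCOUNT_ROLES.get(account, set()))


# ---- Rule-based access control -----------------------------------------------
# Each resource carries a rule evaluated against the account type and the
# moment of the request; resources without a rule are implicitly denied.
Rule = Callable[[str, datetime], bool]


def business_hours(account_type: str, when: datetime) -> bool:
    """Temporary staff may connect only Monday to Friday, 08:00 to 18:00."""
    if account_type == "regular":
        return True
    return when.weekday() < 5 and 8 <= when.hour < 18


RULES: Dict[str, Rule] = {"timesheet_app": business_hours}


def rule_allowed(resource: str, account_type: str, when: datetime) -> bool:
    rule = RULES.get(resource)
    return rule is not None and rule(account_type, when)


if __name__ == "__main__":
    print("MAC  alice -> donor_list.xlsx:", mac_allowed("alice", "donor_list.xlsx"))
    print("MAC  bob   -> donor_list.xlsx:", mac_allowed("bob", "donor_list.xlsx"))
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read after owner grant:", doc.allowed("bob", "read"))
    print("RBAC bob read:donor_list:", rbac_allowed("bob", "read:donor_list"))
    print("Rule temp worker, Saturday 09:00:",
          rule_allowed("timesheet_app", "temporary", datetime(2024, 1, 6, 9, 0)))
```

Note how only the rule-based branch consults anything beyond the identity of the account, which is why answer 8 picks it for a working-hours restriction, and how in the discretionary branch a non-owner attempting to grant access is refused.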

9. Answer: A, B. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment by divisions and classes. The four divisions of access control are division D, which is Minimal; division C, which is Discretionary; division B, which is Mandatory; and division A, which is Verified. Category A is the highest level, essentially encompassing all elements of Category B, in addition to formal design and verification techniques. Answers C and D are incorrect; they describe network design methods.

10. Answer: C. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment. The four divisions of access control are division D, which is Minimal; division C, which is Discretionary; division B, which is Mandatory; and division A, which is Verified. Category A is the highest level, essentially encompassing all elements of Category B, in addition to formal design and verification techniques. Based on the preceding statement, answers A, B, and D are incorrect.

11. Answer: A. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details the systems and accounts with access rights and the limits of their access to the resource. Answer B is incorrect. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a user-based model, permissions are uniquely assigned to each account.

12. Answer: A. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

13. Answer: B. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer A is incorrect. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

14. Answer: A. Mandatory access control is the most basic form of access control; it involves the assignment of labels to resources and accounts. This type of access control is often used within governmental systems where resources and access may be granted based on categorical assignment such as classified, secret, or top secret. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.

15. Answer: C. In role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles. This solution provides the greatest level of scalability within large enterprise scenarios, where explicit grants of rights to individual accounts would rapidly incur a significant level of administrative overhead, and the potential for accidentally granting permissions beyond those needed becomes very high. Answer A is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details the systems and accounts with access rights and the limits of their access to the resource. Answer B is incorrect. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer D is incorrect. In a user-based model, permissions are uniquely assigned to each account.

Objective 3.3: Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

1. Answer: A, B, C. A user account holds information about the specific user. It can contain basic information such as name, password, and the level of permission the user has. Answer D is incorrect because devices are not included in user account information. Device information is more closely associated with SNMP tracking.

2. Answer: C. The internal user has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it. Although partnering vendors, contract workers and external users have the opportunity to damage data, they do not have enough permission to accidentally delete data nor do they have access to data as readily as internal users. Based on this information, answers A, B, and D are incorrect.

3. Answer: B. Active Directory Services provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions to groups for resource access. Distribution groups are assigned to a user list for applications or non-security-related functions. For example, a distribution group can be used by Microsoft Exchange to distribute mail. Answers A and D are incorrect because these groups do not exist. Answer C is incorrect because security groups are used to assign rights and permissions to groups for resource access.

4. Answer: A, B, C, D. Users can be placed in universal, global, domain, or local groups.

5. Answer: D. Within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer B is incorrect; in group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles.

6. Answer: B. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Access control over large numbers of user accounts can be more easily accomplished by managing the access permissions on each group, which are then inherited by the group’s members. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer C is incorrect because in role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles. Answer D is incorrect; within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs.

7. Answer: C. Active Directory Services provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions to groups for resource access. Answers A and D are incorrect because these groups do not exist. Answer B is incorrect because distribution groups are assigned to a user list for applications or non-security-related functions.

8. Answer: B, D. The user rights assignment is twofold: It can grant specific privileges, and it can grant logon rights to users and groups in your computing environment. Logon rights control who and how users log on to the computer, such as the right to log on to a system locally, whereas privileges allow users to perform system tasks such as the right to back up files and directories. Answers A and C are incorrect because the user rights assignment has nothing to do with segregation of users or resources; that is more of an access control function.

9. Answer: D. Within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer B is incorrect; in group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles.

10. Answer: B. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Access control over large numbers of user accounts can be more easily accomplished by managing the access permissions on each group, which are then inherited by the group’s members. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer C is incorrect because in role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles. Answer D is incorrect; within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs.

11. Answer: A, D. The user rights assignment is twofold: It can grant specific privileges, and it can grant logon rights to users and groups in your computing environment. Logon rights control who and how users log on to the computer, such as the right to log on to a system locally, whereas permissions allow users to perform system tasks such as the right to back up files and directories. Answers B and C are incorrect because they state the exact opposite of what is true.

12. Answer: B. When working with groups, remember a few key items. No matter what OS you are working with, if you are giving a user full access in one group and no access in another group, the result will be no access. However, group permissions are cumulative, so if a user belongs to two groups and one has more liberal access, the user will have the more liberal access, except where the no access right is involved. Therefore, answer A is incorrect. Answers C and D are incorrect because the user would either have full access or no access; read and write are not mentioned in the question.

13. Answer: D. Group permissions are cumulative, so if a user belongs to two groups and one has more liberal access, the user will have the more liberal access, except where the no access right is involved. For example, write access has more privileges than just read access. No matter what OS you are working with, if you are giving a user full access in one group and no access in another group, the result will be no access. Therefore, answers A and B are incorrect. Answer C is incorrect because permissions are cumulative.

14. Answer: A. Although permissions can apply to individual user accounts, they are best administered by using group accounts. Answer B is incorrect because applying permissions to individual accounts creates administrative overhead and is not good practice. Answers C and D are incorrect because in a domain environment, users are placed in groups, and then permissions are set.

15. Answer: C. The administrative account should be used only for the purpose of administering the server. Based on the previous statement, answers A, B, and D are incorrect.

Objective 3.4: Apply appropriate security controls to file and print resources.

1. Answer: B. Print and file sharing increases the risk of intruders being able to access any of the files on a computer’s hard drive. Locking down these shares is imperative because unprotected network shares are always easy targets and rank high in the list of top security exploits. Answer A is incorrect because logic bombs are based on time or events. Answer C is incorrect because unprotected shares can be detected. Answer D is incorrect because the question asks for the most compelling reason, which is answer B.

2. Answer: A, C, D. Recommendations for securing file and print sharing include filtering traffic on UDP/TCP ports 137, 138, 139, and 445. Answer B is incorrect; port 135 is used for DCOM-related services. Any machines placed behind a NAT router will be inherently safe from attacks on port 135.

3. Answer: B. In Windows 2000 and later, Microsoft added the possibility to run SMB directly over TCP/IP. This uses TCP port 445. Recommendations for securing file and print sharing include filtering traffic on UDP/TCP ports 137, 138, 139, and 445. Answer A is incorrect because port 110 is used for POP3 mail. Answer C is incorrect; port 135 is used for DCOM-related services. Answer D is incorrect; SNMP servers communicate on port 161. They listen for and respond to incoming client requests and commands and are also able to issue alerts, called “traps.”

4. Answer: A. Print and file sharing increases the risk of intruders being able to access any of the files on a computer’s hard drive. Locking down these shares is imperative because unprotected network shares are always easy targets and rank high in the list of top security exploits. Answers B, C, and D are incorrect because they portray just the opposite. Unprotected shares will not mitigate, decrease, or protect against attacks.

5. Answer: C, D. Print and file sharing increases the risk of intruders being able to access any of the files on a computer’s hard drive. Locking down these shares is imperative because unprotected network shares are always easy targets and rank high in the list of top security exploits. Depending on your operating systems in use, there are two areas to look at: Server Message Block (SMB) file-sharing protocol and Common Internet File System (CIFS). Answer A is incorrect; SMTP is used for email services. Answer B is incorrect; Common Gateway Protocol is used by Citrix. The ICA Client tunnels its ICA traffic inside the Common Gateway Protocol and sends the traffic to port 2598.

6. Answer: C. Determine whether file and print sharing is really needed. If it isn’t, unbind NetBIOS from TCP/IP. By doing so, you effectively disable Windows SMB file and print sharing. Answer A is incorrect because services may use the default shares to communicate such as the IPC share. Answer B is incorrect because binding NetBIOS to TCP/IP would enable file and print sharing services. Answer D is incorrect because the shares are created by default, and if you remove them, they will be automatically recreated the next time the machine is rebooted.

7. Answer: A. As Microsoft operating systems are installed, a number of hidden shares are created by default. An intruder would be aware of this and can map to them if given the chance. Answer B is incorrect because you can restrict user access to read only. Answer C is incorrect because full access has to be granted; it is not automatic. Answer D is incorrect; hidden shares can be detected and users can be restricted from creating shares.

8. Answer: A, D. Here are some recommendations for securing file and print sharing: Use an antivirus product that searches for CIFS worms, run intrusion testing tools, filter traffic on UDP/TCP ports 137, 138, 139, and 445, and install proper firewalls. Answer B is incorrect because port 135 is used for DCOM services. Answer C is incorrect because binding NetBIOS to TCP/IP would enable file and print sharing services.

9. Answer: B. Here are some recommendations for securing file and print sharing: Use an antivirus product that searches for CIFS worms, run intrusion testing tools, filter traffic on UDP/TCP ports 137, 138, 139, 445, and install proper firewalls. Answers A, C, and D are incorrect; securing file and print sharing has nothing to do with SMTP, adware, or logic bombs.

10. Answer: B, C. User education and mandatory settings can go a long way toward making sure that file sharing is not enabled unless needed. Answer A is incorrect. Discretionary access control allows the user to control access. Answer D is incorrect. Although written warnings are a method of addressing violations, preventative measures are recommended over reactive measures.

Objective 3.5: Compare and implement logical access control methods.

1. Answer: B. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer C is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.

2. Answer: A. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer C is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.

3. Answer: D. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created. A user’s access token includes the SIDs of all groups of which the user is a member. When a user logs on and authentication is successful, the logon process returns a SID for the user and a list of SIDs for the user’s security groups, and these comprise the access token. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer C is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses.

4. Answer: C. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.

5. Answer: A. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas. Answers B and C are incorrect; a decentralized solution is less secure than a centralized model. Answer D is incorrect; a decentralized model is more scalable, not less scalable.

6. Answer: B. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas. Answers A and D are incorrect; a centralized solution is more secure than a decentralized model. Answer C is incorrect; a centralized model is less scalable, not more scalable.

7. Answer: D. The order of GPO processing is important because a policy applied later overwrites a policy applied earlier. Group policies get applied from the bottom up, so if there is a conflict, the policy higher up in the list will prevail, unless it meets one of the exceptions such as block inheritance and loopback. Based on the previous statement, answers A, B, and C are incorrect.

8. Answer: C. Recommendations for setting a good password policy include making the password length at least eight characters and requiring the use of uppercase and lowercase letters, numbers, and special characters. Answers A and B are incorrect because the length is too short and such passwords can easily be compromised. Answer D is incorrect because although it would create a secure password, the length is too long for the average user to remember, causing users to write passwords down.

9. Answer: A. When Group Policy configures these settings, keep in mind that you can have only one domain account policy. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain in Windows Server 2003 and earlier server versions. Domain password policies affect all users in the domain. The effectiveness of these policies depends on how and where they are applied. Based on this information, answers B, C, and D are incorrect.

10. Answer: A, B, D. Good password policies include making the password length at least eight characters; requiring the use of uppercase and lowercase letters, numbers, and special characters; requiring users to change passwords every 60 to 90 days; and setting the server to not allow users to use the same password over and over again. Answer C is incorrect because locking out user accounts after two failed logon attempts will cause undue stress on the help desk staff. Best practice for failed logon attempts is to lock out after three to five bad logon attempts.
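The thresholds given in answers 8 and 10 (eight-character minimum, all four character classes, a change every 60 to 90 days, no reuse, lockout after three to five failed attempts) can be checked mechanically. The following is an added example, not code from the book, that scores a password-policy configuration and a candidate password against those thresholds. The policy dictionary keys and the two sample configurations are constructed for illustration and are not Group Policy setting names.

```python
import string

# Thresholds as stated in answers 8 and 10.
MIN_LENGTH = 8
MAX_AGE_RANGE = (60, 90)     # force a password change every 60 to 90 days
LOCKOUT_RANGE = (3, 5)       # lock the account after 3 to 5 failed logons

SPECIAL_CHARS = set(string.punctuation)


def password_meets_policy(password: str) -> bool:
    """At least MIN_LENGTH characters with upper, lower, digit and special present."""
    if len(password) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    return has_upper and has_lower and has_digit and has_special


def policy_findings(policy: dict) -> list:
    """Return one finding per deviation from best practice; an empty list is compliant."""
    findings = []
    if policy.get("min_length", 0) < MIN_LENGTH:
        findings.append("minimum length below 8 characters")
    if not policy.get("complexity_required", False):
        findings.append("complexity (upper, lower, digit, special) not required")
    max_age = policy.get("max_age_days")
    if max_age is None or not (MAX_AGE_RANGE[0] <= max_age <= MAX_AGE_RANGE[1]):
        findings.append("maximum password age not within 60 to 90 days")
    if policy.get("history_size", 0) < 1:
        findings.append("password history not enforced; reuse is possible")
    lockout = policy.get("lockout_threshold")
    if lockout is None:
        findings.append("no account lockout threshold configured")
    elif lockout < LOCKOUT_RANGE[0]:
        findings.append("lockout threshold below 3; expect undue help desk load")
    elif lockout > LOCKOUT_RANGE[1]:
        findings.append("lockout threshold above 5 failed attempts")
    return findings


# Constructed configurations: a weak one beside the corrected one.
WEAK_POLICY = {"min_length": 6, "complexity_required": False, "max_age_days": 365,
               "history_size": 0, "lockout_threshold": 2}
GOOD_POLICY = {"min_length": 8, "complexity_required": True, "max_age_days": 90,
               "history_size": 24, "lockout_threshold": 5}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        print(f"{name}: {policy_findings(policy) or 'compliant'}")
    for candidate in ("Tr0ub4dor&3", "password1"):
        print(f"{candidate!r}: {password_meets_policy(candidate)}")
```

The weak configuration produces one finding for each of the five practices listed in answer 10, and the corrected configuration produces none; the lockout branch separately reports a threshold of two, which answer 10 rejects for the help desk load it causes.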

11. Answer: C. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answers A, B, and D are incorrect because all these options affect all employees, not shift workers exclusively.

12. Answer: D. In Microsoft operating systems, each ACL has one or more access control entries (ACEs). These are descriptors that contain the name of a user, group, or role. The access privileges are stated in a string of bits called an access mask. Generally, the object owner or the system administrator creates the ACL for an object. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer C is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.
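Answer 12 describes an ACL as a list of access control entries carrying an access mask, answer 3 of this objective describes the access token as the user's SID plus group SIDs, and answers 12 and 13 of Objective 3.3 state the evaluation rule: group permissions accumulate, but "no access" (an explicit deny) wins. The following is an added example, not code from the book, that ties those three answers together in a simplified evaluator. The SID strings, the bit values of the access mask and the sample ACL are constructed and do not match real Windows values; a real DACL is walked in canonical order, where explicit deny entries precede allow entries, which yields the same "deny wins" outcome this summary computes.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed access-mask bits for the four common privileges named in answer 1.
READ, WRITE, DELETE, EXECUTE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | DELETE | EXECUTE
BIT_NAMES = {READ: "read", WRITE: "write", DELETE: "delete", EXECUTE: "execute"}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee (user, group or role) and its mask."""
    trustee_sid: str
    mask: int
    deny: bool = False        # False = allow ACE, True = deny ACE


def build_token(user_sid: str, group_sids: List[str]) -> Set[str]:
    """Access token as in answer 3: the user's SID plus every group SID."""
    return {user_sid, *group_sids}


def effective_access(token: Set[str], acl: List[Ace]) -> int:
    """Accumulate allow bits from every ACE whose trustee is in the token,
    then remove every bit covered by a matching deny ACE (no access wins)."""
    allowed = 0
    denied = 0
    for ace in acl:
        if ace.trustee_sid not in token:
            continue                     # ACE does not apply to this principal
        if ace.deny:
            denied |= ace.mask
        else:
            allowed |= ace.mask
    return allowed & ~denied


def access_check(token: Set[str], acl: List[Ace], requested: int) -> bool:
    """Grant only if every requested bit survives in the effective mask."""
    return (effective_access(token, acl) & requested) == requested


def describe(mask: int) -> List[str]:
    return [name for bit, name in BIT_NAMES.items() if mask & bit]


# Constructed sample: SIDs and ACL are illustrative, not real identifiers.
SAMPLE_ACL = [
    Ace("S-1-EXAMPLE-GROUP-SALES", READ | WRITE),
    Ace("S-1-EXAMPLE-GROUP-AUDIT", READ),
    Ace("S-1-EXAMPLE-GROUP-CONTRACTORS", FULL, deny=True),   # "no access"
]


def sample_results() -> dict:
    """Two principals: one in Sales and Audit, one in Sales and Contractors."""
    staff = build_token("S-1-EXAMPLE-USER-1001",
                        ["S-1-EXAMPLE-GROUP-SALES", "S-1-EXAMPLE-GROUP-AUDIT"])
    contractor = build_token("S-1-EXAMPLE-USER-1002",
                             ["S-1-EXAMPLE-GROUP-SALES", "S-1-EXAMPLE-GROUP-CONTRACTORS"])
    return {
        "staff": describe(effective_access(staff, SAMPLE_ACL)),
        "contractor": describe(effective_access(contractor, SAMPLE_ACL)),
    }


if __name__ == "__main__":
    for principal, rights in sample_results().items():
        print(f"{principal}: {rights or 'no access'}")
```

The first principal ends up with read and write because the two group grants accumulate; the second principal ends up with nothing, because membership in a group that is denied all access cancels the Sales grant, exactly the outcome answer 12 of Objective 3.3 requires.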

13. Answer: C. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas. Answer A is incorrect because in a user-based model, permissions are uniquely assigned to each account. Answer B is incorrect because in a centralized model, there is one central database of accounts and roles or groups to which the accounts are assigned. Answer D is incorrect because a group-based access method of access control is centralized.

14. Answer: B, D. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas. Answer A is incorrect because in a user-based model, permissions are uniquely assigned to each account. Answer C is incorrect because in a decentralized model, responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas.

15. Answer: A. If the computer is a workgroup member rather than a domain member, only the local policy is applied. Based on the previous statement, answers B, C, and D are incorrect. If the computer is a workgroup member, it does not matter what policies are set; only the local policy will apply.

16. Answer: A, B, C. GPOs can be associated with or linked to sites, domains, or organizational units. Because Group Policy is so powerful, various levels of administrative roles can be appointed. These include creating, modifying, and linking policies. Answer D is incorrect; forests span multiple domains, and Group Policy is not linked to a forest.

17. Answer: D. The order of GPO processing is important because a policy applied later overwrites a policy applied earlier. Group policies get applied from the bottom up; however, if there is a conflict, the policy higher up in the list will prevail. Based on the previous statements, answers A, B, and C are incorrect.

18. Answer: C. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answer A is incorrect because the account expiration attribute specifies when an account expires. This setting may be used under the same conditions as the time-of-day restrictions. Answer B is incorrect because the account lockout policy can be used to secure the system against attacks by disabling the account after a certain number of attempts, for a certain period of time. Answer D is incorrect because the software restriction policy has to do with application installations.

19. Answer: A. The account expiration attribute specifies when an account expires. This setting may be used under the same conditions as the time-of-day restrictions. Answer B is incorrect because the account lockout policy can be used to secure the system against attacks by disabling the account after a certain number of attempts, for a certain period of time. Answer C is incorrect. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answer D is incorrect because the software restriction policy has to do with application installations.

20. Answer: B. The account lockout policy can be used to secure the system against attacks by disabling the account after a certain number of attempts, for a certain period of time. Answer A is incorrect. The account expiration attribute specifies when an account expires. This setting may be used under the same conditions as the time-of-day restrictions. Answer C is incorrect. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answer D is incorrect because the software restriction policy has to do with application installations.
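Answers 18 through 20 contrast three account restrictions. The following Python, added here as an illustration and not taken from the book or from Windows itself, evaluates a logon against all three: a 168-bit weekly logon-hours mask modelled on the Active Directory logonHours attribute (its bit layout and UTC interpretation are assumptions), an account expiration timestamp, and a failed-attempt counter that locks the account for an assumed 30 minutes once five failures are recorded.

```python
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 5                      # answer key: lock out after three to five failures
LOCKOUT_DURATION = timedelta(minutes=30)   # assumption: how long the lockout lasts
HOURS_PER_WEEK = 7 * 24


def parse_utc(iso):
    """'2024-03-04T23:00:00' -> aware UTC datetime (all times in this example are UTC)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def logon_hours_mask(windows):
    """Build a 21-byte (168-bit) weekly bitmask, one bit per hour starting Sunday 00:00.
    `windows` holds (weekday, start_hour, end_hour) tuples, weekday 0 = Sunday, end
    exclusive. Layout modelled on the Active Directory logonHours attribute
    (assumption: hour n of the week is bit n % 8 of byte n // 8)."""
    mask = bytearray(HOURS_PER_WEEK // 8)
    for weekday, start, end in windows:
        for hour in range(start, end):
            n = weekday * 24 + hour
            mask[n // 8] |= 1 << (n % 8)
    return bytes(mask)


def hour_allowed(mask, when):
    sunday_based = (when.weekday() + 1) % 7        # Python: Monday=0, so shift to Sunday=0
    n = sunday_based * 24 + when.hour
    return bool(mask[n // 8] & (1 << (n % 8)))


class Account:
    def __init__(self, name, logon_hours, expires=None):
        self.name = name
        self.logon_hours = logon_hours     # bitmask from logon_hours_mask()
        self.expires = expires             # aware datetime or None (account expiration attribute)
        self.failed_attempts = 0
        self.locked_until = None


def record_failure(acct, now):
    """Count a bad logon; reaching the threshold locks the account for LOCKOUT_DURATION."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failed_attempts = 0


def record_success(acct):
    acct.failed_attempts = 0


def logon_permitted(acct, now):
    """Return (allowed, reason): lockout, then expiration, then time-of-day restriction."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False, "account locked out"
        acct.locked_until = None           # lockout period has elapsed
    if acct.expires is not None and now >= acct.expires:
        return False, "account expired"
    if not hour_allowed(acct.logon_hours, now):
        return False, "outside permitted logon hours"
    return True, "ok"


if __name__ == "__main__":
    # Constructed example: a night-shift temp allowed Mon-Fri 22:00-24:00 and Tue-Sat 00:00-06:00
    night = logon_hours_mask([(d, 22, 24) for d in range(1, 6)] + [(d, 0, 6) for d in range(2, 7)])
    temp = Account("shift-temp", night, expires=parse_utc("2024-06-30T00:00:00"))
    print(logon_permitted(temp, parse_utc("2024-03-04T23:00:00")))  # Monday night: allowed
    print(logon_permitted(temp, parse_utc("2024-03-04T12:00:00")))  # Monday noon: denied
    for _ in range(LOCKOUT_THRESHOLD):
        record_failure(temp, parse_utc("2024-03-04T23:05:00"))
    print(logon_permitted(temp, parse_utc("2024-03-04T23:10:00")))  # locked out
```

The order of the checks matters for the reasons the answers give: a lockout reflects a possible attack and is reported before anything else, expiration is a fixed property of the account, and the time-of-day mask is the restriction aimed specifically at shift and temporary workers.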

Objective 3.6: Summarize the various authentication models and identify the components of each.

1. Answer: B, C, D. Authentication can be generally broken into three basic forms, depending on what is required to authorize access: something you know, something you have, or something you are. Answer A is incorrect because something you touch may be a method used for validation, not a basic form.

2. Answer: B. Using a login and password is single-factor because it consists of only what you know. Therefore, it is not considered multifactor authentication. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication.

3. Answer: C. Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication.

4. Answer: D. Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified.

5. Answer: A. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication.

6. Answer: B. Before authorization may occur for anything other than anonymous access to wholly public resources, the identity of the account attempting to access a resource must first be determined. This process is known as authentication. The most well-known form of authentication is the use of a logon account identifier and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided. Therefore, answers A, C, and D are incorrect.

7. Answer: D. The shortcoming of any authentication system is that the keys used may be easily falsified and access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness. Answer A is incorrect because lost tokens are associated with biometric methods or multifactor authentication. Answer B is incorrect; false positives are associated with intrusion detection systems. Answer C is incorrect because weak encryption is most closely associated with wireless networks.

8. Answer: A. Most libraries require the creation of an account or a library card to use the computers and kiosks. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification. The highest levels of authentication may involve not only account logon, but also when the logon is occurring from specific network addresses or whether a security token such as an access smart card is present. Answer B is incorrect because although anonymous access is a possibility, as a publicly funded institution, the library should have some due diligence to prevent the use of the computer for illegal purposes. Answers C and D are incorrect; these types of authentication are extremely expensive and restrictive for access to library resources.

9. Answer: C. The highest levels of authentication may involve not only account logon, but also when the logon is occurring from specific network addresses or whether a security token such as an access smart card is present. Most governmental financial systems would require some type of biometric verification or a security token. Answers A, B, and D are incorrect; they are not restrictive enough. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification.

10. Answer: B. Millions of travelers access kiosks at airports daily. Although anonymous access is the weakest possible form of authentication, it is the only solution due to the volume of traffic. Whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification, requiring each traveler to use a login and password would create an unbearable backlog of travelers. Answer A is incorrect. Issuing security tokens is not cost-effective or administratively manageable in a kiosk environment. Answers C and D are incorrect; these types of authentication are extremely expensive and restrictive for access to airport kiosks.

11. Answer: A. Before access rights can be determined, a user must first be authenticated. Answer B is incorrect because the processes of authentication and access rights determination are not explicitly dependent on one another. Answers C and D are incorrect; authentication must precede access rights determination to avoid granting an unauthorized account access rights.

12. Answer: B. Authentication is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Answer A is incorrect because it describes identification, which is the presentation of a unique identity. Answer C is incorrect; it is a description of identification. Identification presents credentials. Answer D is incorrect because it describes access control. Access control provides a set of resources available to the authenticated identity.

13. Answer: C, D. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. SSO solutions may employ a central directory service like Microsoft’s Active Directory or Novell’s eDirectory service, or may sequester services behind a series of proxy applications as in the Service-Oriented Architecture approach. Answer A is incorrect because implementing single sign-on solutions can be costly. Answer B is incorrect. When single sign-on is used, if an account is compromised, there are more resources at risk.

14. Answer: D. Most access for telecommuters will involve not only account logon, but also when the logon is occurring from specific network addresses or whether a security token such as an access smart card is present. Answer A is incorrect; the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification and is not strong enough for home users with always-on network connections. Answer B is incorrect. Anonymous access is a very weak solution for home users with always-on network connections and should not be used. Answer C is incorrect; this type of authentication is extremely expensive and does not make sense for these users.

15. Answer: A. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. Answer B is incorrect; anonymous access is a very weak solution for home users with always-on network connections and should not be used. Answers C and D are incorrect because neither administrative nor anonymous access should be used.

Objective 3.7: Deploy various authentication models and identify the components of each.

1. Answer: B, C, D. The strengths of Kerberos authentication come from its time-synchronized connections and the use of registered client and service keys within the Key Distribution Center (KDC). The Key Distribution Center (KDC) is a trusted third party that consists of two logically separate parts: an Authentication Server (AS) and a Ticket-Granting Server (TGS). Answer A is incorrect because Kerberos is not used with remote-access connections.

2. Answer: D. Challenge-Handshake Authentication Protocol (CHAP) functions over Point-to-Point Protocol (PPP) connections. CHAP can be used to provide on-demand authentication within an ongoing data transmission. Based on the previous information, answers A, B, and C are incorrect.

3. Answer: B. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer C is incorrect; it describes RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

4. Answer: C. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

5. Answer: D. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission. Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; it describes RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

6. Answer: A. Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; it describes RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

7. Answer: B. The IEEE 802.1x standard for wireless port-based access control can be used to provide authentication as well as access control, but is often paired with a RADIUS server to facilitate enterprise-wide access management. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer C is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

8. Answer: D. The Challenge-Handshake Authentication Protocol uses two compared values created using the MD5 hashing algorithm. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer B is incorrect; TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.
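Answers 2 and 8 describe CHAP as on-demand authentication built on two compared MD5 values. The Python below, written for this review and not drawn from the book or from any PPP implementation, walks through the RFC 1994 exchange: the authenticator sends an identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the same value and compares. The shared secret and the peer name are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed shared secret; CHAP keeps it on both peers and never sends it on the wire.
SECRET = b"correct horse battery staple"


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (the PPP authenticator): issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets          # peer name -> shared secret (clear text, by CHAP design)
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge value not yet answered

    def challenge(self, rng=os.urandom):
        """Send a Challenge packet: at link start and again whenever re-authentication is wanted."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = rng(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        """Check a Response packet. A challenge is consumed on first use, so a replay fails."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: answers a challenge without ever transmitting the secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(auth, peer):
    """One Challenge/Response round; True means Success, False means Failure."""
    ident, chal = auth.challenge()
    return auth.verify(*peer.respond(ident, chal))


def replay_rejected(auth, peer):
    """Capture one valid response and resubmit it; the consumed challenge makes it fail."""
    ident, chal = auth.challenge()
    packet = peer.respond(ident, chal)
    first = auth.verify(*packet)
    second = auth.verify(*packet)
    return first and not second


if __name__ == "__main__":
    auth = Authenticator({"alice": SECRET})
    print(run_exchange(auth, Peer("alice", SECRET)))      # True
    print(run_exchange(auth, Peer("alice", b"wrong")))    # False
    print(replay_rejected(auth, Peer("alice", SECRET)))   # True
```

Because the authenticator can call `challenge()` at any point in the session, the same code models the "on-demand" re-authentication the answers mention; each round produces a different response, and an old one is useless once its challenge has been consumed.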

9. Answer: C. A Public Key Infrastructure (PKI) solution involves an asymmetric encryption scheme in which a public key is used to encrypt data and a separate private key is used to decrypt the data. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect logon information sent across an unsecured network. Answer B is incorrect; TACACS is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

10. Answer: A, B, D. Any combination of authentication methods may be used in a multifactor solution. Multifactor authentication just refers to solutions including more than a single type of authentication. Answer C is incorrect. Anonymous access is the weakest form of authentication and is not combined with other authentication methods.

11. Answer: B. Iris profile biometric devices identify an individual by using the colored part of the eye that surrounds the pupil. Answer A is incorrect because signature matches an individual’s electronic signature to a database by comparing electronic signals created by the speed and manner in which a document is signed. Answer C is incorrect because facial geometry identifies a user based on the profile and characteristics of his face. Answer D is incorrect because a retina scan identifies an individual by using the blood-vessel pattern at the back of the eyeball.

12. Answer: A, B. When using biometrics, remember that each method has its own degree of error ratios, and some methods may seem invasive to the users and may not be accepted gracefully. Answer C is incorrect because account lockouts have to do with passwords. Answer D is incorrect because cross-contamination is a physical concern not associated with biometric solutions.

13. Answer: A. Virtual private network (VPN) connections provide a mechanism for the creation of a secured “tunnel” through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

14. Answer: B. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped remote-access service (RAS) server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured “tunnel” through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

15. Answer: C. The Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured “tunnel” through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

16. Answer: D. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured “tunnel” through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory.

17. Answer: A, B. Modern solutions provide for both user authentication and authorization, including the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) protocols. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect because remote-access service (RAS) functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

18. Answer: C. Remember that LDAP is a TCP/IP-based protocol connecting by default to TCP port 389. Answers A and D are incorrect; ports 161 and 162 are used by SNMP. Answer B is incorrect because port 110 is used by POP3 for email.

19. Answer: C. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Based on this information, answers A, B, and D are incorrect.
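The point of answer 19, that only the User-Password attribute is protected, is easiest to see by building a packet. The Python below is an added illustration (not from the book or from any RADIUS implementation) of the RFC 2865 User-Password hiding: MD5 of the shared secret concatenated with the Request Authenticator is XORed with the NUL-padded password, one 16-octet block at a time. The username, NAS address and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, shared_secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding. The password is NUL-padded to a
    multiple of 16 octets; each block is XORed with MD5(secret + previous block),
    where the first 'previous block' is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, shared_secret, request_authenticator):
    """Inverse of hide_password: the server (or anyone holding the shared secret and
    the packet) recovers the password, so the secret's strength is what matters."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS attribute: Type (1 octet), Length (1 octet, counting these two), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Walk the attribute list after the 20-octet header; returns [(type, value), ...]."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, username, password, nas_ip, shared_secret,
                         request_authenticator=None):
    """Assemble an Access-Request. Only User-Password is transformed; User-Name and
    NAS-IP-Address travel in the clear, as do the header and the authenticator."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password, shared_secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


if __name__ == "__main__":
    # Constructed sample values: the username is readable in the packet, the password is not.
    pkt = build_access_request(7, b"alice", b"Tr0ub4dor&3", "192.0.2.10", b"shared-secret-123")
    for attr_type, value in parse_attributes(pkt):
        print(attr_type, value)
```

Reading the parsed attributes shows why the answer matters operationally: everything except the password is available to anyone who can capture the UDP datagram, and the password hiding itself depends entirely on the quality of the shared secret.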

20. Answer: B. RADIUS, which was developed originally for modem-based connectivity access control, uses User Datagram Protocol (UDP) transport. Answer A is incorrect; RADIUS uses UDP, which is connectionless, whereas TCP is a connection-oriented protocol. Answer C is incorrect. File Transfer Protocol is not connected with the use of RADIUS. Answer D is incorrect. SMTP is used for email communication.

21. Answer: A. TACACS+ is similar to Remote Authentication Dial-In User Service (RADIUS), but relies on Transmission Control Protocol (TCP) rather than RADIUS’s User Datagram Protocol (UDP) transport developed originally for modem-based connectivity access control. Therefore, answer B is incorrect. Answer C is incorrect. File Transfer Protocol is not connected with the use of TACACS+. Answer D is incorrect. SMTP is used for email communication.

22. Answer: D. CHAP functions over Point-to-Point Protocol (PPP) connections. PPP is a protocol for communicating between two points using a serial interface, and it provides service at the second layer of the OSI model: the data link layer. PPP can handle both synchronous and asynchronous connections. Answer A is incorrect. File Transfer Protocol is not connected with the use of CHAP. Answer B is incorrect; PPTP is not used as a connection protocol for CHAP. Answer C is incorrect; Shiva Password Authentication Protocol (SPAP) was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server.

23. Answer: C. TACACS is a client/server protocol that provides the same functionality as RADIUS, except that RADIUS is an actual Internet standard; therefore, answer A is incorrect. Answers B and D are incorrect because both RADIUS and TACACS are authentication protocols.

24. Answer: A, D. Biometric devices are susceptible to false acceptance and false rejection rates. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. Answers B and C are incorrect because false positives and negatives are associated with intrusion detection systems.

25. Answer: C. Biometric devices are susceptible to false acceptance and false rejection rates. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. Answer A is incorrect because it describes false negative. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. Therefore, answer B is incorrect. Answer D is incorrect because it describes a false positive.
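Answers 24 and 25 define FAR and FRR. The Python below, added as an illustration with constructed similarity scores rather than data from the book or from any vendor, computes both rates at a given acceptance threshold and locates the threshold where they cross, which is how a site tunes a biometric reader toward security (low FAR) or toward usability (low FRR).

```python
# Constructed sample of matcher similarity scores (0 = no match, 1 = perfect match):
# one list for enrolled users matched against their own template, one for impostors
# matched against someone else's template.
GENUINE_SCORES = [0.91, 0.87, 0.78, 0.69, 0.95, 0.83, 0.74, 0.60, 0.88, 0.80]
IMPOSTOR_SCORES = [0.20, 0.35, 0.42, 0.55, 0.31, 0.66, 0.48, 0.25, 0.71, 0.39]


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold.
    FAR: fraction of impostor attempts wrongly accepted (a security failure).
    FRR: fraction of genuine attempts wrongly rejected (a usability failure)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_threshold(genuine, impostor):
    """Threshold at which FAR and FRR are closest: the crossover (equal error rate) point."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates, key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                            - error_rates(genuine, impostor, t)[1]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far; high-security sites start here
    and accept the higher FRR that comes with it."""
    for t in sorted(set(genuine) | set(impostor)):
        if error_rates(genuine, impostor, t)[0] <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print("threshold %.2f  FAR %.2f  FRR %.2f" % (t, far, frr))
    print("crossover at", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero-FAR threshold", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

Raising the threshold drives FAR down and FRR up; the crossover value is the usual single-number comparison between devices, while a mandatory-access facility would instead fix a FAR ceiling and live with the rejections.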

Objective 3.8: Explain the difference between identification and authentication (identity proofing).

1. Answer: D. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Answer A is incorrect because a hypervisor controls how access to a computer’s processors and memory is shared. Answer B is incorrect because in a user-based model, permissions are uniquely assigned to each account. Answer C is incorrect because access control entries specify the types of access attempts that cause the system to generate a record in the security event log.

2. Answer: A. Identity proofing is the main component of authentication life cycle management. The first link in the chain of trust is established when a person is issued a credential establishing identity or privileges. It must provide a firm assurance that persons are who they say they are. This technique can include integrated biometrics or online database validation. Identity proofing comes in a variety of forms. Answers B and D are incorrect; when establishing identity or privileges, the method must provide a firm assurance that the person is who they say they are. This can include integrated biometrics or online database validation. Answer C is incorrect because identity proofing is based on authentication, not accounting. Accounting is associated with TACACS+.

3. Answer: B. Identity proofing is an organizational process that binds users to authentication methods. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Identity proofing is especially important in emergency access (for example, when users accidentally leave their hardware tokens at home). Answers A, C, and D are incorrect because these methods will not provide adequate identification if a hardware token is forgotten.

4. Answer: A, C, D. Authenticators for identity proofing include smart cards, biometrics, and one-time password (OTP) devices. Answer B is incorrect because a mantrap is a physical security device.

5. Answer: C. Identity proofing is an organizational process that binds users to authentication methods. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Identity proofing is the main component of authentication lifecycle management. Answer A is incorrect because it describes RAS. Answer B is incorrect because it describes LDAP. Answer D is incorrect because it describes TACACS+.

Objective 3.9: Explain and apply physical access security methods.

1. Answer: B. Unsecured equipment is vulnerable to social-engineering attacks. It is much easier for an attacker to walk into a reception area, say she is here to do some work on the server, and get access to the server than to get into a physically secured area with a guest sign-in and sign-out sheet. Brute-force attacks, malware, and rootkits can be installed or launched without physical access. Therefore, answers A, C, and D are incorrect.

2. Answer: C, D. Mandatory physical access controls are commonly found in government facilities and military installations where users are closely monitored and very restricted. Answers A and B are incorrect because academic institutions and most corporate environments use a discretionary or role-based access control method.

3. Answer: C. The goal of a physical security policy is to allow only trusted use of resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model the organization has chosen. Answers A, B, and D are incorrect because allowing only officers, or only users deemed to be credible, is discretionary, whereas allowing all visitors will create an insecure environment.

4. Answer: B, C. In very high-security areas, frosted or painted glass can be used to eliminate direct visual observation of user actions, and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors, network switching, and system operation. Answers A and D are incorrect; picket and chain-link fencing should not be used in high-security areas.

5. Answer: A. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer C is incorrect; it describes a mantrap. Answer D is incorrect because it describes a wireless lock entry.

6. Answer: C. A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer A is incorrect because it describes no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer D is incorrect because it describes a wireless lock entry.

7. Answer: D. A cipher lock has a punch code entry system. A wireless lock is opened by a receiver mechanism that reads the card when it is held close to the receiver. Based on this information, answers A, B, and C are incorrect.

8. Answer: A. Video or CCTV cameras should be posted in key locations so that the entire area is covered. Place cameras near entrances and exits to capture each visitor who comes in and out of the parking lot. Place cameras strategically so that every area of the parking lot can be seen by a camera’s field of vision. Answer B is incorrect. If the parking lot covers a large area, security guard coverage may not be enough. Answer C is incorrect because a keycard entry point can easily be compromised. Answer D is incorrect because motion detection is not feasible for a parking lot.

9. Answer: A, B, D. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Answer C is incorrect because radio-frequency identification (RFID) is an automatic identification method.

10. Answer: C. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer A is incorrect. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer B is incorrect. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.

11. Answer: A. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer B is incorrect. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.

12. Answer: B. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer A is incorrect. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.

13. Answer: B. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. Answer A is incorrect because a mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer C is incorrect because a fence keeps out unwanted vehicles and people. Answer D is incorrect because door access systems include biometric access, proximity access, and coded access systems, and modular door entry systems.

14. Answer: D. Video surveillance such as closed-circuit television (CCTV) is the most common method of surveillance. The picture is viewed or recorded, but not broadcast. It was originally developed as a means of security for banks. Answer A is incorrect because a mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer B is incorrect because security dogs are not a good solution for a bank. Answer C is incorrect because painted glass is used as a method of obscuring views; it is not a sufficient method of security for a bank.

15. Answer: C. Motion detectors can alert security personnel of intruders or suspicious activity on the company’s premises. They can be based on light, sound, infrared, or ultrasonic technology. These devices must be properly configured because they are extremely sensitive and can issue false alarms if set too stringently. Answers A and B are incorrect because they are false statements. Answer D is incorrect; although motion detectors may be a more expensive solution, the question asks for the main security concern.
