A system administrator needs to ensure that certain departments have more restrictive controls to their shared folders than other departments. Which of the following security controls would be implemented to restrict those departments?
A. User assigned privileges
B. Password disablement
C. Multiple account creation
D. Group based privileges
Correct Answer: D
Group-based privileges assign privileges or access to a resource to all members of a group. Group-based access control grants every member of the group the same level of access to a specific object.
Incorrect Answers:
A: These are permissions that are granted or denied on a specific individual user basis. This would not allow for a more restrictive control over the department's shared folders.
B: Disabling a password would allow for a less restrictive control over the department's shared folders.
C: Each user should only have one standard user account. Administrators can have more than one administrative account for different roles.
A new intern was assigned to the system engineering department, which consists of the system architect and system software developer's teams. These two teams have separate privileges. The intern requires privileges to view the system architectural drawings and comment on some software development projects.
Which of the following methods should the system administrator implement?
A. Group based privileges
B. Generic account prohibition
C. User access review
D. Credential management
Correct Answer: A
You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). By assigning the intern's user account to both groups, the intern will inherit the permissions assigned to those groups.
Incorrect Answers:
B: Generic account prohibition is a rule that states no generic, shared, or anonymous accounts should be allowed in private networks or on any system where security is important. This will not allow the intern to view the system architectural drawings and comment on some software development projects.
C: User access reviews are performed to conclude whether users have been performing their work tasks correctly or if there have been failed and/or successful attempts at violating company policies or the law. This will not allow the intern to view the system architectural drawings and comment on some software development projects.
D: Credential management is a service or software product that is designed to store and manage user credentials. It allows users to specify longer and more random credentials for their different accounts without having to remember or writing them down. This will not allow the intern to view the system architectural drawings and comment on some software development projects.
A new network administrator is setting up a new file server for the company. Which of the following would be the BEST way to manage folder security?
A. Assign users manually and perform regular user access reviews
B. Allow read only access to all folders and require users to request permission
C. Assign data owners to each folder and allow them to add individual users to each folder
D. Create security groups for each folder and assign appropriate users to each group
Correct Answer: D
Creating a security group for each folder and assigning necessary users to each group would only allow users belonging to the folder's security group access to the folder. It will make assigning folder privileges much easier, while also being more secure.
Incorrect Answers:
A: Assigning users manually and performing regular user access reviews would take longer than option D. The question asks for the best way to achieve the goal.
B: Allowing read only access to all folders and requiring users to request permission would require a lot of administrative effort. The question asks for the best way to achieve the goal.
C: Assigning data owners to each folder and allowing them to add individual users to each folder could defeat the principle of least privileges.
References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 294.
Question 554:
A network administrator is configuring access control for the sales department which has high employee turnover. Which of the following is BEST suited when assigning user rights to individuals in the sales department?
A. Time of day restrictions
B. Group based privileges
C. User assigned privileges
D. Domain admin restrictions
Correct Answer: B
The question states that the sales department has a high employee turnover. You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). Then when a new employee starts, you simply add the new user account to the appropriate groups. The user then inherits all the permissions assigned to the groups.
Incorrect Answers:
A: Time of day restrictions refer to restricting access to resources to certain times of the day. For example, in Windows Active Directory, you can configure user accounts to permit logging in only during office hours. Time of day restrictions are not used to assign user rights to users.
C: You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). If you assign permissions/privileges directly to a user, you need to assign the permissions/privileges to a new user account every time a new user starts. It's much simpler to add the new user account to a group that already has the appropriate permissions/privileges assigned.
D: Domain admin restrictions refer to applying restrictions to the Domain Administrator user account or accounts in the Domain Admins group to increase security. It is not used to assign permissions or privileges to new sales users.
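The four questions above all turn on the same mechanism: grant permissions to a group, then control who gets them by managing membership. The following is an added example, not code from the page or from any product it mentions; it is a toy in-memory model (group names, resource names and the permission strings are constructed) that shows the intern inheriting permissions from two groups and the sales department onboarding and offboarding with a single membership change each.

```python
"""Toy model of group-based versus user-assigned privileges (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    """Holds group grants, group membership and direct per-user grants."""
    group_perms: dict = field(default_factory=dict)   # group -> {resource: {perm, ...}}
    members: dict = field(default_factory=dict)       # group -> {user, ...}
    user_perms: dict = field(default_factory=dict)    # user -> {resource: {perm, ...}}

    def grant_group(self, group, resource, *perms):
        """Group-based privilege: every member of the group gets these permissions."""
        self.group_perms.setdefault(group, {}).setdefault(resource, set()).update(perms)

    def grant_user(self, user, resource, *perms):
        """User-assigned privilege: a grant that exists for one account only."""
        self.user_perms.setdefault(user, {}).setdefault(resource, set()).update(perms)

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def offboard(self, user):
        """Remove a leaver from every group and drop any direct grants."""
        for users in self.members.values():
            users.discard(user)
        self.user_perms.pop(user, None)

    def effective(self, user, resource):
        """Union of direct grants and the grants of every group the user belongs to."""
        perms = set(self.user_perms.get(user, {}).get(resource, ()))
        for group, users in self.members.items():
            if user in users:
                perms |= self.group_perms.get(group, {}).get(resource, set())
        return perms


def intern_scenario():
    """The intern: one account placed in two groups inherits both groups' permissions."""
    ac = AccessControl()
    ac.grant_group("SysArchitects", "Drawings", "read")
    ac.grant_group("SysDevelopers", "Projects", "read", "comment")
    ac.add_member("SysArchitects", "intern")
    ac.add_member("SysDevelopers", "intern")
    return {
        "drawings": ac.effective("intern", "Drawings"),
        "projects": ac.effective("intern", "Projects"),
    }


def sales_turnover_scenario():
    """High turnover: a new hire needs one membership add, a leaver one removal."""
    ac = AccessControl()
    ac.grant_group("Sales", "SalesShare", "read", "write")
    ac.add_member("Sales", "alice")
    ac.add_member("Sales", "bob")               # new starter: single operation
    new_hire = ac.effective("bob", "SalesShare")
    ac.offboard("alice")                        # leaver: single operation
    leaver = ac.effective("alice", "SalesShare")
    return new_hire, leaver


if __name__ == "__main__":
    print(intern_scenario())
    print(sales_turnover_scenario())
```

The point the model makes is that with group-based privileges the per-person work is membership only; the resource grants never have to be touched when people join or leave, which is also why a user access review (option C in the intern question) is an audit activity rather than a way to grant access.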
Human Resources suspect an employee is accessing the employee salary database. The administrator is asked to find out who it is. In order to complete this task, which of the following is a security control that should be in place?
A. Shared accounts should be prohibited.
B. Account lockout should be enabled
C. Privileges should be assigned to groups rather than individuals
D. Time of day restrictions should be in use
Correct Answer: A
Since distinguishing between the actions of one person and another isn't possible if they both use a shared account, shared accounts should not be allowed. If shared accounts are in use, the administrator will find the account but have more than one suspect. To prevent this, shared accounts should be prohibited.
Incorrect Answers:
B: When a user repeatedly enters an incorrect password at logon, account lockout automatically disables their account. Repeated incorrect logon attempts are not the issue in this instance.
C: Group-based privileges assign all members of a group a privilege or access to a resource as a collective. Assigning privileges to groups won't help the administrator find the suspect.
D: Time of day restrictions limits when a specific user account can log on to the network according to the time of day. Time of day restrictions won't help the administrator find the suspect.
Several employee accounts appear to have been cracked by an attacker. Which of the following should the security administrator implement to mitigate password cracking attacks? (Select TWO).
A. Increase password complexity
B. Deploy an IDS to capture suspicious logins
C. Implement password history
D. Implement monitoring of logins
E. Implement password expiration
F. Increase password length
Correct Answer: AF
The more difficult a password is the more difficult it is to be cracked by an attacker. By increasing the password complexity you make it more difficult. Passwords that are too short can easily be cracked. The more characters used in a password, combined with the increased complexity will mitigate password cracking attacks.
Incorrect Answers:
B: IDS (intrusion detection systems) can be implemented to capture suspicious logins, but that assumes that the passwords are already cracked.
C: Password history is used to prevent users from changing their password to the same value as the old one, or to one they used recently. This might also be exploited by some crackers to break passwords, and thus it does not mitigate password attacks.
D: Monitoring the logins is part of auditing and does not mitigate the password cracking attacks.
E: Password expiration refers to the period of validity of passwords. Some crackers will even make use of these expiry periods to crack passwords.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 139-140
Question 557:
A security administrator is reviewing the below output from a password auditing tool:
P@ss. @pW1. S3cU4
Which of the following additional policies should be implemented based on the tool's output?
A. Password age
B. Password history
C. Password length
D. Password complexity
Correct Answer: C
The output shows that all the passwords are either 4 or 5 characters long. This is far too short; 8 characters is generally considered the minimum password length.
Incorrect Answers:
A: The output does not show how long the passwords have been in use.
B: The output does not show the password history.
D: The output shows that the password is indeed making use of complexity when it comes to the types of characters used.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 139-140
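To make the reasoning behind the answer mechanical, here is an added example (not code from the page or from any auditing tool) that re-checks the quoted tool output against a length rule and a character-class rule. The thresholds of 8 characters and 3 of 4 character classes are assumptions, and it is assumed that the ". " between entries is the tool's separator rather than part of the passwords.

```python
"""Re-check a password audit listing against length and complexity rules.
Constructed example: the three passwords come from the question, the thresholds
(8 characters, 3 of 4 character classes) are assumptions."""
import string

# The audit output quoted in the question. The ". " between entries is assumed
# to be the tool's separator, not part of the passwords.
TOOL_OUTPUT = "P@ss. @pW1. S3cU4"


def parse_tool_output(text):
    """Split the tool's one-line listing into individual passwords."""
    return [entry.strip().rstrip(".") for entry in text.split(". ") if entry.strip()]


def char_classes(password):
    """Which of the four character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def audit_password(password, min_length=8, min_classes=3):
    """Evaluate one password against the length and complexity rules."""
    classes = char_classes(password)
    return {
        "length": len(password),
        "length_ok": len(password) >= min_length,
        "classes": classes,
        "complexity_ok": len(classes) >= min_classes,
    }


def policies_to_add(passwords, **limits):
    """Names of the policies that at least one audited password would violate."""
    results = [audit_password(p, **limits) for p in passwords]
    gaps = set()
    if not all(r["length_ok"] for r in results):
        gaps.add("Password length")
    if not all(r["complexity_ok"] for r in results):
        gaps.add("Password complexity")
    return gaps


if __name__ == "__main__":
    for pw in parse_tool_output(TOOL_OUTPUT):
        print(pw, audit_password(pw))
    print("policies to add:", policies_to_add(parse_tool_output(TOOL_OUTPUT)))
```

Every listed password already mixes three or more character classes, so the complexity check passes for all of them while the length check fails for all of them, which is exactly the gap the answer identifies. Age and history cannot be judged from this output at all, since it contains no dates and no previous values.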
Question 558:
Which of the following is an important implementation consideration when deploying a wireless network that uses a shared password?
A. Authentication server
B. Server certificate
C. Key length
D. EAP method
Correct Answer: C
Key length is the main concern because the wireless network uses a shared password. The risks inherent in a shared password make its length a crucial factor in risk mitigation.
Incorrect Answers:
A: An authentication server is used to authenticate access points and switches on 802.1X. This is the norm.
B: Server certificates are used when authentication and trust relationships are established. This is normal.
D: The EAP (Extensible Authentication Protocol) method being used is normal.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 139-140, 158
Question 559:
A system administrator has noticed that users change their password many times to cycle back to the original password when their passwords expire. Which of the following would BEST prevent this behavior?
A. Assign users passwords based upon job role.
B. Enforce a minimum password age policy.
C. Prevent users from choosing their own passwords.
D. Increase the password expiration time frame.
Correct Answer: B
A minimum password age policy defines the period that a password must be used for before it can be changed.
Incorrect Answers:
A: Assigning users passwords based upon job role is not a secure password solution.
C: Preventing users from choosing their own passwords could make remembering passwords difficult. This could lead to a user having to record a generated password somewhere that is not secure.
D: This will cause a password to be retained for a longer period.
An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO).
A. Length of password
B. Password history
C. Minimum password age
D. Password expiration
E. Password complexity
F. Non-dictionary words
Correct Answer: BC
In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password. Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.
When a user is forced to change his password due to a maximum password age period expiring, (the question states that the network requires that the passwords be changed every six weeks) he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
Incorrect Answers:
A: The length of password determines how many characters a password must contain. It will not prevent users from changing their passwords multiple times to cycle back to their original passwords.
D: Password expiration determines how long a password can be used for before it must be changed. In this question, the password expiration is 6 weeks. Password expiration will force users to change their passwords but it will not prevent users from changing their passwords multiple times to cycle back to their original passwords.
E: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. It will not prevent users from changing their passwords multiple times to cycle back to their original passwords.
F: Non-dictionary words is a setting that determines that a password should not be a word that can be found in a dictionary. This is to prevent a "dictionary attack" where software can be used to attempt to access a system by using the words of a dictionary as the password.
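The two questions above (minimum password age, and history plus minimum age together) describe a sequence of events that is easy to simulate. The following is an added example, not code from the page or from any directory product; it models a policy with a history depth, a minimum age and a 42-day (six-week) expiration, replays the "change it six times to get back to the original" trick, and shows that history alone lets the trick succeed in one sitting while a minimum age stops it at the second change. The policy values and the sample passwords are constructed.

```python
"""Simulate how password history and minimum password age interact.
Constructed example: policy values (history 5, minimum age 30 days, expiry 42 days)
and the sample passwords are assumptions, not taken from any real system."""
from datetime import date, timedelta


class PolicyViolation(Exception):
    """Raised when a password change is refused by policy."""


class PasswordPolicy:
    def __init__(self, history=5, min_age_days=0, max_age_days=42):
        self.history = history            # previous passwords that may not be reused
        self.min_age_days = min_age_days  # days a password must stay in use
        self.max_age_days = max_age_days  # expiration: six weeks in the question


class Account:
    def __init__(self, policy, password, set_on):
        self.policy = policy
        self.passwords = [password]       # oldest first, current password last
        self.last_changed = set_on

    def change_password(self, new, today):
        """Apply the minimum-age check first, then the history check."""
        age = (today - self.last_changed).days
        if age < self.policy.min_age_days:
            raise PolicyViolation("minimum age")
        recent = self.passwords[-self.policy.history:] if self.policy.history else []
        if new in recent:
            raise PolicyViolation("history")
        self.passwords.append(new)
        self.last_changed = today


def try_cycle_back(policy, original="Original-Pa55!"):
    """Replay the trick from the question: on expiry day, change the password
    history+1 times in a row to land back on the original. Returns (success, detail)."""
    expiry_day = date(2014, 3, 1)
    set_on = expiry_day - timedelta(days=policy.max_age_days)  # password has just expired
    account = Account(policy, original, set_on)
    try:
        for i in range(policy.history):
            account.change_password(f"throwaway-{i}", expiry_day)
        account.change_password(original, expiry_day)
        return True, f"cycled back in {policy.history + 1} change(s)"
    except PolicyViolation as exc:
        return False, str(exc)


def days_to_cycle_back(policy):
    """With a minimum age in force, the shortest legal route back to the original."""
    return (policy.history + 1) * policy.min_age_days


if __name__ == "__main__":
    print(try_cycle_back(PasswordPolicy(history=5, min_age_days=0)))
    print(try_cycle_back(PasswordPolicy(history=5, min_age_days=30)))
    print(days_to_cycle_back(PasswordPolicy(history=5, min_age_days=30)), "days")
```

With history 5 and no minimum age the trick succeeds on the sixth change; with a 30-day minimum age the second change is refused, and the shortest legal route back to the original takes 180 days, well beyond the 42-day expiry. Length, complexity and non-dictionary rules never enter this simulation, which is why they do not address the behaviour in the question.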