CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 641:

  Which of the following authentication services requires the use of a ticket-granting ticket (TGT) server in order to complete the authentication process?

  A. TACACS+

  B. Secure LDAP

  C. RADIUS

  D. Kerberos

  Correct Answer: D

  The basic process of Kerberos authentication is as follows:

  The subject provides logon credentials.

  The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT--a hashed form of the subject's password with the addition

  of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client.

  The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The

  KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime.

  The client receives the ST.

  The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

  Incorrect Answers:

  A: TACACS+ makes use of Kerberos as an authentication mechanism.

  B: Lightweight Directory Access Protocol is used to allow clients to interact with directory service resources. Secure LDAP is the implementation of LDAP using security, such as protected authentication and encrypted data exchanges, specifically provided by SASL.

  C: Radius does not make use of tickets.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 270- 275.

• Question 642:

  Which of the following types of authentication packages user credentials in a ticket?

  A. Kerberos

  B. LDAP

  C. TACACS+

  D. RADIUS

  Correct Answer: A

  The basic process of Kerberos authentication is as follows:

  The subject provides logon credentials.

  The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT--a hashed form of the subject's password with the addition

  of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client.

  The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The

  KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime.

  The client receives the ST.

  The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

  Incorrect Answers:

  B: The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

  C: TACACS+ makes use of Kerberos as an authentication mechanism.

  D: Radius does not make use of tickets.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 270- 274.

• Question 643:

  In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following?

  A. Identification

  B. Authorization

  C. Authentication

  D. Multifactor authentication

  Correct Answer: C

  An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an

  authentication ticket, the client sends the ticket back to the server along with additional information verifying the client's identity. The server then issues a service ticket and a session key (which includes a form of password), completing the

  authorization process for that session.

  In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket

  remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a

  given session is complete.

  Incorrect Answers:

  A, B: The Ticket Granting Ticket (TGT) is used for authentication and not for identification or authorization.

  D: Multifactor authentication pools two or more independent credentials:

  What the user knows (password)

  What the user has (security token)

  What the user is (biometric verification).

  References:

  http://searchenterprisedesktop.techtarget.com/definition/authentication-ticket http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

• Question 644:

  Which of the following authentication services should be replaced with a more secure alternative?

  A. RADIUS

  B. TACACS

  C. TACACS+

  D. XTACACS

  Correct Answer: B

  Terminal Access Controller Access-Control System (TACACS) is less secure than XTACACS, which is a proprietary extension of TACACS, and less secure than TACACS+, which replaced TACACS and XTACACS.

  Incorrect Answers:

  A, C: TACACS+ and RADIUS have mostly replaced TACACS and XTACACS in modern networks.

  D: XTACACS is a proprietary extension of TACACS.

  References: http://en.wikipedia.org/wiki/TACACS

• Question 645:

  Which of the following protocols uses TCP instead of UDP and is incompatible with all previous versions?

  A. TACACS

  B. XTACACS

  C. RADIUS

  D. TACACS+

  Correct Answer: D

  TACACS+ is not compatible with TACACS and XTACACS, and makes use of TCP.

  Incorrect Answers:

  A, B: TACACS and XTACACS make use of TCP and UDP.

  C: RADIUS makes use of UDP.

  References: http://en.wikipedia.org/wiki/TACACS

• Question 646:

  Which of the following services are used to support authentication services for several local devices from a central location without the use of tokens?

  A. TACACS+

  B. Smartcards

  C. Biometrics

  D. Kerberos

  Correct Answer: A

  ACACS allows a client to accept a username and password and send a query to a TACACS authentication server. It would determine whether to accept or deny the authentication request and send a response back. The TIP would then allow access or not based upon the response, not tokens.

  Incorrect Answers:

  B: Smartcards are also known as identity tokens containing integrated circuits.

  C: Biometrics is used for user authentication, not device authentication.

  D: Kerberos uses tickets, which lists the privileges of that user, much like a token.

  References:

  http://en.wikipedia.org/wiki/TACACS

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 275, 282, 285. Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 148.

• Question 647:

  A security administrator has been tasked to ensure access to all network equipment is controlled by a central server such as TACACS+. This type of implementation supports which of the following risk mitigation strategies?

  A. User rights and permissions review

  B. Change management

  C. Data loss prevention

  D. Implement procedures to prevent data theft

  Correct Answer: A

  Terminal Access Controller Access-Control System (TACACS, and variations like XTACACS and TACACS+) is a client/server-oriented environment, and it operates in a manner similar to RADIUS. Furthermore TACACS+ allows for credential to be accepted from multiple methods. Thus you can perform user rights and permission reviews with TACACS+.

  Incorrect Answers:

  B: Change management is the structured approach that is followed to secure a company's assets and not a risk mitigation strategy.

  C: Data loss prevention systems are used mainly to monitor the contents of systems and to make sure that key content is not deleted or removed.

  D: Data theft prevention is similar to data loss prevention systems.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 9-10, 146

• Question 648:

  Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches?

  A. DIAMETER

  B. RADIUS

  C. TACACS+

  D. Kerberos

  Correct Answer: C

  TACACS+ is an authentication, authorization, and accounting (AAA) service that makes us of TCP only. Incorrect Answers:

  A: DIAMETER makes use of TCP, as well as SCTP.

  B: RADIUS makes use of UDP.

  D: Kerberos is not an authentication and accounting service, but an authentication protocol.

  References: http://en.wikipedia.org/wiki/TACACS http://en.wikipedia.org/wiki/Diameter_(protocol) http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/Kerberos_(protocol)

• Question 649:

  A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted?

  A. RADIUS

  B. TACACS+

  C. Kerberos

  D. LDAP

  Correct Answer: B

  TACACS makes use of TCP port 49 by default.

  Incorrect Answers:

  A: RADIUS makes use of UDP only.

  C, D: Kerberos and LDAP do not make use of TCP port 49.

  References: http://en.wikipedia.org/wiki/TACACS http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• Question 650:

  Which of the following is mainly used for remote access into the network?

  A. XTACACS

  B. TACACS+

  C. Kerberos

  D. RADIUS

  Correct Answer: D

  Most gateways that control access to the network have a RADIUS client component that communicates with the RADIUS server. Therefore, it can be inferred that RADIUS is primarily used for remote access.

  Incorrect Answers:

  A: XTACACS has been replaced by RADIUS and TACACS+.

  B: The separate components of the TACACS+ protocol is segregated and handled on different servers, whereas the RADIUS protocol is centralized. This means that not only TACACS+ is used by the TACACS+ protocol for remote access.

  C: Kerberos is primarily used for the protection for logon credentials.

  References: http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/TACACS http://en.wikipedia.org/wiki/Kerberos_(protocol)