Company XYZ provides cable television services to several regional areas. They are currently installing fiber-to-the-home in many areas with hopes of also providing telephone and Internet services. The telephone and Internet services portions of the company will each be separate subsidiaries of the parent company. The board of directors wishes to keep the subsidiaries separate from the parent company. However all three companies must share customer data for the purposes of accounting, billing, and customer authentication. The solution must use open standards, and be simple and seamless for customers, while only sharing minimal data between the companies. Which of the following solutions is BEST suited for this scenario?
A. The companies should federate, with the parent becoming the SP, and the subsidiaries becoming an IdP.
B. The companies should federate, with the parent becoming the IdP, and the subsidiaries becoming an SSP.
C. The companies should federate, with the parent becoming the IdP, and the subsidiaries becoming an SP.
D. The companies should federate, with the parent becoming the ASP, and the subsidiaries becoming an IdP.
Correct Answer: C
The question states that "all three companies must share customer data for the purposes of accounting, billing, and customer authentication". The simplest solution is a federated solution. In a federated solution, you have a single authentication provider.
In this question, the parent company should be the authentication provider. The authentication provider is known as the IdP (Identity Provider). The IdP is the partner in a federation that creates security tokens for users. The other two subsidiaries, the telephone and Internet services providers, will be the SPs (Service Providers). The SP is the partner in a federation that consumes security tokens for providing access to applications.
Question 12:
Two universities are making their 802.11n wireless networks available to the other university's students. The infrastructure will pass the student's credentials back to the home school for authentication via the Internet.
The requirements are:
Mutual authentication of clients and authentication server
The design should not limit connection speeds
Authentication must be delegated to the home school
No passwords should be sent unencrypted
The following design was implemented:
WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security
RADIUS proxy servers will be used to forward authentication requests to the home school
The RADIUS servers will have certificates from a common public certificate authority
A strong shared secret will be used for RADIUS server authentication
Which of the following security considerations should be added to the design?
A. The transport layer between the RADIUS servers should be secured
B. WPA Enterprise should be used to decrease the network overhead
C. The RADIUS servers should have local accounts for the visiting students
D. Students should be given certificates to use for authentication to the network
Correct Answer: A
One of the requirements in this question states, "No passwords should be sent unencrypted". The design that was implemented makes no provision for the encryption of passwords as they are sent between RADIUS servers. The local RADIUS servers will pass the student's credentials back to the home school RADIUS servers for authentication via the Internet. When passing sensitive data such as usernames and passwords over the internet, the data should be sent over a secure connection. We can secure the transport layer between the RADIUS servers by implementing TLS (Transport Layer Security). Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
Question 13:
A system administrator needs to meet the maximum amount of security goals for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names and infrastructure. Which of the following security goals does this meet? (Select TWO).
A. Availability
B. Authentication
C. Integrity
D. Confidentiality
E. Encryption
Correct Answer: BC
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System. The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. It is a set of extensions to DNS, which provide to DNS clients (resolvers): origin authentication of DNS data, data integrity (but not availability or confidentiality), and authenticated denial of existence.
All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS.
Question 14:
A port in a fibre channel switch failed, causing a costly downtime on the company's primary website. Which of the following is the MOST likely cause of the downtime?
A. The web server iSCSI initiator was down.
B. The web server was not multipathed.
C. The SAN snapshots were not up-to-date.
D. The SAN replication to the backup site failed.
Correct Answer: B
In this question, we only have one path to the Fibre Channel storage that provides the storage for the company website. The path failed due to a switch port failure so the storage was unavailable. We can prevent this happening by configuring multiple paths to the storage. If one path fails, other paths are used.
In computer storage, multipath I/O is a fault-tolerance and performance-enhancement technique that defines more than one physical path between the CPU in a computer system and its mass-storage devices through the buses, controllers, switches, and bridge devices connecting them.
As an example, a SCSI hard disk drive may connect to two SCSI controllers on the same computer, or a disk may connect to two Fibre Channel ports. Should one controller, port or switch fail, the operating system can route the I/O through the remaining controller, port or switch transparently and with no changes visible to the applications.
Question 15:
Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two factor authentication using TOTP. The system administrators have configured a trust relationship between the authentication backend to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete?
A. They should logon to the system using the username concatenated with the 6-digit code and their original password.
B. They should logon to the system using the newly assigned global username: first.lastname#### where #### is the second factor code.
C. They should use the username format: LAN\first.lastname together with their original password and the next 6-digit code displayed when the token button is depressed.
D. They should use the username format: first.lastname@company.com, together with a password and their 6-digit code.
Correct Answer: D
The two companies use Active Directory domains for the authentication (plus the TOTP second factor). The system administrators have configured a trust relationship between the authentication backends. This trust relationship will be an external Active Directory forest/domain trust. With this trust relationship, the AD domain controllers in one domain `trust' the AD domain controllers in the other domain to perform the authentication. We just need a way of telling the domain controllers which domain the user is from so the authentication can be passed to the appropriate domain controllers. We can do this by logging on with the username format: first.lastname@company.com. The `@company.com' part of the username will tell the domain controllers whether the user account is in the local domain or in the other (trusted) domain. Now that the domain login has been passed to a domain controller in the appropriate domain, the user can complete the authentication by entering their password and their TOTP 6-digit code.
Question 16:
Which of the following BEST constitutes the basis for protecting VMs from attacks from other VMs hosted on the same physical platform?
A. Aggressive patch management on the host and guest OSs.
B. Host based IDS sensors on all guest OSs.
C. Different antivirus solutions between the host and guest OSs.
D. Unique Network Interface Card (NIC) assignment per guest OS.
Correct Answer: A
This question is asking "Which of the following BEST constitutes the basis for protecting VMs from attacks from other VMs hosted on the same physical platform?" In other words, what is the primary method of protecting VMs?
The first thing we should do to protect the VMs is to ensure that the guest OSes are patched and ensure that the host is patched. The host provides the virtualization software to enable the running of the virtual machines. Any flaws in the virtualization software that affect the VM separation, enabling an attack between VMs running on the host, would hopefully be fixed by the virtualization software vendor in a patch. The most important step and therefore "the basis" for protecting VMs would be aggressive patch management.
Question 17:
After reviewing a company's NAS configuration and file system access logs, the auditor is advising the security administrator to implement additional security controls on the NFS export. The security administrator decides to remove the no_root_squash directive from the export and add the nosuid directive. Which of the following is true about the security controls implemented by the security administrator?
A. The newly implemented security controls are in place to ensure that NFS encryption can only be controlled by the root user.
B. Removing the no_root_squash directive grants the root user remote NFS read/write access to important files owned by root on the NAS.
C. Users with root access on remote NFS client computers can always use the SU command to modify other user's files on the NAS.
D. Adding the nosuid directive disables regular users from accessing files owned by the root user over NFS even after using the SU command.
Correct Answer: C
If a user has root access, the user can log in with a non-root account and then use the SU (Switch User) command to perform functions that require root access, such as modifying other users' files on the NAS.
By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, all root-created files are owned by nfsnobody, which prevents uploading of programs with the setuid bit set. If no_root_squash is used, remote root users are able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute.
Some Unix programs are called "suid" programs: they set the id of the person running them to whoever is the owner of the file. If a file is owned by root and is suid, then the program will execute as root, so that it can perform operations that only root is allowed to do. Using the nosuid option is a good idea and you should consider using this with all NFS mounted disks. It means that the server's root user cannot make a suid-root program on the file system, log in to the client as a normal user and then use the suid-root program to become root on the client too.
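As an added illustration of the two controls discussed above (this is example code written for this page, not from any NAS vendor), the script below audits constructed /etc/exports and /etc/fstab content: it flags exports that carry no_root_squash, flags NFS mounts that lack nosuid, and produces the corrected export line. The sample paths, hosts and client networks are made up.

```python
"""Audit NFS export/mount options for root squashing and nosuid.

Sample configuration below is constructed for this example; the
paths and addresses do not refer to any real system.
"""
import re

# Constructed sample server-side /etc/exports content.
SAMPLE_EXPORTS = """\
# NAS exports (constructed example)
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/srv/home    10.0.0.0/24(rw,sync,root_squash)
/srv/public  *(ro,sync)
"""

# Constructed sample client-side /etc/fstab content.
SAMPLE_FSTAB = """\
nas:/srv/share  /mnt/share  nfs  rw,hard,intr         0 0
nas:/srv/home   /mnt/home   nfs  rw,hard,nosuid,nodev 0 0
/dev/sda1       /           ext4 defaults             0 1
"""

def audit_exports(text):
    """Return (path, client, issue) tuples for exports with no_root_squash.
    Linux exportfs squashes root by default, so only the explicit
    no_root_squash option is flagged."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, rest = line.split(None, 1)
        # One export line may list several client(options) groups.
        for m in re.finditer(r"(\S+?)\(([^)]*)\)", rest):
            client, opts = m.group(1), {o.strip() for o in m.group(2).split(",")}
            if "no_root_squash" in opts:
                findings.append((path, client,
                                 "remote root keeps uid 0 on the NAS"))
    return findings

def harden_export_line(line):
    """Replace no_root_squash with root_squash on a single export line."""
    return re.sub(r"\bno_root_squash\b", "root_squash", line)

def audit_fstab(text):
    """Return (mountpoint, issue) tuples for NFS mounts lacking nosuid."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        if "nosuid" not in set(fields[3].split(",")):
            findings.append((fields[1], "setuid binaries on the share would run as their owner"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS) + audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Run against real files by reading /etc/exports on the NAS and /etc/fstab on each client in place of the embedded samples.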
Question 18:
A software developer and IT administrator are focused on implementing security in the organization to protect OSI layer 7. Which of the following security technologies would BEST meet their requirements? (Select TWO).
A. NIPS
B. HSM
C. HIPS
D. NIDS
E. WAF
Correct Answer: CE
OSI layer 7 is the application layer. To protect layer 7, we need to use application aware security devices such as Host-based Intrusion Prevention Systems (HIPS) or Web Application Firewalls (WAFs). An IPS generally sits in-line and watches network traffic as the packets flow through it. It acts similarly to an Intrusion Detection System (IDS) by trying to match data in the packets against a signature database or detect anomalies against what is pre-defined as "normal" traffic. In addition to its IDS functionality, an IPS can do more than log and alert. It can be programmed to react to what it detects. The ability to react to the detections is what makes IPSs more desirable than IDSs. There are still some drawbacks to an IPS. IPSs are designed to block certain types of traffic that it can identify as potentially bad traffic. IPSs do not have the ability to understand web application protocol logic. Hence, IPSs cannot fully distinguish if a request is normal or malformed at the application layer (OSI Layer 7). Host IPSs (HIPS) are a little more granular than network IPSs (NIPS). HIPS can monitor the application layer (OSI Layer 7), a little closer to the logic delivered to the web application. But HIPS still lacks some understanding of web application languages and logic. In response to these shortcomings, we are presented the Web Application Firewall. WAFs are designed to protect web applications/servers from web-based attacks that IPSs cannot prevent. In the same regards as an IPS, WAFs can be network or host based. They sit in-line and monitor traffic to and from web applications/servers. Basically, the difference is in the level of ability to analyze the Layer 7 web application logic.
Question 19:
An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the third-party? (Select TWO).
A. LDAP/S
B. SAML
C. NTLM
D. OAUTH
E. Kerberos
Correct Answer: BE
If we're using Active Directory Federated Services, then we are using Active Directory Domain Services (AD DS). AD DS uses Kerberos for authentication. Active Directory Federated Services provides SAML services. AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
Question 20:
A company is trying to decide how to manage hosts in a branch location connected via a slow WAN link. The company desires to provide the same level of performance and functionality to the branch office as it provides to the main campus. The company uses Active Directory for its directory service and host configuration management. The branch location does not have a datacenter, and the physical security posture of the building is weak. Which of the following designs is MOST appropriate for this scenario?
A. Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust.
B. Deploy a corporate Read-Only Domain Controller to the branch location.
C. Deploy a corporate Domain Controller in the DMZ at the main campus.
D. Deploy a branch location Read-Only Domain Controller to the branch office location with a one-way trust.
E. Deploy a corporate Domain Controller to the branch location.
F. Deploy a branch location Domain Controller to the branch location with a one-way trust.
Correct Answer: B
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database. Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network