Access Control Flashcards
A network administrator must grant the appropriate network permissions to a new employee. Which of the following is the best strategy?
Give the new employee user account the necessary rights and permissions.
Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.
Ask the new employee what network rights she would like.
Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.
The best strategy for assigning rights and permissions is to add users to groups. Working with rights and permissions for individual users becomes unmanageable beyond a small number of users. New employees can then simply be added to the appropriate group to acquire the needed access to network resources.
In securing your network, you enforce complex user passwords. Users express concern about forgetting their passwords. What should you configure to allay those concerns?
Password expiration
Periodic password change
Password hints
Password hints
Password hints can help a user remember a password without revealing the actual password.
To give a contractor network access, a network administrator adds the contractor account to the Windows Administrators group. Which security principle does this violate?
Separation of duties
Least privilege
Job rotation
Least privilege
The least privilege principle states that users should be given only the rights needed to perform their duties and nothing more. Adding a contractor to the Administrators group grants too much privilege to the contractor.
James is the branch network administrator for ABC, Inc. Recently the company headquarters requested a network security audit, so James performed an audit himself using freely available Linux tools. What is the problem with James’s actions?
The chief security officer should have conducted the audit.
Freely available tools are not reliable and should not have been used.
A third party should have been hired to conduct the audit.
A third party should have been hired to conduct the audit.
No one person should have control of implementing, maintaining, and auditing an IT infrastructure—this violates the separation of duties principle and presents a conflict of interest.
A secure computing environment labels data with various security classifications. Authenticated users must have clearance to read this classified data. What type of access control model is this?
Mandatory access control
Discretionary access control
Role-based access control
Mandatory access control
Mandatory access control (MAC) models can use security labels to classify data. These labels are then compared to a user’s sensitivity level to determine whether access is allowed.
To ease giving access to network resources for employees, you decide there must be an easier way than granting users individual access to files, printers, computers, and applications. What security model should you consider using?
Mandatory access control
Discretionary access control
Role-based access control
Role-based access control
Role-based access control (RBAC) would enable you to group access privileges for files, printers, computers, and applications into a single entity (a role). Users needing these rights are then simply added as occupants of the appropriate role.
Linda creates a folder called Budget Projections in her home account and shares it with colleagues in her department. Which of the following best describes this type of access control system?
Mandatory access control
Discretionary access control
Role-based access control
Discretionary access control
Discretionary access control enables the data owner—in this case, Linda—to grant other people access to the data.
You require that users not be logged on to the network after 6 p.m. while you analyze network traffic during nonbusiness hours. What should you do?
Unplug their stations from the network.
Tell users to press ctrl-alt-del to lock their stations.
Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.
Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.
Network operating systems (NOSs) can control when users can and cannot log on, as well as end existing logon sessions based on time of day.
One of your users, Matthias, is taking a three-month sabbatical because of a medical condition, after which he will return to work. What should you do with Matthias’s user account?
Delete the account and re-create it when he returns.
Disable the account and enable it when he returns.
Export his account properties to a text file for later import and then delete it.
Disable the account and enable it when he returns.
Disabling his account will prevent anyone from logging on with the account but will preserve all of the account settings. When he returns, you can simply enable the account.
During an IT security meeting, the topic of account lockout surfaces. When you suggest all user accounts be locked for 30 minutes after three incorrect logon attempts, your colleague Phil states that this is a serious problem when applied to administrative accounts. What types of issues might Phil be referring to?
Dictionary attacks could break into administrative accounts.
Administrative accounts are placed into administrative groups.
DoS attacks could render administrative accounts unusable.
DoS attacks could render administrative accounts unusable.
Denial-of-service (DoS) attacks render a legitimate network service unusable. Attempting three incorrect logon attempts every half hour against privileged administrative accounts would effectively keep those accounts locked, thus preventing legitimate use of those accounts.
Your VPN appliance is configured to disallow user authentication unless the user or group is listed as allowed. Regarding blocked users, what best describes this configuration?
Implicit allow
Implicit deny
Explicit allow
Implicit deny
Implicit denial means all are denied unless specifically allowed; there are no specific listings of users or computers that are denied.
Margaret is the head of Human Resources for Emrom, Inc. An employee does not want to use his annual vacation allotment, but Margaret insists it is mandatory. What IT benefit is derived from mandatory vacations?
Irregularities in job duties can be noticed when another employee fills that role.
Users feel recharged after time off.
Emrom, Inc., will not be guilty of labor violations.
Irregularities in job duties can be noticed when another employee fills that role.
It is easy for another employee to spot inconsistencies or irregularities when someone is on vacation.
What type of attack is mitigated by strong, complex passwords?
DoS
Dictionary
Brute force
Dictionary
Stronger passwords make it more difficult for dictionary password attacks to succeed. A stronger password is a minimum of eight characters, where those characters might be a combination of uppercase letters, lowercase letters, symbols, and numerals.
A government contract requires your computers to adhere to mandatory access control methods and multilevel security. What should you do to remain compliant with this contract?
Patch your current operating system.
Purchase new network hardware.
Use a trusted OS.
Use a trusted OS.
A trusted OS uses a secured OS kernel that supports mandatory access control (MAC), which applies security centrally to adhere to security policies. This type of OS is considered too strict for general use and is typically applicable only in high-security environments.
Which term is best defined as an object’s list of users, groups, processes, and their permissions?
ACE
ACL
Active Directory
ACL
Access control lists (ACLs) detail which users, groups, or processes have permissions to an object, such as a file or folder.