Chapter 9 - Access Control Methods and Models Flashcards

1
Q
Which of the following is the strongest password?
A. |ocrian#
B. Marqu1sD3S0d
C. This1sV#ryS3cure
D. Thisisverysecure
A

C. Answer C incorporates case-sensitive letters, numbers, and special characters and is 16 characters long. The other answers do not have the complexity of answer C.

2
Q
Which of these is a security component of Windows 7?
A. UAC
B. UPS
C. Gadgets
D. Control Panel
A

A. User Account Control (UAC) adds a layer of security to Windows Server 2008, Windows 7, and Windows Vista to protect against malware and user error and conserve resources. It enforces a type of separation of duties.

3
Q
What key combination helps to secure the logon process?
A. Windows+R
B. Ctrl+Shift+Esc
C. Ctrl+Alt+Del
D. Alt+F4
A

C. Ctrl+Alt+Del is the key combination used to help secure the logon process. It can be added by configuring the Local Security policy.

4
Q
Which of the following is the most common authentication model?
A. Username and password
B. Biometrics
C. Key cards
D. Tokens
A

A. By far the username and password combination is the most common authentication model. Although biometrics, key cards, and tokens are also used, the password is still the most common.

5
Q
Which of the following access control methods uses rules to govern whether object access will be allowed? (Select the best answer.)
A. Rule-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control
A

A. Rule-based access control uses rules to govern whether an object can be accessed. It is a type of mandatory access control.

6
Q
When using the mandatory access control model, what component is needed?
A. Labels
B. Certificates
C. Tokens
D. RBAC
A

A. Labels are required in the mandatory access control model (MAC).

7
Q

Which of the following statements regarding the MAC access control model is true?
A. Mandatory access control is a dynamic model.
B. Mandatory access control enables an owner to establish access privileges to a resource.
C. Mandatory access control is not restrictive.
D. Mandatory access control users cannot share resources dynamically.

A

D. In MAC (mandatory access control) users cannot share resources dynamically. MAC is not a dynamic model; it is a static model. Owners cannot establish access privileges to a resource; this would be done by the administrator. MAC is indeed very restrictive, as restrictive as the administrator wants it to be.

8
Q
In the DAC model, how are permissions identified?
A. Role membership.
B. Access control lists.
C. They are predefined.
D. It is automatic.
A

B. In the discretionary access control model, permissions to files are identified by access control lists or ACLs. Role membership is used in RBAC. The mandatory access control model predefines permissions. Either way, it is not identified automatically.

9
Q
Robert needs to access a resource. In the DAC model, what is used to identify him or other users?
A. Roles
B. ACLs
C. MAC
D. Rules
A

B. Access control lists (ACLs) are used in the Discretionary Access Control model. This is different from role-based, rule-based, and MAC (Mandatory Access Control) models.

10
Q

A company has a high attrition rate. What should you ask the network administrator to do first? (Select the best answer.)
A. Review user permissions and access control lists.
B. Review group policies.
C. Review Performance logs.
D. Review the Application log.

A

A. The first thing administrators should do when they notice that the company has a high attrition rate (high turnover of employees) is to conduct a thorough review of user permissions, rights, and access control lists. A review of group policies might also be necessary but is not as imperative. Performance logs and the Application log will probably not pertain to the fact that the company has a lot of employees being hired and leaving the company.

11
Q
Your company has 1,000 users. Which of the following password management systems will work best for your company?
A. Multiple access methods
B. Synchronize passwords
C. Historical passwords
D. Self-service password resetting
A

D. It would be difficult for administrators to deal with thousands of users' passwords; therefore, the best management system for a company with 1,000 users would be self-service password resetting.

12
Q
In a discretionary access control model, who is in charge of setting permissions to a resource?
A. The owner of the resource
B. The administrator
C. Any user of the computer
D. The administrator and the owner
A

A. In the discretionary access control model (DAC), the owner of the resource is in charge of setting permissions. In a mandatory access control model, the administrator is in charge.

13
Q
Jason needs to add several users to a group. Which of the following will help him to get the job done faster?
A. Propagation
B. Inheritance
C. Template
D. Access control lists
A

C. By using a template, you can add many users to a group at once simply by applying the template to the users. Propagation and inheritance deal with how permissions are passed between parent folders and subfolders. Access control lists show who is allowed access to a particular resource.

14
Q
How are permissions defined in the mandatory access control model?
A. Access control lists
B. User roles
C. Defined by the user
D. Predefined access privileges
A

D. The mandatory access control model uses predefined access privileges to define which users have permission to resources.

15
Q

Which of the following would lower the level of password security?
A. After a set number of failed attempts, the server will lock the user out, forcing her to call the administrator to reenable her account.
B. Passwords must be greater than eight characters and contain at least one special character.
C. All passwords are set to expire after 30 days.
D. Complex passwords that users cannot change are randomly generated by the administrator.

A

D. To have a secure password scheme, passwords should be changed by the user. They should not be generated by the administrator. If an administrator were to generate the password for the user, it would have to be submitted in written (and unencrypted) form in some way to the user. This creates a security issue, especially if the user does not memorize the password and leaves a written version of it lying around. All the other answers would increase the level of password security.

16
Q
Of the following access control models, which use object labels? (Select the best answer.)
A. Discretionary access control
B. Role-based access control
C. Rule-based access control
D. Mandatory access control
A

D. The mandatory access control (MAC) model uses object and subject labels. DAC and RBAC (role-based access control) do not. Rule-based access control is a portion of MAC, and although it might use labels, MAC is the best answer.

17
Q
Which of the following methods could identify when an unauthorized access has occurred?
A. Two-factor authentication
B. Session termination
C. Previous logon notification
D. Session lock
A

C. Previous logon notification can identify whether unauthorized access has occurred. Two-factor authentication means that a person will supply two forms of identification before being authenticated to a network or system. Session termination is a mechanism that can be implemented to end an unauthorized access. Session lock mechanisms can be employed to lock a particular user or IP address out of the system.

18
Q
What would you use to control the traffic that is allowed in or out of a network? (Select the best answer.)
A. Access control lists
B. Firewall
C. Address resolution protocol
D. Discretionary access control
A

A. Access control lists can be used to control the traffic that is allowed in or out of a network. They are usually included as part of a firewall, and they are the better answer because they specifically will control the traffic. Address resolution protocol or ARP resolves IP addresses to MAC addresses. In the discretionary access control model, the owner controls permissions of resources.

19
Q
In an attempt to detect fraud and defend against it, your company cross-trains people in each department. What is this an example of?
A. Separation of duties
B. Chain of custody
C. Job rotation
D. Least privilege
A

C. When a company cross-trains people, it is known as job rotation. Separation of duties is in a way the opposite; this is when multiple people are needed to complete a single task. Chain of custody has to do with the legal paper trail of a particular occurrence. Least privilege is a mitigation technique to defend against privilege escalation attacks.

20
Q

What is a definition of implicit deny?
A. Everything is denied by default.
B. All traffic from one network to another is denied.
C. ACLs are used to secure the firewall.
D. Resources that are not given access are denied by default.

A

D. If a resource is not given specific access, it will be implicitly denied by default. Access control lists are used to permit or deny access from one network to another and are often implemented on a firewall.

21
Q
In an environment where administrators, the accounting department, and the marketing department all have different levels of access, which of the following access control models is being used?
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Discretionary access control (DAC)
D. Rule-based access control (RBAC)
A

A. Role-based access control is when different groups or roles are assigned different levels of permissions; rights and permissions are based on job function. In the mandatory access control model, an administrator centrally controls permissions. In the discretionary access control model, the owner of the resource sets permissions. In the rule-based access control model, rules are defined by the administrator and are stored in an ACL.

22
Q
Which security measure should be included when implementing access control?
A. Disabling SSID broadcast
B. Time-of-day restrictions
C. Changing default passwords
D. Password complexity requirements
A

D. By implementing password complexity requirements, users will be forced to select and enter complex passwords, for example, eight characters or more, uppercase characters, special characters, and more. Disabling the SSID deals with wireless networks, time-of-day restrictions are applied only after persons log in with their username and password, and changing default passwords should be part of a password policy.

23
Q

Which password management system best provides for a system with a large number of users?
A. Locally saved passwords management systems
B. Synchronized passwords management systems
C. Multiple access methods management systems
D. Self-service password reset management systems

A

D. If a network has a large number of users, the administrator should set up a system, and policies to enforce it, that allows users to reset their own passwords. The passwords should be stored centrally, not locally. Also, it would be best if single sign-on were implemented rather than a multiple access method.

24
Q
You administer a bulletin board system for a rock and roll band. While reviewing logs for the board, you see one particular IP address posting spam multiple times per day. What is the best way to prevent this type of problem?
A. Block the IP address of the user.
B. Ban the user.
C. Disable ActiveX.
D. Implement CAPTCHA.
A

D. By implementing CAPTCHA, another level of security is added that users have to complete before they can register to and/or post to a bulletin board. Although banning a user or the user’s IP address can help to eliminate that particular person from spamming the site, the best way is to add another level of security, such as CAPTCHA. This applies to all persons who attempt to attack the bulletin board.

25
Q
Your organization has enacted a policy where employees are required to create passwords with at least 15 characters. What type of policy does this define?
A. Password length
B. Password expiration
C. Minimum password age
D. Password complexity
A

A. Password length is the policy that deals with how many characters are in a password. Password expiration and minimum (and maximum) password age define how long a password will be valid. Password complexity defines whether the password should have uppercase letters, numbers, and special characters.

26
Q
Users are required to change their passwords every 30 days. Which policy should be configured?
A. Password length
B. Password recovery
C. Password expiration
D. Account lockout
A

C. The password expiration policy should be configured. For example, in Windows, the maximum password age policy should be set to 30 days. Password length deals with how many characters are in the password. Password recovery defines how (and if) a user can get back his password or create a new one. Account lockout policies dictate how many times the user has to type a password incorrectly to be locked out of the system, and for how long the user will remain locked out.