Lesson 5: Managing Windows Networking Flashcards

1
Q

Adapter card that provides one or more Ethernet ports for connecting hosts to a network so that they can exchange data over a link.

A

network interface card (NIC)

2
Q

Number of bits applied to an IP address to mask the network ID portion from the host/interface ID portion.

A

subnet mask

3
Q

A unique number that identifies a device on a network, like a computer or phone. It helps devices find and communicate with each other over the internet.

A

Internet Protocol (IP)

4
Q

Service that maps fully qualified domain name labels to IP addresses on most TCP/IP networks, including the Internet.

A

Domain Name System (DNS)

5
Q

Protocol used to automatically assign IP addressing information to hosts that have not been configured manually.

A

Dynamic Host Configuration Protocol (DHCP)

6
Q

Windows feature that categorizes network profile as public or private. Each profile can have a different firewall configuration, with public network types being more restricted, by default.

A

Network Location Awareness (NLA)

7
Q

Secure tunnel created between two endpoints connected via an unsecure transport network (typically the Internet).

A

Virtual Private Network (VPN)

8
Q

Network covering a large area using wireless technologies, such as a cellular radio data network or line-of-sight microwave transmission.

A

Wireless Wide Area Network (WWAN)

9
Q

Windows feature for indicating that network data transfer is billable and for setting warnings and caps to avoid unexpected charges from the provider.

A

metered

10
Q

Server that mediates the communications between a client and another server. It can filter and often modify communications as well as provide caching services to improve performance.

A

proxy server

11
Q

True or false? Windows Defender Firewall can be disabled.

A

True.
It is not usually a good idea to do so, but it can be disabled via Security Center or the Control Panel applet.

12
Q

You are assisting another user who is trying to configure a static IP on a Windows workstation. The user says that 255.255.255.0 is not being accepted in the prefix length box. Should the user open a different dialog to complete the configuration or enter a different value?

A

The user should enter a different value: 24.

The Network & Internet settings Edit IP settings dialog can be used. 255.255.255.0 is the subnet mask in dotted decimal format. The dialog just requires the number of mask bits. Each “255” in a dotted decimal mask represents 8 bits.

13
Q

You are assisting a user with configuring a static IP address. The user has entered the following configuration values and now cannot access the Internet. Is there a configuration issue or a different problem?

IP: 192.168.1.1
Mask: 255.255.255.0
Gateway: 192.168.1.0
DNS: 192.168.1.0

A

There is a configuration problem. 192.168.1.0 is not a host address. With the subnet mask 255.255.255.0, it identifies the network range as 192.168.1.0/24. The gateway is usually configured as the first available host address in this range: 192.168.1.1. The DNS server should also be set to 192.168.1.1. The client IP should be set to any other available value, such as 192.168.1.100.

14
Q

You are supporting a user who has just replaced a wireless router. The user has joined the new wireless network successfully but can no longer find other computers on the network. What should you check first?

A

Use Network & Internet to check the network profile type. When the network changed, the user probably selected the wrong option at the prompt to allow the PC to be discoverable, and the profile is probably set to Public. Change the type to Private.

15
Q

You need to set up a VPN connection on a user’s Windows laptop. The VPN type is IKEv2. What other information, if any, do you need to configure the connection?

A

You also need either the fully qualified domain name (FQDN) or the IP address of the remote access VPN server.

16
Q

Command tool used to gather information about the IP configuration of a Windows host.

A

ipconfig command

17
Q

Cross-platform command tool for testing IP packet transmission.

A

ping command

18
Q

Diagnostic utilities that trace the route taken by a packet as it “hops” to the destination host on a remote network. tracert is the Windows implementation, while traceroute runs on Linux.

A

tracert command

19
Q

Windows utility for measuring latency and packet loss across an internetwork.

A

pathping command

20
Q

What are the 3 main areas where network services fail?

A

1) Security
2) Name resolution
3) Application/OS

21
Q

Cross-platform command tool for querying DNS resource records.

A

nslookup command

22
Q

Cross-platform command tool to show network information on a machine running TCP/IP, notably active connections, and the routing table.

A

netstat command

23
Q

A DHCP server has been reconfigured to use a new network address scheme following a network problem. What command would you use to refresh the IP configuration on Windows client workstations?

A

ipconfig /renew

24
Q

You are pinging a host at 192.168.0.99 from a host at 192.168.0.200. The response is “Reply from 192.168.0.200: Destination host unreachable.” The hosts use the subnet mask 255.255.255.0. Does the ping output indicate a problem with the default gateway?

A

No. The hosts are on the same IP network (192.168.0.0/24). This means that 192.168.0.200 does not try to use a router (the gateway) to send the probes. 192.168.0.200 uses address resolution protocol (ARP) to find the host with the IP 192.168.0.99. The host unreachable message indicates that there was no response, but the problem will be an issue such as the host being disconnected from the network or configured to block discovery rather than a gateway issue.

25
Q

You are checking that a remote Windows workstation will be able to dial into a web conference with good quality audio/video. What is the best tool to use to measure latency between the workstation’s network and the web conferencing server?

A

pathping measures latency over a longer period and so will return a more accurate measurement than the individual round trip time (RTT) values returned by ping or tracert.

26
Q

A computer cannot connect to the network. The machine is configured to obtain a TCP/IP configuration automatically. You use ipconfig to determine the IP address and it returns 0.0.0.0. What does this tell you?

A

This is an irregular state for a Windows PC. If a DHCP server cannot be contacted, the machine should default to using an APIPA address (169.254.x.y). As it has not done this, something is wrong with the networking software installed on the machine. The best option is probably to perform a network reset via the Settings > Network & Internet > Status page.

27
Q

Collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).

A

Access Control List (ACL)

28
Q

Basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

A

Implicit Deny

29
Q

Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

A

Least Privilege

30
Q

User account that can be authenticated again and allocated permissions for the computer that hosts the account only.

A

A local account

31
Q

Access control feature that allows permissions to be allocated to multiple users more efficiently.

A

A security group

32
Q

Privileged user account that has been granted memberships of the Administrators security group. There is also an account named Administrator, but this is usually disabled by default.

A

Administrators

33
Q

Non-privileged user account in Windows that typically has membership of the Users security group only.

A

standard account

34
Q

Non-privileged account that is permitted to access the computer/network without authenticating.

A

Guest

35
Q

One of the default Windows group accounts. Its use is deprecated, but it is still included with Windows to support legacy applications.

A

Power Users

36
Q

Windows feature designed to mitigate abuse of administrative accounts by requiring explicit consent to use privileges.

A

User Account Control (UAC)

37
Q

Authentication scheme that requires the user to present at least two different factors as credentials; for example, something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

A

MFA (multi-factor authentication)

38
Q

Authentication mechanism that uses a separate channel to authorize a sign-on attempt or to transmit an additional credential. This can use a registered email account or a contact phone number for an SMS or voice call.

A

2-step verification

39
Q

Either an additional code to use for 2-step verification, such as a one-time password, or authorization data that can be presented as evidence of authentication in an SSO system.

A

soft token

40
Q

System for sending text messages between cell phones.

A

SMS (short message service)

41
Q

Software that allows a smartphone to operate as a second authentication factor or as a trusted channel for 2-step verification.

A

authenticator application

42
Q

USB storage key or smart card with a cryptographic module that can hold authenticating encryption keys securely.

A

hard token

43
Q

Login Option
The Local Security Authority (LSA) compares the submitted credential to the one stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

A

Windows local sign-in

44
Q

Login Option
The LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on a system called Kerberos.

A

Windows network sign-in

45
Q

Login Option
If the user’s device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.

A

Remote sign-in

46
Q

Single sign-on authentication and authorization service that is based on a time-sensitive, ticket-granting system.

A

Kerberos

47
Q

Feature that supports passwordless sign-in for Windows.

A

Windows Hello subsystem

48
Q

Specification for secure hardware-based storage of encryption keys, hashed passwords, and other user- and platform-identification information.

A

TPM (trusted platform module)

49
Q

Biometric authentication device that can produce a template signature of a user’s fingerprint and then subsequently compare the template to the digit submitted for authentication.

This type of bio gesture authentication uses a sensor to scan the unique features of the user’s fingerprint.

A

Fingerprint

50
Q

Biometric authentication mechanism that uses an infrared camera to verify that the user’s face matches a 3D model recorded at enrollment.

This bio gesture uses a webcam to scan the unique features of the user’s face. The camera records a 3-D image using its infrared (IR) sensor to mitigate attempts to use a photo to spoof the authentication mechanism.

A

Facial recognition

51
Q

This uses a removable USB token or smart card. It can also use a trusted smartphone with an NFC sensor.

A

Security Key

52
Q

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

A user authenticates once to a device or network to gain access to multiple applications or services. The Kerberos authentication and authorization model for Active Directory domain networks implements this…

A

SSO (single sign-on)

53
Q

Advantage and Disadvantage of SSO?

A

Advantage:
The advantage of SSO is that each user does not have to manage multiple digital identities and passwords.

Disadvantage:
The disadvantage is that compromising the account also compromises multiple services. The use of passwords in SSO systems has proven extremely vulnerable to attacks.

54
Q

Group of hosts that is within the same namespace and administered by the same authority.

A

Domain

55
Q

Network directory service for Microsoft Windows domain networks that facilitates authentication and authorization of user and computer accounts.

A

Active Directory

56
Q

Any application server computer that has joined a domain but does not maintain a copy of the Active Directory database.

A

Member server

57
Q

Access control feature that allows permissions to be allocated to multiple users more efficiently.

A

security groups

58
Q

Structural feature of a network directory that can be used to group objects that should share a common configuration or organizing principle, such as accounts within the same business department.

A

OU (organizational unit)

59
Q

On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

A

GPO (group policy objects)

60
Q

Command-line tools to apply and analyze group policies. Group policies are a means of configuring registry settings.

A

gpupdate

61
Q

Code that performs a series of tasks automatically when a user account is authenticated.

A

login script

62
Q

Process and supporting technologies for tracking, controlling, and securing the organization’s mobile infrastructure.

A

MDM (mobile device management)

63
Q

You are writing a tech note to guide new technicians on operational procedures for working with Active Directory. As part of this note, what is the difference between the gpupdate and gpresult commands?

A

gpupdate is used to refresh local policy settings with updates or changes from the policy template.

gpresult is used to identify the Resultant Set of Policies (RSoP) for a given computer and/or user account.

64
Q

Angel unboxed a new tablet that his company just purchased and tried to connect to the corporate network. He knows the SSID of the wireless network and the password used to access the wireless network. He was denied access, and an enrollment warning message was displayed that he must contact the IT Department immediately. What happened, and why did he receive the message?

A

Mobile device management (MDM) is being used to mediate network access. The device must be enrolled with the MDM software before it can join the network.

65
Q

What are the requirements for configuring fingerprint authentication via Windows Hello?

A

The computer must have a fingerprint reader and a trusted platform module (TPM). Windows Hello must first be configured with a personal identification number (PIN) as a backup method.

66
Q

While you are assigning privileges to the accounting department in your organization, Cindy, a human resource administrative assistant, insists that she needs access to the employee records database so that she can fulfill change of address requests from employees. After checking with her manager and referring to the organization’s access control security policy, you discover that Cindy’s job role does not fall into the authorized category for access to that database. What security concept are you practicing in this scenario?

A

The principle of least privilege.

67
Q

True or false? If you want the same policy to apply to a number of computers within a domain, you could add the computers to the same Organizational Unit (OU) and apply the policy to the OU.

A

True

68
Q

Which three principal user security groups are created when Windows is installed?

A

Users, Administrators, and Guests.
You might also include Power Users, though use of this group is deprecated. Going beyond the account types listed in the exam objectives, you might include groups such as Remote Desktop Users, Remote Management Users, or Backup Operators. There are also system groups, such as Everyone, but users cannot be assigned manually to these.

69
Q

What tool would you use to add a user to a local security group?

A

You can change the account type between Standard and Administrator via Control Panel, but the Local Users and Groups management console is the tool to use for a custom security group. You could also use the net localgroup command.

70
Q

Group of network hosts that shares resources in a peer-to-peer fashion. No one computer provides a centralized directory.

A

workgroup

71
Q

Windows firewall configuration that makes a host visible to network browsers.

A

network discovery

72
Q

Windows firewall configuration that opens the network ports required to operate as a file/print server.

A

file sharing

73
Q

Windows mechanism for navigating shared network folders by assigning them with drive letters.

A

mapped drive

74
Q

net use commands

A

Display a list of servers on the local network:
net view

View the shares available on server named MYSERVER:
net view \\MYSERVER

Map the DATA folder on MYSERVER to the M: drive:
net use M: \\MYSERVER\DATA /persistent:yes

Remove the M: drive mapping:
net use M: /delete

Remove all mapped drives:
net use * /delete

75
Q

ACL that mediates local and network access to a file system object under Windows when the volume is formatted with NTFS.

A

NTFS permissions

76
Q

permission options for files

A

Read/list/execute permissions allow principals to open and browse files and folders and to run executable files.

Write allows the principal to create files and subfolders and to append data to files.

Modify allows the principal write permission plus the ability to change existing file data and delete files and folders.

Full control allows all the other permissions plus the ability to change permissions and change the owner of the file or folder.

77
Q

File system access-control concept where child objects are automatically assigned the same permissions as their parent object.

A

inheritance

78
Q

System security group that represents any account, including unauthenticated users.

A

“Everyone”

79
Q

Default local or network folder for users to save data files to.

A

home folder

80
Q

Configuring a network share to hold user profile data. The data is copied to and from the share at logon and logoff.

A

Roaming profiles

81
Q

In Windows, redirecting an individual user profile folder, such as Documents or Pictures, to a network share.

A

folder redirection

82
Q

A user is assigned Read NTFS permissions to a resource via his user account and Full Control via membership of a group. What effective NTFS permissions does the user have for the resource?

A

Full control—the most effective permissions are applied.

83
Q

What are the prerequisites for joining a computer to a domain?

A
  • The computer must be running a supported edition of Windows (Pro, Enterprise, or Education).
  • The PC must be configured with an appropriate IP address and have access to the domain DNS servers.
  • An account with domain administrative credentials must be used to authorize the join operation.
84
Q

What is the significance of a $ symbol at the end of a share name?

A

The share is hidden from the file browser. It can be accessed by typing a UNC. The default administrative shares are all configured as hidden.

85
Q

You receive a call from a user trying to save a file and receiving an “Access Denied” error. Assuming a normal configuration with no underlying file corruption, encryption, or malware issue, what is the cause and what do you suggest?

A

The user does not have “Write” or “Modify” permission to that folder. If there is no configuration issue, you should advise the user about the storage locations permitted for user-generated files. If there were a configuration issue, you would investigate why the user had not been granted the correct permissions for the target folder.

86
Q

When you set NTFS permissions on a folder, what happens to the files and subfolders by default?

A

They inherit the parent folder’s permissions.

87
Q

If a user obtains Read permissions from a share and Deny Write from NTFS permissions, can the user view files in the folder over the network?

A

Yes (but he or she cannot create files).

88
Q

A server administrator’s profile is set up to copy the whole profile from a share at logon and copy the updated profile back at logoff. This allows the administrator to hop on to any of the company’s computers. What technique was set up?

A. Folder redirection
B. Home folder
C. Group policy
D. Roaming profile

A

D. Roaming profile

Roaming profiles copy the whole profile from a share at logon and copy the updated profile back at logoff.

Folder redirection changes the target of a personal folder, such as the Documents folder, Pictures folder, or Start Menu folder, to a file share.

A home folder is a private drive mapped to a network share in which users can store personal files. The home folder location is configured via the account properties on the Profile tab using the Connect to box.

A roaming profile script was most likely pushed out using group policy for logon and logoff actions, but the actual setup for migrating profiles is called roaming profiles.

89
Q

A network administrator responds to users calling in about a slow network. Which command should the administrator use to diagnose the chokepoint?

A. ipconfig
B. hostname
C. pathping
D. msconfig

A

C. pathping

The pathping command performs a trace and then pings each hop router a given number of times for a given period to determine the round-trip time (RTT) and measure link latency more accurately.

The ipconfig command displays the IP address, subnet mask, and default gateway (router) for all network adapters to which TCP/IP is bound.

The hostname command returns the name configured on the local machine. If the machine is configured as a server, client machines will need to use the hostname to access shared folders and printers.

Use the System Configuration Utility (msconfig) or Task Manager to prevent unnecessary services and programs from running at startup.

89
Q

SMB

A

Server Message Block

90
Q

A server administrator wants to connect to a user’s computer and push a file through Server Message Block (SMB). How should the administrator connect to the computer?

A. \\userhost\C$
B. userhost
C. comptia.com
D. 192.168.14.25

A

A. \\userhost\C$

To connect to a computer via SMB, the administrator should use \\userhost\C$.

userhost would only be an example of the host name. The addition of the domain makes it an FQDN.

comptia.com would be an example of a DNS alias. Typically, a host is also configured with the addresses of Domain Name System (DNS) servers that can resolve requests for name resources to IP addresses.

The 192.168.14.25 would be an example of the host’s possible IP address. An Internet Protocol (IP) addressing scheme can use either IPv4 or IPv6.

91
Q

Two IT friends are best friends and want to map each other’s root shares. Which of the following commands will accomplish this?

A. net view M: \\BestFriend\C$
B. net view M: \\BestFriend\ADMIN$
C. net use M: \\BestFriend\C$
D. net use M: \\BestFriend\ADMIN$

A

C. net use M: \\BestFriend\C$

To map the root share on the computer BestFriend to the M: drive, they would use net use M: \\BestFriend\C$.

The command net view M: \\BestFriend\C$ is wrong because of “net view.” The proper command should be net use. There are several net and net use command utilities available to view and configure shared resources on a Windows network.

The command net view M: \\BestFriend\ADMIN$ is wrong because of both “net view” and ADMIN$. The root share would be C$.

The command net use M: \\BestFriend\ADMIN$ is wrong because of the ADMIN$ share. The root share is C$.

92
Q

A server administrator wants to connect to a user’s computer. They are trying to get their patching numbers up and discover that users must pull the updates, so the administrator wants to push a script that forces the pull. The administrator wants to copy the file to users’ automatically hidden shares. Which of the following could the administrator use? (Select all that apply.)

A. C:\Windows$
B. C$
C. C:\Users$
D. ADMIN$

A

A. C:\Windows$ and C. C:\Users$

In addition to any local shares created by a user, Windows automatically creates hidden administrative shares. This includes the root folder of any local drives (C$).

It also includes the system folder (ADMIN$). Administrative shares can only be accessed by members of the local Administrators group.

C:\Windows$ is not automatically created. If the administrator wanted to connect, they could first connect to C$ and then navigate to the Windows folder.

C:\Users$ is also not automatically created, but could also be accessed by first accessing the hidden C$ share.

92
Q

A user calls in to support, complaining that they cannot seem to reach anything on the network. The user was able to receive an IP address of 169.254.15.83 though. What is most likely the problem?

A. No internet access.
B. The computer does not receive a DNS entry.
C. It cannot find the wireless SSID.
D. No DHCP server found.

A

D. No DHCP server found.

When no Dynamic Host Configuration Protocol (DHCP) server can be contacted, the adapter will either use an address from the automatic IP addressing (APIPA) 169.254.x.y range or will use an address specified as an alternate configuration in IPv4 properties.

Receiving a 169.254 automatic private IP address (APIPA) does not necessarily mean that there is no internet access. It could mean that the DHCP reservations are full or that a DHCP server cannot be found.

An APIPA is not associated with a domain name system (DNS) entry. DNS entries are usually created when the computer is joined to a domain though.

The scenario does not specify if the user is connecting wirelessly or through a wired connection.

93
Q

A user calls into the helpdesk after receiving a recent update to their computer and now certain functions are no longer working properly. The helpdesk technician asks for their FQDN. What would be an example of the FQDN?

A. userhost.comptia.com
B. userhost
C. comptia.com
D. 192.168.14.25

A

A. userhost.comptia.com

userhost.comptia.com would be an example of a fully qualified domain name (FQDN). This includes both the name of the host as well as the domain it is on.

userhost would only be an example of the host name. The addition of the domain makes it an FQDN.

comptia.com would be an example of a DNS alias. Typically, a host is also configured with the addresses of Domain Name System (DNS) servers that can resolve requests for name resources to IP addresses.

The 192.168.14.25 would be an example of the host’s possible IP address. An Internet Protocol (IP) addressing scheme can use either IPv4 or IPv6.

94
Q

RTT

A

round-trip time

95
Q

ARP

A

address resolution protocol

95
Q

APIPA

A

automatic private IP addressing

95
Q

An administrator sets up a network share for the marketing team to collaborate. The requirement is to protect the files from a user who has local access to the computer that hosts the shared resource. What type of permission should the administrator set up?

A. NTFS
B. Share-level
C. FAT32
D. ACE

A

A. NTFS

New Technology File System (NTFS) permissions are applied for both network and local access and can be applied to folders and to individual files.

Share-level permissions only apply when a folder is accessed over a network connection. They offer no protection against a user who is logged on locally to the computer hosting the shared resource.

The FAT32 file system does not support permissions. Many cameras or other similar devices use storage with FAT32, but it does not support permissions.

Access control entries (ACEs) assign a set of permissions to a principal under the NTFS file structure. A principal can either be a user account or a security group.

95
Q

A user is experiencing what seems to be latency, which is affecting their ability to work. They decide to validate their theory with a ping test. What will indicate latency?

A. ARP
B. RTT
C. APIPA
D. DNS

A

B. RTT

If the ping is successful, it responds with the message Reply from IP Address and the time it takes for the host’s response to arrive. The millisecond (ms) measures of round-trip time (RTT) can be used to diagnose latency problems.

Address Resolution Protocol (ARP) is used to locate the hardware or media access control (MAC) address of the interface that owns an IP address.

When no DHCP server can be contacted, the adapter will either use an address from the automatic private IP addressing (APIPA) 169.254.x.y range or will use an address specified as an alternate configuration in IPv4 properties.

The domain name system (DNS) itself is not really useful to test latency. The RTT value should be used.

96
Q

A Windows administrator wants to divide a domain up into different administrative realms to delegate responsibility for administering company departments. What should the administrator use to do this?

A. Security groups
B. Member server
C. Group policy
D. OU

A

D. OU

An organizational unit (OU) is a way of dividing a domain up into different administrative realms. Administrators might create OUs to delegate responsibility for administering company departments or locations.

A domain supports the use of security groups to assign permissions more easily and robustly. User accounts are given membership of security groups to assign them permissions on the network.

A member server is any server-based system that has been joined to the domain but does not maintain a copy of the Active Directory database.

A domain group policy configures computer settings and user profile settings. Some settings are exposed through standard objects and folders, such as Security Settings.

97
Q

A support technician receives a call from a user who cannot seem to access a department share at \\fileserv01\ShareDrive. The user also explains that they can somehow reach the share via the IP at \\192.168.8.20\ShareDrive. Which of the following should the technician check first?

A. DNS
B. RTT
C. Firewall
D. APIPA

A

A. DNS

If a service such as domain name system (DNS) is not working, users will be able to connect to servers by IP address but not by name.

If a ping is successful, it responds with the message Reply from IP Address and the time it takes for the host’s response to arrive. The millisecond (ms) measures of round-trip time (RTT) can be used to diagnose latency problems.

A firewall or other security software or hardware might be blocking the connection or proxy settings might be misconfigured. However, if the IP is working, then it is most likely DNS.

When no DHCP server can be contacted, the adapter will most likely use an address from the automatic private IP addressing (APIPA) 169.254.x.y range.

97
Q

A PC user is looking at the wireless card adapter properties on their Windows computer. Which of the following is the most important setting to verify in order to ensure the PC is capable of connecting to an existing network?

A. Power transmission
B. SSID
C. Automatic connection
D. Protocol support

A

D. Protocol support

Wi-Fi properties for the adapter are configured via Device Manager. The most important setting on a wireless card is support for the 802.11 standards supported by the access point.

Users can adjust parameters such as roaming aggressiveness and transmit power to address connection issues.

If the access point is set to broadcast the network name or service set ID (SSID), then the network will appear in the list of available networks. Otherwise, it will have to be manually entered.

To connect, select the network, and then enter the required credentials. If users choose the Connect automatically option, Windows will use the network without prompting whenever it is in range.

97
Q

A security manager reviews user roles and grants the minimum privileges necessary. What did the manager implement?

A. Implicit deny
B. Least privilege
C. ACL
D. Authentication

A

B. Least privilege

Least privilege means that a user should be granted the minimum possible rights necessary to perform the job. This can be complex to apply in practice, however.

Implicit deny means that unless there is a rule specifying that access should be granted, any request for access is denied.

A permission is usually implemented as an access control list (ACL) attached to each resource. Within an ACL, each access control entry (ACE) identifies a subject and the permissions it has for the resource.

Authentication means that everything using the system is identified by an account and that an account can only be operated by someone who can supply the correct credentials.

97
Q

A security engineer investigates legacy applications and employees that are still using them. Which of the following user groups represents a security concern?

A. Guest
B. Power users
C. Standard account
D. Local users and groups

A

B. Power users

The power users group is present to support legacy applications. This approach created vulnerabilities that allowed accounts to escalate to the administrator’s group.

The guest user account is disabled by default. Microsoft ended support for using the Guest account to log in to Windows in a feature update.

A standard account is a member of the Users group. This group is generally only able to configure settings for its profile.

The local users and groups management console is not a user group. The console provides an interface for managing both user and group accounts.

98
Q

A vulnerability manager cleans up the patching program in their enterprise. After getting it back to a good state, the manager focuses efforts on hardening. They begin with a test box and want to look at open connections from services. What command should the manager use?

A. nslookup
B. tracert
C. ipconfig
D. netstat

A

D. netstat

The netstat command can be used to investigate open ports and connections on the local host. This can be used to see what ports are open on a server and whether other clients are connecting to them.

If the technician identifies or suspects a problem with name resolution, the technician can troubleshoot DNS with the nslookup command, either interactively or from the command prompt.

The tracert command line utility is used to trace the path a packet of information takes to get to its target.

Used without switches, ipconfig displays the IP address, subnet mask, and default gateway (router) for all network adapters to which TCP/IP is bound.

98
Q

A server administrator sets up static network configurations for servers since they do not want the IP address to change. The administrator sets up the IP address on a 24-bit subnet. What should the administrator set the subnet mask to?

A. 255.255.0.0
B. 255.0.0.0
C. 255.255.255.0
D. 0.0.0.0

A

C. 255.255.255.0

Administrators can also adjust the IP configuration via the Settings app. In this dialog, they need to enter the mask as a prefix length in bits. A 255.255.255.0 mask is 24 bits.

A subnet mask of 255.255.0.0 is a 16-bit mask. For example, the subnet would run from 192.168.0.0 to 192.168.255.255.

A subnet mask of 255.0.0.0 is an 8-bit mask. For example, the subnet would run from 10.0.0.0 to 10.255.255.255.

A subnet mask of 0.0.0.0 would be non-routable. This is usually a black hole where traffic is dropped.

98
Q

A security-conscious administrator wants to make authentication more secure. Which of the following would be the optimal method?

A. Device token
B. Facial recognition
C. MFA
D. UAC

A

C. MFA

An authentication technology is considered strong if it is multifactor. Multifactor authentication (MFA) means that the user must submit at least two different kinds of credentials.

Using a single factor makes authentication less reliable. A password could be shared, a device token could be stolen, or other mechanisms could become compromised or bypassed.

A facial recognition system is another instance of single factor authentication and could be spoofed using a photograph.

User Account Control (UAC) is a Windows security feature designed to protect the system against malicious scripts and attacks that could exploit privileges assigned to administrator accounts.

99
Q

A transportation company outfits its mobile units with devices that will enable them to analyze routes, patterns, and create efficiencies. The devices will connect to their cloud servers through a 4G WWAN. What will the company need to ensure the devices connect to the cloud resources?

A. VPN
B. SIM
C. NLA
D. Link-layer Topology Discovery

A

B. SIM

For GSM and 4G or 5G services, the adapter must also be fitted with a subscriber identity module (SIM) card issued by the network provider. The bandwidth depends on the technologies supported by the adapter and by the local cell tower (3G, 4G, or 5G, for instance).

A virtual private network (VPN) connects the components and resources of two (private) networks over another (public) network.

When a user connects to a new network, the Windows Network Location Awareness (NLA) service prompts the user to set the network type.

In Windows settings, the Link-layer Topology Discovery protocol provides network mapping and discovery functions for networks without dedicated name servers.

99
Q

A desktop technician is setting up a new PC on a local network and is trying to install software as a part of the setup process. They try to access a network share via a UNC path of \\fileserv01\Setup\Apps and get a message that the location cannot be reached. They ping the file server by IP and get a reply. What network configuration on the PC should be prioritized for investigation?

A. DHCP
B. DNS
C. VPN
D. NIC

A

B. DNS

Domain Name System (DNS) would be the first thing to check. If a network resource does not seem to be reachable by hostname (fileserv01) but it can be reached by pinging the IP, the PC cannot seem to resolve the host name, which could indicate a problem with DNS settings.

Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addressing information to hosts that have not been configured manually. In this case the PC has an IP address, as it is able to ping another resource.

A Virtual Private Network (VPN) is a secure tunnel created between two endpoints connected via an unsecure transport network (typically the Internet). This is unlikely to be the issue, as the PC is being set up on a local network and not a remote site.

Network Interface Card (NIC) is an adapter card that provides one or more Ethernet ports for connecting hosts to a network so that they can exchange data over a link. This seems to be working, as the PC is able to ping another network resource.

100
Q

SAM

A

Security Accounts Manager

100
Q

A penetration tester looks to harvest credentials from users who log in locally. Where should the penetration tester look for users who authenticated locally?

A. SAM
B. Kerberos
C. VPN
D. Web portal

A

A. SAM

In a Windows local sign-in, the Local Security Authority (LSA) compares the submitted credential to the one stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

In a Windows network sign-in, the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on a system called Kerberos.

In a remote sign-in, if the user’s device is not connected to the local network, authentication can take place over some type of virtual private network (VPN).

To obtain credentials stored for a web portal, a pen tester would need access to the web server.

101
Q

Lesson 5 Summary

A

You should be able to manage and troubleshoot Windows network settings, configure users and share permissions in workgroup environments, and summarize Active Directory/domain concepts.

Guidelines for Managing Windows Networking

Follow these guidelines to manage Windows networks:

Document the Internet Protocol (IP) addressing scheme to identify appropriate subnet mask, gateway, and DNS settings. Identify hosts that would benefit from static addressing, but plan to use dynamic configuration for most hosts.
Document wired and wireless connection support and any special considerations, such as proxy settings for Internet access, metered connection configuration for WWAN, and VPN type and server address.
Use setup and monitoring checklists and tools to ensure proper configuration of local OS firewall settings, including public versus private network types and application restrictions and exceptions.
Use the principle of least privilege to configure user accounts within security groups with the minimum required permissions. Ensure that UAC is enabled to mitigate risks from misuse of administrator privileges.
Consider replacing password-based local login and SSO authentication with MFA and/or passwordless authentication and sign-in verification, using email, hard token, soft token, SMS, voice call, and authenticator applications.
Design ACL permissions on folders to support policy goals, taking account of share versus NTFS permissions and inheritance.
Make training and education resources available to users to help them use File Explorer navigation and select appropriate network paths for accessing file shares, printers, mapped drives, and home folders.
Develop a knowledge base to document use of command-line tools to resolve common issues (ipconfig, ping, hostname, netstat, nslookup, tracert, pathping, net user, net use, gpupdate, and gpresult).
Consider that a large or growing network might be better supported by implementing an Active Directory domain with support for network-wide security groups, OUs, group policy, login scripts, and roaming profiles/folder redirection.
Additional practice questions for the topics covered in this lesson are available on the CompTIA Learning Center.