SG: Ch 23: Securing Operating Systems Flashcards
A user is in both the Sales group and the Marketing group. The Sales group has full permission at the share level, and the Marketing group has read-only permissions. The files on NTFS are secured with the Modify permission for the Sales group and the Read & Execute permission for the Marketing group. Which permissions will the user have?
A. Full
B. Modify
C. Read-only
D. Read & Execute
B. Modify
Because the user is in both groups and the Sales group has full share permissions and the Sales group has modify NTFS permissions, the most restrictive of the two is Modify, so that will be the effective permission for the user. All of the other answers are incorrect.
A user is in the Sales group. The Sales group has no permissions at the share level. The files on NTFS are secured with the Modify permission for the Sales group. What permissions with the user have?
A. The user will have the Modify permission when connecting from the network.
B. The user will have the Modify permission when logged in locally to the computer.
C. The user will have no access when logged in locally to the computer.
D. The user will have read-only permissions when connecting from the network.
B. The user will have the Modify permission when logged in locally to the computer.
The user will have only the Modify permission when logged in locally to the computer, since the filesystem is not shared with the appropriate permissions. The user will not have the Modify permission when connecting from the network. The user will still have the Modify permission when logged in locally, because of the NTFS permissions. The user will not have read-only permissions when connecting from the network.
You need to secure your mobile device’s lock screen with the highest level of protection. Which of the following should you use? (Choose the best answer.)
A. Fingerprint lock
B. Face lock
C. Passcode lock
D. Swipe lock
A. Fingerprint lock
Fingerprint locks are the most secure of all the lock methods, since fingerprints are hard to duplicate. Face locks have a high number of false positives, which can be used to gain access to the phone. Passcode locks can be cracked or shoulder surfed. Swipe locks can be shoulder surfed and are usually simple.
You need to enforce profile security requirements on mobile devices. Which should you use to achieve this goal?
A. AUP
B. NDA
C. BYOD
D. MDM
D. MDM
Mobile device management (MDM) software enables you to enforce profile security requirements on mobile devices. The acceptable use policy (AUP) is a code of ethics your users should follow when dealing with organizational resources. A non-disclosure agreement (NDA) is an agreement between an employee and the organization to protect intellectual property. A bring you own device (BYOD) policy contains how devices should be secured but provides no enforcement.
You need to encrypt a single file on a Windows Desktop. Which technology should you use?
A. EFS
B. BitLocker
C. NTFS
D. BitLocker to Go
A. EFS
The Encrypted File System (EFS) is a functionality of the Windows NTFS filesystem. EFS can encrypt individual files and folders. BitLocker is a full device encryption technology. NTFS is a filesystem that supports encryption and security, among other functionality. BitLocker to Go is used for full device encryption of removable drives.
Which of the following has the goal of allowing a username/password combination to be entered once, and then allowing claims to be used for consecutive logins? (Choose the best answer.)
A. Tokens
B. Kerberos
C. Single sign-on
D. Multifactor authentication
C. Single sign-on
The goal of single sign-on (SSO) is to allow a username/password combination. Once the combination is entered, claims are used to access additional resources. Tokens are given to the operating system after a user successfully logs in; they allow a user to access rights on the operating system. Kerberos is used (along with Active Directory) to authenticate a user on the Windows operating system. Multifactor authentication is the use of two or more factors to authenticate a user.
By default, when setting up an Android device, what is the relevance to the Google account required?
A. The device requires email setup.
B. The account is used for cloud synchronizations.
C. The account is used for desktop backups.
D. The device requires registration.
B. The account is used for cloud synchronizations.
By default, a Google account is required on Android devices; it is used to synchronize data and app purchases to the cloud. The device does not require email to be set up, but the account can be used for the setup. The account is not used for desktop backups. The device does not require registration.
What is a best practice for mitigating the risk of a contractor account that is forgotten about? (Choose the best answer.)
A. Time restrictions
B. Password complexity
C. Account expiration
D. Password expiration
C. Account expiration
Account expiration is the best approach to mitigating the risk of a contractor account that is forgotten about. If an expiration for the account is set, it will automatically deny logins after the set time. Time restrictions will limit when the account can be logged into but will not deactivate the account. Password complexity will have no effect on mitigating the risk; it will only require a stronger password. Password expiration will have no effect on mitigating the risk; it will only require the password to be changed.
What should be implemented to mitigate the risk of a password from being shoulder surfed or keylogged?
A. Antivirus
B. Privacy screens
C. Password complexity
D. Password expiration
D. Password expiration
Password expiration is a tactic to mitigate passwords from being shoulder surfed or keylogged. Although it won’t remove the threat completely, requiring passwords to expire makes it less likely that the password could be used over a long period time. Antivirus will not prevent shoulder surfing by other users. Privacy screens would not prevent keyloggers from capturing a password. Password complexity makes it harder to shoulder surf a password but does not mitigate the risk of a keylogger.
As a best practice, after a set period of inactivity on a Windows workstation, what should happen?
A. The system should shut down.
B. The system should restart.
C. A password-enabled screensaver should automatically start.
D. The system should log out the user.
C. A password-enabled screensaver should automatically start.
A screensaver should automatically start after a short period of idle time, and that screensaver should require a password before the user can begin the session again. The system should neither shut down nor restart, since work could still be open. For the same reason, the system should not log out the user.
You want to follow the rules of good security administration as set by CompTIA and vendors. To do so, which account should be disabled on most Windows operating systems for security reasons?
A. Guest
B. Print Operators
C. Power Users
D. Userone
A. Guest
The Guest account should be disabled on the operating system, unless there is good reason to leave the account enabled. Print Operators is a group found on Windows servers. Power Users is a group found on both Windows workstations and servers. Userone is obviously a user account. Unless the user has left the organization, there should be no reason to disable the account.
What is normally performed when an employee is offboarded?
A. Their user account is deleted.
B. Their user account is unlocked.
C. Their user account is created.
D. Their user account’s password is reset.
A. Their user account is deleted.
When an employee is offboarded, their user account is deleted or disabled. A user account is not created, nor is its password reset, during the offboarding process. A user account normally is created during the onboarding process.
James just moved a folder on the same partition. What will happen with the permissions for the folder?
A. The permissions will be the same as they were before the move.
B. The permissions will be inherited from the new parent folder.
C. The permissions will be configured as the root folder for the drive letter.
D. The permissions will be blank until configured.
A. The permissions will be the same as they were before the move.
The permissions will be the same as before the move, since you are just moving the files and not creating a new entity. The permissions will not be inherited from the parent folder. The permissions will not be configured the same as the root folder. The permissions will not be blank.
Which of the following passwords is a secure password? (Choose the best answer.)
A. serverpassword0ne
B. $erVer1
C. *erverP%ssw#rd
D. serverpassword1
C. *erverP%ssw#rd
The password *erverP%ssw#rd uses uppercase and lowercase letters, symbols, and numbers, for a possible character base of 95 combinations per position. The password serverpassword0ne uses only lowercase and numbers, for a character base of 36 combinations per position; although it is longer than *erverP%ssw#rd, the complexity still falls short. The password $erVer1 uses uppercase and lowercase letters, symbols, and numbers, but it is too short. The password serverpassword1 is also long and uses lowercase and numbers, but it only has a character base of 36 combinations per position.
A new app developed for the Android platform has which extension?
A. .sdk
B. .apk
C. .ipa
D. .exe
B. .apk
Android apps have an .apk (Android Package Kit) extension. Apps are developed with a software development kit (SDK), but .sdk is not a valid extension. Apple iOS apps use an .ipa (iOS App Store Package) extension. Only the Windows desktop operating system can execute .exe files.