Understanding Security Policies
Remember Points

  • The strength of a password can be determined by examining the length, complexity, and randomness of the password. 
  • A complex password will use characters from at least three of the following categories: uppercase characters, lowercase characters, numeric characters, and non-alphanumeric characters.
  • Account lockout refers to the number of incorrect login attempts permitted before the system will lock the account. 
  • The length of a password is a key component of ensuring the strength of a password.  
  • The minimum password age setting controls how many days a user must wait before they can reset their password. 
  • The maximum password age setting controls the maximum period of time permitted before a user is forced to reset their password. 
  • A Group Policy Object (GPO) is a set of rules which allow an administrator granular control over the configuration of objects in Active Directory (AD), including user accounts, operating systems, applications, and other AD objects. 
  • Passwords have long been recognized as one of the weak links in many security programs. 
  • A dictionary attack (a form of brute force attack) uses a dictionary containing an extensive list of potential passwords that the attacker then tries in conjunction with a user ID to attempt to guess the correct password.
  • A brute force attack tries all the combinations of the permitted character types. 
  • Physical attacks on a computer can completely bypass almost all security mechanisms: a software or hardware keylogger captures passwords and other critical data directly from the keyboard.
  • In a cracked password attack, the attacker obtains an encrypted password file from a workstation or server and then runs password cracking tools against it.
  • If an attacker can gain access to your internal network, your wireless network, or even an internet access point used by your employees, they can use a specialized tool known as a sniffer to try to intercept unencrypted passwords.
  • While not as prevalent an issue as it was in times past, there is still the possibility that someone could sit down at your computer and guess your password. 
  • Device Guard helps harden a computer system against malware by running only trusted applications, thereby preventing malicious code from running. 
  • Credential Guard isolates and hardens key system and user security information. The Credential Guard and Device Guard technologies are available only through Windows 10 Enterprise.

Select the correct answer(s) for each of the following questions. 

1. Which of the following are not valid password controls? (Choose all that apply.) 

  (a) Minimum Password Age
  (b) Maximum Password Age
  (c) Maximum Password Length
  (d) Account Lockout Threshold
  (e) Password History

(c), (d)


2. Which of the following would be an acceptable password on a Windows 10 Pro system with Password Complexity enabled and a minimum password length set to 8? (Choose all that apply.) 

  (a) Summer2010
  (b) $$Thx17
  (c) ^^RGood4U
  (d) Password
  (e) St@rTr3k

(a), (c), (e)

  • Password must not contain the user's account name or more than two consecutive characters from the user's full name.
  • Password must be six or more characters long.
  • Password must contain characters from three of the following four categories:
    • Uppercase characters A-Z (Latin alphabet)
    • Lowercase characters a-z (Latin alphabet)
    • Digits 0-9
    • Special characters (!, $, #, %, etc.)
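As an added example (not from the original page), the following Python applies the complexity rules listed above, plus the minimum length of 8 from the question, to the five candidate passwords. The full-name rule follows the page's wording (any run of three consecutive characters from a name token is rejected), and the account name and full name used are constructed.

```python
import re
import string

ALNUM = string.ascii_letters + string.digits  # anything outside this set counts as "special"

def category_count(password: str) -> int:
    """Number of the four character categories (upper, lower, digit, special) present."""
    return sum((
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in ALNUM for c in password),
    ))

def contains_name_fragment(password: str, account: str, full_name: str) -> bool:
    """True if the password contains the account name, or any run of three or more
    consecutive characters from a token of the full name (case-insensitive)."""
    pw = password.lower()
    if account and account.lower() in pw:
        return True
    for token in re.split(r"[\s,.\-_#]+", full_name.lower()):
        for i in range(len(token) - 2):          # every 3-character window of the token
            if token[i:i + 3] in pw:
                return True
    return False

def meets_policy(password: str, account: str = "", full_name: str = "",
                 min_length: int = 8) -> tuple:
    """Evaluate a candidate against the page's complexity rules; returns (ok, reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if category_count(password) < 3:
        reasons.append("uses fewer than three of the four character categories")
    if contains_name_fragment(password, account, full_name):
        reasons.append("contains the account name or a fragment of the full name")
    return (not reasons, reasons)

# The five candidates from question 2 above.
CANDIDATES = ["Summer2010", "$$Thx17", "^^RGood4U", "Password", "St@rTr3k"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        ok, why = meets_policy(pw, account="jsmith", full_name="Jane Smith")  # constructed user
        print(f"{pw:12} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```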


3. Which of the following is the maximum setting for Minimum Password Age? 

  (a) 14
  (b) 999
  (c) 998
  (d) 256

(c)

The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0.


4. Which of the following corresponds with the minimum and maximum password history settings for securing a Windows 10 Pro workstation image? (Choose the best answer.) 

  (a) 0, 14
  (b) 1, 14
  (c) 0, 24
  (d) 1, 24
  (e) 0, 998

(c)

Microsoft allows a password history setting between 0 and 24. A fairly common setting in standard environments is 10, although Windows Server 2008 and higher defaults to 24 for domain controllers and domain member computers.


5. Which of the following are common password attacks? (Choose all that apply.) 

  (a) Cracking
  (b) Phreaking
  (c) Phishing
  (d) Leaking
  (e) Brute force

(a), (e)



6. Which of the following refers to a form of brute force password attack that uses an extensive list of pre-defined passwords? (Choose the best answer.) 

  (a) Bible
  (b) Cracking
  (c) Guessing
  (d) Dictionary

(d)

Hackers will try to crack passwords by first trying obvious passwords, including the name of spouse/partner or children, birthdays, keywords used by the user, hobbies of the user, and common passwords. Then hackers will try brute force attacks, which consist of trying as many combinations of characters as time and money permit. A subset of the brute force attack is the dictionary attack, in which all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.


7. Which setting should be applied to ensure that a possible dictionary attack against a Windows application server has a limited chance of success? (Choose the best answer.) 

  (a) Minimum Password Length
  (b) Account Lockout Threshold
  (c) Password History
  (d) Maximum Password Age

(b)

Account lockout refers to the number of incorrect login attempts permitted before the system will lock the account. Each bad logon attempt increments the bad logon counter, and when the counter exceeds the account lockout threshold, no further login attempts will be permitted.
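As an added example, not from the original page, this Python models the bad-logon counter described above: the account locks on the attempt that reaches the threshold, attempts during the lockout are refused even with the correct password, and the counter clears after a reset window. The lockout duration and reset-counter window are the companion Account Lockout Policy settings; their values here are constructed.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    """Account Lockout Policy values (constructed defaults, not a page recommendation)."""
    threshold: int = 5             # Account lockout threshold: bad logons before lock; 0 = never lock
    duration_s: int = 30 * 60      # Account lockout duration, in seconds (companion setting)
    reset_window_s: int = 30 * 60  # Reset account lockout counter after, in seconds (companion setting)

@dataclass
class AccountState:
    bad_count: int = 0        # the "bad logon counter" from the explanation above
    last_bad_at: float = 0.0
    locked_until: float = 0.0

def attempt_logon(state: AccountState, policy: LockoutPolicy, ok: bool, now: float) -> str:
    """Apply one logon attempt at time `now`; return 'success', 'failure' or 'locked'."""
    if now < state.locked_until:
        return "locked"  # while locked, even the correct password is refused
    if state.bad_count and now - state.last_bad_at >= policy.reset_window_s:
        state.bad_count = 0  # counter is cleared once the reset window has elapsed
    if ok:
        state.bad_count = 0  # a good logon clears the counter
        return "success"
    state.bad_count += 1
    state.last_bad_at = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = now + policy.duration_s
        state.bad_count = 0
        return "locked"
    return "failure"

def simulate(attempts, policy: LockoutPolicy) -> list:
    """Run a constructed sequence of (time_s, password_correct) pairs through the policy."""
    state = AccountState()
    return [attempt_logon(state, policy, ok, t) for t, ok in attempts]

# Constructed guessing run: four wrong guesses within a minute, then the real password.
GUESSING_RUN = [(0, False), (15, False), (30, False), (45, False), (60, True)]

if __name__ == "__main__":
    print(simulate(GUESSING_RUN, LockoutPolicy(threshold=3)))
```

With a threshold of 3, the third wrong guess locks the account and the correct password at 60 s is still refused; with threshold 0 the same run never locks.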


8. Which Administrative Tool should be used to configure password control settings on a new standalone server? 

  (a) Active Directory Users and Computers
  (b) Computer Management
  (c) Security Service
  (d) Local Security Policy

(d)


9. Which two features in Windows Server 2008 and higher permit the use of fine-grained password policies? (Choose two.) 

  (a) Global Policy Object
  (b) Password Settings Container
  (c) Password Settings Object
  (d) Password Policy

(b), (c)

Fine-grained password policies allow you to specify multiple password policies within a single domain so that different restrictions for password and account lockout policies can be applied to different sets of users in a domain. To use a fine-grained password policy, the domain functional level must be at least Windows Server 2008. To enable fine-grained password policies, first, create a Password Settings Object (PSO). Then, configure the same settings that are configured for the password and account lockout policies. In the Windows Server 2016 environment, PSOs can be created and applied by using the Active Directory Administrative Center (ADAC) or Windows PowerShell.


10. Which of the following explains why a minimum password age would be set? 

  (a) To ensure that no one can guess a password
  (b) To stop someone from trying over and over to guess a password
  (c) To make sure a user cannot reset a password multiple times until he or she can reuse his or her original password
  (d) To automatically reset a password

(c)

The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it.


11. Which of the following uses the processor’s virtualization to protect the PC, including data and credential tokens on the system’s disks? 

  (a) Virtual smart cards
  (b) Device Guard
  (c) Credential Guard
  (d) Windows Hello

(a)

Device Guard and Credential Guard use Windows 10 virtual secure mode (VSM) which, in turn, uses the processor’s virtualization to protect the PC, including data and credential tokens on the system’s disks. By using hardware virtualization, Windows 10 is organized into multiple containers. Windows runs one container; the Active Directory security tokens that allow access to your organization’s resources run in another container. Each container is isolated from the other. Therefore, if Windows is compromised by malware, the tokens are protected because they are isolated in their own encrypted container.


12. In Windows 10, which component is used by Device Guard and Credential Guard to protect the PC? 

  (a) Windows Store
  (b) Virtual smart cards
  (c) Windows Hello
  (d) Virtual secure mode

(d)

Device Guard helps harden a computer system against malware by running only trusted applications, thereby preventing malicious code from running. Credential Guard isolates and hardens key system and user security information. Both technologies are available only through Windows 10 Enterprise.
