CompTIA Security Plus Mock Test Q619

An administrator notices that former temporary employees’ accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening?

A. Implement a password expiration policy.
B. Implement an account expiration date for permanent employees.
C. Implement time of day restrictions for all temporary employees.
D. Run a last logon script to look for inactive accounts.

Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
You can run a script to return a list of all accounts that haven’t been used for a number of days, for example 30 days. If an account hasn’t been logged into for 30 days, it’s a safe bet that the user the account belonged to is no longer with the company. You can then disable all the accounts that the script returns. A disabled account cannot be used to log in to a system. This is a good security measure. As soon as an employee leaves the company, the employee’s account should always be disabled.
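
A sketch of such a last logon script, added here as an illustration and not part of the original question. It assumes an Active Directory domain and a CSV export with the columns shown; the account names and timestamps are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

# Constructed sample export (not real data). Column layout is an assumption.
SAMPLE_EXPORT = """sAMAccountName,lastLogonTimestamp,userAccountControl
temp.alice,133458624000000000,512
temp.bob,133528608000000000,512
perm.carol,133535520000000000,512
temp.dave,0,512
temp.erin,133432704000000000,514
"""

def filetime_to_datetime(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).

    A value of 0 means the account has never logged on; return None for it.
    """
    ticks = int(value)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def find_inactive(export_text, now, max_idle_days=30):
    """Return (name, last_logon) for enabled accounts idle longer than the limit.

    lastLogonTimestamp is replicated lazily (about 14 days by default), so the
    threshold should stay well above that to avoid flagging active users.
    """
    cutoff = now - timedelta(days=max_idle_days)
    inactive = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["userAccountControl"]) & ACCOUNTDISABLE:
            continue  # already disabled, nothing left to do
        last = filetime_to_datetime(row["lastLogonTimestamp"])
        if last is None or last < cutoff:
            inactive.append((row["sAMAccountName"], last))
    return inactive

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    for name, last in find_inactive(SAMPLE_EXPORT, now):
        print(name, last.isoformat() if last else "never logged on")
```

The script only reports candidates; accounts that have never logged on are listed separately from stale ones so they can be reviewed before anything is disabled.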

Incorrect Answers:
A: A password expiration policy is always a good idea as it forces users to change their passwords regularly. However, an expired password does not prevent you from logging in. When you log in using an account with an expired password, you are prompted to change the password.
B: Implementing an account expiration date for permanent employees is not a good idea. When the accounts expire, no one would be able to log in. Account expiration is useful for temporary employees (where you know when they will be leaving), not permanent employees.
C: Time of day restrictions will restrict users to logging in at certain times of the day only (for example, during office hours). However, this does not prevent people from logging in during the allowed hours.