An administrator notices that former temporary employees’ accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening?
A. Implement a password expiration policy. B. Implement an account expiration date for permanent employees. C. Implement time of day restrictions for all temporary employees. D. Run a last logon script to look for inactive accounts.
Correct Answer: D Section: Threats and Vulnerabilities
You can run a script to return a list of all accounts that haven’t been used for a number of days, for example 30 days. If an account hasn’t been logged into for 30 days, it’s a safe bet that the user the account belonged to is no longer with the company. You can then disable all the accounts that the script returns. A disabled account cannot be used to log in to a system. This is a good security measure. As soon as an employee leaves the company, the employees account should always be disabled.
A: A password expiration policy is always a good idea as it forces users to change their passwords regularly. However, an expired password does not prevent you logging in. When you log in using an account with an expired password, you are prompted to change the password.
B: Implementing an account expiration date for permanent employees is not a good idea. When the accounts expire, no one would be able to log in. Account expiration is useful for temporary employees (where you know when they will be leaving), not permanent employees.
C: Time of day restrictions will restrict users to logging in at certain times of the day only (for example: during office hours). However this does not prevent people logging in during the allowed hours.
A company is installing a new security measure that would allow one person at a time to be authenticated to an area without human interaction. Which of the following does this describe?
A. Fencing B. Mantrap C. A guard D. Video surveillance
Correct Answer: B Section: Compliance and Operational Security
Mantraps make use of electronic locks and are designed to allow you to limit the amount of individual allowed access to an area at any one time.
A: Fencing is a physical perimeter security measure that is designed to prevent unauthorized access to your premises.
C: A guard will act as a deterrent to keep any intruders out, but involves human interaction.
D: Video surveillance is best accomplished when the camera is recording and being monitored by a person which in turn means human interaction.
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 372
While previously recommended as a security measure, disabling SSID broadcast is not effective against most attackers because network SSIDs are:
A. no longer used to authenticate to most wireless networks. B. contained in certain wireless packets in plaintext. C. contained in all wireless broadcast packets by default. D. no longer supported in 802.11 protocols.
Correct Answer: B Section: Network Security
The SSID is still required for directing packets to and from the base station, so it can be discovered using a wireless packet sniffer.
A, D: The SSID is still used as a unique identifier for a wireless LAN. It is therefore still valid for authentication, and also still supported in 802.11 protocols.
C: Devices which are configured to connect to a network which does not broadcast its SSID may try to connect to the network by broadcasting for the network. This results in the SSID
being revealed to wireless snoopers in the vicinity of the device. It is not included by default.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 61