Which of the following is true about the security Configuration and Analysis tool?

Test your knowledge of the CISSP exam’s Domain 1: Security and Risk Management -- one of the heaviest-weighted portions of the test -- with this practice quiz.

The following quiz is excerpted from the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition, ©2015 John Wiley & Sons, All Rights Reserved.

For IT professionals whose background is focused on hardware and software, the world of cybersecurity, risk management and compliance can be new, and sometimes challenging, territory. Unlike muscle-memory tasks such as firewall configuration or patch deployment, navigating the shifting, strategic concepts of risk and compliance uses a different part of your brain. But these areas are critical for building a security program in any organization, from small businesses to global enterprises.

The importance of these disciplines is not lost on (ISC)2, which administers the Certified Information Systems Security Professional (CISSP) exam. Domain 1 of the certification exam, Security and Risk Management, is one of the most heavily weighted sections of the test. It accounts for 16% of the final score, the largest share assigned to any of the exam's eight domains. The only other section of the test with the same weight is Domain 7: Security Operations.

At a high level, Domain 1 covers cybersecurity, risk management, compliance, law, regulations and business continuity. According to (ISC)2, more specific concepts tested in Domain 1 include:

  • confidentiality, integrity and availability
  • security governance principles
  • compliance
  • legal and regulatory issues
  • professional ethics
  • security policies, standards, procedures and guidelines

Planning to take the CISSP exam and obtain certification? Test your knowledge of Domain 1 with this practice quiz, comprising five multiple-choice questions and 10 true/false questions on key concepts, vocabulary and principles of cybersecurity, risk management, compliance and more.

CISSP® is a registered mark of (ISC)².

This was last published in July 2017


ch02
True/False

Indicate whether the statement is true or false.
____ 1. The Security Configuration and Analysis snap-in can be used to configure local and remote computers.
____ 2. The three areas in local policies are Audit Policy, User Rights Assignment, and Security Options.
____ 3. Group policies are applied to three types of Active Directory objects: users, computers, and networks.
____ 4. The IIS role is one of the most vulnerable server roles due to its inherent exposure to the Internet.
____ 5. Group Policy provides the easiest way to apply security settings in an Active Directory domain.
Modified True/False

Indicate whether the statement is true or false. If false, change the identified word or phrase to make the statement true.
____ 6. In Windows Server 2003 security is set to the fewest possible permissions. _________________________
____ 7. The Secure template requires NTLM v5. _________________________
____ 8. Group policy is passed down from child to parent object within the domain. _________________________
____ 9. Desktop configurations, Internet Explorer settings, and security settings can all be configured using Group Policy. _________________________
____ 10. The most common threats to DCs are those that attempt to gain access to the security database on a DC. _________________________
Multiple Choice

Identify the choice that best completes the statement or answers the question.
____ 11. Which of the following is the baseline security template?
a. rootsec.inf
b. secure*.inf
c. Setup security.inf
d. DC security.inf

____ 12. If you want to apply the securews.inf security template to a client computer, you must ensure that all DCs that contain user accounts that might be accessed through the client computer are running _____ or later.
a. Windows NT 4.0 Service Pack 3
b. Windows NT 4.0 Service Pack 4
c. Windows 2000 Service Pack 3
d. Windows XP

____ 13. If a server is configured to use the hisec*.inf template, all clients must use _____ packet signing.
a. SMB
b. NTLM
c. LM
d. LDAP

____ 14. What is the recommended way to customize security templates?
a. Make changes directly to the predefined security template.
b. Use the Save As command to save a copy of a predefined template, then modify the copy.
c. Use the Copy command to create a copy of a predefined security template, then modify the copy.
d. Use the New command to create a blank security template, then add the settings.

____ 15. What is the order of precedence for application of group policies?
a. domain, local computer, OU
b. domain, OU, local computer
c. local computer, OU, domain
d. OU, domain, local computer

____ 16. The _____ Policies in the predefined security templates allow the administrator to modify settings related to system services such as startup, shutdown, indexing, license logging, and many more.
a. System Services
b. Event Log
c. Restricted Groups
d. Local

____ 17. Which of the following groups of nodes is listed under each GPO in the Active Directory Users and Computers console?
a. Software Settings, Hardware Settings, and Local Settings
b. Software Settings, Windows Settings, and Administrative Templates
c. Security Templates and Administrative Templates
d. Windows Settings, Security Settings, and Registry Settings

____ 18. Which MMC snap-in would you use to compare the current security configuration on a computer with another configuration?
a. Active Directory Users and Computers
b. Security Configuration and Analysis
c. Resultant Set of Policy
d. Security Extensions to Group Policy

____ 19. Which switch to the secedit command is used to create a snapshot of the current configuration values that can later be used to undo changes?
a. export
b. snap
c. generaterollback
d. generateundo

____ 20. The ____.exe is used to refresh Group Policy settings, including security settings.
a. gpupdate
b. gprefresh
c. refreshgp
d. gp

____ 21. Which server role typically authenticates domain logons and maintains the security policy as well as the master database for the domain?
a. Terminal server
b. Remote access/VPN server
c. Domain controller
d. DHCP Server

____ 22. Which version of the IP security protocol should be installed on POP3 servers?
a. 3
b. 6
c. 9
d. 11

____ 23. A _____ attack occurs when someone captures DNS zone data in order to reverse engineer your DNS structure.
a. denial-of-service
b. data modification
c. redirection
d. footprinting

____ 24. Securing file, print, and member servers is simplified in Windows Server 2003 because _____ is no longer installed by default on these computers.
a. DNS
b. IIS
c. WINS
d. DHCP

____ 25. A server with the _____ role typically runs the Indexing Service and Remote Storage.
a. IIS
b. Application server
c. File server
d. Print server

____ 26. Which security templates should be applied to servers with infrastructure services roles?
a. Setup security.inf (default), secure*.inf, hisec*.inf, compat*.inf
b. Setup security.inf (default), secure*.inf, compat*.inf
c. Setup security.inf (default)
d. Setup security.inf (default), secure*.inf, hisec*.inf

Yes/No

Indicate whether you agree with the statement.
____ 27. Should NTFS be used to secure the data storage for a streaming media server?
____ 28. In Windows Server 2003, are modifications to security templates usually made to tighten default security settings?
____ 29. Does Microsoft recommend applying security templates to sites, domains, and OUs?
____ 30. Is there a security template that allows end users to have appropriate permissions to run noncertified applications and still not grant the full permissions granted to Power Users?
____ 31. Should an administrator modify the predefined templates provided in Windows Server 2003?
Completion

Complete each statement.
32. The ____________________ security template is used for setting very high security between computers for network communications.
33. In Terminal Server, the ____________________ security setting is used when legacy applications accessed through Terminal Server require access to the Registry.
34. Settings for passwords, account lockout, and Kerberos are defined in ____________________ policies.
35. When securing an IIS server, one security measure you can take specific to IIS servers is to place content on a dedicated ____________________.
36. DHCP servers manage a set of DHCP addresses, called a(n) ____________________, and assigns addresses to computers in a dynamic fashion.
Matching
Match each item with a statement below.
a. Security Extensions to Group Policy
b. DC
c. secedit.exe
d. RSoP
e. setup security.inf
f. Hfnetchk.exe
g. firewall
h. secure*.inf
i. DNS

____ 37. software and hardware interface that prevents unauthorized access to internal networks from external locations by means of filtering and routing


____ 38. command-line tool used to analyze, configure, and export system security settings
____ 39. service that provides the means for computers, users, and applications to resolve names to IP addresses
____ 40. default security template
____ 41. server that controls activities on the domain
____ 42. used to define security configurations for various users, groups, or computers within a GPO
____ 43. allows you to see the results of the policies applied to a particular computer
____ 44. secure security template
____ 45. command-line tool that analyzes Windows computers and reports any missing security updates
Short Answer
46. If a strong password policy is set, what are the criteria that user passwords must meet?
47. Describe the function of the Restricted Groups node of the security templates.
48. Describe the use of the analyze switch to secedit.
49. List at least six of the server roles identified by Microsoft Windows Server 2003.
50. What are some of the steps you can take to secure an IIS server?

ch02

Answer Section
TRUE/FALSE
1. ANS: F PTS: 1 REF: 51
2. ANS: T PTS: 1 REF: 69
3. ANS: F PTS: 1 REF: 96
4. ANS: T PTS: 1 REF: 112
5. ANS: T PTS: 1 REF: 133
MODIFIED TRUE/FALSE
6. ANS: T PTS: 1 REF: 53
7. ANS: F, v2 PTS: 1 REF: 59
8. ANS: F, parent to child PTS: 1 REF: 70
9. ANS: T PTS: 1 REF: 76
10. ANS: T PTS: 1 REF: 107
MULTIPLE CHOICE
11. ANS: C PTS: 1 REF: 52
12. ANS: B PTS: 1 REF: 58
13. ANS: A PTS: 1 REF: 61
14. ANS: B PTS: 1 REF: 67
15. ANS: D PTS: 1 REF: 70
16. ANS: A PTS: 1 REF: 72
17. ANS: B PTS: 1 REF: 81
18. ANS: B PTS: 1 REF: 86
19. ANS: C PTS: 1 REF: 93
20. ANS: A PTS: 1 REF: 95
21. ANS: C PTS: 1 REF: 107
22. ANS: B PTS: 1 REF: 117
23. ANS: D PTS: 1 REF: 121
24. ANS: B PTS: 1 REF: 123
25. ANS: C PTS: 1 REF: 129
26. ANS: D PTS: 1 REF: 131
YES/NO
27. ANS: Y PTS: 1 REF: 128
28. ANS: N PTS: 1 REF: 129
29. ANS: Y PTS: 1 REF: 136
30. ANS: Y PTS: 1 REF: 57
31. ANS: N PTS: 1 REF: 66
COMPLETION
32. ANS: hisec*.inf PTS: 1 REF: 59
33. ANS: relaxed PTS: 1 REF: 63
34. ANS: Account PTS: 1 REF: 67
35. ANS: volume PTS: 1 REF: 114
36. ANS: scope PTS: 1 REF: 120

MATCHING
37. ANS: G PTS: 1 REF: 117
38. ANS: C PTS: 1 REF: 51
39. ANS: I PTS: 1 REF: 120
40. ANS: E PTS: 1 REF: 53
41. ANS: B PTS: 1 REF: 106
42. ANS: A PTS: 1 REF: 51
43. ANS: D PTS: 1 REF: 82
44. ANS: H PTS: 1 REF: 54
45. ANS: F PTS: 1 REF: 51
SHORT ANSWER
46. ANS:
At least seven characters
Does not contain username, real name, company name
Does not contain complete dictionary word
Is different from previous passwords
Contains characters from four groups: uppercase, lowercase, numerals, symbols
PTS: 1 REF: 68
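The criteria in answer 46 are the kind of rules a password filter enforces at password-change time. The function below is an added example, not code from the test bank or the textbook it is drawn from: it applies each listed criterion to a candidate password and reports every one it fails, rather than just a yes/no. Assumptions: the dictionary is a constructed six-word sample standing in for a real word list, "contains a dictionary word" and the user/real/company name checks are implemented as case-insensitive substring containment, and previous-password comparison is exact.

```powershell
# Added example (not from the quiz or its source textbook): check a candidate
# password against the strong-password criteria listed in answer 46.
# Assumption: $Dictionary is a constructed sample, not a real word list.
function Test-StrongPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$UserName = '',
        [string]$RealName = '',
        [string]$CompanyName = '',
        [string[]]$PreviousPasswords = @(),
        [string[]]$Dictionary = @('password', 'welcome', 'letmein', 'summer', 'winter', 'travel')
    )
    $failures = @()

    if ($Password.Length -lt 7) { $failures += 'fewer than seven characters' }

    # Identifying information must not appear anywhere in the password
    # (case-insensitive substring test).
    foreach ($pair in @(@('user name', $UserName), @('real name', $RealName), @('company name', $CompanyName))) {
        $label, $value = $pair
        if ($value -and $Password.IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains the $label '$value'"
        }
    }

    # No complete dictionary word inside the password.
    foreach ($word in $Dictionary) {
        if ($Password.IndexOf($word, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains the dictionary word '$word'"
        }
    }

    # Must differ from previous passwords (exact, case-sensitive comparison).
    if ($PreviousPasswords -ccontains $Password) { $failures += 'reuses a previous password' }

    # Count the character groups present; -cmatch keeps the letter classes
    # case-sensitive, which -match alone would not.
    $groups = 0
    if ($Password -cmatch '[A-Z]')        { $groups++ }
    if ($Password -cmatch '[a-z]')        { $groups++ }
    if ($Password -match  '[0-9]')        { $groups++ }
    if ($Password -match  '[^A-Za-z0-9]') { $groups++ }
    if ($groups -lt 4) { $failures += "uses only $groups of the four character groups" }

    [pscustomobject]@{
        Strong   = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Constructed sample inputs:
Test-StrongPassword -Password 'Summer2004'  -UserName 'jdoe'   # fails: dictionary word, 3 of 4 groups
Test-StrongPassword -Password 'jdoe!Tr4vel' -UserName 'jdoe'   # fails: contains the user name
Test-StrongPassword -Password 'Tr4vel!ing'  -UserName 'jdoe'   # Strong = True
```

Note the caveat: the answer above requires all four character groups, while the built-in "Password must meet complexity requirements" setting in Windows only requires three of the categories and takes the minimum length from a separate policy setting. This function implements the stricter wording of the answer.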
47. ANS:

Restricted groups can be used to configure membership of sensitive groups, including the Administrator group. By using this feature, you can control who is and is not included in a group, and every time the policy is refreshed, group membership will be modified to include only the members specified in the Members list.

PTS: 1 REF: 72
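The Restricted Groups behaviour described in answer 47 (the Members list is authoritative; on every policy refresh anyone not listed is removed and anyone listed but absent is added) can be previewed on a single machine before it goes into a template. The script below is an added example, not code from the test bank or its textbook: it reproduces that reconciliation for a local group using net.exe, in report-only mode unless -Enforce is given. Assumptions: it runs elevated, net.exe is on the PATH, the allowed-member list in the usage call is a constructed sample, and member names are compared case-insensitively in the form net.exe prints them (for example "CORP\Domain Admins").

```powershell
# Added example (not from the quiz or its source textbook): emulate a
# Restricted Groups "Members" list for one local group, so the effect of the
# policy can be seen (and optionally applied) on a single machine.
# Assumptions: elevated session; net.exe on the PATH; names compared as
# net.exe prints them.
function Get-LocalGroupMemberNames {
    param([Parameter(Mandatory = $true)][string]$Group)
    $output = & net.exe localgroup $Group
    if ($LASTEXITCODE -ne 0) { throw "net localgroup '$Group' failed with exit code $LASTEXITCODE" }
    # net.exe prints a header, a dashed separator, one member per line, then
    # "The command completed successfully."; keep only the member lines.
    $inList = $false
    foreach ($line in $output) {
        if (-not $inList) {
            if ($line -match '^-{5,}') { $inList = $true }
            continue
        }
        if ($line -match '^\s*$' -or $line -match 'completed successfully') { break }
        $line.Trim()
    }
}

function Sync-RestrictedGroup {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string[]]$Members,   # the authoritative Members list
        [switch]$Enforce                                    # default is report-only
    )
    $current = @(Get-LocalGroupMemberNames -Group $Group)
    # -notcontains is case-insensitive, matching how Windows treats account names.
    $extra   = @($current | Where-Object { $Members -notcontains $_ })
    $missing = @($Members | Where-Object { $current -notcontains $_ })

    foreach ($m in $extra)   { "REMOVE  $Group : $m  (not in the Members list)" }
    foreach ($m in $missing) { "ADD     $Group : $m  (listed but absent)" }
    if (-not $extra -and -not $missing) { "OK      $Group already matches the Members list" }

    if ($Enforce) {
        # Exactly what the policy does at refresh: drop the extras, add the missing.
        foreach ($m in $extra)   { & net.exe localgroup $Group "$m" /delete | Out-Null }
        foreach ($m in $missing) { & net.exe localgroup $Group "$m" /add    | Out-Null }
    }
    [pscustomobject]@{ Group = $Group; Extra = $extra; Missing = $missing }
}

# Constructed sample: the Members list a Restricted Groups entry for the
# local Administrators group might carry. Add -Enforce to apply it.
Sync-RestrictedGroup -Group 'Administrators' -Members @('Administrator', 'CORP\Domain Admins')
```

The REMOVE lines are the part worth reading before enforcing: a Members list strips every account an administrator added by hand, which is the intended guarantee for sensitive groups but a surprise on servers where local service accounts were added outside policy. If the goal is only to guarantee a group is present without evicting others, Restricted Groups' "Member of" form does that instead.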
48. ANS:

The analyze switch causes secedit to analyze security for whichever element is selected. This switch allows you to analyze current database settings against other settings (typically baseline settings) and store the results in a log file. You can view the results in the Security Configuration and Analysis snap-in. The result will show you the difference between the current settings and the baseline settings, allowing you to see and address any potential security holes. This can be very useful when troubleshooting or for analyzing a system whose exact settings might be unknown as compared to a standard security template. You can also use this switch to analyze the difference between a baseline template and a custom security template you create.

PTS: 1 REF: 90
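Answer 48 describes the analyze switch, and questions 19 and 20 cover the generaterollback switch and gpupdate.exe. The script below ties the three together as a safe template-check workflow; it is an added example, not code from the test bank or its textbook. Assumptions: it runs elevated on a Windows host with secedit.exe and gpupdate.exe on the PATH, the default template path exists, and the analysis log marks each differing item with a line of the form "Mismatch - <setting>." or "Not Configured - <setting>.", which is the pattern the parser looks for. The analyze step changes nothing; configuration happens only with -Apply.

```powershell
# Added example (not from the quiz or its source textbook): snapshot, analyze,
# and optionally apply a security template with secedit.exe.
# Assumptions: elevated session; secedit.exe and gpupdate.exe on the PATH;
# the analysis log uses "Mismatch - X." / "Not Configured - X." lines.
param(
    [string]$Template = "$env:SystemRoot\security\templates\hisecws.inf",
    [string]$WorkDir  = (Join-Path $env:TEMP 'secedit-check'),
    [switch]$Apply    # report-only unless set
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db       = Join-Path $WorkDir 'analysis.sdb'
$log      = Join-Path $WorkDir 'analysis.log'
$rollback = Join-Path $WorkDir 'rollback.inf'

function Invoke-Secedit([string[]]$Arguments) {
    # A nonzero exit code means the verb itself failed; a completed analysis
    # that found mismatches still exits 0, so mismatches are read from the log.
    & secedit.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Question 19: snapshot first. The rollback template records the current
#    value of every setting $Template would change; applying it with
#    /configure later undoes the change.
Invoke-Secedit @('/generaterollback', '/cfg', $Template, '/rbk', $rollback,
                 '/log', (Join-Path $WorkDir 'rollback.log'), '/quiet')

# 2. Answer 48: import the template into a fresh private database and
#    analyze the live configuration against it. Nothing on the machine changes.
Invoke-Secedit @('/analyze', '/db', $db, '/cfg', $Template, '/overwrite', '/log', $log)

# Pull the per-setting verdicts out of the log (Get-Content honours the
# byte-order mark, so a UTF-16 log reads correctly).
$findings = foreach ($line in Get-Content -Path $log) {
    if ($line -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
        [pscustomobject]@{ Status = $Matches[1]; Setting = $Matches[2] }
    }
}
$mismatches = @($findings | Where-Object { $_.Status -eq 'Mismatch' })

"$($mismatches.Count) setting(s) differ from $Template; full log: $log"
$findings | Sort-Object Status, Setting | Format-Table -AutoSize

if (-not $Apply) {
    "Report-only run. Re-run with -Apply to configure this machine. To revert afterwards:"
    "  secedit /configure /db `"$WorkDir\revert.sdb`" /cfg `"$rollback`" /overwrite"
    return
}

# 3. Apply the database built in step 2, then (question 20) force a Group
#    Policy refresh so domain-delivered security settings are re-evaluated
#    on top of the local change.
Invoke-Secedit @('/configure', '/db', $db, '/log', (Join-Path $WorkDir 'configure.log'))
& gpupdate.exe /target:computer /force | Out-Null
```

Run it without -Apply first and read the Mismatch list: with hisecws.inf the differences will include SMB signing and NTLMv2 requirements (questions 12 and 13), and applying those on a machine that still talks to older domain controllers or clients breaks authentication. The rollback template generated in step 1 is the way back if that happens.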
49. ANS:

File server

Print server

Application server

Mail server

Terminal server

Remote Access/VPN server

Domain controller

DHCP server

DNS server

WINS server

Streaming Media server

PTS: 1 REF: 100
50. ANS:

Placing all IIS servers (if your firm is running more than one) into an IIS OU will help you manage GPOs related to securing and managing IIS servers across the organization. Remember to only install the necessary IIS components, including Web Service Extensions, that you’ll use. Another security measure you can take specific to IIS servers is to place content on a dedicated volume. You can also apply IPSec filters to block or permit specific IP traffic and secure sensitive IP traffic.

PTS: 1 REF: 114


What is security configuration and analysis?

Security Configuration and Analysis is a stand-alone MMC snap-in that imports one or more saved security templates into a private security database. Importing builds a machine-specific database holding the composite configuration, which the snap-in can then compare against the computer's current settings (analyze) or apply to the computer (configure).

Which of the following is true about Microsoft Baseline Security Analyzer MBSA?

MBSA is a legacy tool, and each new version scans for fewer vulnerabilities.

Which of the following is an open source tool for scanning computers to identify vulnerabilities?

Nmap is a free, open-source network scanner widely used by security professionals. It sends probes to discover which hosts are up, which ports and services are exposed, and what operating system each host runs, across a single network or many; with its scripting engine it can also test discovered services for specific known weaknesses.

Which of the following can be used to define which programs are allowed or disallowed in the system?

Software Restriction Policies, configured through Group Policy, define which programs are allowed or disallowed to run on the system.