
70-411 Test Bank, Lesson 18 Configuring Account Policies

16 Multiple Choice
6 Short Answer
4 Best Answer
4 Build List
4 Repeated Answer
34 questions

Multiple Choice
1. What are examples of password policies? Select all that apply.
a. history
b. length
c. complexity
d. age
Answer: all of the above
Difficulty: Easy
Section Ref: Configuring Password Policy Settings
Explanation: The first folder under Account Policies is for password policies.
Password policies include enforced password history, maximum password age,
minimum password age, minimum password length, and complexity requirements.
2. Why primarily are account lockout policies put into place?
a. privacy
b. security
c. policy
d. regulations
Answer: b
Difficulty: Easy
Section Ref: Configuring Account Lockout Settings
Explanation: With enough time, a hacker can crack any password. To help prevent
password cracking, you can limit how many times a hacker can guess a password
before the account is locked.
3. What is the default setting for password history?
a. 6
b. 10
c. 16
d. 24
Answer: d
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The enforce password history setting defines the number of unique,
new passwords that must be associated with a user account before an old password
can be reused. The default setting is 24 previous passwords.
4. What is the default minimum password length in characters?
a. 5
b. 7
c. 8
d. 10
Answer: b
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The minimum password length setting defines the minimum number of
characters that a user's password must contain. The default value is seven.
5. What setting can you give for account lockout duration that requires an
administrator to manually unlock the account?
a. 0
b. 10
c. 99
d. 99,999
Answer: a
Difficulty: Medium
Section Ref: Configuring Account Lockout Settings
Explanation: The account lockout duration determines the length of time a lockout
will remain in place before another logon attempt can be made. This can be set
from 0 to 99,999 minutes. If set to 0, an administrator will need to unlock the
account manually.
6. By default, who has read/write capability to the Default Domain Policy?
a. local administrators
b. power users
c. domain users
d. domain administrators
Answer: d
Difficulty: Easy
Section Ref: Delegating Password Settings Management
Explanation: By default, the Domain Admins group has Read and Write capabilities
to the Default Domain Policy.
7. How should you assign Password Settings objects (PSOs) to users?
a. Assign the PSOs directly to individual users.
b. Assign the PSOs to a new group and add the users to the new group.
c. Assign the PSOs to a global security group and add users to the group.
d. Assign the PSOs to various Active Directory groups as needed.
Answer: c
Difficulty: Medium
Section Ref: Delegating Password Settings Management
Explanation: To assign a PSO to a user, it is best to assign the PSO to a global
security group and then add the user to the global security group.
8. What is the primary advantage of using Group Policies in a domain environment?
a. ease of enforcement
b. user compliance
c. centralized management
d. ease of creation
Answer: c
Difficulty: Medium
Section Ref: Working with Account Policies
Explanation: Group Policies provide centralized management and configuration of
operating systems, applications, and user settings in an Active Directory
environment.
9. What is the secpol.msc utility used for?
a. editing group policies
b. editing local security policies
c. editing global security policies
d. editing domain-level policies
Answer: b
Difficulty: Medium
Section Ref: Configuring Local User Password Policy
Explanation: The easiest method to access the account policies is to execute
secpol.msc from a command prompt to open the Local Security Policy.
10. What does the minimum password age setting control?
a. how many seconds a user must wait before a password reset
b. how many minutes a user must wait before a password reset
c. how many hours a user must wait before a password reset
d. how many days a user must wait before a password reset
Answer: d
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The minimum password age setting controls how many days users
must wait before they can reset their password.
11. Why should administrator passwords change more often than user passwords?
a. because administrator passwords are usually simpler than user passwords
b. because administrator accounts carry more security sensitivity than users do
c. because administrators are paranoid about security
d. because administrator accounts are watched by management in large companies
Answer: b
Difficulty: Easy
Section Ref: Configuring Password Policy Settings
Explanation: The maximum password age setting controls the maximum period of
time that can elapse before you are forced to reset your password. This setting can
range from 1 to 999 days, or it can be set to 0 if you never want passwords to
expire. A general rule for this setting is 90 days for user accounts, although for
administrative accounts, it's generally a good idea to reset passwords more
frequently.
12. What is the range of password history settings?
a. 0 to 9
b. 0 to 15
c. 0 to 24
d. 0 to 63
Answer: c
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: Microsoft allows you to set the password history value between 0 and
24. In standard environments, 10 is a fairly common setting, although Windows
Server 2012 and Windows Server 2012 R2 default to 24 on domain controllers.
13. What is an easy method of creating a strong password?
a. Use your username and add numbers and special characters.
b. Use your favorite football team's name with numbers and special characters.
c. Ask a friend for some ideas for good passwords and then add your own number
and characters.
d. Start with a sentence and then add numbers and special characters.
Answer: d
Difficulty: Medium
Section Ref: Understanding Strong Passwords
Explanation: The trick with strong passwords is how to create a strong password
that you can remember. One way is to start with a phrase or sentence, remove the
spaces between the words in a sentence and then do some character substitution.
For example, instead of using the "a" character, you substitute @. You also can add
a couple of digits at the end.
14. Why is a setting of 0 for maximum password age not a good idea? Check all that
apply.
a. It means that passwords never expire, which is a major security problem.
b. It means that your passwords expire every day.
c. It means that you've disabled password aging.
d. It means that you've disabled the use of passwords.
Answer: a and c
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The minimum password age setting must be set to a lower value than
the maximum password age, unless the maximum password age is set to 0, which
means passwords never expire, which is never appropriate in a production
environment.
15. Account policies contain various subsets. Which of the following are legitimate
subsets of account policies? Check all that apply.
a. Password Policy
b. Account Lockout Policy
c. Kerberos Policy
d. Username Policy
Answer: a, b, and c
Difficulty: Medium
Section Ref: Working with Account Policies
Explanation: Account policies contain three subsets: Password Policy, Account
Lockout Policy, and Kerberos Policy.
16. By default, which of the following represents the maximum amount of time by
which a computer's internal clock can be inaccurate yet still be able to use Kerberos
authentication?
a. 30 seconds
b. 1 minute
c. 5 minutes
d. 8 minutes
Answer: c
Difficulty: Medium
Section Ref: Configuring Kerberos Policy Settings
Explanation: In Windows Server 2012 R2, the maximum tolerance for computer
clock synchronization determines the maximum time difference (in minutes) that
the Kerberos V5 protocol tolerates between the time on the client clock and the
time on the domain controller that provides Kerberos authentication. The default is
5 minutes.

Short Answer
17. Describe a complex password.
Answer: A complex password doesn't contain your username, is at least six
characters long, and contains upper- and lowercase letters, numbers, and special
characters.
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: A complex password does not contain your name or username,
contains at least six characters, and contains characters from three of the following
four groups: uppercase letters [A-Z], lowercase letters [a-z], numerals [0-9], and
special, non-alphanumeric characters, such as !@#)(*&^%.
18. What is wrong with a 14-character password?
Answer: Its length makes it more secure but also makes it very difficult to
remember. Users will likely write down a very long password, which removes the
purpose of the long password.
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: A 14-character password is difficult for most users to remember. When
passwords become long, users often must write down their passwords, which
defeats any security benefits you might have from requiring a 14-character
password in the first place.
19. What is the purpose behind enforcing password history?
Answer: A password history prevents users from reusing passwords and bypassing
security. The longer a password is used, the more likely it is to become
compromised.
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The password history setting determines the number of unique
passwords that must be used before a password can be reused. This setting
prevents users from recycling the same passwords through a system. The longer
the period of time a password is used, the greater the chances it can be
compromised.
20. Explain account lockout.
Answer: Account lockout is a disabling of a user account after a prescribed number
of failed logon attempts.
Difficulty: Medium
Section Ref: Configuring Account Lockout Settings
Explanation: Account lockout refers to the number of incorrect logon attempts
permitted before a system locks an account. Each bad logon attempt is tracked and
added to the bad logon counter. When the counter exceeds the account lockout
threshold, the account is locked and no further logon attempts are permitted.
21. If you have departments within your administrative jurisdiction and some are
more security-sensitive than others, what can you do to make their user accounts
more secure?
Answer: I can implement fine-grained password policies for those user groups,
which means I can enforce one policy standard for everyone in the domain and
more restrictive ones for those who require them.
Difficulty: Hard
Section Ref: Configuring and Applying Password Settings Objects
Explanation: Fine-grained password policies allow you to specify multiple password
policies within a single domain so that you can apply different restrictions for
password and account lockout policies to different sets of users in a domain.
22. Identify the one restriction with using fine-grained password policies on your
domain.
Answer: The domain functional level must be at least Windows Server 2008.
Difficulty: Hard
Section Ref: Configuring and Applying Password Settings Objects
Explanation: To use a fine-grained password policy, your domain functional level
must be at least Windows Server 2008.

Best Answer
23. Which of the following passwords is considered complex?
a. M!croS0ft
b. candybar01
c. bobj
d. fred@local
Answer: a
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: A complex password does not contain your name or username,
contains at least six characters, and contains characters from three of the following
four groups: uppercase letters [A-Z], lowercase letters [a-z], numerals [0-9], and
special, non-alphanumeric characters, such as !@#)(*&^%.
24. What character length for a password is generally accepted as the minimum?
a. four
b. six
c. eight
d. fourteen
Answer: c
Difficulty: Easy
Section Ref: Configuring Password Policy Settings
Explanation: The generally accepted minimum password length is eight characters.
25. The default maximum password age is how long?
a. 12 days
b. 36 days
c. 42 days
d. 86 days
Answer: c
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The maximum password age setting defines the number of days that a
password can be used before the user must change it. The default setting is 42
days.
26. Which aspect of passwords is a key component of their strength?
a. easy to remember
b. number of characters
c. dictionary basis
d. keyboard complexity
Answer: b
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: A password's length is a key component of its strength. Password
length is the number of characters used in a password.

Build List
27. Order the following steps required to configure password policies.
a. Edit the Default Domain Policy.
b. Open the Group Policy Management console.
c. Modify the properties for the settings you want to change.
d. Open Security Settings > Account Policies > Password Policy.
e. Open Computer Configuration > Policies > Windows Settings.
Answer: B A E D C
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: Refer to the steps in the Configure Password Policies section.
28. Order the following steps required to create and configure a password settings
container.
a. Enter a name for the Password Settings Container.
b. Open the Active Directory Administrative Center.
c. Enter a Precedence number.
d. Open the Password Settings Container.
e. Apply the Password Settings Container to users or groups.
f. Create a new task and then select Password Settings.
g. Open the System folder in ADAC.
Answer: B G D F A C E
Difficulty: Hard
Section Ref: Configuring and Applying Password Settings Objects
Explanation: Refer to the Create and Configure Password Settings Container steps.
29. Order the following steps required to view the msDS-ResultantPSO Attribute.
a. Select Properties.
b. Select Filter and then Constructed.
c. Select the Attribute Editor tab.
d. Open View and check Advanced Features.
e. Find the msDS-ResultantPSO attribute to see the current PSO being applied.
f. Open Active Directory Users and Computers.
Answer: F D A C B E
Difficulty: Medium
Section Ref: Configuring and Applying Password Settings Objects
Explanation: Refer to the steps outlined in View the msDS-ResultantPSO Attribute.
30. Order the following steps required to manage GPO permissions.
a. Open the Group Policy Management console.
b. Select the Delegation tab.
c. Select the appropriate permissions in the Permissions list.
d. Add the user or group in the Enter the object name to select field.
e. Select Default Domain Policy.
Answer: A E B D C
Difficulty: Medium
Section Ref: Delegating Password Settings Management
Explanation: Refer to the steps outlined in Manage GPO Permissions.

Repeated Answer
31. This setting defines a default password filter that is enabled by default.
a. enforce password history
b. maximum password age
c. minimum password length
d. complexity requirements
Answer: d
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The complexity requirements setting defines a default password filter
that is enabled by default.
32. This setting defines the number of days that a password can be used before the
user must change it.
a. enforce password history
b. maximum password age
c. minimum password length
d. complexity requirements
Answer: b
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The maximum password age setting defines the number of days that a
password can be used before the user must change it.
33. This setting defines the number of unique, new passwords that must be
associated with a user account before an old password can be reused.
a. enforce password history
b. maximum password age
c. minimum password length
d. complexity requirements
Answer: a
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The enforce password history setting defines the number of unique,
new passwords that must be associated with a user account before an old password
can be reused.
34. This setting defines the minimum number of characters that a user's password
must contain.
a. enforce password history
b. maximum password age
c. minimum password length
d. complexity requirements
Answer: c
Difficulty: Medium
Section Ref: Configuring Password Policy Settings
Explanation: The minimum password length setting defines the minimum number of
characters that a user's password must contain.
