Chapter 14 Final Study

D - Authentication represents the way that security principals (users, computers, and processes) prove their identity before they are allowed to connect to your network. In the past, authentication was handled through the use of passwords. Today, additional authentication tools, including digital certificates, smart cards, picture passwords, and biometrics, are used.

D - Windows 10 supports the following methods of authentication: passwords, picture passwords, digital certificates, smart cards, and biometrics.

D - A strong password has the following characteristics: • Is at least eight characters long • Uses at least one character from the following: upper- and lowercase letters, punctuation marks, numbers • Does not include your logon name, your real name, or your company name • Does not include a complete word that can be found in the dictionary • Should not be the same password that you have used in the past or used on other website accounts

A, D - A picture password consists of two components: a picture and a gesture that you draw on it.

A - The TPM is used to encrypt the private key information, which is then stored on the computer's hard drive.

B - Workgroup computers must be on the same network segment and will maintain their own local security database to store user accounts, called the Security Accounts Manager.

B - When you implement multiple domains, a feature called the Global Catalog is used to find users, computers, and resources throughout the other domains.

C - NTLM is used for systems running Windows NT 4.0 and earlier and for computers that are a member of a workgroup.

C - NTLM is used for systems running Windows NT 4.0 and earlier and for computers that are a member of a workgroup. It is also used when authenticating to a server that belongs to a different Active Directory forest.

D - A picture password is limited to three gestures (circles, straight lines, and taps).

C - Windows 10 introduces a new feature called virtual smart cards (VSCs), which makes additional hardware (smart card readers and smart cards) unnecessary. These cards emulate the functionality of regular smart cards but require a Trusted Platform Module (TPM) chip to protect the private keys. The TPM is used to encrypt the information, which is then stored on the computer's hard drive.

B - Virtual smart cards, like physical smart cards, leverage hardware-based security and anti-hammering protection to protect sensitive information using private keys. In the case of virtual smart cards, this protection comes from the device's Trusted Platform Module (TPM), which is a standards-based hardware security component.

C - To assign a PSO to a user, it is best to assign the PSO to a global security group and then add the user to the global security group.

A - Credential Manager allows you to store credentials (such as user names and passwords) that you use to log on to websites or other computers on a network. By storing your credentials, Windows can automatically log you on to websites or other computers.

A - When you join a device using Device Registration, previously known as Workplace Join, Device Registration Service (DRS) registers a non-domain-joined device in Active Directory and installs a certificate on the device. By joining the device, Workplace Join provides a secure single sign-on mechanism while controlling which resources can be accessed by the device.

C - To support Workplace Join, you'll need to install and configure Active Directory Federation Services (AD FS) and the new Device Registration Service.

C - Nonrepudiation is a method used to provide proof that a security principal (user, computer, process) is the source of data, an action, or a communication. This is usually provided through the use of public key/private key technologies.

D - Confidentiality is about preventing people from reading information they are not authorized to read. Confidentiality is handled through the use of encryption technologies.

A - After security principals prove their identity, authorization determines what they can do. This is determined through the use of Access Control Lists (ACLs) that are attached to each resource

B - Integrity is the ability to guarantee that the information has not been arbitrarily changed from the time it was sent from the original source to the time it was received by the other party.

A, B, C, D - Password policies include enforced password history, maximum password age, minimum password age, minimum password length, and complexity requirements.

B - With enough time, a hacker can crack any password. To help prevent password cracking, you can limit how many times a hacker can guess a password.

A, B, C - Account policies contain three subsets: Password Policy, Account Lockout Policy, and Kerberos Policy.

C - Windows Hello is a Windows 10 biometric authentication system that uses a user's face, iris, or fingerprint to unlock devices. Windows Hello requires specialized hardware, including a fingerprint reader, illuminated infrared (IR) sensor, or other biometric sensors.

A - Microsoft Passport is two-factor authentication that consists of an enrolled device (such as a smartphone) and Windows Hello (biometric) or a PIN.

D - Device Guard and Credential Guard use Windows 10 virtual secure mode (VSM) that, in turn, uses the processor's virtualization to protect the PC, including data and credential tokens on the system's disks.

C, D - If you have the correct hardware to run Hyper-V, you will need to install Hyper-V and Isolated User Mode.

A - With Windows 10 and Windows Server 2016, you can enable Device Health Attestation (DHA) to access device security health and verify that the device is using Secure Boot, BitLocker, or Early Launch Antimalware (ELAM). Device Health Attestation is aimed at malware that starts on a system before Windows defenses and antimalware load, which allow the malware to remain hidden.

Digital certificate - A digital certificate is a collection of data that binds an identity to a key pair. A digital certificate contains a name that indicates who or what owns the certificate, a public key, the name of the certificate authority (CA) that issued it, and the digital signature of the CA that

Certificate authority - A certificate authority is the computer that creates and manages the distribution and revocation of certificates.

Windows Biometric Framework - Microsoft introduced native support for biometric technologies through its Windows Biometric Framework (WBF). WBF enables users to manage device settings for biometric devices through Control Panel, provides support for managing device drivers, and manages Group Policy settings that can be used to enable, disable, or limit use of biometric data for a local computer or domain.

A valid ticket granting ticket - A TGT contains information about the user, including group membership, which can be used by the KDC to later issue session tickets allowing access to network resources.

Encryption technologies - Confidentiality is handled through the use of encryption technologies.

B - DACLs contain one or more ACEs. ACEs contain SIDs, but DACLs don't directly contain SIDs.

B - A password's length is a key component of its strength. Password length is the number of characters used in a password.

A - A complex password does not contain your name or user name, contains at least six characters, and contains characters from three of the following four groups: uppercase letters [A...Z], lowercase letters [a...z], numerals [0...9], and special, nonalphanumeric characters, such as !@#)(*&^%.