CCNA Remote Access Technologies Questions

30 questions · Remote Access Technologies topic · All types, answers revealed

1
MCQ · easy

A small business owner wants to allow a remote employee to access their office desktop from home, but is concerned about security. They currently have a standard router with a public IP. Which of the following is the most secure method to enable this access?

A. Enable port forwarding on the router for TCP 3389 to the desktop's IP address.
B. Configure a VPN server on the office network and have the employee connect via VPN before using RDP.
C. Use a third-party remote desktop service like TeamViewer without additional configuration.
D. Change the RDP port to a non-standard port number and enable port forwarding.
Answer: B

A VPN encrypts all traffic and requires authentication, adding a layer of security before RDP access is permitted.

Why this answer

Exposing RDP directly to the internet is risky due to brute-force attacks. A VPN creates an encrypted tunnel, authenticating the user before allowing access to the internal network, making it far more secure. This is the recommended best practice.

2
MCQ · medium

A technician is setting up remote access for a salesperson who frequently works from coffee shops. The company uses a VPN with two-factor authentication (2FA). The salesperson reports that after entering their username and password, they receive a prompt for a code but do not have their token. What should the technician do to resolve this?

A. Disable two-factor authentication for the user's account temporarily.
B. Provide the user with a one-time bypass code from the administrator console.
C. Instruct the user to reset their password and try again.
D. Ask the user to connect from a different network location.
Answer: B

Most 2FA systems allow administrators to generate temporary codes for users who have lost their token, maintaining security while granting access.

Why this answer

This scenario tests knowledge of 2FA troubleshooting. The user has a token but does not have it available. The correct action is to provide a temporary bypass code, which is a standard feature of 2FA systems for such situations.

Disabling 2FA would weaken security, and other options are not appropriate.

3
MCQ · medium

A company is implementing a remote access solution for employees using personal smartphones. They need to ensure that corporate email and documents are accessible but that no corporate data remains on the device if it is lost or wiped. Which technology should they use?

A. Virtual Private Network (VPN) with split tunneling.
B. Remote Desktop Protocol (RDP) to a virtual desktop.
C. Mobile Device Management (MDM) with a containerized work profile.
D. Third-party remote access software like LogMeIn.
Answer: C

MDM enables IT to manage corporate data separately, enforce policies, and perform selective wipes, ensuring no corporate data remains on a lost device.

Why this answer

Mobile Device Management (MDM) with a containerized work profile creates a separate, encrypted sandbox on the smartphone that stores corporate email and documents. This container can be remotely wiped by the administrator without affecting the user's personal data, ensuring no corporate data remains on a lost or wiped device.

Exam trap

CompTIA often tests the distinction between remote access technologies that only provide connectivity (VPN, RDP) versus those that enforce data separation and selective wipe (MDM containerization), leading candidates to mistakenly choose VPN or RDP for data protection requirements.

How to eliminate wrong answers

Option A is wrong because a VPN with split tunneling only encrypts traffic to the corporate network but does not prevent corporate data from being stored locally on the device; it offers no containerization or selective wipe capability. Option B is wrong because RDP to a virtual desktop streams the desktop interface but still allows data to be downloaded or copied to the local device unless strict clipboard and drive redirection policies are enforced, and it does not inherently provide a containerized work profile for mobile devices. Option D is wrong because third-party remote access software like LogMeIn provides remote control of a PC but does not isolate corporate data in a sandbox on the smartphone; data can be transferred to the device and remains there after the session ends.

4
MCQ · medium

A technician is configuring a VPN for a remote user. The user's home router uses NAT, and the technician wants to ensure the VPN traffic is encapsulated and encrypted. Which VPN protocol should the technician choose for the best balance of security and compatibility?

A. PPTP
B. L2TP/IPsec
C. OpenVPN
D. SSTP
Answer: C

OpenVPN is highly configurable, works through NAT, and offers strong encryption, making it a reliable choice.

Why this answer

OpenVPN is the correct choice because it provides a robust balance of security and compatibility, especially for remote users behind NAT. It uses SSL/TLS for encryption and can operate over a single UDP or TCP port (typically 1194), which easily traverses NAT without requiring additional configuration. Unlike L2TP/IPsec, OpenVPN does not rely on IPsec's NAT-sensitive protocols like ESP, making it more reliable across home routers.

Exam trap

CompTIA often tests the misconception that L2TP/IPsec is always the best for security and compatibility, but the trap here is that IPsec's ESP protocol can fail with NAT unless NAT-T is enabled, making OpenVPN a more practical choice for remote users behind home routers.

How to eliminate wrong answers

Option A is wrong because PPTP uses outdated MPPE encryption (RC4) and has known vulnerabilities, making it insecure for modern use. Option B is wrong because L2TP/IPsec can have issues with NAT traversal due to IPsec's ESP protocol, often requiring NAT-T or additional router configuration, which reduces compatibility with home routers. Option D is wrong because SSTP is primarily designed for Windows environments and uses TCP port 443, which can be blocked or throttled by some firewalls, and it lacks the cross-platform compatibility of OpenVPN.

5
MCQ · medium

A system administrator configures a new VPN server for remote employees. The requirement is that all traffic from the remote user's device must be routed through the corporate network to enforce security policies. Which VPN protocol setting should the administrator enable?

A. Enable split tunneling
B. Disable split tunneling
C. Use PPTP instead of L2TP
D. Increase the MTU size
Answer: B

Disabling split tunneling forces all traffic through the VPN tunnel, ensuring all traffic is subject to corporate security controls.

Why this answer

Disabling split tunneling ensures that all traffic from the remote user's device is routed through the corporate VPN tunnel, enforcing security policies such as content filtering and intrusion detection. When split tunneling is enabled, only traffic destined for the corporate network goes through the VPN, while internet-bound traffic bypasses it, violating the requirement. This setting is typically configured in the VPN client or server profile (e.g., using the 'DisableSplitTunneling' registry key on Windows or the 'tunnel-all' directive in OpenVPN).

Exam trap

CompTIA often tests the misconception that the choice of VPN protocol (PPTP vs. L2TP) determines traffic routing behavior, when in fact split tunneling is a separate policy setting that must be explicitly enabled or disabled.

How to eliminate wrong answers

Option A is wrong because enabling split tunneling would allow remote users to access the internet directly without traversing the corporate network, which directly contradicts the requirement to route all traffic through the corporate network. Option C is wrong because using PPTP instead of L2TP does not affect traffic routing behavior; PPTP and L2TP are tunneling protocols that encapsulate data, but split tunneling is a separate routing policy that must be configured regardless of the protocol chosen. Option D is wrong because increasing the MTU size addresses packet fragmentation issues, not traffic routing; it can improve performance but does not enforce that all traffic is sent through the VPN tunnel.
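The routing difference behind question 5, as an added example that is not part of the original page: it resolves each destination against a client routing table by longest-prefix match and lists the destinations that would leave outside the VPN tunnel. The route tables, interface names (`tun0`, `eth0`) and addresses are constructed sample data, and the function names are assumptions for illustration.

```python
import ipaddress


def egress_interface(routes, destination):
    """Return the interface the OS would pick: longest prefix wins, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    best_key, best_iface = None, None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def outside_tunnel(routes, tunnel_iface, vpn_server_ip, probes):
    """List probe destinations that would NOT be sent through the tunnel interface."""
    leaks = []
    for dest in probes:
        # The encrypted outer packets to the VPN server itself must use the
        # physical interface, so that one host route is expected and not a leak.
        if dest == vpn_server_ip:
            continue
        if egress_interface(routes, dest) != tunnel_iface:
            leaks.append(dest)
    return leaks


VPN_SERVER = "203.0.113.10"  # constructed address (documentation range)

# Constructed table for a client with split tunneling DISABLED. The two /1
# routes cover the whole IPv4 space and beat the original default route; this
# is the pattern OpenVPN's "redirect-gateway def1" option installs.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),        # original default route via home router
    ("0.0.0.0/1", "tun0", 0),
    ("128.0.0.0/1", "tun0", 0),
    ("203.0.113.10/32", "eth0", 0),    # host route to the VPN server
    ("10.8.0.0/24", "tun0", 0),        # tunnel subnet
]

# Constructed table for a client with split tunneling ENABLED: only the
# corporate range is routed into the tunnel.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),
    ("10.0.0.0/8", "tun0", 0),
    ("203.0.113.10/32", "eth0", 0),
]

# Constructed probe set: one corporate host, two internet hosts, the VPN server.
PROBES = ["10.20.30.40", "198.51.100.7", "203.0.113.200", VPN_SERVER]

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        leaks = outside_tunnel(table, "tun0", VPN_SERVER, PROBES)
        print(f"{name}: destinations bypassing the VPN -> {leaks}")
```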

6
MCQ · hard

A company is experiencing a security incident where an attacker gained access to the internal network via a compromised VPN account. The technician must prevent future attacks. Which two-factor authentication method should the technician implement for VPN access?

A. Require a complex password with a minimum length of 20 characters
B. Implement a time-based one-time password (TOTP) via an authenticator app
C. Restrict VPN access to specific IP addresses
D. Enable single sign-on (SSO) with Active Directory
Answer: B

TOTP provides a second factor that changes every 30 seconds, making it much harder for an attacker to reuse stolen credentials.

Why this answer

Two-factor authentication (2FA) adds a second factor beyond the password, such as a one-time code from an authenticator app. This significantly reduces the risk of account compromise even if the password is stolen.

7
MCQ · hard

A company requires that all remote access sessions be recorded for compliance purposes. The current VPN solution does not support session recording. Which of the following additional technologies can be integrated to capture and store remote desktop sessions?

A. Implement a Remote Desktop Gateway with session recording software
B. Use SSH tunneling for all remote access
C. Configure the VPN to use PPTP instead of L2TP
D. Deploy a VNC server on each remote workstation
Answer: A

RD Gateway can be used to securely publish RDP applications and desktops, and third-party software can record all sessions for compliance.

Why this answer

A Remote Desktop Gateway (RD Gateway) can be configured to broker and log RDP sessions, and when combined with a session recording solution, it can capture all activity. VPN alone does not provide session recording, and other methods like VNC or SSH typically lack built-in recording features.

8
MCQ · easy

A user is traveling and needs to access a file on their office computer. They have a dynamic IP address at the hotel. Which remote access technology should the technician recommend for a secure connection?

A. Configure a direct RDP connection using the user's home IP address.
B. Set up a Virtual Private Network (VPN) client on the user's laptop to connect to the office network.
C. Use a remote desktop gateway that requires a static IP on the user's end.
D. Email the file to the user as an attachment.
Answer: B

A VPN client works with any internet connection, regardless of IP address, and provides encrypted access to the office network.

Why this answer

Option B is correct because a VPN client creates an encrypted tunnel between the user's laptop and the office network, allowing secure access to files regardless of the user's dynamic IP address. VPNs authenticate the user and encrypt all traffic, protecting data over untrusted networks like hotel Wi-Fi.

Exam trap

CompTIA often tests the misconception that remote access requires a static IP or that direct RDP is acceptable, but the key is that a VPN handles dynamic IPs and provides encryption, which is essential for secure remote access over public networks.

How to eliminate wrong answers

Option A is wrong because a direct RDP connection using the user's home IP address is irrelevant—the user is at a hotel with a dynamic IP, not at home, and RDP directly exposed to the internet is insecure and not recommended. Option C is wrong because a remote desktop gateway does not require a static IP on the user's end; it typically uses a gateway server that accepts connections from any IP, but the statement incorrectly implies a static IP is mandatory. Option D is wrong because emailing the file as an attachment is not a remote access technology and poses security risks (e.g., interception, lack of encryption in transit) and does not provide ongoing access to the office computer.

9
MCQ · easy

A user working from home reports that they can no longer connect to the company's internal file server using Remote Desktop. They confirm their internet connection is working. Which remote access technology should the technician verify is still active on the user's VPN client?

A. SSH tunnel
B. Remote Desktop Gateway
C. VPN connection
D. VNC server
Answer: C

A VPN connection provides encrypted access to the corporate network, which is necessary before RDP can reach internal resources.

Why this answer

The user's internet connection is working, but they cannot reach the internal file server via Remote Desktop. This indicates the VPN tunnel, which provides encrypted access to the internal network, has likely dropped or is misconfigured. Without an active VPN connection, the user's client cannot route traffic to the private IP range of the file server, even though general internet access is available.

Exam trap

CompTIA often tests the misconception that Remote Desktop Gateway (RD Gateway) is a VPN client technology, when in fact it is a separate role that proxies RDP connections over HTTPS and does not provide full network-layer access like a VPN tunnel does.

How to eliminate wrong answers

Option A is wrong because an SSH tunnel is a port-forwarding mechanism typically used for secure shell access or specific TCP port forwarding, not for establishing a full network-layer connection to an internal corporate network; it would not be the primary technology verified on a VPN client. Option B is wrong because Remote Desktop Gateway (RD Gateway) is a role service that allows RDP connections over HTTPS from the internet, but it is not a VPN client technology; the question specifically asks about verifying a technology on the user's VPN client. Option D is wrong because a VNC server is a remote desktop sharing protocol that operates over a direct network connection or VPN, but it is not a VPN client technology itself; verifying a VNC server would not restore network-layer access to the internal file server.

10
MCQ · medium

A small business owner wants to allow their remote employees to securely access a specific internal application without giving them full network access. Which remote access technology should the technician recommend?

A. Site-to-site VPN
B. Remote Desktop Services
C. Application gateway
D. SSH tunneling
Answer: C

An application gateway (like a reverse proxy) allows secure access to specific applications without granting full network access.

Why this answer

An application gateway (reverse proxy) is the correct choice because it provides granular, application-layer access control, allowing remote employees to reach a specific internal application without granting them full network-level access. Unlike VPNs that create a tunnel to the entire network, an application gateway authenticates and proxies only the designated application traffic, often using protocols like HTTPS and enforcing policies at Layer 7.

Exam trap

The trap here is that candidates often confuse 'remote access' with 'full network connectivity' and choose a VPN (site-to-site or client-based) because they think encryption alone solves the access control problem, overlooking the need for application-specific, least-privilege access.

How to eliminate wrong answers

Option A is wrong because a site-to-site VPN connects entire networks (e.g., branch office to headquarters), giving remote employees full network access, not just to a single application. Option B is wrong because Remote Desktop Services provides a full desktop session or individual applications via RDP, but it exposes the entire desktop environment or multiple apps, not a single internal application with granular access control. Option D is wrong because SSH tunneling creates an encrypted tunnel for specific TCP ports, but it requires manual configuration, exposes the underlying network if misconfigured, and does not provide application-layer filtering or authentication for a single web application.

11
MCQ · hard

A technician is configuring a remote desktop solution for a user who needs to access a Linux server from a Windows 10 workstation. The technician wants to use a secure, encrypted connection. Which remote access technology should the technician configure on the Linux server?

A. RDP
B. VNC
C. SSH
D. Telnet
Answer: C

SSH provides encrypted command-line access and is the standard for secure remote administration of Linux servers.

Why this answer

SSH (Secure Shell) is the correct choice because it provides encrypted, authenticated remote shell access to Linux/Unix servers over an insecure network. It uses TCP port 22 and supports strong encryption algorithms (e.g., AES, ChaCha20) and public-key authentication, making it the standard secure remote access protocol for Linux systems.

Exam trap

The trap here is that candidates often confuse RDP (a Windows-centric GUI protocol) with SSH (a Linux-centric secure shell protocol), or mistakenly think VNC is inherently secure, when in fact SSH is the only option that provides built-in encryption and is the standard for secure Linux remote access.

How to eliminate wrong answers

Option A is wrong because RDP (Remote Desktop Protocol) is a proprietary Microsoft protocol primarily used for remote GUI access to Windows systems, not Linux servers, and while it can be encrypted, it is not the native secure remote access method for Linux. Option B is wrong because VNC (Virtual Network Computing) typically transmits data in cleartext by default and requires additional tunneling (e.g., over SSH) to be secure; it is not inherently encrypted and is not the standard secure remote access technology for Linux servers. Option D is wrong because Telnet transmits all data, including credentials, in plaintext over TCP port 23, providing no encryption or security, and is obsolete for secure remote administration.

12
MCQ · medium

A technician is troubleshooting a remote user's inability to connect to the corporate network via VPN. The user can ping the VPN server's public IP address. Which step should the technician take next to isolate the issue?

A. Reboot the user's modem
B. Check the VPN client logs for errors
C. Disable the user's firewall
D. Reinstall the VPN client software
Answer: B

Logs often contain specific error codes (e.g., authentication failure, certificate issues) that guide further troubleshooting.

Why this answer

Since the user can reach the VPN server, the issue is likely at the authentication or configuration layer. Checking the VPN client logs provides detailed error messages that can pinpoint the problem.

13
MCQ · hard

A technician is troubleshooting a slow Remote Desktop connection for a user working from home. The user's internet speed test shows 50 Mbps download and 10 Mbps upload. The office network has a 100 Mbps symmetrical connection. Which of the following is the most likely cause of the slowness?

A. The office network is oversubscribed
B. The user's internet connection has high latency
C. The user's upload speed is insufficient for RDP
D. The VPN is using an outdated encryption protocol
Answer: C

RDP sends screen updates from the host to the client, so the host's upload speed (user's upload) is critical. 10 Mbps may be too low for a good experience.

Why this answer

Remote Desktop Protocol (RDP) is highly sensitive to upload bandwidth because it transmits screen updates, keyboard/mouse input, and clipboard data from the client to the server. With only 10 Mbps upload at the user's home, the bottleneck is the user's upstream capacity, which is insufficient to handle the continuous screen refresh and input data required for a smooth RDP session, especially if the remote desktop is graphics-intensive or has high resolution.

Exam trap

CompTIA often tests the misconception that download speed is the primary factor for RDP performance, when in reality the user's upload speed is the bottleneck because RDP sends client input and screen updates upstream.

How to eliminate wrong answers

Option A is wrong because the office network has a 100 Mbps symmetrical connection, and oversubscription would cause slowness for all users, not just this remote user; the question states only this user is experiencing slowness. Option B is wrong because high latency would cause lag or delay, not necessarily slowness in throughput; the user's speed test shows adequate download/upload speeds, and latency is not measured in Mbps. Option D is wrong because outdated encryption protocols (e.g., PPTP) can cause security vulnerabilities but do not inherently cause slowness; modern VPNs with AES encryption have negligible performance impact compared to bandwidth limitations.

14
MCQ · easy

A user reports that they can no longer connect to the company network from home using VPN. They confirm their internet connection is working and that they can browse websites. Which of the following should a technician check first to resolve the VPN connectivity issue?

A. Check if the VPN client software is up to date
B. Verify the user's VPN username and password
C. Restart the VPN server at the data center
D. Reinstall the network adapter drivers
Answer: B

Incorrect or expired credentials are a frequent cause of VPN connection failures, and verifying them is a logical first troubleshooting step.

Why this answer

The user's internet connection is working (they can browse websites), which rules out general network connectivity issues. The most common cause of VPN authentication failure is incorrect or expired credentials, so verifying the username and password is the quickest and most logical first step before escalating to more complex troubleshooting.

Exam trap

CompTIA often tests the principle of 'start with the simplest and most likely cause'—the trap here is that candidates jump to advanced fixes like updating software or restarting servers, overlooking the basic credential check that resolves the majority of single-user VPN failures.

How to eliminate wrong answers

Option A is wrong because checking if the VPN client software is up to date is a secondary step; outdated client software typically causes compatibility or feature issues, not authentication failures, and the user's ability to browse indicates the client is at least launching. Option C is wrong because restarting the VPN server at the data center is a drastic, disruptive action that should only be taken after ruling out client-side and authentication issues; it is not a first-line troubleshooting step for a single user. Option D is wrong because reinstalling network adapter drivers addresses hardware or driver-level connectivity problems, but the user's internet is working, so the network adapter is functioning correctly.

15
MCQ · medium

A user complains that their Remote Desktop session to a Windows 10 Pro workstation frequently disconnects after a few minutes of inactivity. The workstation is on a local network. Which setting should the technician modify on the host computer to prevent this?

A. Disable the screensaver
B. Increase the idle session limit in Remote Desktop settings
C. Change the power plan to High Performance
D. Enable Network Level Authentication
Answer: B

This setting controls how long a session remains active when idle; increasing it will prevent early disconnection.

Why this answer

The Remote Desktop Session Host (RDSH) has a configurable idle session limit that disconnects sessions after a period of inactivity. By default, Windows 10 Pro may enforce a short idle timeout (often 1-5 minutes) to conserve resources. Increasing this limit in the Remote Desktop Session Host settings (under Local Group Policy or the Remote Desktop Services configuration) prevents the automatic disconnection the user is experiencing.

Exam trap

The trap here is that candidates confuse the idle session timeout with power management or screensaver settings, assuming that preventing the screen from turning off will keep the RDP session alive, when in fact the disconnect is controlled by a dedicated Remote Desktop timeout policy.

How to eliminate wrong answers

Option A is wrong because disabling the screensaver prevents the screen from locking or turning off, but it does not affect the Remote Desktop idle session timeout, which is controlled by RDSH policies, not display settings. Option C is wrong because changing the power plan to High Performance prevents the computer from sleeping or reducing power, but the idle disconnect is a session-level timeout set in Remote Desktop services, not a power management feature. Option D is wrong because Network Level Authentication (NLA) is a security feature that requires pre-authentication before a full RDP connection is established; it does not control session disconnection due to inactivity.

16
MCQ · medium

During a security audit, a technician discovers that an employee has been using a third-party remote desktop tool without IT approval. The employee claims it was necessary to access a legacy application. Which security risk is most directly associated with unauthorized remote access tools?

A. Increased bandwidth usage
B. Man-in-the-middle attacks
C. Compatibility issues with the operating system
D. Increased licensing costs
Answer: B

Unauthorized tools may not use strong encryption, exposing sessions to interception and manipulation.

Why this answer

Unauthorized remote desktop tools often lack the encryption and authentication controls found in approved solutions like SSH or RDP with Network Level Authentication. This exposes the connection to man-in-the-middle attacks, where an attacker can intercept, decrypt, or modify the traffic between the employee's workstation and the legacy application server, potentially capturing credentials or sensitive data.

Exam trap

CompTIA often tests the distinction between operational issues (bandwidth, compatibility, cost) and actual security threats, so candidates mistakenly choose a non-security answer like increased bandwidth usage because it sounds like a plausible downside of remote access tools.

How to eliminate wrong answers

Option A is wrong because increased bandwidth usage is a performance concern, not a direct security risk, and unauthorized remote tools may actually use less bandwidth than approved ones. Option C is wrong because compatibility issues with the operating system are a functional problem, not a security risk, and the employee's claim of needing access to a legacy application suggests compatibility was achieved, not a risk. Option D is wrong because increased licensing costs are a financial or compliance issue, not a security risk, and unauthorized tools typically avoid licensing fees altogether.

17
MCQ · easy

A company wants to allow external contractors to access a specific internal web application without installing any client software. Which remote access technology best meets this requirement?

A. VPN with a client
B. Remote Desktop Protocol
C. Reverse proxy
D. SSH
Answer: C

A reverse proxy allows access to web applications through a standard browser without additional software.

Why this answer

A reverse proxy is the correct choice because it allows external contractors to access a specific internal web application through a public-facing proxy server without requiring any client software installation. The reverse proxy terminates the external connection and forwards requests to the internal web server, handling authentication and encryption at the proxy layer, which meets the requirement of zero client-side setup.

Exam trap

The trap here is that candidates often confuse 'remote access' with VPN or RDP, assuming any secure remote connection requires a client, but the question specifically tests the understanding that a reverse proxy provides application-layer access without client software, unlike VPN or RDP which require dedicated clients.

How to eliminate wrong answers

Option A is wrong because a VPN with a client requires installing and configuring VPN client software on the contractor's device, which violates the 'without installing any client software' requirement. Option B is wrong because Remote Desktop Protocol (RDP) requires a client application (such as Microsoft Remote Desktop Client) to be installed on the accessing device, and it provides full desktop access rather than access to a specific web application. Option D is wrong because SSH is a protocol for secure command-line access to remote systems, typically requiring an SSH client (like PuTTY or OpenSSH) to be installed, and it does not natively provide web application access without additional tunneling or port forwarding.

18
MCQ · hard

During a remote troubleshooting session, a technician uses a tool that allows them to view the user's screen and control the mouse and keyboard. The user reports that the session is extremely laggy, with noticeable delay between the technician's actions and the screen update. Which of the following is the most likely cause of this lag?

A. The remote desktop software is using an outdated encryption protocol.
B. The user's computer has insufficient RAM to handle remote desktop sessions.
C. The network connection between the technician and the user has high latency or low bandwidth.
D. The technician's computer is running a different operating system than the user's.
Answer: C

Remote desktop traffic is sensitive to latency. High latency causes noticeable delay between input and screen updates, while low bandwidth causes choppy video.

Why this answer

The lag described is a classic symptom of network latency or insufficient bandwidth, which directly impacts the responsiveness of remote desktop protocols like RDP or VNC. These protocols transmit screen updates and input events in real time; high latency delays the round-trip of packets, while low bandwidth can cause frame drops or compression artifacts, resulting in the noticeable delay between the technician's actions and the screen update.

Exam trap

CompTIA often tests the concept that remote desktop lag is primarily a network issue (latency/bandwidth), not a hardware or OS compatibility problem, and the trap here is that candidates may incorrectly attribute the lag to the user's local hardware (RAM) or encryption overhead instead of recognizing the network as the most likely culprit.

How to eliminate wrong answers

Option A is wrong because outdated encryption protocols (e.g., SSL 3.0 vs. TLS 1.2) affect security, not responsiveness; they may add negligible overhead but are not the primary cause of severe lag. Option B is wrong because insufficient RAM on the user's computer would typically cause local application crashes, swapping, or slow local performance, not a specific delay between remote input and screen updates; remote desktop protocols are more sensitive to CPU and network than to RAM.

Option D is wrong because different operating systems between technician and user are handled transparently by cross-platform remote desktop tools (e.g., RDP client on Windows connecting to Linux via xrdp); the OS mismatch does not inherently introduce lag.

19
MCQ · easy

A technician is configuring a remote desktop solution for a user who needs to access a Windows 10 Pro workstation from a Linux laptop. Which protocol should the technician ensure is enabled on the Windows machine?

A. VNC
B. RDP
C. SSH
D. Telnet
Answer: B

RDP is built into Windows and can be accessed from Linux using compatible clients.

Why this answer

RDP (Remote Desktop Protocol) is the native protocol used by Windows for remote desktop connections. Windows 10 Pro includes an RDP server that listens on TCP port 3389, allowing clients such as the Microsoft Remote Desktop client on Linux to connect and provide a full graphical desktop experience. The technician must ensure the 'Allow remote connections to this computer' setting is enabled and that the Windows Firewall permits inbound RDP traffic.

Exam trap

CompTIA often tests the distinction between native Windows remote desktop (RDP) and cross-platform or command-line protocols, leading candidates to confuse VNC (which is also graphical but not native to Windows) or SSH (which is secure but not graphical) with the correct answer.

How to eliminate wrong answers

Option A is wrong because VNC (Virtual Network Computing) is a cross-platform remote desktop protocol but is not native to Windows; it requires third-party software on both ends and typically uses the RFB (Remote Framebuffer) protocol on port 5900, so it is not the built-in Windows solution. Option C is wrong because SSH (Secure Shell) provides encrypted command-line access and file transfer (using port 22) but does not natively support a full graphical desktop environment on Windows without additional components like X11 forwarding or third-party tools. Option D is wrong because Telnet is an unencrypted, text-only protocol (port 23) that offers no graphical interface and is deprecated due to security vulnerabilities; it is not suitable for remote desktop access.

20
MCQhard

A security audit reveals that a company's remote access solution uses a VPN with pre-shared keys (PSK) for authentication. The auditor recommends upgrading to certificate-based authentication. Which of the following is the primary security advantage of certificate-based authentication over PSK?

A.Certificates are easier to configure and manage than PSK.
B.Certificates provide mutual authentication and are unique per device, reducing the risk of a single compromised key affecting all users.
C.Certificates eliminate the need for a VPN server.
D.Certificates are faster than PSK for establishing VPN connections.
AnswerB

Each certificate is unique and can be revoked individually. If a device is lost, only that certificate needs to be revoked, unlike PSK where the shared key must be changed for everyone.

Why this answer

Certificate-based authentication provides mutual authentication, meaning both the VPN client and server verify each other's identity using digital certificates issued by a trusted Certificate Authority (CA). Unlike PSK, which is a shared secret that can be leaked and reused across all devices, each certificate is unique per device, so compromise of one certificate does not expose the entire VPN infrastructure. This significantly reduces the blast radius of a security breach and aligns with the principle of least privilege.

Exam trap

CompTIA often tests the misconception that certificates are 'easier' or 'faster' than PSK, when in reality the primary security advantage is mutual authentication and per-device uniqueness, not operational simplicity or performance.

How to eliminate wrong answers

Option A is wrong because certificates are generally more complex to configure and manage than PSK, requiring a PKI infrastructure, CA servers, and certificate lifecycle management, whereas PSK is a simple shared string. Option C is wrong because certificates do not eliminate the need for a VPN server; the VPN server is still required to terminate the tunnel and enforce policies, regardless of the authentication method. Option D is wrong because certificate-based authentication often introduces additional latency due to certificate validation, CRL checks, and OCSP lookups, making it typically slower than PSK for establishing VPN connections.

21
MCQeasy

A help desk technician needs to remotely control a user's Windows 10 workstation to install a software update. The user is not technically savvy and needs simple instructions. Which built-in Windows tool should the technician instruct the user to launch to allow remote control?

A.Remote Desktop Connection
B.Windows Remote Assistance
C.Quick Assist
D.Task Manager
AnswerB

Remote Assistance allows a user to invite a technician to view or control their desktop, making it ideal for this scenario.

Why this answer

Windows Remote Assistance (option B) is the correct built-in tool because it allows a user to invite a technician to remotely control their Windows 10 workstation via an invitation file or Easy Connect, using Remote Desktop Protocol (RDP) on TCP port 3389 but with a session-sharing model that requires the user's consent. This is ideal for a non-technical user, as they can launch it from the Start menu and follow simple prompts to generate an invitation or use a Microsoft account to share a code.

Exam trap

The trap here is that candidates often confuse Remote Desktop Connection (option A) with Remote Assistance because both use RDP, but Remote Desktop Connection is designed for direct, unattended remote access, not for an attended, consent-based support session that a non-technical user can easily initiate.

How to eliminate wrong answers

Option A is wrong because Remote Desktop Connection is a client tool used to initiate an outbound RDP session to another computer, not to allow inbound remote control; it requires the target machine to already have Remote Desktop enabled and does not provide a simple invitation mechanism for a non-technical user. Option C is wrong because Quick Assist is a separate tool introduced in Windows 10 version 1607 that uses a different underlying protocol (HTTPS-based) and is not built into earlier versions; while it can be used for remote assistance, the question specifies 'built-in Windows tool' and Windows Remote Assistance is the classic built-in tool available since Windows XP. Option D is wrong because Task Manager is a system utility for monitoring processes, performance, and starting/stopping applications, and it has no capability for remote control or screen sharing.

22
MCQmedium

A company uses a Remote Desktop Gateway to allow employees to access internal desktops from the internet. Users report that they can connect to the gateway but cannot see any available desktops in the list. Which of the following is the most likely cause?

A.The Remote Desktop Gateway service is not running on the server.
B.The users are not members of the correct Active Directory group that is allowed to access specific desktops.
C.The desktops are powered off or disconnected from the network.
D.The user's RDP client is outdated and cannot display the list.
AnswerB

RD Gateway uses connection authorization policies (CAP) and resource authorization policies (RAP). If users are not in the allowed group, they can connect to the gateway but see no resources.

Why this answer

The Remote Desktop Gateway (RD Gateway) acts as a proxy, allowing external RDP connections to internal desktops. When users can connect to the gateway itself but see no desktops, it typically indicates an authorization failure: the RD Gateway uses Resource Authorization Policies (RAPs) to control which desktops a user can access. If the user is not a member of the Active Directory group specified in the RAP, the gateway will deny the list of available desktops, even though the gateway connection succeeds.

Exam trap

CompTIA often tests the distinction between gateway connectivity (CAP) and resource visibility (RAP), tempting candidates to choose generic network or client issues when the real problem is authorization policy misconfiguration.

How to eliminate wrong answers

Option A is wrong because if the RD Gateway service were not running, users would not be able to connect to the gateway at all; the symptom here is a successful connection but no desktop list. Option C is wrong because powered-off or disconnected desktops would still appear in the list (though they might show as unavailable); the RD Gateway does not filter the list based on desktop power state. Option D is wrong because an outdated RDP client might cause display or feature issues, but it would not prevent the gateway from returning the list of desktops; the list is generated server-side based on RAPs.

23
MCQhard

A security analyst discovers that an attacker has been using a compromised VPN account to access the corporate network. The account belongs to a former employee who was terminated two weeks ago. Which of the following should the analyst do immediately to prevent further unauthorized access?

A.Review the VPN logs to determine the extent of the breach
B.Disable the former employee's VPN account
C.Change the VPN server's shared secret
D.Notify the former employee about the security incident
AnswerB

Disabling the account immediately cuts off the attacker's access, containing the breach.

Why this answer

The immediate priority is to disable the compromised account to stop the attack. This is a critical security incident that requires swift action. While investigating the breach and reviewing logs are important, they come after containing the threat.

Changing the VPN server password is not sufficient if the account itself is still active.

24
MCQmedium

A technician is setting up a remote desktop solution for a small business with five employees who need to access their office PCs from home. The office uses a dynamic public IP address. Which of the following should the technician configure to ensure reliable remote access without requiring users to remember a changing IP?

A.Set up port forwarding on the router
B.Configure a dynamic DNS (DDNS) service
C.Assign each employee a static IP address on the office network
D.Use a VPN with a static IP assigned by the ISP
AnswerB

DDNS automatically updates a domain name with the current public IP, providing a stable address for remote access.

Why this answer

A dynamic DNS (DDNS) service maps a domain name to a changing IP address, allowing users to connect using a consistent hostname. This is a standard solution for environments with dynamic public IPs. Port forwarding alone won't solve the IP change issue, and static IPs are not always available or cost-effective.

25
MCQmedium

A company deploys a new remote access solution using a VPN concentrator. After setup, users report that they can connect to the VPN but cannot access internal file servers. Other internal resources like email are accessible. Which of the following is the most likely cause?

A.The VPN client is using an incorrect DNS server
B.The file server is not on the same VLAN as the VPN concentrator
C.The VPN concentrator lacks a route to the file server's subnet
D.The users do not have permission to log on locally to the file server
AnswerC

Without a proper route, traffic destined for the file server subnet will not be forwarded correctly, causing access failure.

Why this answer

Option C is correct because the VPN concentrator must have a route to the file server's subnet to forward traffic from VPN clients. Without this route, packets destined for the file server are dropped, while other resources (like email) remain accessible if their subnets are reachable. This is a classic routing issue in remote access VPN deployments.

Exam trap

CompTIA often tests the misconception that VLAN placement or local permissions are the root cause, when the actual issue is a missing route on the VPN concentrator to the specific subnet.

How to eliminate wrong answers

Option A is wrong because an incorrect DNS server would cause name resolution failures for all internal resources, not selectively block file servers while allowing email access. Option B is wrong because VLAN membership is irrelevant for VPN concentrator routing; the concentrator can route to any subnet regardless of VLAN if a route exists. Option D is wrong because local logon permissions are not required for network file access; file server permissions are based on network shares and user credentials, not local logon rights.

26
MCQeasy

A user reports that they cannot connect to the company's internal file server from home using the provided VPN client. They can access the internet without issues. Which of the following is the most likely cause of this problem?

A.The user's home router is blocking VPN traffic on port 443.
B.The VPN client is configured for split tunneling, and the file server's IP range is not in the allowed routes.
C.The file server is powered off or experiencing a hardware failure.
D.The user's VPN client software is outdated and needs to be reinstalled.
AnswerB

Split tunneling routes only specific traffic through the VPN. If the file server's subnet is omitted, the user cannot reach it, even though the VPN is connected.

Why this answer

Split tunneling allows the VPN client to route only specific traffic (e.g., corporate subnets) through the encrypted tunnel, while all other traffic goes directly to the internet. If the file server's IP range is not included in the allowed routes, traffic to that server will bypass the VPN and be sent unencrypted to the user's local gateway, which cannot reach the internal server. This matches the symptom: internet works, but the file server is unreachable.

Exam trap

The trap here is that candidates often assume any remote access issue is due to firewall blocking or server failure, overlooking the specific split tunneling misconfiguration that allows internet but blocks internal resources.

How to eliminate wrong answers

Option A is wrong because port 443 is typically used for HTTPS or SSL/TLS-based VPNs (e.g., OpenVPN, SSTP), and if the home router were blocking it, the VPN client would fail to establish any connection at all, not just fail to reach the file server. Option C is wrong because a powered-off or failed file server would affect all users, not just a remote VPN user, and the user can access the internet, indicating the VPN tunnel itself is up. Option D is wrong because outdated VPN client software would typically cause connection failures or authentication errors, not a selective inability to reach a specific internal resource while internet access works.

27
MCQmedium

A technician is troubleshooting a remote user's inability to connect to the office network via VPN. The user can ping the VPN server's public IP address but the VPN connection fails after entering credentials. The VPN logs show an authentication error. What should the technician check next?

A.Verify that the VPN server's firewall is allowing UDP ports 500 and 4500.
B.Check if the user's account is locked out or if the password has expired.
C.Reinstall the VPN client software on the user's computer.
D.Configure the VPN to use a different encryption protocol.
AnswerB

An authentication error directly indicates a problem with the user's credentials. Locked accounts or expired passwords are common causes.

Why this answer

The VPN logs show an authentication error, which indicates the failure occurs during the credential validation phase, not during network connectivity. Since the user can ping the VPN server's public IP, Layer 3 connectivity is intact, and the issue is likely with the user's account status. Checking if the account is locked out or the password has expired directly addresses the authentication failure.

Exam trap

CompTIA often tests the distinction between connectivity issues (Layer 3 reachability) and authentication issues (Layer 7 credential validation), leading candidates to incorrectly focus on firewall ports or client software when the logs clearly point to an authentication failure.

How to eliminate wrong answers

Option A is wrong because UDP ports 500 and 4500 are used for IPsec IKE traffic, and the user can already ping the VPN server, so firewall rules are not the immediate cause of an authentication error. Option C is wrong because reinstalling the VPN client software would not resolve an authentication error that occurs after credentials are entered; the client is functioning enough to reach the server. Option D is wrong because changing the encryption protocol would not fix an authentication error; it would only alter how data is secured after authentication succeeds.

28
MCQmedium

A technician is tasked with securely connecting a remote office to the main office over the internet. The remote office has 10 users who need access to the same resources as local users. Which of the following remote access methods provides the most secure and scalable solution?

A.Configure port forwarding on the main office router for each required service
B.Set up a site-to-site VPN between the two offices
C.Use Remote Desktop for each user to connect to a workstation at the main office
D.Implement a client-to-site VPN for each user
AnswerB

A site-to-site VPN provides a secure, encrypted connection between entire networks, allowing seamless access for all users.

Why this answer

A site-to-site VPN (often using IPsec or a secure tunnel protocol) creates an encrypted, always-on connection between the two office routers, allowing all 10 users transparent access to the main office resources as if they were on the same LAN. This method is both secure (encrypting all traffic) and scalable (handling multiple users without per-client configuration), making it the best fit for connecting entire networks over the internet.

Exam trap

CompTIA often tests the distinction between site-to-site and client-to-site VPNs, where candidates mistakenly choose client-to-site VPN (Option D) thinking it is more secure per-user, but the question emphasizes 'scalable' and 'connecting a remote office'—a site-to-site VPN is the correct enterprise solution for network-to-network connectivity.

How to eliminate wrong answers

Option A is wrong because port forwarding exposes specific services directly to the internet, creating a large attack surface and requiring manual configuration for each service, which is neither secure nor scalable for multiple users. Option C is wrong because Remote Desktop Protocol (RDP) provides only per-user, per-session access to individual workstations, which is not designed for network-level resource sharing and introduces significant management overhead for 10 users. Option D is wrong because client-to-site VPN requires each user to install and maintain a VPN client, which adds administrative burden and is less scalable than a site-to-site VPN that centralizes the connection at the network edge.

29
MCQeasy

A customer calls the help desk saying their remote desktop session to the office workstation keeps disconnecting after a few minutes. They are using a standard RDP client over the internet. What should the technician check first?

A.Verify that the user's local antivirus is not blocking RDP traffic.
B.Check the remote workstation's power settings to ensure it is not going to sleep.
C.Review the Remote Desktop Session Host configuration for idle session time limits.
D.Reinstall the RDP client on the user's home computer.
AnswerC

Idle time limits disconnect sessions after a period of inactivity. This matches the symptom of disconnecting after a few minutes.

Why this answer

The user's RDP session disconnects after a few minutes, which is a classic symptom of an idle session timeout enforced by the Remote Desktop Session Host (RD Session Host) or Group Policy. By default, Windows Server RDS roles have an idle session limit (often 15 minutes) that disconnects inactive sessions to free resources. Checking this configuration directly addresses the symptom, whereas other options target less likely causes for a consistent, time-based disconnect.

Exam trap

The trap here is that candidates often blame the client or local network (options A or D) for a disconnect, but Cisco tests your understanding that server-side session timeout policies are the most common cause of periodic, predictable RDP disconnections over the internet.

How to eliminate wrong answers

Option A is wrong because local antivirus typically blocks RDP at connection time (e.g., port 3389) with a persistent failure, not a delayed disconnect after minutes of use. Option B is wrong because the remote workstation's power settings would cause the entire machine to sleep, dropping all network connectivity instantly, not just the RDP session after a few minutes of activity. Option D is wrong because reinstalling the RDP client would not resolve a server-side timeout policy; the client software is not the cause of a consistent, timed disconnect.

30
MCQhard

A technician is setting up remote access for a user who will be traveling internationally. The user needs to access files on a Windows server using RDP. Which additional security measure should the technician implement to protect the RDP session?

A.Enable Network Level Authentication (NLA) on the server
B.Use a VPN to encrypt all traffic before initiating RDP
C.Change the RDP port to a non-standard number
D.Disable clipboard redirection in the RDP session
AnswerB

A VPN creates an encrypted tunnel, securing the entire RDP session from interception.

Why this answer

B is correct because RDP traffic is encrypted but not authenticated at the transport layer, making it vulnerable to man-in-the-middle attacks, especially over untrusted international networks. A VPN (e.g., IPsec or OpenVPN) provides an additional layer of encryption and authentication for the entire session before RDP traffic is sent, ensuring confidentiality and integrity even if the RDP protocol itself is compromised.

Exam trap

CompTIA often tests the misconception that RDP's built-in encryption is sufficient for all scenarios, leading candidates to overlook the need for a VPN when the connection traverses untrusted networks, especially in international travel contexts.

How to eliminate wrong answers

Option A is wrong because Network Level Authentication (NLA) requires the user to authenticate before a full RDP session is established, which protects against some attacks but does not encrypt the traffic; it is a pre-session authentication mechanism, not a transport-layer security measure. Option C is wrong because changing the RDP port from the default 3389 to a non-standard number is a form of security through obscurity that does not provide actual encryption or authentication; it only reduces automated scans but does not protect the session from targeted attacks. Option D is wrong because disabling clipboard redirection prevents data transfer via the clipboard but does not encrypt or secure the RDP session itself; it is a data-leakage prevention measure, not a security measure for the session's confidentiality.
