CCNA Security Architecture Questions

75 of 221 questions · Page 1/3 · Security Architecture topic

1
MCQ · medium

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

A. Add more allow rules from VLAN 10 to VLAN 30 for SMB and RDP so restore jobs stay flexible.
B. Move the backup server into the user VLAN to avoid routing and ACL complexity.
C. Remove direct user access to the backup VLAN and allow only the dedicated backup path.
D. Increase the DHCP lease time so backup jobs run less often during business hours.
Answer: C

Limiting backup access to dedicated systems preserves segmentation and protects recovery data from workstation compromise.

Why this answer

Option C is correct because removing direct user access to the backup VLAN and allowing only the dedicated backup path enforces network segmentation, which limits lateral movement. If a workstation in VLAN 10 is compromised, an attacker cannot pivot directly to the backup server in VLAN 30, reducing the blast radius. This aligns with the principle of least privilege and defense-in-depth for backup infrastructure.

Exam trap

The trap here is that candidates may think adding more allow rules (Option A) improves flexibility, but in security architecture, reducing unnecessary access paths is key to minimizing blast radius, not increasing connectivity.

How to eliminate wrong answers

Option A is wrong because adding more allow rules from VLAN 10 to VLAN 30 for SMB and RDP increases the attack surface, allowing a compromised workstation to directly access backup servers, which expands rather than reduces the blast radius. Option B is wrong because moving the backup server into the user VLAN eliminates network segmentation entirely, exposing the backup server to any compromised workstation in the same broadcast domain and defeating the purpose of isolation. Option D is wrong because increasing the DHCP lease time does not affect network access controls or segmentation; it only delays IP address renewal and has no impact on blast radius reduction.

2
MCQ · medium

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A. Place both the web server and the database server in the same DMZ segment and rely on host-based firewalls for protection.
B. Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.
C. Connect both servers to a single internal VLAN and use a reverse proxy to forward external traffic to the web server.
D. Use a site-to-site VPN to connect the web server and database server, and place both behind a single NAT gateway.
Answer: B

This architecture follows the principle of defense in depth. The DMZ provides an additional security layer for the web server, while the database is isolated on the internal network with a restrictive firewall rule that limits access to only the web server, reducing the attack surface.

Why this answer

Option B is correct because it implements a tiered network architecture where the web server resides in the DMZ (a semi-trusted zone) and the database server is placed on the internal network, isolated from direct internet access. The firewall is configured with a stateful rule that permits only the web server's IP and the specific database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL), preventing any direct inbound connections from the internet to the database. This minimizes the attack surface by ensuring that even if the web server is compromised, the database is not directly reachable from external hosts.

Exam trap

The trap here is that candidates often assume placing both servers in the DMZ is sufficient because they think the DMZ itself provides isolation, but they overlook that the DMZ is still a single security zone where lateral movement between hosts is not restricted, making the database vulnerable if the web server is breached.

How to eliminate wrong answers

Option A is wrong because placing both servers in the same DMZ segment exposes the database server to the same untrusted network as the web server, and host-based firewalls alone are insufficient to stop a determined attacker who compromises the web server from pivoting laterally to the database. Option C is wrong because connecting both servers to a single internal VLAN places the database server on the same Layer 2 domain as the web server, and a reverse proxy only protects the web server from direct external access but does not isolate the database from internal threats or lateral movement. Option D is wrong because a site-to-site VPN and a single NAT gateway treat both servers as peers on the same logical network, offering no segmentation between the web and database tiers, and the NAT gateway does not enforce application-layer filtering between them.

3
Multi-Select · hard

A platform team runs production, staging, and developer containers on the same Kubernetes cluster. After a staging compromise, the team wants to reduce the chance of access to production secrets or lateral movement to other namespaces. Which two architecture changes are most effective? Select two.

Select 2 answers
A. Move production workloads into a separate cluster or dedicated node pool with stricter tenancy boundaries.
B. Run all namespaces on the same privileged worker nodes so scaling is easier.
C. Apply network policies or microsegmentation so staging pods cannot talk freely to production services.
D. Store secrets as plain environment variables because container images are already isolated.
E. Grant every service account cluster-admin so deployments fail less often.
Answers: A, C

Separating production from less trusted workloads reduces the blast radius of a compromise and keeps sensitive workloads away from shared resources. A dedicated cluster or node pool also makes it easier to apply stricter controls, monitoring, and change management to production. This is an effective way to limit cross-environment impact.

Why this answer

Option A is correct because moving production workloads to a separate cluster or dedicated node pool enforces stronger tenancy boundaries, preventing a compromise in staging from directly accessing production secrets or pods. Kubernetes namespaces alone do not provide strong isolation, as a single cluster shares the same control plane and node resources, making lateral movement possible. This architectural change reduces the attack surface by physically or logically separating production from staging and development environments.

Exam trap

CompTIA often tests the misconception that Kubernetes namespaces provide sufficient security isolation, but the trap here is that namespaces share the same control plane and node resources, so without separate clusters or node pools, a compromise in one namespace can lead to lateral movement to others.

4
MCQ · medium

After a server rebuild, an administrator notices that Remote Desktop, SMBv1, and Print Spooler are still enabled on a Windows file server even though the server only stores department documents. The security team also wants to know if future changes drift away from the approved build. What should be implemented?

A. Apply the approved secure baseline and enable configuration drift monitoring against it.
B. Keep the server as-is and rely on the antivirus console to stop misuse.
C. Move the server into a different VLAN and leave the operating system settings unchanged.
D. Schedule a monthly reboot to clear temporary settings and reduce attack surface.
Answer: A

A secure baseline defines the expected hardened state, and drift monitoring detects unauthorized or accidental changes over time. This directly addresses both the current unnecessary services and the need to catch future deviations. It is the most complete and operationally useful response.

Why this answer

Option A is correct because applying an approved secure baseline (e.g., via Group Policy or Security Compliance Toolkit) ensures that unnecessary services like Remote Desktop, SMBv1, and Print Spooler are explicitly disabled. Enabling configuration drift monitoring (e.g., using Azure Policy, DSC, or a SIEM) allows the security team to detect and alert on any unauthorized changes that deviate from the baseline, addressing both the immediate risk and the long-term compliance requirement.

Exam trap

The trap here is that candidates often think network segmentation (VLAN) or periodic reboots are sufficient to mitigate service-level vulnerabilities, but the question specifically asks for a solution that prevents future drift from an approved build, which requires a baseline and monitoring, not just isolation or temporary fixes.

How to eliminate wrong answers

Option B is wrong because relying solely on an antivirus console does not disable or prevent the exploitation of enabled services such as SMBv1 (the protocol targeted by the EternalBlue exploit, MS17-010) or Print Spooler (the source of the PrintNightmare privilege escalation and remote code execution flaws); antivirus is not a substitute for reducing the attack surface. Option C is wrong because moving the server to a different VLAN does not disable the enabled services; it only segments network traffic, leaving the server still vulnerable to lateral movement if an attacker gains access to that VLAN. Option D is wrong because scheduling a monthly reboot does not permanently disable services or prevent drift; it only clears temporary state, and the unwanted services would come back up enabled after each reboot.

5
MCQ · easy

After building a new file server, an administrator reviews the security baseline and notices that a remote desktop service is enabled even though no one uses it. What is the best hardening action?

A. Keep the service enabled in case someone needs it later
B. Disable the unnecessary service
C. Change the server name to make it harder to find
D. Increase disk space on the server
Answer: B

Removing unused services reduces attack surface and aligns the server with the secure baseline.

Why this answer

The best hardening action is to disable the unnecessary remote desktop service because it reduces the attack surface. An enabled but unused service, such as Remote Desktop Protocol (RDP) on TCP/3389, is a common vector for brute-force attacks and exploits (e.g., BlueKeep, CVE-2019-0708). Disabling it eliminates this risk without affecting legitimate operations.

Exam trap

The trap here is that candidates may confuse 'security through obscurity' (e.g., renaming the server) with a proper hardening action, or they may assume that keeping a service enabled 'just in case' is acceptable, when the correct approach is to disable any unnecessary service to minimize the attack surface.

How to eliminate wrong answers

Option A is wrong because keeping an unused service enabled violates the principle of least functionality and needlessly exposes the server to potential exploitation. Option C is wrong because changing the server name does not mitigate the risk of the service being discovered or attacked; RDP can still be scanned and targeted regardless of the hostname. Option D is wrong because increasing disk space does not address the security risk of an unnecessary service; it is a resource management action, not a hardening measure.

6
Multi-Select · easy

A help desk team needs to reset passwords on servers during incidents, but they should not keep standing administrator rights all day. Which two controls best support this requirement? Select two.

Select 2 answers
A. Use privileged access management (PAM) to control and audit elevated access.
B. Grant time-limited or just-in-time elevation only when the task is approved.
C. Share one permanent domain administrator account with the whole team.
D. Use a regular user account and disable all authentication logging.
E. Give every help desk user full access all the time so work is faster.
Answers: A, B

PAM is designed for elevated accounts and privileged actions. It helps approve, track, and audit special access instead of leaving high privilege available all the time.

Why this answer

Privileged Access Management (PAM) solutions enforce just-in-time (JIT) elevation, time-bound access, and session auditing. This allows the help desk team to obtain administrator rights only when needed for incident response, eliminating the need for standing admin rights while maintaining full audit trails.

Exam trap

The trap here is that candidates may think sharing a single domain admin account is efficient for a team, but CompTIA tests that this violates auditability and the principle of least privilege, making it the opposite of what the scenario requires.

7
MCQ · medium

Based on the exhibit, which change should be made first to secure remote administration of the network device?

A. Enable FTP so administrators can upload and download configuration files securely.
B. Disable Telnet and allow SSHv2 only for remote administration.
C. Open the management interface to any internet host as long as the password is complex.
D. Use one shared local administrator account for all network engineers.
Answer: B

SSHv2 encrypts the management session, while Telnet sends credentials and commands in clear text.

Why this answer

Telnet transmits all data, including credentials, in cleartext, making it vulnerable to interception. SSHv2 provides encrypted remote administration and is the secure replacement for Telnet. Disabling Telnet and enabling only SSHv2 is the immediate and necessary first step to secure remote device management.

Exam trap

The trap here is that candidates may accept FTP because the option describes it as a way to move configuration files 'securely', even though FTP itself offers no encryption, or they may overlook that Telnet's lack of encryption is the most critical weakness to address first, ahead of password complexity or shared accounts.

How to eliminate wrong answers

Option A is wrong because FTP also transmits credentials and data in cleartext; it is not a secure protocol and should not be used for remote administration. Option C is wrong because exposing the management interface to any internet host dramatically increases the attack surface, regardless of password complexity; management should be restricted to trusted IPs or a jump host. Option D is wrong because using a shared local administrator account eliminates accountability and audit trails; each administrator should have unique credentials for non-repudiation and proper logging.

8
Multi-Select · easy

Employees need to sign in once to the corporate portal and then access email and the HR app without entering credentials again. Which two technologies make this possible in a secure design? Select two.

Select 2 answers
A. Single sign-on (SSO).
B. Federation between the identity provider and the other applications.
C. Network address translation (NAT).
D. Port address translation (PAT).
E. A hardened BIOS password on each workstation.
Answers: A, B

SSO lets a user authenticate once and then access multiple trusted applications without reentering credentials. It improves usability while still keeping centralized identity control.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and then access multiple applications (email, HR app) without re-entering credentials. This is achieved by the identity provider (IdP) issuing a token (e.g., SAML assertion, OIDC ID token) that is trusted by the service providers. SSO reduces password fatigue and centralizes authentication, but must be paired with federation to securely share identity across different domains or applications.

Exam trap

CompTIA often tests the distinction between SSO and federation, where candidates mistakenly think SSO alone is sufficient for cross-domain access, but federation is required when the applications are managed by different identity domains or external providers.

9
MCQ · medium

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

A. Open SSH directly to each switch on a public IP address and restrict access by source IP only.
B. Use a VPN into the internal network, then administer the switches through a hardened jump host over SSH.
C. Allow HTTPS management to each switch over the internet because the channel is encrypted.
D. Use Telnet inside the office and route home users through a split-tunnel VPN.
Answer: B

This design keeps management interfaces internal, encrypts traffic over the VPN, and lets the organization enforce MFA at the VPN or jump-host entry point. SSH provides secure device administration while the jump host centralizes access and logging.

Why this answer

Option B is correct because it uses a VPN to create an encrypted tunnel from the home user to the internal network, then requires SSH (which encrypts management traffic) through a hardened jump host. This design ensures MFA can be enforced at the VPN or jump host layer, and no switch management interface is directly exposed to the internet, satisfying all three requirements.

Exam trap

The trap here is that candidates often think HTTPS encryption alone is sufficient for internet-exposed management, ignoring the requirement that no management interface be directly exposed to the internet, and that MFA must be enforced separately.

How to eliminate wrong answers

Option A is wrong because opening SSH directly to each switch on a public IP address exposes the management interface to the internet, violating the requirement that no switch interface be directly exposed; source IP restriction alone is a weak control (source addresses change and can be spoofed or shared) and does nothing to enforce MFA. Option C is wrong because allowing HTTPS management directly over the internet still exposes the switch management interface to the internet, and while HTTPS encrypts the channel, it does not by itself enforce MFA or prevent direct exposure. Option D is wrong because Telnet transmits credentials and commands in cleartext, so the management session is unencrypted on the internal network no matter how the home user reaches it; split tunneling adds a further weakness by letting the home machine reach the internet and the corporate network at the same time, which undermines the VPN as a controlled entry point.

10
MCQ · easy

A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?

A. Host-based antivirus on each virtual machine.
B. Cloud control plane or audit logging.
C. A guest operating system screen saver policy.
D. A static public IP address for every virtual machine.
Answer: B

This is the best answer because audit logs record management actions such as instance creation, security group changes, and IAM updates. Those events are central to cloud investigations and change tracking. Enabling cloud-native logging first gives the team visibility into who did what and when, which is essential for security monitoring and accountability.

Why this answer

Cloud control plane or audit logging (e.g., AWS CloudTrail, Azure Activity Log, or Google Cloud Audit Logs) records the management API calls that create instances, modify security groups, or change IAM settings. Each record identifies the principal, the action, the time, and the source address, which is the audit trail required for incident response and compliance. These logs cover control-plane actions only; activity inside the guest operating system needs separate host-level logging.

Exam trap

The trap here is confusing guest OS-level controls (antivirus, screen saver) with cloud provider-level audit logging, leading candidates to pick a security tool that addresses a different threat surface.

How to eliminate wrong answers

Option A is wrong because host-based antivirus protects against malware on the VM's operating system but does not log cloud control plane actions like instance creation or IAM changes. Option C is wrong because a guest OS screen saver policy enforces local session locking, which is unrelated to auditing cloud-level administrative actions. Option D is wrong because assigning a static public IP to each VM provides a fixed network address but generates no audit logs for who created instances or modified security groups.
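Added example, not part of the original question set: a small triage script that runs over a few constructed CloudTrail-style records (abbreviated and invented for this page, not real account data) and answers exactly the questions the scenario poses, namely who created an instance, who changed a security group, and who touched IAM. It also flags the things an analyst would want raised at the same time: use of the root account, a source address outside an assumed corporate egress range (203.0.113.0/24 is an assumption), and a security-group change that opens a port to 0.0.0.0/0. The event field names follow CloudTrail's JSON layout; read-only calls such as DescribeInstances are filtered out as noise.

```python
import json
import ipaddress

# Constructed, abbreviated CloudTrail-style records for the example.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T09:12:44Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-03-01T09:15:02Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.77","requestParameters":{"groupId":"sg-0a1b2c3d","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2024-03-01T09:20:31Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"198.51.100.77","requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-03-01T09:21:05Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
"""

# Control-plane actions the scenario asks about (instance and security-group changes).
WATCHED = {"RunInstances", "TerminateInstances",
           "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}
# Assumed corporate egress range; anything else is worth a second look.
CORP_EGRESS = ipaddress.ip_network("203.0.113.0/24")


def parse_events(text):
    """One JSON object per line, as CloudTrail delivers them after unpacking."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_iam_change(ev):
    """Any IAM call that is not a read (Get*/List*) modifies identity settings."""
    return (ev["eventSource"] == "iam.amazonaws.com"
            and not ev["eventName"].startswith(("Get", "List")))


def world_open_ports(ev):
    """Ports a security-group change opened to 0.0.0.0/0 (empty list if none)."""
    ports = []
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        if "0.0.0.0/0" in cidrs:
            ports.append(perm["fromPort"])
    return ports


def audit_trail(events):
    """Return who/what/when/where for every watched change, with risk flags."""
    findings = []
    for ev in events:
        name = ev["eventName"]
        if name not in WATCHED and not is_iam_change(ev):
            continue  # read-only calls are noise for this question
        flags = []
        if ev["userIdentity"]["type"] == "Root":
            flags.append("root account used")
        if ipaddress.ip_address(ev["sourceIPAddress"]) not in CORP_EGRESS:
            flags.append("non-corporate source IP")
        opened = world_open_ports(ev)
        if opened:
            flags.append(f"opened {opened} to 0.0.0.0/0")
        findings.append({"time": ev["eventTime"], "who": ev["userIdentity"]["arn"],
                         "action": name, "source": ev["sourceIPAddress"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_trail(parse_events(SAMPLE_LOG)):
        print(f["time"], f["who"], f["action"], f["source"], f["flags"])
```

Without the control-plane log, none of these rows exist: host antivirus, a screen-saver policy, or a static IP would show nothing about the root user attaching AdministratorAccess to bob from an unfamiliar address.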

11
Multi-Select · medium

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Select 2 answers
A. Enroll the tablets in MDM and enforce encryption and a screen-lock PIN.
B. Use a managed work profile or container to separate corporate apps and data.
C. Allow rooted devices if the antivirus app is current.
D. Place all apps in one shared profile and use a single passcode for every user.
E. Disable remote wipe so personal photos are never affected.
Answers: A, B

MDM can enforce baseline device protections such as encryption, lock screens, and compliance settings.

Why this answer

Option A is correct because Mobile Device Management (MDM) enforces security policies like encryption and screen-lock PIN across the device, meeting the requirements for data protection. Option B is correct because a managed work profile or container (e.g., Android Work Profile or iOS Managed Open In) isolates corporate apps and data from personal apps, allowing selective wipe of corporate content without affecting personal data.

Exam trap

The trap here is that candidates often confuse MDM with MAM (Mobile Application Management) and assume MDM alone provides data isolation, when in fact a managed work profile or container is required for selective wipe and app-level separation.

12
MCQ · hard

A contractor signs in to a project portal that fronts several SaaS tools. Access must be granted only if all of the following are true: the user is assigned to the project, the device is managed, and the request occurs during the approved maintenance window. Which access model best supports this requirement?

A. Role-based access control because the contractor has one project role
B. Attribute-based access control because multiple runtime attributes determine access
C. Single sign-on because the user should not log in more than once
D. Privileged access management because the contractor needs temporary access
Answer: B

ABAC is the best fit because the decision depends on several attributes evaluated dynamically: user assignment, device status, and time of request. This lets the organization express a policy that is more precise than a static role and better aligned to least privilege. In a federated portal, ABAC can also work alongside identity assertions to make access decisions at sign-in and during session use.

Why this answer

Attribute-based access control (ABAC) evaluates multiple runtime attributes—such as user-project assignment, device management status, and time of request—against policies to grant access. This matches the requirement because all three conditions must be true simultaneously, and ABAC can combine subject, resource, and environment attributes in a single policy rule. Role-based access control (RBAC) would only check the user's role, not device or time attributes.

Exam trap

The trap here is that candidates see 'contractor' and 'project' and immediately think of RBAC roles, overlooking that the requirement explicitly demands evaluation of multiple runtime attributes (device managed, maintenance window), which ABAC is designed to evaluate at request time and a static role assignment cannot express.

How to eliminate wrong answers

Option A is wrong because RBAC grants access based solely on a user's role (e.g., 'contractor'), not on dynamic runtime attributes like device management status or time of day; it cannot enforce the multi-condition logic required. Option C is wrong because single sign-on (SSO) only provides a unified authentication experience (e.g., using SAML or OIDC) and does not enforce authorization policies based on device or time attributes. Option D is wrong because privileged access management (PAM) is designed to control and audit elevated access (e.g., admin credentials or just-in-time privileges), not to evaluate general access conditions like project assignment or device compliance.
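Added example, not from the original question set: a minimal policy decision function that encodes the three conditions from the scenario as ABAC and, for contrast, the same scenario as a pure role check. The attribute stores (project membership, the managed-device list, a 22:00 to 02:00 UTC maintenance window) are constructed for the example; in practice they would come from the IdP, the MDM compliance feed, and a change calendar. The window deliberately wraps past midnight, because that boundary is where hand-written time checks usually break.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Constructed attribute sources for the example (assumptions, not real data).
PROJECT_MEMBERS = {"proj-42": {"contractor.lee", "alice"}}
MANAGED_DEVICES = {"LAPTOP-7F3A"}
WINDOW_START, WINDOW_END = time(22, 0), time(2, 0)   # assumed window, UTC


@dataclass(frozen=True)
class Request:
    subject: str
    device_id: str
    project: str
    now: datetime          # timezone-aware request time


def request_at(subject, device_id, project, hour, minute=0):
    """Build a request on a fixed date so callers only choose the time."""
    return Request(subject, device_id, project,
                   datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc))


def in_window(now):
    """True when `now` falls inside the maintenance window; handles a
    window that wraps past midnight (22:00 to 02:00 does)."""
    t = now.astimezone(timezone.utc).time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END


def abac_decide(req):
    """ABAC: every attribute condition must hold (logical AND). Returns the
    decision and the reasons for a deny, which auditors and help desk need."""
    reasons = []
    if req.subject not in PROJECT_MEMBERS.get(req.project, set()):
        reasons.append("subject not assigned to project")   # subject attribute
    if req.device_id not in MANAGED_DEVICES:
        reasons.append("device not managed")                # device attribute
    if not in_window(req.now):
        reasons.append("outside maintenance window")        # environment attribute
    return ("permit" if not reasons else "deny"), reasons


def rbac_decide(req):
    """For contrast: a pure role check. Holding the project role is enough,
    so RBAC permits from an unmanaged device at noon."""
    has_role = req.subject in PROJECT_MEMBERS.get(req.project, set())
    return "permit" if has_role else "deny"


if __name__ == "__main__":
    good = request_at("contractor.lee", "LAPTOP-7F3A", "proj-42", 23, 30)
    bad = request_at("contractor.lee", "PERSONAL-PHONE", "proj-42", 12, 0)
    print(abac_decide(good))   # ('permit', [])
    print(abac_decide(bad))    # ('deny', ['device not managed', 'outside maintenance window'])
    print(rbac_decide(bad))    # permit
```

The `bad` request is the exam point in one line: RBAC says permit because the contractor holds the role, while ABAC denies and says why. In a federated portal the device and time attributes would arrive as claims in the SAML assertion or OIDC token and be re-checked during the session, not only at sign-in.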

13
MCQ · easy

A team is moving an application to a cloud provider. The cloud provider will secure the physical data center and core infrastructure, while the company must still secure its own application settings and user access. What concept does this describe?

A. Fail-open design
B. Shared responsibility model
C. Air gap
D. Data masking
Answer: B

Cloud security duties are divided between the provider and the customer, depending on the service model.

Why this answer

The shared responsibility model defines the division of security obligations between a cloud provider and its customer. In this scenario, the provider secures the physical data center and core infrastructure (the 'security of the cloud'), while the company retains responsibility for application settings and user access (the 'security in the cloud'). This model is foundational to all major cloud providers, including AWS, Azure, and Google Cloud.

Exam trap

The trap here is that candidates often confuse the shared responsibility model with a simple 'provider does everything' or 'customer does everything' approach, failing to recognize that security obligations are split based on the service model (IaaS, PaaS, SaaS) and that the customer always retains responsibility for data and access management.

How to eliminate wrong answers

Option A is wrong because a fail-open design refers to a security mechanism that defaults to allowing access when it fails (e.g., a firewall that passes all traffic upon crash), not to the division of security responsibilities in cloud computing. Option C is wrong because an air gap is a physical or logical isolation of a network from unsecured networks (e.g., no network connection at all), which is unrelated to the shared security duties between a cloud provider and its customer. Option D is wrong because data masking is a technique used to obfuscate sensitive data (e.g., replacing real credit card numbers with fictitious ones for testing), not a model for distributing security controls between parties.

14
MCQ · medium

Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access?

VLAN table:
- VLAN 20 Users: 10.20.20.0/24
- VLAN 30 Finance: 10.20.30.0/24
- VLAN 40 Printers: 10.20.40.0/24
- VLAN 50 Accounting App: 10.20.50.0/24

Current SVI routing policy: permit ip any any

Management goal: Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.

A. Put finance workstations on the same VLAN as the printers to simplify access.
B. Add inter-VLAN ACLs that deny Finance VLAN access to User VLAN 20 while permitting Finance VLAN traffic to VLAN 40 and VLAN 50.
C. Remove routing between all VLANs and let users print through email attachments.
D. Place the accounting application in the User VLAN so finance devices no longer need segmentation.
Answer: B

This is the best option because it keeps the finance systems isolated from general user devices while still allowing the required business functions. The ACL can allow only the exact destinations and services needed for printing and the accounting application, which reduces lateral movement risk without breaking the workflow. It is a practical example of subnet isolation with traffic filtering.

Why this answer

Option B is correct because it uses inter-VLAN ACLs to enforce the principle of least privilege: denying traffic from the Finance VLAN (10.20.30.0/24) to the User VLAN (10.20.20.0/24) while explicitly permitting traffic to the Printer VLAN (10.20.40.0/24) and the Accounting App VLAN (10.20.50.0/24). This preserves the required segmentation and still allows the necessary services (printing and application access) without altering the existing VLAN structure or routing policy.

Exam trap

The trap here is that candidates often assume VLANs alone provide security isolation, forgetting that by default inter-VLAN routing permits all traffic (as shown by the 'permit ip any any' SVI policy), so additional ACLs are required to enforce directional restrictions while still allowing specific services.

How to eliminate wrong answers

Option A is wrong because placing finance workstations on the same VLAN as the printers collapses segmentation between finance devices and printers, and with the existing permit ip any any routing policy still in place it does nothing to stop finance devices from reaching the User VLAN, so the management goal is not met. Option C is wrong because removing routing between all VLANs blocks every inter-VLAN flow, including the printing and accounting-application access the requirement explicitly preserves. Option D is wrong because placing the accounting application in the User VLAN exposes it to every user PC, defeating the purpose of segmentation and inviting unauthorized access from VLAN 20, while finance workstations remain unisolated from user PCs.
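Added example, not part of the original question set, serving both question 1 (workstation to backup VLAN) and question 14 (finance VLAN): a first-match ACL model that uses the exhibit's four subnets, renders the entries in Cisco IOS extended ACL syntax, and evaluates sample packets the same way IOS does, top-down with the implicit deny at the end. The service ports are assumptions for the example (TCP 9100 and 631 for printing, TCP 443 for the accounting application); the page does not specify them. The list is meant to be applied inbound on the Finance SVI, which is where finance-initiated traffic first reaches the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the VLAN table from the question 14 exhibit.
VLANS = {
    "users": ipaddress.ip_network("10.20.20.0/24"),
    "finance": ipaddress.ip_network("10.20.30.0/24"),
    "printers": ipaddress.ip_network("10.20.40.0/24"),
    "app": ipaddress.ip_network("10.20.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def to_ios(self):
        """Render as a Cisco IOS extended ACL entry (wildcard masks)."""
        port = f" eq {self.dport}" if self.dport is not None else ""
        return (f"{self.action} {self.proto} "
                f"{self.src.network_address} {self.src.hostmask} "
                f"{self.dst.network_address} {self.dst.hostmask}{port}")


# Inbound on the Finance SVI. Ports are assumptions for the example:
# TCP 9100 (raw print) and 631 (IPP) to printers, TCP 443 to the app.
# Everything else, including finance to users, falls to the implicit deny;
# the explicit deny is kept first so the intent is visible in the config.
FINANCE_IN = [
    Rule("deny", "ip", VLANS["finance"], VLANS["users"]),
    Rule("permit", "tcp", VLANS["finance"], VLANS["printers"], 9100),
    Rule("permit", "tcp", VLANS["finance"], VLANS["printers"], 631),
    Rule("permit", "tcp", VLANS["finance"], VLANS["app"], 443),
]


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, as IOS processes an ACL top-down.
    A packet matching no entry hits the implicit 'deny ip any any'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def render_acl(name, acl):
    """Named extended ACL as it would appear in the running config."""
    lines = [f"ip access-list extended {name}"]
    lines += [" " + r.to_ios() for r in acl]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl("FINANCE-IN", FINANCE_IN))
    print(evaluate(FINANCE_IN, "tcp", "10.20.30.15", "10.20.20.7", 445))   # deny
    print(evaluate(FINANCE_IN, "tcp", "10.20.30.15", "10.20.40.9", 9100))  # permit
    print(evaluate(FINANCE_IN, "tcp", "10.20.30.15", "10.20.50.4", 3389))  # deny
```

Two practical notes. Because the list sits inbound on the Finance SVI it only constrains flows that finance hosts initiate, which is exactly the stated goal; reply traffic from printers and the application is not filtered by this list. And the last sample packet (RDP to the application server) is denied by the implicit deny rather than by a written entry, which is the behaviour that makes an allowlist of specific ports a least-privilege control instead of a deny-list that has to anticipate every service.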

15
Multi-Select · easy

An organization wants employees to sign in once and then access several SaaS applications without repeated logins. Which two technologies make this possible? Select two.

Select 2 answers
A. Single sign-on
B. Identity federation
D. Port forwarding
E. Full-disk encryption
Answers: A, B

Single sign-on lets a user authenticate once and reuse that session for multiple approved applications. It improves usability while reducing password fatigue and repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and then access multiple SaaS applications without re-entering credentials. It works by establishing a trusted session (often via SAML assertions or OIDC tokens) that is presented to each application, eliminating repeated logins. This directly meets the requirement for a single authentication event granting access to several services.

Exam trap

CompTIA often tests the distinction between SSO (which handles authentication within a single domain) and identity federation (which extends SSO across different trust domains), leading candidates to pick only one when both are required for the scenario.

16
Multi-Select · medium

A regulated analytics workload is moving to a public cloud. The business wants the strongest practical tenant isolation without managing physical servers, and it also needs an audit trail for changes made to the cloud environment. Which two design choices best meet those requirements? Select two.

Select 2 answers
A. Place the workload in a dedicated account, project, or subscription with restricted cross-account access.
B. Enable cloud control-plane logging and retain the logs centrally.
C. Deploy the workload in a shared public subnet to simplify routing between tenants.
D. Assume the cloud provider will record every guest operating system event automatically.
E. Disable logging to reduce storage costs because the provider already has all necessary records.
Answers: A, B

A dedicated account, project, or subscription provides stronger logical isolation than placing the workload in a shared environment. Restricting cross-account access reduces accidental or unauthorized sharing and makes governance easier. This is a common cloud architecture pattern for regulated workloads that need separation without the overhead of managing physical infrastructure.

Why this answer

Option A is correct because placing the workload in a dedicated account, project, or subscription with restricted cross-account access provides strong logical isolation at the cloud provider's control plane. This approach meets the requirement for tenant isolation without managing physical servers, because it relies on the provider's built-in resource boundaries and IAM policies to prevent unauthorized access between tenants. Option B is correct because control-plane logging (e.g., AWS CloudTrail, Azure Activity Log, or Google Cloud Audit Logs) records who changed what in the environment and when, and retaining those logs centrally, outside the workload account, keeps the audit trail intact even if that account is compromised or misconfigured.

Exam trap

The trap here is that candidates often confuse network-level isolation (like subnets) with tenant isolation at the control plane, or assume cloud providers automatically handle guest OS auditing, leading them to select C or D instead of the correct combination of A and B.
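The audit trail in option B is only useful if someone reads it. The following is an added example, not part of the question bank, of the kind of review a team would run over the retained control-plane logs: it flags calls made by principals from outside the dedicated account and posture-changing calls such as policy edits or attempts to stop logging. The records are constructed in the general shape of AWS CloudTrail events; the account IDs, role names and timestamps are invented for illustration.

```python
"""Audit control-plane log records for a workload in a dedicated cloud account.

Added example for question 16; it is not part of the question bank. The records
are constructed in the general shape of AWS CloudTrail events (eventTime,
eventName, readOnly, recipientAccountId, userIdentity.accountId); the account
IDs, role names and timestamps are invented for illustration.
"""
import json
from collections import Counter

# Assumed: the regulated workload lives alone in this account.
WORKLOAD_ACCOUNT = "111111111111"

# Control-plane calls that change security posture and should always be reviewed.
SENSITIVE_EVENTS = {
    "PutBucketPolicy", "AuthorizeSecurityGroupIngress", "UpdateAssumeRolePolicy",
    "DeleteTrail", "StopLogging", "DisableKey", "ScheduleKeyDeletion",
}


def _record(time, source, name, account, role, read_only=False, error=None):
    """Build one constructed CloudTrail-style record."""
    rec = {
        "eventTime": time, "eventSource": source, "eventName": name, "readOnly": read_only,
        "recipientAccountId": WORKLOAD_ACCOUNT,
        "userIdentity": {"type": "AssumedRole", "accountId": account,
                         "arn": f"arn:aws:sts::{account}:assumed-role/{role}"},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: a normal read, an admin policy change, and a principal from
# another account first assuming a role and then trying to switch logging off.
SAMPLE_RECORDS = [
    _record("2024-05-01T08:00:12Z", "s3.amazonaws.com", "GetObject",
            WORKLOAD_ACCOUNT, "analytics-job/i-0abc", read_only=True),
    _record("2024-05-01T08:03:44Z", "s3.amazonaws.com", "PutBucketPolicy",
            WORKLOAD_ACCOUNT, "platform-admin/alice"),
    _record("2024-05-01T08:10:02Z", "sts.amazonaws.com", "AssumeRole",
            "222222222222", "dev-sandbox/bob"),
    _record("2024-05-01T08:15:30Z", "cloudtrail.amazonaws.com", "StopLogging",
            "222222222222", "dev-sandbox/bob", error="AccessDenied"),
]
SAMPLE_TRAIL_TEXT = json.dumps({"Records": SAMPLE_RECORDS})   # shape of a delivered log file


def parse_trail(text):
    """Parse a CloudTrail log file body, which wraps events in a 'Records' list."""
    return json.loads(text).get("Records", [])


def audit(records, workload_account=WORKLOAD_ACCOUNT):
    """Return (eventTime, category, eventName, caller ARN) for records worth review.

    cross-account    : the calling principal belongs to another account, which the
                       dedicated-account design says should be rare and explicit
    sensitive        : a posture-changing call from SENSITIVE_EVENTS that succeeded
    sensitive-denied : the same call refused by IAM; a failed attempt to stop
                       logging is exactly what an auditor wants to see
    """
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        caller = ident.get("arn", "<unknown>")
        if ident.get("accountId") not in (None, workload_account):
            findings.append((rec["eventTime"], "cross-account", rec["eventName"], caller))
        if rec["eventName"] in SENSITIVE_EVENTS and not rec.get("readOnly", False):
            category = "sensitive-denied" if rec.get("errorCode") else "sensitive"
            findings.append((rec["eventTime"], category, rec["eventName"], caller))
    return findings


def summarize(findings):
    """Count findings per category, for example for a daily report."""
    return Counter(category for _, category, _, _ in findings)


if __name__ == "__main__":
    found = audit(parse_trail(SAMPLE_TRAIL_TEXT))
    for item in found:
        print(*item)
    print(dict(summarize(found)))
```

Denied calls are reported on purpose: an AccessDenied on StopLogging from a foreign account is a stronger signal than most successful calls, and it only survives because the logs are retained outside the reach of whoever made the attempt.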

17
Multi-Selectmedium

A help desk manager is hardening a fleet of Windows laptops. The goal is to prevent booting from untrusted external media and to ensure only approved software can run on the devices. Which two controls best address those goals? Select two.

Select 2 answers
A.Enable Secure Boot in firmware.
B.Implement application allowlisting or application control.
C.Rely only on full-disk encryption to stop unauthorized boot code.
D.Increase the screen-lock timeout so users are interrupted less often.
E.Use a stronger Wi-Fi password so malware cannot start.
AnswersA, B

Secure Boot helps ensure the device only starts trusted boot components that are signed by a trusted key. That reduces the risk of booting unapproved loaders or malicious recovery media. It is a platform hardening control that directly addresses firmware-level trust during startup, which is exactly what the scenario calls for.

Why this answer

Secure Boot is a UEFI firmware feature that checks each boot component's digital signature against the firmware's allowed-signature database (db) and its revocation list (dbx) before executing it. With Secure Boot enabled, a bootloader on external media (for example a USB drive) that is unsigned, signed by an untrusted key, or listed in dbx is refused, which addresses the first goal. Application allowlisting or application control (option B; on Windows, AppLocker or Windows Defender Application Control) addresses the second goal: once the OS is running, only approved executables, scripts, and installers can run. Secure Boot alone does not control what runs after the OS has loaded, which is why both controls are needed.

Exam trap

The trap here is that candidates often confuse full-disk encryption with boot security, mistakenly thinking encryption prevents unauthorized boot media, when in fact encryption only protects data confidentiality and does not control the boot process or software execution.

18
Multi-Selectmedium

A company is designing a secure industrial control system (ICS) network that must be isolated from the corporate IT network. Which three of the following architectural controls should be implemented? (Choose three.)

Select 3 answers
A.Deploy a unidirectional gateway to allow data to flow only from the ICS to the corporate network.
B.Use a jump box (bastion host) with multi-factor authentication for administrative access to the ICS.
C.Connect the ICS and corporate networks directly through a standard router for low latency.
D.Implement a DMZ between the ICS and corporate networks to inspect and control traffic.
E.Allow all ICS devices to use the same default credentials for ease of maintenance.
F.Place the ICS historian directly on the internet for remote monitoring by vendors.

Why this answer

A unidirectional gateway (data diode) allows data to flow only from the ICS to the corporate network, so no session from the corporate side, compromised or not, can ever reach an ICS device while historian and telemetry data still flow out. A jump box (bastion host) with multi-factor authentication provides the one controlled, audited path for administrative access, so administrators never need a direct route into the ICS from their own workstations. A DMZ between the ICS and corporate networks terminates and inspects whatever traffic must be exchanged so that neither network talks to the other directly. Direct routing, shared default credentials, and an internet-exposed historian each remove a boundary rather than add one.

Exam trap

The trap here is that candidates might think a standard router or direct connection is acceptable for low latency, but CompTIA emphasizes that isolation and security take precedence over performance in ICS environments.

19
MCQeasy

Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?

A.A full backup to removable media
B.A snapshot of the virtual machine
C.A separate VLAN for the virtual machine
D.A digital certificate for the patch server
AnswerB

A snapshot captures the VM state at a specific moment, making rollback fast after a failed patch.

Why this answer

A snapshot captures the exact state of the virtual machine (disk, and optionally memory and power state) at a point in time, allowing the administrator to revert in seconds if the patch fails. It is far faster than restoring a full backup, which copies the whole VM back from external storage. Two caveats a practitioner should keep in mind: a snapshot is a delta disk held on the same storage as the VM, so it grows and slows the VM the longer it is kept and should be deleted once the patch is verified, and it is not a backup, because losing the datastore loses both the base disk and the snapshot.

Exam trap

The trap here is that candidates confuse a snapshot with a full backup, but the question emphasizes 'quick way to return to exact pre-change state,' which is the defining characteristic of a snapshot, not a backup.

How to eliminate wrong answers

Option A is wrong because a full backup to removable media is a slower, more cumbersome process that requires restoring the entire VM from external storage, not a quick revert. Option C is wrong because a separate VLAN isolates network traffic but does not preserve or restore the VM's operating system or application state. Option D is wrong because a digital certificate authenticates the patch server but provides no mechanism to revert the VM to a previous state.

20
MCQmedium

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

A.Place the PLCs and office workstations on the same VLAN and rely on endpoint antivirus.
B.Create a separate OT zone behind a firewall with explicit allow rules only to the SCADA server.
C.Publish the SCADA server through a public reverse proxy so vendors can reach it remotely.
D.Put the PLCs on the same subnet as user devices and hide them behind NAT.
AnswerB

This option isolates industrial devices in their own security zone and uses deny-by-default filtering, which is appropriate for production environments.

Why this answer

Option B is correct because it creates an isolated OT (Operational Technology) zone using a firewall, which enforces segmentation between the industrial control systems (PLCs and SCADA) and the corporate IT network. By placing the SCADA server and PLCs behind a firewall with explicit allow rules only for necessary SCADA-to-PLC telemetry, the architecture ensures that employee laptops and the internet cannot reach these devices, meeting the requirement for no reachability from those sources.

Exam trap

The trap here is that candidates may confuse network segmentation with security controls like antivirus or NAT, mistakenly believing that endpoint protection or address translation alone can prevent unauthorized access from the same subnet or from the internet.

How to eliminate wrong answers

Option A is wrong because placing PLCs and office workstations on the same VLAN eliminates network segmentation, allowing any device on that VLAN (including employee laptops) to communicate directly with the PLCs, and endpoint antivirus cannot prevent network-level attacks or unauthorized connections. Option C is wrong because publishing the SCADA server through a public reverse proxy intentionally makes it reachable from the internet, directly violating the requirement that neither the PLCs nor the SCADA server be reachable from the internet. Option D is wrong because NAT is an addressing function applied where traffic crosses a routed boundary, not an access control: hosts on the same subnet reach each other at Layer 2 with no NAT device in the path, so a laptop could still connect to a PLC directly, and even at a boundary NAT only rewrites addresses and does not decide who may initiate a connection.

21
Multi-Selectmedium

A small enterprise is rebuilding its public customer portal. The web front end must be reachable from the internet, the application tier should never be directly exposed, and the database must remain private even if the web server is compromised. Which two design changes best meet those goals? Select two.

Select 2 answers
A.Place the web front end in a DMZ behind a firewall rule allowing only HTTPS from the internet.
B.Put the database on the same subnet as the web front end so internal calls have lower latency.
C.Place the application tier on an internal subnet and allow only the web front end to reach it on the app port.
D.Allow the database to accept connections from the internet if strong passwords are used.
E.Disable all inbound filtering on the DMZ so troubleshooting is simpler.
AnswersA, C

A DMZ is the correct place for the internet-facing web front end because it limits exposure if the server is attacked. Allowing only HTTPS from the internet reduces unnecessary access and supports a tight inbound filtering strategy. This choice fits a common secure web architecture pattern and keeps the higher-value internal systems separate from direct public reach.

Why this answer

Option A is correct because placing the web front end in a DMZ behind a firewall rule that permits only HTTPS (TCP/443) from the internet ensures the public-facing component is isolated from internal networks. This design prevents direct inbound access to the application or database tiers, reducing the attack surface while still allowing legitimate web traffic.

Option C is correct because the application tier sits on an internal subnet with a rule that permits only the web front end's address on the application port. If the web server is compromised, the attacker's only onward path is that single port to the application tier; the database, which is reachable only from the application tier, is never directly exposed to the compromised host.

Exam trap

The trap here is that candidates often assume placing the database on the same subnet as the web server improves performance (Option B) without recognizing that it sacrifices security isolation, which is the primary goal in this scenario.

22
MCQeasy

A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?

A.Secure Boot.
B.BitLocker full-disk encryption.
C.A DHCP reservation.
D.A local administrator password policy.
AnswerA

This is the best answer because Secure Boot verifies that boot components are signed by trusted keys before allowing them to load. That helps prevent bootkits and other pre-boot tampering from taking control before the operating system starts. It is a core platform hardening feature on modern systems and directly addresses trust in the boot process.

Why this answer

Secure Boot is a UEFI firmware feature that verifies the digital signature of bootloaders and kernel code against a database of trusted keys before allowing execution. By configuring Secure Boot to only accept boot code signed by a trusted key, the firmware will reject any unapproved bootloader, preventing unauthorized code from running during the boot process.

Exam trap

The trap here is that candidates often confuse Secure Boot with BitLocker. BitLocker protects data at rest; with a TPM it can detect a changed boot chain and fall back to the recovery prompt instead of unlocking the volume, but it never refuses to run an unsigned bootloader. Only Secure Boot validates the bootloader's signature before execution.

How to eliminate wrong answers

Option B is wrong because BitLocker full-disk encryption protects data at rest by encrypting the drive; with a TPM it seals the volume key to the measured boot state, so a changed bootloader triggers the recovery prompt rather than an unlock, but it does not verify signatures or stop the unapproved bootloader from executing. Option C is wrong because a DHCP reservation assigns a fixed IP address to a device based on its MAC address and has no role in verifying bootloader signatures or firmware-level security. Option D is wrong because a local administrator password policy controls password complexity and expiration for local user accounts, but it does not enforce cryptographic verification of boot components.

23
Multi-Selecthard

An architect reviews a design where an internet-facing reverse proxy in a DMZ forwards HTTPS to a web application tier, and the web tier queries a database on a protected internal subnet. The current firewall plan allows the DMZ subnet to reach the database subnet on any TCP port, and the admins want to manage the proxy without exposing it to the user VLAN. Which two changes best improve the design? Select two.

Select 2 answers
A.Collapse the DMZ and internal database into the same VLAN so firewall rules are simpler.
B.Place the public reverse proxy in a DMZ separated from the internal network by a firewall.
C.Allow the database subnet to accept inbound connections from the internet for easier scaling.
D.Restrict DMZ-to-database access to only the required application port and source host.
E.Disable stateful inspection on the firewall so return traffic is automatically trusted.
AnswersB, D

This isolates the exposed service from internal resources and keeps internet-facing traffic in a controlled zone. A DMZ is appropriate for systems that must accept inbound requests from untrusted networks. It reduces the blast radius if the proxy is compromised and allows the organization to apply stricter internal controls behind the perimeter firewall.

Why this answer

Option B is correct because placing the public reverse proxy in a DMZ separated from the internal network by a firewall enforces a layered security model. The DMZ acts as a buffer zone, ensuring that even if the proxy is compromised, the attacker cannot directly access the internal web or database tiers without traversing another firewall. This aligns with defense-in-depth principles for internet-facing services.

Option D is correct because narrowing DMZ-to-database access from "any TCP port" to the one required application port and the one source host that needs it is the least-privilege rule the design was missing. With the broad rule, a compromised proxy could probe the database subnet on SSH, RDP, or the database's management port; with the narrow rule it can only speak the application protocol to the database from the expected address. Managing the proxy without exposing it to the user VLAN is then done from a dedicated administrative network or jump host, with a separate, equally narrow rule for that management path.

Exam trap

The trap here is that candidates may think collapsing VLANs simplifies management (Option A) or that disabling stateful inspection improves performance (Option E), but both weaken security; the exam tests understanding that segmentation and least-privilege access are critical for protecting internal assets.

24
MCQmedium

A small company is deploying a public web application with a front-end server, an API server, and a database. The web server must be reachable from the internet, the API must be reachable only from the web server, and the database must never be accessible from user subnets. Which design best meets the requirement?

A.Place all three servers on the same internal VLAN and use host firewalls only.
B.Place the web server in a DMZ, the API server in an internal subnet, and the database in a separate restricted subnet.
C.Place the database in the DMZ so the web server can connect to it with fewer firewall rules.
D.Use a single NAT gateway for all servers and rely on public IP filtering at the edge.
AnswerB

This creates clear trust boundaries and limits exposure. Only the web server is internet-facing, the API stays internal, and the database can be isolated behind strict filtering rules.

Why this answer

Option B is correct because it implements a layered security architecture: the web server resides in a DMZ (demilitarized zone) to be publicly accessible, the API server is placed in an internal subnet with firewall rules allowing only traffic from the web server, and the database is isolated in a restricted subnet with no access from user subnets. This design enforces the principle of least privilege and prevents direct internet exposure of the API and database, which is critical for protecting sensitive data.

Exam trap

The trap here is that candidates often think placing the database in the DMZ simplifies connectivity, but the DMZ is the zone designed to accept traffic from untrusted networks; putting the database there places it one hop from the internet on the same segment as the most exposed server, which defeats the isolation the requirement is asking for.

How to eliminate wrong answers

Option A is wrong because placing all three servers on the same internal VLAN with only host firewalls fails to isolate the database from the web server and API, and does not prevent direct internet access to the API or database if the web server is compromised. Option C is wrong because placing the database in the DMZ exposes it to the internet-facing zone and increases the attack surface, violating the intent that the database be reachable only from the tier that needs it. Option D is wrong because a NAT gateway provides outbound address translation and edge IP filtering, not subnet-level segmentation; it says nothing about which internal servers may talk to each other, so it cannot restrict API access to only the web server or keep user subnets away from the database.
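Questions 20, 23 and 24 all come down to the same practice: write the zone policy as explicit allows over an implicit deny, then prove that the required flows pass and the forbidden ones fail before the rules go live. The following is an added example of that check, not part of the question bank: a first-match rule evaluator with a set of reachability requirements used as a test suite. The address plan, the host 192.0.2.10 as the one DMZ host that talks to the database, Modbus/TCP 502 for PLC telemetry and PostgreSQL 5432 as the application port are all assumptions for illustration.

```python
"""Test a zone firewall policy against reachability requirements before it ships.

Added example covering questions 20, 23 and 24; it is not part of the question
bank. The address plan, APP_HOST as the only DMZ host that needs the database,
TCP/502 for PLC telemetry and TCP/5432 as the application port are assumptions.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
ZONES = {
    "user_vlan": ip_network("10.10.0.0/24"),   # employee laptops
    "ot_zone":   ip_network("10.50.0.0/24"),   # PLCs
    "scada":     ip_network("10.50.1.0/24"),   # SCADA server
    "dmz":       ip_network("192.0.2.0/24"),   # reverse proxy / web front end
    "db":        ip_network("10.20.0.0/24"),   # database subnet
}
APP_HOST = ip_network("192.0.2.10/32")         # assumed: the one DMZ host that needs the DB

# (description, source IP, destination IP, TCP port, expected verdict)
REQUIREMENTS = [
    ("PLC telemetry reaches SCADA",      "10.50.0.10",  "10.50.1.5",  502,  "allow"),
    ("laptop must not reach PLC",        "10.10.0.25",  "10.50.0.10", 502,  "deny"),
    ("laptop must not reach SCADA",      "10.10.0.25",  "10.50.1.5",  443,  "deny"),
    ("laptop must not reach DB",         "10.10.0.25",  "10.20.0.5",  5432, "deny"),
    ("internet must not reach SCADA",    "203.0.113.7", "10.50.1.5",  443,  "deny"),
    ("app host reaches DB on app port",  "192.0.2.10",  "10.20.0.5",  5432, "allow"),
    ("app host must not SSH to DB",      "192.0.2.10",  "10.20.0.5",  22,   "deny"),
    ("other DMZ host must not reach DB", "192.0.2.11",  "10.20.0.5",  5432, "deny"),
]


def evaluate(policy, src, dst, port):
    """First-match evaluation with an implicit deny at the end, like a router ACL.

    policy is a list of (src_network, dst_network, port_or_None, "allow"/"deny").
    """
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in policy:
        if s in rule_src and d in rule_dst and rule_port in (None, port):
            return action
    return "deny"


def check(policy, requirements=REQUIREMENTS):
    """Return the descriptions of every requirement the policy violates."""
    return [desc for desc, s, d, port, expected in requirements
            if evaluate(policy, s, d, port) != expected]


# Question 23's starting point: the DMZ subnet may reach the DB subnet on any TCP port.
LOOSE_DMZ = [
    (ZONES["ot_zone"], ZONES["scada"], 502, "allow"),
    (ZONES["dmz"], ZONES["db"], None, "allow"),
]

# A common mistake: "users to the internet" written with destination any, which
# also permits lateral movement from laptops into the OT, SCADA and DB zones.
USERS_TO_ANY = [
    (ZONES["ot_zone"], ZONES["scada"], 502, "allow"),
    (APP_HOST, ZONES["db"], 5432, "allow"),
    (ZONES["user_vlan"], ANY, None, "allow"),
]

# Deny-by-default design: explicit allows for the two required flows, explicit
# denies for user traffic into protected zones placed before the internet permit.
TIGHT = [
    (ZONES["ot_zone"], ZONES["scada"], 502, "allow"),
    (APP_HOST, ZONES["db"], 5432, "allow"),
    (ZONES["user_vlan"], ZONES["ot_zone"], None, "deny"),
    (ZONES["user_vlan"], ZONES["scada"], None, "deny"),
    (ZONES["user_vlan"], ZONES["db"], None, "deny"),
    (ZONES["user_vlan"], ANY, None, "allow"),
]

if __name__ == "__main__":
    for name, policy in (("LOOSE_DMZ", LOOSE_DMZ), ("USERS_TO_ANY", USERS_TO_ANY), ("TIGHT", TIGHT)):
        print(f"{name}: violations = {check(policy) or 'none'}")
```

The evaluator models only TCP source, destination and port in one direction; a real firewall is stateful and also carries UDP, ICMP and management traffic, so the requirement list, not the evaluator, is the part worth keeping and extending. The USERS_TO_ANY case is the one that catches most people: an innocent-looking permit to the internet written with destination "any" silently re-opens every protected zone, and the only defence is an explicit deny ordered before it.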

25
Multi-Selecthard

A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.

Select 2 answers
A.Place the API in a private subnet and expose it only through an internal load balancer or private endpoint.
B.Give each container a public IP and restrict access by source IP allowlist.
C.Store secrets in a managed vault and retrieve them at runtime with short-lived IAM permissions.
D.Bake database passwords into the container image so deployment is simpler.
E.Assume the cloud provider's tenant isolation alone is enough to protect secrets from misuse.
AnswersA, C

Private subnets and internal endpoints keep the service off the public internet while still allowing controlled access from trusted corporate systems. This reduces exposure, simplifies firewall policy, and supports the requirement that only internal applications can reach the API. It is a common secure cloud architecture pattern for internal services.

Why this answer

Option A is correct because placing the API in a private subnet and exposing it only through an internal load balancer or private endpoint ensures that the service is reachable only by internal corporate applications, as traffic never traverses the public internet. This design leverages network segmentation and private IP addressing to enforce access control at the network layer, aligning with the requirement for internal-only reachability.

Option C is correct because a managed vault keeps secrets out of the image and out of plaintext configuration: the container authenticates at start-up with a short-lived, workload-bound identity (for example an IAM role tied to the task or pod) and fetches the secret over TLS into memory or a tmpfs mount. Nothing readable sits in image layers, the registry, or the host's image store, and the credential used to fetch the secret expires quickly, so a copied image or a leaked credential is worth little.

Exam trap

The trap here is that candidates often confuse network-level access control (public IP with allowlist) with true private connectivity, or they underestimate the risk of host administrators reading secrets from container images or environment variables, assuming that tenant isolation or encryption at rest alone is sufficient.

26
MCQmedium

A company wants employees to use one corporate login for multiple SaaS applications, require MFA when users sign in from unmanaged devices, and centralize account lifecycle management. Which design best meets these requirements?

A.Create separate local usernames and passwords in each SaaS application.
B.Use shared accounts for each department and keep one password vault for the team.
C.Implement federated single sign-on through a central identity provider with MFA and conditional access policies.
D.Require all users to connect through a VPN before any SaaS login and remove identity federation.
AnswerC

Federated SSO lets the identity provider authenticate users once and pass trusted assertions to multiple SaaS apps. MFA can be enforced centrally, and conditional access can require additional controls based on device trust or location. This also simplifies account creation, removal, and policy management.

Why this answer

Option C is correct because federated single sign-on (SSO) through a central identity provider (IdP) such as Microsoft Entra ID (formerly Azure AD) or Okta allows employees to use one corporate login across multiple SaaS applications via protocols such as SAML 2.0 or OIDC. The IdP enforces MFA for unmanaged devices through conditional access policies (for example, device compliance checks) and centralizes account lifecycle management by provisioning and deprovisioning users into each SaaS application from a single directory, typically over SCIM.

Exam trap

The trap here is that candidates may confuse 'shared accounts' (Option B) with SSO, not realizing that shared accounts lack individual accountability and cannot enforce per-user MFA or conditional access policies.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in each SaaS application violates the requirement for a single corporate login, does not enforce MFA based on device trust, and fragments account lifecycle management across silos. Option B is wrong because shared accounts for each department break non-repudiation and audit trails, password vaults do not provide SSO or conditional access, and they fail to centralize lifecycle management per user. Option D is wrong because forcing a VPN before SaaS logins does not give users a single login; each application would still need its own account, MFA could not be conditioned on device trust at the application, and removing federation discards the one mechanism that centralizes lifecycle management.

27
MCQeasy

A security team wants to know whether a workstation has drifted away from the approved hardened configuration after several months of changes. What should they use to compare the current state against the approved setup?

A.A file compression tool
B.A configuration baseline
C.A password vault
D.A network cable tester
AnswerB

A baseline defines the approved secure configuration and serves as the reference for drift checks.

Why this answer

A configuration baseline is the approved hardened state of a system, typically captured as a snapshot of settings, registry keys, file permissions, and installed software. By comparing the current workstation state against this baseline using tools like Microsoft Security Compliance Toolkit or CIS-CAT, the team can detect drift—unauthorized changes that deviate from the secure configuration. This is the standard method for maintaining compliance and security posture over time.

Exam trap

The trap here is that candidates confuse a configuration baseline with a backup or recovery tool, thinking a file compression tool could somehow 'compare' states, when in fact baselines are specifically designed for compliance drift analysis.

How to eliminate wrong answers

Option A is wrong because a file compression tool (e.g., WinRAR, gzip) only reduces file size for storage or transfer; it cannot compare system configurations or detect drift from a security baseline. Option C is wrong because a password vault (e.g., KeePass, LastPass) securely stores credentials but has no capability to assess system hardening or compare configuration states. Option D is wrong because a network cable tester verifies physical cabling continuity and pin-out and has nothing to do with software or security configuration.
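What a drift check actually does is mechanical: capture the approved state as file hashes and named settings, capture the current state the same way, and diff the two. The following is an added example of that comparison, not part of the question bank and not a hardening tool; the baseline format, the setting names and the sample files are constructed so it runs offline in a temporary directory.

```python
"""Detect configuration drift by comparing a workstation's state with an approved baseline.

Added example for question 27; it is not part of the question bank and not a
hardening tool. The baseline format (file hashes plus named settings), the
setting names and the sample files are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, settings):
    """Capture current state: a hash of every file under root plus the given settings."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    return {"files": files, "settings": dict(settings)}


def compare(baseline, current):
    """Return drift between the approved baseline and the current snapshot.

    changed / missing / unexpected list file paths; settings lists
    (name, approved value, current value) for every setting that differs or is gone.
    """
    drift = {"changed": [], "missing": [], "unexpected": [], "settings": []}
    for rel, digest in baseline["files"].items():
        if rel not in current["files"]:
            drift["missing"].append(rel)
        elif current["files"][rel] != digest:
            drift["changed"].append(rel)
    drift["unexpected"] = sorted(set(current["files"]) - set(baseline["files"]))
    for key, approved in baseline["settings"].items():
        actual = current["settings"].get(key)
        if actual != approved:
            drift["settings"].append((key, approved, actual))
    for key in ("changed", "missing", "settings"):
        drift[key].sort()
    return drift


def is_compliant(drift):
    """True when nothing deviates from the baseline."""
    return not any(drift.values())


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a toy workstation in a temp dir, baseline it, apply months of changes, report drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        approved = {"firewall_enabled": True, "screen_lock_seconds": 600, "secure_boot": True}
        baseline = snapshot(root, approved)

        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")   # weakened setting
        os.remove(os.path.join(root, "etc", "hosts"))              # approved file gone
        _write(root, "etc/rc.local", "/opt/tools/agent start\n")   # file nobody approved
        current = snapshot(root, {"firewall_enabled": False, "screen_lock_seconds": 600})
        return compare(baseline, current)


if __name__ == "__main__":
    result = demo()
    print("compliant:", is_compliant(result))
    for kind, items in result.items():
        for item in items:
            print(f"{kind:10} {item}")
```

The three file categories matter separately in practice: a changed file points at a weakened control, a missing file at a removed one, and an unexpected file at something installed outside change control. Real tools such as CIS-CAT do the same comparison against a much larger, vendor-maintained baseline.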

28
Multi-Selectmedium

A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.

Select 2 answers
A.Assigning user roles and approving access within the tenant.
B.Protecting the organization's data classification and sharing rules.
C.Patching the provider's underlying database engine.
D.Maintaining the vendor's physical data center power and cooling.
E.Replacing the provider's hypervisors during maintenance windows.
AnswersA, B

Customer organizations usually remain responsible for deciding who gets access and what role each user receives inside the SaaS tenant. The provider supplies the platform, but the customer controls business authorization decisions. This is a core shared responsibility item because access mistakes often come from tenant configuration rather than provider infrastructure.

Why this answer

Option A is correct because in a SaaS model, the customer retains administrative control over user identities, roles, and access permissions within their own tenant. The SaaS provider manages the underlying application and infrastructure, but the customer must configure role-based access control (RBAC) to enforce least privilege and approve access requests. This aligns with the shared responsibility model where identity and access management (IAM) at the application layer falls to the customer.

Option B is correct because the provider cannot know which records are sensitive, who outside the company may see them, or how long they must be kept; data classification, sharing settings, export rules, and retention policy are business decisions that remain the customer's responsibility in every cloud service model.

Exam trap

The trap here is that candidates often confuse infrastructure maintenance tasks (like patching databases or replacing hypervisors) with customer responsibilities, but in SaaS, the provider handles all underlying infrastructure while the customer only manages tenant-specific configurations and data governance.

29
MCQhard

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

A.Use LDAP directory synchronization for all partner users.
B.Use SAML 2.0 federation with trust relationships to the partner identity providers.
C.Use NTLM pass-through authentication to each partner account.
D.Use PAP over TLS so the portal can collect partner passwords securely.
AnswerB

SAML is well suited to browser-based federation and signed assertions from external identity providers.

Why this answer

SAML 2.0 federation is the correct choice because it enables the supplier portal to trust assertions from multiple external identity providers (IdPs) without creating local passwords. SAML uses XML-based tokens signed by the partner's IdP, allowing the portal to accept authentication claims via a trust relationship, which directly meets the requirement of avoiding separate local credentials for each partner.

Exam trap

The trap here is that candidates may confuse LDAP synchronization (which replicates accounts) with federation (which avoids storing accounts), or mistakenly think NTLM can be extended across organizational boundaries, when in fact NTLM is a legacy Windows challenge-response protocol that works only between parties sharing a Windows domain or trust relationship and has no mechanism for trusting an external identity provider.

How to eliminate wrong answers

Option A is wrong because LDAP directory synchronization would require the supplier to replicate partner user directories into a local LDAP store, which still creates local accounts and passwords, violating the requirement to avoid separate local passwords. Option C is wrong because NTLM pass-through authentication is a Windows-specific protocol designed for on-premises Active Directory environments and cannot be used to federate with external partner identity providers over the internet. Option D is wrong because PAP over TLS still delivers the partner's password to the portal; TLS protects it in transit, but the portal would be collecting and verifying partner credentials itself, which is the opposite of trusting the partner's IdP.

30
MCQmedium

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

A.Use the provider's default managed encryption keys for the storage service.
B.Rely on security groups and network ACLs to protect the document contents.
C.Use customer-managed encryption keys in the cloud KMS or HSM.
D.Enable automated snapshots so deleted files can be restored later.
AnswerC

Customer-managed keys give the organization direct control over encryption and key revocation, even while using the provider's infrastructure.

Why this answer

Customer-managed encryption keys (CMEK) in a cloud KMS or HSM let the organization own the key policy and key lifecycle: it decides which principals may use the key, can disable it or schedule its destruction, and can rotate it, all without involving the provider or moving the data. Stored objects are encrypted with data keys that are themselves wrapped by the customer's key, so disabling the key or removing a principal from the key policy makes the data undecryptable through that path immediately. The provider's storage service uses the key only under the policy the customer sets; with provider-managed default keys, the provider controls the key lifecycle and the customer has no independent way to revoke.

Exam trap

The trap here is that candidates often confuse network access controls (security groups/ACLs) with encryption-based access control, failing to recognize that only cryptographic controls can enforce decryption revocation independently of the provider.

How to eliminate wrong answers

Option A is wrong because provider-managed default encryption keys give the organization no ability to independently revoke access to the encrypted files; the provider retains control over the key lifecycle. Option B is wrong because security groups and network ACLs are network-layer controls that protect access to the VM but do not encrypt the document contents or control decryption; they cannot enforce file-level decryption revocation. Option D is wrong because automated snapshots provide backup and recovery capabilities but do not control decryption or enable revocation of access to encrypted files.
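The reason a customer-managed key gives independent revocation is the envelope structure: each document is encrypted under its own data encryption key (DEK), the DEK is wrapped under the customer's key encryption key (KEK), and the provider's storage only ever holds ciphertext plus wrapped DEKs. The following is an added example of that structure, not part of the question bank. `CustomerKms` is a minimal stand-in for a cloud KMS/HSM with key state and a key policy, and `toy_seal`/`toy_open` are a stand-in for AES-GCM built from HMAC-SHA256 so the example runs with the standard library only; they are not for real data.

```python
"""Envelope encryption under a customer-controlled key encryption key (KEK).

Added example for question 30; not part of the question bank. CustomerKms is a
minimal stand-in for a cloud KMS/HSM (key state plus a key policy naming the
principals allowed to use the key). toy_seal/toy_open stand in for AES-GCM using
only HMAC-SHA256 from the standard library so the example runs offline; they are
not for real data.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC with a fresh random nonce; returns nonce || ciphertext || tag."""
    enc_key, mac_key, nonce = _subkey(key, b"enc"), _subkey(key, b"mac"), os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()

def toy_open(key, blob, aad=b""):
    """Verify the tag before decrypting; any tampering raises ValueError."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsError(PermissionError):
    pass

class CustomerKms:
    """The customer owns key state and key policy; KEK material never leaves this object."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id, allowed_principals):
        self._keys[key_id] = {"material": os.urandom(32), "state": "Enabled",
                              "allowed": set(allowed_principals)}

    def disable_key(self, key_id):                  # revokes every consumer at once, reversibly
        self._keys[key_id]["state"] = "Disabled"

    def enable_key(self, key_id):
        self._keys[key_id]["state"] = "Enabled"

    def revoke_principal(self, key_id, principal):  # revokes one consumer through the key policy
        self._keys[key_id]["allowed"].discard(principal)

    def _authorize(self, key_id, principal):
        key = self._keys[key_id]
        if key["state"] != "Enabled":
            raise KmsError(f"{key_id} is {key['state']}")
        if principal not in key["allowed"]:
            raise KmsError(f"{principal} is not allowed by the key policy of {key_id}")
        return key["material"]

    def generate_data_key(self, key_id, principal):
        """Return (plaintext DEK, DEK wrapped under the KEK); the caller discards the plaintext after use."""
        dek = os.urandom(32)
        return dek, toy_seal(self._authorize(key_id, principal), dek, aad=key_id.encode())

    def decrypt_data_key(self, key_id, principal, wrapped_dek):
        return toy_open(self._authorize(key_id, principal), wrapped_dek, aad=key_id.encode())


# Provider side: the storage service only ever holds ciphertext plus a wrapped DEK.
def store_document(kms, key_id, principal, document):
    dek, wrapped = kms.generate_data_key(key_id, principal)
    return {"key_id": key_id, "wrapped_dek": wrapped, "ciphertext": toy_seal(dek, document)}

def read_document(kms, record, principal):
    dek = kms.decrypt_data_key(record["key_id"], principal, record["wrapped_dek"])
    return toy_open(dek, record["ciphertext"])

def can_read(kms, record, principal):
    """True if the principal can decrypt the record under the current key policy and key state."""
    try:
        read_document(kms, record, principal)
        return True
    except KmsError:
        return False
```

Two revocation paths are shown: `revoke_principal` edits the key policy and cuts off one consumer while others keep working, and `disable_key` flips the key state and cuts off everyone at once, reversibly. Neither touches the stored records, which is why the organization can revoke without involving, or leaving, the provider. A real KMS adds audit logging of every `generate_data_key` and `decrypt_data_key` call, which is the same audit trail question 16 asks for.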

31
Multi-Selecteasy

A team is moving a workload to infrastructure as a service (IaaS). Which two items are usually the customer's responsibility? Select two.

Select 2 answers
A.Patch the guest operating system running on the cloud virtual machine.
B.Replace failed power supplies in the cloud provider's data center.
C.Configure the application's user permissions and access settings.
D.Maintain the cloud provider's hypervisor firmware.
E.Manage the physical firewall blades inside the provider's facility.
AnswersA, C

In IaaS, the customer typically manages the guest operating system, including security updates and configuration. Unpatched operating systems remain a common path to compromise.

Why this answer

In an IaaS model, the customer is responsible for managing the guest operating system, including applying security patches and updates, because the cloud provider only manages the underlying physical infrastructure and hypervisor while the customer controls the OS and applications running on the virtual machine. The customer is likewise responsible for the application layer, including configuring user permissions and access settings; the provider has no visibility into who should be allowed to do what inside the customer's application.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly thinking the provider handles all OS-level patching, but in IaaS, the customer retains full control and responsibility for the guest OS and application configuration.

32
MCQmedium

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

A.Place all three servers on the same private subnet and control access only with strong passwords.
B.Put the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone.
C.Put the database in the public zone so the web tier can query it directly from the internet.
D.Use a single reverse proxy for all three servers and disable network segmentation to simplify management.
AnswerB

This tiered placement supports a classic defense-in-depth design. The web server is internet-facing, the application tier is not directly exposed, and the database is placed in the most restricted zone. Network rules then allow only the necessary north-south and east-west traffic between tiers.

Why this answer

Option B is correct because it implements a classic three-tier architecture with network segmentation. The web server in a public zone (DMZ) accepts internet traffic, the application server in a private zone is isolated from direct internet access and only reachable by the web tier, and the database server in an isolated internal zone is only reachable by the application tier. This design enforces the principle of least privilege and minimizes the attack surface by using firewalls or security groups to restrict traffic between tiers.

Exam trap

The trap here is that candidates often confuse 'private subnet' with 'security' and fail to recognize that without network segmentation, a single compromised server can lead to full lateral access, or they mistakenly think placing the database in a public zone is acceptable for direct queries.

How to eliminate wrong answers

Option A is wrong because placing all three servers on the same private subnet with only strong passwords fails to provide network segmentation; if the web server is compromised, an attacker can directly access the application and database servers without any network-level barriers. Option C is wrong because placing the database in the public zone exposes it directly to the internet, violating the requirement that the database server can only be reached by the application tier and creating a severe security risk. Option D is wrong because using a single reverse proxy for all three servers and disabling network segmentation eliminates the isolation between tiers, allowing an attacker who compromises the proxy to reach all servers directly, contradicting the design requirement.

33
Multi-Selecthard

A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.

Select 3 answers
A.Require signed, scanned images from an approved registry before deployment.
B.Run each container as root so file permissions inside the container do not block apps.
C.Use namespaces and network policies to separate the workloads by trust zone.
D.Mount the host filesystem into every pod so support staff can troubleshoot more quickly.
E.Run containers with the minimum Linux capabilities and a read-only root filesystem where possible.
AnswersA, C, E

Image signing and scanning help ensure the cluster only deploys trusted builds that have been checked for known vulnerabilities. Using an approved registry adds supply-chain control and reduces the chance of pulling tampered or unreviewed images. This directly addresses the risk of altered or unsafe container content entering production.

Why this answer

Requiring signed, scanned images from an approved registry ensures that only trusted, vulnerability-free images are deployed. Image signing (e.g., using Docker Content Trust or Notary) verifies the image's integrity and origin, preventing tampered images from being deployed. Scanning catches known vulnerabilities before runtime, reducing the attack surface.

This directly addresses the risk of deploying an altered image.

Exam trap

The trap here is that candidates often think running containers as root is necessary for app functionality, but Kubernetes security best practices (and the CIS Benchmark for Kubernetes) explicitly require running containers with non-root users and read-only root filesystems to limit damage from a compromise.

34
MCQmedium

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

A.Implement MAC address filtering on the guest SSID to allow only authorized guest devices.
B.Place the guest wireless network on a separate VLAN with a firewall rule blocking inbound traffic to the corporate VLAN.
C.Disable SSID broadcast for the guest network to make it less discoverable.
D.Require guests to accept a captive portal agreement before gaining internet access.
AnswerB

This is the most critical configuration because it enforces network segmentation at Layer 3. The guest VLAN is isolated from the corporate VLAN by the firewall, preventing any direct access to internal resources.

Why this answer

The most critical configuration is to isolate the guest network from the corporate network. Placing the guest SSID on a separate VLAN and implementing a firewall rule that blocks inbound traffic from the guest VLAN to the corporate VLAN ensures that even if a guest device is compromised or malicious, it cannot initiate connections to internal corporate resources. This leverages network segmentation and access control lists (ACLs) to enforce the principle of least privilege.

Exam trap

The trap here is that candidates focus on wireless security protocols (WPA3-SAE vs. Enterprise) or SSID hiding, but the exam tests the understanding that network segmentation and firewall rules are the critical controls for preventing unauthorized access between different trust zones, regardless of the wireless encryption method used.

How to eliminate wrong answers

Option A is wrong because MAC address filtering is a weak security control that can be easily bypassed by MAC spoofing and does not prevent a guest device from accessing internal resources once connected; it only restricts which devices can associate with the SSID. Option C is wrong because disabling SSID broadcast (cloaking) only hides the network name from beacon frames, which is a trivial security-through-obscurity measure that does not prevent a connected guest from accessing internal corporate resources; it does not provide any access control or segmentation.

35
Multi-Selectmedium

A company wants employees to sign in once to several SaaS apps, while the security team also wants to require extra verification when users sign in from unmanaged devices or unusual locations. Which two architecture changes best satisfy both requirements? Select two.

Select 2 answers
A.Federate authentication to a central identity provider.
B.Enable conditional access policies based on device posture and sign-in risk.
C.Create separate passwords for each SaaS app so compromise is contained.
D.Turn off MFA because single sign-on already reduces logins.
E.Use shared generic accounts for contractors to simplify onboarding.
AnswersA, B

Federation allows the organization to centralize authentication and give users a single identity across multiple SaaS applications. That is the architectural foundation for single sign-on because the SaaS apps trust the central identity provider instead of storing separate credentials. It also makes access governance easier because one identity system can enforce stronger controls and lifecycle management.

Why this answer

Option A is correct because federating authentication to a central identity provider (IdP) enables single sign-on (SSO) across multiple SaaS apps using standards like SAML 2.0 or OIDC. This allows employees to sign in once, while the IdP becomes a centralized point to enforce additional security controls.

Exam trap

The trap here is that candidates may think SSO eliminates the need for MFA or that separate passwords improve security, but the question specifically requires both single sign-on and extra verification for risky scenarios, which only federation plus conditional access can deliver.

36
MCQmedium

Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes?

Exhibit:
2026-04-25 09:14:03 iam:AttachRolePolicy user=alice
2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice
2026-04-25 09:16:22 s3:PutBucketPolicy user=alice

Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.

A.Enable cloud control-plane audit logging such as CloudTrail or the provider equivalent.
B.Install a rootkit detector on each workload and ignore management-plane activity.
C.Capture only DNS traffic, because it reveals all admin changes indirectly.
D.Rely on manual change tickets in a spreadsheet because cloud platforms do not record useful logs.
AnswerA

This is the best choice because the exhibit shows API-level changes to identity, networking, and storage policies. Control-plane audit logging records who made those changes, what action was taken, and when it occurred. That creates the most useful evidence for investigations, change tracking, and compliance in a cloud environment.

Why this answer

Option A is correct because cloud control-plane audit logging (e.g., AWS CloudTrail, Azure Monitor, or GCP Cloud Audit Logs) captures all management-plane API calls—such as IAM role attachments, security group rule changes, and bucket policy modifications—as shown in the exhibit. This directly meets the requirement to track configuration changes across cloud resources, providing a tamper-proof audit trail for security and compliance.

Exam trap

The trap here is that candidates may confuse data-plane logging (e.g., VPC Flow Logs or DNS logs) with management-plane logging, or assume manual processes are sufficient, when the exhibit clearly shows API-level events that only a control-plane audit service can capture.

How to eliminate wrong answers

Option B is wrong because rootkit detectors focus on workload-level threats (e.g., malware in virtual machines) and do not log management-plane API calls or configuration changes; they ignore the control plane entirely. Option C is wrong because DNS traffic only reveals domain resolution queries, not the specific API calls or resource modifications made by administrators; it cannot reconstruct an audit trail of cloud administration changes. Option D is wrong because manual change tickets are error-prone, lack automation, and cannot capture the granular, timestamped API calls that cloud platforms natively log; relying on spreadsheets violates the principle of automated audit trails required for compliance.

37
Multi-Selecteasy

A company wants guest laptops on Wi-Fi to reach the internet, but not internal file servers or printers. Which two changes best support that design? Select two.

Select 2 answers
A.Place guest devices in a separate VLAN or subnet from employee devices.
B.Add ACL or firewall rules that block guest traffic from reaching internal private networks.
C.Put guests on the same VLAN as employees and rely on stronger Wi-Fi passwords.
D.Disable SSID broadcast so guests cannot discover the network name.
E.Allow guest devices to use the same DHCP scope as internal endpoints.
AnswersA, B

A separate VLAN or subnet creates a distinct trust zone for guests, which helps keep their traffic isolated from internal corporate systems. It is a standard first step in secure network segmentation and makes later filtering easier.

Why this answer

Placing guest devices in a separate VLAN or subnet (Option A) is a fundamental network segmentation technique that isolates guest traffic from the internal corporate network at Layer 2 and Layer 3. This ensures that guest laptops cannot directly communicate with internal file servers or printers unless explicitly routed, and it allows the administrator to apply distinct security policies to the guest subnet.

Exam trap

The trap here is that candidates often confuse hiding the SSID (Option D) with actual access control, or they mistakenly believe that a strong Wi-Fi password (Option C) is sufficient to protect internal resources from authenticated guests, when in fact network segmentation via VLANs and ACLs is required.

38
Multi-Selecthard

A cloud support team is replacing separate logins for several internal apps. The new design must support one sign-in, reduce the chance that a stolen session remains valid too long, and let the identity team revoke access centrally after termination. Which three controls best fit? Select three.

Select 3 answers
A.Implement SSO through federation with the identity provider as the source of truth.
B.Configure short idle and absolute session timeouts with reauthentication for sensitive actions.
C.Use MFA so the initial authentication requires something the user has or is.
D.Keep app-specific local accounts so each application can manage sessions independently.
E.Disable centralized logout so active sessions are never interrupted during maintenance.
AnswersA, B, C

Federation and SSO let one identity provider authenticate the user and then assert that identity to connected applications. This eliminates repeated logins while keeping authentication centralized. It also makes termination and access changes easier because the identity team controls the authoritative account.

Why this answer

Option A is correct because implementing SSO through federation with the identity provider (IdP) as the source of truth allows users to sign in once and access multiple internal apps without separate logins. This design centralizes authentication, so when the identity team revokes access after termination, the IdP denies all subsequent token requests, effectively invalidating sessions across all apps. Federation typically uses SAML 2.0 or OIDC, where the IdP issues signed assertions or ID tokens that apps trust, eliminating the need for app-specific credentials.

Exam trap

The trap here is that candidates may think MFA alone (Option C) satisfies the requirement to reduce stolen session validity, but MFA only strengthens initial authentication and does not control session duration or enable centralized revocation after termination.

39
MCQmedium

Based on the exhibit, which change would best reduce the attack surface of the public web server while preserving remote administration from the internal network?

A.Assign WEB01 a public IP address directly and remove the firewall rules.
B.Move WEB01 into a DMZ and allow only the reverse proxy or load balancer to reach it on HTTPS, with admin access limited to the jump host.
C.Place WEB01 on the same VLAN as user workstations so the firewall can inspect traffic more easily.
D.Keep the server where it is and add outbound web filtering to stop exploitation attempts.
AnswerB

A DMZ creates a separate trust boundary for the internet-facing service, limiting blast radius if the web server is compromised. Restricting inbound access to a proxy or load balancer reduces direct exposure, and allowing administration only from a jump host preserves controlled remote management. This is the strongest architectural improvement in the scenario.

Why this answer

Moving WEB01 into a DMZ and restricting inbound HTTPS traffic to only the reverse proxy or load balancer minimizes the server's exposure to the internet while still allowing external users to access the web application. Admin access from the internal network is preserved by limiting it to a jump host, which provides a controlled, audited entry point. This architecture follows the principle of least privilege and network segmentation, reducing the attack surface without sacrificing necessary functionality.

Exam trap

The trap here is that candidates often think placing a server on a separate VLAN or adding filtering is sufficient, but the key is using a DMZ with a reverse proxy to eliminate direct inbound connections and a jump host to control administrative access.

How to eliminate wrong answers

Option A is wrong because assigning a public IP directly to WEB01 and removing firewall rules would expose the server directly to the internet, vastly increasing the attack surface and eliminating all network-layer protection. Option C is wrong because placing WEB01 on the same VLAN as user workstations would bypass the firewall's ability to segment traffic, exposing the server to lateral movement from compromised workstations and violating the principle of network segregation. Option D is wrong because keeping the server in its current location and adding outbound web filtering does not reduce the inbound attack surface; it only attempts to mitigate exploitation after traffic reaches the server, leaving it directly accessible from the internet.

40
MCQmedium

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

A.Place the CDE servers on a separate subnet within the same VLAN as the corporate network, and rely on host-based firewalls on each server to deny all traffic except from specific administrative IP addresses.
B.Deploy a dedicated firewall that connects the corporate network to an isolated CDE segment. Configure firewall rules to allow only SSH and RDP from a specific jump box in the corporate network to the CDE servers, and deny all other inbound traffic from the corporate network.
C.Place the CDE servers on a separate VLAN with a Layer 3 switch that uses ACLs to allow only ICMP traffic from the corporate network to the CDE for monitoring, and require administrators to physically connect to the CDE network via a dedicated console server.
D.Connect the CDE servers directly to the internet through a web application firewall (WAF), and require all management access to occur through a cloud-based VPN with two-factor authentication.
AnswerB

A dedicated firewall provides strong network-level segmentation between the corporate network and the CDE. Using a jump box (bastion host) as the sole admin entry point limits exposure and allows for centralized logging and auditing. This design meets both isolation and authorized access requirements.

Why this answer

Option B is correct because it uses a dedicated firewall to create a true network isolation boundary between the corporate network and the CDE, which is a core PCI DSS requirement for reducing scope. By allowing only SSH and RDP from a specific jump box, it enforces strict least-privilege administrative access while preventing any direct or uncontrolled traffic from the corporate network. This design ensures that the CDE is a separate, protected segment with a single controlled entry point, meeting both isolation and authorized access needs.

Exam trap

The trap here is that candidates often think VLANs with ACLs (Option C) provide sufficient isolation, but PCI DSS requires a clear network segmentation boundary enforced by a firewall, not just Layer 3 ACLs or host-based controls.

How to eliminate wrong answers

Option A is wrong because placing CDE servers on a separate subnet within the same VLAN as the corporate network does not provide true isolation; VLANs share the same broadcast domain and rely on host-based firewalls, which are not sufficient for PCI DSS network segmentation and can be bypassed if the host is compromised. Option C is wrong because allowing only ICMP traffic from the corporate network does not enable the required administrative access (updates and monitoring typically need SSH, RDP, or similar protocols), and requiring physical console server access is impractical for routine remote administration. Option D is wrong because connecting CDE servers directly to the internet, even with a WAF and cloud VPN, violates PCI DSS requirements for network segmentation and exposes the cardholder data environment to external threats, increasing attack surface and scope.

41
MCQmedium

A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?

A.Enable only perimeter security groups and assume the cloud provider will collect all host telemetry.
B.Deploy an endpoint logging agent and enable cloud-native flow logs to a centralized logging service.
C.Store the VM snapshots in object storage and review them manually during incidents.
D.Rely on the hypervisor console and disable guest-level logging to reduce overhead.
AnswerB

This gives visibility into both host activity and network metadata, which is needed for practical monitoring and investigation.

Why this answer

Option B is correct because deploying an endpoint logging agent (e.g., auditd, osquery, or a SIEM agent) on the Linux VM captures OS login events and process activity at the guest level, while enabling cloud-native flow logs (e.g., AWS VPC Flow Logs, Azure NSG flow logs) provides network flow metadata. Sending both to a centralized logging service (e.g., AWS CloudWatch Logs, Azure Log Analytics, or a third-party SIEM) ensures all required telemetry is aggregated for alerting. This approach directly addresses the need for host-level and network-level visibility without relying on the cloud provider to collect guest OS internals.

Exam trap

The trap here is that candidates may assume cloud providers automatically collect guest OS telemetry (like login events and process activity) when they only provide infrastructure-level logs (e.g., hypervisor or network flow logs), leading them to choose Option A or D incorrectly.

How to eliminate wrong answers

Option A is wrong because perimeter security groups only filter network traffic at the cloud boundary and do not collect OS login events, process activity, or network flow metadata; the cloud provider does not automatically collect host-level telemetry from guest VMs. Option C is wrong because storing VM snapshots in object storage is a backup/recovery method, not a real-time logging solution, and manual review during incidents is too slow and impractical for continuous alerting. Option D is wrong because relying solely on the hypervisor console provides only hypervisor-level logs (e.g., VM start/stop), not guest OS login events or process activity, and disabling guest-level logging removes the very data needed for security monitoring.

42
MCQhard

A company runs payroll and HR application servers on the same VLAN because a redesign is not possible this quarter. Security wants to reduce lateral movement if one workload is compromised, but the team cannot renumber the environment or add new physical firewalls. Which control best fits the requirement?

A.Move the servers into a single larger subnet so internal routing is simplified
B.Implement microsegmentation with host-based or distributed firewall rules between workloads
C.Place the servers behind a network address translation device to hide their IP addresses
D.Rely on password rotation and MFA for administrative logins only
AnswerB

Microsegmentation is the best fit when the organization cannot redesign the network but still needs to isolate workloads more tightly. Host-based or distributed firewall rules can restrict east-west traffic between individual servers, even when they share the same VLAN. That reduces lateral movement far better than coarse VLAN-only separation and does not require renumbering the environment.

Why this answer

Microsegmentation using host-based or distributed firewall rules (e.g., via a hypervisor firewall or host firewall policies) allows the security team to enforce zero-trust east-west traffic controls between the payroll and HR servers without changing the VLAN, subnet, or adding physical firewalls. This directly reduces lateral movement by restricting communication to only what is necessary, even though both workloads share the same Layer 2 broadcast domain.

Exam trap

The trap here is that candidates often assume VLAN segmentation is the only way to isolate workloads, but the question explicitly prevents renumbering or adding firewalls, so the correct answer leverages host-based or distributed firewall rules to achieve microsegmentation without changing the network topology.

How to eliminate wrong answers

Option A is wrong because moving servers into a single larger subnet simplifies routing but does nothing to restrict lateral movement between workloads; in fact, it may increase the attack surface by placing more hosts in the same broadcast domain. Option C is wrong because placing servers behind a NAT device hides their IP addresses from external networks but does not restrict traffic between the two servers on the same VLAN; NAT operates at Layer 3/4 and does not enforce host-to-host segmentation within the same subnet. Option D is wrong because password rotation and MFA protect administrative logins but do not prevent a compromised workload from moving laterally to another server; they address authentication, not network-level or host-level traffic filtering.

43
Multi-Selecthard

A payment application must keep running if one application server fails, and the business can tolerate no more than 5 minutes of lost transactions and 30 minutes of downtime during a site outage. Which two controls best match the availability requirements? Select two.

Select 2 answers
A.Deploy at least two active application nodes behind a load balancer so one server failure does not interrupt service.
B.Use a cold site that is powered off until a disaster is declared.
C.Configure near-real-time database replication or synchronous replication to a standby so recent transactions are preserved.
D.Take nightly backups to meet the 5-minute recovery point objective.
E.Rely on weekly VM snapshots because they are faster than replication.
AnswersA, C

A load balancer with multiple active nodes removes the single-server dependency and lets traffic continue if one node fails or is taken down for maintenance. This directly addresses the requirement to survive an application server failure without stopping the service. It is a standard high-availability design for front-end and application tiers.

Why this answer

Option A is correct because deploying at least two active application nodes behind a load balancer ensures that if one server fails, traffic is automatically redirected to the remaining healthy node(s), achieving zero downtime for the application itself. This directly meets the requirement that the payment application must keep running if one application server fails, without any interruption to service.

Exam trap

The trap here is that candidates often confuse recovery point objective (RPO) with recovery time objective (RTO), mistakenly choosing nightly backups (Option D) or weekly snapshots (Option E) because they think any backup meets the RPO, but the 5-minute RPO requires near-continuous data protection, not periodic backups.

44
Multi-Selecthard

A company is redesigning a customer portal. Internet users must reach only the web tier, the web tier must talk to the application tier, and the application tier must talk to the database tier. The security team also wants to reduce lateral movement if one server is compromised. Which three changes best meet these goals? Select three.

Select 3 answers
A.Place the web tier in a DMZ and publish only the reverse proxy or load balancer to the internet.
B.Put the web, application, and database servers in the same flat VLAN so routing is simpler.
C.Place the database tier in a separate internal subnet and allow traffic only from the application tier.
D.Use host-based or microsegmentation rules to restrict east-west traffic between tiers.
E.Give the database tier direct internet access for vendor patching and cloud backups.
AnswersA, C, D

A DMZ keeps the internet-facing systems in a separate trust zone, so the public attack surface is limited to the web layer. If one web server is compromised, the attacker does not automatically gain access to the application or database tiers. Putting only the reverse proxy or load balancer online further reduces exposure and centralizes filtering.

Why this answer

Option A is correct because placing the web tier in a DMZ and publishing only the reverse proxy or load balancer to the internet ensures that external users can only reach the web tier, not the application or database tiers. This aligns with the requirement to restrict internet access to the web tier only, while the reverse proxy or load balancer can inspect and forward traffic, reducing the attack surface. It also supports the goal of reducing lateral movement by isolating the web tier from internal networks.

Exam trap

The trap here is that candidates may think a flat VLAN simplifies routing and is acceptable for security, but CompTIA tests the principle of least privilege and network segmentation, where a flat network fails to prevent lateral movement after a breach.

45
Matchingmedium

A company is redesigning how systems are separated in its office and data center network. Match each network design element to the scenario it best supports. Use each term once.


A subnet that hosts public-facing web servers while keeping them separated from the internal LAN.

Separating finance and engineering workstations on the same switches into different broadcast domains.

A rule set that allows only TCP 8443 from the web tier to the application tier and denies everything else.

Restricting east-west traffic between individual workloads inside the same data center or cloud cluster.

Grouping systems that share similar security requirements and access assumptions for policy design.

Why these pairings

VLANs separate broadcast domains, subnets divide IP networks, ACLs filter traffic, DMZs isolate public servers, VPNs provide secure remote access, and NAT translates private to public IPs.

46
MCQmedium

Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications?

Exhibit:
- SaaS A uses local user accounts
- SaaS B uses local user accounts
- SaaS C supports SAML and automated provisioning
- Help desk reports 120 password reset tickets per month
- Former employees can remain active in two apps for up to 24 hours after termination

Management wants one sign-in and faster deprovisioning.

A.Implement federated SSO with the enterprise identity provider and automated provisioning for SaaS users.
B.Create one shared account for each application and store the passwords in a vault.
C.Keep local accounts in every SaaS app and reset passwords whenever staff change roles.
D.Put the SaaS apps behind a network firewall and use source IP filtering instead of identity.
AnswerA

This is the best answer because federation centralizes authentication, and automated provisioning improves lifecycle management. Users sign in once through the identity provider, reducing password fatigue and help desk resets. When accounts are created, modified, or removed centrally, access changes can reach supported applications much faster, which helps with offboarding and reduces orphaned access.

Why this answer

Option A is correct because implementing federated SSO with the enterprise identity provider (IdP) centralizes authentication, allowing users to sign in once. Combined with automated provisioning (SCIM), it enables near-instant deprovisioning when an employee is terminated, eliminating the 24-hour delay and reducing password reset tickets by removing the need for local account management.

Exam trap

The trap here is that candidates confuse network-layer controls (firewall, IP filtering) with identity-layer solutions, failing to recognize that only federated SSO with automated provisioning addresses both single sign-in and rapid deprovisioning across SaaS apps.

How to eliminate wrong answers

Option B is wrong because shared accounts violate the principle of least privilege and non-repudiation; password vaults do not solve delayed offboarding or reduce password resets, as shared credentials still require manual rotation and do not integrate with identity lifecycle management. Option C is wrong because keeping local accounts and resetting passwords on role changes does not address the 120 monthly password reset tickets (it perpetuates them) and fails to provide faster deprovisioning, as local accounts remain active until manually disabled. Option D is wrong because network firewall and source IP filtering control access at the network layer, not the identity layer; they cannot enforce per-user authentication, single sign-on, or automated deprovisioning, and former employees could still access apps from allowed IPs.

47
MCQmedium

A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?

A.Create one shared partner account for each external company and reuse the same password.
B.Use federated identity with role mapping so the portal trusts each partner’s identity provider.
C.Synchronize every partner user into the manufacturer’s directory and require a separate password change.
D.Store partner passwords in the portal database and use password reset emails for access control.
AnswerB

Federation lets external users authenticate with their own identity provider while the manufacturer still controls authorization inside the portal. Role mapping converts trusted identity assertions into specific portal permissions, which avoids local account sprawl and simplifies offboarding at the partner side.

Why this answer

Federated identity with role mapping allows the manufacturer to trust authentication performed by each partner's own identity provider (IdP) using standards like SAML 2.0 or OpenID Connect. This eliminates the need for local accounts while enabling fine-grained access control through roles or attributes passed in the assertion, ensuring partners can only perform authorized actions in the portal.

Exam trap

The trap here is that candidates often confuse federation with synchronization, thinking that syncing user accounts into a local directory is the only way to control access, when in fact federation with role mapping provides both authentication delegation and authorization control without storing external user credentials.

How to eliminate wrong answers

Option A is wrong because a single shared account with a reused password violates the principle of least privilege, provides no audit trail for individual user actions, and creates a massive security risk if the password is compromised. Option C is wrong because synchronizing every partner user into the manufacturer's directory defeats the purpose of avoiding local account management, introduces synchronization latency and complexity, and forces partners to manage yet another set of credentials. Option D is wrong because storing partner passwords in the portal database is a direct violation of secure credential storage best practices (e.g., NIST SP 800-63B), and relying on password reset emails for access control is insecure and unscalable for multiple external organizations.

48
MCQ · medium

A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?

A. A second application server configured as an active-passive failover pair with health checks.
B. A cold backup server that is started manually after the outage is detected.
C. A multi-region active-active deployment with global traffic steering.
D. Additional RAID storage in the application server to prevent service interruption.
Answer: A

An active-passive pair provides automatic failover for a single server failure without the cost and complexity of a larger multi-node design. Health checks let the standby take over when the primary becomes unavailable, which matches the stated availability goal and budget constraint.

Why this answer

Option A is correct because an active-passive failover pair with health checks provides automatic failover at the lowest complexity and cost. The passive server remains on standby, and health checks (e.g., ICMP, TCP port checks, or HTTP GET requests) detect application server failure, triggering automatic IP or service takeover. This meets the requirement for automatic failover without the expense and complexity of active-active or multi-region designs.

Exam trap

The trap here is that candidates often confuse high availability with disaster recovery, assuming that a cold backup or RAID storage provides automatic failover, when in fact only a hot standby with health checks meets the automatic requirement without over-engineering the solution.

How to eliminate wrong answers

Option B is wrong because a cold backup server that is started manually does not provide automatic failover; it requires human intervention, which violates the requirement for automatic failover. Option C is wrong because a multi-region active-active deployment with global traffic steering is far more complex and expensive than needed for a single application server failure; it introduces DNS-level steering, cross-region replication, and higher operational overhead. Option D is wrong because additional RAID storage only protects against disk failure within the server, not against the entire application server failing; it does not provide any server-level redundancy or failover capability.

49
MCQ · medium

Based on the exhibit, which cloud service model best fits the application's operational and security requirements?

A. Infrastructure as a Service (IaaS), because it gives full control over the guest operating system.
B. Platform as a Service (PaaS), because it offloads OS and runtime maintenance while preserving application control.
C. Software as a Service (SaaS), because the organization would not need to maintain anything.
D. Colocation, because the team can place its own servers in a provider facility and manage everything directly.
Answer: B

PaaS fits the requirements because the provider manages the underlying platform, including OS patching, runtime maintenance, and scaling features. The development team can still deploy code and manage the application layer and data model, which matches the scenario. This is a strong secure-service-selection choice when the goal is to reduce patching burden without giving up application control.

Why this answer

The exhibit shows an application that requires the organization to manage the application code and data while offloading the underlying OS, runtime, and middleware maintenance. Platform as a Service (PaaS) provides this exact split: the cloud provider handles the OS patches, runtime updates, and infrastructure scaling, while the organization retains full control over the application deployment and configuration. This matches the requirement of preserving application control without the overhead of managing the guest OS.

Exam trap

The trap here is that candidates see 'full control' in option A and assume it is always better for security, but the question's requirement to offload OS maintenance makes PaaS the correct choice—IaaS would actually increase the security burden by requiring the organization to manage guest OS hardening and patching.

How to eliminate wrong answers

Option A is wrong because IaaS gives full control over the guest OS, but the requirement specifically states the organization does not want to manage the OS or runtime—IaaS would force them to handle patching, hardening, and maintenance of the OS, which contradicts the operational need. Option C is wrong because SaaS would offload everything, including application control, but the requirement explicitly says the organization must preserve control over the application code and data—SaaS removes that control entirely. Option D is wrong because colocation requires the organization to manage all hardware, OS, and software layers themselves, which is the opposite of offloading OS and runtime maintenance; it also introduces physical security and hardware lifecycle burdens not aligned with the stated requirements.

50
Multi-Select · easy

A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.

Select 2 answers
A. Place the web server in a DMZ or public-facing zone.
B. Allow inbound traffic from the internet directly to the application servers.
C. Restrict the application tier so only the web tier can initiate connections to it.
D. Put the database on the guest Wi-Fi VLAN.
E. Use the same flat network for all three tiers.
Answers: A, C

A DMZ is the standard place for internet-facing services because it creates a controlled boundary between public traffic and internal systems. It lets the web tier accept external requests without exposing deeper resources.

Why this answer

Option A is correct because placing the web server in a DMZ (demilitarized zone) or public-facing zone allows internet traffic to reach only the web tier while isolating the internal network. This is a standard security architecture where the DMZ acts as a buffer, and firewall rules permit inbound HTTP/HTTPS (ports 80/443) only to the web servers, not to the application or database tiers.

Exam trap

The trap here is that candidates may think placing the app tier behind a firewall alone is sufficient, but they must also explicitly restrict inbound connections to the app tier so that only the web tier can initiate them, not just block the internet; otherwise internal lateral movement or misconfigured rules could still expose the app tier.

51
Matching · easy

Match each cloud security concept to the best description.

Concepts
Matches

Defines which security tasks belong to the cloud provider and which remain with the customer

Separates one customer's cloud resources from another customer's resources

Uses the provider's logging service to record workload and control-plane activity

Places workload resources where they are not directly exposed to the internet

Why these pairings

Each cloud security concept is matched to its primary function: encryption protects data at rest or in transit, IAM manages access, SIEM provides event analysis, IDS detects intrusions, and DLP prevents data loss.

52
MCQ · easy

Employees use one corporate login to sign in to email, the ticketing portal, and the HR application. After signing in once, the other apps accept the same identity without separate passwords. What capability is this?

A. Single sign-on (SSO)
B. Federation
C. Multi-factor authentication (MFA)
D. Session timeout
Answer: A

SSO lets users authenticate once and access multiple connected applications without repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and gain access to multiple applications without re-entering credentials. In this scenario, the corporate login provides a token (e.g., Kerberos ticket or SAML assertion) that is accepted by the email, ticketing portal, and HR application, eliminating the need for separate passwords. This is the core capability of SSO.

Exam trap

CompTIA often tests the distinction between SSO and federation, where candidates mistakenly choose federation because they think 'multiple apps' implies different domains, but the key is that federation involves separate organizations, not just separate applications within the same organization.

How to eliminate wrong answers

Option B (Federation) is wrong because federation extends SSO across different organizations or domains, establishing trust relationships between separate identity providers, whereas the question describes a single corporate login within one organization. Option C (Multi-factor authentication) is wrong because MFA requires two or more verification factors (e.g., password + token), not the ability to reuse a single authentication across multiple apps. Option D (Session timeout) is wrong because session timeout is a security control that automatically ends a user's session after a period of inactivity, not a mechanism for sharing authentication across applications.

53
Matching · easy

Match each network segment to the best use in a small enterprise.

Concepts
Matches

Network segment for internet-facing services such as a public web proxy or reverse proxy

Segment for internal systems such as databases that should not be directly reachable from the internet

Restricted network used for switch, firewall, and server administration traffic

Internet-only network for visitors and unmanaged devices

Why these pairings

Each segment serves a specific purpose: guest Wi-Fi for external users, DMZ for public services, internal LAN for daily operations, management for device control, data center for core infrastructure, VPN for secure remote access.

54
Multi-Select · easy

A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.

Select 2 answers
A. Put finance systems in a separate VLAN.
B. Use firewall or ACL rules between the VLANs.
C. Remove the default gateway from all finance devices.
D. Place all systems in one flat subnet.
E. Use hubs instead of switches to simplify traffic flow.
Answers: A, B

A separate VLAN creates logical separation between finance devices and general users. This reduces lateral movement and makes it easier to apply different security rules.

Why this answer

Placing finance systems in a separate VLAN (Option A) segments the LAN into isolated broadcast domains, preventing general users from directly accessing finance workstations at Layer 2. This is a foundational step for network segmentation, as VLANs logically separate traffic without requiring physical re-cabling.

Exam trap

The trap here is that candidates often think VLANs alone provide security, forgetting that inter-VLAN routing is enabled by default on most switches, so ACLs or firewall rules are mandatory to actually restrict traffic between VLANs.

55
MCQ · medium

A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

A. Put all three tiers on one private subnet and rely on host firewalls.
B. Use a three-tier layout with a DMZ, an application zone, and a database zone separated by firewalls.
C. Place the database in the DMZ so the web tier has lower latency.
D. Use NAT for the database server and allow inbound access from the internet.
Answer: B

This design creates clear trust boundaries and lets each tier communicate only with the next tier as required.

Why this answer

Option B is correct because it implements a classic three-tier architecture with separate security zones (DMZ, application zone, database zone) each protected by firewalls. This ensures that only the web tier in the DMZ accepts public traffic, the application tier is isolated and reachable only from the web tier via firewall rules, and the database tier is further isolated and reachable only from the application tier. This layered defense aligns with the principle of defense in depth and minimizes the attack surface by enforcing strict east-west traffic segmentation.

Exam trap

The trap here is that candidates may assume a single subnet with host firewalls is sufficient for segmentation, but CompTIA tests the understanding that network-level firewalls are required to enforce strict traffic flow between tiers and prevent lateral movement in a multi-tier architecture.

How to eliminate wrong answers

Option A is wrong because placing all three tiers on a single private subnet with only host firewalls fails to provide network-level segmentation; a compromise of the web server would allow direct lateral movement to the application and database servers, bypassing the intended access controls. Option C is wrong because placing the database in the DMZ exposes it directly to public traffic, violating the requirement that the database be reachable only from the application tier and increasing the risk of data exfiltration. Option D is wrong because using NAT for the database server and allowing inbound access from the internet directly contradicts the requirement that the database be reachable only from the application tier; this would expose the database to external threats.

56
MCQ · medium

A company is publishing an internet-facing customer portal that must also query an internal database containing order history. Security wants to reduce the chance that a compromise of the portal exposes the database directly. Which design is the best choice?

A. Place the database in the same subnet as the web server and rely on host-based antivirus.
B. Place the portal in a DMZ and keep the database on an internal network with firewall rules allowing only required traffic.
C. Use NAT so the internal database does not have a public IP address.
D. Move both systems behind a VPN and require users to authenticate before visiting the portal.
Answer: B

This creates a clear trust boundary, limits exposure of the database, and restricts traffic to only the necessary application flow.

Why this answer

Option B is correct because placing the portal in a DMZ and keeping the database on an internal network with firewall rules that permit only required traffic (e.g., specific ports like 1433/TCP for SQL Server or 3306/TCP for MySQL) creates a defense-in-depth architecture. This design ensures that even if the web server is compromised, the attacker cannot directly access the database from the internet, as the internal network is isolated by the firewall and only allows traffic from the DMZ to the database on necessary ports.

Exam trap

The trap here is that candidates often confuse NAT with a security control, thinking it hides the database from attackers, but NAT alone provides no access control or network segmentation, so a compromised portal can still reach the database if they share a network.

How to eliminate wrong answers

Option A is wrong because placing the database in the same subnet as the web server eliminates network segmentation, meaning a compromise of the portal would give an attacker direct Layer 2 access to the database, and host-based antivirus is insufficient to prevent lateral movement or database exploitation. Option C is wrong because NAT only translates private IP addresses to public ones; it does not provide security isolation or prevent an attacker from reaching the database if the portal is compromised, as the database still resides on the same network segment. Option D is wrong because moving both systems behind a VPN and requiring user authentication does not isolate the database from the portal; once authenticated, users (or an attacker who compromises the portal) would have direct network access to the database, violating the principle of least privilege and network segmentation.

57
MCQ · easy

A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?

A. Add a second application server behind a load balancer.
B. Schedule nightly backups to a different storage account.
C. Buy a larger server with more CPU and memory.
D. Move the portal to a different subnet without changing the servers.
Answer: A

This is the best answer because it adds redundancy and allows traffic to continue flowing if one application server goes down. A load balancer can route users to the healthy server, which improves availability without requiring a much more expensive architecture. For a simple portal, this is a practical fault-tolerance upgrade that reduces the impact of a single server failure.

Why this answer

Adding a second application server behind a load balancer creates an active-passive or active-active cluster that provides redundancy. If one server fails, the load balancer automatically redirects traffic to the healthy server, ensuring continuous operation. This design is cost-conscious because it uses commodity servers rather than expensive vertical scaling, and it directly improves availability by eliminating the single point of failure.

Exam trap

The trap here is that candidates often confuse data protection (backups) with high availability (redundancy), or they think vertical scaling (bigger server) is a simpler solution, but the exam specifically tests the concept of eliminating a single point of failure through horizontal scaling and load balancing.

How to eliminate wrong answers

Option B is wrong because nightly backups to a different storage account protect against data loss but do not provide real-time failover or maintain service availability during a server failure. Option C is wrong because buying a larger server (vertical scaling) still leaves a single point of failure; if that one server fails, the portal goes down regardless of its size. Option D is wrong because moving the portal to a different subnet changes the network topology but does not add redundancy or failover capability; the same single server remains the sole point of failure.

58
MCQ · easy

After a server rebuild, a Windows administrator notices several unneeded services are still enabled, including Remote Registry and Print Spooler on a server that only hosts a database. What should the administrator do to reduce attack surface and keep the build consistent?

A. Install additional endpoint monitoring agents to compensate for the extra services.
B. Apply the approved secure baseline and disable unnecessary services.
C. Increase the disk encryption key size to protect the running services.
D. Move the server to a different subnet and leave the configuration unchanged.
Answer: B

A secure baseline defines the required hardened configuration and removes services that are not needed.

Why this answer

Applying an approved secure baseline and disabling unnecessary services (Option B) directly reduces the attack surface by removing potential entry points like Remote Registry (which allows remote modification of the registry) and Print Spooler (which has known privilege escalation vulnerabilities, e.g., CVE-2021-34527). This also ensures build consistency by enforcing a standardized configuration across all servers, which is critical for compliance and manageability in a Windows environment.

Exam trap

The trap here is that candidates may think adding monitoring or moving subnets compensates for insecure configurations, but the SY0-701 exam emphasizes that reducing attack surface requires removing unnecessary services, not just detecting or isolating them.

How to eliminate wrong answers

Option A is wrong because installing additional endpoint monitoring agents does not reduce the attack surface; it only adds detection capability for threats that exploit the unneeded services, leaving the vulnerabilities in place. Option C is wrong because increasing disk encryption key size (e.g., from AES-128 to AES-256 for BitLocker) protects data at rest but does not affect running services or reduce the attack surface from enabled network-facing services. Option D is wrong because moving the server to a different subnet does not disable the unnecessary services; it only changes network segmentation, and the services remain enabled and exploitable if an attacker gains access to that subnet.

59
MCQ · medium

A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?

A. Create separate local accounts in each cloud application and synchronize passwords manually.
B. Use federation with single sign-on through the corporate identity provider, such as SAML or OpenID Connect.
C. Configure RADIUS authentication directly on each cloud application so users can reuse one password.
D. Store one shared administrator password for all users in a password vault.
Answer: B

Federation with SSO lets the company authenticate users centrally while each cloud application trusts assertions from the identity provider. That supports one login experience, faster deprovisioning, and consistent enforcement of corporate authentication controls across all apps.

Why this answer

Option B is correct because federation with single sign-on (SSO) using the corporate identity provider (IdP) via SAML or OpenID Connect allows users to authenticate once with their corporate credentials. The cloud applications trust the IdP, so disabling a user in the corporate directory immediately revokes access across all applications without requiring separate password resets. This architecture decouples authentication from the applications and centralizes identity management.

Exam trap

The trap here is that candidates confuse RADIUS (a network access protocol) with web SSO protocols like SAML or OpenID Connect, mistakenly thinking RADIUS can provide centralized web authentication and access revocation across cloud applications.

How to eliminate wrong answers

Option A is wrong because creating separate local accounts in each cloud application with manual password synchronization does not provide single sign-on, does not centralize identity management, and disabling a user in the directory would not automatically remove access everywhere—each application would need separate account management. Option C is wrong because RADIUS is a protocol for network access control (e.g., VPN, Wi-Fi) and is not designed for web application authentication; configuring RADIUS directly on each cloud application would not enable SSO with the corporate identity platform and would require separate password management per application.

60
Multi-Select · hard

A Windows file server was rebuilt from a gold image, but later troubleshooting re-enabled Remote Desktop, SMBv1, and the Print Spooler. The security team wants to harden the host and catch the same configuration changes early in the future. Which three actions are the best fit? Select three.

Select 3 answers
A. Disable unnecessary services and remove legacy protocols that are not required.
B. Enforce the approved build with configuration management and drift alerts.
C. Limit administrative access to a dedicated management subnet or jump host.
D. Leave all management ports open so technicians can troubleshoot from anywhere.
E. Turn off logging to reduce the chance that attackers can see the server.
Answers: A, B, C

Disabling Remote Desktop, SMBv1, and the Print Spooler when they are not needed directly reduces attack surface. Legacy protocols and extra services are frequent entry points for attackers. A hardened file server should expose only the functions required for its role and nothing more.

Why this answer

Option A is correct because disabling unnecessary services like the Print Spooler and removing legacy protocols such as SMBv1 directly reduces the attack surface. SMBv1 is known for vulnerabilities like EternalBlue (MS17-010), and the Print Spooler has been exploited in PrintNightmare attacks. This aligns with the principle of least functionality, a core security architecture concept.

Exam trap

The trap here is that candidates may think leaving management ports open (D) is necessary for troubleshooting, but the question asks for hardening and early detection, not convenience, and turning off logging (E) is always a security anti-pattern.

61
MCQ · medium

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

A. VLANs
B. ACLs
C. DMZ
D. VPN
Answer: A

Correct. VLANs create separate broadcast domains at Layer 2, effectively isolating traffic between the guest and corporate networks on the same switch infrastructure.

Why this answer

VLANs (Virtual Local Area Networks) are the correct technology because they operate at Layer 2 (Data Link layer) of the OSI model, allowing network administrators to logically segment a physical switch into multiple isolated broadcast domains. By assigning the guest wireless network to a separate VLAN (e.g., VLAN 100) and the internal corporate network to another (e.g., VLAN 10), traffic between them is blocked at Layer 2 unless explicitly routed through a Layer 3 device with appropriate firewall rules. This directly enforces separation without requiring additional hardware, making VLANs the most appropriate and efficient choice for isolating guest traffic at Layer 2.

Exam trap

The trap here is that candidates often treat ACLs as a Layer 2 solution because they are commonly used for filtering, but ACLs operate at Layer 3/4 and cannot create broadcast-domain isolation; VLANs are the only Layer 2 mechanism listed that directly segments traffic at the Data Link layer.

How to eliminate wrong answers

Option B (ACLs) is wrong because ACLs (Access Control Lists) operate at Layer 3 (Network layer) or higher, filtering traffic based on IP addresses, ports, or protocols, not at Layer 2; they are applied on routers or Layer 3 switches to control routing decisions, not to create isolated broadcast domains. Option C (DMZ) is wrong because a DMZ (Demilitarized Zone) is a network architecture design used to host public-facing services (e.g., web servers) with controlled access from both internal and external networks, not a Layer 2 segmentation technology; it relies on VLANs or firewalls for isolation and does not inherently separate guest and internal traffic at Layer 2.

62
Multi-Select · easy

A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.

Select 2 answers
A. Place the application behind a load balancer with health checks.
B. Run the application on a single server with nightly backups.
C. Deploy at least two application servers in the same service pool.
D. Disable health checks to avoid false failovers.
E. Put the database on the public internet for easier access.
Answers: A, C

A load balancer can send traffic away from a failed server and toward healthy ones. Health checks are important because they let the platform detect when an instance should stop receiving requests.

Why this answer

Option A is correct because a load balancer with health checks can automatically detect a failed application server and redirect traffic to healthy servers, ensuring continuous availability. This is the simplest design that meets the requirement for automatic failover without manual intervention. Health checks typically use HTTP/HTTPS probes or TCP port checks to verify server responsiveness.

Exam trap

The trap here is that candidates may think a single server with backups (Option B) provides high availability, but backups only protect data, not uptime, and failover requires redundant servers and automatic traffic switching.

63
MCQ · easy

A development team stores container images in a registry before deployment. Security wants to reduce the chance of shipping vulnerable libraries or packages inside the image. What should the team do before release?

A. Run the container as root so startup problems are less likely.
B. Scan the image and rebuild it from an approved base image.
C. Open the container port on the host firewall so the image can be reached faster.
D. Add more CPU and memory to the cluster to improve image security.
Answer: B

Scanning and using approved base images helps catch vulnerable packages before deployment.

Why this answer

Scanning the image for known vulnerabilities (CVEs) and rebuilding it from an approved, hardened base image ensures that only trusted, patched libraries and packages are included. This directly reduces the attack surface by eliminating vulnerable components before the image is deployed to production.

Exam trap

The trap here is that candidates may confuse operational practices (like running as root or opening ports) with security controls that directly address software supply chain risks, or mistakenly think that adding resources can compensate for insecure image content.

How to eliminate wrong answers

Option A is wrong because running containers as root violates the principle of least privilege and increases the risk of privilege escalation if the container is compromised. Option C is wrong because opening a container port on the host firewall does not affect the security of the image's contents; it only changes network accessibility and may increase exposure. Option D is wrong because adding CPU and memory resources does not address software vulnerabilities; resource allocation has no impact on the security of libraries or packages within the image.

64
MCQ · easy

A customer portal must keep serving requests if one application server stops responding. The team wants traffic to be sent to whichever healthy server is available. Which design should they implement?

A. A load balancer in front of multiple application servers
B. A RAID 1 array in the application server
C. A snapshot of the application server before each update
D. A longer password policy for the portal administrators
Answer: A

A load balancer distributes requests across healthy servers and can stop sending traffic to failed nodes.

Why this answer

A load balancer distributes incoming traffic across multiple application servers and performs health checks (e.g., HTTP GET requests to a /health endpoint) to detect failures. If one server stops responding, the load balancer automatically routes requests only to the remaining healthy servers, ensuring continuous availability. This design directly meets the requirement for fault tolerance and active traffic distribution.

Exam trap

The trap here is that candidates confuse high availability (multiple servers with a load balancer) with data redundancy (RAID) or backup strategies (snapshots), thinking any form of redundancy solves the uptime requirement, but only a load balancer with health checks can actively reroute traffic away from a failed server.

How to eliminate wrong answers

Option B is wrong because RAID 1 (mirroring) provides disk-level redundancy for a single server, not application-level failover across multiple servers; it cannot route traffic away from a failed application server. Option C is wrong because a snapshot captures the state of a server at a point in time for backup or recovery, but it does not provide real-time traffic distribution or automatic failover when a server becomes unresponsive. Option D is wrong because a longer password policy improves authentication security for administrators but has no effect on server availability or traffic routing.

65
MCQ · medium

Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?

A. Enforce conditional access so only compliant MDM-enrolled devices can reach email and enable selective wipe for corporate data.
B. Require users to set a longer password on the email app and keep the current access policy.
C. Disable email on all mobile devices and force users to use desktop computers only.
D. Rely on a remote full factory reset whenever a device is lost or reported stolen.
Answer: A

Conditional access stops noncompliant or compromised devices from using corporate email even if they have valid credentials. Selective wipe is especially important for BYOD because it removes work data without erasing personal content. Together, these controls support both access control and privacy, which is the correct architectural balance for the scenario.

Why this answer

Option A is correct because it combines conditional access policies (e.g., Azure AD Conditional Access or Intune compliance policies) to block noncompliant devices from accessing corporate email, while using MDM selective wipe to remove only corporate data (e.g., email, documents) without affecting personal data on the device. This approach enforces security without requiring a full device wipe, preserving user privacy and IT control.

Exam trap

The trap here is that candidates often confuse full device wipe with selective wipe, assuming any remote wipe is acceptable, or they underestimate the importance of conditional access to enforce compliance before granting access.

How to eliminate wrong answers

Option B is wrong because requiring a longer password on the email app does not prevent noncompliant devices (e.g., jailbroken, missing patches) from accessing email, and it does not provide selective wipe capability. Option C is wrong because disabling email on all mobile devices is overly restrictive, reduces productivity, and fails to address the need for secure mobile access. Option D is wrong because a remote full factory reset wipes all personal data, violating user privacy and potentially causing data loss, whereas selective wipe targets only corporate data.

66
Multi-Select · medium

A security architect is evaluating a zero trust architecture (ZTA) for a remote workforce. Which three of the following components are essential to the implementation? (Choose three.)

Select 3 answers
A. A policy engine that continuously evaluates trust based on user identity, device health, and context.
B. A single, static firewall rule that allows all traffic from the corporate VPN IP range.
C. Microsegmentation to limit lateral movement even after initial access is granted.
D. A mandatory VPN for all remote users before accessing any resource.
E. Encryption of all traffic, including internal east-west communications.
F. Implicit trust for all devices that are connected to the internal network.

Why this answer

A policy engine is essential in zero trust architecture (ZTA) because it continuously evaluates trust based on user identity, device health, and context, dynamically granting or denying access. Microsegmentation is critical as it enforces granular access controls between workloads, preventing lateral movement even after an initial breach. Encrypting all traffic, including east-west communications, ensures data confidentiality and integrity across the network, aligning with the ZTA principle of never trusting and always verifying.

Exam trap

Cisco often tests the misconception that a VPN is a core component of zero trust, but ZTA actually replaces VPNs with more granular, identity-based access controls that do not assume network-level trust.

67
MCQ · medium

A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?

A. Keep one flat network and increase endpoint antivirus scanning frequency.
B. Place finance systems and user devices in separate VLANs and allow only the necessary print and business application traffic through filtering rules.
C. Move all printers into the finance VLAN to avoid managing inter-VLAN rules.
D. Disable printing so user workstations cannot communicate with any other device.
Answer: B

This design reduces lateral movement by separating high-value systems from general user devices. VLANs create logical segmentation, and targeted filtering permits only the traffic required for printing and approved business flows. It preserves functionality while sharply reducing the number of systems reachable after a compromise.

Why this answer

Option B is correct because segmenting the flat network into separate VLANs for finance systems and user devices enforces network segmentation, which limits lateral movement. By using VLANs and firewall rules to allow only necessary traffic (e.g., print jobs via IPP or SMB, and business application traffic), the organization reduces the attack surface while maintaining required functionality. This aligns with the principle of least privilege and zero trust architecture.

Exam trap

The trap here is that candidates often choose Option C, mistakenly thinking that consolidating printers into the finance VLAN simplifies management, but they overlook that printers are notoriously insecure and would become a bridge for lateral movement into the finance segment.

How to eliminate wrong answers

Option A is wrong because increasing endpoint antivirus scanning frequency does not prevent lateral movement on a flat network; once a user PC is compromised, the attacker can still freely move to other devices (including finance workstations) on the same broadcast domain. Option C is wrong because moving all printers into the finance VLAN would expose printers to finance systems without proper isolation, and printers often have weak security (e.g., default credentials, unpatched firmware), creating a pivot point for attackers to reach finance assets; it also fails to address the need for inter-VLAN rules to allow user print jobs. Option D is wrong because disabling printing breaks the stated requirement that printers continue to receive print jobs from users; it removes functionality instead of controlling the traffic.

68
MCQ · medium

Based on the exhibit, which cloud deployment choice best satisfies the workload requirements?

Exhibit: Workload requirements
- Processes regulated customer records
- Should not share underlying compute with other tenants if avoidable
- Team wants provider-managed hardware maintenance
- Application will run in a public cloud

Which deployment choice is the best fit?

A. Shared public tenancy on standard virtual machines.
B. Community cloud shared with other regulated organizations.
C. Public cloud with a dedicated host or equivalent single-tenant compute placement.
D. On-premises private cloud with company-owned servers and full hardware management.
Answer: C

This is the best match because it gives the organization stronger tenant isolation while still using provider-managed cloud infrastructure. A dedicated host or similar single-tenant placement reduces exposure to neighboring tenants and is well suited for regulated data without requiring the customer to buy and maintain physical servers. It balances security and operational convenience.

Why this answer

Option C is correct because a dedicated host or single-tenant compute placement in a public cloud ensures the workload does not share underlying physical hardware with other tenants, meeting the 'should not share underlying compute' requirement. It also provides provider-managed hardware maintenance and runs in a public cloud, aligning with all stated workload requirements for processing regulated customer records.

Exam trap

The trap here is that candidates may assume a 'community cloud' (Option B) meets the isolation requirement, but it still involves multi-tenant compute sharing unless explicitly configured with dedicated hosts, which the option does not state.

How to eliminate wrong answers

Option A is wrong because shared public tenancy on standard virtual machines inherently shares the underlying physical server with other tenants, violating the requirement to avoid sharing compute if possible. Option B is wrong because a community cloud, while shared with other regulated organizations, still involves multi-tenant compute sharing and does not guarantee single-tenant isolation; it also may not offer provider-managed hardware maintenance in the same way as a public cloud dedicated host. Option D is wrong because an on-premises private cloud with company-owned servers requires the team to manage hardware maintenance themselves, contradicting the requirement for provider-managed hardware maintenance.

69
Multi-Select · easy

A company wants visibility into who changed settings in its cloud account and what commands ran on a cloud VM. Which two log sources should the team enable first? Select two.

Select 2 answers
A. Cloud provider audit or API logs
B. Guest operating system event logs
C. Printer spooler logs
D. Browser history from employees' home PCs
E. DHCP lease logs from the office router
Answers: A, B

Audit and API logs record control-plane actions such as configuration changes, role updates, and security group edits. They are essential for tracking who changed cloud settings.

Why this answer

Cloud provider audit or API logs (Option A) capture all changes made to the cloud account via the provider's management plane, including who modified settings and when. Guest operating system event logs (Option B) record commands executed within the VM itself, such as PowerShell or bash commands, once command-line auditing (for example, PowerShell script block logging on Windows or auditd on Linux) is enabled, providing visibility into runtime activity. Together, these two sources cover both the control plane (account-level changes) and the data plane (VM-level commands) for comprehensive monitoring.

Exam trap

The trap here is that candidates often confuse guest OS logs with hypervisor logs or assume cloud provider logs alone are sufficient, missing that VM-level command execution requires OS-level logging.

70
Multi-Select · easy

A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.

Select 2 answers
A. Configuring who can access company mailboxes and administrative roles.
B. Applying security patches to the provider's mail servers.
C. Deciding what data may be stored in the service and how it is classified.
D. Replacing failed provider storage disks.
E. Hardening the provider's hypervisor.
Answers: A, C

Identity and access configuration is usually the customer’s responsibility in SaaS. The company must decide who gets access, what roles they receive, and how privileges are approved.

Why this answer

Option A is correct because in a SaaS model, the customer retains administrative control over user access and role-based permissions. This includes configuring mailbox permissions, setting up multi-factor authentication, and managing administrative roles within the provider's interface. The provider handles the underlying infrastructure, but identity and access management (IAM) remains the customer's responsibility.

Exam trap

Cisco often tests the misconception that 'patching' is always the customer's job, but in SaaS the provider handles all infrastructure patching, while the customer's responsibility is limited to configuration and data governance.

71
MCQ · medium

Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?

A. Ask the provider to patch the guest operating system on the VM.
B. Move SSH to a public IP on the VM so administrators can reach it more easily.
C. Restrict SSH through a bastion host or VPN and remove direct internet access to the VM.
D. Enable object storage versioning to protect the VM from unauthorized logins.
Answer: C

In IaaS, the customer owns network controls. A bastion or VPN keeps management traffic private and limited to approved admins.

Why this answer

Option C is correct because exposing SSH directly to the internet on a cloud VM creates a significant attack surface, allowing brute-force and credential-stuffing attacks. A bastion host (jump box) or VPN provides a controlled, authenticated entry point, while removing direct internet access to the VM ensures management traffic is isolated and audited. This aligns with the principle of defense in depth and the AWS/cloud best practice of using a bastion host for administrative access.

Exam trap

CompTIA often tests the misconception that patching (Option A) or moving the service to a public IP (Option B) solves exposure issues, when the real security flaw is the lack of network segmentation and a controlled access point like a bastion host or VPN.

How to eliminate wrong answers

Option A is wrong because patching the guest OS addresses software vulnerabilities but does not eliminate the exposed SSH management interface on the public internet; the core issue is network exposure, not missing patches. Option B is wrong because moving SSH to a public IP makes the management access even more exposed, increasing the attack surface and violating the principle of least privilege. Option D is wrong because object storage versioning is a data protection feature for recovering from accidental deletion or overwrite of objects; it has no relevance to securing VM management access or preventing unauthorized logins.

72
MCQ · hard

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

A. Run one server and keep nightly backups in cloud object storage.
B. Use two servers in one site behind a load balancer and maintain an asynchronously replicated warm standby site.
C. Deploy active-active multi-region capacity with identical production load in both regions.
D. Add RAID 1 and a spare power supply to the database server.
Answer: B

This provides local redundancy for server failure and a lower-cost secondary site for failover if the primary site is lost.

Why this answer

Option B is correct because it combines a load-balanced active-passive pair at the primary site with an asynchronously replicated warm standby at a secondary site. This design meets the requirement for automatic failover and continued service after a single server failure or primary site outage, while avoiding the cost of fully active multi-region capacity. Asynchronous replication ensures the standby site is ready to take over without requiring synchronous writes that would add latency or require identical production load.

Exam trap

The trap here is that candidates often confuse high availability (local redundancy) with disaster recovery (site-level failover), and incorrectly assume that RAID or backups alone satisfy the requirement for automatic failover after a site outage.

How to eliminate wrong answers

Option A is wrong because nightly backups in cloud object storage provide only point-in-time recovery, not automatic failover or near-continuous availability; a server failure would cause extended downtime while restoring from backup. Option C is wrong because active-active multi-region capacity with identical production load in both regions directly contradicts management's requirement to avoid paying for fully active production capacity in two regions. Option D is wrong because RAID 1 and a spare power supply protect only against local hardware failures (disk or power supply) within a single server, not against a server failure or a full site outage.

73
MCQ · easy

System administrators need to manage internal switches from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. What should be used?

A. Telnet over port 23 with an allow list on the firewall.
B. A VPN into the internal network, then SSH or HTTPS for administration.
C. RDP directly to the switch management interface from the public IP address.
D. Open the management port to the internet and rely on a long password.
Answer: B

This is the best answer because it keeps management interfaces off the public internet while still allowing secure remote administration. The VPN provides encrypted transport and can enforce strong user authentication, and SSH or HTTPS protects the device management session itself. This layered approach matches common best practice for remote admin access and reduces exposure of sensitive management services.

Why this answer

Option B is correct because a VPN creates an encrypted tunnel over the internet, protecting management traffic in transit. Once connected to the internal network, SSH (for CLI) or HTTPS (for web GUI) provides strong authentication and encryption for switch administration. This approach avoids exposing management ports directly to the internet, reducing the attack surface.

Exam trap

The trap here is that candidates may think Telnet with a firewall allow list is sufficient, overlooking that Telnet provides no encryption, or they may confuse RDP as a valid switch management protocol, when switches typically use SSH or HTTPS for administration.

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including credentials, in cleartext (no encryption), violating the encryption requirement. Option C is wrong because RDP is designed for remote desktop access to workstations, not for switch management interfaces, and exposing it directly to the internet bypasses the requirement to avoid direct exposure. Option D is wrong because opening the management port to the internet violates the requirement to avoid direct exposure, and relying solely on a long password does not provide strong authentication (e.g., no multi-factor or certificate-based authentication) and leaves the system vulnerable to brute-force attacks.

74
MCQ · medium

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

A. Implement a next-generation firewall and require all remote traffic to pass through it with strict rules.
B. Deploy a secure web gateway and require all remote users to browse through a proxy.
C. Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.
D. Enable multi-factor authentication for VPN and implement a VPN concentrator with split tunneling.
Answer: C

A software-defined perimeter (SDP) or zero trust network access (ZTNA) solution authenticates and authorizes each connection request individually, creating an encrypted tunnel only to the requested application. This prevents lateral movement because the user never receives a network-level address on the internal LAN.

Why this answer

Option C is correct because a software-defined perimeter (SDP) implements zero trust by authenticating both the user and device before granting access to specific applications, not the entire network. This prevents lateral movement by ensuring that even after authentication, the endpoint can only reach the allowed application, not the full LAN. This aligns with the zero trust principle of 'never trust, always verify' and micro-segmentation.

Exam trap

The trap here is that candidates often confuse 'stronger authentication' (MFA) or 'better firewalling' (NGFW) with zero trust, but zero trust requires eliminating implicit trust at the network layer by granting access only to specific applications, not the entire LAN.

How to eliminate wrong answers

Option A is wrong because a next-generation firewall (NGFW) with strict rules still provides network-layer access to the LAN after authentication, allowing lateral movement if the endpoint is compromised; it does not enforce per-application access. Option B is wrong because a secure web gateway (SWG) only proxies web traffic, not all remote access traffic, and does not restrict network-layer access to internal applications or prevent lateral movement. Option D is wrong because enabling MFA and split tunneling for a traditional VPN still grants full network-layer LAN access after authentication, allowing a compromised endpoint to move laterally; split tunneling actually increases risk by allowing direct internet access.

75
Multi-Select · hard

A customer portal must stay online if an entire site fails, and the company must also be able to recover if data is corrupted or encrypted by ransomware. Which two design choices best satisfy both requirements? Select two.

Select 2 answers
A. Use active-active or automatic failover between two sites with health checks.
B. Keep only RAID 1 inside each server, because mirroring alone handles site outages.
C. Maintain immutable offsite backups and test restores on a regular schedule.
D. Store nightly backups on the same storage array as the production data.
E. Replace the load balancer with a static DNS record for each server.
Answers: A, C

A second site with automatic failover or active-active traffic handling preserves availability when one location goes offline. Health checks let the load balancer or orchestration layer stop sending traffic to a failed site quickly. This directly addresses the requirement to keep the portal online during a total site outage.

Why this answer

Option A is correct because active-active or automatic failover between two sites with health checks ensures that if an entire site fails, traffic is automatically redirected to the surviving site, maintaining availability. This design satisfies the first requirement of staying online during a site failure by using redundant infrastructure and health monitoring to detect and react to outages.

Exam trap

The trap here is that candidates often assume RAID or local backups provide sufficient protection against site outages and ransomware, but RAID only handles disk failure and same-site backups are vulnerable to the same ransomware attack, so both requirements demand geographically separate, immutable backups and multi-site failover.
