CCNA Security Architecture Questions

75 of 221 questions · Page 2/3 · Security Architecture topic

76 · MCQ · easy

Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?

A. Keep guests on the same VLAN and rely on a separate Wi-Fi password.
B. Place guests on a separate VLAN and block internal access with ACLs.
C. Use stronger WPA3 encryption on the wireless network and leave the network flat.
D. Enable MAC address filtering on the switch and allow all ports to remain in the default network.

Answer: B

A separate VLAN creates logical segmentation, and ACLs enforce which networks the guests can reach.

Why this answer

Option B is correct because placing guest tablets on a separate VLAN segments traffic at Layer 2, and applying ACLs on the Layer 3 interface (SVI or router) blocks all routes to internal subnets while permitting internet access. This design ensures that even though guests share the same physical switches, their traffic is isolated from employee VLANs and cannot reach internal resources.

Exam trap

The trap here is that candidates confuse authentication/encryption methods (password, WPA3, MAC filtering) with network segmentation, failing to recognize that only Layer 2 VLAN separation combined with Layer 3 ACLs can enforce routing restrictions between subnets.

How to eliminate wrong answers

Option A is wrong because relying on a separate Wi-Fi password does not provide network segmentation; devices on the same VLAN can still communicate at Layer 2, and a guest could potentially discover and access internal hosts. Option C is wrong because stronger WPA3 encryption protects wireless traffic from eavesdropping but does not prevent a guest device from routing to internal subnets if the network is flat (no VLAN segmentation). Option D is wrong because MAC address filtering only controls which devices can connect to the switch port, but it does not restrict traffic between VLANs or subnets; leaving all ports in the default network allows guests to reach internal resources directly.

77 · MCQ · medium

A company wants employees to sign in once to access several SaaS applications, but it also wants to require MFA only when users connect from unmanaged devices or outside the corporate network. Which architecture best supports this goal?

A. Create separate usernames and passwords for each SaaS application and disable browser-based token sharing.
B. Implement federated identity with single sign-on and conditional access policies tied to device posture and network location.
C. Use local accounts in each SaaS application and rotate passwords every 30 days.
D. Grant all employees the same access role to simplify authentication and reduce support tickets.

Answer: B

Federation lets the organization use one identity provider for multiple SaaS applications, which enables single sign-on. Conditional access then adds policy-based decisions such as requiring MFA for unmanaged devices or external access. This combination is both more secure and more user-friendly than separate credentials or blanket MFA for every sign-in.

Why this answer

Option B is correct because federated identity with single sign-on (SSO) allows users to authenticate once and access multiple SaaS applications, while conditional access policies evaluate device posture (e.g., compliance status, managed vs. unmanaged) and network location (e.g., corporate IP range vs. external) to enforce MFA only when risk conditions are met. This architecture leverages standards like SAML 2.0 or OpenID Connect for SSO and integrates with device management systems (e.g., MDM) to assess device health before granting access.

Exam trap

The trap here is that candidates often confuse 'federated identity' with simple password synchronization or think that SSO alone handles MFA, missing the critical role of conditional access policies that dynamically enforce MFA based on device and network context.

How to eliminate wrong answers

Option A is wrong because creating separate usernames and passwords for each SaaS application eliminates SSO, forcing users to sign in repeatedly, and disabling browser-based token sharing does not address MFA requirements based on device or network context. Option C is wrong because using local accounts in each SaaS application with 30-day password rotation increases administrative overhead, fails to provide SSO, and does not support conditional MFA enforcement tied to device posture or network location. Option D is wrong because granting all employees the same access role violates the principle of least privilege, does not enable SSO, and provides no mechanism to enforce MFA based on device or network conditions.

78 · Multi-Select · hard

After a server rebuild, a Linux database host still has several unnecessary services enabled, including a graphical desktop, Telnet, and a printer service. The operations team wants a secure baseline that prevents the same drift from happening again after future maintenance. Which two actions best address the issue? Select two.

A. Remove the unused packages and disable the unnecessary services and ports.
B. Document the approved build and enforce it with configuration management or drift detection.
C. Allow administrators to enable any service they need without approval during maintenance windows.
D. Keep the default installation profile so vendor updates are easier to apply.
E. Open the firewall broadly and rely only on strong passwords.

Answers: A, B

Removing unused packages and disabling unneeded services directly reduces the server attack surface. Fewer active services means fewer listening ports, fewer vulnerabilities, and fewer opportunities for misuse. This is the most immediate hardening step when a server contains features that are not required for its role.

Why this answer

Removing unused packages and disabling unnecessary services directly reduces the attack surface by eliminating potential entry points like Telnet (which transmits credentials in cleartext) and unused printer services. This aligns with the principle of least functionality, ensuring only required services run on the Linux database host.

Exam trap

The trap here is that candidates may think removing services is sufficient without also enforcing the baseline via configuration management, or they may mistakenly believe that strong passwords alone can compensate for insecure services like Telnet.

79 · Multi-Select · hard

A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.

A. Place the public web tier in a DMZ behind a reverse proxy or WAF so the internet never reaches application or database hosts directly.
B. Put all three tiers on the same VLAN and depend on host-based firewalls to separate them.
C. Use a bastion host on a dedicated management network for all administrative access to the servers.
D. Allow administrators to SSH or RDP from the standard employee VLAN for faster troubleshooting.
E. Expose the database listener to the internet and require strong passwords for application connections.

Answers: A, C

A DMZ places the internet-facing web tier in a controlled network segment that can be tightly filtered and monitored. A reverse proxy or WAF further reduces exposure by terminating client connections and filtering malicious requests before they reach internal tiers. This design supports the requirement that only the web tier is reachable from the internet while preserving separation from the app and database layers.

Why this answer

Option A is correct because placing the public web tier in a DMZ behind a reverse proxy or WAF ensures that internet traffic is terminated at the proxy layer, which inspects and filters requests before forwarding them to the web servers. This architecture prevents direct internet access to the application or database tiers, enforcing the required isolation. The reverse proxy or WAF can also provide SSL/TLS termination, load balancing, and application-layer attack mitigation, aligning with the principle of defense in depth.

Exam trap

The trap here is that candidates often assume host-based firewalls are sufficient for network segmentation, but the SY0-701 exam emphasizes that proper network segmentation requires separate VLANs, ACLs, or firewall rules at the network layer, not just software-based filters on each host.

80 · MCQ · medium

A small company is moving its public web app to a new network. The front-end server must be reachable from the internet, the application server should only accept traffic from the front end, and the database must never be reachable from the internet or user VLANs. Which design best meets these requirements with the least exposure?

A. Place all three servers in the same server VLAN and use host-based firewalls to separate them.
B. Place the web server in a DMZ, the application server in an internal subnet, and the database in a separate restricted subnet with firewall rules between each tier.
C. Place the database in the DMZ so the web and application servers can access it directly without extra firewall rules.
D. Place the web server on the user VLAN and use NAT to hide the database server from the internet.

Answer: B

This is the strongest design because each tier is isolated according to exposure. The web server is the only internet-facing system, the application tier only receives approved traffic from the web tier, and the database is protected behind internal filtering. That layout limits attack paths and supports least privilege between network zones.

Why this answer

Option B is correct because it implements a classic three-tier architecture with network segmentation. The web server in the DMZ is isolated from internal networks but accessible from the internet, the application server in an internal subnet is protected by firewall rules that only allow traffic from the DMZ, and the database in a separate restricted subnet is further isolated with firewall rules that only permit traffic from the application server. This design minimizes exposure by enforcing least privilege and defense in depth, using network-layer segmentation rather than relying solely on host-based controls.

Exam trap

The trap here is that candidates may think host-based firewalls are sufficient for isolation (Option A) or that placing the database in the DMZ simplifies access (Option C), but the exam expects you to recognize that network segmentation with separate subnets and firewall rules is the most secure approach, with the least exposure, for multi-tier applications.

How to eliminate wrong answers

Option A is wrong because placing all three servers in the same VLAN with host-based firewalls violates the principle of network segmentation; a single compromised host could pivot laterally to other servers within the same broadcast domain, and host-based firewalls are more easily misconfigured or bypassed than network-layer ACLs. Option C is wrong because placing the database in the DMZ directly exposes it to the internet, which contradicts the requirement that the database must never be reachable from the internet; this design also increases the attack surface by allowing the web and application servers to access the database without intermediate firewall enforcement.

81 · Multi-Select · medium

An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.

A. Place all three server tiers on the same flat VLAN and rely on host firewalls.
B. Put the internet-facing web tier in a DMZ with tightly filtered inbound rules.
C. Give the database server a public IP address so the web tier can connect faster.
D. Place the application and database tiers in separate internal zones with firewall allow-lists between them.
E. Use a single NAT device for all servers and disable interserver filtering.

Answers: B, D

A DMZ exposes only the web tier to the internet while keeping internal systems off the public network.

Why this answer

Option B is correct because placing the internet-facing web tier in a DMZ (demilitarized zone) with tightly filtered inbound rules ensures that external users can only reach the web servers, while the DMZ network isolates them from internal tiers. This aligns with the principle of defense in depth, where the DMZ acts as a buffer zone, and inbound rules (e.g., allowing only TCP/443 for HTTPS) minimize the attack surface. The web tier can then initiate outbound connections to the application tier through a firewall with specific allow-lists, maintaining strict segmentation.

Exam trap

The trap here is that candidates often confuse a flat VLAN with host firewalls as sufficient segmentation, not realizing that host firewalls can be disabled or bypassed once an attacker gains local access, whereas network-layer segmentation (e.g., DMZ and separate internal zones) provides a more robust security boundary that is harder to circumvent.

82 · MCQ · easy

Employees sign in once to the company portal and then can access email, the ticketing system, and the HR site without logging in again. What is this called?

A. Single sign-on
B. Port forwarding
C. Tokenization
D. Network address translation

Answer: A

SSO lets a user authenticate once and access multiple integrated services without repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and gain access to multiple applications or systems without re-entering credentials. In this scenario, the company portal acts as the identity provider (IdP), and after initial authentication, it issues a token (e.g., SAML assertion or Kerberos ticket) that is accepted by the email, ticketing, and HR systems as proof of identity. This eliminates the need for repeated logins across these services.

Exam trap

The trap here is that candidates confuse single sign-on with tokenization, because both involve 'tokens,' but tokenization is a data protection method for sensitive data, not an authentication mechanism for accessing multiple applications.

How to eliminate wrong answers

Option B is wrong because port forwarding is a network address translation (NAT) technique that redirects traffic from one IP address and port to another, typically used to expose internal services to the internet, not to manage authentication across multiple applications. Option C is wrong because tokenization replaces sensitive data (like credit card numbers) with a non-sensitive placeholder (token) for security, but it does not provide a mechanism for authenticating a user once and accessing multiple systems. Option D is wrong because network address translation (NAT) modifies IP address information in packet headers to map private addresses to public ones, and has no role in authentication or session management across applications.

83 · MCQ · medium

Network engineers need to manage switches in a data center from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. Which approach is best?

A. Telnet to the switches over a router port-forward rule.
B. SSH directly to the switches from the internet using password-only authentication.
C. Use SNMPv2c with restricted source IP addresses.
D. Connect through a VPN to a bastion host, then use SSH to the switches.

Answer: D

A VPN hides management interfaces from the public internet, and a bastion host provides a controlled jump point for secure administration.

Why this answer

Option D is correct because it combines a VPN (which encrypts all traffic and provides strong authentication) with a bastion host (a hardened jump server) to avoid exposing switch management interfaces directly to the internet. SSH then provides encrypted, authenticated access to the switches from the bastion host, meeting all three requirements: encryption, strong authentication, and no direct internet exposure.

Exam trap

The trap here is that candidates often think SSH alone (Option B) is sufficient because it encrypts traffic, but they overlook the requirement to avoid exposing management ports directly to the internet, which is a critical security design principle tested in SY0-701.

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including passwords, in cleartext (no encryption) and port-forwarding exposes the switch management port directly to the internet, violating the requirement to avoid direct exposure. Option B is wrong because SSH does provide encryption, but allowing direct SSH from the internet exposes the switch management port and password-only authentication is not considered strong authentication (lacks multi-factor or key-based methods). Option C is wrong because SNMPv2c uses community strings in cleartext (no encryption) and provides only weak authentication; restricting source IPs does not encrypt traffic or provide strong user authentication.

84 · Multi-Select · medium

After a merger, dozens of laptops arrive with inconsistent settings and a history of unsupported utilities installed by the previous owner. The security team wants to establish a known-good configuration, reduce future drift, and accelerate remediation of newly discovered vulnerabilities. Which three actions best support that goal? Select three.

A. Build and deploy a secure baseline or gold image for the laptops.
B. Use centralized patch management with staged rollouts and reporting.
C. Enforce configuration management that reapplies approved settings after drift is detected.
D. Allow each user to customize local security settings for productivity.
E. Skip validation after patching because the baseline will always remain correct.

Answers: A, B, C

A secure baseline establishes the approved configuration for the fleet and gives the team a repeatable starting point. A gold image reduces configuration variation from device to device and makes it easier to verify what should be present. It is the most direct way to normalize inherited systems after a merger or acquisition.

Why this answer

A is correct because building and deploying a secure baseline or gold image ensures all laptops start from a known-good configuration, eliminating inconsistencies and unsupported utilities from the previous owner. This directly supports the goal of establishing a trusted state and provides a reference point for detecting future drift.

Exam trap

The trap here is that candidates may think user customization (Option D) is acceptable for productivity, but the scenario explicitly requires a known-good configuration and reduced drift, making any uncontrolled customization counterproductive.

85 · Multi-Select · medium

A manufacturer wants partner-company users to access a procurement portal. The manufacturer does not want to create separate local accounts, and the partners want to authenticate their own users with existing corporate identities. Which two capabilities should be implemented? Select two.

A. Create a separate local account for every partner employee and store the passwords internally.
B. Trust the partner identity providers through federation and accept their assertions.
C. Use a shared generic partner login for each company to simplify support.
D. Map partner roles or groups to application permissions after authentication.
E. Require partners to email screenshots of their credentials to request access.

Answers: B, D

Federation lets the portal rely on partner identity systems instead of creating local passwords.

Why this answer

Option B is correct because federation allows the manufacturer to trust identity assertions from the partners' own identity providers (IdPs) using standards like SAML 2.0 or OIDC. This eliminates the need for local accounts while enabling partners to authenticate with their existing corporate identities, meeting both requirements.

Exam trap

The trap here is that candidates may confuse federation with role mapping (option D) as the primary solution, but federation is the core capability for external authentication, while role mapping is a separate authorization step that occurs after authentication.

86 · MCQ · medium

A company wants all corporate laptops to authenticate to Wi-Fi using device certificates instead of shared passwords. It also wants to deny network access to systems that do not meet the baseline requirement for disk encryption and current endpoint protection. Which approach best satisfies both goals?

A. Use a single WPA2-Personal passphrase and email it to all employees.
B. Deploy 802.1X with certificate-based authentication and network access control posture checks.
C. Allow any device to join and rely on antivirus scans after users log in.
D. Use MAC address filtering and a captive portal for all internal Wi-Fi users.

Answer: B

802.1X with certificates verifies device identity, and NAC posture assessment can block noncompliant endpoints.

Why this answer

802.1X with certificate-based authentication ensures that only devices with valid certificates can authenticate to the Wi-Fi network, eliminating reliance on shared passwords. Network access control (NAC) posture checks then evaluate each device against baseline requirements (e.g., disk encryption, current endpoint protection) and deny access to non-compliant systems. This combination directly satisfies both goals of certificate-only authentication and conditional access based on security posture.

Exam trap

The trap here is that candidates often confuse 802.1X with simple certificate authentication and overlook the NAC posture check component, assuming that certificate-based authentication alone meets the baseline requirement, but the question explicitly requires denying access to non-compliant systems, which only NAC can enforce.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a single shared passphrase, which does not enforce device-specific authentication or posture checks, and emailing the passphrase to all employees introduces a security risk. Option C is wrong because allowing any device to join and relying on post-login antivirus scans does not prevent non-compliant devices from accessing the network initially, violating the requirement to deny access to systems that do not meet baseline requirements. Option D is wrong because MAC address filtering can be spoofed and does not verify device certificates or security posture, and a captive portal typically only controls web access after connection, not the initial network authentication or compliance checks.

87 · MCQ · medium

An online ticketing system must survive a single server failure and continue operating after a primary site outage. The business wants the lowest-cost design that still improves availability. Which architecture is best?

A. Deploy active-active servers across multiple regions with load balancing.
B. Use an active-passive design with replicated data and automatic failover to a secondary site.
C. Schedule nightly backups and restore only after the outage is confirmed.
D. Add RAID to the server to protect against all availability failures.

Answer: B

Active-passive redundancy balances cost and resilience by keeping a standby environment ready for server or site failure.

Why this answer

An active-passive design with replicated data and automatic failover (Option B) meets the requirement of surviving a single server failure and a primary site outage while minimizing cost. Unlike active-active, it uses standby resources that only activate during failover, reducing operational expense. This architecture improves availability without the complexity and cost of multi-region active-active deployment.

Exam trap

The trap here is that candidates often choose active-active (Option A) because it offers the highest availability, but they overlook the explicit 'lowest-cost' constraint, which makes the cheaper active-passive design the correct answer despite its slightly longer failover time.

How to eliminate wrong answers

Option A is wrong because deploying active-active servers across multiple regions with load balancing provides high availability but at significantly higher cost due to redundant active infrastructure in multiple geographic locations, which exceeds the 'lowest-cost' requirement. Option C is wrong because nightly backups with a restore only after outage confirmation do not provide continuous availability; they result in significant downtime (potentially hours or days) and data loss (up to 24 hours of transactions), failing the 'continue operating' requirement. Option D is wrong because RAID protects only against local disk failures, not against server failure (e.g., motherboard, power supply) or site outage (e.g., power loss, network cut), so it does not meet the survivability requirement.

88 · MCQ · medium

A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?

A. Place all devices on one flat network and rely on endpoint antivirus for protection.
B. Create separate VLANs for guest, staff, and medical devices, then enforce traffic rules between them with firewall policies.
C. Use a single wireless SSID with client isolation enabled and NAT all traffic through one gateway.
D. Deploy network access control only at login time and allow all devices onto the same internal subnet afterward.

Answer: B

This approach provides clean segmentation while keeping administration manageable. Separate VLANs define distinct trust zones, and firewall policies or ACLs control exactly which services can cross boundaries. That lets guest traffic stay internet-only, staff reach approved internal apps, and medical devices communicate only with the monitoring server.

Why this answer

Option B is correct because VLANs logically segment the network into isolated broadcast domains for guest, staff, and medical devices, while firewall policies (e.g., using ACLs or stateful inspection) enforce granular traffic rules. This design ensures medical devices can only communicate with the monitoring server, guests are restricted to internet-only access, and staff can reach internal applications, all without requiring complex physical reconfiguration.

Exam trap

The trap here is that candidates may choose client isolation (Option C) thinking it provides security, but it breaks required device-to-server communication and does not enforce role-based access, whereas VLANs with firewall policies offer precise, scalable segmentation.

How to eliminate wrong answers

Option A is wrong because a flat network with only endpoint antivirus provides no network-level segmentation, allowing guest devices to potentially access staff or medical systems, violating isolation requirements. Option C is wrong because a single SSID with client isolation prevents all device-to-device communication, which would block legitimate traffic between medical devices and the monitoring server, and NAT alone does not enforce access controls between device groups. Option D is wrong because network access control only at login time (e.g., 802.1X authentication) does not enforce ongoing traffic restrictions; after authentication, all devices share the same subnet, allowing unauthorized communication between guest, staff, and medical devices.

89 · MCQ · medium

An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?

A. Place all devices on one flat network and rely on host firewalls for isolation.
B. Create separate VLANs or subnets for guest, user, and payment zones, then filter inter-zone traffic with firewalls or ACLs.
C. Put the payment system in a DMZ and allow direct internet access for database synchronization.
D. Use NAT on every endpoint so internal devices cannot be individually identified on the network.

Answer: B

Separate zones with internal filtering limit lateral movement and allow only required flows.

Why this answer

Option B is correct because it uses VLANs or subnets to segment guest, employee, and payment-processing traffic into separate broadcast domains, then applies firewall rules or ACLs to control inter-zone traffic. This allows guest Wi-Fi to be restricted to internet-only access, employee laptops to reach internal apps, and the payment system to communicate only with its specific database server while being isolated from general user traffic.

Exam trap

The trap here is that candidates often think a DMZ is always the correct answer for any sensitive system, but in this scenario, the payment system needs controlled access to an internal database, not internet exposure, making VLAN segmentation with firewalls the proper design.

How to eliminate wrong answers

Option A is wrong because a single flat network provides no segmentation; host firewalls alone cannot enforce network-level isolation between guest, employee, and payment traffic, leaving the payment system exposed to all other devices. Option C is wrong because placing the payment system in a DMZ with direct internet access for database synchronization violates the requirement to separate it from general user traffic and introduces unnecessary exposure to the internet, whereas the database should be accessed only via controlled internal paths. Option D is wrong because NAT on every endpoint does not provide network segmentation or access control; it only hides internal IP addresses, failing to isolate guest, employee, and payment traffic or restrict their communication paths.

90 · MCQ · medium

Based on the exhibit, which architecture best meets the goal of keeping the order service running if one application server fails?

A. Use one active server with a warm standby server that is started manually during outages.
B. Run the application servers active-active behind the load balancer.
C. Store the application binaries on RAID 1 disks to prevent service interruption.
D. Take nightly backups of the application servers and restore them after a failure.

Answer: B

Active-active design keeps service available because surviving servers continue handling traffic automatically.

Why this answer

Option B is correct because an active-active architecture behind a load balancer ensures that if one application server fails, the load balancer automatically redirects traffic to the remaining healthy server(s). This provides high availability and fault tolerance without manual intervention, keeping the order service running continuously.

Exam trap

The trap here is that candidates often confuse data redundancy (RAID 1) with server-level fault tolerance, or they mistake backup strategies (nightly backups) for high-availability solutions, failing to recognize that only active-active or active-passive clustering with automatic failover meets the requirement of uninterrupted service during a server failure.

How to eliminate wrong answers

Option A is wrong because a warm standby server that is started manually introduces significant downtime (minutes to hours) while an administrator detects the failure and brings the standby online, failing the goal of keeping the service running during a failure. Option C is wrong because RAID 1 (mirroring) protects against disk failure but does not address application server failure; if the server itself crashes or its OS/application becomes unresponsive, the mirrored disks are still inaccessible. Option D is wrong because nightly backups are a disaster recovery measure, not a high-availability solution; restoring from backup can take hours and results in data loss from the last backup point, so the service would be interrupted for an extended period.

91
MCQ · medium

Based on the exhibit, what is the best cloud identity control to ensure terminated users lose access to the SaaS application quickly and consistently?

A. Keep the SaaS local user accounts and require the help desk to disable them manually after each termination.
B. Enable federated authentication with the corporate IdP and automate provisioning and deprovisioning with SCIM.
C. Create a shared emergency administrator account so access can be revoked by changing one password.
D. Require users to clear browser cookies after termination so the SaaS session expires sooner.
Answer: B

Federation centralizes authentication in the corporate identity provider, and SCIM automates account lifecycle changes based on HR events. That means terminations, transfers, and new hires can be reflected quickly in the SaaS application without relying on manual email tickets. This reduces orphaned accounts and improves consistency across the cloud environment.

Why this answer

Option B is correct because federated authentication with a corporate identity provider (IdP) combined with SCIM (System for Cross-domain Identity Management) ensures that when a user is terminated in the IdP (e.g., Active Directory or Azure AD), the SaaS application is automatically notified via SCIM to deprovision the user account. This eliminates manual intervention and guarantees consistent, near-instant revocation of access across all federated SaaS applications.

Exam trap

The trap here is that candidates often confuse session management (clearing cookies) with account deprovisioning, or they assume manual processes are acceptable for security, when the exam emphasizes automation and centralized identity management for consistency and speed.

How to eliminate wrong answers

Option A is wrong because keeping local SaaS accounts and manually disabling them via the help desk introduces human delay and inconsistency, violating the principle of automated, timely deprovisioning. Option C is wrong because a shared emergency administrator account does not address individual user termination; changing one password would affect all administrators, not just the terminated user, and violates non-repudiation and least privilege. Option D is wrong because clearing browser cookies only ends the current session on that specific browser; it does not revoke the user's underlying account or prevent re-authentication from other devices, and the user could simply log in again.

92
MCQ · medium

A development team wants to deploy a new internal application without managing operating system patching, runtime updates, or automatic scaling. The security team still wants the company to control the application code and its data access settings. Which cloud service model best fits this need?

A. Infrastructure as a Service, because the company can ignore guest OS patching entirely.
B. Platform as a Service, because the provider manages the platform and the company manages the application and data.
C. Software as a Service, because the team can deploy custom application code inside the vendor portal.
D. On-premises hosting, because the company can still use the provider's patching tools.
Answer: B

PaaS shifts patching and scaling responsibilities to the provider while preserving customer control over code, configurations, and data.

Why this answer

Platform as a Service (PaaS) is the correct choice because the provider manages the underlying platform—including OS patching, runtime updates, and automatic scaling—while the company retains control over the application code and data access settings. This aligns with the shared responsibility model where the customer is responsible for the application and data, not the infrastructure.

Exam trap

The trap here is that candidates confuse PaaS with IaaS, assuming 'no patching' means IaaS, but IaaS still requires the customer to patch the guest OS and runtime, whereas PaaS fully offloads that responsibility.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) requires the customer to manage guest OS patching and runtime updates, contradicting the team's desire to avoid those tasks. Option C is wrong because Software as a Service (SaaS) does not allow the customer to deploy custom application code; it only provides pre-built applications accessed via a vendor portal. Option D is wrong because on-premises hosting places full responsibility for patching and scaling on the company, not the provider, and does not eliminate the need for OS management.

93
MCQ · medium

A manufacturer needs to grant a partner company access to a procurement portal. Partner users should authenticate with their own identity provider, and the manufacturer does not want to create local passwords for each partner employee. Which design best supports this?

A. Create local accounts for every partner user and reset passwords manually when staff changes occur.
B. Share one VPN credential with the partner organization and let them manage access internally.
C. Use NTLM pass-through authentication to avoid setting up trust relationships.
D. Establish federation with SAML or OIDC and support just-in-time provisioning for partner users.
Answer: D

Federation lets partner users authenticate through their own identity provider while the portal trusts that assertion and creates accounts as needed.

Why this answer

Federation with SAML or OIDC allows the partner company to use its own identity provider for authentication, eliminating the need for local passwords. Just-in-time provisioning automatically creates user accounts in the manufacturer's procurement portal upon first successful authentication, ensuring access is granted without manual account management. This design supports secure cross-organization trust without sharing credentials or maintaining duplicate user stores.

Exam trap

The trap here is that candidates may mistake NTLM pass-through authentication (Option C) for a viable cross-organization solution, not realizing that it depends on a direct Active Directory trust rather than avoiding one and cannot serve partner users without such a trust, whereas federation with SAML/OIDC is the correct modern approach for integrating an external identity provider.

How to eliminate wrong answers

Option A is wrong because creating local accounts for every partner user and manually resetting passwords on staff changes is operationally unsustainable, violates the principle of least privilege, and introduces password management overhead that federation avoids. Option B is wrong because sharing one VPN credential violates the principle of non-repudiation and accountability, as it cannot distinguish individual users, and the partner cannot securely manage internal access without per-user authentication. Option C is wrong because NTLM pass-through authentication is a legacy Windows protocol that requires direct trust relationships between domains, does not support modern identity federation standards like SAML or OIDC, and is unsuitable for cross-organizational access without establishing a trust.

94
Multi-Select · easy

A company wants guest laptops on Wi-Fi to reach the internet but not internal printers or servers. Which two changes best support this design? Select two.

Select 2 answers
A. Assign guest access points to a separate VLAN with its own subnet.
B. Allow guests on the same VLAN as employee devices for simpler routing.
C. Use firewall rules to deny guest traffic to internal RFC1918 address ranges.
D. Enable WPA2-Enterprise on employee wireless only, and reuse that on guest devices.
E. Put printers on the guest VLAN so guests can print directly.
Answers: A, C

A separate VLAN and subnet keep guest devices logically isolated from corporate systems. This is a common first step in segmentation because it limits what guest traffic can reach and makes firewall policy easier to enforce.

Why this answer

Assigning guest access points to a separate VLAN with its own subnet isolates guest traffic at Layer 2, preventing direct communication with internal devices like printers and servers. This segmentation is a foundational step for enforcing access control policies without relying solely on higher-layer filtering.

Exam trap

The trap here is that candidates often think VLAN separation alone is sufficient, forgetting that a Layer 3 gateway (router/firewall) can still route between VLANs unless explicit ACLs or firewall rules block RFC1918 destinations.

95
Multi-Select · easy

A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.

Select 2 answers
A. Place the web server in a DMZ.
B. Keep the database on an internal network segment and restrict access to the web server only.
C. Place both the web server and the database on the same internet-facing subnet.
D. Expose the database port to the internet so administrators can connect faster.
E. Use the guest wireless VLAN for both systems.
Answers: A, B

A DMZ is a screened network segment designed for systems that must be reachable from outside while still being separated from the internal network. It is a standard place for public-facing web servers.

Why this answer

Placing the web server in a DMZ (Option A) allows it to be reachable from the internet while the internal firewall restricts inbound traffic to only necessary ports (e.g., TCP 80/443). Keeping the database on an internal network segment (Option B) and configuring firewall rules to allow traffic only from the web server’s IP address ensures the database is isolated from direct internet access, preventing external attacks on the database service.

Exam trap

The trap here is that candidates often think placing both systems in the DMZ is acceptable, but they overlook that the database must be on an internal segment with strict access controls, not just any segment with internet exposure.

96
MCQ · easy

An office wants finance workstations separated from general user PCs, but employees still need to print to a shared printer and access one accounting application. Which change best supports this?

A. Place all systems on one VLAN and rely on strong passwords.
B. Move finance systems to a separate VLAN or subnet and allow only required traffic through filtering rules.
C. Put the printer in a different building to make it more secure.
D. Enable screen lock timers on the finance PCs and keep the network flat.
Answer: B

This is the best choice because it separates finance systems from general users while still allowing approved services like printing and application access. VLANs or subnets reduce lateral movement, and firewall or ACL rules limit communication to only what is needed. That supports least privilege at the network layer.

Why this answer

Option B is correct because placing finance systems on a separate VLAN or subnet with a Layer 3 boundary enforces network segmentation, which limits broadcast domains and restricts lateral movement. By configuring access control lists (ACLs) or firewall rules to permit only the required traffic (e.g., SMB/CIFS for printer sharing and specific TCP/UDP ports for the accounting application), the organization achieves a least-privilege network architecture. This approach aligns with the principle of defense-in-depth, reducing the attack surface while maintaining necessary business functionality.

Exam trap

The trap here is that candidates often confuse physical separation (Option C) with logical network segmentation, or assume that strong passwords (Option A) or endpoint controls (Option D) are sufficient substitutes for network-layer isolation, when in fact VLANs and ACLs are required to enforce least-privilege access between different security zones.

How to eliminate wrong answers

Option A is wrong because placing all systems on one VLAN with strong passwords only provides authentication security but fails to segment traffic; a single VLAN allows any compromised general user PC to directly communicate with finance workstations via Layer 2, bypassing any network-level controls. Option C is wrong because moving the printer to a different building does not change the logical network topology—if the printer remains on the same flat network, it still exposes a shared resource without addressing segmentation, and physical relocation adds no security benefit against network-based attacks. Option D is wrong because enabling screen lock timers on finance PCs only addresses local physical access risks, while keeping the network flat (no VLANs or subnets) means all devices share the same broadcast domain, allowing potential attackers on general user PCs to perform ARP spoofing or sniff traffic destined for the printer or accounting application.

97
MCQ · medium

An enterprise is moving from on-prem identity to a SaaS HR platform. Employees should sign in with corporate credentials, and terminated users must lose access quickly without manually creating or deleting SaaS passwords. Which solution best fits?

A. Create a shared HR password for all employees and change it quarterly.
B. Use LDAP bind accounts directly against the SaaS platform for every login.
C. Implement federated SSO with the corporate identity provider and automated provisioning and deprovisioning.
D. Require each user to create a separate local SaaS account and store the credentials in a vault.
Answer: C

Federated SSO lets users authenticate through the corporate identity provider while lifecycle automation removes access quickly when HR changes occur.

Why this answer

Federated SSO with the corporate identity provider (IdP) allows employees to sign in using their existing corporate credentials via standards like SAML 2.0 or OIDC, eliminating the need for separate SaaS passwords. Automated provisioning and deprovisioning (e.g., via SCIM) ensures that when a user is terminated in the HR platform, their access to the SaaS application is revoked immediately without manual intervention, meeting the requirement for rapid access removal.

Exam trap

The trap here is that candidates often confuse LDAP bind (Option B) with federated SSO, thinking that LDAP can directly authenticate against SaaS platforms, but LDAP is a directory access protocol that requires a gateway or federation service to work with cloud apps, and it lacks automated provisioning capabilities.

How to eliminate wrong answers

Option A is wrong because a shared HR password violates the principle of non-repudiation and individual accountability, and changing it quarterly does not provide immediate revocation of access for terminated users. Option B is wrong because LDAP bind accounts are designed for on-premises directory authentication and are not natively supported by most modern SaaS platforms; they would require a complex LDAP-to-SAML bridge and do not support automated deprovisioning. Option D is wrong because requiring each user to create a separate local SaaS account and store credentials in a vault introduces manual password management, contradicts the goal of using corporate credentials, and does not enable automated deprovisioning upon termination.

98
MCQ · hard

A Linux operations team has a standing need to restart services and edit protected configuration files on production servers, but administrators should not keep root privileges all day. Every elevation must be approved through a ticket and logged centrally. Which solution best meets this requirement?

A. Create one shared root password and rotate it weekly.
B. Use privileged access management with just-in-time elevation and session logging.
C. Assign each administrator the server local administrator role permanently.
D. Use single sign-on so administrators only authenticate once each morning.
Answer: B

PAM with just-in-time elevation is the best match because it grants administrative rights only when needed and only after approval. Central session logging provides accountability, and the regular user account remains the default for normal work. This reduces standing privilege, limits misuse, and gives auditors a clear record of who elevated, when, and why.

Why this answer

Privileged Access Management (PAM) with just-in-time (JIT) elevation and session logging meets the requirement because it grants temporary, request-based root privileges that are automatically revoked after the task, and it centrally logs all commands executed during the elevated session. This ensures every elevation is approved via a ticket and auditable, without administrators retaining permanent root access.

Exam trap

The trap here is that candidates often confuse 'single sign-on' (SSO) with 'privilege elevation control,' assuming SSO's convenience implies security control, when in fact SSO only handles authentication, not authorization or session auditing.

How to eliminate wrong answers

Option A is wrong because a shared root password rotated weekly violates the principle of non-repudiation (no individual accountability) and does not enforce per-elevation approval or logging. Option C is wrong because permanently assigning the local administrator role (e.g., sudoers membership) gives continuous root-equivalent privileges, contradicting the requirement that administrators should not keep root privileges all day. Option D is wrong because single sign-on (SSO) only simplifies initial authentication; it does not control or log privilege elevation events, nor does it enforce ticket-based approval for each root action.

99
MCQ · medium

Several company laptops were found to boot from a removable drive containing an untrusted pre-boot utility before the operating system loaded. The security team wants to prevent unsigned or tampered boot code from starting. Which control is the best fit?

A. Enable Secure Boot in firmware and block external boot devices where possible.
B. Turn on screen lock after ten minutes of inactivity.
C. Increase the password complexity policy for user accounts.
D. Disable Windows Defender notifications on the endpoints.
Answer: A

Secure Boot checks boot components against trusted signatures before they are allowed to run, which directly addresses tampered or untrusted pre-boot code. Disabling external boot adds another layer by reducing the chance of unauthorized removable media being used to bypass protections.

Why this answer

Secure Boot is a UEFI firmware feature that verifies the digital signature of boot code against a trusted database before execution. By enabling Secure Boot and blocking external boot devices, the security team ensures that only signed, trusted bootloaders and drivers can run, preventing untrusted pre-boot utilities from loading. This directly addresses the scenario where laptops boot from a removable drive containing unsigned or tampered boot code.

Exam trap

The trap here is that candidates may confuse endpoint security controls (like screen lock or password policies) with boot-time integrity mechanisms, failing to recognize that Secure Boot is the only option that validates code before the OS loads.

How to eliminate wrong answers

Option B is wrong because screen lock after inactivity addresses unauthorized physical access to an already-booted OS, not the pre-boot execution of untrusted code. Option C is wrong because password complexity policies protect user account credentials but have no effect on boot-time code integrity or device boot order. Option D is wrong because disabling Windows Defender notifications only suppresses security alerts; it does not prevent unsigned boot code from executing.

100
MCQ · easy

A company wants guest Wi-Fi to reach only the internet, employee laptops to reach internal apps, and payment servers to remain isolated from both. What is the best design approach?

A. Place all systems on one flat network and rely on antivirus.
B. Use separate network segments with firewall rules between guest, employee, and payment zones.
C. Put all systems behind a single VPN so every device is treated the same.
D. Use a larger internet circuit so the payment servers are harder to attack.
Answer: B

This is the best choice because segmentation limits what each group can reach and reduces the impact of a compromise. Guest users are confined to internet access, employee systems can be limited to approved internal services, and payment servers can be placed in a tightly controlled zone with only required ports open. That design supports least privilege at the network layer and makes monitoring and containment easier.

Why this answer

Option B is correct because network segmentation using separate VLANs or subnets with firewall rules enforces isolation between guest Wi-Fi, employee laptops, and payment servers. This design ensures that guest traffic can only reach the internet, employee traffic can access internal apps, and payment servers are completely isolated from both, meeting the principle of least privilege and reducing the attack surface.

Exam trap

The trap here is that candidates may think a VPN provides isolation, but a VPN only encrypts traffic and does not inherently segment networks; without separate firewall rules, all VPN clients share the same network access.

How to eliminate wrong answers

Option A is wrong because placing all systems on one flat network with antivirus only provides endpoint protection and does not prevent lateral movement; an attacker on the guest Wi-Fi could directly access payment servers or internal apps. Option C is wrong because putting all systems behind a single VPN treats every device identically, removing the ability to enforce different access policies; it would allow guest devices to reach internal apps and payment servers, violating isolation requirements.

101
MCQ · medium

A payment processor stores full card numbers in its transaction database, but developers and analysts should never see the real numbers in nonproduction reports or troubleshooting tools. The business still needs to correlate the same card across multiple records. Which technique is the best fit?

A. Tokenization, because it replaces the real value with a surrogate token for business use.
B. Hashing, because the output can always be reversed by the application later.
C. Data masking, because it permanently deletes the sensitive record from the database.
D. Compression, because reducing file size also hides the payment information from users.
Answer: A

Tokenization preserves referential value for transactions while keeping the original card number out of ordinary views and reports.

Why this answer

Tokenization is the best fit because it replaces the full card number with a unique surrogate token that has no mathematical relationship to the original PAN yet retains the ability to correlate records (the same card always maps to the same token). This allows the business to perform analytics and troubleshooting without exposing the actual sensitive data: the token cannot be reversed to the PAN by computation, and only the protected token mapping can resolve it.

Exam trap

The trap here is that candidates confuse tokenization with hashing, assuming both are equally irreversible, but an unsalted hash of a small input space such as card numbers can be brute-forced, and hashing does not provide a controlled surrogate for business correlation the way tokenization does.

How to eliminate wrong answers

Option B is wrong because hashing, while one-way, is deterministic and can be reversed via brute-force or rainbow tables if the input space is small (e.g., credit card numbers); it also does not provide a controlled surrogate for business use and may expose the original value if the hash is cracked. Option C is wrong because data masking dynamically obscures data (e.g., showing only last four digits) but does not permanently delete records; it still allows the real value to exist in the database and can be bypassed in nonproduction tools. Option D is wrong because compression reduces file size for storage or transmission but does not hide or protect sensitive data; the original card numbers remain fully visible after decompression.

102
MCQ · easy

An organization is placing its public-facing website behind a new security design. The site must be reachable from the internet, but the database and file servers must stay isolated from direct external access. What design should the architect use?

A. Place the web server on the internal user subnet so it can reach the database directly.
B. Create a demilitarized zone (DMZ) for the public web server.
C. Use a VPN concentrator so the website can be accessed securely from outside.
D. Use network address translation (NAT) on the web server to hide its IP address.
Answer: B

A DMZ places internet-facing services in a separate network segment, reducing exposure of trusted internal systems.

Why this answer

A demilitarized zone (DMZ) is a network segment that isolates public-facing services, such as a web server, from the internal network. By placing the web server in the DMZ, the organization allows internet traffic to reach the website while keeping the database and file servers on the internal network, which are not directly accessible from the internet. This design enforces a security boundary where only necessary traffic (e.g., HTTP/HTTPS) is permitted through firewall rules, preventing direct external access to sensitive backend systems.

Exam trap

The trap here is that candidates often confuse NAT or VPN as security controls for isolation, when in fact they do not provide network segmentation; the DMZ is the only design that creates a physical or logical boundary to isolate public-facing servers from internal resources.

How to eliminate wrong answers

Option A is wrong because placing the web server on the internal user subnet would expose the internal network to direct internet traffic, violating the isolation requirement for the database and file servers. Option C is wrong because a VPN concentrator is designed for secure remote access by authenticated users, not for hosting a public website that must be reachable by anonymous internet clients. Option D is wrong because network address translation (NAT) on the web server only hides its IP address but does not isolate the database and file servers from direct external access; NAT alone provides no security boundary or segmentation.

103
Drag & Drop · medium

Drag and drop the steps for the TLS 1.3 handshake process into the correct order.


Why this order

TLS 1.3 reduces round trips; the client and server exchange key shares early, and the server's certificate is sent in the second flight.

104
MCQ · medium

Based on the exhibit, which data protection control best allows analysts to work with the records without exposing full card numbers?

A. Encrypt the entire analytics database and give the team the decryption key.
B. Tokenize the card numbers and keep the token mapping in a secured vault.
C. Hash the card numbers with SHA-256 so the analytics team can reverse them later if needed.
D. Delete all but the last four digits from the production database immediately.
Answer: B

Tokenization replaces sensitive card numbers with non-sensitive substitutes that can still support joins and repeated reporting without revealing the original values. Keeping the mapping in a secured vault protects the real numbers while allowing the analytics team to work with consistent placeholders. This fits the business need much better than simple encryption or masking alone.

Why this answer

Tokenization replaces sensitive card numbers with non-sensitive placeholders (tokens) that retain the format and length of the original data but have no exploitable value. The analytics team can work with the tokens for reporting and analysis, while the actual card numbers remain securely stored in a separate token vault, preventing exposure even if the analytics database is compromised.

Exam trap

CompTIA often tests the misconception that encryption is always the best data protection control, but the trap here is that encryption still exposes the data to anyone with the key, whereas tokenization removes the sensitive data from the working environment entirely, making it the correct choice for analytics without exposure.

How to eliminate wrong answers

Option A is wrong because encrypting the entire database and giving the team the decryption key would expose the full card numbers to anyone with the key, defeating the purpose of protecting the data during analysis. Option C is wrong because SHA-256 is a one-way hash function that cannot be reversed; the claim that the team can 'reverse them later' is technically impossible, and hashing does not preserve the format needed for analytics. Option D is wrong because deleting all but the last four digits from the production database is a destructive action that permanently loses data and does not allow the team to work with the full card numbers for any legitimate analysis that requires the complete value.

105
MCQ · medium

A customer portal must keep operating if one application server fails and also remain available if an entire site goes offline. Management is willing to pay more for automatic failover and the shortest possible interruption. Which design is best?

A. An active-active deployment across two sites with load balancing and replicated data.
B. A cold site that restores from nightly backups after a failure.
C. A single active site with one standby server in the same rack.
D. RAID 1 on the database server with no additional redundancy.
Answer: A

Active-active across sites offers the highest availability and the fastest automatic failover, though it is more complex and costly.

Why this answer

An active-active deployment across two sites with load balancing and replicated data ensures continuous operation if one application server fails and also if an entire site goes offline. Load balancers distribute traffic to healthy servers, and synchronous data replication keeps both sites consistent, enabling automatic failover with minimal interruption. This design meets the requirement for the shortest possible interruption because failover is instantaneous and does not require manual intervention or data restoration.

Exam trap

The trap here is that candidates often confuse high availability within a single site (like a standby server in the same rack) with disaster recovery across sites, failing to recognize that site-level failures require geographic redundancy, not just server-level redundancy.

How to eliminate wrong answers

Option B is wrong because a cold site that restores from nightly backups after a failure introduces significant downtime (hours or days) for restoration and does not provide automatic failover or the shortest possible interruption. Option C is wrong because a single active site with one standby server in the same rack cannot survive an entire site outage, as both servers are in the same physical location and share the same site-level risks (e.g., power failure, natural disaster). Option D is wrong because RAID 1 on the database server provides only local disk redundancy within a single server, not application-level failover or site-level availability, and does not address server or site failures.

106
MCQ · easy

A manager can access the HR portal normally from a managed laptop, but if they sign in from an unmanaged tablet, the system should require extra verification before granting access. Which control best fits?

A. Conditional access based on device trust or risk.
B. A longer password expiration interval.
C. A separate VLAN for each manager.
D. Data encryption at rest on the HR database.
Answer: A

This is the best answer because conditional access can change authentication requirements depending on the device or sign-in context. A managed laptop can be allowed normally, while an unmanaged tablet can trigger extra verification such as MFA or access restrictions. That lets the organization balance usability and security instead of using the same rule for every login.

Why this answer

Conditional access policies evaluate device trust (e.g., compliance with security baselines, domain membership) and risk signals (e.g., location, sign-in behavior) to enforce step-up authentication. This directly matches the requirement: allow normal access from a managed laptop, but require extra verification from an unmanaged tablet. Other options like password expiration, VLAN segmentation, or encryption do not dynamically adjust authentication requirements based on device trust.

Exam trap

The trap here is that candidates often confuse data protection controls (encryption, VLANs) with access control mechanisms, failing to recognize that conditional access is the only option that dynamically adjusts authentication requirements based on device trust or risk.

How to eliminate wrong answers

Option B is wrong because a longer password expiration interval does not differentiate between managed and unmanaged devices; it applies uniformly to all users regardless of device trust. Option C is wrong because a separate VLAN for each manager provides network segmentation but does not enforce extra verification based on device trust or risk at the authentication layer. Option D is wrong because data encryption at rest protects stored data on the HR database but does not control access decisions or require additional authentication based on the device used to sign in.
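The following is an added illustration of how a conditional-access engine turns device-trust and risk signals into a sign-in decision; it is example code written for this page, not any identity provider's policy engine. The signal names (device_managed, device_compliant, risk), the policy fields and the three decision values are assumptions chosen to mirror the question's scenario.

```python
"""Added illustration of how a conditional-access engine decides a sign-in.

Example code for this page, not any identity provider's policy engine.
The signal names, policy fields and decision values are assumptions
chosen to mirror the question's scenario; real products use their own
schemas, but the evaluation pattern is the same.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional


class Decision(Enum):
    ALLOW = "allow"            # normal sign-in, nothing extra
    REQUIRE_MFA = "mfa"        # step-up: grant only after a second factor
    BLOCK = "block"            # refuse the sign-in


@dataclass(frozen=True)
class SignIn:
    """Context gathered for one authentication attempt."""
    user: str
    app: str
    device_managed: bool       # enrolled in MDM or domain joined
    device_compliant: bool     # passes the security baseline
    risk: str                  # "low", "medium" or "high" from a risk engine


@dataclass(frozen=True)
class Policy:
    """One rule: when every stated condition holds, apply the grant control."""
    name: str
    apps: FrozenSet[str]
    grant: Decision
    only_unmanaged: bool = False      # condition: device is not managed
    only_noncompliant: bool = False   # condition: device fails the baseline
    min_risk: Optional[str] = None    # condition: risk at or above this level


RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def matches(policy: Policy, ctx: SignIn) -> bool:
    if ctx.app not in policy.apps:
        return False
    if policy.only_unmanaged and ctx.device_managed:
        return False
    if policy.only_noncompliant and ctx.device_compliant:
        return False
    if policy.min_risk is not None and RISK_ORDER[ctx.risk] < RISK_ORDER[policy.min_risk]:
        return False
    return True


def evaluate(policies: Iterable[Policy], ctx: SignIn) -> Decision:
    """All matching policies apply together and the most restrictive wins:
    one BLOCK refuses the sign-in, otherwise any REQUIRE_MFA forces step-up."""
    grants = {p.grant for p in policies if matches(p, ctx)}
    if Decision.BLOCK in grants:
        return Decision.BLOCK
    if Decision.REQUIRE_MFA in grants:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


HR = frozenset({"hr-portal"})
# Policy set for the question's scenario (policy names are constructed).
HR_POLICIES = [
    Policy("hr-unmanaged-device-step-up", HR, Decision.REQUIRE_MFA, only_unmanaged=True),
    Policy("hr-noncompliant-device-step-up", HR, Decision.REQUIRE_MFA, only_noncompliant=True),
    Policy("hr-high-risk-block", HR, Decision.BLOCK, min_risk="high"),
]


def decide(device_managed: bool, device_compliant: bool, risk: str = "low") -> Decision:
    """Decision for the manager's sign-in to the HR portal from a given device."""
    return evaluate(HR_POLICIES, SignIn("manager", "hr-portal", device_managed, device_compliant, risk))


if __name__ == "__main__":
    print("managed, compliant laptop    ->", decide(True, True).value)
    print("unmanaged tablet             ->", decide(False, False).value)
    print("managed but noncompliant     ->", decide(True, False).value)
    print("unmanaged, high-risk sign-in ->", decide(False, False, "high").value)
```

The managed, compliant laptop matches no policy and is allowed through; the unmanaged tablet matches the step-up rule and must complete MFA. Compliance is kept as a separate signal from enrollment so that a managed laptop that has drifted from its baseline is also challenged, and a high-risk sign-in is blocked regardless of the device because the most restrictive grant wins.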

107
Multi-Select · medium

Which four of the following are essential considerations when designing a secure cloud architecture in a hybrid environment? (Choose four.)

Select 4 answers
- Ensuring data encryption both at rest and in transit between cloud and on-premises resources
- Using a shared secret key for all API authentication to simplify integration
- Implementing a cloud access security broker (CASB) to enforce security policies
- Configuring identity federation with single sign-on (SSO) for centralized access control
- Placing all cloud resources in a single availability zone to reduce latency
- Applying least privilege principles to IAM roles and policies

Why this answer

Ensuring data encryption both at rest and in transit is critical in a hybrid environment to protect sensitive data from exposure during movement between cloud and on-premises resources and while stored. This includes using TLS 1.2/1.3 for data in transit and AES-256 for data at rest, addressing compliance requirements and mitigating interception risks.

Exam trap

The trap here is that candidates may think a shared secret key simplifies integration and is secure, but the SY0-701 exam emphasizes that shared secrets lack granularity and rotation capabilities, making them a security risk in hybrid environments.

108
MCQ · medium

A hospital has clinical workstations, badge readers, and building cameras all connected to the same switching infrastructure. After a workstation infection, the security team wants to prevent those endpoints from laterally reaching the badge readers while still allowing the cameras to report to a recording server. What should be implemented first?

A. Create separate VLANs and apply ACLs between device groups based on business need.
B. Increase the DHCP lease time so devices keep the same IP addresses longer.
C. Replace the switches with unmanaged models to simplify configuration.
D. Disable the cameras' encryption so the recording server can process traffic faster.
Answer: A

Separate VLANs establish different trust zones, and ACLs limit only the necessary traffic between them.

Why this answer

Creating separate VLANs segments the network into distinct broadcast domains, preventing workstations from directly reaching badge readers at Layer 2. Applying ACLs between VLANs then enforces granular access control, allowing only the cameras to communicate with the recording server while blocking lateral movement from infected endpoints. This aligns with the principle of least privilege and is the foundational step for network segmentation.

Exam trap

The trap here is that candidates often overlook the need for Layer 2 segmentation (VLANs) as a prerequisite for Layer 3/4 ACLs, mistakenly thinking ACLs alone on a flat network can block lateral movement between devices in the same subnet.

How to eliminate wrong answers

Option B is wrong because increasing DHCP lease time does not provide any security controls; it only reduces IP address churn and does not prevent lateral movement between devices. Option C is wrong because replacing managed switches with unmanaged models removes the ability to configure VLANs, ACLs, or any traffic filtering, making segmentation impossible. Option D is wrong because disabling encryption on cameras would expose video traffic to eavesdropping and does not address the need to restrict workstation-to-badge-reader access; it also violates security best practices.

109
Multi-Select · hard

An office is replacing WPA2-PSK. The new design must ensure only company-managed laptops can join the wireless network, and any device that falls out of compliance must be blocked or quarantined until remediated. Which two controls best meet the requirement? Select two.

Select 2 answers
A. Deploy 802.1X with EAP-TLS so devices prove possession of a unique certificate.
B. Use a single WPA3-Personal passphrase printed in the lobby for all managed devices.
C. Rely on MAC address allow lists because they cannot be forged easily.
D. Enforce NAC posture checks and move noncompliant devices to a remediation VLAN.
E. Hide the SSID and disable client isolation to reduce discovery by attackers.
Answers: A, D

EAP-TLS uses device certificates to authenticate the endpoint, which is far stronger than a shared password. Because each managed laptop has its own certificate, access can be tied to the device identity rather than a static secret. This is a common enterprise wireless control for preventing unmanaged devices from joining corporate Wi-Fi.

Why this answer

802.1X with EAP-TLS is correct because it requires each device to present a unique client certificate issued by the company's PKI. This ensures only company-managed laptops (which have the certificate) can authenticate, and it ties directly into the requirement for device-specific identity rather than a shared secret.

Exam trap

The trap here is that candidates often confuse WPA3-Personal's improved encryption with authentication control, but it still relies on a shared passphrase and cannot enforce per-device identity or compliance checks.

110
MCQ · medium

Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected? The current design is:

Internet -> Firewall -> DMZ VLAN 10: reverse proxy
Private App VLAN 20: application server 10.10.20.20
Private DB VLAN 30: database server 10.10.30.30
User VLAN 40: internal workstations

ACL summary:
1. permit tcp any -> 10.10.10.10 eq 443
2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443
3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433
4. deny ip any -> 10.10.30.30

A. Move the database server into the DMZ so the public proxy can reach it directly.
B. Keep the reverse proxy in the DMZ and place the application and database servers in private subnets behind it.
C. Allow inbound Internet access directly to the application server on 8443, but restrict the database.
D. Collapse all servers into one VLAN and rely on strong passwords for protection.
Answer: B

This is the best design because it limits Internet exposure to the reverse proxy while keeping the application and database tiers segmented behind internal controls. The proxy can forward only approved traffic to the app tier, and the app tier can talk to the database through tightly defined rules. That preserves function while reducing the attack surface of the more sensitive backend systems.

Why this answer

Option B is correct because it maintains the defense-in-depth architecture: the reverse proxy in the DMZ (VLAN 10) terminates external HTTPS (TCP/443) and forwards only necessary traffic to the application server in a private VLAN (VLAN 20) over TCP/8443, while the database server remains isolated in a separate private VLAN (VLAN 30) with strict ACLs. This layered segmentation ensures that the public web application's exposure is limited to the reverse proxy, and backend tiers (app and DB) are not directly reachable from the internet, reducing the attack surface while preserving functional separation.

Exam trap

The trap here is that candidates often think moving a server to the DMZ simplifies access (Option A) or that direct internet access to the app server is acceptable (Option C), failing to recognize that the reverse proxy is the only component designed to handle untrusted traffic and that network segmentation is critical for protecting backend tiers from pivot attacks.

How to eliminate wrong answers

Option A is wrong because moving the database server into the DMZ exposes it directly to the reverse proxy without the protection of a private VLAN, violating the principle of least privilege and increasing the risk of lateral movement if the proxy is compromised. Option C is wrong because allowing inbound internet access directly to the application server on TCP/8443 bypasses the reverse proxy's security controls (e.g., SSL termination, request filtering) and exposes the application server to direct external attacks, negating the DMZ's purpose. Option D is wrong because collapsing all servers into one VLAN eliminates network segmentation entirely, making it trivial for an attacker who compromises any tier to pivot laterally to the database or application server, and strong passwords alone cannot mitigate network-level threats like ARP spoofing or VLAN hopping.

111
Multi-Select · hard

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

Select 2 answers
A. Require administrators to connect to a bastion host or jump server before reaching the Linux servers.
B. Let all corporate laptops connect directly to SSH on the servers if MFA is enabled.
C. Restrict management interfaces so only the bastion host can reach them and log each session.
D. Expose SSH to the internet because key-based authentication is already strong.
E. Use split tunneling for admin traffic so management packets can bypass the VPN.
Answers: A, C

A bastion host is a hardened choke point for privileged access, so all administrative sessions can be concentrated, filtered, and monitored. It prevents direct SSH exposure from general user systems and gives the security team a single place to enforce logging and session control. This is a common hardened management-path pattern.

Why this answer

Option A is correct because a bastion host (jump server) acts as a single, hardened entry point that administrators must connect to before reaching internal Linux servers. This eliminates direct SSH access from employee laptops, reducing the attack surface and preventing lateral movement if an admin endpoint is compromised. The bastion host can also enforce centralized logging of all administrative sessions, meeting the security team's requirement for session recording.

Exam trap

The trap here is that candidates often think MFA alone (Option B) is sufficient to secure direct access, but the question specifically requires reducing lateral movement and logging sessions, which only a bastion host with restricted access (Options A and C) can fully achieve.

112
MCQ · easy

A company runs a Linux virtual machine in an IaaS cloud service. The provider secures the physical datacenter and hypervisor. Which task remains the company's responsibility?

A. Patching the guest operating system on the virtual machine.
B. Replacing failed physical storage drives in the provider's data center.
C. Hardening the hypervisor that hosts the cloud tenant.
D. Controlling badge access to the cloud vendor's server room.
Answer: A

In an IaaS model, the organization still manages what runs inside the VM, including the guest operating system, patches, applications, and configuration. The cloud provider secures the underlying facility, hardware, and hypervisor, but it does not maintain the customer's OS or application stack. Keeping the guest OS patched is essential to reduce exposure to known vulnerabilities and aligns with the shared responsibility model.

Why this answer

In an IaaS cloud model, the provider is responsible for the physical infrastructure, including the datacenter, network, storage, and hypervisor. The customer retains responsibility for securing the guest operating system, including applying patches and updates. Under the shared responsibility model, patching the guest OS therefore falls squarely on the company operating the virtual machine.

Exam trap

The trap here is that candidates often confuse the shared responsibility model and assume the cloud provider handles all security tasks, including guest OS patching, when in fact the customer is responsible for anything above the hypervisor.

How to eliminate wrong answers

Option B is wrong because replacing failed physical storage drives is the responsibility of the cloud provider, who manages the underlying hardware in the datacenter. Option C is wrong because hardening the hypervisor is also the provider's responsibility, as the hypervisor is part of the virtualization layer that the customer does not have administrative access to.

113
MCQ · medium

A customer portal must keep operating if one application server fails. Management wants the simplest and lowest-cost design that still improves availability. What should the team implement?

A. Add more backups and schedule them every hour.
B. Use a second data center with synchronous replication and active-active clustering.
C. Deploy a hot standby application server with automatic failover.
D. Restart the failed server manually after the help desk is notified.
Answer: C

A hot standby provides a ready replacement if the primary application server fails, and automatic failover restores service without waiting for manual intervention. This design improves availability while staying simpler and less costly than a full active-active architecture across multiple sites. It matches the business need for continuity after one server failure without overengineering the solution.

Why this answer

A hot standby (active/passive) application server with automatic failover provides the simplest and lowest-cost improvement to availability. It eliminates the single point of failure by having a standby server ready to take over if the primary fails, without requiring complex load balancing or synchronous replication. This design directly addresses the requirement of keeping the portal operational during a single server failure while minimizing cost and complexity.

Exam trap

The trap here is that candidates often confuse high availability with disaster recovery, choosing synchronous replication and a second data center (Option B) when a simpler active/passive failover within the same site meets the requirement at lower cost.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency does not improve availability; backups protect against data loss, not server failure, and the portal would still be unavailable until restored from backup. Option B is wrong because a second data center with synchronous replication and active-active clustering is significantly more complex and expensive, involving geographic redundancy, network latency management, and load balancing, which exceeds the 'simplest and lowest-cost' requirement.

114
MCQ · medium

A SaaS vendor supports both browser access and a mobile app. The company wants employees to sign in with corporate credentials, avoid separate passwords for each app, and use token-based authentication that works well with modern APIs. Which integration should the architect choose?

A. SAML federation to the SaaS vendor using browser assertions only.
B. OpenID Connect federation with the corporate identity provider.
C. LDAP bind authentication directly against each SaaS application.
D. Kerberos tickets issued directly by the SaaS vendor.
Answer: B

OpenID Connect is built on modern token-based authentication and works well for browser, mobile, and API-driven applications.

Why this answer

OpenID Connect (OIDC) is the correct choice because it is an identity layer built on top of OAuth 2.0, designed for token-based authentication that works seamlessly with modern REST APIs and mobile apps. It allows employees to sign in with corporate credentials via the corporate identity provider (IdP), eliminates separate app passwords, and issues ID tokens (JWT) and access tokens that the SaaS vendor can validate without browser redirects.

Exam trap

The trap here is that candidates often confuse SAML (which is browser-based) with OpenID Connect, assuming SAML can handle mobile apps and API tokens just as easily, but SAML lacks native support for token-based API authentication without complex extensions.

How to eliminate wrong answers

Option A is wrong because SAML federation using browser assertions only works well for web-based access but does not natively support mobile apps or token-based API authentication without additional extensions like SAML Bearer Assertion for OAuth 2.0, making it less suitable for modern API-driven scenarios. Option C is wrong because LDAP bind authentication requires direct network connectivity to the corporate directory, exposes credentials to each SaaS application, and does not provide token-based authentication or single sign-on across apps. Option D is wrong because Kerberos tickets are designed for on-premises Windows environments and require the SaaS vendor to be part of the same Kerberos realm, which is impractical for cloud-based SaaS; they also do not integrate with modern REST APIs or token-based flows.

115
MCQ · medium

Network engineers need to administer internal switches from home. The company wants encrypted management traffic, strong user verification, and no management ports exposed directly to the internet. Which approach is best?

A. Require a VPN or ZTNA connection with MFA, then allow SSH or HTTPS management only through that protected tunnel.
B. Expose SSH on the internet and rely on key-based authentication alone.
C. Use RDP with port forwarding because it is simpler for remote support.
D. Allow split tunneling without MFA so engineers can reduce latency while working remotely.
Answer: A

A protected remote-access layer keeps management services off the public internet while preserving encryption and strong authentication.

Why this answer

Option A is correct because it enforces encryption (via VPN or ZTNA tunnel), strong user verification (MFA), and network segmentation (no direct internet exposure). SSH or HTTPS management traffic is then allowed only through the protected tunnel, ensuring confidentiality, integrity, and access control. This aligns with the principle of defense in depth for remote network device administration.

Exam trap

The trap here is that candidates may think SSH key-based authentication alone is sufficient for remote access, overlooking the requirement to avoid direct internet exposure and the need for strong user verification like MFA.

How to eliminate wrong answers

Option B is wrong because exposing SSH directly to the internet violates the requirement of no management ports exposed to the internet, and key-based authentication alone does not provide strong user verification (e.g., no MFA). Option C is wrong because RDP is not designed for switch management (switches typically lack RDP support) and port forwarding still exposes the management port to the internet, violating the exposure restriction. Option D is wrong because split tunneling without MFA bypasses the encrypted tunnel requirement and weakens user verification, leaving management traffic potentially exposed and vulnerable to interception.

116
MCQ · medium

An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?

A. Create separate roles for HR, managers, and payroll, and grant only the permissions needed for each job function.
B. Assign everyone the same portal permissions to simplify administration.
C. Give every manager full HR and payroll access so approvals are faster.
D. Use one shared administrator account for all HR actions to keep audits simple.
Answer: A

This follows role-based access control and least privilege. Each role gets only the permissions required for its work, which reduces the chance of accidental or unauthorized access across sensitive HR functions.

Why this answer

Option A is correct because Role-Based Access Control (RBAC) assigns permissions based on job functions, ensuring that HR staff, managers, and payroll personnel receive only the privileges necessary for their roles. This enforces the principle of least privilege and prevents any single user from inheriting all permissions by default, which aligns with the organization's security requirement.

Exam trap

The trap here is that candidates may confuse RBAC with simpler models like DAC or MAC, or assume that convenience (e.g., faster approvals) justifies overriding least privilege, but the exam emphasizes that role separation and minimal permissions are mandatory for secure access design.

How to eliminate wrong answers

Option B is wrong because assigning everyone the same portal permissions violates the principle of least privilege, granting excessive access to users who do not need it and increasing the risk of unauthorized data exposure or modification. Option C is wrong because giving every manager full HR and payroll access bypasses role separation, allowing managers to view salary data and update employee records without need, which could lead to privilege escalation and compliance violations. Option D is wrong because using one shared administrator account eliminates accountability and audit trails, making it impossible to attribute actions to specific users and violating non-repudiation principles.

117
MCQ · easy

A help desk team wants guest Wi-Fi users to access only the internet and nothing on the internal corporate network. Which control should the network team implement at the wireless edge?

A. A single shared password for all guest users
B. An ACL or firewall rule set that blocks guest network access to internal subnets
C. A stronger DNS server
D. A longer Wi-Fi passphrase rotated monthly
Answer: B

An ACL or firewall rule can explicitly allow internet access while denying routing to internal ranges.

Why this answer

To prevent guest Wi-Fi users from accessing the internal corporate network while allowing internet access, the network team must implement an ACL or firewall rule set at the wireless edge. This control explicitly blocks traffic from the guest VLAN/subnet to internal subnets (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) while permitting outbound traffic to the internet. This is a fundamental network segmentation technique that enforces the principle of least privilege at Layer 3/4.

Exam trap

The trap here is that candidates confuse authentication controls (passwords, passphrase rotation) with network access controls (ACLs, firewall rules), assuming that a strong password or DNS server can prevent lateral movement, when in fact only explicit Layer 3/4 filtering at the edge can enforce network segmentation.

How to eliminate wrong answers

Option A is wrong because a single shared password for all guest users does not restrict network access; it only provides authentication to the SSID, and without ACLs, guests could still reach internal resources. Option C is wrong because a stronger DNS server (e.g., using DNSSEC or a public resolver) does not block traffic to internal subnets; it only improves name resolution security and does not enforce network segmentation. Option D is wrong because a longer Wi-Fi passphrase rotated monthly improves authentication strength but does not control which networks a guest can reach once connected; it is a credential policy, not an access control mechanism.
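Both the three-tier exhibit in question 110 and the guest-edge rule set described in question 117 depend on the same mechanism: an ordered ACL evaluated top-down, first match wins, with an implicit deny after the last line. The added example below, written for this page and not device configuration, transcribes the exhibit's four rules and a guest rule set into a small evaluator and runs the flows each question discusses through it. It assumes the reverse proxy is 10.10.10.10 (the target of the exhibit's rule 1) and that the guest subnet is 192.168.200.0/24; both addresses, and the internet-side addresses used for the flows, are constructed for the demonstration.

```python
"""Added example: first-match ACL evaluation with an implicit deny.

Illustration written for this page, not device configuration. The rule
syntax is a simplified transcription of the exhibit in question 110; the
evaluator walks rules top down, the first match decides, and anything
unmatched is dropped, which is how an extended ACL behaves. The reverse
proxy address (10.10.10.10) is inferred from rule 1, and the guest subnet
(192.168.200.0/24) and all other source addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" (any protocol) or "tcp"/"udp"
    src: str                  # "any", a CIDR, or a single host address
    dst: str
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def match(rule: Rule, flow: Flow) -> bool:
    return ((rule.proto == "ip" or rule.proto == flow.proto)
            and _in(flow.src, rule.src) and _in(flow.dst, rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule decides; an implicit deny follows the last rule."""
    for rule in acl:
        if match(rule, flow):
            return rule.action
    return "deny (implicit)"


# Question 110 exhibit, transcribed as rules 1-4.
THREE_TIER_ACL = [
    Rule("permit", "tcp", "any", "10.10.10.10", 443),
    Rule("permit", "tcp", "10.10.10.10", "10.10.20.20", 8443),
    Rule("permit", "tcp", "10.10.20.20", "10.10.30.30", 1433),
    Rule("deny", "ip", "any", "10.10.30.30"),
]

# Question 117: guest VLAN may reach the internet but none of the RFC 1918
# ranges the explanation lists (guest subnet is a constructed assumption).
GUEST = "192.168.200.0/24"
GUEST_ACL = [
    Rule("deny", "ip", GUEST, "10.0.0.0/8"),
    Rule("deny", "ip", GUEST, "172.16.0.0/12"),
    Rule("deny", "ip", GUEST, "192.168.0.0/16"),
    Rule("permit", "ip", GUEST, "any"),
]


def three_tier_decisions() -> Dict[str, str]:
    """The approved tier-to-tier paths permit; the shortcuts in options A and C do not."""
    internet_host = "203.0.113.5"   # constructed external client
    return {
        "internet->proxy:443": evaluate(THREE_TIER_ACL, Flow("tcp", internet_host, "10.10.10.10", 443)),
        "proxy->app:8443": evaluate(THREE_TIER_ACL, Flow("tcp", "10.10.10.10", "10.10.20.20", 8443)),
        "app->db:1433": evaluate(THREE_TIER_ACL, Flow("tcp", "10.10.20.20", "10.10.30.30", 1433)),
        # Option C would need a new permit: nothing matches, so the implicit deny applies.
        "internet->app:8443": evaluate(THREE_TIER_ACL, Flow("tcp", internet_host, "10.10.20.20", 8443)),
        # Option A's proxy-to-database shortcut is caught by rule 4.
        "proxy->db:1433": evaluate(THREE_TIER_ACL, Flow("tcp", "10.10.10.10", "10.10.30.30", 1433)),
    }


def guest_decisions() -> Dict[str, str]:
    """Guest traffic reaches the internet; anything aimed at private space is denied."""
    guest_client = "192.168.200.25"   # constructed guest tablet
    return {
        "guest->internet:443": evaluate(GUEST_ACL, Flow("tcp", guest_client, "198.51.100.7", 443)),
        "guest->internal-10:8443": evaluate(GUEST_ACL, Flow("tcp", guest_client, "10.10.20.20", 8443)),
        "guest->other-192.168:445": evaluate(GUEST_ACL, Flow("tcp", guest_client, "192.168.1.10", 445)),
    }


if __name__ == "__main__":
    for name, result in {**three_tier_decisions(), **guest_decisions()}.items():
        print(f"{name:28} {result}")
```

Two details the evaluator makes visible: in the exhibit, the explicit `deny ip any -> 10.10.30.30` is only needed to document intent, because nothing else would have permitted proxy-to-database traffic anyway, and in the guest rule set the deny lines must precede the final permit, since a first-match ACL with the permit on top would never reach them.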

118
MCQ · easy

A small company is publishing an internal website to the internet. The security team wants the web server reachable from the internet while keeping the database and file share isolated from direct internet access. Which design is best?

A. Place the web server and database on the same flat internal network behind the firewall.
B. Place the web server in a DMZ and keep the database and file share on a private internal subnet.
C. Place the database in the DMZ and keep the web server on the internal user VLAN.
D. Use a VPN for all users and keep every server on the same subnet.
Answer: B

This is the best design because the internet-facing system is isolated in a DMZ, while sensitive back-end systems stay off the public path. Traffic can be tightly filtered so only the required web-to-database communication is allowed. That reduces exposure if the web server is compromised.

Why this answer

Option B is correct because it implements a DMZ architecture where the web server is placed in a publicly accessible network segment, while the database and file share reside on a private internal subnet. This design ensures that even if the web server is compromised, an attacker cannot directly access the internal resources: firewall rules admit internet traffic only to the DMZ, and the only connection the DMZ may initiate into the internal network is the specific web-to-database traffic the application requires. This follows the principle of defense in depth and network segmentation as recommended by CompTIA for securing multi-tier applications.

Exam trap

The trap here is that candidates often confuse a DMZ as a place to put all servers that need internet access, but the correct design isolates only the front-end web server in the DMZ while keeping backend services like databases and file shares on a separate internal subnet to prevent direct exposure.

How to eliminate wrong answers

Option A is wrong because placing the web server and database on the same flat internal network behind the firewall exposes the database to direct internet traffic if the web server is compromised, violating the principle of least privilege and network segmentation. Option C is wrong because placing the database in the DMZ exposes it directly to the internet, which defeats the purpose of isolating sensitive data; the web server should be the only component reachable from the internet, with the database kept on a private subnet. Option D is wrong because using a VPN for all users and keeping every server on the same subnet eliminates network segmentation entirely, meaning that if any server is breached, all resources including the database and file share are immediately accessible, and VPN access does not prevent lateral movement within the same subnet.

119
MCQ · medium

A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?

A. Application control using an allowlist for approved executables and publishers.
B. Full-disk encryption on every laptop before deployment.
C. A stronger screen-lock timeout and automatic logoff policy.
D. A firmware password for the BIOS without any other endpoint restrictions.
Answer: A

Allowlisting blocks unapproved software while still permitting known-good internal and vendor-signed applications.

Why this answer

Application control with an allowlist (also known as whitelisting) is the correct choice because it explicitly defines which executables, scripts, and publishers are permitted to run on managed Windows laptops. This prevents unauthorized tools downloaded from the internet from executing, while allowing approved internal apps and vendor-updated software that match the allowlist criteria. Technologies like Windows Defender Application Control (WDAC) or AppLocker enforce this by checking file hashes, publisher signatures, or path rules at runtime.

Exam trap

The trap here is that candidates often confuse data-at-rest protection (encryption) or session management (screen lock) with application execution control, mistakenly thinking they can prevent unauthorized software from running, when in fact they address entirely different security domains.

How to eliminate wrong answers

Option B is wrong because full-disk encryption (e.g., BitLocker) protects data at rest from unauthorized access if the laptop is lost or stolen, but it does not control which applications can run on the device; it has no mechanism to block execution of unauthorized tools. Option C is wrong because a stronger screen-lock timeout and automatic logoff policy addresses session security and unauthorized physical access, but it does not prevent a user from running downloaded executables while logged in; it has no application execution control capability.

120
MCQ · medium

A company is redesigning a customer portal. Internet users must reach only the web tier, the application tier must be reachable only from the web tier, and the database must be reachable only from the application tier. Administrators should manage servers from a dedicated jump host. Which design best meets these requirements?

A. Place all servers on one VLAN and use host firewalls on each system.
B. Place web servers in a DMZ, application servers in an internal server subnet, databases in a restricted trust zone, and allow administration only through ACLs from a jump host.
C. Place the database servers in the DMZ so the web tier can query them directly from the internet-facing network.
D. Use NAT for all servers and keep every system on the same internal subnet to simplify routing.
Answer: B

This design separates the exposure of each tier and limits traffic to the minimum necessary paths. The web servers can face the internet in a DMZ, while the application and database tiers remain progressively more restricted. ACLs and a jump host also enforce controlled administrative access and reduce direct management exposure.

Why this answer

Option B correctly implements a layered security architecture by placing web servers in a DMZ (accessible from the internet), application servers in an internal subnet (accessible only from the DMZ), and databases in a restricted trust zone (accessible only from the application tier). Administration is restricted to a dedicated jump host, enforcing strict network segmentation and least-privilege access control via ACLs.

Exam trap

The trap here is that candidates may think host firewalls alone are sufficient for segmentation, ignoring that VLANs and network ACLs are required to prevent lateral movement and enforce tier-to-tier access restrictions at the network layer.

How to eliminate wrong answers

Option A is wrong because placing all servers on a single VLAN with host firewalls violates the requirement for network segmentation; host firewalls can be misconfigured or bypassed, and a single VLAN allows lateral movement between tiers if any host is compromised. Option C is wrong because placing database servers in the DMZ exposes them directly to the internet, contradicting the requirement that the database be reachable only from the application tier and creating a severe security risk.

121
MCQ · easy

A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?

A. Full-disk encryption on every laptop.
B. Application allowlisting or application control.
C. A remote access VPN.
D. A desktop wallpaper policy.
Answer: B

This is the best choice because allowlisting permits only approved software and blocks unapproved tools, extensions, and installers. It is a strong way to reduce malware risk and limit user-driven software sprawl. Approved business applications can still run because they are explicitly allowed, which preserves usability while enforcing a controlled endpoint environment.

Why this answer

Application allowlisting (or application control) is the correct endpoint control because it explicitly defines which software executables, scripts, and installers are permitted to run on the system. By default, all unapproved applications—including unsanctioned browser extensions and freeware—are blocked, while approved business apps are allowed to execute. This directly addresses the requirement to prevent unauthorized installations while maintaining normal operations for sanctioned software.

Exam trap

The trap here is that candidates often confuse data protection controls (like encryption) or network controls (like VPN) with application execution controls, failing to recognize that only allowlisting directly governs what software can run on the endpoint.

How to eliminate wrong answers

Option A is wrong because full-disk encryption protects data at rest from unauthorized access if the laptop is lost or stolen, but it does not control which applications or extensions a user can install or run. Option C is wrong because a remote access VPN secures network communications between the laptop and corporate resources, but it has no ability to block local software installations or enforce application policies. Option D is wrong because a desktop wallpaper policy is a visual configuration setting that cannot enforce any security controls over application execution or installation.

122
MCQ · medium

A team deploys an e-commerce application on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. The company wants to reduce the chance that attackers exploit outdated software on the VM itself. Which responsibility remains with the company?

A. Replace the cloud provider’s physical security controls with on-site guards.
B. Patch and harden the guest operating system and application running on the VM.
C. Install new firmware on the physical host server maintained by the provider.
D. Set the data center’s perimeter access badge policy.
Answer: B

In IaaS, the organization is responsible for the guest OS and everything above it, including applications and configuration. If attackers may exploit outdated software on the VM, the company must handle patching, hardening, and secure configuration of that environment.

Why this answer

In an IaaS model, the cloud provider is responsible for the security of the cloud (datacenter, hardware, hypervisor), while the customer is responsible for security in the cloud. This includes patching and hardening the guest OS and application on the VM. The company must manage vulnerabilities in the software stack it controls to prevent exploitation of outdated components.

Exam trap

The trap here is confusing the shared responsibility model: candidates often assume the provider handles all security (including OS patching) because they secure the hypervisor, but in IaaS, the customer retains full responsibility for the guest OS and applications.

How to eliminate wrong answers

Option A is wrong because physical security controls (e.g., on-site guards) are the provider's responsibility under the shared responsibility model; the company cannot replace them. Option C is wrong because firmware updates for the physical host server are the provider's responsibility, not the customer's, as the customer has no access to the hypervisor or host hardware. Option D is wrong because setting data center perimeter access badge policies is a physical security task owned by the provider, not the company using the IaaS VM.

123
MCQ · medium

Based on the exhibit, which capability should be added so the SaaS app automatically creates, updates, and disables user accounts as directory changes occur?

A. Require MFA on the SaaS login page and leave account provisioning manual.
B. Add SCIM provisioning between the directory and the SaaS application.
C. Change the password rotation interval to every 30 days for all users.
D. Store credentials in a shared spreadsheet so the help desk can disable access faster.
Answer: B

SCIM automates user lifecycle events so account changes in the directory propagate to the application quickly.

Why this answer

SCIM (System for Cross-domain Identity Management) is the standard protocol designed to automate user provisioning and deprovisioning between an identity provider (like a directory) and a service provider (like a SaaS app). By adding SCIM provisioning, the SaaS app can automatically create, update, and disable user accounts in response to changes in the directory, eliminating the need for manual account management.

Exam trap

The trap here is that candidates may confuse authentication mechanisms (like MFA) or password policies with identity lifecycle management, failing to recognize that SCIM is the specific protocol designed for automated provisioning and deprovisioning.

How to eliminate wrong answers

Option A is wrong because requiring MFA only adds an authentication layer and does not automate account lifecycle management; manual provisioning remains, which does not address the requirement. Option C is wrong because changing the password rotation interval to 30 days is a password policy change that does not automate the creation, update, or disabling of user accounts based on directory changes. Option D is wrong because storing credentials in a shared spreadsheet introduces security risks and does not provide automated provisioning; it only offers a manual, insecure method for disabling access.
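The lifecycle described above (create on join, update on attribute change, disable on departure) as a worked SCIM 2.0 exchange. This is an added example, not part of the question bank or any vendor's implementation: the directory-side request builders and the in-process `ScimServer` are hypothetical stand-ins for what a real identity provider and SaaS app exchange over HTTPS with a bearer token, and the directory events are constructed.

```python
"""SCIM 2.0 provisioning exchange between a directory and a SaaS app.

Added example, not from the original question bank or any vendor. Both the
directory-side request builders and the SaaS-side `ScimServer` are hypothetical
and run in process; a real SaaS app exposes the same operations over HTTPS.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_create_request(directory_user: dict) -> dict:
    """Directory -> SaaS: POST /Users when a new account appears in the directory."""
    return {
        "method": "POST", "path": "/Users",
        "body": {
            "schemas": [USER_SCHEMA],
            "externalId": directory_user["object_id"],  # stable directory key for correlation
            "userName": directory_user["upn"],
            "name": {"givenName": directory_user["given"], "familyName": directory_user["family"]},
            "emails": [{"value": directory_user["upn"], "primary": True}],
            "active": True,
        },
    }


def scim_patch_request(scim_id: str, operations: list) -> dict:
    """Directory -> SaaS: PATCH /Users/{id} for attribute updates and deactivation."""
    return {"method": "PATCH", "path": f"/Users/{scim_id}",
            "body": {"schemas": [PATCH_SCHEMA], "Operations": operations}}


class ScimServer:
    """Toy SaaS-side SCIM endpoint (hypothetical) that applies the requests above."""

    def __init__(self):
        self.users = {}  # scim id -> user resource

    def handle(self, request: dict) -> dict:
        body = request["body"]
        if request["method"] == "POST" and request["path"] == "/Users":
            if USER_SCHEMA not in body["schemas"]:
                return {"status": 400, "body": {"detail": "unsupported schema"}}
            # userName must be unique; SCIM answers a duplicate with 409.
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return {"status": 409, "body": {"detail": "uniqueness"}}
            scim_id = str(uuid.uuid4())
            self.users[scim_id] = dict(body, id=scim_id)
            return {"status": 201, "body": self.users[scim_id]}
        if request["method"] == "PATCH" and request["path"].startswith("/Users/"):
            user = self.users.get(request["path"].split("/")[-1])
            if user is None:
                return {"status": 404, "body": {"detail": "not found"}}
            if PATCH_SCHEMA not in body["schemas"]:
                return {"status": 400, "body": {"detail": "unsupported schema"}}
            for op in body["Operations"]:
                if op["op"] != "replace":
                    return {"status": 400, "body": {"detail": "only replace is supported here"}}
                self._set_path(user, op["path"], op["value"])
            return {"status": 200, "body": user}
        return {"status": 405, "body": {"detail": "method not allowed"}}

    @staticmethod
    def _set_path(user: dict, path: str, value) -> None:
        """Apply a replace to a top-level attribute or a dotted sub-attribute."""
        target, parts = user, path.split(".")
        for part in parts[:-1]:
            target = target.setdefault(part, {})
        target[parts[-1]] = value


def run_lifecycle(server: ScimServer) -> dict:
    """Constructed directory events (join, rename, leave); returns the SaaS record."""
    joiner = {"object_id": "dir-00042", "upn": "a.lee@example.com", "given": "Ana", "family": "Lee"}
    created = server.handle(scim_create_request(joiner))
    scim_id = created["body"]["id"]
    # A directory attribute change propagates as a PATCH replace on that attribute.
    server.handle(scim_patch_request(
        scim_id, [{"op": "replace", "path": "name.familyName", "value": "Lee-Park"}]))
    # Offboarding: the SaaS account is deactivated rather than deleted, so the
    # user can no longer sign in while the record stays available for audit.
    server.handle(scim_patch_request(
        scim_id, [{"op": "replace", "path": "active", "value": False}]))
    return server.users[scim_id]
```

Deactivation via `active: false` rather than `DELETE` is the usual provisioning choice because it is reversible and keeps ownership of the user's data and audit history intact; the `externalId` is what lets the identity provider correlate the SaaS record back to the directory object even if `userName` changes.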

124
Multi-Select · medium

Several corporate laptops occasionally boot from a removable drive containing an untrusted recovery tool before Windows loads. The security team wants to reduce the chance of pre-boot tampering and unauthorized boot media use. Which two controls are most effective? Select two.

Select 2 answers
A. Enable UEFI Secure Boot.
B. Disable booting from external media or protect the firmware setup with a password.
C. Keep local administrator rights so users can recover faster.
D. Turn off disk encryption because it slows startup.
E. Move the laptops to a different subnet.
Answers: A, B

Secure Boot helps ensure that only trusted boot components load during startup. It reduces the chance that a malicious or untrusted bootloader can run before the operating system takes control.

Why this answer

UEFI Secure Boot ensures that only signed, trusted bootloaders and drivers are executed during the boot process. By verifying the digital signature of each component against a database of trusted keys, it prevents unauthorized boot media (such as an untrusted recovery tool) from loading before the operating system starts. This directly reduces the risk of pre-boot tampering and unauthorized boot media use.

Exam trap

The trap here is that candidates often confuse disk encryption (like BitLocker) with boot integrity controls, thinking encryption alone prevents unauthorized boot media, when in fact encryption protects data at rest but does not validate the trustworthiness of the boot process itself.

125
MCQ · hard

An online retailer is moving its public web app, internal API, and database into separate zones. Public users must reach only the web tier. The web tier must contact the app tier, and only the app tier may query the database. Admins should manage all servers from a hardened jump host. Which design best meets these goals and minimizes lateral movement?

A. Place all servers in one VLAN and rely on host-based firewalls to block unwanted traffic.
B. Create separate DMZ, application, and database zones with default-deny east-west rules and use a jump host for administration.
C. Put the database in the DMZ so the web tier can connect to it without extra firewall rules.
D. Expose the application tier to the Internet and use NAT to hide the database subnet.
Answer: B

This design limits exposure at each layer, prevents direct user-to-database access, and gives administrators a controlled management path.

Why this answer

Option B is correct because it implements a multi-tier network architecture with separate DMZ, application, and database zones, enforcing default-deny east-west traffic rules. This ensures that public users can only reach the web tier, the web tier can only communicate with the app tier, and only the app tier can query the database, while all administrative access is funneled through a hardened jump host, which minimizes lateral movement by restricting inter-zone traffic to only what is explicitly required.

Exam trap

The trap here is that candidates often assume placing the database in the DMZ simplifies connectivity, but this violates the principle of defense in depth by removing network segmentation between the web tier and sensitive data storage.

How to eliminate wrong answers

Option A is wrong because placing all servers in one VLAN with host-based firewalls does not provide network-level segmentation; a compromised host could still potentially bypass host firewalls or exploit misconfigurations, allowing lateral movement across all tiers. Option C is wrong because putting the database in the DMZ exposes it to the same network segment as the web tier, violating the principle of least privilege and increasing the attack surface, as the database should never be directly accessible from the DMZ. Option D is wrong because exposing the application tier to the Internet directly exposes internal logic and APIs to potential attacks, and NAT alone does not enforce access control between tiers, leaving the database vulnerable to lateral movement if the app tier is compromised.

126
MCQ · medium

A team runs a confidential document repository on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. Which task remains the organization’s responsibility?

A. Patching the physical hosts inside the cloud provider's datacenter.
B. Replacing the provider's hypervisor when a new version is released.
C. Hardening the guest operating system and controlling access to the repository application.
D. Managing the cloud provider's physical badge access for the server room.
Answer: C

In IaaS, the organization is responsible for what it deploys on the virtual machine, including the guest operating system, its configuration, patching, and application-level access controls. Those tasks directly affect who can use the document repository and how securely the workload runs. Shared responsibility means the provider handles the platform, while the customer secures the OS and data-layer usage.

Why this answer

In an IaaS model, the cloud provider is responsible for the security of the cloud (physical datacenter, hardware, hypervisor), while the customer is responsible for security in the cloud. This includes hardening the guest OS, configuring firewalls, managing access controls, and patching the operating system and applications. Option C correctly identifies the organization's duty to secure the guest OS and the repository application.

Exam trap

The trap here is confusing the IaaS shared responsibility model with PaaS or SaaS, where the provider handles more of the stack; candidates often assume the provider patches the guest OS or manages application access, but in IaaS those are customer responsibilities.

How to eliminate wrong answers

Option A is wrong because patching physical hosts is the cloud provider's responsibility under the shared responsibility model; the customer has no access to the physical infrastructure. Option B is wrong because replacing the hypervisor is a provider-managed task; the customer only interacts with the virtual machine and its guest OS. Option D is wrong because managing physical badge access to the server room is a physical security control that falls entirely on the cloud provider, not the customer.

127
MCQ · medium

Sales staff use company laptops on public Wi-Fi and travel frequently. The company wants the disk contents unreadable if a laptop is stolen, even if the drive is removed and placed in another system. Which control is the best fit?

A. Require a screen lock after five minutes of inactivity.
B. Enable full-disk encryption with a hardware-backed key store such as a TPM, preferably with a pre-boot PIN.
C. Encrypt only the most sensitive folders with file-level encryption.
D. Rely on remote wipe because the device will usually connect to the internet again.
Answer: B

Full-disk encryption protects data at rest, and hardware-backed keys prevent the drive from being read outside the original device.

Why this answer

Full-disk encryption (FDE) with a hardware-backed key store like a TPM ensures that the entire disk contents are encrypted at rest. Even if the drive is removed and placed in another system, the decryption key remains bound to the original TPM, and a pre-boot PIN adds an additional authentication factor, making the data unreadable without both the TPM and the correct PIN.

Exam trap

The trap here is that candidates often choose remote wipe (Option D) because it sounds proactive, but they overlook the critical requirement that the device must be online for remote wipe to work, which is not guaranteed for a stolen laptop that may never connect to the internet.

How to eliminate wrong answers

Option A is wrong because a screen lock after five minutes of inactivity only protects the device while it is locked; it does not encrypt the disk, so if the drive is removed and placed in another system, the data is fully readable. Option C is wrong because file-level encryption only protects specific folders, leaving other areas of the disk (e.g., system files, temp files, and unencrypted user data) exposed when the drive is removed. Option D is wrong because remote wipe relies on the device connecting to the internet; if the laptop is stolen and never reconnects, or if the thief immediately removes the drive, the wipe command cannot execute, leaving the data accessible.

128
Multi-Select · hard

An organization stores full payment card numbers, analysts need the last four digits for investigation, and the backup team is worried about ransomware and stolen backup media. Which three controls best address these requirements? Select three.

Select 3 answers
A. Tokenize primary account numbers before they reach analytics, reporting, or test systems.
B. Store backups on the same production storage array to simplify restore operations.
C. Encrypt backup sets with keys managed outside the backup repository itself.
D. Use simple masking only in spreadsheets while leaving the source database unchanged.
E. Keep one immutable or air-gapped backup copy to resist ransomware and theft.
Answers: A, C, E

Tokenization replaces sensitive values with nonusable substitutes while preserving business usefulness for many workflows. Analysts can still correlate records, but exposed reports and test data no longer reveal the true card number. This is especially valuable for payment data because it reduces the number of environments that ever handle the actual secret value.

Why this answer

Tokenization replaces the full primary account number (PAN) with a unique token that retains the last four digits for analytics, so analysts can perform investigations without exposing sensitive cardholder data. This directly satisfies PCI DSS requirements for minimizing the use of full PANs in non-production environments, while preserving the utility needed for fraud analysis or reporting.

Exam trap

The trap here is that candidates often confuse tokenization with masking or encryption, assuming any obfuscation technique is sufficient, but tokenization is the only option that irreversibly removes the full PAN from analytics systems while preserving the last four digits for investigation.
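The tokenization design the explanation describes, shown as an added example that is not part of the question bank: a token keeps the last four digits for analysts, carries no information about the rest of the PAN, and can only be reversed by the vault. The in-process `TokenVault` and the `payment-processor` role name are hypothetical; in practice the vault is a separately secured service and analytics systems never hold the mapping. The PAN used in the comments and test is the well-known test number 4111 1111 1111 1111, not real card data.

```python
"""Format-preserving tokenization of payment card numbers (PANs).

Added example, not part of the original question bank. `TokenVault` is a
hypothetical in-process stand-in for a separately secured tokenization service.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """True if `number` (digits only) passes the Luhn check used for real PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class TokenVault:
    """Maps PANs to tokens and back. Only this component ever sees full PANs."""
    _pan_to_token: dict = field(default_factory=dict)
    _token_to_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        """Return a token of the same length that keeps only the last four digits."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # deterministic, so analysts can still correlate records
        head_len = len(pan) - 4
        while True:
            # Random digits replace everything but the suffix; the prefix (BIN) is gone too,
            # so the token reveals nothing beyond the four digits analysts are allowed to see.
            token = "".join(str(secrets.randbelow(10)) for _ in range(head_len)) + pan[-4:]
            # Reject candidates that pass Luhn or collide, so a token can never be
            # mistaken for, or accidentally equal to, a real card number.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse lookup, restricted to the role that actually needs the PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def analytics_record(vault: TokenVault, pan: str) -> dict:
    """What the analytics/reporting tier receives: a token and the visible suffix."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}
```

Because the mapping is stored only inside the vault, the analytics, reporting and test systems that receive `analytics_record` output never hold cardholder data and drop out of the environments that must be protected as such; the Luhn rejection step is a small extra safeguard so that a leaked report full of tokens cannot be mistaken for a leak of card numbers.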

129
MCQ · easy

An HR assistant should be able to view employee records, but should not have access to payroll administration or IT server tools. Which access model is best for assigning permissions by job role?

A. Role-based access control
B. Shared local administrator accounts
C. Open access for all employees
D. Biometric authentication
Answer: A

RBAC assigns permissions based on job functions, which fits users like HR assistants very well.

Why this answer

Role-based access control (RBAC) is the correct model because it assigns permissions based on job functions rather than individual users. In this scenario, the HR assistant role would be granted read/write access to employee records, while being explicitly denied access to payroll administration and IT server tools, ensuring least privilege and separation of duties. RBAC simplifies administration by grouping permissions into roles, which can be easily assigned or revoked as job responsibilities change.

Exam trap

The trap here is that candidates confuse authentication (biometrics) with authorization (access control), or assume that shared accounts or open access can be secured by policy alone, ignoring the fundamental need for role-based permission segregation.

How to eliminate wrong answers

Option B is wrong because shared local administrator accounts provide unrestricted access to all system resources with no individual accountability (actions cannot be attributed to a specific person), which violates the principle of least privilege and would grant the HR assistant full control over payroll and IT tools. Option C is wrong because open access for all employees would allow every user, including the HR assistant, to view and modify payroll and IT server data, directly contradicting the requirement to restrict access. Option D is wrong because biometric authentication is an identity verification method (something you are), not an authorization model; it controls who logs in, not what permissions they have after authentication.

130
MCQ · hard

A Windows file server was built from a gold image, but six months later a scan shows Remote Desktop enabled, SMBv1 re-enabled, and Print Spooler running. The same drift appears on several other servers after emergency troubleshooting. Security wants to return the environment to the approved baseline and prevent the changes from coming back. What is the best solution?

A. Document the deviations and rely on manual checks after each maintenance window
B. Deploy configuration management that enforces the hardened baseline continuously
C. Run a vulnerability scan more often and close the findings in the ticketing system
D. Increase storage capacity so the image can be rebuilt faster next time
Answer: B

Continuous configuration management is the best answer because it can reapply the approved baseline and correct drift across many systems automatically. This approach does more than detect the problem; it helps prevent the same insecure settings from persisting after troubleshooting or emergency changes. It is the most effective way to standardize hardening at scale and keep the environment aligned to policy.

Why this answer

Configuration management tools like Ansible, DSC, or Group Policy can continuously enforce a hardened baseline by reverting unauthorized changes (e.g., disabling SMBv1, stopping Print Spooler, disabling RDP) at a defined interval or on a trigger. This prevents configuration drift without relying on manual intervention or reactive scanning, directly addressing the root cause of the problem.

Exam trap

The trap here is that candidates confuse reactive vulnerability scanning (Option C) with proactive configuration enforcement, or mistakenly think manual documentation (Option A) or faster rebuilds (Option D) address the continuous drift problem.

How to eliminate wrong answers

Option A is wrong because documenting deviations and relying on manual checks is reactive and does not prevent drift from recurring, especially after emergency troubleshooting. Option C is wrong because running vulnerability scans more often only detects drift after it occurs, and closing findings in a ticketing system does not enforce the baseline or prevent re-enabling of services. Option D is wrong because increasing storage capacity to rebuild images faster does not prevent configuration drift; it only reduces recovery time after a rebuild, which is not a proactive solution.

131
MCQ · easy

An HR department wants each employee to access only the systems required for their job. A new hire should receive the same permissions as other HR specialists, and changes to the role should update access centrally. Which access model should be used?

A. Role-based access control (RBAC)
B. Attribute-based access control (ABAC)
C. Multi-factor authentication (MFA)
D. Privileged access management (PAM)
Answer: A

RBAC assigns permissions to job roles, which makes onboarding and access changes easier to manage centrally.

Why this answer

Role-based access control (RBAC) is the correct model because it assigns permissions based on job roles (e.g., HR specialist), ensuring that a new hire automatically inherits the same access as others in that role. Centralized role management allows changes to the role's permissions to propagate to all members, meeting the requirement for centralized updates.

Exam trap

The trap here is that candidates often confuse ABAC with RBAC because both can use attributes, but RBAC relies on static role assignments, whereas ABAC evaluates dynamic attributes at runtime, making RBAC the correct choice for role-based inheritance and centralized updates.

How to eliminate wrong answers

Option B (ABAC) is wrong because it evaluates access based on attributes (e.g., time, location, department) rather than a predefined role, which would require complex policy rules for each user and does not inherently support role-based inheritance. Option C (MFA) is wrong because it is an authentication mechanism, not an access control model; it verifies identity but does not define what resources a user can access. Option D (PAM) is wrong because it is designed to manage and monitor privileged accounts (e.g., administrators), not to assign standard user permissions based on job roles.
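The RBAC behaviour that questions 129 and 131 both rely on, as one added example that is not part of the question bank: permissions attach to roles, a new hire inherits a role's permissions at assignment time, a later change to the role reaches every member centrally, anything not granted through a role is denied, and a static separation-of-duties rule keeps one person from holding conflicting roles. The role names, permission strings and users are constructed for illustration.

```python
"""Role-based access control with central role management.

Added example, not from the original question bank. Roles, permissions and
users below are constructed for the HR scenario; nothing here is a real product.
"""
from collections import defaultdict


class Rbac:
    """Permissions attach to roles, users hold roles, everything else is denied."""

    def __init__(self):
        self.role_permissions = defaultdict(set)   # role -> {permission}
        self.user_roles = defaultdict(set)         # user -> {role}
        self.exclusive = set()                     # {frozenset({role_a, role_b})} that no one may hold together

    def grant(self, role: str, permission: str) -> None:
        """Central change: every current and future member of `role` gets it."""
        self.role_permissions[role].add(permission)

    def revoke(self, role: str, permission: str) -> None:
        self.role_permissions[role].discard(permission)

    def add_exclusion(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: the two roles may not be held by one user."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> None:
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"{role!r} conflicts with {held!r} for {user!r} (separation of duties)")
        self.user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        """Role change or offboarding: access disappears with the role, nothing to chase per user."""
        self.user_roles[user].discard(role)

    def permissions_of(self, user: str) -> set:
        """Effective permissions are the union of the user's roles, computed at check time."""
        return set().union(*(self.role_permissions[r] for r in self.user_roles[user]))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Default deny: only a role the user currently holds can grant the permission."""
        return permission in self.permissions_of(user)

    def who_can(self, permission: str) -> set:
        """Access-review helper: which users hold a permission through any role."""
        return {u for u in self.user_roles if self.is_allowed(u, permission)}


def build_hr_policy() -> Rbac:
    """Constructed policy: HR specialists read records; payroll and IT stay separate roles."""
    rbac = Rbac()
    rbac.grant("hr-specialist", "employee-records:read")
    rbac.grant("payroll-admin", "payroll:admin")
    rbac.grant("it-ops", "servers:admin")
    rbac.add_exclusion("hr-specialist", "payroll-admin")  # one person must not edit and pay out
    rbac.assign("alice", "hr-specialist")                 # an existing HR specialist
    rbac.assign("pat", "payroll-admin")
    return rbac


def onboard(rbac: Rbac, new_hire: str, role: str) -> set:
    """A new hire receives the role and, with it, exactly the role's current permissions."""
    rbac.assign(new_hire, role)
    return rbac.permissions_of(new_hire)
```

Computing effective permissions at check time rather than copying them onto the user is what makes the "change the role, every member updates" requirement in question 131 hold; the `who_can` helper is the query an access review runs to confirm that, for example, no HR assistant has ended up with payroll or server administration rights.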

132
MCQ · medium

A security team discovers that several laptops occasionally boot from a removable drive before Windows loads, allowing unapproved recovery tools to run. Management wants to prevent this with the least impact on normal users. Which control is the best fit?

A. Disable all USB ports permanently on every laptop.
B. Enable secure boot and restrict the firmware boot order so only the approved internal boot path is allowed.
C. Uninstall the endpoint protection agent and replace it with manual inspections.
D. Move user data to cloud storage so rogue boot media can no longer access it.
Answer: B

Secure boot helps ensure the platform loads trusted boot components, while boot-order restrictions prevent users from starting the system from unapproved removable media. Together, they address the problem at the pre-OS layer and preserve normal daily use. This is a targeted hardening change that is less disruptive than disabling all external ports.

Why this answer

Secure Boot ensures that only signed, trusted firmware and bootloaders execute during the startup process. By restricting the firmware boot order to the internal drive only, the laptop will ignore removable media during boot, preventing unapproved recovery tools from running before Windows loads. This has minimal impact on normal users because they can still use USB devices after the OS has booted.

Exam trap

The trap here is that candidates may think disabling USB ports entirely is the simplest solution, but the question specifically asks for the control with the least impact on normal users, and Secure Boot with boot order restriction targets only the pre-boot phase without affecting post-boot USB functionality.

How to eliminate wrong answers

Option A is wrong because disabling all USB ports permanently would prevent legitimate use of USB peripherals (e.g., mice, keyboards, external storage) after boot, causing significant disruption to normal users. Option C is wrong because uninstalling the endpoint protection agent and replacing it with manual inspections removes automated threat detection and response, increasing security risk and administrative overhead without addressing the boot-time attack vector.

133
Multi-Select · easy

A system administrator is creating a secure baseline for a new Linux application server. Which two actions are appropriate hardening steps? Select two.

Select 2 answers
A. Disable services that the server does not need to perform its job.
B. Close unused listening ports with the host firewall or service configuration.
C. Install extra administrative tools on the server for convenience.
D. Enable passwordless remote shell access for faster troubleshooting.
E. Leave sample accounts and default demo content in place for testing.
Answers: A, B

Turning off unnecessary services reduces the number of programs that could be exploited. A hardened baseline should keep only the functions required for the server's role.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for exploitation. In a Linux server baseline, services like Telnet, FTP, or unused web servers should be disabled using systemctl or by removing the associated packages. This aligns with the principle of least functionality, ensuring only required processes run.

Exam trap

The trap here is that candidates may think convenience tools or default content are harmless, but the SY0-701 exam emphasizes that any unnecessary service, port, or account is a security risk that must be eliminated in a secure baseline.

134
MCQ · medium

Based on the exhibit, which backup protection change best improves ransomware resilience and protects the backup media if it is stolen?

A. Enable backup encryption only, because encrypted backups cannot be read if stolen.
B. Add an immutable offline or air-gapped copy with separate backup credentials and regular restore testing.
C. Move the USB drive into a different cabinet inside the same server room.
D. Reduce the retention period so backups consume less storage space.
Answer: B

An immutable or offline copy protects backups from tampering, ransomware, and accidental deletion because the attacker cannot easily modify it. Separate credentials reduce the chance that compromised domain admin accounts can reach every backup copy. Regular restore testing ensures the organization can actually recover when needed. This is the strongest improvement in the exhibit.

Why this answer

Option B is correct because implementing an immutable, offline or air-gapped backup copy with separate credentials ensures that even if an attacker compromises the primary backup system or steals the media, they cannot modify or delete the backups. Regular restore testing verifies the integrity and recoverability of the data, which is critical for ransomware resilience. This approach aligns with the 3-2-1 backup rule and NIST SP 800-184 guidance for cyber recovery.

Exam trap

The trap here is that candidates often assume encryption alone (Option A) is sufficient for ransomware protection, overlooking that encryption does not prevent backup corruption or deletion, and that an immutable, air-gapped copy with separate credentials is the only option that addresses both theft and ransomware attack scenarios.

How to eliminate wrong answers

Option A is wrong because backup encryption alone does not prevent ransomware from encrypting or deleting the backup files themselves; encryption only protects data confidentiality if the media is stolen, but the attacker could still corrupt or destroy the backups before encryption is applied. Option C is wrong because moving the USB drive to a different cabinet in the same server room does not create an air gap or offline copy; the drive remains accessible to the same network and threats, and physical theft of the cabinet would still compromise the backups. Option D is wrong because reducing the retention period only frees storage space and does not improve resilience against ransomware; it actually increases the risk of data loss by shortening the recovery window, and it does not protect backups from being encrypted or deleted.

135
MCQ · easy

A company uses several SaaS applications and wants employees to sign in once with a corporate account instead of maintaining separate passwords for each app. Which architecture is best?

A. Shared generic accounts for each department.
B. Federated single sign-on with a central identity provider.
C. A separate username and password database in every SaaS application.
D. A site-to-site VPN for every SaaS vendor.
Answer: B

This is the best choice because a central identity provider can authenticate the user once and then issue trusted access to multiple SaaS applications. It reduces password sprawl, simplifies account provisioning, and supports faster deprovisioning when an employee leaves. Federation also improves control because the business can manage identity from one place.

Why this answer

Federated single sign-on (SSO) with a central identity provider (IdP) allows users to authenticate once using their corporate account (e.g., via SAML 2.0 or OIDC) and then access multiple SaaS applications without re-entering credentials. The IdP issues a token that each SaaS app trusts, eliminating the need for separate passwords while maintaining centralized control over authentication policies.

Exam trap

The trap here is that candidates confuse network-level VPN connectivity with identity-level federation, assuming a VPN can provide SSO, when in fact VPNs only secure the transport layer and do not address authentication across separate application domains.

How to eliminate wrong answers

Option A is wrong because shared generic accounts violate the principle of least privilege and non-repudiation, as multiple users share the same credentials, making it impossible to audit individual actions. Option C is wrong because maintaining a separate username and password database in every SaaS application directly contradicts the requirement to eliminate separate passwords and introduces redundant identity silos. Option D is wrong because a site-to-site VPN provides network-layer connectivity, not identity federation; it does not solve the problem of authenticating users across different SaaS applications without separate credentials.

136
MCQ · medium

A regulated analytics workload must run in the cloud with the strongest isolation from other customers, but the company does not want to manage its own physical server room. Which placement is most appropriate?

A. A public subnet with an internet gateway so the workload can be reached directly.
B. A shared-tenancy virtual machine in the provider's default compute pool.
C. A dedicated host or equivalent single-tenant compute placement in the provider's environment.
D. A serverless function because it removes all underlying infrastructure concerns.
Answer: C

Single-tenant placement offers the best isolation from other customers while still letting the provider manage the physical infrastructure.

Why this answer

Option C is correct because a dedicated host or single-tenant compute placement ensures that the physical server is not shared with any other customer, providing the strongest isolation required for regulated workloads. This model meets the compliance need for physical separation while still being a cloud service, so the company avoids managing its own server room.

Exam trap

The trap here is that candidates often confuse logical isolation (e.g., VPCs, private subnets) with physical isolation, and mistakenly choose a shared-tenancy option like a private subnet VM, thinking it provides the strongest separation.

How to eliminate wrong answers

Option A is wrong because a public subnet with an internet gateway exposes the workload directly to the internet, which weakens security and does not provide any physical isolation from other customers. Option B is wrong because a shared-tenancy virtual machine runs on hardware shared with other customers, offering only logical isolation and failing the requirement for the strongest physical isolation. Option D is wrong because serverless functions run on shared infrastructure managed by the provider, with no guarantee of single-tenant physical isolation, and they do not meet the explicit need for the strongest isolation from other customers.

137
MCQhard

Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?

A.Use a consumer anti-malware app and perform a full-device wipe if the tablet is lost.
B.Use MDM or UEM with a managed work profile or container, compliance checks, and selective wipe.
C.Install a VPN app on the tablets and let users choose their own lock-screen settings.
D.Use application allowlisting alone and avoid enrolling the tablets in a management platform.
AnswerB

This meets the isolation, selective wipe, and posture-check requirements while preserving approved personal use on the device.

Why this answer

Option B is correct because Mobile Device Management (MDM) or Unified Endpoint Management (UEM) with a managed work profile (e.g., Android Work Profile or iOS Managed Open In) creates a separate, encrypted container for corporate data. This allows compliance checks to detect rooted devices or disabled encryption, and enables a selective wipe that removes only the corporate workspace without affecting personal apps or data.

Exam trap

The trap here is that candidates often confuse a full-device wipe (which destroys personal data) with a selective wipe (which only removes the corporate container), or assume that a VPN or anti-malware app alone can provide the required isolation and compliance enforcement.

How to eliminate wrong answers

Option A is wrong because a consumer anti-malware app cannot enforce containerization or selective wipe; a full-device wipe destroys all personal data, violating the requirement to isolate and preserve personal data. Option C is wrong because a VPN app alone does not provide work profile isolation, compliance checks for root/encryption, or selective wipe capabilities; letting users choose lock-screen settings undermines security policy enforcement. Option D is wrong because application allowlisting without a management platform cannot create a separate corporate workspace, enforce encryption or root detection, or perform a selective wipe; it only controls which apps can run, not data isolation or remote wipe.

138
MCQmedium

A legacy finance application cannot yet support multifactor authentication. The security team still wants administrators to use separate privileged accounts, receive elevated access only when a ticket is approved, and have those privileges removed automatically after the maintenance window ends. Which solution best fits?

A.Create one shared administrator account and rotate its password every week.
B.Assign permanent administrator rights through role-based access control and rely on audit logs afterward.
C.Use privileged access management with separate admin accounts and time-bound elevation approvals.
D.Move the application behind a federation service so all users can sign in with a single password.
AnswerC

Privileged access management is designed for this situation. Separate admin accounts preserve accountability, while time-bound elevation reduces standing privilege and limits exposure when the elevated rights are not needed. Approval workflows also support operational control and can be tied to maintenance tickets for traceability.

Why this answer

Option C is correct because Privileged Access Management (PAM) solutions are specifically designed to enforce just-in-time (JIT) privileged access. They allow administrators to request time-bound elevation of rights for a specific maintenance window, with automatic revocation after the window expires. This directly meets the requirements of separate privileged accounts, ticket-based approval, and automatic removal of privileges, even when the legacy application itself cannot support MFA.

Exam trap

The trap here is that candidates may confuse federation (SSO) with privileged access management, thinking that a single sign-on solution can enforce time-bound elevation, when in fact federation only centralizes authentication and does not manage granular, time-limited privilege escalation.

How to eliminate wrong answers

Option A is wrong because a shared administrator account violates the principle of least privilege and non-repudiation; rotating the password weekly does not provide time-bound, ticket-approved elevation or automatic removal of privileges. Option B is wrong because permanent administrator rights through RBAC contradict the requirement for elevated access only when a ticket is approved and automatic removal after the maintenance window; audit logs alone do not enforce time-bound access. Option D is wrong because placing the application behind a federation service with a single password does not provide separate privileged accounts, ticket-based approval, or time-bound elevation; it also introduces a single point of failure and does not address the need for privileged access management.

139
Multi-Selecthard

A router interface connects the DMZ subnet 10.10.10.0/24 to the internal network. A web server at 10.10.10.25 must reach an application server at 10.10.20.20 on TCP 8443, and all other DMZ-to-internal traffic must be blocked. Which two ACL entries should be applied inbound on the DMZ-facing interface? Select two.

Select 2 answers
A.permit tcp 10.10.10.25 host 10.10.20.20 eq 8443
B.permit tcp host 10.10.20.20 any eq 8443
C.deny ip 10.10.10.0/24 10.10.20.0/24
D.permit ip any any
E.permit udp 10.10.10.0/24 host 10.10.20.20 eq 8443
AnswersA, C

These two entries allow only the required web-server-to-application-server connection on the specified port and explicitly deny the remaining DMZ-to-internal traffic. The permit uses a very narrow source and destination definition, which is the safest way to allow the business flow. The ACL should permit the needed application traffic and nothing broader than that.

Why this answer

Option A is correct because it permits TCP traffic from the specific web server (10.10.10.25) to the application server (10.10.20.20) on destination port 8443, which is the only allowed DMZ-to-internal communication. This entry uses the 'host' keyword to specify the exact source IP and the 'eq' keyword to match the required destination port, implementing the principle of least privilege.

Exam trap

Cisco often tests the misconception that a single permit statement is sufficient. Candidates forget that when the requirement states 'all other traffic must be blocked', an explicit deny entry is expected in addition to the permit; relying on the implicit deny alone does not satisfy the explicit blocking requirement in the question.
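To make the first-match and implicit-deny behaviour concrete, here is an added Python example (not from the original page) that models the two selected entries and evaluates sample flows against them. The parser is a teaching simplification: it accepts the CIDR and `host` notation used in the options rather than Cisco wildcard masks, and the flows other than the web and application servers named in the question are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any transport protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.src) not in self.src:
            return False
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == flow.dport


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'host A.B.C.D', 'any', a CIDR block, or a bare address."""
    if tokens[0] == "host":
        tokens.pop(0)
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    spec = tokens.pop(0)
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32")


def parse_entry(line: str) -> AclEntry:
    """Parse '<action> <proto> <src> <dst> [eq <port>]' in the simplified notation of the options."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return AclEntry(action, proto, src, dst, dport)


def evaluate(acl: List[AclEntry], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, index); index None means the implicit deny fired."""
    for i, entry in enumerate(acl):
        if entry.matches(flow):
            return entry.action, i
    return "deny", None


# The two selected entries (options A and C), applied inbound on the DMZ-facing interface.
DMZ_INBOUND_ACL = [
    parse_entry("permit tcp 10.10.10.25 host 10.10.20.20 eq 8443"),
    parse_entry("deny ip 10.10.10.0/24 10.10.20.0/24"),
]


def decisions() -> dict:
    """Evaluate constructed sample flows; only the first one is the approved business flow."""
    flows = {
        "web_to_app_8443": Flow("tcp", "10.10.10.25", "10.10.20.20", 8443),
        "web_to_app_ssh": Flow("tcp", "10.10.10.25", "10.10.20.20", 22),
        "other_dmz_host_8443": Flow("tcp", "10.10.10.30", "10.10.20.20", 8443),
        "udp_8443": Flow("udp", "10.10.10.25", "10.10.20.20", 8443),
        # 10.10.30.5 is a constructed internal host outside the explicit deny's destination range
        "dmz_to_other_internal": Flow("tcp", "10.10.10.25", "10.10.30.5", 443),
    }
    return {name: evaluate(DMZ_INBOUND_ACL, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, idx) in decisions().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:24s} {action:6s} ({where})")
```

The last flow shows why the explicit deny matters on the exam: traffic to an internal subnet outside 10.10.20.0/24 is still dropped, but only by the implicit deny, which is invisible in the configuration and in hit counters. The explicit entry makes the intended block auditable.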

140
Multi-Selecthard

A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.

Select 2 answers
A.Require the provider to document logical tenant isolation and separate customer encryption keys.
B.Use a shared local administrator account for the app so offboarding is easier.
C.Allow anonymous public links as the default method for external collaboration.
D.Integrate the SaaS with the corporate IdP using federation and SCIM lifecycle automation.
E.Rely on manual quarterly cleanup tickets to disable former employees.
AnswersA, D

Logical tenant isolation helps prevent one tenant from reading or influencing another tenant’s data. Separate customer encryption keys further reduce cross-tenant risk because encrypted content is not protected by a single shared key set. Together, these requirements are useful when evaluating multi-tenant SaaS risk and selecting a provider with stronger separation controls.

Why this answer

Option A is correct because logical tenant isolation (e.g., separate databases or namespaces) and separate customer encryption keys ensure that a breach in one tenant cannot access another tenant's data, directly reducing the impact of cross-tenant attacks. This aligns with the shared responsibility model in SaaS, where the provider must enforce strong multi-tenant boundaries at the application and data layers.

Exam trap

The trap here is that candidates may confuse 'shared local admin account' (Option B) with efficient offboarding, but it actually undermines security and auditability, while the correct approach is federation with SCIM for automated lifecycle management.

141
MCQeasy

A customer-facing website must stay available if one of two application servers fails. Which design should the team implement?

A.A single server with a larger power supply
B.A load balancer in front of multiple application servers
C.A daily screenshot of the website
D.A more restrictive password policy
AnswerB

A load balancer can send traffic to a healthy server if one instance becomes unavailable.

Why this answer

A load balancer distributes incoming traffic across multiple application servers, providing high availability and fault tolerance. If one server fails, the load balancer automatically redirects traffic to the remaining healthy server(s), ensuring the website remains accessible. This design directly addresses the requirement for continued availability despite a single server failure.

Exam trap

The trap here is that candidates may confuse high availability with other security or operational measures, such as backups or password policies, failing to recognize that only redundant infrastructure with automatic failover can maintain uptime during a server failure.

How to eliminate wrong answers

Option A is wrong because a larger power supply only addresses power redundancy for a single server, not server-level failure; if the server itself fails, the website goes down regardless of power capacity. Option C is wrong because a daily screenshot captures a static image of the website at a point in time and does nothing to maintain live availability or handle server failures. Option D is wrong because a more restrictive password policy improves authentication security but has no impact on server redundancy or application availability.

142
Multi-Selecteasy

A DevOps team stores container images in a registry before deployment. Which two practices reduce the chance of deploying a risky image? Select two.

Select 2 answers
A.Scan images for known vulnerabilities before they are promoted to production.
B.Use trusted minimal base images and remove unnecessary packages.
C.Run containers as root by default to simplify troubleshooting.
D.Mount the host operating system filesystem into every container.
E.Deploy images using the latest tag without reviewing version history.
AnswersA, B

Image scanning helps identify vulnerable packages and libraries before deployment. This is a practical control because it finds known issues early in the pipeline, when they are easiest to fix.

Why this answer

Option A is correct because scanning container images for known vulnerabilities (e.g., using tools like Trivy or Clair) identifies CVEs in the OS packages or application dependencies before the image reaches production. This proactive check prevents deploying images with exploitable flaws, aligning with secure software supply chain practices. Option B is correct because using trusted minimal base images (e.g., Alpine or distroless) reduces the attack surface, and removing unnecessary packages eliminates potential vulnerabilities from unused components, following the principle of least functionality.

Exam trap

CompTIA often tests the misconception that running containers as root is acceptable for troubleshooting, but the SY0-701 exam emphasizes that containers should always run with the least privileges necessary, and the latest tag is a security anti-pattern because it breaks deterministic deployments.
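As an added example, not from the original page or any project it names, the following Python lints a Dockerfile for the anti-patterns the explanation calls out: a base image outside a trusted minimal allowlist, an unpinned or `latest` tag, and a final stage that still runs as root. Only the final stage's base image is checked for trust, because builder stages do not ship in the deployed image; the tag check applies to every stage since an unpinned builder also breaks reproducible builds. The trusted-base allowlist and both sample Dockerfiles are constructed for this example.

```python
from typing import List, Optional, Tuple

# Assumed allowlist of trusted minimal base images (constructed; a real one comes from registry policy).
TRUSTED_BASES = {"alpine", "gcr.io/distroless/static", "gcr.io/distroless/base"}


def parse_image_ref(image: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'name[:tag][@digest]' into (name, tag, digest); tolerates registry:port/name."""
    ref, _, digest = image.partition("@")
    head, sep, last = ref.rpartition("/")
    if ":" in last:
        base, tag = last.split(":", 1)
        name = head + sep + base
    else:
        name, tag = ref, None
    return name, tag, digest or None


def lint_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the deploy-time risks discussed in the question."""
    findings: List[Tuple[str, str]] = []
    final_base = None   # (name, tag, digest) of the last FROM, i.e. the runtime image
    user = None         # USER in effect at the end of the final stage
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = arg.split()[0]              # drop any 'AS <stage>' alias
            final_base = parse_image_ref(image)
            user = None                         # every stage starts as root
            _, tag, digest = final_base
            if tag == "latest" or (tag is None and digest is None):
                findings.append(("UNPINNED_OR_LATEST_TAG", image))
        elif instr == "USER":
            user = arg.split(":")[0].strip()    # 'uid:gid' or 'name'
    if final_base is None:
        findings.append(("NO_FROM", ""))
        return findings
    name = final_base[0]
    if name not in TRUSTED_BASES:
        findings.append(("UNTRUSTED_BASE", name))
    if user in (None, "root", "0"):
        findings.append(("ROOT_USER", user or "<unset>"))
    return findings


def lint_codes(text: str) -> set:
    """Convenience wrapper: the set of rule codes that fired."""
    return {rule for rule, _ in lint_dockerfile(text)}


# Constructed sample: the anti-patterns from options C and E plus a full-size base image.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
COPY app /app
CMD ["/app/run"]
"""

# Constructed sample: pinned builder, minimal distroless runtime, non-root user.
GOOD_DOCKERFILE = """\
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, lint_dockerfile(df) or "no findings")
```

A check like this belongs in the pipeline stage before the image is promoted, next to the vulnerability scan the explanation describes: the scanner finds known CVEs in what is installed, while the lint catches the build choices that make an image risky regardless of its CVE count.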

143
MCQmedium

A company is concerned about ransomware and insider tampering with backups. It wants daily restore points, monthly archives, and protection if a backup drive is stolen from the storage room. Which backup design is the best answer?

A.Store all backups on a shared file server so administrators can restore them quickly.
B.Use encrypted, immutable backups with an offline or offsite copy and defined retention periods.
C.Keep only the most recent snapshot to reduce storage cost and simplify recovery.
D.Rely on RAID mirroring because it automatically creates a secure archival copy.
AnswerB

Encryption protects confidentiality, immutability resists tampering, and offline or offsite copies improve resilience against theft and ransomware.

Why this answer

Option B is correct because encrypted, immutable backups prevent ransomware from encrypting or modifying backup data, and an offline or offsite copy protects against physical theft of the backup drive. Defined retention periods satisfy the daily restore points and monthly archives requirement, while immutability ensures backup integrity even if an attacker gains access to the backup system.

Exam trap

The trap here is that candidates often confuse high-availability features like RAID with backup security, or assume that network-accessible storage is sufficient, failing to recognize that immutability and offline/offsite copies are essential for ransomware and theft protection.

How to eliminate wrong answers

Option A is wrong because storing backups on a shared file server exposes them to the same ransomware and insider threats as the production environment, and it lacks immutability or offline protection. Option C is wrong because keeping only the most recent snapshot eliminates the ability to restore from daily restore points or monthly archives, violating the stated requirements. Option D is wrong because RAID mirroring provides high availability and redundancy against disk failure, but it does not create immutable or offline copies, nor does it protect against ransomware encryption or theft of the backup drive.

144
Multi-Selectmedium

A security architect is designing a multi-tier web application that must meet strict compliance requirements for data confidentiality and integrity. Which three of the following security architecture principles should be applied? (Choose three.)

Select 3 answers
A.Implement defense in depth by layering multiple security controls.
B.Place the web server, application server, and database server on the same subnet for efficiency.
C.Use network segmentation to isolate the database tier from direct internet access.
D.Grant all users the same level of access to simplify administration.
E.Apply the principle of least privilege to service accounts and user roles.
F.Rely solely on a single firewall at the network perimeter for protection.

Why this answer

Defense in depth is correct because it mandates layering multiple security controls (e.g., firewalls, IDS/IPS, encryption, access controls) so that if one control fails, others still protect the data. This directly supports strict compliance requirements for confidentiality and integrity by avoiding a single point of failure.

Exam trap

The trap here is that candidates often confuse 'efficiency' with 'security' and choose the same-subnet option, forgetting that compliance requires isolation between tiers to prevent easy lateral movement after a breach.

145
Multi-Selectmedium

A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.

Select 2 answers
A.Set up MFA, conditional access, and user-role assignments for tenant accounts.
B.Patch the SaaS application's source code on the provider's servers.
C.Decide what customer data is entered into the service and how it is shared.
D.Replace the provider's hypervisors with company-owned hardware.
E.Maintain the provider's network firewalls and datacenter cooling systems.
AnswersA, C

Identity governance, MFA, and tenant permissions remain customer responsibilities in SaaS environments.

Why this answer

Option A is correct because in a SaaS model, the customer retains responsibility for securing their tenant accounts, including configuring multi-factor authentication (MFA), conditional access policies, and role-based access control (RBAC) for users. These are identity and access management (IAM) controls that the provider cannot enforce on behalf of the customer, as they depend on the customer's specific user directory and security policies.

Exam trap

The trap here is that candidates confuse the SaaS model with IaaS or PaaS, mistakenly thinking the customer is responsible for patching the application or infrastructure, when in fact the customer's duties are limited to account and data governance.

146
MCQmedium

The help desk can patch endpoints only after testing on a few pilot systems because one legacy app sometimes breaks after updates. What patching approach is most secure and least disruptive?

A.Apply updates to a small pilot group first, then roll them out in stages to the rest of the fleet.
B.Wait until all applications are fully modernized before installing any security updates.
C.Patch every endpoint immediately at the same time without testing to reduce management overhead.
D.Disable automatic updates permanently and patch only after a confirmed incident.
AnswerA

A phased rollout limits the chance of widespread breakage while still moving systems toward current security fixes.

Why this answer

Option A is correct because it follows a phased rollout strategy: testing on a small pilot group first validates compatibility with the legacy app, then staged deployment minimizes disruption while ensuring security patches are applied promptly. This balances the need for security updates with the operational requirement to avoid breaking critical legacy software.

Exam trap

The trap here is that candidates may choose immediate patching (Option C) thinking speed is always best for security, ignoring the real-world need for compatibility testing to prevent operational disruption.

How to eliminate wrong answers

Option B is wrong because waiting for full modernization leaves endpoints vulnerable to known exploits indefinitely, violating the principle of timely patch management. Option C is wrong because immediate, untested patching risks breaking the legacy app across the entire fleet, causing widespread disruption and potential data loss. Option D is wrong because disabling automatic updates and patching only after an incident creates a reactive security posture, leaving systems exposed to attacks that could have been prevented.

147
MCQmedium

A Linux server is being prepared for production as a database host. The build team notices that a graphical desktop environment, an unused FTP service, and an open mail submission port are present on the image, even though none of them are required. The organization wants future builds to be consistent and easy to verify. What is the best approach?

A.Leave the image unchanged so troubleshooting remains easier for administrators.
B.Use the image only for development and skip security review for production.
C.Create and enforce a hardened build standard that removes unnecessary services and ports, then validate future servers against it.
D.Add another firewall rule set and keep every installed service in place.
AnswerC

A hardened build standard defines exactly which services, packages, and ports are allowed on the server. Removing the graphical environment, FTP service, and unnecessary mail port reduces the attack surface. Validating future systems against the standard also makes the build repeatable and helps identify drift quickly.

Why this answer

Option C is correct because it establishes a hardened baseline configuration that removes unnecessary services (e.g., FTP on port 21) and closes unused ports (e.g., mail submission port 587), ensuring consistency and simplifying verification. This aligns with the principle of minimizing attack surface by disabling all non-essential components before production deployment. A hardened build standard also enables automated compliance checks (e.g., using CIS benchmarks or OpenSCAP) to validate future servers against the defined secure state.

Exam trap

The trap here is that candidates may think leaving the image unchanged aids troubleshooting (Option A), but in security architecture, consistency and minimal attack surface always take precedence over convenience, and a hardened standard is the only way to ensure repeatable, verifiable builds.

How to eliminate wrong answers

Option A is wrong because leaving the image unchanged with a graphical desktop, unused FTP service, and open mail submission port increases the attack surface and violates the principle of least functionality, making security audits more difficult rather than easier. Option B is wrong because using the image only for development and skipping security review for production introduces unnecessary risk; production systems must undergo security review regardless of their origin, and development images often contain insecure defaults that should not be promoted without hardening.
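One way to validate a server against a hardened build standard, as an added Python example that is not part of the original page: the baseline below is constructed for this example (a real one would come from the organization's standard or a CIS benchmark) and lists the packages a database host must not carry and the only ports allowed to listen. The check compares it against an installed-package list and the output of `ss -ltn`. The sample package list and socket listing are constructed to resemble the unhardened image in the question.

```python
import re
from typing import Dict, Iterable, Set

# Constructed build standard for a database host.
BASELINE: Dict[str, Set] = {
    "forbidden_packages": {"vsftpd", "xserver-xorg", "gnome-shell", "telnetd"},
    "allowed_listen_ports": {22, 5432},   # SSH for management, PostgreSQL for the application tier
}

# Matches an 'ss -ltn' data row: State Recv-Q Send-Q Local-Address:Port ...
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def listening_ports(ss_output: str) -> Set[int]:
    """Extract listening TCP ports from 'ss -ltn' output (IPv4, IPv6 and wildcard forms)."""
    ports: Set[int] = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            ports.add(int(m.group(2)))
    return ports


def check_baseline(packages: Iterable[str], ss_output: str, baseline: Dict[str, Set] = BASELINE) -> dict:
    """Report drift from the build standard: forbidden packages present and unexpected listeners."""
    extra_pkgs = sorted(set(packages) & baseline["forbidden_packages"])
    extra_ports = sorted(listening_ports(ss_output) - baseline["allowed_listen_ports"])
    return {
        "forbidden_packages_present": extra_pkgs,
        "unexpected_listen_ports": extra_ports,
        "compliant": not extra_pkgs and not extra_ports,
    }


# Constructed inventory of the unhardened image: desktop environment, FTP daemon, mail submission port.
SAMPLE_PACKAGES = ["postgresql-15", "openssh-server", "vsftpd", "gnome-shell", "xserver-xorg", "postfix"]
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      100    127.0.0.1:587      0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

# Constructed inventory after the build standard has been applied.
HARDENED_PACKAGES = ["postgresql-15", "openssh-server"]
HARDENED_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
"""

if __name__ == "__main__":
    print("before:", check_baseline(SAMPLE_PACKAGES, SAMPLE_SS))
    print("after: ", check_baseline(HARDENED_PACKAGES, HARDENED_SS))
```

Running the same check on every new build, and again on a schedule, is what turns the standard into something verifiable: the report flags the FTP and mail listeners even though postfix itself is not on the forbidden list, so drift shows up whether it arrives as a package or as a service that was merely left enabled.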

148
MCQeasy

A company moves a Linux server to infrastructure as a service (IaaS). Which task remains the customer's responsibility?

A.Patching the guest operating system and installed applications.
B.Replacing failed power supplies in the data center.
C.Maintaining the hypervisor on the host system.
D.Building and securing the provider's network backbone.
AnswerA

This is the best answer because in IaaS the customer still manages the guest operating system and the software running on it. The cloud provider handles the underlying physical infrastructure, but the customer is responsible for keeping the VM patched and hardened. That distinction is a key part of the shared responsibility model.

Why this answer

In an IaaS model, the cloud provider manages the physical infrastructure, hypervisor, and network backbone, while the customer retains responsibility for securing and maintaining the guest operating system and any installed applications. This includes applying security patches, updating software, and configuring the OS-level firewall. For a Linux server, the customer must run commands like `apt update && apt upgrade` or `yum update` to patch the OS and manage application dependencies.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, assuming the provider patches the OS, but in IaaS the customer retains full control and responsibility for the guest operating system and applications.

How to eliminate wrong answers

Option B is wrong because replacing failed power supplies in the data center is the responsibility of the IaaS provider, who manages the physical hardware and facility infrastructure. Option C is wrong because maintaining the hypervisor on the host system is the provider's duty under IaaS, as the hypervisor is part of the virtualization layer that the customer does not control. Option D is wrong because building and securing the provider's network backbone is entirely the provider's responsibility; the customer only manages virtual networks and security groups within their tenant.

149
Multi-Selectmedium

Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.

Select 2 answers
A.Create separate local usernames and passwords in each application for every employee.
B.Use federation so the SaaS apps trust the company's identity provider.
C.Store passwords in a shared vault and let users retrieve them when needed.
D.Automate account provisioning and deprovisioning from HR changes with SCIM or an equivalent feed.
E.Allow the mobile app to authenticate only from remembered devices, without central identity controls.
AnswersB, D

Federation centralizes authentication at the corporate identity provider and reduces separate credential stores.

Why this answer

Federation (B) allows the SaaS portal, mobile app, and internal API to trust a single corporate identity provider (IdP) using standards like SAML 2.0 or OIDC. This gives employees one set of credentials, reduces password reuse, and enables centralized control. When HR terminates a user, the IdP can revoke access instantly, affecting all federated applications.

Exam trap

The trap here is that candidates often think federation alone solves all identity lifecycle problems, but the question explicitly requires automated removal of access, which demands a provisioning protocol like SCIM in addition to federation.

150
MCQeasy

A company is placing its public web server so internet users can reach it, but the database server must stay hidden from the internet and be reachable only by the web server. Which design best supports this goal?

A.Put both servers on the same flat internal network
B.Place the web server in a DMZ and keep the database server on the internal network
C.Put the database server in the DMZ and the web server on the internal network
D.Disable the firewall so the web server can communicate freely with all hosts
AnswerB

A DMZ is designed for internet-facing systems, while the database remains on a more trusted internal segment.

Why this answer

Option B is correct because it uses a DMZ (demilitarized zone) to isolate the public-facing web server from the internal network. The web server in the DMZ is accessible from the internet, while the database server remains on the internal network, reachable only by the web server through a firewall rule that permits traffic on the specific database port (e.g., TCP 3306 for MySQL). This layered security design prevents direct internet access to sensitive data.

Exam trap

The trap here is that candidates may think placing the database server in the DMZ is acceptable because it is 'protected' by a firewall, but they overlook that the DMZ is still accessible from the internet, making the database directly reachable and violating the requirement to keep it hidden.

How to eliminate wrong answers

Option A is wrong because placing both servers on the same flat internal network exposes the database server to the internet if the web server is compromised, as there is no network segmentation to restrict lateral movement. Option C is wrong because putting the database server in the DMZ and the web server on the internal network would expose the database directly to the internet, defeating the goal of hiding it, and would require the web server to initiate outbound connections to the DMZ, which is less secure and more complex to manage.
