CCNA Security Architecture Questions

71 of 221 questions · Page 3/3 · Security Architecture topic

151
MCQ · medium

A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?

A. Place both the web server and database in the same internal subnet and rely on host firewalls.
B. Place the web server in a DMZ and keep the database in a private internal subnet with only required application traffic allowed.
C. Place the database in the DMZ so the web server can query it directly without internal routing.
D. Keep both systems public but restrict access with NAT and strong administrator passwords.
Answer: B

This separates the internet-facing system from the sensitive backend. The DMZ limits exposure of the web server, while the database remains inaccessible from external networks and is reachable only over tightly filtered application ports from the web tier.

Why this answer

Option B is correct because it implements a layered security architecture: the web server resides in a DMZ (demilitarized zone) where it is reachable from the internet, while the database is placed in a private internal subnet with strict firewall rules that only allow the required application traffic (e.g., TCP port 3306 for MySQL or 1433 for MSSQL) from the web server. This ensures the database is never directly exposed to external or general user traffic, reducing the attack surface and preventing direct internet-based attacks on the database.

Exam trap

The trap here is that candidates may think host firewalls are sufficient for internal subnet isolation (Option A) or mistakenly believe placing the database in the DMZ simplifies routing (Option C), overlooking the fundamental security principle of defense in depth and the need to keep sensitive data stores off the internet-facing network.

How to eliminate wrong answers

Option A is wrong because placing both the web server and database in the same internal subnet exposes the database to any compromise of the web server or any internal host, and host firewalls alone are insufficient to prevent lateral movement or internal scanning. Option C is wrong because placing the database in the DMZ directly exposes it to the internet, defeating the purpose of isolation and making it vulnerable to direct attacks from external sources.

152
MCQ · medium

In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?

A. Microsegmentation with policy rules applied per workload or per VM
B. Expanding the subnet mask so all workloads are easier to reach
C. Creating a shared administrator account for all virtual machines
D. Disabling DHCP and forcing every VM to use a static IP address
Answer: A

Microsegmentation creates fine-grained trust boundaries between workloads, even when they share the same subnet or host. This limits east-west traffic and reduces the ability of a compromised VM to discover or attack neighboring systems. It is the most direct control for this risk.

Why this answer

Microsegmentation allows granular security policies to be applied per workload or per VM, even within the same subnet and on the same hypervisor. By enforcing firewall rules at the virtual switch or hypervisor level, it prevents a compromised payroll VM from scanning or communicating laterally with other VMs on the same host, directly addressing the lateral-movement risk.

Exam trap

The trap here is that candidates often confuse subnetting or IP addressing changes (like expanding the subnet mask or using static IPs) with actual network security controls, failing to realize that only policy-based segmentation at the hypervisor or virtual switch layer can block lateral traffic within the same broadcast domain.

How to eliminate wrong answers

Option B is wrong because expanding the subnet mask (e.g., from /24 to /16) actually increases the broadcast domain and makes more IP addresses reachable, which would facilitate lateral movement rather than prevent it. Option C is wrong because creating a shared administrator account for all VMs would reduce accountability and provide an attacker with a single set of credentials to compromise all workloads, increasing lateral-movement risk. Option D is wrong because disabling DHCP and forcing static IPs does not restrict network communication between VMs; it only changes how IP addresses are assigned, leaving all traffic unblocked and the VM free to scan the subnet.

153
Multi-Select · easy

A company wants employees to use their normal login from managed devices but require extra verification when they sign in from an unmanaged laptop or a new location. Which two controls should the team use? Select two.

A. Conditional access
B. Multi-factor authentication
C. DNS filtering
D. Disk encryption
Answers: A, B

Conditional access lets the organization change sign-in rules based on device, location, or risk. It is the best control for requiring different access conditions in different situations.

Why this answer

Conditional access (A) is correct because it allows the company to define policies that grant or block access based on conditions such as device compliance (managed vs. unmanaged) and location (trusted vs. new). Multi-factor authentication (B) is correct because it provides the extra verification step required when the conditional access policy detects an unmanaged laptop or a new location, ensuring the user proves their identity beyond just a password.

Exam trap

The trap here is that candidates often pick MFA alone, forgetting that MFA is only enforced when a conditional access policy triggers it based on device or location conditions, so both controls are needed together.

154
Multi-Select · medium

A customer portal must keep serving users if one application server fails and also remain available if the primary site becomes unreachable. Management prefers automatic recovery over manual intervention. Which two design choices best satisfy the goal? Select two.

A. Deploy multiple application servers behind a load balancer across separate availability zones.
B. Use a single high-end server with RAID 10 and a larger power supply.
C. Keep only nightly backups and restore manually after an outage.
D. Store the database on a local disk array attached to the primary server.
E. Replicate the database to a standby site with automatic failover.
Answers: A, E

Load balancing across multiple instances removes the single server failure point and supports automatic failover.

Why this answer

Deploying multiple application servers behind a load balancer across separate availability zones (A) provides redundancy at the application tier: if one server fails, traffic is automatically redirected to healthy servers. Replicating the database to a standby site with automatic failover (E) ensures that if the primary site becomes unreachable, the database can be promoted to active without manual intervention, meeting the requirement for automatic recovery.

Exam trap

CompTIA often tests the misconception that hardware redundancy (like RAID 10) alone is sufficient for high availability, but it ignores site-level failures and automatic recovery requirements.

155
Multi-Select · medium

A team deploys a Linux virtual machine in IaaS and stores documents in a managed cloud object storage service. The provider secures datacenters, hardware, and the storage platform, but the organization still wants to reduce exposure. Which two tasks remain the organization's responsibility? Select two.

A. Patch and harden the Linux virtual machine operating system.
B. Replace the provider's datacenter controls with a customer-owned firewall appliance.
C. Assume the provider will apply tenant-specific application permissions automatically.
D. Configure IAM roles, bucket policies, and least-privilege access for the customer's resources.
E. Rely on the cloud provider to classify the company's documents for compliance.
Answers: A, D

In IaaS, the customer still manages the guest OS and must reduce vulnerabilities on the VM itself.

Why this answer

Option A is correct because in an IaaS model, the customer is responsible for securing the operating system of the virtual machine, including applying patches and hardening configurations. The cloud provider secures the underlying hypervisor and physical infrastructure, but the customer must manage the OS-level security controls.

Exam trap

The trap here is that candidates often assume the cloud provider handles all security for managed services, but the shared responsibility model clearly places OS patching and access control configuration on the customer, even for IaaS and object storage.

156
MCQ · medium

A regulated workload must run in the cloud with the strongest possible isolation from other tenants, and the company wants to avoid managing its own physical hardware. Which placement is the best fit?

A. Use a dedicated host so the underlying hardware is allocated to one customer only.
B. Use a shared tenancy instance with tighter security groups and a private subnet.
C. Move the workload into a public subnet so the provider can inspect traffic more easily.
D. Use a container within a shared platform because containers always isolate tenants completely.
Answer: A

A dedicated host provides the highest level of tenant isolation without requiring the organization to own or maintain the physical server. It is a strong fit for regulated workloads where the business wants reduced sharing at the hardware layer.

Why this answer

A dedicated host provides the strongest possible isolation by ensuring that the physical server is not shared with any other tenant. This meets the requirement for a regulated workload without the company managing its own hardware, as the cloud provider still handles maintenance and patching.

Exam trap

The trap here is that candidates often confuse logical isolation (like security groups or private subnets) with physical isolation, assuming that network controls alone satisfy the requirement for the strongest possible isolation from other tenants.

How to eliminate wrong answers

Option B is wrong because shared tenancy instances, even with tighter security groups and a private subnet, still share the underlying physical hardware with other tenants, which does not meet the requirement for the strongest possible isolation. Option C is wrong because moving the workload into a public subnet exposes it directly to the internet and does not enhance isolation; the provider inspecting traffic does not prevent resource sharing at the hardware level.

157
MCQ · medium

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

A. Use server-side encryption with a cloud-managed key (SSE-S3) and restrict access with bucket policies.
B. Use client-side encryption with a customer-managed key stored in a hardware security module (HSM) and restrict access with IAM roles.
C. Use default encryption with a cloud-managed key (SSE-S3) and enable bucket logging.
D. Use server-side encryption with a customer-provided key (SSE-C) and require MFA for delete operations on the bucket.
Answer: B

Client-side encryption encrypts the data before it is uploaded, so the cloud provider never sees plaintext. The customer retains sole control of the encryption key in an HSM. Even if the bucket is made publicly accessible, an attacker can only retrieve encrypted ciphertext, which is indecipherable without the key. This provides the strongest defense in depth against accidental public exposure.

Why this answer

Option B is correct because client-side encryption ensures data is encrypted before it ever leaves the client, so even if the bucket is accidentally made publicly accessible, the ciphertext remains unreadable without the customer-managed key stored in the HSM. This provides defense in depth by combining encryption at the application layer with IAM role restrictions, which control access at the AWS API level. Server-side encryption alone (as in the other options) only protects data at rest on the server side, leaving it vulnerable if the bucket policy or ACLs are misconfigured to allow public read access.

Exam trap

The trap here is that candidates often assume server-side encryption (SSE) alone is sufficient to protect data in a publicly accessible bucket, but they overlook that SSE only protects data at rest on the server side: the service decrypts SSE-protected objects transparently for any requester that is permitted to read them, so it does nothing to stop an authorized (or public) user from downloading the plaintext.

How to eliminate wrong answers

Option A is wrong because server-side encryption with SSE-S3 encrypts data at rest on the server side, but if the bucket is publicly accessible, the decryption keys are managed by AWS and the encrypted objects can still be retrieved by anyone who can read the bucket; the encryption does not prevent unauthorized viewing of the data once the object is downloaded. Option C is wrong because default encryption with SSE-S3 similarly only protects data at rest, and bucket logging merely records access events—it does not prevent unauthorized viewing of the data if the bucket is misconfigured as public. Option D is wrong because server-side encryption with SSE-C encrypts data at rest using a customer-provided key, but if the bucket is publicly accessible, an attacker who can read the bucket can still download the encrypted objects and, if they also obtain the SSE-C key (e.g., via a separate breach), decrypt them; requiring MFA for delete operations does not protect against unauthorized read access.
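To make the difference between the options concrete, the following added example (not part of the question bank, and not any provider's API) models a bucket as an in-memory map and uploads one constructed secret twice: once the SSE way, where plaintext reaches the service and is encrypted under a key the service holds, and once the option B way, where the client encrypts under its own key first. It then reads both objects back the way an anonymous caller would after the bucket is accidentally made public. AES-256-GCM is the cipher chosen for the example; the customer-managed key is simply held in memory here, standing in for the HSM the question describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// randomBytes draws from the system CSPRNG and panics if it is unavailable,
// which is not a condition this example can recover from.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or a tampered ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// ServiceRead models a GET against a bucket that has been made public. The
// service holds the SSE key, so an SSE object is decrypted for whoever is
// allowed to read it; a client-encrypted object is returned exactly as stored.
func ServiceRead(sseKey, stored []byte, sseEncrypted bool) ([]byte, error) {
	if sseEncrypted {
		return Open(sseKey, stored)
	}
	return stored, nil
}

// Exposure uploads one secret both ways into a constructed in-memory "bucket",
// then reads both objects back as an anonymous caller would after the bucket
// is accidentally made public. It reports whether each read yields the secret
// and whether the customer's key still recovers the client-encrypted copy.
func Exposure(secret []byte) (sseLeaks, clientLeaks, ownerReads bool, err error) {
	sseKey := randomBytes(32)    // the cloud-managed key of SSE-S3
	clientKey := randomBytes(32) // the customer-managed key; in practice it lives in the HSM
	bucket := map[string][]byte{}

	// SSE path (options A and C): plaintext leaves the client, the service encrypts at rest.
	if bucket["customers.csv"], err = Seal(sseKey, secret); err != nil {
		return
	}
	// Client-side path (option B): encrypted before upload, the service only ever stores ciphertext.
	if bucket["customers.csv.enc"], err = Seal(clientKey, secret); err != nil {
		return
	}

	// Bucket accidentally public: anonymous reads of both objects.
	sseView, err := ServiceRead(sseKey, bucket["customers.csv"], true)
	if err != nil {
		return
	}
	cseView, err := ServiceRead(sseKey, bucket["customers.csv.enc"], false)
	if err != nil {
		return
	}
	recovered, err := Open(clientKey, cseView) // only the key holder can do this
	return bytes.Equal(sseView, secret), bytes.Contains(cseView, secret), bytes.Equal(recovered, secret), err
}
```

Running Exposure on any input returns sseLeaks = true, clientLeaks = false and ownerReads = true: the public read of the SSE object hands back plaintext because the service decrypts for any permitted reader, while the client-encrypted object yields only ciphertext that neither the public nor the provider can open without the customer's key.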

158
MCQ · medium

A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?

A. Create separate local usernames in the expense app and synchronize passwords weekly.
B. Implement federated single sign-on and automated user provisioning and deprovisioning.
C. Require a VPN connection before users can open the expense app.
D. Use a shared generic account for all employees and rotate the password monthly.
Answer: B

Federation provides single sign-on with corporate credentials, and automated lifecycle sync removes access promptly when status changes.

Why this answer

Federated single sign-on (SSO) allows users to authenticate once using their corporate identity (e.g., via SAML or OIDC), and automated provisioning/deprovisioning (often via SCIM) ensures that when an employee is terminated in the HR system, their access to the expense app is automatically revoked. This meets both requirements: seamless sign-in and immediate loss of access upon termination.

Exam trap

The trap here is that candidates may think VPN or password synchronization provides adequate access control, but they fail to recognize that only federated SSO combined with automated provisioning/deprovisioning ensures both seamless authentication and immediate revocation tied to the corporate identity lifecycle.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and synchronizing passwords weekly does not provide single sign-on (users still need separate credentials) and weekly sync introduces a delay, so terminated employees could retain access for up to a week. Option C is wrong because requiring a VPN connection controls network access but does not address authentication or automated deprovisioning; a terminated employee could still sign in if their credentials are valid. Option D is wrong because a shared generic account violates the principle of individual accountability, cannot tie access to a specific employee's termination, and monthly password rotation does not automatically revoke access upon termination.

159
MCQ · medium

An HR portal has three job functions: HR staff update employee records, managers approve leave requests, and payroll views salary data. The security team wants to prevent any one role from having all capabilities. Which access design is the best fit?

A. Use a single superuser account for the entire department so tasks can be completed quickly.
B. Create role-based access groups aligned to each job function and grant only the permissions needed for that role.
C. Give every employee access to all portal features and depend on audit logs to catch mistakes later.
D. Require the payroll team to share one common password and use it only from the office network.
Answer: B

Role-based access control is the right design because it maps permissions to job responsibilities. HR, managers, and payroll each receive only the access they need, which supports separation of duties and makes access reviews easier. It also reduces the chance that one user or one account can perform every sensitive action in the portal.

Why this answer

Role-based access control (RBAC) is the correct design because it enforces the principle of least privilege by granting each job function only the permissions necessary for its tasks. This prevents any single role from accumulating all capabilities (e.g., HR staff cannot approve leave or view salary data), directly addressing the security team's requirement to separate duties. RBAC aligns with NIST SP 800-53 AC-6 and is a standard access control model for multi-role enterprise applications.

Exam trap

The trap here is that candidates may confuse 'role-based access control' with 'discretionary access control' (DAC) or think that audit logs alone are sufficient for security, but the SY0-701 exam emphasizes that preventive controls (like RBAC) are superior to detective controls (like logging) for enforcing separation of duties.

How to eliminate wrong answers

Option A is wrong because a single superuser account violates separation of duties and least privilege, granting all capabilities to one user and increasing the risk of insider threats or credential compromise. Option C is wrong because giving every employee full access to all portal features removes all access controls, making the system reliant solely on audit logs for detection rather than prevention, which is a security anti-pattern. Option D is wrong because shared passwords eliminate non-repudiation and accountability, and restricting access by network location (e.g., office network) does not prevent a single role from having all capabilities; it only adds a weak perimeter control.

160
MCQ · medium

An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?

A. Role-based access control with separate groups mapped to each business function.
B. A single shared admin account so all tasks can be completed quickly.
C. Mandatory access control with all users assigned the same clearance level.
D. Local account creation on the portal for each user, with permissions assigned manually one by one.
Answer: A

RBAC fits business duties well and keeps access aligned to job functions instead of individual exceptions.

Why this answer

Option A is correct because Role-Based Access Control (RBAC) allows the engineer to define three distinct roles (HR staff, managers, payroll) with granular permissions mapped to specific business functions, ensuring no single user inherits all privileges. This model enforces the principle of least privilege by separating duties across groups, preventing any user from having full access to the portal's sensitive operations.

Exam trap

The trap here is that candidates may confuse RBAC with MAC or DAC, assuming that any access control model can enforce separation of duties, but only RBAC with distinct role groups directly addresses the requirement of mapping business functions to permissions without granting overlapping privileges.

How to eliminate wrong answers

Option B is wrong because a single shared admin account violates the principle of least privilege and separation of duties, as it would grant all three functions to anyone using the account, making auditing and accountability impossible. Option C is wrong because Mandatory Access Control (MAC) with all users assigned the same clearance level would not differentiate between HR, managers, and payroll functions; MAC relies on labels and clearances, not job roles, so it cannot enforce the required separation of business functions. Option D is wrong because local account creation with manual permissions is not scalable, introduces administrative overhead, and lacks the centralized, role-based grouping needed to enforce consistent separation of duties across the portal.
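Questions 159 and 160 both describe the same RBAC design, so one added example serves both (it is illustrative code written for this page, not part of the question bank). It maps the three business functions to roles, attaches permissions only to roles, and enforces the stated separation-of-duties rule at assignment time: a grant that would leave one user holding all three functions is refused and rolled back. Role names, permission strings and user names are constructed; the rule as coded blocks only the full set of three, matching the question's wording, and a stricter pairwise conflict matrix would be a straightforward extension.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// The three portal capabilities from the question, as permission strings.
const (
	EditRecords  = "employee_records:edit"
	ApproveLeave = "leave_requests:approve"
	ViewSalary   = "salary_data:view"
)

// roles maps each business function to exactly the permissions it needs.
// Role names are constructed for this example.
var roles = map[string][]string{
	"hr_staff": {EditRecords},
	"manager":  {ApproveLeave},
	"payroll":  {ViewSalary},
}

// sodSet is the separation-of-duties constraint from the question: no single
// user may end up holding all of these functions at once.
var sodSet = []string{"hr_staff", "manager", "payroll"}

// Portal tracks role assignments. Permissions are never attached to users
// directly, only through roles, which is what keeps access reviews tractable.
type Portal struct {
	assignments map[string]map[string]bool // user -> set of role names
}

func NewPortal() *Portal {
	return &Portal{assignments: map[string]map[string]bool{}}
}

// Assign grants a role, refusing unknown roles and any assignment that would
// leave the user holding the complete conflicting set.
func (p *Portal) Assign(user, role string) error {
	if _, ok := roles[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	if p.assignments[user] == nil {
		p.assignments[user] = map[string]bool{}
	}
	p.assignments[user][role] = true
	if p.holdsAll(user, sodSet) {
		delete(p.assignments[user], role) // roll back the offending grant
		return errors.New("separation of duties: user would hold every conflicting function")
	}
	return nil
}

func (p *Portal) holdsAll(user string, set []string) bool {
	for _, r := range set {
		if !p.assignments[user][r] {
			return false
		}
	}
	return true
}

// Can is the runtime authorization check: does any of the user's roles grant perm?
func (p *Portal) Can(user, perm string) bool {
	for r := range p.assignments[user] {
		for _, granted := range roles[r] {
			if granted == perm {
				return true
			}
		}
	}
	return false
}

// Permissions returns a user's effective permissions, sorted, for access reviews.
func (p *Portal) Permissions(user string) []string {
	seen := map[string]bool{}
	for r := range p.assignments[user] {
		for _, g := range roles[r] {
			seen[g] = true
		}
	}
	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

func main() {
	p := NewPortal()
	grants := [][2]string{{"alice", "hr_staff"}, {"bob", "manager"}, {"bob", "payroll"}, {"bob", "hr_staff"}}
	for _, g := range grants {
		if err := p.Assign(g[0], g[1]); err != nil {
			fmt.Printf("refused %s -> %s: %v\n", g[0], g[1], err)
		}
	}
	fmt.Println("alice can edit records:", p.Can("alice", EditRecords), "view salary:", p.Can("alice", ViewSalary))
	fmt.Println("bob effective permissions:", p.Permissions("bob"))
}
```

The preventive check lives in Assign rather than in an audit query, which is the distinction the exam trap draws between RBAC and relying on logs: a violating grant never takes effect, and Permissions gives reviewers the effective rights of any user without reading individual grants.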

161
MCQ · medium

Based on the exhibit, which wireless security change best addresses both unauthorized device access and the risk of a lost laptop connecting to corporate resources?

A. Increase the PSK length and rotate it every 30 days.
B. Move the SSID to WPA2-Enterprise or WPA3-Enterprise with 802.1X, device certificates, and MDM-based compliance checks.
C. Hide the SSID and enable MAC address filtering on the access points.
D. Keep the current wireless design and rely on a VPN client for all remote access.
Answer: B

Enterprise Wi-Fi uses individual authentication instead of a shared passphrase, so access can be tied to a specific user or device. Device certificates and MDM compliance checks strengthen control over enrolled endpoints and make it easier to revoke access for lost or noncompliant devices. This is the most secure and manageable architecture shown by the exhibit.

Why this answer

Option B is correct because WPA2-Enterprise or WPA3-Enterprise with 802.1X, device certificates, and MDM-based compliance checks provides mutual authentication and per-user, per-session encryption. This eliminates the risk of a lost laptop connecting to corporate resources (since device certificates can be revoked) and prevents unauthorized device access through certificate-based authentication and MDM compliance enforcement, unlike shared PSK which cannot be individually revoked.

Exam trap

The trap here is that candidates often think hiding the SSID or MAC filtering provides meaningful security, but these are easily bypassed and do not address revocation or per-device authentication, while PSK rotation seems proactive but fails to solve the lost-laptop revocation problem.

How to eliminate wrong answers

Option A is wrong because increasing PSK length and rotating it every 30 days still uses a shared pre-shared key, which cannot be individually revoked if a laptop is lost; any device with the current PSK can connect, and rotating the PSK requires reconfiguring all authorized devices, causing operational overhead. Option C is wrong because hiding the SSID and enabling MAC address filtering are trivial security measures: SSID hiding is easily defeated by passive monitoring (a hidden SSID is still sent in the clear in client probe requests and association frames), and MAC addresses can be spoofed, so neither prevents a lost laptop from connecting nor stops unauthorized devices. Option D is wrong because relying solely on a VPN client without changing the wireless security leaves the network open to unauthorized devices connecting directly to the wireless LAN; a lost laptop with VPN credentials could still connect to the corporate network via the wireless SSID before the VPN is established, and there is no per-device revocation mechanism.

162
Matching · easy

Match each traffic control to the best description.


Tracks connection state and allows return traffic for approved sessions

Allows or denies traffic using source, destination, port, and protocol rules without tracking sessions

Blocks traffic unless a rule explicitly permits it

Limits traffic moving between internal subnets or tiers

Why these pairings

ACLs filter based on IPs/ports; QoS prioritizes traffic; shaping controls rate; policing drops excess; NAT translates addresses; port security limits MACs per port.

163
MCQ · medium

A development team deploys a Linux web server on an IaaS cloud VM. The cloud provider secures the datacenter, hardware, and hypervisor. Which control remains the organization's responsibility?

A. Monitor physical badge access at the provider facility.
B. Apply OS patches and harden services running inside the virtual machine.
C. Replace the provider's network backbone with a private carrier circuit.
D. Ensure the hypervisor is updated before every release cycle.
Answer: B

In IaaS, the customer still manages the guest operating system and applications, including patching and hardening.

Why this answer

In an IaaS model, the provider handles the physical infrastructure, storage, networking foundation, and hypervisor layer. The customer remains responsible for what runs on the VM, including the guest operating system, services, configuration, and application patching. Hardening the server inside the VM is therefore the correct answer because it is one of the core customer responsibilities in this cloud model.

How to eliminate wrong answers

Physical badge access and hypervisor patching are provider duties in IaaS, so the customer cannot rely on those as their own control. Replacing the provider backbone is outside the scope of the customer's operational responsibility and is not how shared responsibility works. The question asks for the organization's remaining duty, which is securing the guest OS and its applications.

164
Multi-Select · medium

Which four of the following are key principles of secure network architecture design that help enforce defense-in-depth? (Choose four.)

A. Implementing a demilitarized zone (DMZ) for externally facing services
B. Segmenting internal networks using VLANs and firewalls
C. Using a single, unified security appliance at the network perimeter
D. Deploying network access control (NAC) to authenticate devices before granting access
E. Placing all servers on the same flat subnet for ease of management
F. Utilizing virtual private networks (VPNs) for secure remote access

Why this answer

Implementing a DMZ isolates externally facing services (e.g., web, email) from the internal network, ensuring that if an attacker compromises a public-facing server, they cannot directly pivot to internal resources. This is a foundational defense-in-depth layer that enforces traffic inspection and access controls between zones.

Exam trap

The trap here is that candidates often think a single perimeter appliance is sufficient for security, but CompTIA emphasizes that defense-in-depth requires multiple, diverse controls—not a single device—to avoid a single point of failure.

165
MCQ · medium

Based on the exhibit, which change best meets the requirement that guest devices can reach the internet but must not reach any internal subnets or printer VLANs?

A. Add more allow rules for the printer VLAN so guests can print without changing routing.
B. Move guests into a dedicated guest zone with outbound NAT and default-deny rules to internal networks.
C. Place guest and corporate devices on the same VLAN and rely on the wireless password for separation.
D. Allow guest traffic to reach internal DNS and DHCP servers across all RFC1918 subnets.
Answer: B

A dedicated guest zone with outbound-only internet access enforces least privilege and keeps guests isolated from internal VLANs.

Why this answer

Option B is correct because placing guest devices in a dedicated guest zone with outbound NAT allows them to access the internet while default-deny rules to internal subnets and printer VLANs enforce network segmentation. This approach uses firewall policies to explicitly block RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from guest traffic, ensuring no Layer 3 connectivity to internal resources.

Exam trap

The trap here is that candidates may think adding more allow rules (Option A) or using a shared VLAN with a password (Option C) provides sufficient isolation, but they fail to recognize that network-layer segmentation via dedicated zones and firewall rules is required to prevent guest-to-internal communication at both Layer 2 and Layer 3.

How to eliminate wrong answers

Option A is wrong because adding more allow rules for the printer VLAN would permit guest traffic to reach printers, directly violating the requirement that guests must not reach printer VLANs; it also does not address blocking access to other internal subnets. Option C is wrong because placing guest and corporate devices on the same VLAN eliminates Layer 2 segmentation, and relying solely on a wireless password provides no network-layer isolation, allowing guests to potentially communicate with corporate hosts via ARP or broadcast traffic. Option D is wrong because allowing guest traffic to internal DNS and DHCP servers across all RFC1918 subnets would create a pathway to internal networks, breaking the requirement that guests must not reach any internal subnets.
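The DMZ design of question 151 and the guest zone of question 165 are both instances of zone-based policy with an implicit default deny, so one added example covers both (written for this page; it is not the exhibit's configuration or any vendor's firewall syntax). It classifies addresses into zones, walks a first-match rule list that permits only the required traffic, and returns "default-deny" for everything else. The zone names, address ranges and ports are constructed; the three RFC 1918 prefixes are the ones named in the explanation above and are used to treat any other private address as internal.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one zone-to-zone policy entry. Proto "any" and DstPort 0 are
// wildcards. Zone names, address ranges and ports below are constructed for
// this example, not taken from either question's exhibit.
type Rule struct {
	Name    string
	SrcZone string
	DstZone string
	Proto   string
	DstPort uint16
	Action  string // "allow" or "deny"
}

// Flow is a single connection attempt to evaluate.
type Flow struct {
	Src, Dst netip.Addr
	Proto    string
	DstPort  uint16
}

// Named zones (hypothetical ranges). Any other RFC 1918 address is treated as
// generic "internal"; everything outside private space is "internet".
var zones = map[string]netip.Prefix{
	"dmz":      netip.MustParsePrefix("192.168.100.0/24"), // web front end
	"db":       netip.MustParsePrefix("10.10.20.0/24"),    // database tier
	"printers": netip.MustParsePrefix("10.10.30.0/24"),    // printer VLAN
	"guest":    netip.MustParsePrefix("172.16.50.0/24"),   // guest zone
}

var rfc1918 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// ZoneOf classifies an address; named zones take precedence over the generic classes.
func ZoneOf(a netip.Addr) string {
	for name, p := range zones {
		if p.Contains(a) {
			return name
		}
	}
	for _, p := range rfc1918 {
		if p.Contains(a) {
			return "internal"
		}
	}
	return "internet"
}

// Policy lists only the traffic the two designs require. Nothing grants
// internet->db, guest->internal or guest->printers, so those fall through.
var Policy = []Rule{
	{"web-from-internet", "internet", "dmz", "tcp", 443, "allow"},
	{"app-to-db", "dmz", "db", "tcp", 3306, "allow"},
	{"guest-to-internet", "guest", "internet", "any", 0, "allow"},
}

// Evaluate returns the action and name of the first matching rule, or
// ("deny", "default-deny") when nothing matches: the implicit deny that keeps
// the database off the internet and guests off every internal subnet.
func Evaluate(policy []Rule, f Flow) (action, rule string) {
	src, dst := ZoneOf(f.Src), ZoneOf(f.Dst)
	for _, r := range policy {
		if r.SrcZone != src || r.DstZone != dst {
			continue
		}
		if r.Proto != "any" && r.Proto != f.Proto {
			continue
		}
		if r.DstPort != 0 && r.DstPort != f.DstPort {
			continue
		}
		return r.Action, r.Name
	}
	return "deny", "default-deny"
}

// MustFlow builds a Flow from address literals; it panics on a malformed one.
func MustFlow(src, dst, proto string, port uint16) Flow {
	return Flow{netip.MustParseAddr(src), netip.MustParseAddr(dst), proto, port}
}

func main() {
	for _, f := range []Flow{
		MustFlow("203.0.113.5", "192.168.100.10", "tcp", 443), // internet -> web
		MustFlow("203.0.113.5", "10.10.20.5", "tcp", 3306),    // internet -> db
		MustFlow("192.168.100.10", "10.10.20.5", "tcp", 3306), // web -> db
		MustFlow("192.168.100.10", "10.10.20.5", "tcp", 22),   // web -> db ssh
		MustFlow("172.16.50.7", "198.51.100.20", "tcp", 443),  // guest -> internet
		MustFlow("172.16.50.7", "10.10.30.9", "tcp", 9100),    // guest -> printer
		MustFlow("172.16.50.7", "10.10.1.53", "udp", 53),      // guest -> internal DNS
	} {
		a, r := Evaluate(Policy, f)
		fmt.Printf("%-5s %-18s %s -> %s %s/%d\n", a, r, ZoneOf(f.Src), ZoneOf(f.Dst), f.Proto, f.DstPort)
	}
}
```

Two things are worth noticing when running it: the database is reachable only from the DMZ and only on the application port, so a web tier compromise still cannot open SSH to it, and the guest zone needs no explicit block rules for the printer VLAN or internal DNS because nothing in the list permits them.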

166
Multi-Select · hard

A company distributes update packages through a web portal. Users must verify the portal's identity over the network, and the downloaded packages must be trusted even if the web server is later compromised. Which two controls best satisfy these goals? Select two.

Select 2 answers
A. Use HTTPS with a certificate from a trusted certificate authority so users can validate the portal.
B. Use FTP over the internet because the credentialed login keeps the transfer secure enough.
C. Digitally sign the update packages so clients can verify integrity even if the web server is later compromised.
D. Publish a SHA-256 hash on the same download page and trust that the server will remain honest.
E. Use plain HTTP and rely on file permissions to protect the updates in transit.
Answers: A, C

HTTPS protects the connection in transit and lets clients validate that they are communicating with the expected portal through trusted certificate chains. That addresses the need to confirm the portal's identity over the network and prevents interception or modification by an attacker on the path.

Why this answer

HTTPS with a certificate from a trusted certificate authority (CA) allows the client to validate the web portal's identity by verifying the certificate's chain of trust and ensuring the domain name matches. This prevents man-in-the-middle attacks and confirms the server is legitimate before any data is exchanged.

Exam trap

The trap here is that candidates may think FTP with credentials is sufficient for identity verification, but FTP does not provide certificate-based server authentication, and the question specifically requires verifying the portal's identity over the network, which only HTTPS with a trusted CA certificate achieves.

167
MCQ · medium

Employees must sign in to several SaaS applications with corporate credentials, and terminated users should lose access quickly without manual changes in each app. Which solution best meets the requirement?

A. Create separate local usernames and passwords in each SaaS application.
B. Use federation for sign-on and automated provisioning and deprovisioning through an identity lifecycle process.
C. Require users to share one department password for each SaaS platform.
D. Store the same password in every application vault and sync it nightly.
Answer: B

Federation allows users to authenticate with the corporate identity provider, while automated provisioning helps create, update, and disable accounts across connected SaaS apps. This design supports single sign-on, faster offboarding, and centralized control over access lifecycle changes. It also reduces the risk of forgotten orphaned accounts remaining active after termination.

Why this answer

Federation enables single sign-on (SSO) using standards like SAML 2.0 or OIDC, allowing users to authenticate once with corporate credentials across multiple SaaS apps. Automated provisioning and deprovisioning via SCIM (System for Cross-domain Identity Management) ensures that when an employee is terminated, their access is revoked from all connected applications by the lifecycle process itself, without a manual change in each app, meeting the requirement for rapid access removal.

Exam trap

The trap here is that candidates may stop at single sign-on and overlook the automated provisioning and deprovisioning component that is essential for the 'lose access quickly' requirement, or pick a password-vaulting solution because it appears to centralize credentials.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in each SaaS app requires manual management for each account, making it impossible to quickly revoke access for terminated users across all apps without individual changes. Option C is wrong because sharing one department password violates the principle of least privilege and non-repudiation, as it prevents individual accountability and does not allow targeted revocation for a single terminated user. Option D is wrong because storing the same password in every application vault and syncing it nightly does not provide immediate access revocation; a terminated user could still authenticate until the next sync, and password reuse across apps increases security risk if one vault is compromised.

168
Multi-Selecthard

A virtualization host connects to an access switch through one Ethernet link. It must carry only VLAN 30 for production VMs and VLAN 40 for management VMs. A review finds the link currently accepts every VLAN, uses VLAN 1 as the native VLAN, and a guest VLAN can accidentally be added later. Which two changes best harden the design? Select two.

Select 2 answers
A.Prune the trunk so it carries only VLAN 30 and VLAN 40, not every possible VLAN.
B.Leave the trunk open to all VLANs so future changes require no switch updates.
C.Change the native VLAN to an unused ID to reduce VLAN-hopping and mis-tagging risk.
D.Keep VLAN 1 as the native VLAN because it is the vendor default and easiest to support.
E.Enable dynamic trunk negotiation on the host link so the virtualization server can discover VLANs automatically.
AnswersA, C

Limiting the trunk to the exact VLANs needed reduces the chance of accidental exposure or unauthorized traffic crossing the link. This is both a security and operational control because it makes the path easier to audit and less likely to carry unplanned networks. Trunk pruning is a straightforward hardening step for segmented environments.

Why this answer

Option A is correct because pruning the trunk to carry only VLANs 30 and 40 reduces the attack surface by preventing unauthorized VLANs (like a guest VLAN) from being accidentally added later. This aligns with the principle of least privilege for network segmentation, ensuring only necessary traffic traverses the link. Option C is also correct: frames in the native VLAN cross the trunk untagged, so leaving it at VLAN 1 means any untagged or mis-tagged frame from the host lands in a VLAN that is live everywhere on the switch by default, and it gives a double-tagged (VLAN-hopping) frame a tag to strip on the way through. Assigning an unused VLAN ID as the native VLAN removes that path. Option E is wrong for the same reason the current state is weak: dynamic negotiation lets whatever is plugged into the port, including a compromised virtualization host, negotiate trunk parameters. The trunk should be static with negotiation disabled.

Exam trap

The trap here is that candidates often assume keeping VLAN 1 as the native VLAN is acceptable because it is the default, but the SY0-701 exam emphasizes changing it to an unused ID to prevent VLAN hopping and mis-tagging risks.

169
MCQhard

Employees use a browser-based SaaS portal, a native expense app, and an internal API. The company wants one corporate identity, API access without separate passwords, and automatic account removal when HR disables a user. Which solution best fits?

A.Use LDAP binds directly against each application and manage local passwords separately.
B.Use OpenID Connect federation with OAuth 2.0 access tokens and SCIM provisioning.
C.Use shared local accounts in each application and sync passwords nightly from the directory.
D.Use Kerberos constrained delegation to each vendor tenant for every application.
AnswerB

OIDC handles modern sign-in across browser and mobile experiences, OAuth supports API access, and SCIM automates provisioning and deprovisioning.

Why this answer

OpenID Connect (OIDC) federation with OAuth 2.0 provides a single corporate identity (federated SSO), allows API access without separate passwords (using access tokens), and SCIM provisioning automates account removal when HR disables a user. This combination meets all three requirements: unified identity, passwordless API access, and lifecycle management.

Exam trap

The trap here is that candidates often confuse LDAP or Kerberos (directory protocols built for on-premises networks) with modern cloud federation, failing to recognize that OIDC + OAuth 2.0 + SCIM is the only combination offered that provides SSO, token-based API access, and automated provisioning for SaaS and native apps.

How to eliminate wrong answers

Option A is wrong because LDAP binds hand the user's directory password to every application and require local password handling in each one; they give no token for API access and no lifecycle hook comparable to SCIM for automatic account removal. Option C is wrong because shared local accounts with nightly password sync violate the requirement for a single corporate identity and do not enable API access without passwords; they also lack automatic provisioning/deprovisioning. Option D is wrong because Kerberos constrained delegation is designed for on-premises Windows environments and does not federate to browser-based SaaS or native apps, nor does it support SCIM-based lifecycle management.
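The two questions above (167 and 169) both hinge on the same point: federated sign-in stops new logins the moment the identity provider disables a user, but it does not by itself reach accounts or sessions that already exist inside each application, which is what SCIM deprovisioning adds. The following simulation is an added example, not code from the page or from any identity product. It assumes a hypothetical identity provider that issues a compact HS256 JWT, two hypothetical SaaS tenants that verify it with a shared key, and an in-memory stand-in for each tenant's SCIM `/Users` endpoint; the SCIM PATCH body follows the RFC 7644 shape.

```python
"""Added example: federated SSO plus SCIM deprovisioning, simulated offline.

The IdP, the two SaaS apps, the user and the signing key are all hypothetical;
the token is a minimal HS256 JWS built with the standard library only."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """Hypothetical IdP: authoritative user store, token issuer, SCIM client."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}      # username -> {"active": bool}
        self.apps = []       # SaaS apps registered for SCIM provisioning

    def register_app(self, app):
        self.apps.append(app)

    def create_user(self, username: str):
        self.users[username] = {"active": True}
        for app in self.apps:               # provisioning: account created everywhere
            app.scim_create(username)

    def issue_token(self, username: str, ttl: int = 3600, now=None) -> str:
        """Federated sign-in: only an active IdP user receives a token."""
        if not self.users.get(username, {}).get("active"):
            raise PermissionError("account disabled at IdP")
        now = int(time.time()) if now is None else now
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + ttl}).encode())
        sig = hmac.new(self.key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"

    def hr_disable(self, username: str) -> dict:
        """HR-driven offboarding: disable at the source, then push SCIM to every app."""
        self.users[username]["active"] = False
        patch = {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        }
        for app in self.apps:
            app.scim_patch(username, patch)
        return patch


class SaasApp:
    """Hypothetical SaaS tenant that trusts the IdP key and exposes SCIM /Users."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key
        self.accounts = {}   # username -> active flag, managed only through SCIM

    def scim_create(self, username: str):
        self.accounts[username] = True

    def scim_patch(self, username: str, patch: dict):
        for op in patch["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.accounts[username] = bool(op["value"])

    def verify_token(self, token: str, now=None) -> dict:
        """Check the signature and expiry; raise on any failure."""
        h, c, s = token.split(".")
        expected = hmac.new(self.idp_key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(c))
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:
            raise ValueError("token expired")
        return claims

    def authorize(self, token: str, now=None) -> bool:
        """A request passes only if the token is valid AND the SCIM-managed account is active."""
        try:
            claims = self.verify_token(token, now)
        except ValueError:
            return False
        return self.accounts.get(claims["sub"], False)


def offboarding_demo() -> dict:
    key = b"hypothetical-shared-signing-key"
    idp = IdentityProvider(key)
    expenses = SaasApp("expenses", key)
    crm = SaasApp("crm", key)
    idp.register_app(expenses)
    idp.register_app(crm)
    idp.create_user("alice")
    t0 = 1_700_000_000                       # fixed clock so the run is repeatable
    token = idp.issue_token("alice", ttl=3600, now=t0)
    before = expenses.authorize(token, now=t0 + 60)
    idp.hr_disable("alice")
    # Federation alone: the already-issued token is still cryptographically valid...
    still_verifies = expenses.verify_token(token, now=t0 + 60)["sub"] == "alice"
    # ...but SCIM flipped active=false in every app, so the request is refused.
    after = expenses.authorize(token, now=t0 + 60) or crm.authorize(token, now=t0 + 60)
    try:                                     # and a fresh sign-in fails at the IdP
        idp.issue_token("alice", now=t0 + 120)
        new_login = True
    except PermissionError:
        new_login = False
    return {"before": before, "token_still_verifies": still_verifies,
            "after": after, "new_login": new_login}
```

The `token_still_verifies` result is the practical reason the SCIM step matters: disabling the IdP account stops new sign-ins, but a token or session issued before the disable remains valid until it expires unless the application side is told, through SCIM or a revocation channel, that the account is gone.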

170
MCQeasy

A company needs a public website that anyone on the internet can reach, but the application and database servers must stay off the internet. Where should the web server be placed?

A.On the internal user network with the database server.
B.In a DMZ separated from the internal application and database networks.
C.On the same subnet as the firewall management interface.
D.Directly on the database subnet so performance is faster.
AnswerB

A DMZ is the best choice because it allows public access to the web server while keeping the application and database tiers behind additional security controls. If the web server is compromised, the attacker still has to cross another boundary to reach internal systems. This layered zoning is a standard architecture pattern for public-facing services and helps contain risk.

Why this answer

The web server must be placed in a DMZ (demilitarized zone) because this network segment is designed to host publicly accessible services while isolating them from internal networks. The DMZ allows inbound traffic from the internet to the web server, but the application and database servers remain on internal networks with strict firewall rules that block direct internet access, enforcing a layered security architecture.

Exam trap

The trap here is that candidates often confuse a DMZ with a 'public subnet' and think placing the web server directly on the internet-facing side of the firewall is sufficient, but a DMZ is a separate network segment with firewall policy on both sides: traffic from the internet to the web server and traffic from the web server toward the internal tiers are each filtered, so a compromised web server cannot move laterally into internal resources.

How to eliminate wrong answers

Option A is wrong because placing the web server on the internal user network with the database server would expose both to direct internet traffic, violating the requirement to keep application and database servers off the internet and creating a single point of compromise. Option C is wrong because the firewall management interface subnet is a highly restricted administrative network; placing a public web server there would expose management interfaces to attack and violate security best practices. Option D is wrong because placing the web server directly on the database subnet would allow internet traffic to reach the database server directly, bypassing the application layer and defeating the purpose of network segmentation.

171
MCQeasy

A company uses a SaaS file-sharing platform for employee documents. Which action is the company's responsibility, not the provider's?

A.Patching the vendor's application servers.
B.Setting user sharing permissions and access controls for company data.
C.Replacing failed disks in the provider's storage cluster.
D.Maintaining the cloud provider's identity center and hypervisor.
AnswerB

In a SaaS model, the provider manages the application and underlying infrastructure, but the customer remains responsible for how the service is used. That includes user provisioning, access permissions, sharing settings, and data handling decisions. Configuring who can see or edit documents is a customer duty because it directly affects the organization's confidentiality and compliance obligations.

Why this answer

In a SaaS model, the provider manages the underlying infrastructure, including application servers, storage, and hypervisors. The customer is responsible for configuring access controls and permissions for their own data within the application. Option B correctly identifies this shared responsibility boundary.

Exam trap

The trap here is that candidates often confuse the SaaS model with IaaS or PaaS, incorrectly assuming the customer is responsible for patching or hardware maintenance, when in fact the provider handles all infrastructure layers in SaaS.

How to eliminate wrong answers

Option A is wrong because patching the vendor's application servers is the provider's responsibility under the SaaS shared responsibility model, not the customer's. Option C is wrong because replacing failed disks in the provider's storage cluster is an infrastructure maintenance task owned by the SaaS provider. Option D is wrong because maintaining the cloud provider's identity center and hypervisor is part of the provider's responsibility for the underlying platform, not the customer's.

172
MCQmedium

Based on the exhibit, which network redesign would best limit lateral movement between user endpoints and building systems after a workstation compromise?

A.Move every device into a single flat subnet so internal routing is simpler.
B.Separate workstations, phones, badge readers, and cameras into different VLANs with ACLs or firewall rules between them.
C.Keep the design unchanged and rely on antivirus on the workstations to block access to the cameras.
D.Put all traffic through the guest Wi-Fi VLAN to isolate it from the corporate network.
AnswerB

Separating device classes into distinct VLANs creates clear trust boundaries and limits what a compromised endpoint can reach. Inter-VLAN ACLs or firewall rules can then enforce only the necessary traffic paths, such as management or service traffic. This reduces lateral movement from a workstation to sensitive building systems like cameras and badge readers.

Why this answer

Option B is correct because segmenting workstations, phones, badge readers, and cameras into separate VLANs with ACLs or firewall rules between them enforces segmentation between device classes. This prevents a compromised workstation from directly initiating lateral movement to building systems (e.g., cameras or badge readers) by restricting inter-VLAN traffic at Layer 3/4, limiting the blast radius of an attack.

Exam trap

The trap here is that candidates often think antivirus or a flat network simplifies management, but the SY0-701 exam specifically tests the principle of network segmentation to contain lateral movement, not just endpoint protection or network simplicity.

How to eliminate wrong answers

Option A is wrong because a single flat subnet removes all network segmentation, allowing any compromised endpoint to directly communicate with any other device (including building systems) via Layer 2 broadcast or unicast, which maximizes lateral movement risk. Option C is wrong because relying solely on antivirus on workstations does not block network-level access to cameras; antivirus is a host-based detection tool that cannot prevent a compromised workstation from sending malicious traffic to other IP addresses on the same subnet. Option D is wrong because putting all traffic through the guest Wi-Fi VLAN would isolate it from the corporate network, but it would also isolate building systems from necessary management traffic and does not provide granular segmentation between different device types; it also introduces performance and policy issues for non-Wi-Fi devices.

173
MCQmedium

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

A.A stateless network ACL that allows inbound traffic from the ALB's subnet only.
B.A stateful security group that allows inbound traffic from the ALB's security group only.
C.A web application firewall (WAF) that inspects all traffic for SQL injection.
D.A host-based firewall on each web server that allows traffic from the ALB's private IP address.
AnswerB

Correct. Security groups are stateful and can use another security group as a source. This configuration cleanly allows only traffic originating from the ALB, automatically handles return traffic, and is the recommended cloud-native approach for controlling instance-level access.

Why this answer

Option B is correct because a stateful security group in AWS can reference another security group as a source, allowing inbound traffic only from instances associated with the ALB's security group. This ensures that web servers accept traffic exclusively from the ALB, while the ALB itself can accept HTTP/HTTPS from the internet via its own security group rules. Stateful filtering automatically allows return traffic, simplifying rule management and meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse stateless network ACLs with stateful security groups, assuming a subnet-based ACL is sufficient, but they overlook that ACLs cannot filter by security group and require bidirectional rule management, making them unsuitable for this precise ALB-only access requirement.

How to eliminate wrong answers

Option A is wrong because a stateless network ACL requires explicit inbound and outbound rules, and referencing a subnet rather than a security group does not restrict traffic to only the ALB: any instance in that subnet could send traffic, violating the requirement. Additionally, stateless ACLs do not automatically allow return traffic, requiring separate outbound rules, which adds complexity and potential misconfiguration. Option C is wrong because a web application firewall (WAF) inspects application-layer traffic for threats like SQL injection but does not control network-layer access; it cannot block all non-ALB traffic at the network interface level, so it fails to meet the core requirement of restricting inbound traffic to only the ALB. Option D is wrong because a host-based firewall on each web server keyed to the ALB's private IP addresses is fragile: the load balancer's node addresses change as it scales, so the rule set on every server would need continual updates, and per-host rules drift and are harder to audit than one security group applied to the whole fleet.

174
MCQmedium

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Zero trust
AnswerB

Correct. The design uses network segmentation, firewalls, and encryption to create multiple layers of defense. This is the core concept of defense in depth, ensuring that a failure in one layer does not compromise the entire system.

Why this answer

The design enforces defense in depth by layering multiple security controls: a DMZ isolates public-facing web servers from internal networks, a stateful firewall restricts inbound traffic to HTTP/HTTPS only, and outbound connections from web servers to internal application servers are limited to a specific TCP port with TLS encryption. This layered approach ensures that even if one control fails (e.g., a web server is compromised), the attacker still faces additional barriers to reach sensitive internal systems.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'least privilege' because both involve restricting access, but defense in depth specifically refers to multiple overlapping security layers (network segmentation, firewalls, encryption) rather than minimal permissions for a single component.

How to eliminate wrong answers

Option A is wrong because least privilege would focus on granting only the minimum necessary permissions to users or processes, but the scenario describes network segmentation and traffic filtering, not user or service account permissions. Option C is wrong because separation of duties involves dividing critical tasks among different individuals to prevent fraud or error, whereas this design is about network architecture and access controls, not role-based task division. Option D is wrong because zero trust removes implicit trust based on network location and authenticates and authorizes every request regardless of where it originates; this design still grants access according to which zone a system sits in and which firewall rule matches, so it is a layered perimeter model rather than a zero-trust architecture.

175
MCQhard

A stateless firewall sits between a DMZ subnet 10.10.10.0/24 and an internal subnet 10.10.20.0/24. Only the web server at 10.10.10.25 should be allowed to initiate TCP sessions to the app server at 10.10.20.20 on port 8443. All other DMZ-to-internal traffic must remain blocked. Which ACL entry is the best fit on the DMZ-facing interface?

A.deny tcp 10.10.10.0/24 10.10.20.0/24 eq 8443 followed by permit ip any any
B.permit tcp host 10.10.10.25 host 10.10.20.20 eq 8443 followed by deny ip any any
C.permit tcp host 10.10.20.20 host 10.10.10.25 eq 8443 followed by deny ip any any
D.permit ip 10.10.10.0/24 10.10.20.0/24 followed by deny ip any any
AnswerB

This rule is the least-privilege match for the stated requirement. It allows only the specific source host, destination host, and destination port needed for the application flow, while the explicit deny blocks all remaining DMZ-to-internal traffic on that interface. Because the firewall is stateless, narrowing the source and destination at the entry point is the safest way to prevent unintended exposure.

Why this answer

Option B is correct because it explicitly permits only the web server at 10.10.10.25 to initiate TCP sessions to the app server at 10.10.20.20 on port 8443, then denies all other traffic. Since the firewall is stateless, it cannot track session state, so the ACL must be applied on the DMZ-facing interface to control traffic initiated from the DMZ toward the internal subnet. The permit statement uses the 'host' keyword for precise source and destination, followed by an explicit deny all to block any other DMZ-to-internal traffic. Because the firewall keeps no session table, this entry covers only the web server's packets toward the app server; the app server's replies (source 10.10.20.20 port 8443 to 10.10.10.25) arrive on the internal-facing interface and need their own permit there, or that interface's implicit deny drops them.

Exam trap

The trap here is that candidates often reverse the source and destination in the permit statement (as in Option C), mistakenly thinking the ACL should allow the app server to respond, rather than correctly permitting the web server to initiate the connection from the DMZ to the internal subnet.

How to eliminate wrong answers

Option A is wrong because it denies the specific traffic (TCP from 10.10.10.0/24 to 10.10.20.0/24 on port 8443) that should be permitted, and then permits all other traffic, which would allow unauthorized DMZ hosts to reach the internal subnet. Option C is wrong because it reverses the source and destination, permitting the app server at 10.10.20.20 to initiate sessions to the web server on port 8443, which violates the requirement that only the web server should initiate the connection. Option D is wrong because it permits all IP traffic from the entire DMZ subnet to the internal subnet, which would allow any DMZ host to reach any internal host, completely bypassing the restriction to only the web server and only on port 8443.
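The difference between stateless and stateful filtering comes up twice on this page: question 173 (security groups track the connection and admit the reply automatically) and question 175 (a stateless ACL must be written for each direction). The evaluator below is an added example, not code from the page; it parses the four candidate ACLs exactly as the options print them, runs constructed packets through first-match evaluation with an implicit deny, and then contrasts a stateless filter with a security-group-style stateful one on the reply direction. The packet set, the extra internal host 10.10.20.77, and the parser itself are assumptions made for the example.

```python
"""Added example: evaluate question 175's ACL options against constructed flows
and show why a stateless filter also needs a rule for the reply direction.
Rule notation mirrors the page's option text; the parser and packets are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" | "tcp" | "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]          # 'eq N' after the source address
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # 'eq N' after the destination address


def _take_endpoint(toks):
    """Consume 'any' | 'host A' | 'A/len', then an optional 'eq N'."""
    if toks[0] == "any":
        net, toks = ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    elif toks[0] == "host":
        net, toks = ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    else:
        net, toks = ipaddress.ip_network(toks[0]), toks[1:]
    port = None
    if toks and toks[0] == "eq":
        port, toks = int(toks[1]), toks[2:]
    return net, port, toks


def parse_rule(text: str) -> Rule:
    toks = text.split()
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, sport, toks = _take_endpoint(toks)
    dst, dport, toks = _take_endpoint(toks)
    return Rule(action, proto, src, sport, dst, dport)


def parse_acl(text: str):
    """The page joins successive entries with 'followed by'."""
    return [parse_rule(e.strip()) for e in text.split("followed by")]


def match(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def stateless_decision(acl, pkt: Packet) -> str:
    """First match wins; every ACL ends in an implicit deny."""
    for rule in acl:
        if match(rule, pkt):
            return rule.action
    return "deny"


OPTIONS = {   # the four answer choices, verbatim from the question
    "A": "deny tcp 10.10.10.0/24 10.10.20.0/24 eq 8443 followed by permit ip any any",
    "B": "permit tcp host 10.10.10.25 host 10.10.20.20 eq 8443 followed by deny ip any any",
    "C": "permit tcp host 10.10.20.20 host 10.10.10.25 eq 8443 followed by deny ip any any",
    "D": "permit ip 10.10.10.0/24 10.10.20.0/24 followed by deny ip any any",
}
WANTED = Packet("tcp", "10.10.10.25", 51234, "10.10.20.20", 8443)
FORBIDDEN = [                                       # constructed negative cases
    Packet("tcp", "10.10.10.99", 51234, "10.10.20.20", 8443),   # another DMZ host
    Packet("tcp", "10.10.10.25", 51234, "10.10.20.20", 22),     # wrong port
    Packet("tcp", "10.10.10.25", 51234, "10.10.20.77", 8443),   # another internal host
    Packet("udp", "10.10.10.25", 51234, "10.10.20.20", 8443),   # wrong protocol
]


def meets_requirement(option: str) -> bool:
    acl = parse_acl(OPTIONS[option])
    return (stateless_decision(acl, WANTED) == "permit"
            and all(stateless_decision(acl, p) == "deny" for p in FORBIDDEN))


def compliant_options():
    return [o for o in OPTIONS if meets_requirement(o)]


class StatefulFilter:
    """Security-group style: a permitted forward flow implicitly permits its reply."""

    def __init__(self, acl):
        self.acl, self.table = acl, set()

    def decision(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"                      # reply to a tracked connection
        verdict = stateless_decision(self.acl, pkt)
        if verdict == "permit":
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


REPLY = Packet("tcp", "10.10.20.20", 8443, "10.10.10.25", 51234)


def return_traffic_demo():
    acl = parse_acl(OPTIONS["B"])
    stateless = stateless_decision(acl, REPLY)   # option B alone never matches the reply
    sf = StatefulFilter(acl)
    sf.decision(WANTED)                          # forward flow creates the state entry
    stateful = sf.decision(REPLY)
    # On a stateless firewall the internal-facing interface needs its own entry
    # for the reply direction (on IOS one would normally add 'established' as well):
    reply_acl = parse_acl("permit tcp host 10.10.20.20 eq 8443 host 10.10.10.25 "
                          "followed by deny ip any any")
    return stateless, stateful, stateless_decision(reply_acl, REPLY)
```

`compliant_options()` returns only `B`, and `return_traffic_demo()` shows the stateless filter dropping the app server's reply until a second entry is written for it, while the stateful filter admits the same reply from its connection table with no extra rule.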

176
MCQeasy

Employees must sign in to several cloud applications with their corporate account, and terminated users should lose access without separate password resets in each app. What is the best solution?

A.Create a separate local username and password in every cloud application.
B.Use federation with single sign-on from a central identity provider.
C.Store the same shared password in a password manager for all applications.
D.Allow each application to authenticate users only by device MAC address.
AnswerB

Federation with SSO is the best option because employees authenticate once with the corporate identity provider and then access multiple applications through trusted token exchange. This reduces password sprawl, improves user convenience, and makes offboarding faster because disabling the central account removes access across connected services. It also supports stronger controls such as MFA at the identity provider rather than repeating them in every application.

Why this answer

Federation with single sign-on (SSO) from a central identity provider (IdP) allows users to authenticate once using their corporate account, and the IdP issues security tokens (e.g., SAML assertions or OIDC tokens) that each cloud application trusts. When a user is terminated, the administrator disables the account in the IdP and the user can no longer obtain new tokens for any connected application; sessions that are already open end when their tokens expire, sooner if the applications support session revocation or automated deprovisioning. Either way there is no password to reset in each app.

Exam trap

The trap here is that candidates confuse password managers (which store credentials but do not provide centralized revocation) with federation, or they mistakenly think MAC address authentication is viable for cloud applications, when in fact MAC addresses are link-layer identifiers not usable over the internet.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in every cloud application violates the requirement for centralized access control and would require manual password resets in each app upon termination. Option C is wrong because storing the same shared password in a password manager does not provide centralized revocation; the password would still need to be changed in every application individually to block access. Option D is wrong because authenticating by device MAC address is not feasible for cloud applications (MAC addresses are not transmitted over the internet) and does not support user-level identity or termination.

177
MCQhard

An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only on the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be VLAN 40 and must not transit to internal segments. Which change best fixes the issue?

A.Convert the AP uplink to an access port in VLAN 40 and leave the AP to handle all traffic untagged.
B.Disable dynamic trunk negotiation, configure a static trunk, allow only VLANs 40 and 99, and move the native VLAN to an unused value.
C.Add the internal printer VLAN to the allowed list so the AP can filter client traffic itself.
D.Keep the trunk settings and add a layer 3 ACL between the guest and internal networks.
AnswerB

This prevents unintended trunk formation, limits the VLANs that can traverse the link, and reduces risk from the native VLAN.

Why this answer

The symptom points at the native VLAN. VLAN 40 is not in the trunk's allowed list, so guest frames cannot cross the link tagged as VLAN 40; whatever the AP sends untagged, or whatever falls back to the untagged path through misconfiguration, is placed in native VLAN 1, which is live on every switch port by default and is not isolated from the internal segments, so it reaches the printer VLAN. Dynamic negotiation means the port's trunk state was negotiated rather than deliberately set, which is why only the new wiring closet behaves this way. Disabling dynamic trunk negotiation (DTP), configuring a static trunk, allowing only VLANs 40 and 99 (the management VLAN the AP needs), and moving the native VLAN to an unused value ensures guest traffic is carried tagged as VLAN 40 with no untagged path into internal VLANs, and it removes the VLAN-hopping risk that comes with native VLAN 1.

Exam trap

The trap here is that candidates think adding an ACL or allowing more VLANs will solve the problem, but the root cause is that VLAN 40 is not allowed on the trunk, and the native VLAN 1 introduces a security risk; the correct fix is to explicitly permit only the necessary VLANs and secure the native VLAN.

How to eliminate wrong answers

Option A is wrong because converting the AP uplink to an access port in VLAN 40 would force all traffic from the AP to be untagged in VLAN 40, but the AP typically sends multiple VLANs (e.g., management, guest) as tagged frames; an access port cannot carry multiple VLANs and would drop tagged frames, breaking management and other services. Option C is wrong because adding the internal printer VLAN to the allowed list would explicitly permit guest traffic to reach the printer VLAN, which is the opposite of the security requirement to isolate guest traffic from internal segments. Option D is wrong because a Layer 3 ACL between the guest and internal networks acts on routed traffic; it does not address the Layer 2 leak through the untagged native VLAN, and it leaves VLAN 40 missing from the trunk and the port open to negotiation. It is a reasonable additional control, not a fix for the misconfigured trunk.
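Questions 168 and 177 describe the same three trunk weaknesses (negotiated trunk state, native VLAN left at 1, allowed-VLAN list wider or narrower than intended), and they are exactly the conditions worth checking across a whole switch estate rather than one port at a time. The audit below is an added example, not code from the page or from any vendor tool. The interface stanzas are constructed for the example in Cisco IOS syntax, and the per-port VLAN policy is a hypothetical one; the port names and descriptions are likewise made up.

```python
"""Added example: audit switch interface stanzas for the trunk weaknesses named
in questions 168 and 177. SAMPLE_CONFIG and POLICY are constructed, not real."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description ESXi host uplink (before hardening)
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description ESXi host uplink (after hardening)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40
!
interface GigabitEthernet1/0/3
 description new wiring closet AP uplink
 switchport mode dynamic auto
 switchport trunk allowed vlan 10,20,30
!
"""

POLICY = {   # hypothetical: the VLANs each trunk is supposed to carry
    "GigabitEthernet1/0/1": {30, 40},
    "GigabitEthernet1/0/2": {30, 40},
    "GigabitEthernet1/0/3": {40, 99},
}


def parse_interfaces(config: str) -> dict:
    """Split running-config text into {interface name: [commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return stanzas


def expand_vlans(spec: str) -> set:
    """'10,20-22' -> {10, 20, 21, 22}"""
    out = set()
    for part in spec.split(","):
        a, _, b = part.partition("-")
        out.update(range(int(a), int(b or a) + 1))
    return out


def audit_trunk(cmds: list, expected: set) -> list:
    """Return one finding per weakness; an empty list means the port passes."""
    findings = []
    mode = next((c for c in cmds if c.startswith("switchport mode ")), "")
    if mode != "switchport mode trunk":
        findings.append("trunk state negotiated via DTP; set 'switchport mode trunk'")
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP still advertised; add 'switchport nonegotiate'")
    native = next((c for c in cmds if c.startswith("switchport trunk native vlan ")), None)
    if native is None or native.split()[-1] == "1":
        findings.append("native VLAN is 1 (default); move it to an unused VLAN")
    allowed = next((c for c in cmds if c.startswith("switchport trunk allowed vlan ")), None)
    if allowed is None:
        findings.append("all VLANs allowed; prune with 'switchport trunk allowed vlan'")
    else:
        carried = expand_vlans(allowed.split()[-1])
        extra, missing = carried - expected, expected - carried
        if extra:
            findings.append(f"trunk carries unexpected VLANs {sorted(extra)}")
        if missing:
            findings.append(f"trunk is missing required VLANs {sorted(missing)}")
    return findings


def audit(config: str = SAMPLE_CONFIG, policy: dict = POLICY) -> dict:
    """Audit every interface the policy knows about."""
    return {name: audit_trunk(cmds, policy[name])
            for name, cmds in parse_interfaces(config).items() if name in policy}


if __name__ == "__main__":
    for port, findings in audit().items():
        print(port, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the constructed config the hardened ESXi uplink passes, the unhardened one produces four findings, and the new wiring-closet AP port produces five: the three trunk weaknesses plus both a surplus (10, 20, 30) and a shortfall (40, 99) against the VLANs it is meant to carry, which is the situation question 177 describes.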

178
MCQmedium

A help desk team manages 300 Windows laptops. A legacy accounting app sometimes fails after updates, so the company wants to reduce patch risk while still preventing long-term exposure. Which patching strategy is the best balance?

A.Apply updates manually to each laptop as soon as they are released.
B.Use a pilot group and phased rollout process before wider deployment.
C.Postpone all updates until the legacy accounting app is replaced.
D.Disable automatic updates permanently and patch only after a security incident.
AnswerB

A pilot-to-broad rollout strategy lets the organization validate patches on a small set of representative devices before deploying them widely. That reduces the chance of a widespread compatibility problem while still keeping systems updated on a reasonable schedule. It is a practical balance between security, reliability, and operational risk.

Why this answer

A phased rollout with a pilot group is the most balanced approach. It allows the team to test new patches on a few systems that reflect the production environment before exposing the entire fleet to possible compatibility issues. That lowers operational risk while still ensuring the organization patches regularly, which is essential for reducing exposure to known vulnerabilities and maintaining a secure baseline.

How to eliminate wrong answers

Option A is too labor-intensive and still lacks controlled validation. Option C accepts avoidable risk by deferring all updates indefinitely. Option D is reactive and leaves the fleet exposed until an incident occurs. The correct answer is the only one that preserves security and operational stability at the same time.

179
MCQmedium

A finance team deploys a regulated workload to a public cloud. They want operating system login events, process activity, and network flow metadata to be retained in one central place for detection and investigation. Which action best supports this requirement with the least operational overhead?

A.Rely on the cloud provider to automatically secure all guest operating systems and collect every log type by default.
B.Enable cloud-native logging and forward guest telemetry from the workload into a centralized security logging service or SIEM.
C.Move the workload to a private data center so the cloud provider can no longer access any telemetry.
D.Disable host logging and rely only on perimeter firewall logs to reduce storage costs.
AnswerB

This is the best approach because it uses cloud-native controls to capture logs close to the workload and centralizes them for correlation and retention. It supports visibility across identity, host, and network activity without building a separate logging stack from scratch. It also aligns with the shared responsibility model by keeping customer-controlled telemetry under the organization’s management.

Why this answer

Option B is correct because it directly addresses the requirement to centralize OS login events, process activity, and network flow metadata from a public cloud workload. The pieces come from different cloud-native sources: control-plane audit logs (e.g., AWS CloudTrail, Azure Activity Log) record API calls, VPC or NSG flow logs supply the network flow metadata, and an agent inside the guest (e.g., the Amazon CloudWatch agent or the Azure Monitor Agent) collects login and process events from the operating system. Forwarding all of these to one centralized security logging service or SIEM gives the detection and investigation view the finance team needs, with less operational overhead than building a custom collection stack.

Exam trap

The trap here is that candidates may assume cloud providers automatically handle all guest OS logging under the shared responsibility model, leading them to choose Option A, but in reality, the customer must explicitly configure and forward guest telemetry to a centralized service.

How to eliminate wrong answers

Option A is wrong because cloud providers do not automatically secure guest operating systems or collect every log type by default; they operate under a shared responsibility model where the customer is responsible for guest OS security and log collection, and default logging typically covers only control-plane events (e.g., API calls), not guest OS login events or process activity. Option C is wrong because moving the workload to a private data center increases operational overhead (e.g., managing physical infrastructure, maintaining on-premises logging tools) and does not inherently centralize telemetry; it also contradicts the premise of using a public cloud for the workload. Option D is wrong because perimeter firewall logs contain none of the required data: they show connections crossing the edge, not OS login events or process activity, and they miss east-west traffic inside the cloud network.

180
MCQmedium

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

A.Deploy a VPN concentrator and require all administrators to connect to the VPN before initiating SSH sessions directly to the servers.
B.Deploy a jump server (bastion host) in a management subnet and require all administrative SSH connections to originate from the jump server, with the jump server accessible only via the corporate VPN.
C.Replace SSH with a web-based console proxy that uses HTTPS and multi-factor authentication, and allow direct internet access to the console proxy on port 443.
D.Configure each Linux server with a public IP address but restrict inbound SSH to the known public IP addresses of the administrators' corporate laptops.
AnswerB

This is the correct architecture. The jump server acts as a secure intermediary. No SSH traffic from the internet reaches the target servers; all connections must first authenticate to the VPN, then to the jump server, and finally the jump server initiates outbound SSH to the target servers. This eliminates direct inbound SSH and provides a centralized audit point.

Why this answer

Option B is correct because it eliminates direct inbound SSH from the internet by placing a jump server (bastion host) in a management subnet that is only accessible via the corporate VPN. Administrators must first connect to the VPN, then SSH to the jump server, and from there initiate SSH sessions to the target Linux servers. This architecture ensures no SSH port is exposed to the public internet, meeting the primary security goal.

Exam trap

The trap here is that candidates may think a VPN alone (Option A) is sufficient to eliminate direct inbound SSH, but the VPN still allows direct SSH from the VPN client to the server, which does not remove the server’s SSH exposure from the internet—it only adds a layer of encryption and authentication, not a true bastion architecture.

How to eliminate wrong answers

Option A is wrong because deploying a VPN concentrator alone still allows administrators to initiate direct SSH sessions to the servers after connecting to the VPN, meaning the SSH ports on the servers remain exposed to the VPN network and potentially to the internet if the VPN is misconfigured or compromised. Option C is wrong because it replaces SSH with a web-based console proxy accessible directly on port 443 from the internet, which still exposes a management interface to the public internet, failing to eliminate direct inbound connections and introducing a new attack surface.

181
MCQ · medium

A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?

A. Assume the provider's default settings are sufficient because encryption at rest is already enabled.
B. Move the documents to a public bucket so users can access them without friction.
C. Configure least-privilege IAM roles, bucket policies, and object permissions for approved users only.
D. Disable encryption at rest so administrators can troubleshoot access problems more easily.
Answer: C

Access control is the customer's main responsibility here, and least-privilege permissions directly limit who can retrieve the files.

Why this answer

Option C is correct because, even with encryption at rest and physical security, unauthorized access can occur if IAM policies, bucket policies, and object permissions are overly permissive. Configuring least-privilege access ensures that only approved users can read or modify the stored files, directly reducing the attack surface. Encryption at rest protects data if storage media is compromised, but it does not prevent authorized users with excessive permissions from accessing files they shouldn't.

Exam trap

The trap here is that candidates confuse encryption at rest with access control, assuming that encryption alone prevents unauthorized access, when in fact it only protects against physical theft of storage media, not against API-level access by users with excessive permissions.

How to eliminate wrong answers

Option A is wrong because assuming default settings are sufficient ignores the principle of least privilege; default IAM roles and bucket policies are often overly permissive (e.g., public read access) and must be explicitly hardened. Option B is wrong because moving documents to a public bucket would expose them to anyone on the internet, directly increasing the risk of unauthorized access. Option D is wrong because disabling encryption at rest would leave data vulnerable if an attacker gains physical access to the storage media or if the provider suffers a breach, and it does not solve access control issues.

182
Multi-Select · easy

A company wants its laptop fleet to start from a known configuration before shipping to users and to reduce exposure to newly discovered vulnerabilities over time. Which two actions are best? Select two.

A. Build the laptops from a secure baseline image.
B. Apply security patches on a regular schedule.
C. Install extra consumer applications by default.
D. Allow users to disable endpoint protection whenever they want.
E. Delay firmware updates until devices fail.
Answers: A, B

A secure baseline ensures every device starts with approved settings and without unnecessary exposure. It makes the fleet easier to manage and more consistent to secure.

Why this answer

Building laptops from a secure baseline image ensures that every device starts with a known, hardened configuration, eliminating any pre-existing vulnerabilities or misconfigurations. This directly supports the requirement to begin from a known good state before shipping to users.

Exam trap

The trap here is that candidates may think installing extra applications is helpful for user productivity, but the question specifically asks for actions that reduce vulnerability exposure and ensure a known configuration, making such additions counterproductive.

183
Multi-Select · medium

A regulated analytics workload must run in a public cloud with the strongest practical tenant isolation while avoiding management of physical servers. The workload should also remain off the public internet. Which two deployment choices best fit? Select two.

A. Run the workload on a dedicated host or dedicated instance.
B. Place the workload in a private subnet without a public IP address.
C. Use shared tenancy with security groups only.
D. Assign an elastic IP so administrators can reach the workload directly from anywhere.
E. Expose the workload through a public load balancer to simplify connectivity.
Answers: A, B

Dedicated compute placement provides stronger tenant isolation than shared hardware and is appropriate when a regulated workload needs a higher separation level. It also keeps the organization in a cloud model without requiring ownership of physical servers.

Why this answer

A dedicated host or dedicated instance provides the strongest practical tenant isolation in a public cloud by ensuring that the underlying physical server is not shared with any other customer. This meets the regulatory requirement for strong isolation while avoiding the need to manage physical servers, as the cloud provider still handles hardware maintenance. The dedicated instance model (e.g., AWS Dedicated Instances) offers hardware-level isolation at the instance level, while a dedicated host gives you visibility and control over the physical server, both without requiring you to manage the server itself.

Exam trap

The trap here is that candidates often confuse network isolation (private subnet) with tenant isolation (physical hardware separation), or they assume that a public load balancer can be used without exposing the workload to the internet, forgetting that the load balancer itself has a public endpoint.

184
MCQ · medium

A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?

A. Move finance devices to the guest Wi-Fi network so they are separated from employees.
B. Create separate VLANs for finance and user devices, then apply inter-VLAN ACLs to allow only required application and printer traffic.
C. Keep the flat LAN but require stronger passwords on finance PCs and shared folders.
D. Place all devices in one VLAN and rely on endpoint antivirus to stop spread.
Answer: B

Separate VLANs provide segmentation, and inter-VLAN ACLs enforce which systems may communicate. This limits lateral movement while still allowing the finance team to reach approved shared resources such as the finance application and printer.

Why this answer

Option B is correct because creating separate VLANs segments the flat LAN into isolated broadcast domains, preventing lateral movement from compromised user workstations to finance systems. Inter-VLAN ACLs then act as a stateful firewall, permitting only the specific traffic (e.g., TCP 1433 for a SQL-based finance application, TCP 9100 for the printer) while blocking all other inter-VLAN communication. This aligns with the principle of least privilege and network segmentation, directly addressing the requirement to isolate finance workstations without disrupting their needed access.

Exam trap

The trap here is that candidates may think stronger passwords or guest Wi-Fi solve the isolation problem, but CompTIA tests the understanding that network segmentation via VLANs and ACLs is the only method that both prevents lateral movement and preserves specific required access.

How to eliminate wrong answers

Option A is wrong because moving finance devices to the guest Wi-Fi network would isolate them from the internal LAN, but guest networks typically have no access to internal resources like the central finance application or network printer, breaking the required connectivity. Option C is wrong because keeping the flat LAN with stronger passwords does not prevent lateral movement; a compromised user workstation on the same broadcast domain can still directly attack finance PCs via ARP spoofing, SMB relay, or other Layer 2 attacks, regardless of password strength.

185
Multi-Select · easy

A company wants employees to sign in once with corporate credentials and access multiple SaaS apps without creating separate passwords for each service. Which two features best support this goal? Select two.

A. Federation trust between the corporate identity provider and the SaaS provider.
B. Single sign-on so users authenticate once and reuse that session across apps.
C. Shared generic accounts for each department.
D. Storing the same password inside every SaaS application.
E. Disabling MFA so the sign-in process is faster.
Answers: A, B

Federation lets the SaaS application accept authentication from the company’s identity provider. This avoids local account sprawl and supports centralized control of user sign-in.

Why this answer

Option A is correct because federation trust, typically implemented via standards like SAML 2.0 or OpenID Connect, establishes a trust relationship between the corporate identity provider (IdP) and each SaaS provider. This allows the SaaS app to accept authentication assertions from the corporate IdP, enabling users to sign in with their corporate credentials without needing separate passwords for each service.

Exam trap

The trap here is that candidates may confuse SSO (Option B) with federation (Option A) as being redundant, but they are complementary—federation establishes the trust relationship, while SSO provides the seamless session reuse—so both are required to meet the goal of signing in once with corporate credentials across multiple SaaS apps.

186
Matching · hard

Match each design requirement to the best security architecture control. Use each control once.

Concepts

DMZ

Bastion host

Microsegmentation

Zero Trust Network Access (ZTNA)

Load balancer

Why these pairings

Defense in depth uses layered controls, least privilege minimizes risk, separation of duties prevents fraud, fail secure avoids insecure states, secure defaults reduce misconfiguration, and complete mediation ensures consistent enforcement.

187
MCQ · medium

An HR system marks employees as hired, transferred, or terminated. The security team wants those changes to create, update, or disable accounts in multiple SaaS apps automatically after the user authenticates through the company identity provider. Which capability should be added?

A. SAML federation alone, with no additional account lifecycle automation.
B. Password synchronization between every application.
C. SCIM provisioning integrated with the SSO platform.
D. Local administrator groups on each SaaS application.
Answer: C

SCIM automates user and group lifecycle changes, so account creation, updates, and disablement can follow HR events centrally.

Why this answer

SCIM (System for Cross-domain Identity Management) is the correct choice because it provides a standardized protocol for automating the creation, update, and deletion of user accounts across multiple SaaS applications. When integrated with an SSO platform (like SAML), SCIM handles the lifecycle events (hire, transfer, terminate) by sending RESTful API calls to each SaaS app, ensuring accounts are created, updated, or disabled without manual intervention. SAML alone only handles authentication, not account provisioning, making SCIM essential for the described automation.

Exam trap

The trap here is that candidates often confuse SAML federation (which only handles authentication) with full identity lifecycle management, leading them to pick option A, but the question explicitly requires automated account creation, update, and disablement—a capability only SCIM provides.

How to eliminate wrong answers

Option A is wrong because SAML federation alone only handles authentication (single sign-on) and does not include any account lifecycle management—it cannot create, update, or disable accounts automatically. Option B is wrong because password synchronization between applications is a legacy approach that does not automate account provisioning or deprovisioning; it only keeps passwords consistent and introduces security risks without addressing the core requirement of lifecycle automation. Option D is wrong because local administrator groups on each SaaS application are a manual, per-application access control mechanism that does not provide any automated account lifecycle management or integration with the identity provider.

188
MCQ · medium

A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?

A. Rely only on the cloud provider's service health dashboard and billing alerts.
B. Enable guest OS audit logging and cloud-native flow logs, then forward the data to the SIEM.
C. Encrypt the virtual machine disks and disable all logging to reduce exposure.
D. Install only a web application firewall because that covers server log collection.
Answer: B

This combines host-level visibility with cloud network telemetry. Audit logs capture logons and system activity inside the virtual machine, while flow logs show network connections. Forwarding both to a SIEM gives analysts the context needed to correlate suspicious behavior across layers.

Why this answer

Option B is correct because it directly addresses the requirement to collect operating system login events, process activity, and network flow metadata. Enabling guest OS audit logging (e.g., via Windows Event Log or syslog) captures login and process events, while cloud-native flow logs (e.g., AWS VPC Flow Logs or Azure NSG flow logs) provide network flow metadata. Forwarding both data streams to the SIEM ensures centralized visibility for investigations.

Exam trap

The trap here is that candidates may think cloud provider dashboards or encryption are sufficient for security monitoring, but they fail to recognize that the specific data types required (OS events and network flows) must be explicitly enabled and forwarded from the guest OS and network layer, not inferred from provider-level metrics.

How to eliminate wrong answers

Option A is wrong because relying solely on the cloud provider's service health dashboard and billing alerts provides only infrastructure-level availability and cost data, not the required OS login events, process activity, or network flow metadata. Option C is wrong because encrypting disks and disabling all logging would eliminate the very data needed for investigations, directly contradicting the goal of making that data available in the SIEM.

189
MCQ · easy

Field staff use company-owned tablets that also run approved personal apps. Security wants corporate email and documents separated from personal data, with the ability to wipe only the work data if a device is lost. What is the best control?

A. Use a work profile or container managed by a mobile device management platform.
B. Disable all personal apps by removing internet access from the tablet.
C. Install only a screen lock and require a longer PIN for the tablet.
D. Use a USB cable lock so the tablet cannot be physically moved.
Answer: A

A managed work profile or container is the best answer because it separates corporate data from personal applications on the same mobile device. That allows the organization to enforce policies on work data, protect corporate email and documents, and selectively remove only the business container if the tablet is lost or the user leaves. It supports a practical BYOD or COPE style deployment without wiping the user's personal content.

Why this answer

A work profile or container managed by a mobile device management (MDM) platform creates a separate, encrypted partition on the device for corporate data. This allows the organization to enforce policies and perform a selective wipe of only the work container without affecting personal apps or data, meeting the requirement for separation and targeted remote wipe.

Exam trap

The trap here is that candidates may think a screen lock or disabling internet is sufficient for data separation, but the exam specifically tests the concept of containerization and selective wipe as the only method that meets both separation and targeted data removal requirements.

How to eliminate wrong answers

Option B is wrong because disabling internet access on the tablet would block all network connectivity, preventing both personal and corporate apps from functioning, and does not provide any data separation or selective wipe capability. Option C is wrong because a screen lock and longer PIN only protect the device from unauthorized access at rest; they do not separate corporate data from personal data, nor do they enable a selective wipe of work data only.

190
MCQ · medium

A company manages 300 laptops and wants to reduce risk from missed patches while avoiding a widespread outage if an update has compatibility issues. Which patching approach is the best choice?

A. Install patches manually on each laptop after users report problems.
B. Deploy all patches to every laptop immediately with no testing.
C. Use a phased rollout with a pilot group, then expand deployment after validation, while keeping a standard baseline configuration.
D. Wait for annual maintenance windows so all changes happen at once.
Answer: C

A phased or ring-based rollout balances speed and stability. A pilot group catches compatibility issues early, and the baseline keeps endpoint settings consistent across the fleet. This approach reduces risk from vulnerabilities without creating unnecessary operational disruption.

Why this answer

Option C is correct because a phased rollout with a pilot group allows the IT team to validate patches on a small subset of laptops before full deployment, reducing the risk of widespread outages from compatibility issues. Maintaining a standard baseline configuration ensures consistency across all 300 laptops, which simplifies patch management and reduces the likelihood of missed patches. This approach balances risk mitigation with operational continuity, aligning with best practices for enterprise patch management.

Exam trap

The trap here is that candidates may choose Option B (immediate deployment) because they prioritize speed and simplicity over risk management, failing to recognize that unvalidated patches can cause cascading failures that negate any security benefits.

How to eliminate wrong answers

Option A is wrong because installing patches manually only after users report problems is a reactive approach that leaves laptops vulnerable to known exploits for extended periods, increasing the risk of security breaches. Option B is wrong because deploying all patches to every laptop immediately with no testing ignores the potential for compatibility issues that could cause widespread outages, application failures, or system instability across the entire fleet.

191
MCQ · medium

Employees use several SaaS applications, and the security team wants one corporate login, MFA for unmanaged devices, and centralized account provisioning. Which architecture should be used?

A. Create separate usernames and passwords for each SaaS application.
B. Use federated single sign-on with the corporate identity provider and conditional access policies.
C. Share one generic account for the team so access is easier to audit.
D. Put all users on a VPN and let each SaaS application trust the internal network automatically.
Answer: B

Federation and SSO centralize authentication, while conditional access can require MFA or other controls based on device trust.

Why this answer

Federated single sign-on (SSO) with a corporate identity provider (IdP) allows users to authenticate once using their corporate credentials and access multiple SaaS applications without separate logins. Conditional access policies can enforce MFA specifically for unmanaged devices, and centralized account provisioning (e.g., via SCIM) ensures accounts are created, updated, and deprovisioned from a single directory. This architecture meets all three requirements: single corporate login, MFA for unmanaged devices, and centralized provisioning.

Exam trap

The trap here is that candidates confuse network-level controls (VPN) with identity-level controls (federation), assuming that a VPN provides the same authentication and authorization granularity as SSO with conditional access.

How to eliminate wrong answers

Option A is wrong because creating separate usernames and passwords for each SaaS application violates the requirement for a single corporate login, increases password fatigue, and makes centralized provisioning impossible. Option C is wrong because sharing one generic account eliminates individual accountability, violates the principle of least privilege, and makes auditing impossible since actions cannot be traced to a specific user. Option D is wrong because VPNs only provide network-level access and do not integrate with SaaS application authentication; SaaS apps cannot 'trust the internal network automatically' without federation, and VPNs do not enforce MFA or provide centralized account provisioning.

192
Drag & Drop · medium

Drag and drop the steps to implement a new firewall rule in an iptables-based Linux firewall into the correct order.

Why this order

After adding a rule, it's important to verify it appears in the list, then save permanently, and test to ensure functionality.

193
Multi-Select · easy

A security team wants to verify that a server has not drifted from its approved hardened configuration after several months of changes. Which two actions help most? Select two.

A. Compare the current configuration against the approved baseline.
B. Run a configuration compliance or hardening scan.
C. Restart the server and wait for users to report problems.
D. Increase the storage capacity on the server.
E. Change the desktop wallpaper to remind users of the policy.
Answers: A, B

A baseline comparison directly shows whether the server still matches the secure standard that was originally approved. It is one of the clearest ways to identify configuration drift.

Why this answer

Comparing the current configuration against the approved baseline (Option A) is a direct method to identify any deviations from the hardened state. This process, often performed manually or with scripts, checks each setting against the known-good values defined in the baseline document, such as those from CIS Benchmarks or DISA STIGs. It is the most straightforward way to detect drift after months of changes.

Exam trap

The trap here is that candidates may think restarting a server (Option C) is a valid troubleshooting or verification step, confusing operational recovery with security compliance validation, which requires direct comparison against a baseline.

194
MCQ · hard

Administrators must manage network switches from home. Requirements: encrypted management traffic, MFA for users, no management ports exposed to the Internet, and centralized logging of admin sessions. Which solution best meets the requirements?

A. Open SSH directly on each switch and allow access from the entire Internet.
B. Use a VPN with MFA that terminates on a hardened jump host, then reach switches over SSH or HTTPS.
C. Use port forwarding through the firewall to RDP on each switch.
D. Build an IPSec tunnel only between office routers and share a common admin password on the switches.
Answer: B

The VPN protects remote access, MFA strengthens authentication, and the jump host centralizes logging and control of management sessions.

Why this answer

Option B is correct because it satisfies all requirements: a VPN with MFA encrypts management traffic, the hardened jump host provides a secure intermediary that keeps switch management ports off the Internet, and centralized logging can be implemented on the jump host to record all admin sessions. This architecture aligns with the principle of defense-in-depth by combining encrypted tunnels, strong authentication, and network segmentation.

Exam trap

The trap here is that candidates may think a VPN alone is sufficient, forgetting that the jump host is necessary to avoid exposing switch management ports and to enable centralized logging and MFA enforcement.

How to eliminate wrong answers

Option A is wrong because opening SSH directly on each switch from the entire Internet exposes management ports to the public, violating the requirement that no management ports be exposed to the Internet, and it lacks MFA. Option C is wrong because port forwarding RDP to each switch exposes management ports (RDP uses port 3389) to the Internet, and RDP is not the native management protocol for network switches (switches typically use SSH or HTTPS), nor does it inherently provide MFA or centralized logging. Option D is wrong because an IPSec tunnel between office routers does not address MFA (it uses a shared common password, which is weak), and it does not provide centralized logging of admin sessions.

195
Multi-Select · hard

A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.

A. Use federation or SSO so the identity provider issues the session for all approved apps.
B. Use ABAC or conditional access rules that check project assignment and device compliance.
C. Require MFA and step-up authentication before the contractor reaches sensitive functions.
D. Create a shared project account so access can be revoked by changing one password.
E. Issue long-lived refresh tokens that never expire unless the user reports a problem.
Answers: A, B, C

Federation and SSO allow one trusted identity provider to authenticate the user once and then pass that identity to approved applications. That matches the business requirement to avoid separate logins to each SaaS app. It also centralizes authentication control so access can be revoked or adjusted from one place.

Why this answer

Option A is correct because federation or SSO allows the identity provider to issue a single session token (e.g., SAML assertion or OIDC ID token) that is accepted by all integrated SaaS apps. This eliminates the need for separate logins, directly meeting the requirement to avoid multiple authentication prompts while maintaining centralized session control.

Exam trap

The trap here is that candidates may think a shared account (Option D) simplifies revocation, but it actually destroys audit trails and fails to meet the requirements for per-user MFA and device compliance, which are essential for the described zero-trust architecture.

196
MCQ · medium

A DevOps team builds container images in a CI/CD pipeline. Security wants to reduce the chance of deploying vulnerable libraries and also wants the cluster to reject images that have not been approved. Which approach best meets both requirements?

A. Increase CPU and memory limits for the containers so they run more safely.
B. Allow developers to pull images from any registry as long as the tags look familiar.
C. Disable pipeline scanning to speed releases and rely on runtime monitoring after deployment.
D. Scan images in the pipeline and enforce signature verification or admission control before deployment.
Answer: D

Build-time scanning helps identify vulnerable packages before release, while signature verification or admission control ensures only approved images can run in the cluster. Together, these controls reduce both content risk and deployment risk. This is the strongest combined answer because it addresses prevention and policy enforcement.

Why this answer

Option D is correct because it combines two essential security controls: scanning container images for known vulnerabilities (e.g., using Trivy or Clair) during the CI/CD pipeline, and enforcing signature verification (e.g., using Notary or Cosign) or admission control (e.g., using OPA/Gatekeeper or Kyverno) to ensure only signed or approved images are deployed. This directly reduces the risk of deploying vulnerable libraries and prevents unapproved images from running in the cluster.

Exam trap

The trap here is that candidates may think runtime monitoring (Option C) is sufficient, but it fails to prevent the initial deployment of vulnerable or unapproved images, which is the core requirement of the question.

How to eliminate wrong answers

Option A is wrong because increasing CPU and memory limits does not address vulnerability scanning or image approval; it only affects runtime resource allocation, not security posture. Option B is wrong because allowing images from any registry based on tag familiarity is insecure—tags can be easily spoofed or overwritten, and this bypasses any approval or integrity verification. Option C is wrong because disabling pipeline scanning removes the vulnerability detection step entirely, and relying solely on runtime monitoring cannot prevent the initial deployment of vulnerable or unapproved images.

197
MCQ · hard

A team stores sensitive archives on cloud block storage. The provider already encrypts disks at rest, but the company wants copies of the disks to remain unreadable even if a cloud administrator can snapshot and mount the volume. Which control is best?

A. Enable provider-managed encryption at rest only and rotate the storage passwords monthly.
B. Use client-side encryption before upload and keep the keys in an external HSM or key service.
C. Place the storage account in a private subnet and block all Internet access.
D. Rely on immutable snapshots and versioning to prevent unauthorized access.
Answer: B

Client-side encryption protects the data before it reaches the provider, so copied storage remains ciphertext without the key.

Why this answer

Client-side encryption ensures data is encrypted before it ever reaches the cloud provider's storage. By keeping the encryption keys in an external HSM or key service, the cloud provider (including its administrators) never has access to the plaintext keys, so even if they snapshot and mount the volume, the data remains unreadable. This addresses the threat model where the provider's own administrators could otherwise access the data at rest.

Exam trap

The trap here is that candidates assume provider-managed encryption at rest is sufficient against insider threats, but it does not protect against a cloud administrator who has access to the underlying infrastructure and can use snapshot/mount operations to bypass the encryption layer.

How to eliminate wrong answers

Option A is wrong because provider-managed encryption at rest still gives the cloud provider access to the encryption keys (or the means to decrypt), so a cloud administrator with snapshot and mount privileges could read the data. Rotating storage passwords does not change this fundamental access issue. Option C is wrong because placing the storage account in a private subnet and blocking Internet access only restricts network-level access; it does not prevent a cloud administrator from taking a snapshot and mounting it internally, nor does it encrypt the data to protect against that insider threat.

198
MCQ · medium

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

A. Place all servers in the same VLAN and apply a host-based firewall on the database server.
B. Place the database server in a separate, isolated network segment with a dedicated firewall that blocks all traffic except from the application server on the required port.
C. Encrypt all data in transit using TLS and at rest using AES-256.
D. Implement network intrusion detection systems on all network segments.
Answer: B

This design creates a clear cardholder data environment (CDE) boundary. The dedicated firewall restricts access so only the application server can communicate with the database server on a specific port. The web server and application server can be placed outside the CDE if they do not directly transmit or store cardholder data, thereby reducing the PCI DSS scope.

Why this answer

Option B is correct because isolating the database server in a separate network segment with a dedicated firewall that restricts traffic to only the application server on the required port creates a clear network segmentation boundary. This segmentation limits the cardholder data environment (CDE) to just the database server, thereby minimizing the scope of the PCI DSS assessment by excluding the web and application servers from the CDE.

Exam trap

The trap here is that candidates often confuse security controls (encryption, IDS) with architectural segmentation, mistakenly believing that encryption or monitoring alone can reduce PCI DSS scope, when only network isolation with a firewall boundary achieves that.

How to eliminate wrong answers

Option A is wrong because placing all servers in the same VLAN with only a host-based firewall on the database server does not create network segmentation; all servers remain in the same broadcast domain, which includes the web and application servers in the CDE, expanding the PCI DSS scope. Option C is wrong because encrypting data in transit with TLS and at rest with AES-256 is a security control, not a network architecture design; it does not reduce the scope of the PCI DSS assessment, as scope is determined by connectivity and access to cardholder data, not encryption alone. Option D is wrong because implementing network intrusion detection systems (NIDS) on all segments is a monitoring control that does not change the network architecture or isolate the database server; it does not reduce the CDE scope.

199
Multi-Select · easy

A security team wants to reduce the chance that employees boot unmanaged tools from removable media and wants only approved software to run on laptops. Which two controls should they use? Select two.

Select 2 answers
A. Secure Boot
B. Application control or allowlisting
C. DNS forwarding
D. Longer screen-lock timeout
E. Public DNS resolvers
Answers: A, B

Secure Boot helps ensure the device starts using trusted boot components instead of unapproved pre-boot code. That reduces the risk of tampered boot media or rogue recovery tools.

Why this answer

Secure Boot is correct because it ensures that only signed, trusted firmware and bootloaders execute during system startup, preventing unauthorized bootable media (e.g., USB drives with unmanaged OS images) from loading. This directly reduces the chance that employees can boot unmanaged tools from removable media by enforcing a chain of trust from UEFI firmware to the operating system kernel.

Exam trap

The trap here is that candidates may confuse DNS forwarding (a network service) with DNS filtering or security controls, or think that a longer screen-lock timeout improves security, when in fact it weakens physical security by extending the window of opportunity for unauthorized access.

200
MCQ · medium

A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?

A. Move all devices into one larger subnet and rely on endpoint antivirus for separation.
B. Create separate VLANs for device groups and apply inter-VLAN ACLs that permit only required traffic.
C. Place all devices behind a single proxy server and block all internal east-west traffic.
D. Enable port security on the switch and disable all VLAN tagging to reduce complexity.
Answer: B

This limits reachability between device classes while still allowing necessary business traffic such as printing and VoIP signaling.

Why this answer

Option B is correct because segmenting devices into separate VLANs (e.g., users, finance, printers, IP phones) and applying inter-VLAN ACLs restricts lateral movement by default while permitting only necessary traffic like printing (TCP 9100) and voice (RTP/UDP 16384-32767). This aligns with the principle of least privilege and zero trust segmentation, preventing malware from spreading across the flat LAN without disrupting critical services.

Exam trap

The trap here is that candidates often confuse 'limiting lateral movement' with 'blocking all east-west traffic,' forgetting that printing and voice require specific peer-to-peer flows that a proxy or full-block would break.

How to eliminate wrong answers

Option A is wrong because moving all devices into one larger subnet increases the attack surface and does nothing to limit lateral movement; endpoint antivirus alone cannot prevent east-west propagation. Option C is wrong because placing all devices behind a single proxy server blocks east-west traffic entirely, which would break local printing (direct IPP/SMB) and voice (RTP) traffic that requires direct peer-to-peer communication. Option D is wrong because port security only limits which and how many MAC addresses may use a switch port (mitigating MAC flooding and rogue device connections), and disabling VLAN tagging would collapse all traffic into a single broadcast domain, eliminating segmentation and increasing lateral movement risk.
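The segmentation design in question 200 can be checked as a policy before it is pushed to switches. The following is an added example, not part of the question bank: it models four VLANs and an inter-VLAN allow-list with implicit deny, then evaluates constructed sample flows so you can see that printing and RTP still pass while SMB and RDP from the user VLAN into finance are dropped. VLAN names, subnets, port choices and the sample flows are all constructed assumptions for illustration.

```python
"""Inter-VLAN ACL policy check.

Added example (not part of the question bank): models the segmentation design
in question 200 as an allow-list of inter-VLAN flows with an implicit deny.
VLAN names, subnets, port choices and the sample flows are constructed for
illustration; real designs pick their own numbering.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed VLAN plan: one subnet per device class.
VLANS = {
    "users":    ip_network("10.10.10.0/24"),
    "finance":  ip_network("10.10.20.0/24"),
    "printers": ip_network("10.10.30.0/24"),
    "phones":   ip_network("10.10.40.0/24"),
}


@dataclass
class Rule:
    src: str      # source VLAN name
    dst: str      # destination VLAN name
    proto: str    # "tcp" or "udp"
    ports: range  # permitted destination ports


# Inter-VLAN allow-list. Anything not listed is dropped (implicit deny),
# which is what stops SMB/RDP lateral movement from the users VLAN into finance.
ACL: List[Rule] = [
    Rule("users",   "printers", "tcp", range(9100, 9101)),    # raw/JetDirect printing
    Rule("finance", "printers", "tcp", range(9100, 9101)),
    Rule("users",   "printers", "tcp", range(631, 632)),      # IPP printing
    Rule("finance", "printers", "tcp", range(631, 632)),
    Rule("users",   "phones",   "udp", range(16384, 32768)),  # RTP media to desk phones
    Rule("phones",  "users",    "udp", range(16384, 32768)),  # RTP media from desk phones
]


def vlan_of(ip: str) -> Optional[str]:
    """Map an address to its VLAN name, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def is_permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Return True if the flow is allowed across the inter-VLAN boundary.

    Traffic that stays inside one VLAN is switched locally and never reaches
    the inter-VLAN ACL, so it is reported as permitted here; restricting that
    would need private VLANs or host firewalls, which the question does not ask for.
    """
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(
        r.src == src and r.dst == dst and r.proto == proto and dport in r.ports
        for r in ACL
    )


# Constructed sample flows: (description, src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("user prints to office printer",    "10.10.10.5", "10.10.30.9", "tcp", 9100),
    ("user PC -> finance SMB (malware)", "10.10.10.5", "10.10.20.7", "tcp", 445),
    ("user PC -> finance RDP (malware)", "10.10.10.5", "10.10.20.7", "tcp", 3389),
    ("softphone RTP to desk phone",      "10.10.10.5", "10.10.40.3", "udp", 20000),
    ("printer -> finance (pivot)",       "10.10.30.9", "10.10.20.7", "tcp", 445),
]


def evaluate(flows=SAMPLE_FLOWS) -> List[Tuple[str, bool]]:
    """Evaluate each sample flow against the policy; True means permitted."""
    return [(desc, is_permitted(s, d, p, port)) for desc, s, d, p, port in flows]


if __name__ == "__main__":
    for desc, ok in evaluate():
        print(f"{'PERMIT' if ok else 'DENY  '}  {desc}")
```

The point of the model is the implicit deny at the end of `is_permitted`: every business flow has to be named explicitly, so a compromised user PC gets printing and voice but nothing into the finance VLAN, and a compromised printer cannot pivot anywhere.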

201
Multi-Select · hard

A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.

Select 2 answers
A. Isolate the scanners and kiosk terminal on a dedicated VLAN that allows only the required backend ports.
B. Place the devices on the user VLAN so patching and support tools can reach them easily.
C. Enforce kiosk mode or application allowlisting so only the approved application can run.
D. Allow USB storage so updates can be installed manually whenever needed.
E. Use local administrator accounts with shared passwords to reduce support calls.
Answers: A, C

A dedicated VLAN reduces exposure to user traffic and limits what the devices can reach if one is compromised. Allowing only the required backend ports enforces a narrow communication path and supports least privilege at the network layer. This is a practical compensating control for constrained endpoints that cannot run full enterprise security agents.

Why this answer

Option A is correct because isolating the barcode scanners and kiosk terminal on a dedicated VLAN with strict ACLs that permit only the required backend ports (e.g., TCP 443 for HTTPS or a specific application port) prevents lateral movement from infected devices and blocks unauthorized traffic, including USB-borne malware propagation. This network segmentation does not require endpoint agents or patching, preserving the devices' limited functionality while reducing the attack surface.

Exam trap

The trap here is that candidates often select 'Place the devices on the user VLAN' (Option B) thinking it simplifies management, but the exam expects you to recognize that unpatched, agentless devices must be isolated to prevent them from becoming a pivot point for lateral attacks.

202
MCQ · medium

Field technicians use company-owned tablets that also run approved personal apps. Security needs corporate email and documents isolated from personal data, selective wipe of only business content if a device is lost, and compliance checks before access is allowed. What should be deployed?

A. Full-disk encryption on the tablets with no additional device management.
B. Mobile device management with a work profile or container and conditional access.
C. A mobile VPN client with split tunneling enabled for user convenience.
D. An antivirus app with a blacklist of approved and unapproved mobile apps.
Answer: B

MDM with containerization separates corporate data from personal apps and supports selective wipe plus policy-based access checks.

Why this answer

Mobile device management (MDM) with a work profile or container (e.g., Android Work Profile or iOS Managed Open In) provides the required isolation between corporate and personal data. Conditional access enforces compliance checks (e.g., device health attestation, OS patch level) before granting access to corporate resources. This combination also enables selective wipe of only the work container without affecting personal apps or data, meeting the lost-device requirement.

Exam trap

The trap here is that candidates confuse full-disk encryption (which only protects data at rest) with the isolation and selective-wipe capabilities of a managed work profile, or they assume a VPN or antivirus alone can enforce data separation and compliance checks.

How to eliminate wrong answers

Option A is wrong because full-disk encryption protects data at rest but does not isolate corporate from personal data, nor does it support selective wipe or compliance-based access control. Option C is wrong because a mobile VPN with split tunneling only controls network routing for user convenience; it provides no data isolation, no selective wipe capability, and no compliance enforcement. Option D is wrong because an antivirus app with an app blacklist only blocks or allows specific applications; it cannot isolate corporate data, perform selective wipes, or enforce compliance checks before access.

203
Multi-Select · medium

A finance workflow currently lets one employee create a payment batch and approve it in the same session. Audit findings say the design increases fraud risk. Which two access architecture changes best reduce that risk while keeping the process functional? Select two.

Select 2 answers
A. Split the workflow into separate creator and approver roles.
B. Require the approver to be a different authenticated user before release.
C. Grant all finance users local administrator rights to speed up exception handling.
D. Store the payment password in a shared mailbox so the team can continue when someone is absent.
E. Remove approval steps entirely and rely on log reviews after payment runs.
Answers: A, B

Separating creator and approver responsibilities implements separation of duties and prevents one person from completing the full fraud-prone action alone. This preserves the workflow while requiring a second trusted person to review and approve the batch. It is a classic access architecture control for payment and procurement systems.

Why this answer

Option A is correct because implementing separation of duties (SoD) by splitting the payment batch creation and approval into distinct roles ensures that no single user can both create and approve a transaction. This directly mitigates the fraud risk identified in the audit by requiring collusion between two users to execute a fraudulent payment. The process remains functional because the workflow is simply reordered into two sequential steps performed by different users.

Exam trap

The trap here is that candidates may confuse 'functional efficiency' with 'security best practices' and incorrectly choose option C, thinking that local admin rights will speed up exception handling, when in fact it violates least privilege and separation of duties.
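Options A and B of question 203 are two distinct checks, and the second one matters even when roles are split: a user who legitimately holds both roles must still be prevented from approving a batch they created. The following is an added example, not part of the question bank, showing a separation-of-duties gate that enforces the role check and the different-user check, and re-checks at release time. The user names, role assignments and batch amounts are constructed sample data.

```python
"""Separation-of-duties gate for a payment batch.

Added example (not from the question bank): enforces the two changes from
question 203. A batch is created by one authenticated user and can only be
released after approval by a different authenticated user who holds the
approver role. User names, roles and batch values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class SoDViolation(Exception):
    """Raised when one person would complete both halves of the workflow."""


# Constructed role assignments; a real system reads these from the directory/IdP.
ROLES: Dict[str, Set[str]] = {
    "alice": {"batch_creator"},
    "bob":   {"batch_approver"},
    "carol": {"batch_creator", "batch_approver"},  # both roles, but never on the same batch
}


@dataclass
class PaymentBatch:
    batch_id: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None
    released: bool = False
    audit: List[str] = field(default_factory=list)  # who did what, for later review


def _require_role(user: str, role: str) -> None:
    if role not in ROLES.get(user, set()):
        raise PermissionError(f"{user} does not hold role {role}")


def create_batch(user: str, batch_id: str, amount: float) -> PaymentBatch:
    _require_role(user, "batch_creator")
    batch = PaymentBatch(batch_id, amount, created_by=user)
    batch.audit.append(f"created by {user}")
    return batch


def approve_batch(user: str, batch: PaymentBatch) -> PaymentBatch:
    _require_role(user, "batch_approver")
    if user == batch.created_by:
        # The core SoD check: holding the approver role is not enough;
        # the approver must be a different person from the creator.
        raise SoDViolation(f"{user} created batch {batch.batch_id} and cannot approve it")
    batch.approved_by = user
    batch.audit.append(f"approved by {user}")
    return batch


def release_batch(batch: PaymentBatch) -> PaymentBatch:
    # Re-check at release time so a later edit of the record cannot bypass the gate.
    if batch.approved_by is None or batch.approved_by == batch.created_by:
        raise SoDViolation(f"batch {batch.batch_id} lacks approval from a second user")
    batch.released = True
    batch.audit.append("released")
    return batch


def run_scenarios() -> Dict[str, bool]:
    """Exercise the gate with constructed users; True means the control behaved."""
    results: Dict[str, bool] = {}
    # Two different people: allowed.
    b1 = create_batch("alice", "B-1001", 12500.0)
    release_batch(approve_batch("bob", b1))
    results["two_person_release"] = b1.released
    # Same person holding both roles tries to self-approve: blocked.
    b2 = create_batch("carol", "B-1002", 800.0)
    try:
        approve_batch("carol", b2)
        results["self_approval_blocked"] = False
    except SoDViolation:
        results["self_approval_blocked"] = True
    # Creator without the approver role tries to approve: blocked by the role check.
    try:
        approve_batch("alice", b2)
        results["missing_role_blocked"] = False
    except PermissionError:
        results["missing_role_blocked"] = True
    # Release without any approval: blocked.
    try:
        release_batch(b2)
        results["unapproved_release_blocked"] = False
    except SoDViolation:
        results["unapproved_release_blocked"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The audit list on each batch is what the log-review idea in option E would give you on its own; here it records who created, approved and released, but the preventive gate, not the log, is what stops a single user from releasing money.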

204
MCQ · medium

A customer portal runs from a primary data center. Management wants the secondary site to take over within minutes if the primary site loses power, and the secondary site should already have current systems and data ready to serve users. Which design best fits this requirement?

A. A cold site with nightly backups stored offsite
B. A hot site with synchronized data replication and automated failover
C. RAID 0 across two storage arrays in the primary data center
D. A single backup server with larger disks and more memory
Answer: B

A hot site is already prepared to operate and can receive traffic quickly when the primary site fails. Synchronized replication keeps data current, and automated failover minimizes manual intervention and recovery time. This is the best match for a near-immediate continuity requirement.

Why this answer

A hot site with synchronized data replication and automated failover is the correct choice because it maintains an exact, real-time copy of systems and data at the secondary site. Synchronous replication ensures zero data loss (RPO=0), and automated failover enables the secondary site to become operational within minutes (RTO measured in minutes), meeting the requirement for immediate takeover after a power loss at the primary site.

Exam trap

The trap here is that candidates confuse a cold site with nightly backups as sufficient for rapid recovery, failing to recognize that the RTO of minutes requires pre-staged, synchronized systems and automated failover, not manual restoration from backups.

How to eliminate wrong answers

Option A is wrong because a cold site has no pre-installed hardware or current data; it requires manual setup and restoration from nightly backups, which takes hours or days, not minutes, and cannot achieve the required RTO. Option C is wrong because RAID 0 provides striping for performance but offers no fault tolerance; if either array fails, all data is lost, and it does not address site-level failover or power loss at the primary data center.

205
MCQ · medium

Sales representatives use company-managed smartphones for email, CRM, and document access. If a phone is lost, IT must remove only the corporate apps and work data without erasing the employee's personal photos and contacts. Which control should be used?

A. Perform a full factory reset remotely as soon as any device is reported lost.
B. Use selective wipe through a mobile device management platform.
C. Disable password complexity so the user can regain access more easily after replacement.
D. Install a VPN profile and assume corporate data is safe if the network traffic is encrypted.
Answer: B

Selective wipe removes managed corporate content while preserving the user's personal data on the same device.

Why this answer

Option B is correct because Mobile Device Management (MDM) platforms support selective wipe, which uses management APIs (e.g., Android Enterprise Work Profile or iOS Managed Open In) to remove only corporate apps, accounts, and data while leaving personal content intact. This satisfies the requirement to protect corporate data without infringing on the employee's personal privacy.

Exam trap

The trap here is that candidates often confuse full factory reset (option A) with selective wipe, assuming any remote wipe will suffice, but the exam specifically tests the distinction between wiping all data versus only corporate-managed data.

How to eliminate wrong answers

Option A is wrong because a full factory reset erases all data on the device, including personal photos and contacts, which violates the requirement to preserve personal data. Option C is wrong because disabling password complexity weakens device security and does not address the need to selectively remove corporate data; it also does not help regain access after replacement. Option D is wrong because installing a VPN profile only encrypts network traffic in transit and does not provide any mechanism to remotely remove corporate data from a lost device.

206
Multi-Select · easy

Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.

Select 2 answers
A. Mobile device management with a work profile or container for corporate data.
B. Selective remote wipe of only the managed corporate container.
C. Allow users to install any app if they promise not to open work files.
D. Store corporate files in the personal photo gallery for easier backup.
E. Disable screen locks so users can access business apps faster.
Answers: A, B

A managed work profile or container separates business content from personal apps and files. This is a standard mobile security approach when one device must support both corporate and personal use.

Why this answer

Option A is correct because Mobile Device Management (MDM) with a work profile or container creates a separate, encrypted partition on the device for corporate data. This container enforces policies (e.g., app whitelisting, VPN) and isolates business apps from personal apps, ensuring that company data remains protected even if the personal side is compromised.

Exam trap

The trap here is that candidates may confuse 'selective wipe' with a full device wipe, or assume that user promises (Option C) or convenience features (Option E) are acceptable security controls, when only containerization and managed wipe satisfy the separation and selective wipe requirements.

207
Multi-Select · easy

A small company is deploying a public web application with a front-end server, an application server, and a database. Which two design choices best reduce exposure of the backend systems? Select two.

Select 2 answers
A. Place the web server in a DMZ that is reachable from the internet.
B. Put the database on the same subnet as the web server for faster communication.
C. Place the database on an internal subnet that is not directly reachable from the internet.
D. Allow every tier to communicate freely to simplify troubleshooting.
E. Use one flat VLAN for all three servers and rely on strong passwords.
Answers: A, C

The web server is the system that must face external traffic, so placing it in a DMZ keeps it separate from internal resources. This limits the damage if the public server is compromised.

Why this answer

Option A is correct because placing the web server in a DMZ (demilitarized zone) allows it to be reachable from the internet while isolating it from the internal network. This design ensures that even if the web server is compromised, an attacker cannot directly access the application server or database, as traffic must pass through a firewall with strict rules. The DMZ acts as a buffer zone, reducing the attack surface of backend systems.

Exam trap

CompTIA often tests the misconception that placing all servers in a single VLAN with strong passwords is sufficient security, but the trap here is that network segmentation (DMZ and internal subnets) is essential to limit lateral movement, and passwords alone cannot stop an attacker who exploits a vulnerability in the web server.

208
MCQ · medium

A development team is moving a regulated application to a cloud platform. The security architect wants the strongest practical separation from other customers without buying and operating physical servers. Which hosting option is most appropriate?

A. A shared multi-tenant environment with no additional security configuration.
B. A dedicated host or isolated compute offering from the cloud provider.
C. Any public object storage service because the data will be encrypted by default.
D. A remote desktop service on the cheapest shared instance available.
Answer: B

A dedicated or isolated compute option provides stronger separation from other tenants while avoiding the need to manage physical hardware directly. It is a common architecture choice for regulated workloads that need enhanced tenant isolation, clearer placement controls, and a stronger compliance story than a standard shared environment.

Why this answer

A dedicated host or isolated compute offering (option B) provides the strongest practical separation because it ensures the application runs on a physical server dedicated solely to that customer, preventing any resource sharing or potential side-channel attacks from other tenants. This meets the regulatory requirement for strong isolation without the cost and operational overhead of purchasing and managing physical servers on-premises.

Exam trap

The trap here is that candidates often confuse 'dedicated host' with 'dedicated instance' or assume a shared multi-tenant environment can be secured solely with encryption, overlooking the need for physical isolation in regulated workloads.

How to eliminate wrong answers

Option A is wrong because a shared multi-tenant environment with no additional security configuration offers weak isolation, as other customers' virtual machines may run on the same hypervisor, increasing the risk of data exposure or side-channel attacks. Option C is wrong because public object storage services are not a compute hosting option; they are for storing data, not running applications, and encryption by default does not address the need for compute-level separation. Option D is wrong because a remote desktop service on the cheapest shared instance provides no dedicated hardware or strong isolation, and the instance is still shared with other tenants, failing to meet the required separation.

209
MCQ · medium

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

A. Establish SAML federation so the SaaS app trusts the corporate identity provider.
B. Enable password synchronization so the SaaS app stores the same password as the directory.
C. Create a shared local administrator account for all subsidiary users.
D. Configure MAC address filtering on company laptops to allow portal access.
Answer: A

Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.

Why this answer

SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.

Exam trap

The trap here is that candidates confuse password synchronization (a legacy or on-premises approach) with federation (SAML), thinking that syncing passwords achieves the same 'trust' without realizing it requires the SaaS app to handle credentials directly, which is less secure and not true federation.

How to eliminate wrong answers

Option B is wrong because password synchronization replicates the password hash to the SaaS app, which still requires the app to store and manage credentials, violating the principle of federated trust and increasing the attack surface. Option C is wrong because creating a shared local administrator account violates the principle of least privilege and non-repudiation, as it cannot tie actions to individual users and poses a massive security risk. Option D is wrong because MAC address filtering is a network access control mechanism that restricts which devices can connect to the network; it does not provide identity-based authentication or trust between the SaaS app and the corporate IdP.

210
MCQ · medium

Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration?

Exhibit:
Device group: Sales-Laptops
Baseline check:
- Approved browser: installed
- Approved EDR: installed
- Unapproved remote admin tool: detected on 14 endpoints
- Local administrator rights: granted to all users in group
- Patch compliance: 68%

Management wants to prevent unauthorized software from running and keep future builds consistent.

A. Deploy application allowlisting through centralized endpoint management and remove local administrator rights.
B. Keep users as local admins but require stronger email passwords for better overall security.
C. Disable the EDR agent during software installs to avoid false alerts from approved apps.
D. Store approved installers on a shared drive and let users choose what to install.
Answer: A

Application allowlisting is the best fit because it prevents unapproved tools from executing even if they are present on a device. Removing local administrator rights also reduces the chance that users can install or alter software outside the baseline. Combined, these controls support consistent endpoint hardening and make it much harder for risky utilities to appear across the fleet.

Why this answer

Option A is correct because application allowlisting (via AppLocker or Windows Defender Application Control) centrally enforces which software can run, directly addressing the unsanctioned remote admin tool. Removing local administrator rights prevents users from bypassing the allowlist or making unauthorized configuration changes, ensuring consistent endpoint builds and improving patch compliance by limiting user-driven modifications.

Exam trap

The trap here is that candidates may think removing admin rights alone is sufficient, but without application allowlisting, users can still run unapproved software from writable directories like AppData or Temp, so both controls are needed together.

How to eliminate wrong answers

Option B is wrong because keeping users as local admins perpetuates the root cause of unsanctioned software installation and inconsistent configurations, and stronger email passwords do not prevent unauthorized software execution. Option C is wrong because disabling the EDR agent during installs would allow malicious software to run undetected, violating the requirement to prevent unauthorized software and undermining endpoint security. Option D is wrong because storing installers on a shared drive and letting users choose what to install does not enforce any control over software execution, failing to prevent unsanctioned software and leading to inconsistent configurations.

211
MCQ · medium

Employees sign in once to the corporate portal and then open email, the ticketing system, and an HR application without entering credentials again. The external SaaS providers should trust the company's identity provider rather than creating separate user databases. What architecture is being used?

A. Local authentication on each application with synchronized passwords
B. Federation with single sign-on using the corporate identity provider
C. Network access control using 802.1X authentication
D. Role-based access control on the file server
Answer: B

Federation allows one organization to trust authentication performed by another identity provider. When combined with single sign-on, the user signs in once and then accesses multiple applications without repeated logins. This is exactly what the scenario describes, especially across separate SaaS services.

Why this answer

This scenario describes federation with single sign-on (SSO), where the corporate identity provider (IdP) authenticates the user once and issues a security token (e.g., SAML assertion or OIDC token) that external SaaS providers trust. This eliminates the need for separate user databases in each application and allows seamless access across multiple services without re-entering credentials.

Exam trap

The trap here is that candidates confuse 'single sign-on' with 'synchronized passwords' (Option A) or think that any centralized authentication mechanism (like 802.1X) can replace federated identity for external SaaS trust.

How to eliminate wrong answers

Option A is wrong because local authentication with synchronized passwords still requires each application to maintain its own user database and credential verification, which does not achieve the 'trust the company's identity provider' requirement and introduces password synchronization complexity. Option C is wrong because 802.1X network access control is a port-based authentication mechanism for network access (e.g., wired or Wi-Fi), not for web application SSO or federated identity across SaaS providers. Option D is wrong because role-based access control (RBAC) on the file server governs authorization (what a user can do) after authentication, not the authentication architecture or federated trust between an IdP and external applications.

212
Multi-Select · easy

A customer portal must stay online if one application server fails. Which two design choices improve availability? Select two.

Select 2 answers
A. Use load balancing across multiple application servers.
B. Add a redundant standby server or failover target.
C. Store the application logs on a larger disk.
D. Increase the password length requirement for portal users.
E. Place all traffic on a single high-performance server.
Answers: A, B

Load balancing spreads traffic across more than one server, so the portal can keep working if one node becomes unavailable. It is one of the most common availability designs for web applications.

Why this answer

Option A is correct because load balancing distributes incoming traffic across multiple application servers. If one server fails, the load balancer automatically redirects traffic to the remaining healthy servers, ensuring the portal remains online. This design eliminates a single point of failure and provides fault tolerance through redundancy.

Exam trap

The trap here is that candidates confuse improving storage capacity (a scalability or performance concern) with improving availability, which requires redundancy and failover mechanisms, not just more resources.

213
MCQ · medium

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

A. Security Information and Event Management (SIEM)
B. Security Orchestration, Automation, and Response (SOAR)
C. Endpoint Detection and Response (EDR)
D. Cloud Access Security Broker (CASB)
Answer: B

SOAR platforms are built to orchestrate workflows, automate repetitive tasks, and respond to incidents without human intervention. This directly addresses the need described in the scenario.

Why this answer

SOAR is the correct choice because it is specifically designed to automate response actions to common security incidents, such as blocking an IP address via firewall APIs or isolating an endpoint through EDR integration, without requiring human intervention. This directly addresses the SOC analyst's alert fatigue by enabling playbook-driven, automated remediation.

Exam trap

The trap here is that candidates confuse SIEM's alerting capability with automated response, forgetting that SIEMs require a separate SOAR or custom scripting to perform actions, while SOAR is the dedicated solution for orchestrated, automated remediation.

How to eliminate wrong answers

Option A is wrong because a SIEM is primarily a log aggregation and correlation platform that generates alerts but does not natively execute automated response actions; it lacks the orchestration and playbook execution capabilities to block IPs or isolate endpoints without additional tools. Option C is wrong because EDR focuses on monitoring and detecting threats on endpoints, and while it can perform automated actions like isolating a host, it does not orchestrate multi-system responses (e.g., updating a firewall and ticketing system) across the entire security stack, which is the core requirement for automated response to common threats.

214
MCQ (medium)

Based on the exhibit, which control should be enabled so corporate data stays separated from personal data on company-owned tablets?

A. Perform a full-device wipe any time a tablet is lost or reassigned.
B. Deploy mobile threat defense scanning on every tablet.
C. Enable a work profile or container with selective wipe for corporate data.
D. Disable Bluetooth and the camera on all tablets to stop data leakage.
Answer: C

A work profile separates business apps and data from personal content and allows targeted removal of corporate data only.

Why this answer

Option C is correct because a work profile or container (e.g., Android Work Profile or iOS Managed Open In) creates a separate, encrypted partition for corporate data on the device. This allows IT to perform a selective wipe of only the corporate data without affecting the user's personal apps, photos, or settings, ensuring data separation while preserving user privacy.

Exam trap

The trap here is that candidates confuse security controls like full-device wipe or threat scanning with data separation mechanisms, failing to recognize that only containerization or work profiles provide the granular isolation needed to keep corporate and personal data separate on the same device.

How to eliminate wrong answers

Option A is wrong because performing a full-device wipe on loss or reassignment destroys both corporate and personal data, violating the requirement to keep corporate data separated from personal data; it does not enable ongoing separation. Option B is wrong because mobile threat defense scanning detects malware or suspicious activity but does not isolate corporate data into a separate container; it provides security monitoring, not data separation. Option D is wrong because disabling Bluetooth and the camera reduces data leakage vectors but does not create any logical separation between corporate and personal data; it is a restrictive control that does not address the core requirement of maintaining separate data stores.

215
Multi-Select (medium)

An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)

Select 3 answers
A. Ensuring consistent identity and access management across on-premises and cloud environments.
B. Using a shared secret for all cloud API calls to simplify authentication.
C. Implementing a secure VPN or dedicated connection for data in transit between environments.
D. Storing encryption keys for cloud data in the same cloud tenant for convenience.
E. Establishing a clear shared responsibility model for security between the organization and the cloud provider.
F. Disabling all logging in the cloud to reduce storage costs.

Why this answer

Ensuring consistent identity and access management (IAM) across on-premises and cloud environments is critical because it prevents privilege escalation and unauthorized access. In a hybrid cloud, a unified IAM system (e.g., using Active Directory Federation Services or Azure AD Connect) enforces the same policies, roles, and multi-factor authentication for all resources, eliminating blind spots. Without this, attackers could exploit inconsistent permissions to move laterally between environments.

Exam trap

The trap here is that candidates often confuse 'convenience' with 'security' and select the shared secret or same-tenant key storage options, failing to recognize that these violate fundamental security principles like separation of duties and defense in depth.

216
MCQ (medium)

Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media?

Exhibit: UEFI Setup
- Secure Boot: Disabled
- Boot order: USB, External NIC, Internal SSD
- Firmware admin password: Not configured
- BitLocker status: Enabled

Incident note: A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.

A. Enable Secure Boot and change the firmware boot order so only the internal SSD is allowed first.
B. Extend the Windows login timeout so users have more time to notice suspicious activity.
C. Turn off BitLocker so recovery tools can boot without errors.
D. Install a host firewall rule to block USB storage devices from the network.
Answer: A

This is the best control because Secure Boot validates that the bootloader is trusted, and restricting the boot order reduces the chance of booting from unapproved removable media. Together, these changes stop many pre-boot attacks and unauthorized recovery tools before the operating system starts. BitLocker helps protect data at rest, but it does not by itself prevent booting alternate media.

Why this answer

Enabling Secure Boot ensures that only signed, trusted firmware and bootloaders can execute, preventing unauthorized tools like USB recovery sticks from loading. Changing the boot order to prioritize the internal SSD over USB media stops the system from even attempting to boot from external devices, directly addressing the incident where the laptop bypassed corporate login via a USB stick.

Exam trap

CompTIA often tests the misconception that host firewall rules can control local device access, but firewalls operate at the network layer and cannot block USB storage devices, which are managed by hardware or OS-level policies.

How to eliminate wrong answers

Option B is wrong because extending the Windows login timeout does not prevent booting from external media; it only affects the login screen after the OS has already loaded, leaving the boot process vulnerable. Option C is wrong because turning off BitLocker would actually make it easier for unauthorized tools to boot and access data, as BitLocker protects against offline attacks and does not cause boot errors for legitimate recovery tools when properly configured. Option D is wrong because a host firewall rule blocks network traffic, not local USB storage devices; USB storage is controlled by hardware policies or Group Policy, not firewall rules.

217
MCQ (medium)

A manufacturer wants to give partner-company users access to a procurement portal. The partner wants to authenticate its own users, and the manufacturer does not want to create separate local passwords for them. What is the best solution?

A. Create shared portal accounts and distribute credentials to the partner's staff.
B. Federate access with the partner's identity provider and map claims or attributes to portal roles.
C. Issue one VPN account for the partner organization and let them share it internally.
D. Require each partner user to create a password directly in the procurement portal.
Answer: B

Federation lets the partner authenticate its own users while the manufacturer trusts identity assertions from the partner identity provider. Claims or attributes can then be mapped to portal roles so access stays controlled without local password management. This is a strong fit for business-to-business access because it preserves administrative separation while still supporting centralized authorization decisions in the portal.

Why this answer

Federation with the partner's identity provider (IdP) using standards like SAML 2.0 or OIDC allows the partner to authenticate their own users while the manufacturer's portal trusts those assertions. Claims or attributes from the IdP (e.g., group membership) are mapped to portal roles, eliminating the need for local passwords and enabling single sign-on (SSO). This is the best solution because it maintains security boundaries and offloads authentication management to the partner.

Exam trap

The trap here is that candidates confuse federation with simple shared accounts or VPN-based access, failing to recognize that federation is the only option that delegates authentication to the partner while preserving individual accountability and eliminating local password management.

How to eliminate wrong answers

Option A is wrong because shared portal accounts violate the principle of least privilege and non-repudiation—multiple users sharing one set of credentials makes auditing impossible and increases the risk of credential leakage. Option C is wrong because a single VPN account shared internally provides no individual accountability, bypasses proper access controls, and does not solve the authentication delegation requirement; it also introduces a VPN dependency that is unnecessary for a web-based procurement portal.

218
Multi-Select (easy)

A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.

Select 2 answers
A. Require a VPN before allowing access to the management network.
B. Use SSH for command-line administration instead of Telnet.
C. Expose the switch web interface directly on a public IP address.
D. Use FTP to transfer configuration files because it is simple.
E. Send management passwords by email to approved admins.
Answers: A, B

A VPN creates a protected path into the management network without opening switch admin ports to the public internet. It also lets the organization control who can connect before management access is granted.

Why this answer

Requiring a VPN before allowing access to the management network ensures that all management traffic is encrypted and authenticated over the internet, effectively creating a secure tunnel that protects switch management interfaces from direct exposure. This control aligns with the principle of defense in depth by adding a layer of network segmentation and access control, preventing unauthorized external access to the switches.

Exam trap

The trap here is that candidates often confuse 'secure protocol' (SSH) with 'secure access method' (VPN), mistakenly thinking that using SSH alone is sufficient to protect management interfaces from internet exposure, when in fact SSH only encrypts the session but does not prevent the port from being reachable by attackers.

219
MCQ (medium)

Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process?

Exhibit: Payroll application roles
- HR-Editor: can update employee records
- Payroll-Approver: can release payment batches
- Audit-Reader: can view reports only

Current assignment: User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end." Management wants to reduce the chance of one person creating and approving a fraudulent payment.

A. Keep both roles assigned but require a manager to review the batch after payment completes.
B. Split duties so record updates and payment approval require separate roles or separate accounts.
C. Remove the audit role and let payroll staff self-review their own work to save time.
D. Use a single shared payroll account so the workflow never pauses for approvals.
Answer: B

This is the best design because it enforces separation of duties, which directly reduces fraud risk. The same person should not be able to create a payment and approve it without independent review. Separate roles or accounts preserve workflow continuity while making collusion or abuse harder, and they provide a cleaner audit trail for accountability.

Why this answer

Option B is correct because it enforces separation of duties (SoD) by ensuring that no single user can both create and approve a payment. Splitting the HR-Editor and Payroll-Approver roles into separate accounts or requiring separate users for record updates and payment approval directly mitigates the fraud risk of a single insider creating a fake employee record and then approving a fraudulent payment batch. This aligns with the principle of least privilege and the NIST SP 800-53 AC-5 control for separation of duties, without halting the payroll workflow.

Exam trap

The trap here is that candidates may choose a detective control (like post-payment review) thinking it reduces risk, but the question specifically asks for a change that 'best reduces fraud risk' without stopping the process, and only a preventive control like separation of duties directly addresses the root cause of the conflict of interest.

How to eliminate wrong answers

Option A is wrong because requiring a manager to review the batch after payment completes is a detective control, not a preventive one; fraud could already occur before the review, and the review may be missed or bypassed. Option C is wrong because removing the audit role and letting payroll staff self-review eliminates independent oversight, increasing fraud risk rather than reducing it. Option D is wrong because using a single shared payroll account removes all individual accountability and audit trails, making it impossible to attribute actions to a specific user and actually increasing fraud risk.

220
MCQ (medium)

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

A. Trusted Platform Module (TPM)
B. Hardware Security Module (HSM)
C. Secure enclave (e.g., Intel SGX)
D. UEFI Secure Boot
Answer: C

A secure enclave, such as Intel Software Guard Extensions (SGX), creates hardware-enforced encrypted regions of memory that protect code and data from access by the host OS, hypervisor, or other processes, even if those lower layers are compromised.

Why this answer

Secure enclave technology, such as Intel SGX, provides hardware-enforced isolation by creating trusted execution environments (TEEs) within the CPU. Code and data inside an enclave are encrypted in memory and decrypted only within the processor, ensuring that even a compromised hypervisor or host OS cannot access the transaction data during runtime. This meets the requirement for processor and memory isolation in a shared cloud environment.

Exam trap

The trap here is that candidates often confuse a TPM or HSM with runtime memory isolation, but those technologies focus on storage and cryptographic operations, not on protecting code and data during active execution in a compromised hypervisor environment.

How to eliminate wrong answers

Option A is wrong because a Trusted Platform Module (TPM) is a hardware chip that stores cryptographic keys and performs attestation, but it does not isolate runtime code and data in memory; it secures boot and storage, not active processing. Option B is wrong because a Hardware Security Module (HSM) is a dedicated device for managing cryptographic keys and performing cryptographic operations, but it does not isolate the processor and memory of a running application from the host OS or hypervisor. Option D is wrong because UEFI Secure Boot ensures that only signed firmware and bootloaders execute during startup, but it provides no runtime isolation for code and data after the OS has loaded.

221
Multi-Select (medium)

A finance portal lets one employee create a payment batch and approve it without review. Management wants to reduce fraud risk while keeping the workflow functional. Which two changes best achieve that goal? Select two.

Select 2 answers
A. Separate the create and approve functions into different roles or groups.
B. Require an independent approval step from a different account or manager before release.
C. Give the same user broader administrative access to avoid delays.
D. Allow the same role to perform both actions but log the activity after the fact.
E. Remove authentication so the process is faster.
Answers: A, B

Splitting duties prevents one person from both initiating and authorizing the same financial action. This is a classic role-based control that limits fraud opportunities without removing the workflow itself.

Why this answer

Option A is correct because it enforces separation of duties, a fundamental internal control that prevents a single user from both creating and approving a payment batch. By assigning the create and approve functions to different roles or groups, the organization ensures no single individual can complete a fraudulent transaction without collusion. This directly reduces fraud risk while maintaining workflow functionality by requiring two distinct actors.

Exam trap

The trap here is that candidates may mistakenly think broader administrative access streamlines workflow, but CompTIA emphasizes that separation of duties and independent approval are the correct controls to reduce fraud without sacrificing functionality.
