CCNA Cc Access Controls Questions

75 of 110 questions · Page 1/2 · Cc Access Controls topic · Answers revealed

1. MCQ · medium

Which of the following is the primary purpose of a visitor log and escort policy?

A. To enforce least privilege for employees
B. To provide a record of visitor access and ensure they are supervised
C. To authenticate visitors using biometrics
D. To prevent visitors from accessing the internet

Answer: B

Visitor logs and escorts track and control visitor movement.

Why this answer

Visitor management controls physical access and ensures visitors are monitored.

2. MCQ · easy

A security administrator is configuring access rights for a new employee. Which principle ensures the employee is granted only the minimum permissions necessary to perform their job duties?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Defense in depth

Answer: A

Least privilege grants only the minimum permissions needed for job functions.

Why this answer

Least privilege means granting only the minimum permissions needed, reducing the blast radius of account compromise.

3. Multi-Select · hard

According to NIST SP 800-63 recommendations for password policies, which THREE practices are recommended? (Select THREE.)

Select 3 answers
A. Allow users to paste passwords to facilitate password manager use
B. Check passwords against known breached password lists
C. Require complex combinations of uppercase, lowercase, numbers, and symbols
D. Require frequent password changes every 30 days
E. Require a minimum length of 8 characters for most accounts

Answers: A, B, E

This supports use of password managers, which generate strong passwords.

Why this answer

NIST SP 800-63 recommends checking passwords against breached lists, setting minimum length (8+ characters, 15+ for high assurance), and avoiding frequent forced changes unless compromised.

4. MCQ · medium

According to NIST SP 800-63, which password policy is most recommended?

A. Allow short passwords but require numbers and symbols
B. Use complex passwords with special characters and minimal length
C. Enforce a minimum length of 8 characters and check against breached password lists
D. Require frequent password changes every 30 days

Answer: C

Length and breach checking align with NIST recommendations.

Why this answer

NIST SP 800-63 emphasizes password length over complexity and discourages frequent mandatory changes.

5. MCQ · medium

In Active Directory, a GPO is used to enforce a policy that automatically locks user sessions after 15 minutes of inactivity. This is an example of which type of access control?

A. Detective access control
B. Physical access control
C. Administrative access control
D. Logical access control

Answer: D

Session timeouts are logical controls enforced by the OS.

Why this answer

Session timeouts are logical access controls that reduce risk of unauthorized access from unattended workstations.

6. MCQ · medium

A security analyst notices multiple failed login attempts from a single IP address within a short period. Which control would best mitigate this brute force attack?

A. Account lockout
B. Session timeout
C. Password complexity
D. Least privilege

Answer: A

Correct. Account lockout triggers after a set number of failures.

Why this answer

Account lockout disables an account after a threshold of failed attempts, thwarting brute force attacks.

7. Multi-Select · hard

An organization wants to implement defense in depth for its server room. Which THREE controls should be included?

Select 3 answers
A. Cable locks on all servers
B. Group Policy to enforce password complexity
C. Visitor sign-in log at the front desk
D. CCTV monitoring inside the server room
E. Biometric access control on the server room door

Answers: A, D, E

Cable locks prevent physical theft of equipment.

Why this answer

Defense in depth uses multiple overlapping controls. These three represent different layers.

8. MCQ · easy

Which access control principle restricts access to data based on the user's job role and tasks?

A. Separation of duties
B. Need to know
C. Defense in depth
D. Least privilege

Answer: B

Correct. Need-to-know ensures users only access data required for their job.

Why this answer

Need-to-know restricts access to data to what is necessary for job tasks; it is distinct from least privilege, which focuses on the level of permissions granted.

9. MCQ · medium

An organisation implements an account lockout policy that locks an account after 5 failed login attempts within 15 minutes. This control is designed to prevent:

A. Denial-of-service attacks
B. Brute-force attacks
C. Man-in-the-middle attacks
D. Phishing attacks

Answer: B

Lockout stops repeated guessing attempts.

Why this answer

Account lockout mitigates brute-force password guessing attacks.

10. Multi-Select · hard

An organization is designing a privileged access management (PAM) solution. Which THREE of the following are best practices for managing privileged accounts? (Select three.)

Select 3 answers
A. Sharing the root password among all administrators for convenience
B. Storing privileged passwords in an unencrypted text file
C. Applying the principle of least privilege to admin accounts
D. Using separate administrative accounts for daily tasks and privileged tasks
E. Implementing session recording and monitoring of privileged activities

Answers: C, D, E

Admins should only have permissions necessary for their role.

Why this answer

PAM best practices include using separate admin accounts, monitoring privileged sessions, and applying least privilege. Sharing passwords and storing them in plaintext are security risks.

11. MCQ · hard

An employee is assigned a user account with read-only access to the sales database. However, the employee's job requires viewing only customer contact information, not sales figures. Which access control principle is being violated?

A. Defense in depth
B. Least privilege
C. Separation of duties
D. Need-to-know

Answer: D

Even with read-only access, the employee should only access data required for their role.

Why this answer

Need-to-know restricts access to only the data necessary for job functions, separate from the permissions level (least privilege). Here, the employee has permissions to read data they do not need.

12. MCQ · easy

Which of the following is an example of a logical access control?

A. Security guard at entrance
B. Visitor logbook
C. Fence around building
D. Password complexity policy

Answer: D

Password policies enforce logical controls.

Why this answer

Logical access controls are technology-based mechanisms like passwords, biometrics, and ACLs.

13. MCQ · easy

In the identification and authentication process, which step occurs first?

A. Accounting
B. Identification
C. Authentication
D. Authorization

Answer: B

Identification is the first step, such as entering a username.

Why this answer

Identification is the claim of identity (e.g., username) before authentication proves it.

14. MCQ · easy

What is the process of claiming an identity called?

A. Authentication
B. Authorization
C. Accountability
D. Identification

Answer: D

Identification is the claim of identity.

Why this answer

Identification is the act of claiming an identity, such as providing a username.

15. MCQ · medium

A system administrator has an account with full administrative privileges. To reduce risk, the organization implements a policy requiring the admin to use a separate, non-privileged account for daily tasks like email and web browsing. This practice aligns with which principle?

A. Separation of duties
B. Need-to-know
C. Least privilege
D. Defense in depth

Answer: C

Using a separate daily account with limited privileges embodies least privilege for admins.

Why this answer

Least privilege for administrators means using a separate admin account only when needed, limiting exposure of high-privilege credentials.

16. MCQ · easy

Which access control principle ensures that a user is granted only the minimum permissions necessary to perform their job functions?

A. Least privilege
B. Need-to-know
C. Defense in depth
D. Separation of duties

Answer: A

Least privilege grants the minimum permissions required to perform a role.

Why this answer

Least privilege limits permissions to reduce the potential damage from accidents or attacks.

17. MCQ · hard

An organization's password policy requires passwords to be at least 8 characters long and prohibits common passwords found in breach databases. This policy aligns with which guideline?

A. COBIT
B. ISO 27001
C. NIST SP 800-63
D. PCI DSS

Answer: C

NIST SP 800-63 recommends length over complexity and breach checking.

Why this answer

NIST SP 800-63 recommends favoring length over complexity, a minimum of 8 characters, and checking passwords against known breached lists.

18. Multi-Select · hard

An organization is implementing a visitor management policy. Which THREE should be included? (Select THREE.)

Select 3 answers
A. Background checks for all visitors
B. Issuance of temporary visitor badges
C. Visitor sign-in with host notification
D. Escort policy requiring visitors to be accompanied
E. Biometric authentication for visitors

Answers: B, C, D

Badges identify visitors and distinguish them from employees.

Why this answer

Visitor management typically includes sign-in, escort policies, and visitor badges to track and control visitor access.

19. MCQ · hard

An LDAP distinguished name is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. What does OU represent?

A. Organization Unit
B. Object Unit
C. Operating Unit
D. Organizational Unit

Answer: D

OU is the standard abbreviation for Organizational Unit.

Why this answer

OU stands for Organizational Unit, a container within a directory tree.

20. MCQ · easy

Which of the following is an example of a logical access control?

A. A password policy
B. A fence around a building
C. A security guard
D. A biometric reader on a door

Answer: A

Password policy governs logical access to systems.

Why this answer

Logical access controls are software-based mechanisms that regulate access to systems or data.

21. MCQ · easy

Which of the following is a recommended practice for administrative accounts?

A. Use the same account for daily work and admin tasks
B. Grant admin rights to all users for convenience
C. Use a separate admin account distinct from daily use account
D. Disable all admin accounts to improve security

Answer: C

Separating the admin account from the daily-use account reduces exposure of privileged credentials.

Why this answer

Admins should have a separate account for privileged tasks to reduce risk.

22. MCQ · medium

According to NIST SP 800-63, which password policy is recommended to enhance security?

A. Allow passwords as short as 4 characters
B. Enforce maximum complexity with special characters and numbers
C. Require frequent password changes every 30 days
D. Favor length over complexity and check against breached password lists

Answer: D

Length and breach checking are recommended by NIST.

Why this answer

NIST SP 800-63 recommends favoring long passwords over complex ones and avoiding frequent forced changes.

23. MCQ · easy

A company requires that financial transactions be approved by two different managers before execution. This is an example of which access control principle?

A. Need-to-know
B. Defense in depth
C. Least privilege
D. Separation of duties

Answer: D

Correct. Separation of duties prevents fraud by requiring multiple approvals.

Why this answer

Separation of duties ensures no single individual can complete a high-risk action alone.

24. MCQ · hard

An organization implements a policy requiring employees to use a separate administrator account for privileged tasks and a different account for daily activities. Which principle does this support?

A. Separation of duties
B. Least privilege
C. Defense in depth
D. Need-to-know

Answer: B

Using separate admin accounts limits privileges to only what's needed for admin tasks.

Why this answer

Least privilege for administrators reduces the risk from compromised daily accounts.

25. Multi-Select · hard

An organization is designing a defense-in-depth strategy for physical security. Which of the following are examples of layered physical controls? (Choose THREE.)

Select 3 answers
A. Fencing and bollards around the property
B. Biometric reader on server room door
C. Encryption of data at rest
E. Access badge system at building entrance

Answers: A, B, E

Fencing and bollards are an external perimeter control.

Why this answer

Defense in depth uses multiple layers: perimeter, building, room, and equipment controls.

26. Multi-Select · hard

A security architect is designing an access control policy based on the principle of need-to-know. Which TWO practices support this principle? (Select TWO.)

Select 2 answers
A. Implementing data classification labels
B. Using a single sign-on solution
D. Granting all employees access to the company directory
E. Providing access to customer data only for customer support staff

Answers: A, E

Labels help determine who needs access.

Why this answer

Need-to-know means only accessing data necessary for job functions. Data classification and role-based access help enforce this.

27. Multi-Select · medium

Which TWO of the following correctly describe components of a directory service distinguished name (DN) in LDAP? (Select two.)

Select 2 answers
A. OU=Sales
B. UID=jsmith
C. SN=Smith
D. GID=1234
E. CN=John Smith

Answers: A, E

OU (Organizational Unit) is a valid DN component.

Why this answer

In LDAP, a distinguished name uses CN (Common Name), OU (Organizational Unit), and DC (Domain Component). CN=John Smith and OU=Sales are valid components.

28. MCQ · hard

An LDAP distinguished name is written as: CN=John Smith,OU=Sales,DC=company,DC=com. What do the 'OU' and 'DC' components represent?

A. OU = Organizational Unit; DC = Domain Component
B. OU = Organizational Unit; DC = Domain Controller
C. OU = Organizational Unit; DC = Distinguished Component
D. OU = Object Unit; DC = Domain Component

Answer: A

Correct.

Why this answer

OU = Organizational Unit, DC = Domain Component.

29. MCQ · medium

Which of the following is an example of a logical access control?

A. Biometric reader on a server room door
B. Fencing around a building
C. Password policy requiring 8 characters
D. Security guards

Answer: C

Correct. Password policies are logical controls.

Why this answer

A password is a logical (software-based) control that authenticates users.

30. MCQ · hard

A security auditor discovers that a user's account has been granted full access to all financial databases, even though the user only needs to view quarterly reports. Which access control principle has been violated most directly?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Defense in depth

Answer: A

The user has more permissions than needed, violating least privilege.

Why this answer

Least privilege requires granting only the minimum permissions necessary to perform job functions.

31. MCQ · hard

A Privileged Access Management (PAM) solution is used to:

A. Control and monitor privileged accounts and sessions
B. Encrypt data at rest
C. Manage user passwords and enforce complexity
D. Provide single sign-on for all applications

Answer: A

PAM focuses on privileged accounts with elevated rights.

Why this answer

PAM solutions control, monitor, and audit privileged access to critical systems.

32. MCQ · hard

An organization uses a layered security approach: perimeter fencing, access badge readers at building entrances, biometric scanners in server rooms, and cable locks on laptops. This strategy best exemplifies which access control concept?

A. Need-to-know
B. Defense in depth
C. Least privilege
D. Separation of duties

Answer: B

Multiple overlapping physical controls create defense in depth.

Why this answer

Defense in depth employs multiple, overlapping layers of security controls to protect assets; if one layer fails, others still provide protection.

33. MCQ · medium

An organization requires that financial transactions over $10,000 be approved by two different managers. This is an example of which access control principle?

A. Separation of duties
B. Defense in depth
C. Need to know
D. Least privilege

Answer: A

Correct. This requirement enforces separation of duties.

Why this answer

Separation of duties ensures that no single individual has complete control over a critical action, reducing the risk of fraud or error.

34. MCQ · easy

Which of the following is an example of a logical access control?

A. Password policies
B. Security guards
C. Perimeter fencing
D. Biometric reader on server room door

Answer: A

Passwords are logical controls that authenticate users.

Why this answer

Logical access controls are technology-based mechanisms that restrict access to systems and data, such as passwords.

35. Multi-Select · easy

Which TWO are examples of logical access controls? (Select TWO.)

Select 2 answers
A. Fencing around the property
B. Password complexity requirements
C. Guard at building entrance
D. Biometric door lock
E. Account lockout policy

Answers: B, E

Password policies are logical controls implemented in software.

Why this answer

Logical controls are software-based. Passwords and account lockout are logical.

36. MCQ · medium

A company configures its firewall to block all inbound traffic except for specific necessary services. This approach aligns with which access control principle?

A. Separation of duties
B. Defense in depth
C. Need-to-know
D. Least privilege

Answer: D

Deny by default and allow only the traffic that is needed: this is least privilege applied to network access.

Why this answer

Least privilege in network security means denying all traffic except explicitly allowed.

37. MCQ · medium

An organization configures account lockout after 5 failed login attempts within 15 minutes. This control is designed to mitigate which type of attack?

A. Phishing
B. Brute-force attack
C. Social engineering
D. Man-in-the-middle attack

Answer: B

Lockout stops automated password guessing by limiting attempts.

Why this answer

Account lockout thresholds (typically 3-10 attempts) help prevent brute-force attacks by temporarily disabling the account after repeated failures.

38. MCQ · medium

In the context of identification and authentication, which of the following is an example of authentication?

A. Entering a username
B. Being assigned a user ID
C. Providing a fingerprint scan
D. Swiping an access badge

Answer: C

A biometric scan proves the claimed identity, thus authentication.

Why this answer

Authentication is the process of proving a claimed identity. Providing a fingerprint matches the user's biometric data, verifying identity.

39. MCQ · medium

A company requires all visitors to sign in, wear a visible badge, and be escorted while on premises. This is an example of:

A. Separation of duties
B. Logical access control
C. Defense in depth
D. Visitor management

Answer: D

Visitor management includes sign-in, badges, and escorts.

Why this answer

Visitor management procedures help control physical access of non-employees.

40. MCQ · easy

Which type of access control is implemented by a cable lock attached to a laptop?

A. Administrative access control
B. Physical access control
C. Logical access control
D. Technical access control

Answer: B

Correct. Cable locks are physical.

Why this answer

Cable locks are physical security controls that prevent theft.

41. MCQ · medium

A company's physical security includes fencing, security guards, access badges, and biometric locks on server room doors. This layered approach is an example of which access control concept?

A. Least privilege
B. Need-to-know
C. Separation of duties
D. Defense in depth

Answer: D

Defense in depth is the strategy of using multiple security layers.

Why this answer

Defense in depth uses multiple overlapping physical and logical controls to protect assets.

42. MCQ · hard

A session timeout automatically logs out a user after a period of inactivity. This control primarily protects against:

A. Password cracking
B. Unauthorized access from an unattended workstation
C. Brute force attacks
D. Shoulder surfing

Answer: B

Session timeouts reduce the risk of session hijacking if the user walks away from an active session.

Why this answer

Session timeouts prevent unauthorized access from an unattended active session.

43. MCQ · medium

An employee uses their username to claim an identity and then enters a password to prove it. What is the term for the process of proving the claimed identity?

A. Authorization
B. Accounting
C. Authentication
D. Identification

Answer: C

Authentication verifies the claimed identity.

Why this answer

Authentication is the process of proving a claimed identity (e.g., via password, biometric).

44. Multi-Select · hard

A company is implementing separation of duties for financial transactions. Which of the following are examples of this principle? (Choose TWO.)

Select 2 answers
A. One employee creates a purchase order, another approves it
B. Two managers must approve any payment over $5,000
C. A manager can both initiate and approve a wire transfer
D. All employees use the same password for the accounting system
E. A user has read-only access to financial reports

Answers: A, B

Splitting purchase-order creation and approval between two people is dual control over purchases.

Why this answer

Separation of duties requires multiple people to complete a critical task to prevent fraud.

45. Multi-Select · medium

A security administrator is configuring a session timeout policy. Which of the following are valid reasons for implementing session timeouts? (Choose TWO.)

Select 2 answers
A. Enforce password complexity requirements
B. Limit the window for session hijacking attacks
C. Provide single sign-on functionality
D. Prevent brute-force attacks on passwords
E. Reduce the risk of unauthorized access from unattended workstations

Answers: B, E

Shorter timeouts reduce the time an attacker can use a stolen session.

Why this answer

Session timeouts mitigate unauthorized access from unattended sessions and reduce risk of session hijacking.

46. Multi-Select · medium

Which THREE are key components of Active Directory? (Select THREE.)

Select 3 answers
A. Users
B. Firewalls
C. Groups
D. LDAP
E. Organizational Units (OUs)

Answers: A, C, E

Users are objects representing individuals.

Why this answer

Active Directory includes users, groups, and organizational units (OUs). LDAP is a protocol, not a component.

47. MCQ · easy

An organization uses fencing, bollards, and lighting around the perimeter, guards at the main entrance, and biometric readers on server room doors. This approach is an example of:

A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need-to-know

Answer: A

Multiple overlapping physical controls (fencing, guards, biometrics) exemplify defense in depth.

Why this answer

Defense in depth employs multiple layers of security to protect assets.

48. Multi-Select · medium

Which TWO of the following are recommended practices for managing privileged accounts? (Select TWO.)

Select 2 answers
A. Create a separate admin account for privileged tasks
B. Use the same account for daily work and administrative tasks
C. Disable logging for admin activities to reduce overhead
D. Implement a Privileged Access Management (PAM) solution
E. Share admin passwords among team members for convenience

Answers: A, D

Correct. Separating privileged and daily-use accounts reduces risk.

Why this answer

Separating admin accounts from daily accounts and using PAM solutions are key practices.

49. MCQ · hard

In an LDAP directory, an entry is represented as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?

A. Container Name
B. Common Name
C. Country Name
D. Context Name

Answer: B

CN is Common Name, representing the object's name.

Why this answer

In LDAP, CN stands for Common Name, which is a component of the distinguished name.

50. Multi-Select · hard

A security architect is designing controls to protect a data center. Which TWO of the following are examples of physical access controls? (Select TWO.)

Select 2 answers
A. Biometric reader on server room door
B. Cable locks on laptops
C. Session timeout settings
D. Password complexity policy
E. Role-based access control (RBAC)

Answers: A, B

A biometric reader on a door is a physical (hardware) control.

Why this answer

Physical access controls include barriers and objects that physically restrict entry.

51. MCQ · medium

An account lockout policy is implemented to protect against which type of attack?

A. Brute force
B. Man-in-the-middle
C. Social engineering
D. Phishing

Answer: A

Correct. Lockout mitigates brute-force attempts.

Why this answer

Account lockout detects and prevents brute-force attacks by disabling the account after a threshold of failed attempts.

52. MCQ · medium

In a directory service like Active Directory, which component is used to organize users, groups, and computers into a hierarchical structure for applying policies?

A. Organizational Units (OUs)
B. Group Policy Objects (GPOs)
C. Domain controllers
D. LDAP

Answer: A

OUs are containers that organize objects and allow GPO linking.

Why this answer

Organizational Units (OUs) are containers in Active Directory that allow hierarchical organization and Group Policy application.

53. Multi-Select · medium

A security administrator is implementing controls to protect a server room. Which TWO physical security layers should be included as part of a defense-in-depth strategy? (Select TWO.)

Select 2 answers
A. Fencing around the building
B. Complex password policy
C. Cable locks on individual servers
D. Session timeout settings
E. Biometric reader on server room door

Answers: A, E

Fencing is an external perimeter layer.

Why this answer

Defense in depth uses multiple layers. External perimeter (fencing) and internal server room (biometric) are distinct layers.

54. MCQ · easy

Which of the following best describes the purpose of a session timeout?

A. To automatically log out inactive users
B. To enforce password complexity
C. To restrict access based on need-to-know
D. To prevent brute-force attacks

Answer: A

Session timeouts terminate idle sessions to prevent unauthorized use.

Why this answer

Session timeouts automatically log out idle users after a period of inactivity, reducing the risk of unauthorized access if a user leaves a session open.

55. MCQ · medium

A user enters a username and password to access a system. Which phase of the access control process does entering the username represent?

A. Accounting
B. Authentication
C. Authorisation
D. Identification

Answer: D

The username identifies who the user claims to be.

Why this answer

Identification is the act of claiming an identity (e.g., username).

56. MCQ · hard

An organization wants to ensure that even if an attacker compromises a user's account, the damage is limited. Which principle is most directly applied?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Need-to-know

Answer: A

Least privilege minimizes permissions, reducing potential damage.

Why this answer

Least privilege reduces the blast radius of an account compromise.

57. MCQ · hard

In a directory service using LDAP, what is the distinguished name (DN) for a user named John Smith in the Sales organizational unit of the company domain company.com?

A. DC=company, DC=com, OU=Sales, CN=John Smith
B. OU=Sales, CN=John Smith, DC=company, DC=com
C. CN=John Smith, OU=Sales, DC=company, DC=com
D. CN=John Smith, DC=Sales, DC=company, DC=com

Answer: C

Correct. This follows the LDAP DN syntax: CN, OU, DC.

Why this answer

The DN format includes CN (common name), OU (organizational unit), and DC (domain components) in order from specific to general.

58. MCQ · medium

A security administrator is configuring a system to prevent unauthorized access after a user leaves their workstation unattended. Which access control mechanism should be implemented?

A. Password complexity
B. Biometric authentication
C. Session timeout
D. Account lockout

Answer: C

Correct. Session timeout automatically logs out idle users.

Why this answer

Session timeouts automatically log out idle users to prevent unauthorized access.

59. Multi-Select · medium

A company's security policy requires that employees use only the minimum permissions needed to perform their job functions. This practice reduces the potential impact if an account is compromised. Which TWO access control principles are being applied?

Select 2 answers
A. Defense in depth
B. Separation of duties
C. Privileged access management
D. Need-to-know
E. Least privilege

Answers: D, E

Need-to-know restricts access to data required for the job.

Why this answer

Least privilege ensures users have only the permissions necessary for their role. Need-to-know complements it by limiting access to data that is essential for job duties. Both principles reduce the blast radius of account compromise.

60. MCQ · easy

A security administrator is configuring user permissions and ensures that each user has only the minimum rights needed to perform their job. Which access control principle is the administrator applying?

A. Separation of duties
B. Need-to-know
C. Defense in depth
D. Least privilege

Answer: D

Least privilege ensures users have only the minimum permissions required.

Why this answer

Least privilege grants users only the permissions necessary to perform their tasks, reducing the potential impact of account compromise.

61. MCQ · medium

An LDAP distinguished name (DN) is written as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' represent?

A. Common Name
B. Domain Component
C. Organizational Unit
D. Country Name

Answer: A

CN stands for Common Name.

Why this answer

In LDAP, CN stands for Common Name, which is typically the user's name.

62. MCQ · medium

According to NIST SP 800-63, which password policy is most effective for user authentication?

A. Require a mix of uppercase, lowercase, numbers, and symbols, and force password changes every 30 days
B. Require a minimum length of 6 characters with no other requirements
C. Require a minimum length of 15 characters and check against breached password lists, without requiring complexity or frequent changes
D. Require a minimum length of 8 characters and check against breached password lists

Answer: C

Correct. This aligns with NIST guidance: favor length, avoid forced changes unless compromised, and screen against known breaches.

Why this answer

NIST SP 800-63 recommends favoring longer passwords (15+ characters for high assurance) over complexity, and avoiding frequent forced changes unless compromised.

63. MCQ · easy

A security administrator is configuring user permissions and wants to ensure that each user has only the access rights necessary to perform their job. Which principle is being applied?

A. Separation of duties
B. Need to know
C. Defense in depth
D. Least privilege

Answer: D

Correct. Least privilege ensures users have only the access needed for their roles.

Why this answer

Least privilege means granting only the minimum permissions needed for a user to perform their job, reducing the potential impact of a compromised account.

64. MCQ · medium

A security administrator is reviewing physical access controls. Which control is considered an external perimeter security measure?

A. Biometric reader on server room door
B. Cable locks on laptops
C. Visitor badge policy
D. Fencing around the property

Answer: D

Fencing is a typical external perimeter control.

Why this answer

External perimeter controls include fencing, bollards, and lighting to deter or delay intruders.

65. MCQ · medium

What is the primary purpose of a Privileged Access Management (PAM) solution?

A. To provide single sign-on for all applications
B. To manage visitor access to the building
C. To enforce password complexity for all users
D. To control and monitor privileged access to critical systems

Answer: D

Correct. PAM manages privileged accounts, including session recording and just-in-time access.

Why this answer

PAM controls and monitors the use of privileged accounts (e.g., admin) to reduce risk of misuse or compromise.

66. Multi-Select · medium

A security analyst is reviewing physical security controls. Which TWO are considered layered physical security measures for external perimeter protection?

Select 2 answers
A. Fencing around the property
B. Lighting in parking lots
C. Biometric reader on server room door
D. Cable locks on laptops
E. Chassis locks on servers

Answers: A, B

Fencing is a perimeter barrier.

Why this answer

Fencing and lighting are external perimeter controls.

67
MCQ · hard

An administrator configures a Group Policy Object (GPO) in Active Directory to enforce account lockout after 5 failed attempts within 15 minutes. Which type of control is this?

A. Administrative access control
B. Logical access control
C. Compensating control
D. Physical access control
Answer: B

Correct. Lockout is enforced by the operating system or application, which makes it a logical control.

Why this answer

Logical access controls are software-based mechanisms that govern access to systems. Account lockout policies are logical controls.

68
Multi-Select · medium

A security auditor is reviewing access controls at a financial institution. The auditor identifies a scenario where one employee can initiate a payment transaction, and the same employee can also approve it. Which access control principle is being violated, and what is the primary risk?

Select 1 answer
A. Separation of duties; risk of fraud
B. Defense in depth; risk of single point of failure
C. Need-to-know; risk of data exposure
D. Least privilege; risk of excessive permissions
E. Privileged access management; risk of account compromise
Answers: A

Correct. Separation of duties prevents a single person from performing conflicting tasks, reducing fraud risk.

Why this answer

Separation of duties requires that no single person has the ability to complete a high-risk action without another person's involvement. The scenario describes a violation of this principle, which increases the risk of fraud because an individual could both initiate and approve a fraudulent payment without oversight.

69
Multi-Select · medium

A security analyst is reviewing access control mechanisms. Which TWO of the following are examples of logical access controls? (Select two.)

Select 2 answers
A. Security guard at entrance
B. Smart card authentication for system access
C. Bollards at parking lot
D. Password policy enforcing complexity
E. Perimeter fence
Answers: B, D

Smart cards are logical controls for authentication.

Why this answer

Logical access controls are technology-based mechanisms. Passwords and smart cards are logical; fences and guards are physical.

70
MCQ · hard

An organization uses a Privileged Access Management (PAM) solution. Which of the following is a primary benefit of PAM?

A. Controls and monitors privileged access
B. Provides a single sign-on for all users
C. Eliminates the need for passwords
D. Automates user provisioning for all accounts
Answer: A

PAM provides oversight and control over admin accounts.

Why this answer

PAM solutions monitor, control, and audit privileged account usage, reducing risk of misuse.

71
MCQ · easy

Which process involves verifying the identity of a user who claims to be a specific person?

A. Authorization
B. Authentication
C. Identification
D. Accounting
Answer: B

Correct. Authentication verifies the claimed identity.

Why this answer

Authentication is the process of proving a claimed identity, typically with passwords, biometrics, or tokens.

72
MCQ · easy

Which principle ensures that a user is granted only the permissions necessary to perform their job functions, thereby reducing the potential impact of a compromised account?

A. Least privilege
B. Need-to-know
C. Separation of duties
D. Defense in depth
Answer: A

Correct. Least privilege grants only the minimum permissions needed.

Why this answer

Least privilege limits permissions to the minimum required, reducing the blast radius if an account is compromised.

73
MCQ · medium

An account lockout policy is designed to mitigate which type of attack?

A. SQL injection
B. Man-in-the-middle
C. Phishing
D. Brute force
Answer: D

Lockout stops repeated password guessing.

Why this answer

Account lockout prevents brute force attacks by disabling the account after several failed attempts.

74
Multi-Select · medium

Which TWO of the following are components of the identification and authentication process? (Select TWO.)

Select 2 answers
A. Password
B. Username
C. Group policy
D. Access control list (ACL)
E. Role-based access control (RBAC)
Answers: A, B

Password is an authentication factor.

Why this answer

Identification claims an identity; authentication proves it.

75
Multi-Select · medium

A security team is designing a visitor management policy. Which TWO of the following are essential components? (Select TWO.)

Select 2 answers
A. Requiring visitors to provide a biometric scan
B. Performing background checks on all visitors
C. Issuing temporary visitor badges
D. Requiring an escort for visitors
E. Requiring visitors to sign in and out
Answers: D, E

Correct. Escort policy ensures visitors are supervised.

Why this answer

Visitor sign-in and escort policy are core to visitor management.
