CCNA Cc Access Controls Questions

35 of 110 questions · Page 2/2 · Cc Access Controls topic

76
MCQ · medium

A system administrator has a regular user account for daily work and a separate account with elevated privileges. Which principle is being applied?

A. Separation of duties
B. Need-to-know
C. Defense in depth
D. Least privilege
Answer: D

Correct. Using a limited account for daily work follows least privilege.

Why this answer

Least privilege for admins means using a separate account with only necessary privileges, reducing risk.

77
Multi-Select · medium

Which THREE are recommended practices for password policies according to current guidelines?

Select 3 answers
A. Check passwords against lists of known breached passwords
B. Require passwords at least 8 characters long
C. Require at least one uppercase letter, one number, and one special character
D. Allow passwords up to 64 characters
E. Force password changes every 30 days
Answers: A, B, D

Prevents use of compromised passwords.

Why this answer

Current guidelines recommend long passwords, breach checking, and avoiding frequent changes.

78
MCQ · hard

A security engineer is designing a physical security plan. Which combination of controls best represents defense in depth for a data center?

A. Visitor sign-in and escort policy only
B. A single high-tech lock on the server room door
C. A strong password policy for all employees
D. Perimeter fencing, access badges at building entrance, biometric reader on server room, and cable locks on servers
Answer: D

Correct. This layered approach exemplifies defense in depth.

Why this answer

Defense in depth uses multiple, overlapping controls. Perimeter fencing, access badges, biometric readers, and cable locks each address different layers, providing redundancy.

79
MCQ · medium

An organization uses Active Directory to manage user accounts. Which protocol does Active Directory primarily use to query and modify directory services?

B. FTP
D. LDAP
Answer: D

LDAP is the protocol used by Active Directory for directory access.

Why this answer

Active Directory uses LDAP (Lightweight Directory Access Protocol) as the underlying protocol for directory queries and modifications.

80
MCQ · easy

Which account type is considered highest risk and should be protected with strict controls, including separate daily use accounts?

A. Standard user account
B. Service account
C. Admin/root account
D. Guest account
Answer: C

Admin accounts have full system access and are high risk.

Why this answer

Admin/root accounts have elevated privileges and are high-risk targets.

81
MCQ · medium

Which of the following is a recommended practice for password security according to NIST SP 800-63?

A. Require frequent password changes every 30 days
B. Use a minimum of 8 characters and check against breached password lists
C. Set maximum password age to 90 days
D. Enforce complex passwords with special characters
Answer: B

Correct. Length is favored, and passwords should be checked against known breaches.

Why this answer

NIST SP 800-63 recommends favoring password length over complexity and checking passwords against breached lists.

82
MCQ · medium

A security analyst notices that a user is accessing files in a department they do not work in. Which principle is being violated?

A. Need-to-know
B. Least privilege
C. Defense in depth
D. Separation of duties
Answer: A

Accessing files outside job scope violates need-to-know.

Why this answer

Need-to-know restricts access to data necessary for one's job, even if the user has broader permissions.

83
MCQ · medium

A company implements a visitor management policy requiring all visitors to sign in, wear a badge, and be escorted. Which access control principle does this primarily support?

A. Separation of duties
B. Defense in depth
C. Need-to-know
D. Least privilege
Answer: B

Multiple controls (sign-in, badge, escort) create layered security.

Why this answer

Visitor management controls physical access and supports defense in depth by adding layers.

84
MCQ · medium

A security administrator is implementing controls to prevent a single employee from approving and disbursing payments. Which principle is being applied?

A. Need-to-know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: D

Separation of duties prevents fraud by dividing critical functions.

Why this answer

Separation of duties ensures no single person can complete a high-risk action alone.

85
Multi-Select · medium

Which THREE are best practices for password management according to modern guidelines? (Select THREE.)

Select 3 answers
A. Enforce a minimum password length of 8 characters
B. Use a password manager to generate and store complex passwords
C. Require at least one uppercase, one lowercase, one digit, and one special character
D. Check passwords against lists of known compromised passwords
E. Require passwords to be changed every 30 days
Answers: A, B, D

Length is favored over complexity; 8 characters is the minimum.

Why this answer

Modern guidelines (NIST SP 800-63) recommend length over complexity, no frequent changes, and checking against breach lists.

86
MCQ · easy

Which principle ensures that users are granted only the minimum permissions necessary to perform their job functions?

A. Defense in depth
B. Least privilege
C. Separation of duties
D. Need-to-know
Answer: B

Least privilege grants only the minimum permissions needed.

Why this answer

Least privilege limits permissions to the minimum required, reducing the blast radius of a compromise.

87
MCQ · hard

In a directory service such as Active Directory, which component is responsible for storing information about users, groups, and computers in a hierarchical structure?

A. LDAP
B. Group Policy Object (GPO)
C. Organizational Unit (OU)
D. Domain controller
Answer: C

Correct. OUs are containers that organize directory objects.

Why this answer

Organizational Units (OUs) are containers that organize objects like users and computers in a hierarchy.

88
MCQ · easy

Which of the following is an example of a logical access control?

A. Biometric reader on a door
B. Password complexity requirements
C. Fencing around a building
D. Security guards
Answer: B

Correct. Passwords are logical access controls.

Why this answer

Logical access controls are software-based mechanisms that restrict access to systems and data. Passwords are a common logical control.

89
MCQ · medium

A company implements a policy where users must swipe their access card and then enter a PIN to enter the data center. This is an example of:

A. Multi-factor authentication
B. Biometric authentication
C. Single sign-on
D. Single-factor authentication
Answer: A

Correct. Card (something you have) and PIN (something you know) constitute MFA.

Why this answer

Multi-factor authentication (MFA) requires two or more factors: something you have (card) and something you know (PIN).

90
Multi-Select · hard

A company wants to implement defense in depth for its data center. Which THREE of the following controls should be included? (Select THREE.)

Select 3 answers
A. Requiring access badges to enter the building
B. Single sign-on (SSO) for all applications
C. Using a single firewall for all network traffic
D. Encrypting data at rest
E. Fencing around the building
Answers: A, D, E

Correct. Badges control entry.

Why this answer

Defense in depth uses multiple layers: perimeter fencing (physical), access badges (physical/administrative), and encryption (logical).

91
MCQ · hard

A system administrator uses a separate administrative account with elevated privileges only when performing system maintenance, and uses a standard user account for daily activities like email. This practice aligns with which principle?

A. Need-to-know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: C

Using separate accounts ensures admin rights are only used when necessary, adhering to least privilege.

Why this answer

Least privilege for administrators: using separate admin accounts minimizes the risk of accidental changes or compromise, as the admin account is only used when needed.

92
Multi-Select · medium

Which THREE of the following are best practices for privileged account management? (Select THREE.)

Select 3 answers
A. Use a Privileged Access Management (PAM) solution to monitor and control admin access
B. Use the same admin account for daily tasks to simplify management
C. Create a separate admin account for administrative tasks, distinct from the daily-use account
D. Grant administrators full access to all systems at all times for convenience
E. Apply the principle of least privilege to administrative accounts
Answers: A, C, E

PAM solutions centralize and secure privileged access.

Why this answer

Privileged accounts require special controls like separate accounts, PAM, and least privilege.

93
MCQ · easy

An organization requires that a financial transaction must be initiated by one employee and approved by a manager before processing. Which access control principle does this enforce?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need-to-know
Answer: A

Separation of duties prevents a single person from performing both initiation and approval.

Why this answer

Separation of duties ensures no single individual can complete a high-risk action alone, reducing fraud risk.

94
MCQ · medium

A company implements a policy where no single employee can approve a purchase order over $10,000. Instead, two managers must jointly approve it. Which security principle does this practice exemplify?

A. Need-to-know
B. Defense in depth
C. Separation of duties
D. Least privilege
Answer: C

Requiring two approvals for high-risk actions prevents a single person from committing fraud.

Why this answer

Separation of duties ensures that no single individual has control over all critical functions, reducing the risk of fraud or error.

95
MCQ · medium

A visitor signs in at a company's reception, receives a badge, and is escorted throughout the building. This process is part of which type of access control?

A. Technical access control
B. Physical access control
C. Administrative access control
D. Logical access control
Answer: B

Visitor management is a physical security measure.

Why this answer

Visitor management includes sign-in, badge issuance, and escort policies, all of which are physical access controls to secure the premises.

96
MCQ · medium

A bank implements a policy that requires two different employees to approve any wire transfer over $10,000. One employee initiates the transfer, and another approves it. This is an example of which access control principle?

A. Need-to-know
B. Least privilege
C. Separation of duties
D. Defense in depth
Answer: C

Separation of duties requires multiple people to complete a sensitive action, preventing fraud.

Why this answer

Separation of duties prevents any single individual from having complete control over a high-risk action, reducing the risk of fraud.

97
MCQ · easy

A visitor enters a company building and is required to sign in, present identification, and wear a visitor badge. This is an example of which type of access control?

A. Physical access control
B. Logical access control
C. Administrative control
D. Technical control
Answer: A

Visitor management involves physical security measures.

Why this answer

Visitor management procedures are part of physical access controls to monitor and restrict entry.

98
MCQ · hard

An organization enforces a password policy requiring a minimum of 15 characters with no complexity requirements, and does not force periodic changes. This policy aligns with which current best practice?

A. Passwords should be exactly 8 characters with at least one special character
B. Passwords should be changed every 30 days
C. Complexity requirements are more important than length
D. Length over complexity and no periodic changes
Answer: D

NIST SP 800-63 recommends longer passwords and only forced changes upon compromise.

Why this answer

NIST SP 800-63 recommends favoring length over complexity and avoiding frequent forced changes unless compromised.

99
MCQ · hard

An organization wants to implement a physical access control that requires two different credentials to enter a high-security server room. Which concept does this best represent?

A. Defense in depth
B. Separation of duties
C. Need-to-know
D. Least privilege
Answer: A

Correct. Using multiple layers of security (e.g., badge + biometric) is defense in depth.

Why this answer

Defense in depth involves multiple overlapping controls, such as requiring both a badge and a biometric scan.

100
MCQ · easy

What is the difference between identification and authentication?

A. Identification proves identity; authentication claims identity
B. They are the same thing
C. Identification uses passwords; authentication uses biometrics
D. Identification claims identity; authentication proves identity
Answer: D

Correct.

Why this answer

Identification is claiming an identity; authentication is proving that identity.

101
MCQ · hard

A company wants to implement account lockout to prevent brute-force attacks. Which lockout threshold is most appropriate according to common best practices?

A. 5 failed attempts
B. 1 failed attempt
C. No lockout, only logging
D. 20 failed attempts
Answer: A

5 attempts is within the recommended range.

Why this answer

Typical lockout thresholds are between 3 and 10 failed attempts to balance security and usability.

102
Multi-Select · easy

An employee claims to have accessed a confidential document that is not related to their job role. The security team investigates and finds that the employee's account had read access to the folder containing the document. Which TWO access control concepts were likely violated?

Select 2 answers
A. Identification and authentication
B. Need-to-know
C. Separation of duties
D. Least privilege
E. Defense in depth
Answers: B, D

The employee accessed data not needed for their job.

Why this answer

Need-to-know restricts access to data required for job duties; the employee should not have accessed the document if it wasn't job-related. Least privilege ensures users have only necessary permissions; the employee likely had excessive rights if they could access unrelated data.

103
Multi-Select · medium

A security analyst is reviewing physical security controls. Which TWO are examples of perimeter physical controls? (Select TWO.)

Select 2 answers
A. Access badges at building entrance
B. Biometric reader on server room door
C. Cable locks on laptops
D. Fencing around the property
E. Lighting in the parking lot
Answers: D, E

Fencing is a perimeter control.

Why this answer

Perimeter controls secure the outer boundary. Fencing and lighting are common perimeter controls; badges and biometrics are interior or point-of-entry controls.

104
MCQ · hard

An organization implements a policy where no single employee can approve a financial transaction over $10,000; a second manager must also approve. This is an example of which access control principle?

A. Separation of duties
B. Least privilege
C. Need-to-know
D. Defense in depth
Answer: A

Dual approval for high-risk actions exemplifies separation of duties.

Why this answer

Separation of duties requires multiple people to complete a critical task, reducing fraud risk.

105
MCQ · medium

According to modern password guidance from NIST SP 800-63, which of the following is the most important factor when setting password requirements?

A. Requiring a mix of uppercase, lowercase, numbers, and special characters
B. Using randomly generated passwords
C. Changing passwords every 30 days
D. Enforcing a minimum length of at least 8 characters
Answer: D

Length is prioritized, with 8 characters minimum (15+ for high assurance).

Why this answer

NIST SP 800-63 recommends favoring password length over complexity, with a minimum of 8 characters (or 15+ for high assurance) and avoiding frequent forced changes unless compromised.

106
MCQ · hard

A security analyst notices repeated failed login attempts from a single IP address. The account is locked after 10 failed attempts. This is an example of which type of control?

A. Logical access control
B. Compensating control
C. Physical access control
D. Administrative control
Answer: A

Account lockout is a software-based control to prevent unauthorized access.

Why this answer

Account lockout is a logical access control that detects and mitigates brute-force attacks.

107
MCQ · medium

An LDAP distinguished name (DN) is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. Which component represents the organizational unit?

A. OU=Sales
B. DC=com
C. CN=John Smith
D. DC=company
Answer: A

OU represents the Organizational Unit.

Why this answer

OU stands for Organizational Unit in LDAP DNs.

108
Multi-Select · hard

An organization wants to implement layered physical security for its data center. Which THREE of the following controls would be considered part of a defense-in-depth physical security strategy?

Select 3 answers
A. Cable locks on laptop computers
B. Password complexity requirements
C. Visitor sign-in log
D. Biometric reader at the server room door
E. Fencing and bollards around the building
Answers: A, D, E

Equipment-level security is a final layer within the facility.

Why this answer

Defense in depth for physical security involves multiple layers: external perimeter controls (fencing, bollards, lighting), building entrance controls (guards, access badges, mantraps), and internal controls (server room biometric readers, equipment locks). Together they create overlapping barriers.

109
Multi-Select · medium

A system administrator is configuring account lockout policies to mitigate brute-force attacks. Which TWO settings are most critical for this purpose?

Select 2 answers
A. Requiring password changes every 90 days
B. Account lockout threshold (e.g., 5 failed attempts)
C. Lockout duration (e.g., 30 minutes) or administrator unlock
D. Password history of 10 remembered passwords
E. Password minimum length of 8 characters
Answers: B, C

Threshold triggers lockout after a set number of failures.

Why this answer

Account lockout policies typically include an attempt threshold (e.g., 3-10 failed attempts) and a lockout duration or manual unlock requirement to prevent continuous brute-force attempts. These settings directly limit an attacker's ability to guess passwords.

110
MCQ · easy

Which of the following is an example of a physical access control at the building entrance?

A. Password complexity requirements
B. Access badges
C. Biometric reader on a server room door
D. Account lockout policy
Answer: B

Access badges are used at building entrances to authenticate individuals.

Why this answer

Access badges are a common physical control at building entrances.
