Configure Windows Security Settings Flashcards

Lesson 14C (58 cards)

1
Q
A

Configuring members of the Administrators built-in group.

2
Q
A

UAC requiring confirmation of the use of administrator privileges.

3
Q
A

Configuring UAC notifications.

4
Q
A

Configuring Windows Hello sign-in options.

5
Q
A

Security groups in Active Directory

6
Q
A

Group Policy Management.

7
Q
A

Configuring iOS device enrollment in Microsoft’s Intune Enterprise Mobility Management (EMM) suite.

8
Q

Logical security controls

A

are digital safeguards that protect systems and data through authentication, authorization, and accounting mechanisms, ensuring only authorized users can access resources while monitoring and enforcing security policies.

9
Q

Security Control Classes

A
  • Physical controls: examples include fences, doors, and locks.
  • Procedural controls: examples include incident response processes, management oversight, and training programs.
  • Logical controls: examples include user authentication, antivirus software, and firewalls.
10
Q

access control system

A
  • Authentication
  • Authorization
  • Accounting
11
Q

access control systems

Authentication

A

ensures that users and systems are verified through unique accounts and credentials, allowing only authorized access to protect security.

12
Q

access control systems

Authorization

A

ensures that users can access resources based on predefined permissions, with access control lists defining actions they can perform, such as reading or editing files.

13
Q

access control systems

Accounting

A

means logging when and by whom a resource was accessed.

14
Q

access control list (ACL)

A

defines permissions for resources, specifying allowed actions for users, computers, or services based on identifiers like MAC address, IP address, port number, or security ID (SID).

15
Q

Implicit deny

A

is a security principle where access is denied by default unless explicitly permitted, commonly used in ACLs and firewall policies to ensure unauthorized requests are blocked.

16
Q

least privilege

A

is a security principle, balancing security with usability to minimize risks (challenging) and support overhead.

17
Q

user account

A

is the principal means of controlling access to computer and network resources.

18
Q

user account

local account

A

defined on a specific computer, stored in the Security Accounts Manager (SAM) within the HKEY_LOCAL_MACHINE registry hive, and cannot be used to access other devices or network resources.

19
Q

user account

Microsoft account

A

an online identity linked to an email address, allowing access to multiple devices and services while enabling synchronization of profile settings across them.

20
Q

Security Groups

A

are collections of user accounts used for efficient permission management, with built-in groups like Administrators having high-level access, while custom groups enforce least privilege principles for security.

21
Q

security group

standard account

A

has limited system permissions, allowing the user to manage their profile settings, run applications, install store apps, use printers, and shut down the computer, while administrative accounts should be restricted for security.

22
Q

security groups

Guest group

A

is only present for legacy reasons. It has the same default permissions and rights as the Users group.

23
Q

security groups

Power Users

A

was originally designed to provide intermediate permissions between administrators and standard users but was deprecated in Windows 10/11 due to security risks, now functioning with the same permissions as the Users group.

25
Local Users and Groups management console
allows administrators to manage user and group accounts, including creating, modifying, disabling, deleting accounts, resetting passwords, and configuring group memberships.
26
The net user command
in an administrative command prompt allows user account management, including adding accounts, enforcing password changes, disabling accounts, viewing account properties, and assigning accounts to local groups like Administrators.
27
# net user command
Add a new user account and force the user to choose a new password at first login:
*net user dmartin Pa$$w0rd /add /fullname:"David Martin" /logonpasswordchg:yes*
28
# net user command
Disable the dmartin account:
*net user dmartin /active:no*
29
# net user command
Show the properties of the dmartin account:
*net user dmartin*
30
# net user command
Add the dmartin account to the Administrators local group:
*net localgroup Administrators dmartin /add*
31
User Account Control (UAC)
Windows security feature that enforces least privilege by requiring explicit user consent for privileged tasks.
  • Tasks protected by UAC are shown with a Security Shield icon.
  • Run-as-administrator shortcut: (More > Run as administrator) or press CTRL+SHIFT+ENTER to open it.
32
Windows PowerShell
It's essentially a more advanced and versatile version of the traditional **Windows Command Prompt**, built on the .NET Framework.
33
Authentication
ensures users verify their identity before accessing accounts by supplying credentials categorized as knowledge (passwords), possession (smart cards), or inherence (biometrics).
34
# authentication
Multifactor authentication (MFA)
means that the user must submit at least two different kinds of credential.
35
# authentication
2-step verification (2FA)
enhances security by requiring users to confirm their identity with a soft token sent to a trusted contact method, such as email or SMS, whenever logging in from a new device or location.
36
# authentication
authenticator application
like Microsoft Authenticator, enhances security by enabling passwordless access or two-factor authentication (2FA), requiring users to verify their identity through a trusted device, encrypted registration, and secure prompts before granting access.
37
# authentication
Hard token authentication
uses a physical device, like a smart card or USB drive, to securely store credentials, requiring user authorization via password, PIN, or biometrics before transmitting authentication data to the service for access.
38
# Windows Login Options
Windows authentication
operates through different login scenarios:
  • local sign-in, where the Local Security Authority (LSA) verifies credentials against the Security Accounts Manager (SAM);
  • network sign-in, where credentials are authenticated using Kerberos;
  • remote sign-in, which relies on VPN or web-based authentication when outside the local network.
39
# Windows Login Options
Username and Password
is the standard authentication method where users create an account with a password that can be changed via CTRL+ALT+DELETE or account settings, while administrators can reset passwords using Local Users and Groups.
40
# Windows Login Options
Windows Hello
provides secure authentication through PINs, fingerprint scanning, facial recognition, and security keys, utilizing encryption and hardware protections like Trusted Platform Module (TPM) and infrared (IR) sensors to prevent unauthorized access.
41
# Windows Login Options
Single sign-on (SSO)
allows users to authenticate once and gain access to multiple applications or services, with Kerberos facilitating SSO in Active Directory environments. While SSO simplifies credential management, compromised accounts pose security risks. Windows Hello for Business enhances security by using passwordless SSO, leveraging public/private encryption keys stored in Trusted Platform Module (TPM) to verify users without transmitting credentials over the network.
42
Trusted Platform Module (TPM) | Single sign-on
is a dedicated chip on a computer's motherboard that enhances security by securely storing cryptographic keys.
43
# Windows Login Options
Kerberos | Single sign-on
It uses symmetric-key cryptography and a Key Distribution Center (KDC) to distribute secret keys and issue tickets, allowing users to authenticate without directly exchanging passwords.
44
Windows domains and Active Directory
provide scalable authentication for organizations, allowing domain accounts to access multiple machines without requiring separate credentials, unlike local accounts, which are device-specific and must be managed individually.
45
# Windows Login Options
domain controller (DC)
is a Windows Server computer that manages network authentication through **Active Directory (AD)**, storing user, group, and computer objects while ensuring secure and scalable access, with **Domain Admins** controlling account management.
46
**member server**
is a domain-joined system that does not store a copy of **Active Directory (AD)** but provides services like file sharing, printing, email (Exchange), and databases (SQL Server), using **Kerberos** for single sign-on authentication.
47
# Active Directory
Security groups
in a domain simplify permission management by assigning access rights to user accounts collectively. Members of **Domain Admins** can sign in on any domain-joined computer, including domain controllers (DCs), while **Domain Users** have restricted access, typically limited to specific workstations.
48
# Active Directory
Windows domains
use **Active Directory (AD)** to centralize authentication and authorization, with **domain controllers (DCs)** managing accounts, **security groups** assigning permissions, **organizational units (OUs)** delegating administrative control, and **Kerberos-based single sign-on (SSO)** ensuring seamless access across domain resources.
49
# Active Directory
Organizational Units (OUs)
**segment a domain into administrative divisions,** allowing delegated control over account management while maintaining centralized security policies. They enable structured access control, ensuring users can authenticate only within designated OUs, like limiting "Sales" department users to Sales-related systems.
50
# Active Directory
Active Directory (AD) hierarchy
1. Forest
2. Trees
3. Domain
4. Organizational Units (OUs)
5. Objects: they represent various entities like users, computers, printers, groups, etc.
51
Group Policy
allows administrators to centrally configure security settings, user profiles, and software deployment across multiple domain-joined computers, with **Group Policy Objects (GPOs)** linked to domains or **Organizational Units (OUs)** to enforce settings, while **Resultant Set of Policies (RSoPs)** determines the final applied configurations.
52
# Group Policy
group policy objects (GPOs)
streamline administrative control by applying predefined policies to multiple users and computers within a **domain** or **Organizational Unit (OU)** in **Active Directory (AD)**, with **inheritance rules** determining the **Resultant Set of Policies (RSoPs)** for each account.
53
# Group Policy
Resultant Set of Policy (RSoP)
is a feature in Microsoft Windows that helps administrators understand and troubleshoot Group Policy settings applied to users and computers.
54
# Group Policy
Group Policy updates
use two key command-line tools: **gpupdate**, which applies new policies immediately and can force a full refresh, and **gpresult**, which displays the **Resultant Set of Policies (RSoP)** for a user or computer, allowing administrators to verify applied settings.
55
# Group Policy
logon script
is a set of instructions that a computer executes automatically when a user logs in. Logon scripts are commonly used in Active Directory environments and can be configured through Group Policy.
56
Mobile Device Management (MDM)
Software that enforces security policies for enterprise and **bring your own device (BYOD)** smartphones, controlling access to corporate data, applications, and built-in device functions based on administrator-defined parameters.
57
# Mobile Device Management
Microsoft’s Intune Enterprise Mobility Management (EMM)
is cloud-based enterprise mobility management (EMM) software that enforces security policies.
58