During a routine audit, it is discovered that someone has been using a stale administrator account to log
into a seldom used server. The person has been using the server to view inappropriate websites that are
prohibited to end users. Which of the following could best prevent this from occurring again?
A.
Credential management
B.
Group policy management
C.
Acceptable use policy
D.
Account expiration policy
Unless Account expiration is part of Group policy, how is that going to solve the problem?
4
0
Agreed. I chose C at first.
But after re-reading the question. The key term I found was “seldom” so I’m assuming that if it is not often used. The account should have some sort of expiration policy implemented.
1
0
P.S. Download that 1867q SY0-401 dumps for free here:
https://doc.co/FTT4SW
Good Luck!
0
6
I would go with D on this one.
Process of elimination:
A.. Credential management: Credential Management is a proposed application programming interface (API) under development by the World Wide Web Consortium for standardizing aspects of how password managers used by web user agents (web browsers and other applications) create, store, use, and modify username and password combinations for logins, in addition to the management of “federated” credentials (such as single sign-on tokens) by user agents.
B.. Group policy management: Group Policy Management can determine how the account is to be used, what level of access, etc. The fact is that the user account is being used, and group policy will not stop the account for being used.
In addition to that, there is no in-built GPO that would disable stale accounts. One could use
use dsquery to list users who have not login in the past 30 days and disable the account.
C..Acceptable use policies: Clearly the user already knows what the Acceptable use policies are, and is doing his/her uttermost to circumvent them by (a) using a stale admin account and (b) on a seldom used server so that (c) his her activities will go undetected.
The “best” answer to my mind is to ensure that accounts are set to expire.
D.. Account expiration policies
An even better answer would have been “account auditing”, running dsquery to identify un-used/stale accounts, then disabling them and moving them to a different OU
https://www.linkedin.com/pulse/cleaning-up-obsolete-user-computer-accounts-from-active-ajit-singh/
https://www.lepide.com/how-to/manage-inactive-accounts-in-active-directory.html
1
0
Credential management API is not what this is talking about. Mike Meyers book puts password policies under the credential management umbrella. Both credential management and account expiration can be set under group policy. None of which gives much of a answer.
0
0
If the user has the password and account name, wouldn’t they have the ability to reset the password when prompted? This would render credential management ineffective, as a password expiration would not matter.
To me it has to be B or D.
Account expiration can be set in GP and is the more specific answer IMO, but GP encompasses both A and D.
1
0